$ nmap -p- --min-rate 5000 10.129.85.240
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 08:57 EDT
Nmap scan report for 10.129.85.240
Host is up (0.012s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
This is a pretty old machine AND its running Windows, so there's probably some kind of IIS exploit here.
File Upload
The web application just shows an image of a wizard:
A quick check on the requests reveals this is running Microsoft-IIS/7.5.
We can run a quick gobuster scan with aspx,html,txt extensions, and find a few files.
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://10.129.85.240/ -t 100 -x aspx,html,txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.85.240/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,aspx
[+] Timeout: 10s
===============================================================
2023/05/06 09:00:00 Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx (Status: 200) [Size: 941]
/uploadedfiles (Status: 301) [Size: 0]
The ASPX page was a simple file upload.
I tried to upload an ASPX reverse shell, but it gives me an Invalid File error.
This can be bypassed via NULL byte by appending %00.jpg to the end of the filename in Burp.
However, when trying to view the file at /UploadedFiles/rev.aspx, it returns an error instead of a shell.
So uploading ASPX files doesn't work. But how about web.config files? It is possible to upload one that has VBScript embedded within it to execute commands. This is because we can potentially overwrite the existing web.config file and replace it with ours that executes commands.
This would download a simple Powershell reverse shell from our device. We can directly upload the web.config file without bypassing any file extension checks. Afterwards, visiting the /UploadedFiles/web.config directory would make the machine download and run the script, giving us a reverse shell.
We can grab the user flag.
Privilege Escalation
MS15-051
I did a quick check on the machine's OS by running systeminfo.
PS C:\windows\system32\inetsrv> systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 5/6/2023, 9:04:11 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,575 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,587 MB
Virtual Memory: In Use: 508 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.85.240
[02]: fe80::4112:6417:a55f:fe64
[03]: dead:beef::4112:6417:a55f:fe64
This was running Windows Datacenter 2008 and had no hotfixes applied. This means it is vulnerable to MS15-051.
We can download the exploit and nc.exe to the machine via Powershell and run exploit.exe like this:
