Start with an Nmap Scan:
This tells us Port 80 is open.
Let's visit the website in a web browser.
Not much to go on here, but the Nmap scan gave us a server type and version.
We should search the web for this version to see whether any vulnerabilities are known.
After searching the web I was able to find a Metasploit module that tries to exploit a buffer overflow vulnerability.
Set the following options and run this exploit:
We gained a shell, woo!
Entering the command shell, then whoami, we are told that we are the user 'network service', so we must perform privilege escalation to gain SYSTEM/administrator.
Let's enter systeminfo into the shell and copy and paste the output into a file called 'sysinfo.txt' on our machine.
In another terminal, we can run the following command using a tool called Windows Exploit Suggester:
This will suggest exploits for us to try that the victim machine may be vulnerable to.
Let's try the first exploit on the list.
We can attempt this manually or by using a Metasploit module.
As Metasploit is more of an easy win, let's use that.
Before we try a Metasploit module, we should use the ps command and make sure we are running in a process we have permissions for.
Let's use the migrate command (migrate PID) to move into davcdata.exe.
Use the exit command to leave the shell in Metasploit and return to the Meterpreter prompt, then enter background to background the session.
Search Metasploit for MS15-051.
Doing this gives us the following module to use:
Now let's enter the following options:
And just like that we have another shell.
We can confirm we are now system by issuing the whoami command in the shell.
And indeed we are; now go grab that root flag!
Congratulations you pwned this box!!
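As an added example (not part of the original walkthrough), here is a small Python script that parses the saved sysinfo.txt from the systeminfo step and reports which required updates are absent, the same patch-level check Windows Exploit Suggester performs, written from the defender's side for auditing a host. The systeminfo text and the KB identifiers are constructed placeholders; look up the real KB for each bulletin before using it.

```python
import re

# Constructed sample of `systeminfo` output (not captured from any real host).
SAMPLE_SYSINFO = """\
Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB111111
                           [02]: KB222222
                           [03]: Q147222
Network Card(s):           1 NIC(s) Installed.
"""

# Placeholder mapping of bulletin -> KB id; the KB values are assumptions, not real ids.
REQUIRED_UPDATES = {
    "MS15-051": "KB-PLACEHOLDER-MS15-051",
    "EXAMPLE-ALREADY-INSTALLED": "KB222222",
}

# Hotfix lines look like "[01]: KB123456" (older systems also list "Q" numbers).
HOTFIX_RE = re.compile(r"\[\d+\]:\s*((?:KB|Q)[\w-]+)", re.IGNORECASE)


def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level 'Key: value' pairs and the set of hotfix ids."""
    fields = {}
    hotfixes = set()
    for line in text.splitlines():
        match = HOTFIX_RE.search(line)
        if match:
            hotfixes.add(match.group(1).upper())
            continue
        # Continuation lines are indented; only unindented lines carry a field name.
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, hotfixes


def missing_updates(hotfixes, required):
    """Return the bulletins whose KB id is not present in the installed hotfix set."""
    return sorted(b for b, kb in required.items() if kb.upper() not in hotfixes)


def audit(text, required=REQUIRED_UPDATES):
    """Parse systeminfo text and summarise OS version and missing updates."""
    fields, hotfixes = parse_systeminfo(text)
    return {"os_version": fields.get("OS Version", ""),
            "installed": sorted(hotfixes),
            "missing": missing_updates(hotfixes, required)}
```

Run `audit(open("sysinfo.txt").read())` on a real capture to get the installed and missing lists for that host.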