Start with an Nmap Scan:
![](https://static.wixstatic.com/media/eb0517_546503c4910f4aeb8970cf6d3d0f492c~mv2.png/v1/fill/w_816,h_288,al_c,q_85,enc_auto/eb0517_546503c4910f4aeb8970cf6d3d0f492c~mv2.png)
From the output you can see that we only have one port open on the machine, port 80.
The output of the scan also shows us that it is an HttpFileServer, and the version running is 2.3.
Let's first see if we can find any vulnerabilities for this version via a Google search.
Let's have a look at https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/
This tells us that there is a potential Rejetto exploit that could provide us Remote Command Execution if successful.
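From the defender's side, the same scan output can be audited for this service. The following is an added example, not part of the original walkthrough: it parses Nmap `-sV` normal output and flags open ports whose banner reports HttpFileServer 2.3. The sample scan text and its addresses are constructed, the function name `find_hfs` is hypothetical, and treating letter-suffixed 2.3 builds as the same release is an assumption.

```python
import re

# Constructed sample of Nmap normal output (-sV). Addresses are
# documentation-range placeholders, not hosts from the walkthrough.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Nmap scan report for 192.0.2.11
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3 (protocol 2.0)
443/tcp open  https   nginx 1.24.0
Nmap scan report for 192.0.2.12
PORT     STATE  SERVICE VERSION
8080/tcp open   http    HttpFileServer httpd 2.3b
8081/tcp closed http    HttpFileServer httpd 2.3
8082/tcp open   http    HttpFileServer httpd 2.4.0
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SERVICE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")
HFS_RE = re.compile(r"HttpFileServer(?: httpd)? (\d+(?:\.\d+)*)([a-z]?)", re.I)

def find_hfs(scan_text, flagged_release="2.3"):
    """Return (host, port, version, flagged) for every open HttpFileServer port."""
    findings, host = [], None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)          # remember which host the ports belong to
            continue
        m = SERVICE_RE.match(line.strip())
        if not m or m.group(3) != "open":
            continue                   # skip headers and closed/filtered ports
        hfs = HFS_RE.search(m.group(5))
        if hfs is None:
            continue                   # some other service
        version = hfs.group(1) + hfs.group(2)
        flagged = hfs.group(1) == flagged_release  # assumption: 2.3b etc. count as 2.3
        findings.append((host, int(m.group(1)), version, flagged))
    return findings

if __name__ == "__main__":
    for host, port, version, flagged in find_hfs(SAMPLE_SCAN):
        print(f"{host}:{port} HttpFileServer {version} {'REVIEW' if flagged else 'ok'}")
```
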
The exploit tells us to use the following Metasploit Module:
![](https://static.wixstatic.com/media/eb0517_6f241955e2a8431faf2e1f714c6cccf2~mv2.png/v1/fill/w_516,h_239,al_c,q_85,enc_auto/eb0517_6f241955e2a8431faf2e1f714c6cccf2~mv2.png)
Let's set the following options and run the exploit:
![](https://static.wixstatic.com/media/eb0517_27875fb3684241c39ac95c0065337d00~mv2.png/v1/fill/w_678,h_125,al_c,q_85,enc_auto/eb0517_27875fb3684241c39ac95c0065337d00~mv2.png)
This may take a bit of time, but we eventually get a meterpreter shell on the machine:
![](https://static.wixstatic.com/media/eb0517_d8b43207f7c841e98686ebcba328ddae~mv2.png/v1/fill/w_980,h_265,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/eb0517_d8b43207f7c841e98686ebcba328ddae~mv2.png)
Now we can enter shell and then run the command whoami to see which user we are:
We are the low-level user kostas.
Now let's attempt privilege escalation by using the local exploit suggester module built into Meterpreter.
![](https://static.wixstatic.com/media/eb0517_7b1ac9cdc0804d37a799fc5c28db7ac3~mv2.png/v1/fill/w_980,h_93,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/eb0517_7b1ac9cdc0804d37a799fc5c28db7ac3~mv2.png)
Let's try the second option. Set the following options and run the exploit:
![](https://static.wixstatic.com/media/eb0517_d77e2f53954c45f08dccedb6dcfceff4~mv2.png/v1/fill/w_870,h_265,al_c,q_85,enc_auto/eb0517_d77e2f53954c45f08dccedb6dcfceff4~mv2.png)
BOOM! It was successful (We love easy wins!)
Let's now check with the command shell, then whoami.
We get back that we are System, and so the box is pwned.
Now grab that root flag!
Congratulations, you have pwned this box!