Enumeration
Start with an nmap scan:
From there we can discern that ports 21 and 80 are open.
Gaining Access
Check port 21 (FTP) for anonymous login:
Success! Anonymous login works, and we see that the FTP directory gives us access to the website's files. Since FTP lets us upload, we set up a netcat listener, put a reverse shell on the server, and browse to that page, which spawns the shell back on our box. Make sure to change the items in the red highlighted area of the reverse shell code before using it; the host and port must match the netcat listener you're running:
The shell I used can be found here: https://github.com/borjmz/aspx-reverse-shell
We figure out what user context we're in:
Start enumerating the box for sensitive files/flags:
Since we are unable to access these files, we need to check what our privileges are and how we can escalate them:
Privilege Escalation
We see we have SeImpersonatePrivilege enabled, and this can be useful. A quick Google search on that privilege points you to the Potato family of exploits. For this box, we will be using JuicyPotato. If you want to learn more about JuicyPotato, check out the sites in the references section at the end of the post.
Before transferring the JuicyPotato binary, we need to make sure that the file type for FTP transfer is set to binary:
Next we will transfer the binary. I will save you time by letting you know that the target will not run x64 binaries, only x86, so make sure the version of JuicyPotato you're using is the x86 build. Here is the link to one: https://github.com/ivanitlearning/Juicy-Potato-x86/releases
Next you will need to craft an msfvenom payload to go with JuicyPotato. Here is what I used:
Upload that to the target as well, again making sure that the file transfer format is still binary:
Now, here's the slightly nuanced part. As part of enumeration, you may have come across the fact that this target is Windows 7:
To use JuicyPotato, you will need a target CLSID that runs as SYSTEM and matches the target's Windows version. Here is a link to a table of them: https://ohpe.it/juicy-potato/CLSID/
For Windows 7, I will be using the following: {03ca98d6-ff5d-49b8-abc6-03dd84127020}
Note that it has to be a CLSID associated with the NT AUTHORITY\SYSTEM user, because the LOCAL SERVICE ones will not spawn an interactive shell.
Now that we have all of the parts we need on the target, let's set up our listener to match the reverse shell payload we built with msfvenom:
Now, go back to the original reverse shell you had on the box and switch directories to the web root:
We have everything we need there. Time to run JuicyPotato:
Check your listener:
Now not only can you get the user flag, but the root flag as well:
Profit.
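From the defender's side, the chain above leaves a distinctive process trail on the target: the IIS worker process spawning a shell for the uploaded ASPX page, an executable launched from the web root that anonymous FTP made writable, and a SYSTEM process whose parent is that web-root binary. The script below is an added example (not from the original post) that flags those three patterns over constructed process-creation events; the web root path, worker process name and the "IIS APPPOOL\Web" account are assumptions for the sample data.

```python
"""Added detection example: flag process-creation events matching the
FTP-upload -> ASPX shell -> JuicyPotato chain. All sample data is constructed."""
from dataclasses import dataclass
from typing import List, Tuple

WEB_ROOT = r"c:\inetpub\wwwroot"   # assumed IIS web root (also the anonymous FTP directory)
WEB_WORKER = "w3wp.exe"            # IIS worker process that executes the uploaded ASPX page
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass
class ProcEvent:
    user: str          # account the new process runs as
    image: str         # full path of the new process image
    parent_image: str  # full path of the parent process image


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_web_root(path: str) -> bool:
    return path.lower().startswith(WEB_ROOT)


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of suspicious patterns an event matches (empty if benign)."""
    hits = []
    if basename(ev.parent_image) == WEB_WORKER and basename(ev.image) in SHELLS:
        hits.append("web-worker-spawned-shell")          # ASPX reverse shell executing
    if under_web_root(ev.image):
        hits.append("exec-from-web-root")                # binary dropped via FTP is running
    if ev.user.upper() == SYSTEM_ACCOUNT and under_web_root(ev.parent_image):
        hits.append("system-child-of-web-root-binary")   # token impersonation paid off
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Return (image, patterns) for every event that matched at least one pattern."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]


# Constructed sample events in the order the walkthrough would produce them.
SAMPLE_EVENTS = [
    ProcEvent("IIS APPPOOL\\Web", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent("IIS APPPOOL\\Web", r"C:\inetpub\wwwroot\jp.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("NT AUTHORITY\\SYSTEM", r"C:\inetpub\wwwroot\shell.exe", r"C:\inetpub\wwwroot\jp.exe"),
    ProcEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for image, patterns in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(patterns))
```

The same three checks map directly onto Sysmon Event ID 1 fields (User, Image, ParentImage), so they can be carried over to a SIEM rule as-is.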
References
ASPX Reverse Shell (GitHub): https://github.com/borjmz/aspx-reverse-shell
JuicyPotato (HackTricks): https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato
CLSIDs by OS (OHPE): https://ohpe.it/juicy-potato/CLSID/
Potatoes Windows PrivEsc (Jorge Lajara): https://jlajara.gitlab.io/Potatoes_Windows_Privesc