Granny Writeup
i. Port Scan
ii. Enumeration
Navigating to port 80:
Presented with an Under Construction page.
Running Nikto to enumerate the websoftware:
IIS 6 was shipped out with Windows 2003 R2 in 2005, which means it’s over 13 years old.
With software being that old, there’s bound to be an exploit out there.
Running the exploit in Metasploit:
Awesome, we got a shell!
iii. Privilege Escalation
We see that we are NT Authority\Network Service:
Network Service
is a built-in account with reduced privileges.
https://serverfault.com/questions/217654/difference-between-nt-authority-network-service-and-nt-authority-system
Metasploit has a local exploit suggester module which displays exploits that the machine might be vulnerable to:
Going to attempt the last one, ppr_flatten_rec
To do so, first need to background the session. Then setup the options for the exploit:
$ background # backgrounds session
$ sessions # shows available sessions
$ set SESSION #
Once the options are setup, run the exploit:
RequestError stdapi_sys_config_getsid
Strange error…
The error can be fixed by migrating the process.
First switch back to the session, and run ps
to see available processes:
The migrate to another process.
Note: the process must have same or lesser privileges. If not, you'll get an error when migrating
Re-run the exploit as before:
Looking at the UID, we are now SYSTEM
iv. Conclusion
This is a great beginner box into the world of Metasploit.
Thanks for reading.
Sources / Links:
[0]: https://serverfault.com/questions/217654/difference-between-nt-authority-network-service-and-nt-authority-system