Weak from CyberSecLabs is a beginner box hosting a FTP file share and Mircorosft IIS web server . We’ll use Nmap and Nikto to enumerate and find a foothold. For privilege escalation we will discover a common Windows privesc path manually without using automated tools like winPEAS.
Weak’s IP Address is 172.31.1.11
Let’s get started.
Scanning and Enumeration
I’ll begin with our standard Nmap scan: -sC for default scripts, and -sV for service enumeration.
First thing I notice at the top is port 21. FTP is open and since we ran our Nmap scan with default scripts we see that anonymous login is allowed. That’s most likely our initial entry point. I see port 80 is hosting a Microsoft IIS web server. Beyond that we have Microsoft SMB ports and an assortment of higher level ports. Those don’t interest me at the moment, let’s focus on those first two for now (21, 80).
Continuing to review our Nmap results we have the Host Scripts results section. Here we learn the machine’s operating system is Windows 7 Ultimate Service pack 1. That information could be useful to us later, so make a note. Nothing else to report here. Let’s move on and enumerate the interesting open ports.
I ran the Nikto vulnerability web scanner on port 80. Nothing to interesting to report here, but we are able to confirm Microsoft IIS 7.5 is running and it’s a default installation. Which does have known vulnerabilities we might be able to leverage.
First let’s connect to FTP on port 21 as the anonymous user. If you haven’t done this before you can enter any password you like when prompted. Again for first time FTP users, you can use the HELP command to get a list of commands. I first start with a ls command to list the contents of the directory. I receive an error message. Again if you’ve used FTP before, then you’ve likely encountered this. All you need to do is enter the “passive” command to switch to Passive mode. After you’ll see I’m able to use the ls command successfully.
The directory contents appear to be in the web root folder, which is the root folder used for port 80. In most default IIS installs you’ll find a welcome.png image file.
If we browse to the IP address and open the image in a new window. You’ll see that the welcome.png is the IIS logo image. This confirms the FTP directory is in the web root folder. So anything we upload to FTP we can then view or execute in our browser. Sound useful?
We’ve discovered a default IIS installation combined with a open FTP share in the web root directory. All we need to do is upload a reverse shell payload and execute it to gain access to the target. We will do this with MSFvenom.
The payload parameters took me a few tries to get right, mainly the file extension. I wasn’t sure initially which files IIS would accept and execute. So I tried a few and found success with the .aspx file extension.
With the payload created we need to transfer shell.aspx to the target. We’ll do this using the FTP client.
Like before you’ll connect to FTP with anonymous login, enable passive mode, and use the put command to transfer the file. Verify the file transferred successfully with a ls command.
After the reverse shell is transferred to the target setup a Netcat listener on the port specified in your msfvenom payload. With the listener running, navigate to 172.31.1.11/shell.aspx to execute the reverse shell.
Great! We have a low privileged shell as the IIS apppool/alpha site user. The Netcat shell is kinda limited so let’s upgrade it to a Meterpreter shell. That’ll give us more flexibility.
To start we need to create a meterpreter payload msfvenom. Our file type here will be a windows executable.
Now we will transfer the meterpreter payload using Certutil. This is a built-in utility included on most Windows operating systems and my go-to tool for windows file transfers.
With the meterpreter payload on the target machine, we need to launch MSFconsole and configure a Exploit/Multi/Handler. Set the parameters to match your port and IP Address and run the handler.
All we need to do now is execute shell.exe and wait for the Meterpreter session to connect. Awesome, we a nice Meterpreter prompt with lots of built in options and flexibility. That will help us during the next phase.
Privesc on this box will be a bit different, in that I won’t be running WinPEAS or any automated scripts to help us here. I found this path on my own by utilizing the whoami /priv command. It’s a good habit to run this command on any Windows box you get access to, it might lead you to towards a quick win or at least point you in the right direction for escalation.
Running whoami /priv reveals we have the SeImpersonatePrivilege privilege enabled. This allows us perform a Juicy Potato attack.
What is a Juicy Potato attack?
Juicy Potato is a variant of RottenPotatoNG which leverages the privilege escalation chain based on the BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges.
Basically, if you have the SeImpersonate or SeAssignPrimaryToken privileges enabled for your account, you can perform this type of local privilege escalation attack.
To launch a Juicy Potato attack we will need a couple of arguments.
JuicyPotato.exe -l [Any_Port] -p [Program_To_Execute] -t * -c
[Any_Port] = Any working port that is not blocked by the windows
[Program_To_Execute] Path to a msfvenom exe reverse shell that will be executed and connect back to our attacker machine.
[CLSID_Value] We need to find the correct CLSID value from the list.
So the only thing we need to search for would be the CLSID value. These values are operating system specific. If you refer back to the Github page, you can download the CLSID list for whichever Windows operating system you need.
We know from our scanning and enumeration that the target is a Windows 7 system. So make sure you get the Windows 7 CLSID list.
To get started we need a couple of files transferred to the target.
JuicyPotato.exe – The executable to launch the attack
TestCLSID.bat – This bat script will test each CLSID value included in CLSID.list
CLSID.list – The list of operating system specific CLSID values to test. This list feeds the TestCLSID.bat script.
Make sure to upload JuicyPotato.exe, TestCLSID.bat and CLSID.list to same folder on the target machine.
Start the TestCLSID.bat script and allow it to run for about 5 minutes. This should allow enough time to collect a CLSID running as the NT Authority/SYSTEM user.
Cat out the contents of the result.log and we should see many CLSID’s. Select anyone of the CLSID’s that is running under the NY Authority/SYSTEM account.
With the CLSID value selected we are ready to launch Juicypotato.exe. Refer back to the syntax above and fill in the arguments. I’ll be reusing my shell.exe file from before since its located in the same folder as the Juicy potato files.
You will need to configure the Exploit/Multi/Handler in Metasploit again for the new shell we are about to spawn.
Run the exploit and wait for the session to be opened.
Boom. We are NY Authority/SYSTEM. We’ve owned this box. Now all that’s left is…
Capture the Flags!
So that’s Weak from CyberSecLabs. A beginner box where we exploit a FTP file share/IIS web server with anonymous access to get a reverse shell and eventually launch a token impersonation attack using Juicy Potato to escalate our privilege to NY Authority. This was my first time using Juicy Potato and doing token impersonation and it was a great learning experience.