Introduction

Using Devel from HTB, I will show you how to exploit a Windows server running IIS 7.5 with anonymous FTP write access into the web root. We will then use a popular local privilege escalation exploit, MS11-046 (afd.sys), to get SYSTEM ("root"). This guide uses a well-known ASPX web shell, InsomniaShell, and is done entirely without Metasploit.

As the OSCP exam only allows Metasploit to be used against a single target, picking the proper time for it is imperative, so this guide is written without it. In your day to day I would highly recommend Metasploit (and PowerShell Empire); why make life more difficult than it needs to be?

Using anonymous FTP session to upload my web shell and exploit.

After running AutoRecon (which I have covered in depth previously) I can see port 21 is running FTP with anonymous logins enabled. I log in with the ftp client and notice iistart.htm in the directory. In the majority of cases this means the FTP root is the web root of an IIS server, so anything uploaded there will be served (and, for .aspx files, executed) by IIS. I open the page in a browser to verify. I then upload a favourite of mine, InsomniaShell.aspx. Later on I uploaded ms11-046.exe for the privilege escalation.

ALWAYS switch to binary mode (the binary command in the ftp client) before uploading executables or web shells to an FTP server. ASCII mode rewrites line endings and will corrupt the file, which causes a lot of errors/headaches.

I browse to InsomniaShell.aspx, enter my attack IP and port, and start a listener on my attack machine with nc -nvlp 1234. Once the reverse shell connects I navigate to C:\inetpub\wwwroot and execute the previously uploaded exploit. I used this exploit because the public build covers unpatched 32-bit (x86) Windows releases and I have experience with it from my OSCP. You could also upload WinPrivCheck.bat or winPEAS.bat to find a suitable exploit.

Check out HERE for more information and HERE for the exploit.

InsomniaShell running.

MS11-046 Exploit running.

Showing 'root' flags off in style. Useful for the OSCP.

Rooted

Published On: October 8th, 2020 / Categories: HTB, Technology