# Devel

## Devel - 10.10.10.5

### Target Enumeration:

OS: Windows

IP: 10.10.10.5

User: 9ecdd6a3aedf24b41562fea70f4cb3e8

Root: e621a0b5041708797c4fc4728bc72b4b

### Ports / Services / Software Versions Running

```
21/tcp open  ftp Microsoft ftpd
80/tcp open  http Microsoft IIS httpd 7.5
```

### Vulnerability Exploited:

Anonymous FTP upload to the web root, used to place an ASPX shell.

### Privilege Escalation:

windows/local/ms10\_015\_kitrap0d

This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

### Exploiting the host:

Nmap

![](https://lh3.googleusercontent.com/YE7c5NK4B8dZKeHmPTBU-SinRARLVJXcqkKx5RUswUMIAvslbRAwQRHVwqvfseXVkjEl962k14j6mzwPg4XvM9-zOZuokzjbrbDdqRBBaEpExa-slJyVkTcnraWZf5pSYfoBGyhq)

Anonymous login allowed.

Upload a test file to see if it is executed

<div align="left"><img src="https://lh6.googleusercontent.com/MlG_fSjP5EeibBwf4NWEjnhemw1XFqC_NBnH78Ps6A66URUcqlQPHVLviW_JzeFJ94qMqDn213mZmzEmQjS_ypRXqo8zHU-fMp0Po0Hp_K0QQO8NquWbEo2Lm0V6EMnzHI2cL7g6" alt=""></div>

Test to see if file is accessible remotely:

<div align="left"><img src="https://lh6.googleusercontent.com/C6hY_J9xEu9MoEIM6fRkuesFAOCAFnldWTRN8nfYQR9_9htNRUFDtx0GjyYUNboXSG8gOsUo7heMElJjNZIKPpEq91Awpoz2rV5Isc4GEfLN4PqhyFMg-cRx9S1pVljHc5GNu6ng" alt=""></div>

Now generate an aspx shell.

![](https://lh6.googleusercontent.com/gJGixYXpKiNw6GosTKhj9bD7YcSjgDv1ScmwRkn3RERFd7_385aDwEnxMJBKqkq4H4s1xwlDNgrjWZppjn-ii_UrTn4GQx88v1FVlbJH-7X20YuqqfqqknRsvw7u01eOMjtvj2Hb)

Open msfconsole and set a listener.

Upload vdk.aspx via anonymous ftp

<div align="left"><img src="https://lh6.googleusercontent.com/wMJmLEnCinTlQuiwJgD-TiWKCwllBUTkLeRmoyo1ZFebsvLkw_7skPo9NjwntTot5A7E5928_IdIcPsnN-BFkrcJ5-hyEV1ErjOGm6a-VHeWsBRFHffOwiyofmUDyTAaHmWFdZ7B" alt=""></div>

Request the file with curl

<div align="left"><img src="https://lh6.googleusercontent.com/PS-peojLYZC6C-IHLO3N7nK0uz2DTGSDj_u01QDm0NOUp6a4ihsraw0tR5Qd6vqBIefpJFhJamH9NBRM1SAWaEbvAfM3r72tyAZ-znlsk_v7ij1aOCVBHmpA87LHonMK1-wUOPQh" alt=""></div>

Watch your listener spawn a shell.

![](https://lh5.googleusercontent.com/oF6peeAbE2iZHTdgLsTb8TnsKCfUI1xsEmDjulsIKXad2f0xdhQ-bn__GLHOaP4UM-dqKjHRymPoTXnQr-OVZyT8qGR2Z2GYF71pd2TDDHvdzH_bXdkMYQ2RICGT2zZsVMAKidTn)
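The upload-then-request sequence above leaves a trace in both the IIS FTP log and the IIS HTTP log. The following is an added detection example, not part of the original writeup: it correlates a successful FTP `STOR` of a script file with a later HTTP 200 for the same path. It assumes both logs use W3C extended format with the fields shown and that the FTP root is the web root; the log lines, dates and client address are constructed, and only `vdk.aspx` and `10.10.10.5` come from the page.

```python
from datetime import datetime, timedelta

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")  # extensions IIS hands to a script handler

# Constructed sample logs (not from the page); columns follow each #Fields header.
FTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 anonymous 10.10.10.5 21 STOR /test.html 226
2024-01-01 10:05:12 192.0.2.10 anonymous 10.10.10.5 21 STOR /vdk.aspx 226
2024-01-01 10:06:00 192.0.2.10 anonymous 10.10.10.5 21 STOR /denied.aspx 550
"""
HTTP_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2024-01-01 10:00:30 10.10.10.5 GET /test.html 80 192.0.2.10 200
2024-01-01 10:05:40 10.10.10.5 GET /vdk.aspx 80 192.0.2.10 200
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def find_uploaded_script_hits(ftp_text, http_text, window=timedelta(hours=24)):
    """Return (path, ftp_user, uploader_ip, requester_ip) for each script file
    stored over FTP (226) and then served over HTTP (200) within `window`."""
    requests = parse_w3c(http_text)
    findings = []
    for up in parse_w3c(ftp_text):
        path = up["cs-uri-stem"].lower()
        stored = up["cs-method"].upper() == "STOR" and up["sc-status"] == "226"
        if not (stored and path.endswith(SCRIPT_EXT)):
            continue  # failed uploads and static files are not interesting here
        for req in requests:
            in_window = timedelta(0) <= req["ts"] - up["ts"] <= window
            if req["cs-uri-stem"].lower() == path and in_window and req["sc-status"] == "200":
                findings.append((up["cs-uri-stem"], up["cs-username"], up["c-ip"], req["c-ip"]))
    return findings

if __name__ == "__main__":
    for finding in find_uploaded_script_hits(FTP_LOG, HTTP_LOG):
        print("script uploaded over FTP and then served over HTTP:", finding)
```

On a host configured like this one, the underlying fix is to disable anonymous write access and to keep any FTP-writable directory out of a path where IIS will execute scripts.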

Enumerate the system for privesc opportunities with local exploit suggester.

![](https://lh3.googleusercontent.com/1XskU7WdIhbgQxdTByqc4vyATIWGBDYePmGgpzjdFXhtT2uAhZd0v0OA1acle9TA1CQM4CRUjOmULc4CYeAXXwZT5bMQPTOThEffcuEFBgGH9JyJhJab6DqMjYU7kPKKKp4iLaIs)

Use windows/local/ms10\_015\_kitrap0d

![](https://lh4.googleusercontent.com/-teIY0Cb7n8rbHXEPOn1ff44qiZtjDsyNlVmOURgNqPr57QF6OZIPo1uQFL4cxO0TKtS124lEzrKMhLe8HoozeWU318BeLmtHHfN50iyBmXAAIWmnHudPLbv52hCFRkkBN47K8Wd)

Execute the exploit

![](https://lh5.googleusercontent.com/Gzp2nnQ3hQDANNjIUk5jBu9a2k8hStABpOrx7HxFDAoZVX0DvvOMctA6luXQgs6E3A-f4ovcVMA_arJ4TCutOQEoWWwf4Tgf23UP3Pj7ORjq43Dy9vqjnRtoomC77URH1Lmtonwd)

Check we have system access

<div align="left"><img src="https://lh4.googleusercontent.com/Hi1kOy2nRlhG7m5wPTI-g8-14zhDx3Hvlz4G-sqi44YBa3HePX-EYDeLdFFXx1ecal1COtOKlrqe8ZNofeY9uFw463LgGp1ipK2z8edfTz-mcnuShzdDV5ce524iAd4VTtdDVrO_" alt=""></div>

Collect the flags:

<div align="left"><img src="https://lh5.googleusercontent.com/N0RMuygp4At190lDYpMNdoHKWtY7hOfTrWo_eikCj1EfUJiazw3FmFwkgNDL-DvWuhu8BkN3-9q0dR5i-Pu8_urOHnme8Y5Be-_dyOyKNLXJKE4nPlZ17aqTCtgTGEyAhj3AkevO" alt=""></div>
