This was a great lil box! If you want to learn about kernel mode LPEs, studying the exploits used to solve this box is a great way to do so.
nmap -sT -sV -A -v <ip> shows us an FTP server, as well as a webserver.
The webserver simply has a picture of a welcome sign that links to Microsoft's IIS homepage. The FTP server can be logged into to reveal a ".htm" file and a png named "welcome". This indicates to us that the FTP server is in the root directory of the web server. This is confirmed by uploading a text file and browsing to it: echo 'Hello, World!' > hello.txt; ftp <ip> <<< $(echo -e 'anonymous\n\nput hello.txt')
Getting A Shell:
We can get a shell by uploading an ASPX reverse shell through the FTP server. The one I had the only luck with was one found on github . Start a netcat listener and navigate to the shell from the browser: nc -lvp 3184.
Listing "C:\Users reveals a user "babis", but we don't have access to his home directory. Instead, we can immediately get to System using an LPE. Run systeminfo to get the current OS version. Googling exploits for this version lands us on an exploit from Exploit DB, that does an LPE against the "MS11-046" security bulletin. Download the exploit and compile it using: i686-w64-mingw32-gcc <exploit file> -o exploit.exe -l ws2_32. Upload it to the server (I just used the FTP server), and execute it. The FTP root is found at "C:\inetpub\wwwroot".
Once the code is done executing, run whoami to confirm we are now "nt authority/system". NOTE: The exploit doesn't show any output until you exit the shell. Grab the flags:
Last edit: 2021.08.25