Executive Summary#
The Devel machine exposes an FTP service that accepts anonymous logins and permits writes to a directory that is also the IIS 7.5 webroot. Uploading an ASPX payload over FTP and requesting it over HTTP gave remote code execution; privilege escalation via MS10-015 (KiTrap0D) then yielded NT AUTHORITY\SYSTEM.
Attack Chain (PTES Mapping)#
1. Discovery & Enumeration#
Identification of FTP (port 21) and HTTP (port 80). Anonymous login was enabled, and the FTP root directory was mapped to the IIS webroot.
nmap -Pn -sS -p- -T4 -sV 10.129.9.61
- MITRE Technique: T1190 - Exploit Public-Facing Application.
2. Exploitation (Initial Access)#
An ASPX reverse-shell payload generated with msfvenom was uploaded over anonymous FTP into the webroot. Requesting the file over HTTP made IIS compile and execute it, which connected back to the waiting handler and returned the initial shell.
- MITRE Technique: T1505.003 - Server Software Component: Web Shell.
3. Privilege Escalation#
Local enumeration identified the system as vulnerable to MS10-015 (KiTrap0D). The initial session was backgrounded and the Metasploit local exploit module was run against it to upgrade the session to NT AUTHORITY\SYSTEM. The module targets 32-bit Windows, so the architecture of the initial payload must match the host.
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1 # ID of the backgrounded session, from `sessions -l`
msf exploit(windows/local/ms10_015_kitrap0d) > run
meterpreter > getuid # Server username: NT AUTHORITY\SYSTEM
- MITRE Technique: T1068 - Exploitation for Privilege Escalation.
Remediation (NIST SP 800-115)#
- Configuration Hardening: Disable anonymous FTP login and remove write permissions from the webroot. If FTP is genuinely required, require authenticated users and point the FTP root at a directory that is not served by IIS, so an upload can never become an executable web resource.
- Vulnerability Management: Apply the MS10-015 kernel update and the remaining critical patches; because this Windows release is end-of-life, plan migration to a supported version rather than relying on patching alone.
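The two conditions that made the initial access possible (anonymous login and an anonymous-writable FTP root that doubles as the webroot) are also what the remediation must remove, so one check verifies both before and after the fix. The following is an added example for this write-up, not code from the original page. The FTP client is injected so the probe runs offline against the constructed FakeFtp stand-in; the canary file name, the FakeFtp class and the make_http_fetch helper are assumptions of this example, and against a live target you would pass ftplib.FTP(host) and make_http_fetch(host) instead.

```python
"""Probe an FTP service for anonymous login, anonymous write, and whether the
uploaded file is then served over HTTP (FTP root == IIS webroot).

Added example for this write-up, not code from the original page. The FTP
client is injected so the check runs offline against the constructed FakeFtp
below; against a live host use ftplib.FTP(host) and make_http_fetch(host).
"""
import io
import ftplib
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical probe file name and content; any harmless, unique name works.
CANARY_NAME = "ftp_write_probe_7f3a.txt"
CANARY_BODY = b"anonymous-ftp-write-probe\n"


@dataclass
class FtpExposure:
    anonymous_login: bool   # 'anonymous' was accepted
    anonymous_write: bool   # STOR into the FTP root succeeded
    served_by_web: bool     # the stored file was retrievable over HTTP
    cleaned_up: bool        # probe file was deleted (False: remove it by hand)


def check_anonymous_ftp(ftp, fetch: Optional[Callable[[str], Optional[bytes]]] = None) -> FtpExposure:
    """Log in as anonymous, STOR a canary, optionally GET it over HTTP, DELE it.

    `ftp` is an ftplib.FTP or any object with login/storbinary/delete/quit.
    `fetch(name)` returns the bytes served at http://<host>/<name>, or None.
    A host hardened per the remediation section fails at the login step.
    """
    try:
        ftp.login("anonymous", "anonymous@example.com")
    except ftplib.error_perm:
        return FtpExposure(False, False, False, True)

    wrote = served = False
    cleaned = True
    try:
        ftp.storbinary(f"STOR {CANARY_NAME}", io.BytesIO(CANARY_BODY))
        wrote = True
    except ftplib.error_perm:
        pass  # read-only anonymous access: still an exposure, but no upload path

    if wrote:
        if fetch is not None:
            served = fetch(CANARY_NAME) == CANARY_BODY
        try:
            ftp.delete(CANARY_NAME)
        except ftplib.error_perm:
            cleaned = False
    try:
        ftp.quit()
    except ftplib.all_errors:
        pass
    return FtpExposure(True, wrote, served, cleaned)


def make_http_fetch(host: str, timeout: float = 10.0) -> Callable[[str], Optional[bytes]]:
    """Build a fetch() for a live target: GET http://host/<name>, None on any error."""
    def fetch(name: str) -> Optional[bytes]:
        try:
            with urllib.request.urlopen(f"http://{host}/{name}", timeout=timeout) as resp:
                return resp.read()
        except OSError:  # URLError/HTTPError derive from OSError
            return None
    return fetch


class FakeFtp:
    """Constructed in-memory stand-in for ftplib.FTP with a configurable policy.
    http_get() models IIS serving the FTP root as the webroot."""

    def __init__(self, allow_anonymous: bool, allow_write: bool):
        self.allow_anonymous = allow_anonymous
        self.allow_write = allow_write
        self.files: dict = {}
        self.logged_in = False

    def login(self, user="anonymous", passwd="", acct=""):
        if user == "anonymous" and not self.allow_anonymous:
            raise ftplib.error_perm("530 User cannot log in.")
        self.logged_in = True
        return "230 User logged in."

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        name = cmd.split(" ", 1)[1]
        if not (self.logged_in and self.allow_write):
            raise ftplib.error_perm("550 Access is denied.")
        self.files[name] = fp.read()
        return "226 Transfer complete."

    def delete(self, filename):
        if not (self.logged_in and self.allow_write) or filename not in self.files:
            raise ftplib.error_perm("550 Access is denied.")
        del self.files[filename]
        return "250 DELE command successful."

    def quit(self):
        self.logged_in = False
        return "221 Goodbye."

    def http_get(self, name):
        return self.files.get(name)


if __name__ == "__main__":
    devel = FakeFtp(allow_anonymous=True, allow_write=True)   # the page's finding
    print("Devel-like:", check_anonymous_ftp(devel, fetch=devel.http_get))
    fixed = FakeFtp(allow_anonymous=False, allow_write=False)  # after remediation
    print("Hardened:  ", check_anonymous_ftp(fixed, fetch=fixed.http_get))
```

Run it against the target after the configuration change: the expected result is anonymous_login=False, which short-circuits the rest. A result with anonymous_login=True but anonymous_write=False is an improvement but still leaks directory contents, and served_by_web=True with write access is exactly the Devel condition. The probe always tries to delete its canary; if cleaned_up comes back False, remove the file manually so the check does not itself leave an artifact in the webroot.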
