search
Read BlogpostsLet's Connect

Devel

Got root using MS10-015 kernel exploit after failing all Potato/UAC bypass attempts.

hashtag
Summary

  • Two open ports found: FTP (21) and HTTP (80), both hosted on IIS 7.5.

  • Anonymous FTP login allowed with full read/write access.

  • Uploaded a web shell through FTP and accessed it via the HTTP server.

  • Gained reverse shell using a custom MSF payload.

  • Manual enumeration revealed SeImpersonatePrivilege was enabled.

  • Tried multiple potato variants and UAC bypass attempts—none worked.

  • Eventually achieved SYSTEM access using an unpatched exploit (MS10-015) for Windows 7.

hashtag
🧵 Let's Unpack

hashtag
🔍Enumeration

sudo nmap -sC -sV -A -T4 -p- 10.10.10.5
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|   Files listed: aspnet_client, iisstart.htm, shelly.asp, shelly.aspx, welcome.png
| ftp-syst: 
|   SYST: Windows_NT

80/tcp open  http    Microsoft IIS httpd 7.5
| http-title: IIS7
| http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Potentially risky methods: TRACE

Notable findings:

  • Anonymous FTP access with upload permissions

  • IIS 7.5 running on port 80

  • Accessible files via FTP and HTTP

hashtag
️️⚙ Initial Foothold

Used the FTP upload capability to drop a reverse shell payload:

Got a reverse shell back using nc listener:

hashtag
Privilege Escalation

Initial attempts:

Tried classic Potato techniques:

But binary execution failed due to UAC restrictions and lack of PowerShell.

Tried UAC bypass:

No success

Eventually, ran systeminfo and noticed the system was severely outdated (Windows 7), with no patching. Compiled and used a known kernel exploit:

Boom! got SYSTEM access.

PreviousHackTheBoxNextLegacy

Last updated