Intro
Pretty fast and obvious box. Let me guide you through my pwn:
Target
HTB - Devel
Recon
Usual recon here, based on the box's logo and info card:
Enum
We run our classic nmap scan:

```
sudo nmap -T4 -A -p- -oA nmap $target_ip
```

```
# Nmap 7.91 scan initiated Tue Feb 16 14:42:03 2021 as: nmap -T4 -A -p- -oA nmap $target_ip
Nmap scan report for $target_ip
Host is up (0.023s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   23.39 ms 10.10.14.1
2   23.58 ms $target_ip

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 16 14:43:43 2021 -- 1 IP address (1 host up) scanned in 100.14 seconds
```
Our scan reveals an FTP server that allows anonymous login and an IIS 7.5 web server. The anonymous FTP listing shows iisstart.htm, welcome.png and aspnet_client, which are the default contents of an IIS web root, so the FTP root is very likely the same directory IIS serves. Based on that, I guess we'll have to upload a malicious file via FTP and run it through the IIS web server!
Before attacking, we'll check searchsploit for anything interesting, but nothing will come up.
Let's start exploiting directly!
Exploitation
The server is running IIS, so let's try to upload an aspx shell.
Getting initial shell
A quick search brought me to this one. I uploaded it via anonymous FTP into the root of the web directory, browsed to it, and it worked!

Unfortunately, the web shell runs under the IIS application pool account, not SYSTEM, and can't even read the user flag, which sits under the profile of a user called babis. It's time to escalate our privileges! But first, we should do recon from inside: upload winPEAS.bat (the same way, via FTP into the web root) and execute it as below:
```
"C:\inetpub\wwwroot\winPEAS.bat log"
```
This will generate a lot of info about Windows version, patches applied (or not), user rights, etc. This is a goldmine!
PrivEsc
Now, from what I learned, a good way to escalate privileges on a Windows host is to look for missing patches and the public privilege-escalation exploits that go with them.
Our WinPEAS log file showed the following:

```
"Microsoft Windows 7 Enterprise "
[i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
MS11-080 patch is NOT installed XP/SP3,2K3/SP3-afd.sys)
MS16-032 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
MS11-011 patch is NOT installed XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
MS10-59 patch is NOT installed 2K8,Vista,7/SP0-Chimichurri)
MS10-21 patch is NOT installed 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
MS10-092 patch is NOT installed 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
MS10-073 patch is NOT installed XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
MS17-017 patch is NOT installed 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
MS10-015 patch is NOT installed 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
MS08-025 patch is NOT installed 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
MS06-049 patch is NOT installed 2K/SP4-ZwQuerySysInfo)
MS06-030 patch is NOT installed 2K,XP/SP2-Mrxsmb.sys)
MS05-055 patch is NOT installed 2K/SP4-APC Data-Free)
MS05-018 patch is NOT installed 2K/SP3/4,XP/SP1/2-CSRSS)
MS04-019 patch is NOT installed 2K/SP2/3/4-Utility Manager)
MS04-011 patch is NOT installed 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
MS04-020 patch is NOT installed 2K/SP4-POSIX)
MS14-040 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
MS16-016 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
MS15-051 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
MS14-070 patch is NOT installed 2K3/SP2-TCP/IP)
MS13-005 patch is NOT installed Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
MS13-053 patch is NOT installed 7SP0/SP1_x86-schlamperei)
MS13-081 patch is NOT installed 7SP0/SP1_x86-track_popup_menu)
```
From this list, I narrowed it down to the entries that match the system I was attacking: Windows 7 Enterprise 6.1.7600 N/A Build 7600, which is SP0 according to a quick web search (build 7600 is the RTM release; SP1 is build 7601). Matching the exact version and service pack matters, because a kernel exploit built for the wrong one tends to crash the box rather than escalate.
Then I "randomly" (not totally random: it matches the target's OS) tried the MS11-011 vuln, without luck.
Then I tried MS10-059 (listed as MS10-59 above). For this one, I had to run a listener on my attack box, then run the exploit on the target so it connected back to the listener, as shown below:

NB: I simply uploaded the exploit binary via FTP to the wwwroot dir.
And it got me SYSTEM:

Now getting the user and root flags was just a matter of browsing to the correct directories and printing the content of the files:


Outro
After my debacle on the last box, it felt awesome to be able to pwn this one easily. I feel my efforts are starting to pay off and that I'm beginning to get the hang of it. The hacker's mindset is coming, and it feels good!