Devel
https://www.hackthebox.eu/home/machines/profile/3
**Nmap **
As we can see we have port 21 and port 80 open. I will start by hitting port 80 with gobuster
and nikto
to save some time and will then jump into port 21.
FTP
From the nmap
results earlier we can see FTP is running on port 21 and anonymous login is allowed. (nmap will check this by default). We successfully login as per below:
We are able to login with a blank password using the anonymous login. We can see the aspnet_client directory where if we follow leads us to a directory with the .NET framework version it is running under.
We can take a note of the version running on the machine in the event we need it. From the login directory of the FTP we can see the welcome page "welcome.png" for IIS. When viewing this we can see the server is running IIS7.
File Upload
As it is possible the FTP has been misconfigured we should check to see if we can perform a file upload. If we are able to perform this it is probable we could access uploaded files in the web browser and get a reverse shell on the server.
We can see when we now browse to the file in a web browser we can see our text file confirming file upload.
Payload Creation
At this point we should see if we can get a reverse shell uploaded and hopefully we can execute it as well. As this is an IIS server we would ideally need to use a ASP or ASPX reverse shell. We can create these with msfvenom
.
We need to use the following payload:
netcat does not handle staged payloads well so the payload above is unstaged.
I used port 443 for my port in the payload as this is a reliable connection that is usually open on web servers.
We can upload the payload to the server using the put
command.
Reverse Shell
Before attempting to execute the payload we need to set up a netcat
listener to catch the reverse shell. if we are using a port within the 1-1024 range we will need to use sudo
We can now browse to the directory of the file we uploaded.
After checking back on netcat
we have a shell as a low privilege account on the server.
Privilege Escalation
We should now run the systeminfo
command to see what initial information we can gather regarding the system. Taking note the important fields such as OS Name and System Type.
We can take the systeminfo
information and run this against Windows exploit suggester.
The exploit we are interested in above is MS10-059. This is a kernel level exploit which affects the following:
Vulnerability Identifier: CVE-2010-2554; CVE-2010-2555
Risk: Important
Affected Software:
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems
Windows Vista Service Pack 1
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1
Windows Vista x64 Edition Service Pack 2
Description:
This security update addresses vulnerabilities in the the Tracing Feature for Services that could allow increase in privilege once an attacker runs a specially crafted application.
In this scenario we are going to use the Chimichurri compiled exploit taken from the following GitHub link:
https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled
Once downloaded we can cd
to the directory where we have the Chimichurri.exe on our attacking machine and start a Python SimpleHTTPServer
with the following command:
If no port is specified Python will default to port 8000
We can then use certutil.exe
on the Windows machine to download the executable from our attacking machine.
When attempting to run the executable we are given a usage example:
First we can set up a netcat
listener on our attacking machine to catch the shell.
We can these use the following command to run Chimichurri.exe
After waiting a short while we should gain a shell as NT Authority\system
Last updated