DEVEL — HTB walkthrough

Dhanishtha Awasthi
5 min read · Jul 2, 2020

Hack your way in, the way you want. Easy machine. The privilege-escalation exploit covered is exploit/windows/local/ms10_015_kitrap0d, with JuicyPotato shown as an alternative route to SYSTEM.

Nmap scan for ports, services and OS

The scan shows port 21 (FTP) with anonymous login allowed and a Microsoft IIS 7.5 web server on port 80.

FTP Enumeration

So we observe here:

  • one HTML file (iisstart.htm, the default IIS start page)
  • a PNG file
  • an aspnet_client directory, which contains nothing of interest (its presence does tell us that ASP.NET is registered with this IIS instance)

PORT 80 Enumeration

Port 80 shows the default IIS7 welcome page; the page source contains nothing of interest.

  1. Enumerating IIS 7.5 exploits

The exploit listing shows a remote DoS, which we won't use. Looking at the "multiple vulnerabilities" text file, Microsoft IIS 7.5 has a client authentication bypass and a .NET source code disclosure issue, but neither gives us code execution on this box, so we move on.

Going back to the iisstart.htm we found on FTP, let us open it in the browser and capture the request in Burp.

Send it to Repeater to analyze the request. If we change the request method from GET to PUT, IIS answers with 411 Length Required, so PUT is at least routed rather than rejected outright. More importantly, the file we fetched over FTP is the same file IIS serves over HTTP: the anonymous FTP root is the IIS webroot (C:\inetpub\wwwroot), so anything we upload is reachable through the web server. Time to exploit…

EXPLOITATION

  1. Let's try to put a malicious ASP file on the machine
First create the payload with msfvenom, using the asp output format.
Now upload it to the server using FTP.

On opening this in the browser I found "cannot be displayed". So I realized we used the wrong format: we added .asp instead of .aspx.

Difference between ASP and ASPX

  • .asp is classic ASP (VBScript/JScript). It is handled by the asp.dll ISAPI extension, which on IIS 7.x is an optional role service and is not installed by default; a request for an .asp file on a server without it fails instead of running the script.
  • .aspx is ASP.NET. It is handled by the .NET framework's ASP.NET handler, which is registered on this box (the aspnet_client directory seen over FTP is created when ASP.NET is registered with IIS).
  • ASP.NET offers compiled pages and an event-driven, control-based programming model.
  • Classic ASP is a conventional interpreted web-scripting environment.
Now we generate the payload again, this time in aspx format.

Upload it to FTP again so that IIS will execute it when it is requested in the browser.
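The two facts that make this foothold work, "FTP root equals webroot" and "IIS executes .aspx but not .asp here", can be checked with harmless probe pages before burning a payload. The script below is an added example for this walkthrough, not code from the original post. It assumes the target 10.10.10.4 from the post, anonymous FTP login, and the Python 3 standard library; the two probe pages are constructed for the example, and classify() is what distinguishes "executed" from "served raw" (which would also leak your payload source) from "error".

```python
"""Probe whether anonymous-FTP uploads are executed by IIS.

Added example for this walkthrough, not code from the original post.
Assumptions (not taken from the page): Python 3 standard library only,
target 10.10.10.4 as in the post, anonymous FTP login allowed, and the FTP
root being the IIS webroot. The two probe pages are constructed here.
"""
import io
import ftplib
import urllib.error
import urllib.request

TARGET = "10.10.10.4"

# Constructed probe pages. If the right handler runs them, the response body
# is the marker string alone; if not, IIS either serves the source text back
# verbatim or returns an HTTP error (what the .asp attempt above hit).
PROBE_ASPX = b'<%@ Page Language="C#" %><% Response.Write("ASPX-EXECUTED"); %>'
PROBE_ASP = b'<% Response.Write("ASP-EXECUTED") %>'


def classify(source: bytes, status: int, body: bytes) -> str:
    """Decide what IIS did with an uploaded script file.

    'error'    : HTTP 4xx/5xx (no handler for the extension, or it failed)
    'raw'      : source served back as static content (handler not mapped,
                 which would also leak your payload source)
    'executed' : the handler ran the page and emitted only the marker
    'unknown'  : anything else (custom error page with 200, etc.)
    """
    if status >= 400:
        return "error"
    if body.strip() == source.strip():
        # Checked before the marker test: the source text itself contains
        # the marker string, so a raw echo would otherwise look "executed".
        return "raw"
    if b"-EXECUTED" in body and b"Response.Write" not in body:
        return "executed"
    return "unknown"


def upload(name: str, data: bytes, host: str = TARGET) -> None:
    """Drop a file into the anonymous FTP root (== webroot on this box)."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()                      # anonymous login, empty password
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def fetch(name: str, host: str = TARGET):
    """GET the uploaded file through IIS; return (status, body)."""
    url = f"http://{host}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(name: str, data: bytes, host: str = TARGET) -> str:
    """Upload one probe page and classify how the web server handled it."""
    upload(name, data, host)
    status, body = fetch(name, host)
    return classify(data, status, body)


if __name__ == "__main__":
    # On this box the .asp probe errors and the .aspx probe executes, which
    # is exactly why the .aspx payload worked and the .asp one did not.
    for name, page in (("probe.asp", PROBE_ASP), ("probe.aspx", PROBE_ASPX)):
        print(f"{name}: {probe(name, page)}")
```

Run it once against the box before uploading a real payload; a "raw" result is worth noticing on other targets, because it means the server would hand your shell's source code to anyone who requests the file.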

Start a netcat listener on our machine on port 4444, then request http://10.10.10.4/offs3cg33k.aspx in the browser.

So you see we get a reverse connection from the server. You can do the same with msfconsole; this is required if the payload is a meterpreter stager (which the incognito step below needs), because a plain netcat listener cannot deliver the stage:

use exploit/multi/handler

Enumerating all folders, I could not find any interesting file. It's time for privilege escalation.

  1. Checking which privileges we have
We have SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. IIS application-pool identities hold these by design, and they are exactly what the potato family of exploits abuses.
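A quick triage of whoami /priv output, as an added example that is not part of the original walkthrough: it pulls the privilege names out of the listing, flags the two that make a potato-style escalation viable, and notes other classic escalation privileges. The sample output is constructed to resemble an IIS application-pool identity like the one above; it is not the real box's output.

```python
"""Triage 'whoami /priv' output for escalation-relevant privileges.

Added example for this walkthrough, not code from the original post. The
sample output below is constructed to look like an IIS application-pool
identity such as the app-pool shell above; it is not the real box's output.
"""
import re
from typing import List, NamedTuple


class Priv(NamedTuple):
    name: str
    state: str   # 'Enabled' or 'Disabled' as printed by whoami


# Constructed sample in the column layout whoami /priv prints.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either of these two is enough for the potato family (Juicy/Rotten Potato):
# the tool coerces a SYSTEM authentication and impersonates the resulting token.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Other privileges that are classic escalation paths on their own.
OTHER_PRIVS = {
    "SeDebugPrivilege": "open and inject into any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# Name, free-text description, then the State column at the end of the line.
_LINE = re.compile(r"^(Se\w+)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> List[Priv]:
    """Extract (name, state) pairs; header and separator lines do not match."""
    return [Priv(m.group(1), m.group(2))
            for m in (_LINE.match(line.rstrip()) for line in text.splitlines())
            if m]


def potato_candidate(privs: List[Priv]) -> bool:
    """True if a potato-style escalation is worth trying.

    The State column is deliberately ignored: a privilege listed as Disabled
    is still held by the token, and a process can enable it for itself with
    AdjustTokenPrivileges (JuicyPotato does this). Only privileges that are
    absent from the list are really missing.
    """
    return bool({p.name for p in privs} & POTATO_PRIVS)


def report(privs: List[Priv]) -> List[str]:
    """Human-readable findings, one per interesting privilege."""
    findings = []
    for p in privs:
        if p.name in POTATO_PRIVS:
            findings.append(f"{p.name} ({p.state}): try JuicyPotato/RottenPotato")
        elif p.name in OTHER_PRIVS:
            findings.append(f"{p.name} ({p.state}): {OTHER_PRIVS[p.name]}")
    return findings


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("potato candidate:", potato_candidate(privs))
    for line in report(privs):
        print(" -", line)
```

Paste the real whoami /priv output into SAMPLE_WHOAMI_PRIV (or read it from a file) to triage a new shell; the point of ignoring the State column is that SeAssignPrimaryTokenPrivilege shows as Disabled on app-pool identities and still works.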

We can try to exploit them in several ways. Here is the methodology I followed.

  1. Using meterpreter Incognito
Background the session and load incognito.

Since we are already IIS APPPOOL\web, let's impersonate NT AUTHORITY\IUSR.

Enumerating privileges

We now belong to NT AUTHORITY\SERVICE and have SeImpersonatePrivilege, the same as before. Nothing new, so this method was of no use to us: incognito can only impersonate tokens that already exist on the box and that our process is allowed to open, and no administrator or SYSTEM token was listed.

Method 2: the easiest path is to run Metasploit's local exploit suggester (post/multi/recon/local_exploit_suggester) against the session and work down its list.

Using exploit/windows/local/bypassuac_eventvwr
The exploit did not work. This is expected: a UAC bypass only helps when the current user is already a local administrator running at medium integrity, and an IIS app-pool identity is not, so we go down the list and use the next one.
exploit/windows/local/ms10_015_kitrap0d
KiTrap0D (MS10-015) is a kernel privilege-escalation bug reached through the 16-bit NTVDM subsystem, so it only works on unpatched 32-bit Windows, which this Windows 7 x86 box is. It returns a SYSTEM session.
Getting the root flag
Getting the user flag

Way 3: JUICY POTATO

Here we will try JuicyPotato to get to NT AUTHORITY\SYSTEM.

First let's enumerate the system with systeminfo; the Windows version and architecture decide which CLSID and which JuicyPotato build we need.

So we pick a CLSID for this Windows version from http://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise/

{03ca98d6-ff5d-49b8-abc6-03dd84127020}

Now we will transfer JuicyPotato.exe (the x86 build, to match the target) to the target and run it. Refer: https://github.com/ivanitlearning/Juicy-Potato-x86

For this we need to compile it in Visual Studio: open the .sln file and run the build task (Terminal > Run Build Task). This produces JuicyPotato.exe.

I renamed it to JP.exe and transferred using FTP.

Then copy it out of the webroot to a writable scratch directory, so it is not served to everyone over HTTP and FTP while we work:

copy C:\inetpub\wwwroot\JP.exe C:\Windows\Temp

Open a listener on port 1234 in a different shell; the process JuicyPotato spawns as SYSTEM connects back to it.

This gives you a shell, and you see you are NT AUTHORITY\SYSTEM. ROOTED!!!

Solution

Refer: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015

The bulletin's workaround for KiTrap0D, which disables the 16-bit NTVDM subsystem the bug is reached through:

1. Click **Start**, click **Run**, type **gpedit.msc** in the **Open** box, and then click **OK**. This opens the Group Policy console.
2. Expand the **Administrative Templates** folder, and then click **Windows Components**.
3. Click the **Application Compatibility** folder.
4. In the details pane, double click the **Prevent access to 16-bit applications** policy setting. By default, this is set to **Not Configured**.
5. Change the policy setting to **Enabled**, and then click **OK**.

**Impact of workaround.** Users will not be able to run 16-bit applications.

Note that this is only a workaround; the actual fix is installing the MS10-015 security update. It does nothing against the JuicyPotato path, and neither addresses the foothold itself: an anonymous-writable FTP root that is also the IIS webroot.
