This is the first of a write-up series which has a few goals:
- learn
- prepare for the OSCP exam
- share what I learned and what I did wrong in the process of hacking the machine
- share what I learned reading other write ups
ENUMERATION
Nmap tcp full scan
nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.93
The nmap output highlights the presence of a web server running on port 80: Microsoft IIS 7.5.
Dirb common
dirb http://10.10.10.93 -o dirb_common.txt
Dirb shows that a directory named /uploadedfiles/ exists. This suggests that we should find a way to upload files to the server.
EXPLOITATION
I already felt lost because I couldn’t find references to the upload function and I started to search for:
iis 7.5 exploit, iis 7. exploit, iis 7 rce
Then I built a list of the possible exploits to try:
1. File Restriction Bypass
Extract:
I unsuccessfully tried to run wfuzz as follows:
wfuzz -Z -c -w /usr/share/wordlists/dirb/big_asp.txt --hc=404 'http://10.10.10.93/uploadedfiles:$i30:$INDEX_ALLOCATION/FUZZ'
Reading the exploit-db entry again, I had missed an important point…
…and we didn’t have a password protected directory.
2. MS15-034
This vulnerability looked promising because, from the description, it could lead to RCE. The exploit leverages the HTTP Range header value, which is normally used to resume interrupted downloads.
Analysis:
Extract:
The first step was running the check, which gave a positive response (HTTP Error 416. The requested range is not satisfiable):
curl -v 10.10.10.93 -H "Host: anything" -H "Range: bytes=0-18446744073709551615"
I was almost smiling 😬 because I thought I was on the right track…
…anyway I wasn’t able to find any RCE exploits, only DoS 😤.
3. Tilde Character Name Disclosure
When you create a file on Windows, it also generates an MS-DOS-compatible short file name in 8.3 format. If you send particular requests to an IIS server, it is possible to infer short file names from the server responses (for example: 400 vs 404).
Original paper:
https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
A scanner exists to automate the process.
Run the scan:
java -jar iis_shortname_scanner.jar
Results were truncated. I created a file containing all the words I found using egrep -r ^transf inside the /usr/share/wordlists/ directory, in order to complete the file name of TRANSF~1.ASP.
Since the scanner output indicated that the extension was .asp, I made another mistake: I used the new wordlist with dirb using the option -X .asp (and .asp only) to add the .asp extension to each entry. After another unsuccessful result I started to think I had missed something about the extensions. Were the extensions also truncated 🤔?
To get a better understanding of how short names work I created two files on a Windows system, mistake.aspx and newmistake.asp, then ran dir /X and looked at the results. The short version of the names truncated both the name and the extension. That means I also had to try the .aspx extension.
Using the extension option in gobuster allowed me to find transfer.aspx.
gobuster dir -u http://10.10.10.93 -w transform_uniq.txt -x .aspx,.asp
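The truncation behaviour observed with dir /X, as an added example that is not part of the original post: short_name() derives the 8.3 name NTFS would generate for a long file name, and expand_short() does the reverse expansion that was done by hand above (wordlist prefix plus candidate extensions). The character handling is a simplified assumption (the real algorithm also covers Unicode names and hashed ~N forms after four collisions).

```python
import re
from typing import Iterable, List, Optional, Set

# Characters NTFS replaces with "_" in a short name (assumption: the common
# subset; spaces and embedded dots are dropped rather than replaced).
_ILLEGAL = re.compile(r'[+,;=\[\]]')


def _clean(part: str) -> str:
    return _ILLEGAL.sub('_', part.replace(' ', '').replace('.', ''))


def short_name(long_name: str, taken: Optional[Set[str]] = None) -> str:
    """Derive the 8.3 short name Windows generates for long_name.

    Mirrors what dir /X showed: the base name is cut to 6 chars + ~N and the
    extension to 3 chars. `taken` holds short names already present in the
    directory so that ~1, ~2, ... are assigned the way NTFS does.
    """
    taken = taken or set()
    upper = long_name.upper()
    base, dot, ext = upper.rpartition('.')
    if not dot or not base:            # no extension, or a dot-file such as .htaccess
        base, ext = upper, ''
    clean_base, clean_ext = _clean(base), _clean(ext)
    if (clean_base, clean_ext) == (base, ext) and len(base) <= 8 and len(ext) <= 3:
        return upper                   # already a valid 8.3 name: no tilde form is created
    stem = clean_base[:6]
    for n in range(1, 5):              # NTFS tries ~1..~4 before switching to a hashed form
        candidate = f"{stem}~{n}" + (f".{clean_ext[:3]}" if clean_ext else '')
        if candidate not in taken:
            return candidate
    raise ValueError("more than four collisions; Windows would use a hashed short name")


def expand_short(short: str, words: Iterable[str], extensions: Iterable[str]) -> List[str]:
    """Long names from words x extensions that would produce `short` (ignoring ~N).

    A tilde name only exists for names that do NOT already fit 8.3, so
    TRANSF~1.ASP is consistent with transfer.aspx but not with transfer.asp.
    """
    def strip_counter(s: str) -> str:
        return re.sub(r'~\d+', '~', s.upper())

    target = strip_counter(short)
    return [w + e for w in words for e in extensions
            if strip_counter(short_name(w + e)) == target]
```

On the defensive side, the disclosure surface for newly created files goes away when 8.3 name creation is disabled on the volume (fsutil 8dot3name set 1), which is why the scanner finds nothing on hardened hosts.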
As a reminder:
web.config RCE
I first tried to upload .aspx, .asp and .exe files, but without success.
Searching for:
iis rce upload
one of the first results was:
So the first step was to upload an empty web.config file to check whether the extension was whitelisted. It was uploaded successfully.
The second step was an attempt to retrieve a file from the attacker system. I modified the web.config file as follows, uploaded it, and then visited http://10.10.10.93/uploadedfiles/web.config to trigger the RCE.
The GET request reached the attacker machine…
…but "CertUtil: Access is denied." probably meant that we couldn't write in that directory. In fact the file /prova was not found.
The reverse shell was obtained as described below:
A first web.config upload was used to transfer nc.exe to the target, but into another directory (note the \\).
A second web.config upload was used to run nc.exe (note that if you use cmd /c you don't need to escape \).
It was also possible to obtain a reverse shell using a single command:
Another way to get a reverse shell, used by a friend of mine (giofz), was:
- rename nc.exe to nc.jpg
- upload nc.jpg through transfer.aspx (.jpg was an allowed extension)
- use the web.config RCE to rename nc.jpg to nc.exe and run nc.exe
The user flag was a hidden file.
PRIVILEGE ESCALATION
Two of the first commands I run on a Windows system are whoami /priv and systeminfo. The former checks whether the current user has some dangerous privileges. The latter checks the OS version and whether hotfixes have been applied.
If the user has the SeImpersonate or SeAssignPrimaryToken privilege then you are SYSTEM.
This means the system is vulnerable to JuicyPotato.
JuicyPotato
Basically, using a local MITM approach the exploit negotiates an NT AUTHORITY\SYSTEM account token and then impersonates it, thanks to the privileges the user has.
You can find JuicyPotato here https://github.com/ohpe/juicy-potato/.
MS10-092, MS16-014
From the output of systeminfo, no hotfix had been applied.
As reported here https://0xdf.gitlab.io/2018/10/27/htb-bounty.html, the system is also vulnerable to MS10-092 and MS16-014. Both of them lead to SYSTEM privileges.
EXTRA
Merlin
Merlin is a post-exploitation Command & Control (C2) written in golang (like EoP/MSF). Ippsec used this tool instead of a classic reverse shell.
migrate meterpreter
When you get a meterpreter session you can check whether the process meterpreter resides in is x64 or x86. Ippsec shows how migrating from a 32-bit process to a 64-bit process, in order to be consistent with the target system architecture, gives different results when the local_exploit_suggester module is run.
Before migration.
Migration process: first use ps to check the running processes and then use migrate <pid> to migrate meterpreter to a 64-bit process.
After meterpreter migration.
__VIEWSTATE, __EVENTVALIDATION
Another interesting thing ippsec shows in his video is how to write a python script which searches for whitelisted extensions for the upload function. Tasks like this require successive requests to be sent to the target. If there are values which change at every request or after a short period of time (CSRF tokens), you have to take them into account at every request, otherwise the request will be invalid. In this specific case the source code of transfer.aspx shows the presence of the __VIEWSTATE and __EVENTVALIDATION fields, which are used in .NET applications and change after a while.
The python script by ippsec :
In this way, before every request the current values of __VIEWSTATE and __EVENTVALIDATION are retrieved from the source code.
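The state handling described above, as an added example that is not ippsec's script: a parser that pulls the current __VIEWSTATE and __EVENTVALIDATION values out of a fetched page so they can be merged into the next POST, and that fails loudly when a page without them (an error page, a redirect) was fetched instead. SAMPLE_PAGE and its values are constructed, not taken from transfer.aspx.

```python
from html.parser import HTMLParser
from typing import Dict

# Constructed sample of the hidden fields an ASP.NET WebForms page emits;
# the values are made up and change on every real request.
SAMPLE_PAGE = """<form method="post" action="./transfer.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAIabcdef0123456789" />
<input type="file" name="FileUpload1" id="FileUpload1" />
<input type="submit" name="btnUpload" value="Upload" />
</form>"""

REQUIRED = ('__VIEWSTATE', '__EVENTVALIDATION')


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden"> name/value pair in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != 'input':
            return
        a = dict(attrs)
        if (a.get('type') or '').lower() == 'hidden' and a.get('name'):
            self.fields[a['name']] = a.get('value') or ''


def aspnet_state(html: str) -> Dict[str, str]:
    """Return the hidden .NET state fields of the page just fetched.

    Raises if __VIEWSTATE or __EVENTVALIDATION is absent: reusing values from
    an earlier page (or none at all) gets the POST rejected as invalid.
    """
    parser = HiddenFieldParser()
    parser.feed(html)
    missing = [k for k in REQUIRED if k not in parser.fields]
    if missing:
        raise ValueError(f"page does not carry {missing}; fetch the form again")
    return parser.fields


def build_post_body(html: str, user_fields: Dict[str, str]) -> Dict[str, str]:
    """Merge freshly scraped state with the user-controlled form values."""
    body = aspnet_state(html)
    body.update(user_fields)
    return body
```

Fetch the form, call build_post_body() on the response text, then send the POST; repeat the fetch before every further request, since the server-side MAC on these fields is what makes stale values fail.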
LESSONS LEARNED
- Use proper (Windows vs Linux) extensions during the directory busting process.
- On older IIS versions you can bypass password-protected directories by appending :$i30:$INDEX_ALLOCATION to the directory name.
- Older Windows versions are vulnerable to MS15-034, a vulnerability which exploits the HTTP Range header and leads to DoS and potentially to RCE. You can check if the system is vulnerable with curl -v x.x.x.x -H "Host: anything" -H "Range: bytes=0-18446744073709551615".
- IIS short name (~) disclosure shows only up to the first 6 letters of the folder/file name and the first 3 letters of the extension. Scan the target with java -jar iis_shortname_scanner.jar.
- Pay attention to \ escaping, or use cmd /c.
- On IIS, if you can upload web.config you can obtain RCE.
- If the user has the SeImpersonate or SeAssignPrimaryToken privilege then you are SYSTEM (JuicyPotato).
- An OS without hotfixes applied can be affected by multiple vulnerabilities.
- Metasploit has a useful post-exploitation PE module: post/multi/recon/local_exploit_suggester. Migrate meterpreter according to the target system architecture.
- Consider CSRF tokens and/or values which change at every request when you need to send successive requests to the target.