
Hack The Box – Devel Walkthrough

Introduction

This was an easy Windows box that involved exploiting an open FTP server to upload an ASPX shell and gain remote access to the host, and the MS10-015 KiTrap0D vulnerability to escalate privileges to SYSTEM.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

Based on this scan, FTP and HTTP are open on the remote host, so the next step is to enumerate both services.

Enumerating FTP

According to the Nmap scan, the FTP server allows anonymous authentication. Logging into it reveals the Microsoft IIS default index page:

This means the FTP root is the web server's document root, so any file uploaded through FTP will be served by IIS. This can be exploited by uploading a malicious server-side script and then browsing to it so that the web server executes it.

Exploiting Open FTP Share

The first step is to generate a reverse-shell payload using MSFvenom with the following flags:

  • -p to specify the payload type, in this case, the Windows TCP Reverse Shell
  • LHOST to specify the local IP address the shell should connect back to
  • LPORT to specify the local port the shell should connect back to
  • -f to specify the format for the shell, in this case, ASPX

Uploading the ASPX shell onto the web server’s root directory through FTP:

Starting MSFConsole, selecting the multi/handler module, setting the following options and running it:

  • payload to specify the payload type, in this case, the Java reverse shell
  • LHOST to specify the local IP address to listen on
  • LPORT to specify the local port to listen on

Navigating to the ASPX shell uploaded via FTP:

A Meterpreter shell was received:

Privilege Escalation

The current session is running as the default IIS user:

Searching for the Local Exploit Suggester Meterpreter module, selecting it and running it against the current session:

The module found a few potential exploits, one of which is the MS10-015 KiTrap0D module. The underlying vulnerability exists because certain versions of the Windows kernel do not properly validate certain BIOS calls. A local user can craft a VDM_TIB data structure in the Thread Environment Block (TEB) and then call the NtVdmControl function to start the Windows Virtual DOS Machine (NTVDM) subsystem, which leads to improperly handled exceptions in the #GP trap handler (nt!KiTrap0D) and allows the user to gain privileges. This is also known as the "Windows Kernel Exception Handler Vulnerability".

Selecting the module and specifying the following parameters:

  • SESSION to specify the session to run the exploit against
  • LHOST to specify the local IP address the new shell should connect back to
  • LPORT to specify the local port the new shell should connect back to

The exploit was successful and returned a SYSTEM-level shell.

Conclusion

Although this box was quite simple, it shows just how dangerous a file-transfer service with anonymous login enabled can be, especially when it allows files to be uploaded directly into a web server's document root.
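From the defender's side, the upload path used above leaves a clear trace in the IIS FTP W3C log: an anonymous session issuing STOR for a file with a server-side script extension. The script below is an added example, not part of the original walkthrough or of the box; it parses the #Fields header of a constructed log sample (placeholder IPs, made-up session ids) and flags writes of executable web content, rating anonymous successful writes highest.

```python
from dataclasses import dataclass

# Constructed IIS FTP W3C log sample (not from the box); IPs are
# documentation-range placeholders and session ids are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 10:00:01 192.0.2.10 - 198.51.100.5 21 USER anonymous 331 0 0 s1 -
2024-01-01 10:00:01 192.0.2.10 anonymous 198.51.100.5 21 PASS *** 230 0 0 s1 /
2024-01-01 10:00:03 192.0.2.10 anonymous 198.51.100.5 21 RETR iisstart.htm 226 0 0 s1 /iisstart.htm
2024-01-01 10:00:09 192.0.2.10 anonymous 198.51.100.5 21 STOR shell.aspx 226 0 0 s1 /shell.aspx
2024-01-01 10:00:12 192.0.2.10 anonymous 198.51.100.5 21 STOR notes.txt 226 0 0 s1 /notes.txt
2024-01-01 10:01:00 192.0.2.11 alice 198.51.100.5 21 STOR report.aspx 226 0 0 s2 /report.aspx
2024-01-01 10:01:30 192.0.2.12 anonymous 198.51.100.5 21 STOR cmd.asp 550 5 0 s3 /cmd.asp
"""

# Extensions IIS hands to a script engine or loads as code.
WEB_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".ascx", ".asax", ".config", ".dll", ".exe"}
WRITE_METHODS = {"STOR", "STOU", "APPE"}

@dataclass
class Finding:
    time: str
    client: str
    user: str
    method: str
    path: str
    status: int
    severity: str

def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_risky_uploads(text):
    """Flag FTP writes that would place executable content in the served tree."""
    findings = []
    for row in parse_w3c(text):
        if row["cs-method"] not in WRITE_METHODS:
            continue
        path = row["x-fullpath"]
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext not in WEB_EXECUTABLE:
            continue
        status = int(row["sc-status"])
        anon = row["cs-username"].lower() in {"anonymous", "ftp", "-"}
        if status >= 300:
            severity = "low"     # refused write: an attempt, nothing landed
        elif anon:
            severity = "high"    # unauthenticated write of executable content
        else:
            severity = "medium"  # may be a legitimate deploy; still review it
        findings.append(Finding(row["time"], row["c-ip"], row["cs-username"],
                                row["cs-method"], path, status, severity))
    return findings
```

Pointing it at a real FTP log directory (or feeding the same logic to a SIEM rule) catches the exact sequence this box relies on, and the "medium" tier is where authenticated-but-unexpected deploys of .aspx files show up.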