Probably a stupid question, but when connecting to FTP servers, there is sometimes an option for an account. What is the significance of this vs. the username? See this method from the Apache FTP Client for example:

    /**
     * Login to the FTP server using the provided username, password,
     * and account. If no account is required by the server, only
     * the username and password, the account information is not used.
     *
     * @param username The username to login under.
     * @param password The password to use.
     * @param account The account to use.
     * @return True if successfully completed, false if not.
     * @throws FTPConnectionClosedException
     *     If the FTP server prematurely closes the connection as a result
     *     of the client being idle or some other reason causing the server
     *     to send FTP reply code 421. This exception may be caught either
     *     as an IOException or independently as itself.
     * @throws IOException If an I/O error occurs while either sending a
     *     command to the server or receiving a reply from the server.
     */
    public boolean login(final String username, final String password, final String account) throws IOException {
        ....
    }

As usual, let's start with nmap:

    nmap -sV -sC IP

Replace IP with the IP of the target machine (Fawn). Note: the IPs of the target machines change constantly, so make sure you type the correct one. You can find it on your Hack The Box account.

We can see that port 21 is open on the target machine. Port 21 is associated with FTP (File Transfer Protocol). Notice the line:

    ftp-anon: Anonymous FTP login allowed

This means that this FTP server has been misconfigured and we can use the username anonymous to log in. When we are prompted for a password for anonymous, we should be able to enter whatever we want, because the server disregards the password for the anonymous account. Let's see if that works!

Foothold

    ftp 10.129.252.202

Type anonymous and press enter. When prompted to enter a password, type whatever you like and press enter. We are in!
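To show what the third `account` argument of the Apache `login(username, password, account)` method quoted above is for, here is an added example (not from the question or from Apache Commons Net): a minimal simulation of the RFC 959 login sequence, where the server answers PASS with reply code 332 when it also needs an ACCT. The server class is a constructed stand-in; usernames, passwords and account strings are made up.

```python
class FakeFtpServer:
    """Constructed stand-in for a server; not a real FTP implementation."""

    def __init__(self, users, accounts_required):
        self.users = users                          # {username: password}
        self.accounts_required = accounts_required  # {username: account string}
        self.user = None
        self.authenticated = False

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            self.user = arg
            return "331 Password required"
        if verb == "PASS":
            if self.users.get(self.user) != arg:
                return "530 Login incorrect"
            if self.user in self.accounts_required:
                return "332 Need account for login"  # RFC 959: ACCT must follow
            self.authenticated = True
            return "230 User logged in"
        if verb == "ACCT":
            if self.accounts_required.get(self.user) == arg:
                self.authenticated = True
                return "230 User logged in"
            return "530 Account incorrect"
        return "502 Command not implemented"


def ftp_login(server, username, password, account=None):
    """Client side: USER, then PASS on 331, then ACCT only if the server answers 332."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd.split(" ")[0], reply))  # record the verb only, never the secret
        return reply

    reply = send(f"USER {username}")
    if reply.startswith("331"):
        reply = send(f"PASS {password}")
    if reply.startswith("332"):
        if account is None:
            return False, transcript  # server wants an account but none was supplied
        reply = send(f"ACCT {account}")
    return reply.startswith("230"), transcript
```

For a user the server accepts on USER/PASS alone, the account argument is never sent, which is the "not used" case the Javadoc describes.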
Let's list the files available in our current directory using:

    ls

There is a file called flag.txt. This seems interesting! Let's use the get command to download this file directly onto our VM:

    get flag.txt

Now go to your home directory and you can see flag.txt is there. Open the file flag.txt. Congratulations! You got the flag!

HTB is a platform which provides a large number of vulnerable virtual machines. The goal is to find vulnerabilities, elevate privileges and finally find two flags: a user and a root flag. As I am planning to take the OSCP exam, my focus is to exploit some HTB machines as preparation. As I tend to remember things more easily when I write them down, I decided to summarize the walkthroughs as documentation for later reference or for anyone who is interested in this topic. This is my first HTB writeup!

This machine has an anonymous FTP login, meaning that anyone with the username anonymous and any string as a password can log in and access the files on the server. Allowing users to gain access from any part of the globe can be dangerous; if they additionally have write access, it is even worse. Normally the anonymous user should have limited access rights and operation restrictions, which is not the case here. The anonymous user can upload any binary and execute it directly in the browser, as the FTP root is equal to the \inetpub\wwwroot directory, which is the default folder for publishing web pages. Furthermore, the machine has several Windows kernel vulnerabilities which allow privilege escalation. In order to identify vulnerabilities and proceed with exploitation, it is necessary to do a bit of port scanning and to collect as much information as possible about the target network. I start with an Nmap scan to retrieve an overview of open ports and running services.
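From the defender's side, the combination described above (anonymous login, write access, FTP root mapped onto the IIS web root) is easy to spot in FTP server logs. The following added example (not part of the writeup) flags anonymous sessions that successfully store web-executable files under the web root. The log layout ("date time client-ip user command path reply-code") and the sample lines are constructed for the example; adapt the regex to your server's real log format.

```python
import re

WEB_ROOT = "/inetpub/wwwroot"  # assumption: FTP root mapped onto the IIS web root, as in the writeup
EXEC_EXT = (".aspx", ".asp", ".ashx", ".exe", ".dll")

# Constructed, simplified layout: "date time client-ip user command path reply-code"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(line):
    """Split one log line into fields; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, cmd, path, code = m.groups()
    return {"ts": ts, "ip": ip, "user": user, "cmd": cmd.upper(), "path": path, "code": int(code)}


def find_anon_writes(lines):
    """Alert on anonymous sessions that successfully store web-executable files under the web root."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["code"] >= 400:  # skip unparseable lines and failed commands
            continue
        if ev["user"].lower() not in ("anonymous", "ftp"):
            continue
        p = ev["path"].lower()
        if ev["cmd"] in ("STOR", "APPE") and p.startswith(WEB_ROOT) and p.endswith(EXEC_EXT):
            alerts.append(f"{ev['ts']} {ev['ip']} anonymous wrote {ev['path']}")
    return alerts


# Constructed sample log; the test.aspx line mirrors the upload described in the writeup
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.10.14.3 anonymous USER - 331
2024-01-01 10:00:02 10.10.14.3 anonymous PASS - 230
2024-01-01 10:00:05 10.10.14.3 anonymous STOR /inetpub/wwwroot/test.aspx 226
2024-01-01 10:00:07 10.10.14.3 anonymous STOR /inetpub/wwwroot/readme.txt 226
2024-01-01 10:01:00 10.10.14.9 alice STOR /inetpub/wwwroot/report.aspx 226
2024-01-01 10:02:00 10.10.14.3 anonymous STOR /inetpub/wwwroot/evil.exe 550
"""

if __name__ == "__main__":
    for alert in find_anon_writes(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the successful anonymous STOR of test.aspx is reported; the text upload, the authenticated user's upload and the failed (550) transfer are ignored.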
    nmap -A -T4 10.10.10.5 -oX nmap/scan.xml --webxml

-A: Enable OS detection, version detection, script scanning, and traceroute

Port 80: Potentially risky methods / Microsoft-IIS/7.5
Port 21: Anonymous FTP allowed

The first step will be to test whether file upload to the FTP server is possible. Given that this is the case, we can upload a payload and try to execute it through the browser to get a shell. Now that we know that FTP login and upload work, we can create our own reverse shell, upload it and execute it, in order to get access to the machine via a reverse shell to our attacking machine. We can use msfvenom to create our custom payload for the exploit. For a clear understanding, make sure you know the various reverse shells available and choose the right one. For example, select windows/meterpreter/reverse_tcp only if you use Metasploit. Make sure to understand the difference between staged and stageless payloads. In our case we use the non-Meterpreter stageless reverse shell payload windows/shell_reverse_tcp to generate the aspx payload. With this, we have the option to get a shell with a basic netcat listener. The staged version will not work with the netcat listener. The listening host is the attacking machine (ip address | grep tun) and the port is the one we will listen on. We have created our backdoor executable binary. Upload this file as mentioned above to the FTP root directory. As we want to get a shell, we start a netcat listener on the attacking machine and visit 10.10.10.5/test.aspx.

Low Privilege Shell

As soon as we visit the malicious URL 10.10.10.5/test.aspx, the exploitation process starts. In the listener we can see that we have a shell running as iis apppool\web. Our next goal is to escalate our privileges. Windows Exploit Suggester is a tool which checks whether public exploits are available for a specific machine. For this, I saved the output of systeminfo to a text file. We need to elevate our privileges to a system-level user.
As mentioned, I am using Windows Exploit Suggester to detect which public exploits exist. The only requirement for this tool is the systeminfo command output from a Windows machine. Before executing the command below, make sure you have all relevant dependencies installed (as explained on their GitHub page). We are interested in the public exploits. In order to make a quick decision about which exploit to try, I chose one that is marked as public and listed at https://github.com/SecWiki/windows-kernel-exploits (they provide compiled versions). MS11-011 did not work, so I used MS10-059, which worked like a charm. The description gives good insight into whether elevation of privilege is possible. For this challenge I used the compiled version from this git repo.

We have various ways to transfer the file to the victim machine. As the target machine runs Windows, wget, nc, etc. are not recognized as an internal or external command.

Via Python's Built-in HTTP Server

In the listener we can see that we have a shell running as nt authority\system.

Via FTP

We can upload the exploit binary via FTP to the server and navigate to the respective folder on the victim machine. \inetpub\wwwroot is the default directory for all web pages and content that is published on the web. \inetpub itself is the default folder for Microsoft Internet Information Services (IIS). Now that we have escalated our privileges, we can access the root and user text files. Whenever possible I will focus on solving HTB challenges without using Metasploit. This chapter is a quick step-by-step tutorial, in case someone is interested in walking through it.