Exercise: The Shield Box with Metasploit

On logging in to Hack The Box, you will be presented with lots of things you can do via the dashboard. In this book, we are going to focus on the Machines that are part of the Labs environment of the site. In particular we are going to stick to Retired Machines because writeups and videos discussing approaches to these challenges are public. Remember that to get access to all of the retired machines, you will need a VIP account. A machine is an actual virtual machine that is hosted on a server located in a region that is accessible via VPN connection. You should choose a region that is close to where you live in order to get the best response times from the machines. Hack The Box has a tutorial on how to get VPN access (https://help.hackthebox.eu/getting-started/v2-introduction-to-vpn-access\). Each machine will have a unique IP address and if the machine is not started already by someone else, you can start the machine and it will run for a minimum of 24 hours. If you haven't finished in that time, you can extend the length of time the machine runs by a further period. When you are ready, you can tackle the Active Machines which are ones for which there are no public writeups or videos available and you are on your own to try and solve the challenge.

All Hack The Box machines present the same goals, getting a user flag which is a 32 character unique hexadecimal string. Once this is obtained, you then need to get the root flag which means getting administrator privileges on the box. In our case studies, I won't explicitly talk about getting these flags although everything we do will allow you to get and submit them.

To get started, we are going to look at a machine called Shield in the Starting Point track. This isn't the first machine in the list but it will enable us to explore some different approaches to tackling these challenges. We will go through the standard enumeration and look for an entry point into a misconfigured WordPress site. We will do this using command line tools and through the use of the amazing Metasploit Framework.

There will be things that you do here that haven’t been covered yet and so I ask that you bear with me and concentrate on the use of Metasploit and meterpreter shells. The other aspects will be dealt with in more detail later. I could have skipped over the initial parts but if you are still uncomfortable, go ahead and read the enumeration section and then come back.

Setup

To connect to the Starting Point machines, you need to run a VPN with the Starting Point access pack. Download the OpenVPN configuration file and run that using:

I find it convenient to add the hostname of the machine in the /etc/hosts file so that I can refer to the hostname and not have to remember the IP address. Add the hostname of the machine that you are targetting and associate it with its IP address:

and then add

Create a directory called Shield that you can use as the working directory for this challenge. Create a sub-directory called Nmap to store the Nmap results.

Finding Open Ports and Services

In starting any box on Hack The Box, the first step is to perform enumeration of the network services that the box provides. We are given the IP address of the box and so what we need to know is what ports are open and what services are running on the machines listening on those ports. We will go into networking in the next chapter and describe how services can listen on specific ports for connections from client software. Web servers for example, usually listen on ports 80 and 443. For the time being, however, just follow along without worrying too much about the detail. To scan for open ports on the box, we will use a command line tool Nmap.

Performing an Nmap Scan

To start, add a hostname for the box and associate it with its IP address.

Run an Nmap scan in the terminal using the command:

You might see an alternative of this command which is to run an initial scan to get the open ports and then run the second command to get information about the services and versions of software. There isn't very much difference between the two approaches however and so it is easier simply to run the single script.

When run, Nmap will report 2 ports open, port 80 and port 3306.

The output from nmap tells us that Shield is a windows box running Microsoft IIS web server on port 80. Opening the URL http://shield.htb gives the default IIS web page.

Check for Subdirectories

Continuing the enumeration, we want to discover more about the website and in particular, its directory structure and potential files in those directories. Web servers are normally configured to serve HTML and other types of files from a root directory, like /var/www/html/ for example. The root directory may have subdirectories to organize files that the website uses like stylesheets and JavaScript. Subdirectories may also be used for files that belong to other websites.

To explore the subdirectories and files that a website has access to, we can use a tool called Gobuster. Gobuster uses dictionaries of common words associated with directories and files and will just repeatedly try URL paths replacing the final part of the path with words from the dictionary. This process is called fuzzing and it is used in hacking to explore the effect of inputs on the outputs of a program.

Running Gobuster using the directory dictionary /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, we discover a sub-directory of the website called wordpress indicated by the status code 301. This status code indicates to the requester that the URL has been moved permanently to another location, in this case to the URL http://shield.htb/wordpress/.

The url http://shield.htb/wordpress reveals a wordpress website called SHIELDSUP that features blog posts by a user admin. Wordpress sites by default have administration pages at the url http://shield.htb/wordpress/wp-admin. You already know a user admin and from a previous machine in the StartingPoint series, you would have discovered the password P@s5w0rd!. Trying this with the user admin gets us in.

Launching a Meterpreter Reverse Shell

The objective of the challenge is to gain access to the box to explore and hopefully discover more vulnerabilities that can be exploited to gain further privilege and access. This means getting control of user accounts that give progressively more access until we get to be the administrator of the box. Initial access usually refers to gaining a shell as one of these users. A shell is a program that allows a user the ability to type commands and display results.

On Windows it is the cmd.exe program, on Linux it is Bash or Zsh that runs in the terminal program. We have been using a shell on our Parrot box to carry out all of the actions we have taken so far. When a shell is run locally on a box, it is a local shell. Remote shells are those that are accessed over a network connection so that the commands are typed on the local attacker box but run on the remote machine. We can set up a remote shell by running a program on our local Parrot box which listens for connections and then run a program on the remote machine that connects back to the listener and establishes the remote shell session. This is called a reverse shell.

We will explore all of this in more detail in the next chapter, but for the moment, we are going to get a reverse shell using Meterpreter. Time to turn to Metasploit which has a way of launching a Meterpreter reverse shell in PHP! Start Metasploit by selecting it from the menu or by running

In Metasploit, we are going to use an existing exploit of the WordPress administrator account by uploading a plugin to WordPress that is actually a reverse shell. Plugins, as we see later when we craft our own custom plugin, are ways of packaging PHP code to add functionality to WordPress. The security vulnerability with this is that this code has access to do whatever the user account that is running WordPress can do. There is nothing limiting what code in plugins can do normally. In the case of this exploit, we use the command:

We can ignore the fact that this is a Windows box not a Unix one. It still works.

You can set the options for this exploit using the set command:

LHOST is the IP address of your attacker machine which you can get using the command “ifconfig”. After doing that, the options should look as follows:

All that remains is to type “run”. The exploit consists of uploading a plugin that consists of a php page and then calling that page. This executes a staged Meterpreter reverse shell. The output should be something like:

Upgrading the Meterpreter Reverse Shell

That gives us a Meterpreter shell that is a little unstable and also, because it is written in PHP, somewhat limited in its abilities. We are going to generate a better meterpreter shell using a program called msfvenom. To start with we can use msfvenom to generate a Windows executable program that will run the meterpreter reverse shell. To do this, we need to exit from the meterpreter session by typing bg and then hit return.

Then we can type

Once the payload is created, we can upload it to the Shield machine. We need to get back into the current Meterpreter session first. We do that with the sessions command. Just typing sessions will list the current sessions available. We can interact with a session using the sessions -i <session number> command:

Once back in the meterpreter session , we can upload the revshell.exe using the meterpreter command upload:

Before you run this shell, you want to run another exploit/multi/handler to handle the reverse shell. We need to get out of the meterpreter session to get back to the Metasploit prompt by using the background command "bg". We can then use exploit/multi/handler and set the options to match what we set for the reverse shell with msfvenom above.

Finally, we need to return to the original meterpreter session to run the new reverse shell payload. To get back to a session, you can list them with the command “sessions” and then select the session by using "sessions -i <session number>"

We can then just execute the meterpreter reverse shell by executing revshell.exe and waiting for the new meterpreter session to start. We then background the first session and interact with the new meterpreter session we just created.

We are now in a new, more powerful Meterpreter session and typing help will show more commands than were available with the PHP Meterpreter shell (not all shells are equal). You can verify this by typing help at the Meterpreter command and seeing the range of commands available.

Discovery and Privilege Escalation

Now that we have achieved initial access, the process of further enumeration or discovery takes place. We are looking for ways of elevating our user account to administrator and gain total ownership of the box. This process is called privilege escalation or priv esc for short.

In Metasploit, you can run a command that will look for particular vulnerabilities that will lead to privilege escalation. This command is the “local_exploit_suggester”

Normally when reviewing possible exploits, experience will tell you which ones are likely to work better than others. In some cases though it might be a question of trial and error to find one that works. This could be a problem if any of the exploits leave the machine in an unstable state. If that is the case in Hack The Box, you can ask for the machine to be reset.

From experience, I know that the most promising exploit is going to be ms16_075_reflection_juicy which is the JuicyPotato exploit. This vulnerability allows for privilege escalation through impersonation of the System user. It occurs if the user doing the exploit has certain privileges, notable the SeImpersonate privilege. Unfortunately, the Metasploit module doesn’t work as is and so you have to do this manually by downloading JuicyPotato.exe from https://github.com/ohpe/juicy-potato/releases/tag/v0.1

We can run another handler as before and then upload JuicyPotato.exe. One more step however as executing it from the Meterpreter prompt doesn’t work. So you can drop into a cmd.exe shell prompt by typing “shell”. From the command prompt, you can then run the JuicyPotato.exe

Remember to change the path of the revshell.exe to the actual path name Meterpreter has used. When JuicyPotato.exe runs, it will start another Meterpreter session but as the privileged user that the exploit has impersonated, NT AUTHORITY\SYSTEM. From there, you can cd (change directory) into the c:\Users\Administrator\Desktop directory and find the flag.

Finding User Credentials

Now that we have administrator privileges, we can do some more discovery to look for any other useful information on the box, in particular, other user accounts and their passwords.

We will come back to this later in the book and deal with it in more details but what you will do is take advantage of a module that Meterpreter allows us to run called kiwi that is the module that runs Mimikatz commands. Mimikatz is a program that has been designed to search for and collect credentials on Windows from a number of different places where these are commonly stored. These include the two main sources:

• Passwords stored in memory. Mimikatz looks for passwords that may be in the memory of the Local Security Authority Subsystem Service (LSASS) process

• Kerberos: Using an API to access Kerberos credentials (tickets) again from memory

To run Kiwi, you type “load kiwi” and then “creds_all”. From this, you can see the user “sandra” has the password “Password1234!” which has been extracted from Kerberos running on the machine.

If you follow the tutorial on Hack The Box for this machine, some things are different. A different approach is taken to using netcat for reverse shells and running mimikatz.exe directly. The end result is the same however.

Doing the initial access to Shield manually

You have seen how Metasploit can make discovery and exploitation a simple process of choosing a command, setting options and then typing run. The problem with this is that you don't get to see what is actually happening in each of these steps and so it is difficult to understand what it is you are actually exploiting. In this section, we will do the initial access using our own crafted exploit.

Getting a reverse shell by uploading a WordPress plugin

Visiting the Shield WordPress site at http://shield.htb/wordpress, you will find a website called Shields Up which is for a company supplying electric trucks.

Navigating to the WorPress administration site at http://shield.htb/wordpress/wp-admin, you can enter the username and password admin and P@s5w0rd! to get in and get the Dashboard page.

We can now call the reverse shell by entering the url

This should first call the web server to get the PowerShell file

And then the reverse shell should then call netcat to give us a PowerShell prompt:

Although the process was more involved, we understood the process much better at the end of it and we got an initial shell that was far more robust than the PHP shell that Metasploit initially established. The way that we did the initial access in this way is more generalizable as well. We will see that we use the same approach repeatedly in different situations where we can't use Metasploit. However, there is no denying that Metasploit speeds things up and if you are working on an assignment which has time (and cost) pressures, Metasploit may be the way to go.

There is not necessarily a right or wrong answer when it comes to the choice of tools in most cases but knowing about a range of different approaches gives you the flexibility to select what you think is optimal for a particular situation.

Alternative Box: Devel

As the Shield box is no longer available, the Devel box is another good introduction to Metasploit. It is worth reading through the Shield section to get an introduction to Wordpress Plugins, which are not covered in Devel. Again, we will use Metasploit to attain a reverse shell and escalate to root privileges. However, we will upload our shell using FTP rather than a Wordpress vulnerability. Note that this is a retired box that requires a VIP subscription to access.

Performing Nmap Scan

Add a hostname for the box by adding the IP address and hostname in the /etc/hosts file. Create a directory to work in called devel and then add a subdirectory called nmap for the output of the Nmap scans.

Run an Nmap scan in the terminal using the command:

The box has an FTP service on port 21 that allows anonymous logins, and a web server running on port 80.

Opening the URL http://devel.htb gives the default IIS web page.

Check for Subdirectories

At this point, we could run gobuster to look for subdirectories, but the ftp files shown in the nmap scan look like they could be part of the website. http://devel.htb/iistart.htm looks to be the same page that we get when we visit the root url, and welcome.png is the image we see.

The nmap scan also shows an ftp file called aspnet_client, which indicates the server is running ASP.NET.

We are going to create a meterpreter shell using a program called msfvenom. To start with we can use msfvenom to generate an .aspx program that will run the meterpreter reverse shell. Unlike the Shield box, the server is running ASP.NET, so we will use a .aspx payload.

Don't forget to change the LHOST (listening host) to your IP address.

Now we can upload the reverse shell over FTP:

Now we can open Metasploit with msfconsole and create a handler for the reverse shell we uploaded with use exploit/multi/handler.

If we navigate to http://devel.htb/revshell.aspx we should now get a response in our metasploit window.

Discovery and Privilege Escalation

Now that we have achieved initial access, the process of further enumeration or discovery takes place. We are looking for ways of elevating our user account to adminstrator and gain total ownership of the box. This process is called privilege escalation or priv esc for short.

In Metasploit, you can run a command that will look for particular vulnerabilities that will lead to privilege escalation. This command is the "local_exploit_suggester". First, we need to get out of the meterpreter session to get back to the Metasploit prompt by using the background command "bg". We can then use post/multi/local_exploit_suggester to scan for vulnerabilities.

A few options here - lets try exploit/windows/local/ms10_015_kitrap0d.

This will start another Meterpreter session but as the privileged user NT AUTHORITY/SYSTEM. From there, you can cd (change directory) into the c:\Users\Administrator\Desktop directory and find the flag.

Inital Shell without Metasploit

Instead of creating a Meterpreter shell with msfvenom, we can create a tcp shell and use netcat to listen for a connection.

Upload the reverse shell in the same way as previously - by using the put command on the FTP server.

Now start a netcat listener.

We can start the reverse shell by navigating to http://devel.htb/revshell.aspx or using curl in the terminal.