ENUMERATION
Nmap tcp full scan
nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.8The nmap output highlighted the presence of:
- a web server on port 80:
HttpFileServer (HFS) 2.3.
The link on the left bottom corner indicated that the web server is also named Rejetto .
Searchsploit search results shown the presence of different RCE exploits. Since I’m trying to avoid msf a local copy of the exploit with EDB-ID 39161 (python exploit) was created.
EXPLOITATION
In order to run the exploit and transfer the nc.exe binary to the target a web server on the attacker machine was needed.
The ip address and listening port were modified in the exploit as follows:
I started to use tmux recently. It’s really useful to run different tasks which interacts between them or simply to keep an eye on different activities. The exploit was run a couple of times to make it work and a low-privileges reverse shell was obtained as kostas user.
PRIVILEGE ESCALATION
There are a lot of post-exploitation scripts for Windows systems. First I run winPEASany.exebut I wasn’t able to find any PE vector based on its output. Then I started to focus on kernel exploits. My approach when I have to deal with kernel exploits search is described below:
- on older Windows systems →
Sherlock.ps1,windows-exploit-suggester.py - on newer Windows systems →
winPEASany.exe,wes.py
Thus, I executed Sherlock.ps1 .
The results were quite encouraging 👌. The candidates were MS16–032, MS16–034 and MS16–135.
SecWiki is a good source to look for compiled kernel exploits.
- MS16–032
One ms16-032.exewas available at the SecWiki repo and another at the following address:
Both of them didn’t work. They resulted in the same error.
I thought the .1 appended at the end could be the cause but also after removing it the result was the same.
A powershell version was available at:
The result was an hanging shell…
2. MS16–034
I decided to go for MS16–034, but I couldn’t find any compiled/powershell version of the exploit then I left it for later and tried MS16–135.
3. MS16–135
The powershell version of the exploit from SecWiki didn’t work.
The error indicates that the exploit is only for x64 systems. The check which triggered the error is shown below:
System.IntPtris “A platform-specific type that is used to represent a pointer or a handle.”“The IntPtr type is designed to be an integer whose size is platform-specific. That is, an instance of this type is expected to be 32-bits on 32-bit hardware and operating systems, and 64-bits on 64-bit hardware and operating systems.”
The target systems was x64 so I didn’t get why the check was invalidated.
Anyway removing the check caused an AccessViolationException
… it was time to move on.
windows-exploit-suggester (1st attempt)
The next tool to try was windows-exploit-suggester.py .
xlsx extension seemed to be the cause of the error shown below.
The privilege escalation phase was becoming quite frustrating 😱 , so before digging deeper on a possible fix of the error I used wes.py .
wes.py
It’s another exploit suggester that is more tailored to newer versions of Windows systems.
The output was really lengthy. Review all the vulnerabilities and try the exploits would take a lot of time.
windows-exploit-suggester (fixed)
So I went back on the older version of wes to see if it was possible to fix the error. 2 working ways to fix it are listed in a related issue.
I used the second approach. First python virtualenv was installed.
A virtual environment was created inside a dedicated directory.
Once the virtual environment was activated, an old version of xlrd was installed.
Then everything worked flawlessly with python2 ( python was showing invalid syntax error)
The first two exploits reported in the results were: MS16–135 and MS16–098.
4. MS10–098
Since I wasn’t lucky with MS16–135 I directly tried MS10–098 and finally I got SYSTEM privileges .
EXTRA
MS16–032 msf
When ippsec first used local_exploit_suggester with x86 meterpreter
the results shown different vulnerabilites including MS16–032…
…but when he tried to run the exploit an error was triggered
After changing the exploit with the x64 version of meterpreter…
…although local_exploit_suggester didn’t show any vulnerabilities
the module
exploit/windows/local/ms16_032_secondary_logon_handle_privescworked without errors. ippsec explains that probably msf doesn’t impelements some checks in the 64bit version so vulnerabilities didn’t show up.
The advice is: run local_exploit_suggester with both 32 and 64 bit meterpreter version; combine the result and if an exploit appears in both version try it first.
MS16–032 powershell
Although I didn’t try the powershell version of this exploit, ippsec illustrates two version of it.
One from the PowerShell-Suite project:
and one from the EmpireProject:
ippsec explains that the first version didn’t work in Optimum box because the access to the machine was obtained through a command prompt while the exploit requires to launch another command prompt in a new window.
The EmpireProject version took this into consideration and adapted the exploit as shown below to make it work also when the attacker is using a command prompt.
Then keep in mind to use this version when you don’t have access to the GUI.
Rejetto HFS 2.3 exploit logic
Why did the RCE work?
“Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using ‘%00’ to bypass the filtering.”
Then you can obtain a reverse shell as shown by ippsec using HFS scripting language.
The HTTP GET request to transfer and run a powershell reverse shell.
LESSONS LEARNED
- always read exploit notes.
- try different post-exploitation scripts (read the docs about which OS version they suit the best). Check
issuesection on github for error fixes. - python virtual environment allows to create separate environments for your python projects without the risk of breaking existing dependencies when different version of libraries are installed. In our specific case to make
windows-exploit-suggesterwork the steps are:
# install python virtual environment
pip3 install -U virtual env
# create and activate a virtual environment
cd env_wes/
virtualenv venv
source /bin/activate
# install xlrd
(venv) pip2 install --user xlrd==1.1.0
(venv) python2 windows-exploit-suggester.py --database 2021-01-16-mssb.xls --systeminfo systeminfo.txt
# deactivate the virtual environment
(venv) deactivate- if you have just a command prompt and not a session with a GUI (e.g.
vnc,rdp) you should use the EmpireProject version of the MS16–032 exploit. - always run
local_exploit_suggesterboth with a32and64bit process and combine the results.
