Intro
This machine will cover brute-forcing account credentials & handling public exploits. Here’s a link to the box.
Enumeration
Nmap scan
As usual, we’ll start with a Nmap scan.
PORT     STATE SERVICE           VERSION
80/tcp   open  http              Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=hackpark
| Issuer: commonName=hackpark
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-10-01T21:12:23
| Not valid after:  2021-04-02T21:12:23
| MD5:   3032 2fb5 4e45 55fa e4d8 a136 f99f 86d3
|_SHA-1: e191 17b5 7329 905e 23e3 93ca d5b1 fbac a510 663b
|_ssl-date: 2021-02-09T08:23:14+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We have an IIS web server on port 80 and RDP on port 3389. While we inspect the website by hand, let’s brute-force for other interesting directories in the background.
Gobuster directory brute-forcing
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.33.120/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Follow Redir:   true
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2021/02/09 11:14:40 Starting gobuster
===============================================================
http://10.10.33.120/contact (Status: 200)
http://10.10.33.120/search (Status: 200)
http://10.10.33.120/archives (Status: 200)
http://10.10.33.120/archive (Status: 200)
http://10.10.33.120/content (Status: 403)
http://10.10.33.120/contactus (Status: 200)
http://10.10.33.120/contacts (Status: 200)
http://10.10.33.120/contact_us (Status: 200)
http://10.10.33.120/admin (Status: 200)
Among the gobuster results we find the admin login page. Inspecting the form element shows that the login form submits its data to the web server with a POST request.
We also take the username to be admin, as shown in the URL of the login form. Now that we know the request method and have the URL of the login form, we can start brute-forcing the account.
Exploitation
Hydra account brute-forcing
1. Go to the website’s login page and try to login with random credentials.
2. Press “F12” or open “Toggle Tools” in Firefox.
3. Select the “Network” tab.
4. Make an attempt to login with random credentials.
5. Find & select the “POST” request under the “Method” column.
6. Copy the URL starting from “/Account/login” and paste it somewhere to build your command.
7. In the right-hand pane, click “Request”, scroll all the way down, copy the contents of “Request payload”, and append it to the previous link separated by a colon ( : ).
8. Replace the username and password you typed with ^USER^ and ^PASS^.
9. Append “:Login failed” to the end of your command.
10. Result:
This string has three parts divided by colons:
path to the login form page : request body : error message indicating failure
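From the defender’s side, that same burst of POST requests is what a log review should catch. The following Python is an added example, not part of this write-up: it parses IIS W3C log lines (constructed here, using the /Account/login.aspx path from the steps above) and flags any client that fails the form a threshold number of times inside a time window. It assumes IIS’s default W3C field layout and that BlogEngine answers a failed login with a 200 (the “Login failed” page) and a successful one with a 302 redirect.

```python
"""Flag password-guessing bursts against /Account/login.aspx in IIS W3C logs.
Added example (not from the write-up). Assumes IIS's default W3C field layout and
that BlogEngine answers a failed login with 200 ("Login failed") and success with 302."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/account/login.aspx"
# Constructed sample log: 10.9.1.5 guesses five passwords in nine seconds; 10.9.1.7 logs in (302).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-02-09 08:20:01 10.10.33.120 POST /Account/login.aspx ReturnURL=/admin 80 - 10.9.1.5 Mozilla/5.0 200 0 0 15
2021-02-09 08:20:03 10.10.33.120 POST /Account/login.aspx ReturnURL=/admin 80 - 10.9.1.5 Mozilla/5.0 200 0 0 15
2021-02-09 08:20:05 10.10.33.120 POST /Account/login.aspx ReturnURL=/admin 80 - 10.9.1.5 Mozilla/5.0 200 0 0 16
2021-02-09 08:20:07 10.10.33.120 POST /Account/login.aspx ReturnURL=/admin 80 - 10.9.1.5 Mozilla/5.0 200 0 0 15
2021-02-09 08:20:10 10.10.33.120 POST /Account/login.aspx ReturnURL=/admin 80 - 10.9.1.5 Mozilla/5.0 200 0 0 14
2021-02-09 08:31:25 10.10.33.120 POST /Account/login.aspx ReturnURL=/admin 80 - 10.9.1.7 Mozilla/5.0 302 0 0 40
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            parts = raw.split()
            if len(parts) == len(fields):  # skip truncated lines instead of crashing
                yield dict(zip(fields, parts))

def login_bursts(text, threshold=5, window_seconds=60):
    """Return {client_ip: most failed login POSTs seen inside any one window}."""
    failures = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        if rec["sc-status"] == "302":
            continue  # redirect = successful login, not a guess
        failures[rec["c-ip"]].append(
            datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"))
    span, flagged = timedelta(seconds=window_seconds), {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > span:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Lowering the window to a few seconds separates a tool-driven burst from a user who simply mistyped a password a few times over a minute.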
Searchsploit
After logging in as admin, we find the BlogEngine version to be 3.3.6.0 & search for an exploit:
Copy the exploit locally, change the IP and port to your own, and start a listener on the chosen port.
According to the exploit description, we need to do the following:
1. Navigate to Content
2. Posts
3. New
4. Upload Exploit (name must be PostView.ascx)
5. Publish
6. Visit http://TARGET_IP/?theme=../../App_Data/files to get a shell
Privilege Escalation
Systeminfo to get an overview
Let’s see the machine’s specs:
c:\windows\system32\inetsrv>systeminfo

Host Name:                 HACKPARK
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-70000-00000-AA886
Original Install Date:     8/3/2019, 10:43:23 AM
System Boot Time:          2/9/2021, 3:19:24 AM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
...
Whoami privileges check
c:\windows\system32\inetsrv>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated.
There are two types of access tokens:
- primary access tokens: those associated with a user account that are generated on log on
- impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process.
Since SeImpersonatePrivilege is enabled for this account, token impersonation is one route we could use to gain SYSTEM access.
Winlogon credentials
Let’s check the registry for User Autologon / Winlogon credentials:
...
    LastUsedUsername    REG_SZ       administrator
    AutoAdminLogon      REG_DWORD    0x1
    DefaultUserName     REG_SZ       administrator
    DefaultPassword     REG_SZ       4q6[redacted]Fdxs
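A check for this misconfiguration is easy to script. The following Python is an added example, not from the write-up: it parses reg query output in the layout shown above (a constructed sample with a placeholder password) and reports stored autologon credentials without copying the password itself into the finding.

```python
"""Flag plaintext AutoAdminLogon credentials in reg.exe query output for the Winlogon key.
Added example (not from the write-up); the sample below is constructed with a
placeholder password, in the same layout the box's reg query returned."""
import re

WINLOGON_SAMPLE = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    LastUsedUsername    REG_SZ       administrator
    AutoAdminLogon      REG_DWORD    0x1
    DefaultUserName     REG_SZ       administrator
    DefaultPassword     REG_SZ       PLACEHOLDER_PASSWORD
"""

# One value per line: <name> <REG_type> <data>; the key header line has no REG_ token.
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$", re.MULTILINE)

def parse_reg_query(text):
    """Return {value_name: (type, data)} from reg.exe query output."""
    return {name: (rtype, data) for name, rtype, data in VALUE_RE.findall(text)}

def autologon_finding(values):
    """Return a finding dict when autologon is on and a password is stored, else None.
    The password is never copied into the finding, only its length."""
    flag = values.get("AutoAdminLogon", ("", "0"))[1]
    enabled = int(flag, 0) == 1 if flag else False  # reg shows DWORDs as 0x1
    password = values.get("DefaultPassword", ("", ""))[1]
    if not (enabled and password):
        return None
    return {
        "user": values.get("DefaultUserName", ("", ""))[1],
        "password_length": len(password),
        "registry_key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    }
```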
It looks like we found some admin credentials; let’s use the open RDP port to connect to the machine.
We’ve reached the flag by an unintended route. Let’s continue with the intended path to exploit another weakness this box has.
Unquoted Service Paths
Let’s search for unquoted service paths:
AWS Lite Guest Agent      AWSLiteAgent        C:\Program Files\Amazon\XenTools\LiteAgent.exe    Auto
System Scheduler Service  WindowsScheduler    C:\PROGRA~2\SYSTEM~1\WService.exe                 Auto
Let’s query the service configuration with sc qc for more details:
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WindowsScheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\PROGRA~2\SYSTEM~1\WService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Scheduler Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
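To see which of the two services is actually exposed to an unquoted-path problem, the following Python is an added example, not from the write-up: it pulls BINARY_PATH_NAME out of sc qc output and lists the files Windows would try before the real binary, together with the directory that must stay unwritable. It assumes the usual CreateProcess prefix search and that the service binary ends in .exe. Note that the scheduler’s path is reported in 8.3 short form with no spaces, so only the LiteAgent path produces a candidate.

```python
"""Work out which files an unquoted service path lets Windows try first.
Added example (not from the write-up). Assumes the service binary ends in .exe
and the usual CreateProcess behaviour of trying each space-delimited prefix
(with .exe appended) until one exists."""
import ntpath
import re

# Constructed samples shaped like the sc qc output on the box (paths as shown on the page).
SC_QC_SAMPLES = {
    "WindowsScheduler": "BINARY_PATH_NAME   : C:\\PROGRA~2\\SYSTEM~1\\WService.exe",
    "AWSLiteAgent": "BINARY_PATH_NAME   : C:\\Program Files\\Amazon\\XenTools\\LiteAgent.exe",
}

def binary_path_from_sc_qc(text):
    """Pull BINARY_PATH_NAME out of `sc qc` output (None if absent)."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def hijack_candidates(binary_path):
    """Executables CreateProcess would try *before* the real one, in search order.
    A quoted path, or one without spaces (such as an 8.3 short path), yields
    nothing: that service is not exposed to this class of bug."""
    path = binary_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; later prefixes are never consulted
        candidates.append(prefix + ".exe")
    return candidates

def audit_services(samples):
    """Map service name -> list of (candidate_exe, directory that must stay unwritable)."""
    findings = {}
    for name, sc_output in samples.items():
        path = binary_path_from_sc_qc(sc_output)
        cands = hijack_candidates(path) if path else []
        findings[name] = [(c, ntpath.dirname(c)) for c in cands]
    return findings
```

On a real host the next step is to check the ACL of each listed directory (icacls) and confirm that unprivileged users cannot create files there.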
Check the scheduler’s log files for the name of the binary it runs automatically. As an alternative route, you can replace message.exe in the System Scheduler folder with a generated shell executable to get an administrator shell.