AVenger
You’ve been asked to exploit all the vulnerabilities present. - by andrea526
The following post by 0xb0b is licensed under CC BY 4.0
Recon
By scanning our target with Nmap, we can discover several open ports. Notable services include HTTP on port 80, HTTPS on port 443, Microsoft RPC on port 135, NetBIOS on port 139, SMB on port 445, RDP on port 3389, WinRM on port 5985, dynamic RPC on port 47001, and additional dynamic RPC ports ranging from 49664 to 49669, as well as specific ports 49676 and 49677.
For a more detailed scan, we specify a service and default script scan on the initially found ports.
After finishing the Nmap scan, we run a Gobuster scan to enumerate all possible files and directories on the web server running at ports 80 and 443. We see that phpmyadmin
is running, and the CMS WordPress is present.
During manual enumeration, /gift
also turned out to be a WordPress page. The domain avenger.tryhackme
also became clear from the sources. Next, we run the wpscan on the WordPress page /gift
.
At first glance, we see a very low-hanging fruit. Forminator version 1.24.1 is in use. Which is also affected by the vulnerability of unauthenticated remote command execution in version 1.24.6 (CVE-2023-4596). This vulnerability would allow us to upload a reverse shell, which could then be accessed at /wp-content/uploads/<current_year>/<current_month>/shell.php
to execute it.
There is also a forminator form on the /gift
page. It seems perfect.
Checking the sources of the form, it is indeed a forminator form.
After a short amount of research, two exploits can be identified. The one from exploit.db
does not appear to be directly transparent and clear. We first use the automated exploit from E1A, but quickly realize that we will fail. We are able to upload files with the exploit, but cannot find them in /wp-content/uploads/2023/11
. Let's ignore this vulnerability and move on.
Foothold
We stay at the form and try to upload an arbitrary image.
After uploading it, we'll get a decent hint. The message states that the team is delighted to review every message carefully.
So let us assume that someone or something is opening or executing whats uploaded.
Let's make a quick sanity check using an HTML file containing an image whose source points to our web server. A quick shoutout to amine04. Without the assumption and testing using an HTML file like amine04 suggested, I wouldn't be able to come this far. Like the box states "Think outside the box, unleash your inner prankster, and find unconventional solutions to outwit your opponents."
After a really short duration, the file seems to have been opened by someone, and we see the picture gets loaded from our server.
With that in mind and the description of the room that there is Antivirus (AV) is enabled, we look up techniques to upload reverse shell evading AV. For this, there is a really good resource referring to that topic:
The idea is to use powercat to create a reverse shell whose content is stored base64-encoded in a text file. The content of the file is downloaded to the target computer and executed using a batch file. The batch file is placed and executed by uploading it via the form.
Powercat (https://github.com/besimorhino/powercat) is a simple network utility used to perform low-level network communication operations. The tool is an implementation of the well-known Netcat in PowerShell.
To evade the Windows Defender antivirus software, we can encode reverse shell payload with Powercat. Powercat has a good feature to encode a command to Hexadecimal Array. This way, some of the basic security features can be bypassed.
The following version of powercat was used:
To generate the powercat shell on our attacker machine, you can make use of the following commands:
Create the batch file to download and execute the encoded powercat reverse shell using PowerShell. This batch file will be executed by someone or something after uploading it.
After generating the shell, a listener on 49371
is created on the attacker machine. We upload the batch and see after a short duration that the text file containing the shell gets downloaded.
The reverse shell connects, and we are the user hugo
.
After our first look up, we head to the Desktop of hugo
where the first flag can be found.
Privilege Escalation
During the enumeration process, we see that hugo
is part of the administrator groups - nice. Lets check if UAC is present. Maybe we are able to bypass it. As Microsoft states, User Account Control is a security feature that requires a user's consent before running applications with administrator privileges.
User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges.
With UAC, each application that requires the administrator access token must prompt the end user for consent. The only exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level.
We query if UAC is enabled. The settings are at level5
(default). It will ask the administrator to confirm to run non Windows binaries with high privileges.
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
First we make use of the encoded AMSI bypass of Fabian Mosh:
Next, we download the windows binary ncat.exe
on the target machine using curl.
To bypass the UAC we make use of Technique 2 of Morphs Blog. It makes use of abusing trusted folders, to hijack DLLs of elevated binaries. A quick guide can be found at https://notes.morph3.blog/windows/uac-bypass#technique-2. A more detailed explanation can be found here https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/.
First we create a DLL which executes ncat to establish a reverse shell.
We compile it using x86_64-w64-mingw32-gcc
.
If you succeed in making folders with trailing slashes, Windows will interpret them as if the trailing slash was not there, however as you created the folder, you have full control over said folder.
So, as a regular user, you now created a folder Windows considers “trusted”, but you have full access on this folder, making you able to write whatever you want in there and execute it under auto elevation.
After providing the machine with a version of ncat and having the DLL prepared, we create the folders with trailing spaces, tricking windows. We place the elevated executable computerdefaults.exe
in there that is using the Secur32.dll
. Next we download our custom Secur32.dll
and place it also in C:\Windows \System32\
.
After executing "C:\Windows \System32\computerdefaults.exe"
our reverse shell connects, and we are able to access the root flag at C:\Users\Administrator\Desktop
.
Unintended Privilege Escalation I
This was my initial way of escalating privileges. For some reason, the information gathered in this approach is only accessible while using a (powercat) reverse shell provided by a batch, as described here in the following. For some reason, it does not work with an HTA-Shell uploaded via the form.
During the enumeration process, we see that hugo
is part of the administrator groups - nice. We know that there is an open RDP port, so eventually we are able to retrieve the credentials of the user and use them to RDP into the machine. There, we could easily run stuff as administrator with being able to interact with the UAC.
We query if UAC is enabled. The settings are at level5
(default). It will ask the administrator to confirm to run non Windows binaries with high privileges.
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
To further enumerate the target on how to bypass the UAC or find other ways to escalate privileges, we want to make use of PowerUp.ps1
. Since the target is still under AV protection, we try to bypass it. Especially the Antimalware Scan Interface (AMSI).
AMSI is a Microsoft technology that enables applications to collaborate with antimalware products for real-time scanning of code and data in memory. It enhances security by allowing dynamic analysis of scripts and code executions to detect and prevent potential malware threats.
Several attempts like downgrading PowerShell or using different payloads were made to bypass AMSI, like the example below shows.
A good resource regarding that AV evasion topic is the following:
Here we make use of the encoded AMSI bypass of Fabian Mosh:
Other payloads can be found here:
After applying the bypass, the PowerUp.ps1
can be downloaded from our web server. Having the PowerUp.ps1
file on the machine, we import the PowerUp module and utilize the Invoke-AllChecks
. The Invoke-AllChecks
is a function that runs all the checks included in the module. The function outputs results of the checks in a useful format and offers us suggestions for where to look regarding privilege escalation.
The following version of PowerUp.ps1
was used:
With that, we are able to spot two findings. First, there is a hijackable path, which we were not able to abuse yet and discussed in Further Ideas. Secondly, we get the credentials for the user hugo
stored in the registry.
When autologon is turned on, the password is stored in the registry in plain text. The registry can be queried manually using reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
With those credentials, we hit up Remmina to get a remote desktop connection as the user hugo
, recalling the open port 3389. From there, we are able to run the PowerShell terminal as an administrator since the user is part of the administrator group. The UAC just has to be confirmed. With the administrator PowerShell spawned, we head directly to C:\Users\Administrator\Desktop
to find the root.txt
flag there.
Unintended Privilege Escalation II
Another working approach was found by amine04. We discussed our different approaches to gaining root
, and I want to briefly showcase the approach. A web shell can be placed at C:\xampp\htdocs
. The web server seems to be running as NT Authority/System
. With that web shell, all files can be accessed.
Unfortunately, there is an error when running the following command to download the reverse shell.
There might be an encoding error that leads to the PHP page not being evaluated correctly.
With cURL, we are able to download the shell correctly.
Accessing the web shell at http://avenger.tryhackme/shell.php
gives us then full access on the system.
Further Ideas
Another approach was discussed with 0day. Recalling the PowerUp Finding of Hijackable Path. A working exploit has not been found yet, but I am still trying. But referring to https://juggernaut-sec.com/dll-hijacking/ Hijacking the Service DLL to get a SYSTEM Shell a restart of the machine is required, which we are not able to do so.
The following approach was introduced by 0day. The snippet below is a modified version of his testing malicious DLL to capture the contents of C:\Users\Administrator\Desktop
of which was tested on a VM.
Compile the custom DLL.
Use the Write-HijackDll CMDLet to place a Command into the vulnerable DLL.
Last updated