Remote

Remote is a windows box that supposedly has a hard user and easy root. It has one official way to get root shell and one unofficial way. We came across both ways but were only proceeded with the official way

Run Nmap

Jesus that’s a messy port setup. Port 111 seems focused on NFS, lets try there.

Connect to nsf

Seems we have a full site backup including, we will probably find default credentials or stored credentials somewhere– its an easy box remember! 😊 It seems to be a CMS hosting multiple sites so lets learn about the app and see what can help us get in.

Checking for credentials.

https://our.umbraco.com/forum/getting-started/installing-umbraco/35554-Where-does-Umbraco-store-usernames-and-passwords

We google the CMS software Umbraco and its version. Using the Q&A in the above link we can find that all credentials are stored in the App_Data folder in a database. When we go there we see a db file with a SDF extension. We use strings on this and send the output to a file to review.

Going through the file we see;

Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.local b8be16afba8c314ad33d812f22a04991b90e2aaa {"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d3

We can see in the strings we have the usernames and password hashes we just need to crack.

"admin" <admin@htb.local>192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/saveupdating Name, Key, Groups, UpdateDate; groups assigned: writer
User "admin" <admin@htb.local>192.168.195.1User "admin" <admin@htb.local>umbraco/user/sign-in/logoutlogout success
User "SYSTEM" 192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/saveupdating LastLoginDate, UpdateDate
User "SYSTEM" 192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/sign-in/loginlogin success
User "ssmith" <smith@htb.local>192.168.195.1User "ssmith" <smith@htb.local>umbraco/user/sign-in/logoutlogout success

Going to the application logs in the smb share we can also see ssmith logging into the umbraco CMS and making db changes, guessing this is a web user rather than OS user.

Further searches show a FileUploads directory, which together with the user credentials we have found should be our way in – is it possible we need to upload a reverse shell and execute it through the site? The BodyPart file there looks to confirm this as it is not a default file from the HTB creator, instead it is another participants Webshell. This seems to confirm our way in, but is a disappointing spoiler.

Crack the hash

We will feed the hashes we found into https://crackstation.net

.. and we get the password for admin but unless we can figure out the encoding for ssmith, we wont know it. Lets see where the admin control panel is on the website so we can login.

Run DIRB

That’s lot of website in this website. Man.. look at all that website. It appears several sites run off this CMS. Navigating through our findings we see a login link in the contact us page that helps us ; http://10.10.10.180/umbraco#/login/false?returnPath=%252Fumbraco

The webapp

We are able to login

Let enumerate through the site.

There is very little to play with but we do get confirmation of the version of Umbraco.

Checking the CMS with get an authenticated RCE for this version! 😀

Exploiting to User

It says there is one MSF RCE and one auth RCE, I wonder if these are the same, lets try it.

The MSF vuln is for a different version so lets run our exploit 46153.py.

We cant run the script because it has some windows based formatting. We could run dos2unix but we don’t have it installed so lets just remove the formatting options with vim. The script still doesnt work for us.We get an error – lesson stands we always need to read through our scripts when using them to understand what they are doing – It seems this is because we need to edit the variables in the script. The comments in the script give a good description of whats happening in the exploit.

We update the target, user name and password and review the commands it give. Lets try dir, to see if we get a return.

We see it executing with no errors but we don’t see the output.  Reviewing the payload we put print(x) for each variable and walk ourselves through the code and by changing the payload to execute a command (or argument) with the FileName “Powershell.exe” parameter and by including a print(r4.contents) command we can both execute commands and view their results.

It works! It should be noted this is a horrible way to hack. As its an RCE and not a shell for every new command we want to run we must edit the script.Painful. So first lets enumerate abit and see what user we are and if we have userflag.

Exploring the user directories we get a nice, if random, suprise when we find the user flag in the C:/Users/Public directory.

Privilege Escalation

We have the user flag which means we have the expected user and we just need to escalate it to root now. Testing what we can do with this command we see we can ping kali vm, maybe we need to execute some command on the server that will connect to us remotely and download the webshell. Maybe we should setup ftp or a webserver for this. We found an instance of antak webshell earlier on during enumeration and it is a good contender over what we would normally use as it has full PS functionality; https://github.com/samratashok/nishang/tree/master/Antak-WebShell

Reading up on this webshell doesnt give us many answers so we grab a handy privesc guide and start enuming using https://www.fuzzysecurity.com/tutorials/16.html and https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Enumerating by RCE is painful, so painful, and we arnt finding much to work with. We can see TeamViewer is installed and there are several interesting services running. USOSVC specifically is mentioned in the PrivEsc guide i linked to above.

We setup a quick python webserver and put a nc.exe file there. We need a way to pull the nc onto our victim, and USOSVC may be the way.

After reading up on what commands we can feed into USOSVC using sc.exe we create 3 python RCE scripts, to stop USOSVC, to set the cmd to pull down our hosted NC file and execute powershell and finally to start USOSVC.

Running these commands and using Public as our write location we see it is successful but for some reason it is not working for us, our nc listens in vain. Trying a different route we find a blog that shows teamviewer 7 stores a password in the registry that can be decrypted; https://whynotsecurity.com/blog/teamviewer/ it even gives us a decrypt python script 🙂

Manually going through the registry keys until we find TeamViewer we can see the credentials as described in the blog;

SecurityPasswordAES    REG_BINARY    FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B

Reading through the python script in the link we can see, using the hard coded IV and key we can decrypt it using pythons AES Cipher library.   

We have our password .. so simple but the enumeration to get this far took days! 😮 Lets use PSexec.py to login

And we have root! 🙂 Key is in Administrators Desktop as expected.

OpenAdmin

Run NMAP

As always nmap is the first tool we use and we see only 2 ports open 22 and 80.. bleh it’s a website box ☹ hate webapp pentesting.

Run Dirb

Since its web app we run dirb and wfuzz to map out the site, the two tools let us see if we get anything different between the two. What we can see is this box is running 3 separate sites; art, music and tech websites. Given the name of the box im assuming this box is mimicking a multi-tenant hosting company and our way in will be the hosting providers admin page. But so far we haven’t found this so let try dirbuster with the medium list.

Dirbuster with the medium list shows an /ona/ directory which didnt appear in the previous tools – shows the importance of using multiple tools. This dir is how the site is managed, with a tool called OpenNetAdmin v18.1.1 which has an RCE related to it.

Run Nikto

While the dirbuster scan was running we ran Nikto just incase but unfortunately it is not our way in. Trying to fuzz the site also doesn’t work.

Check the services

Nikto did shows us that the apache version being run is out of date, so we will check vulnerabilities associated with that service. https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-241078/Apache-Http-Server-2.4.29.html

One vulnerability captures our eye; https://www.exploit-db.com/exploits/42745. But it is unlikely this is the way forward.

OpenNetAdmin seems the way to go with 2 potential exploits including a msf Command injection exploit. Lets see if it works.

It doesn’t work for us. Interesting.

Downloading the script from exploitDB and loading it into msf manually also doesn’t work. So lets try the other script searchsploit pointed us to.

This one works to give is a basic shell. Basic commands work so lets enumerate what we can. Cat all the things 😊

So it looks like we use the DCM cli to run sql commands maybe; https://github.com/opennetadmin/dcm

Alas DCM failed us, we couldn’t run sql commands through it but we did findund the sql username in /var/log/ona.log .. lets enum some more.

After much searching we find the db login and password in one of the sub directories of where our shell started in – n1nj4W4rri0R! . Never forget to check whats close to home i guess.

We also have two users.. lets try the db password on the user accounts and see if we can ssh.

And with have jimmy, to the sound of applause!

A friend introduced us to a linux enum script we want to try; https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

LinEnum.sh goes through a massive amount of enum and gives some great information but here, for this box – there are no interesting findings.

When checking out the /var/www location we find a separate “internal” web page. Lets check out these files

We can see jimmy’s hashed password is stored in the index.php file but not Joanna’s, Joanna seems to use a key which is cat’d to the output in main.php.

We can see joanna’s ssh key will be cat’d to us if we run main.php but we don’t seem to have the permissions to run it from php, by checking out apaches config we can see Internal is an enabled-site with the server name internal.openadmin.htb. So lets curl the server name instead of the ip. Curling the hostname didn’t work for us.

But by re-reading the config file we see its listening on a particular localhost:port , when we curl this we get our RSA priv key.

We can see that the RSA key is encrypted with a pass phrase. We try using jimmys password, due to the ninja hint in the webpage, but it doesnt work. We can see there passphrase is breakable by checking the header; DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6. Using SSH2John format to convert the file to a john crackable format, we get the passphrase, bloodninjas. This is the same process we did for Postman.

Now we are in for Joanna and we have the user flag.

Checking the sudo -l we can see Joanna can execute a particular file as root using nano. A friend recently introduced us to GTFOBins which are ways to abuse this type of privilege. Lets use the nano file to break out of the restricted shell as per here; https://gtfobins.github.io/gtfobins/nano/#shell

Sure enough running sudo /bin/nano /opt/priv and using the gtfobin saves our bacon and we get the root flag.

Happy days we have evolved into a script kiddy 🙂

Sauna

Run nmap.

Review interesting findings

  • 9389/tcp – Active directory web services
  • 445/139/tcp – SMB ports lets run smbmapper
  • 80/tcp – web server – lets run dirb on it.
  • 3268/tcp – LDAP requests sent to port 3268 can be used to search for objects in the entire forest for the global catalog
  • 464/tcp – kpasswd – A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP “ping-pong” attack on port 464.
    References: [CVE-2002-2443], [SECUNIA-53375]
  • 389/tcp – LDAP
  • 593/tcp – MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
  • 135/tcp – Remote Procedure Call (RPC) 
  • 88/tcp – KDC (Kerberos key distribution center) server.
  • 5985/tcp – WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.

We can see many interesting ports to look at – the box seems to be LDAP/AD/Kerberos focused. We also see we get an nmap segmentation fault;

Checking the services

SMBmap doesn’t give us much to work with here.

Not much shown from dirb either, looks like a pretty flat site. We have a lot of other choices to check but lets spin up sparta to try and narrow down our options before we take the next step with the AD/LDAP/Kerberos enumeration. Lets see if it gives us alternative options.

While sparta is running we will also setup openvas on our machine using the guide here -https://hackertarget.com/install-openvas-gvm-on-kali/ ;

root@kali:~# apt update
root@kali:~# apt install openvas
root@kali:~# openvas-setup
kali:~# greenbone-scapdata-sync
root@kali:~# openvas-adduser
root@kali:~# gsd
[*] Creating admin user
User created with password '73a95e20-b3fd-4e77-9b6f-247a49ff695e'.

While these scans run we read up on Kerberos here; https://www.tarlogic.com/en/blog/how-kerberos-works/ this blog leads us to an interesting attack which matches the boxes name; https://attack.mitre.org/techniques/T1208/ KerbeRoasting but we need a domain account to do this. So lets try and get one with some further enumeration.

A good amount of information, usernames, including guest. Plus the domain name. Going back to the site itself we found some usernames;

We can also see many blog posts from user Admin. Finally using cme we can find some additional information.

Vulnerability Detection Result

Here is the list of DCE/RPC or MSRPC services running on this host via the TCP protocol:
Port: 49664/tcp
     UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49664]
Port: 49665/tcp
     UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49665]
     Annotation: Event log TCPIP
Port: 49666/tcp
     UUID: 3a9ef155-691d-4449-8d05-09ad57031823, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49666]
     UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49666]
Port: 49667/tcp
     UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Annotation: RemoteAccessCheck
     UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Named pipe : lsass
     Win32 service or process : Netlogon
     Description : Net Logon service
     UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : LSA access
     UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : SAM access
     UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Annotation: Impl friendly name
     UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
     Endpoint: ncacn_ip_tcp:10.10.10.175[49667]
     Annotation: MS NT Directory DRS Interface
Port: 49673/tcp
     UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7, version 0
     Endpoint: ncacn_http:10.10.10.175[49673]
     Annotation: RemoteAccessCheck
     UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
     Endpoint: ncacn_http:10.10.10.175[49673]
     Named pipe : lsass
     Win32 service or process : Netlogon
     Description : Net Logon service
     UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
     Endpoint: ncacn_http:10.10.10.175[49673]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : LSA access
     UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
     Endpoint: ncacn_http:10.10.10.175[49673]
     Annotation: MS NT Directory DRS Interface
Port: 49674/tcp
     UUID: 0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Annotation: RemoteAccessCheck
     UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Named pipe : lsass
     Win32 service or process : Netlogon
     Description : Net Logon service
     UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : LSA access
     UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Named pipe : lsass
     Win32 service or process : lsass.exe
     Description : SAM access
     UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
     Endpoint: ncacn_ip_tcp:10.10.10.175[49674]
     Annotation: MS NT Directory DRS Interface
Port: 49675/tcp
     UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     Named pipe : spoolss
     Win32 service or process : spoolsv.exe
     Description : Spooler service
     UUID: 4a452661-8290-4b36-8fbe-7f4093a94978, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     UUID: 76f03f96-cdfd-44fc-a22c-64950a001209, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
     UUID: ae33069b-a2a8-46ee-a235-ddfd339be281, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49675]
Port: 49678/tcp
     UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
     Endpoint: ncacn_ip_tcp:10.10.10.175[49678]
Port: 49686/tcp
     UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5
     Endpoint: ncacn_ip_tcp:10.10.10.175[49686]
     Named pipe : dnsserver
     Win32 service or process : dns.exe
     Description : DNS Server
Port: 49696/tcp
     UUID: 897e2e5f-93f3-4376-9c9c-fd2277495c27, version 1
     Endpoint: ncacn_ip_tcp:10.10.10.175[49696]
     Annotation: Frs2 Service

CME doesn’t show us much and our OpenVAS scan hasn’t given us any vulnerabilities to exploit, though we did get additional enumeration information. But I think this is the extent of the info we will get so lets start trying to get in using https://www.tarlogic.com/en/blog/how-to-attack-kerberos/ and https://pentestlab.blog/2018/06/04/spn-discovery/

We will need a valid user so we create a user list using cewl and edit it to include the users above, in different standard employee formats. Ever wonder why your employer doesn’t just use $Firstname.$lastname? Now you know!

Foothold

Initial foothold shows we are using the wrong domain, to the glee of a friend who is getting into the habit of saying stop being stooopid.

Interestingly it looks like fsmith is a user and we now have there hash. Bouncing back to the blogs we are able to move along this chain to crack this hash. Using hashcat we run;

hashcat -m 18200 --force -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt

With that we have the password and the SPN for

ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 00:54:34.140321  <never>               

HSmith is showing instead of fsmith interestingly. I need to read up more on SPNs though it probably wont be needed for this box. Microsoft has some good documentation here; https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

It looks like hsmith will be the service account we will be targeting. Initially we were getting an error when trying to run this command “[-] SPN:  – Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)” but after doing an ntpupdate 10.10.10.175 we fixed this. Running the command above again we get the hash and now we just need to.. ah roast it.

We crack it successfully but the password is Thestrokes23.. same as for fsmith, maybe this was a false positive. Lets log in.

Looks like we can smb login as hsmith and fsmith.

We see a RICOH printer drive which is interesting but there doesnt seem to be any vulnerabilities we can use. Going back over the nmap results we see winrm running on this server on its default port, so lets try Evil-Winrm to see if we can get a shell with these users. We use this guide to setup Evil-Winrm – https://github.com/Hackplayers/evil-winrm

Bingo! We have access for FSmith, but we cant access winrm from hsmith. So lets try some enumeration to get root, bloodhound might be good here. Using ireds tutorial we setup bloodhound; https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

While this is being set up we enumerate some more.

 We can see a svc account is available.. we will try to kerberoast it.

Doesn’t work so let enumerate some more;

Some good information. We alse run these commands from C:\

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

We get a lot of results but nothing seems relevant. After a while we find a blog with additional enumeration steps; https://pentestlab.blog/2017/04/19/stored-credentials/ ;

I am not associated with https://pentestlab.blog/ but I owe her so many beers by now.

DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
DefaultPassword    REG_SZ    Moneymakestheworldgoround!

We now have User 1, and User 2 but how do we get root… Lets go over our enumeration with impactet and these new user credentials.

We have a ticket granting ticket. Lets kerberoast the service account incase we get something new. But we don’t.

Sadly this isn’t helping us. So lets go back to enumeration, we have a domain account so let use bloodhound to enumeration all things AD;

Going through the information generated we see Unconstrained delegation is enabled, allowing for this attack; https://blog.stealthbits.com/unconstrained-delegation-permissions/ this might help us. Unfortunately it doesn’t.

But the information from just FSmiths account is limited, so lets login as svc_loanmgr and see what information we get.

After spending some time navigating bloodhound, as nice as having a gui is for the point-click admins, I hate it – but after much searching, blood, sweat and sanity I finally see that svc_loanmgr has both getchanges and getchangesall privileges allowing for a DCSync attack.

We will attack it using the impacket tool secretsdump.py, described in the blog https://spookysec.net/2019-12-01-domain-controller-sync/ (sent our way by a friend who stops us being stoopid).

From here we just need to use the hash with evil-rm as administrator to get the flag.

Game set and match, but in saying that I was working on this on-off for about 4 days before it clicked, strangely it was the seeing the vulnerability in bloodhound that I had the most trouble with, which if you go by the comments in the HTB forums was the easy bit! 😀

Such is life.

Hack The Box – Postman

Run Nmap

Shows a few ports we can play with including http so lets dirb it.

Dirb the website

Its interesting, the js scripts might have an exec we can use but not sure. Lets run a full nmap to see what info we can get on OS and versions.

Full nmap

The verbose nmap shows some extra info including; OpenSSH, Apache httpd 2.4.29, MiniServ 1.910 (Webmin httpd) and ubuntu.

Lets google these versions for exploits as it might be easier than manipulating the js, if that’s possible.

The google

Interesting we seem to see 2 exploits that might be useful.

For Webmin (CVE-2019-12840) https://www.rapid7.com/db/modules/exploit/linux/http/webmin_packageup_rce

This is interesting and might be useful if we can get the webmin credentials.

For Apache – https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2019-0211

Interesting as well, might be how we get root but not the door we are looking for.

Webmin enum

So lets checkout webmin first.

Researching webmin vulnerabilities we see https://www.rapid7.com/db/modules/exploit/linux/http/webmin_backdoor could potentially let us change the password. We know the device is linux so the default username is root. Lets see if we can change the password.

Nope. Researching the Apache version also didn’t do much good. When speaking to a friend I am told I am an idiot and lazy with nmap, and I should redo my nmap and not be stooopid. As such I am now redoing nmap with sadness in my heart.

Sure enough we see port 6379 – Redis Key-Value Store 4.0.9. Abit of research shows Redis to be a mix of nosql and caching software that, as it says, acts as a key value store. Guessing our user credentials are stored in it so after installing redis-cli we can connect to the box;

Using HackTricks site we are able to learn about more about redis and how to enumerate it; https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

Using CONFIG GET * we can see the configuration;

10.10.10.160:6379> CONFIG GET *
  1) "dbfilename"
  2) "authorized_keys"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "cluster-announce-ip"
  8) ""
  9) "unixsocket"
 10) ""
 11) "logfile"
 12) "/var/log/redis/redis-server.log"
 13) "pidfile"
 14) "/var/run/redis/redis-server.pid"
 15) "slave-announce-ip"
 16) ""
 17) "maxmemory"
 18) "0"
 19) "proto-max-bulk-len"
 20) "536870912"
 21) "client-query-buffer-limit"
 22) "1073741824"
 23) "maxmemory-samples"
 24) "5"
 25) "lfu-log-factor"
 26) "10"
 27) "lfu-decay-time"
 28) "1"
 29) "timeout"
 30) "0"
 31) "active-defrag-threshold-lower"
 32) "10"
 33) "active-defrag-threshold-upper"
 34) "100"
 35) "active-defrag-ignore-bytes"
 36) "104857600"
 37) "active-defrag-cycle-min"
 38) "25"
 39) "active-defrag-cycle-max"
 40) "75"
 41) "auto-aof-rewrite-percentage"
 42) "100"
 43) "auto-aof-rewrite-min-size"
 44) "67108864"
 45) "hash-max-ziplist-entries"
 46) "512"
 47) "hash-max-ziplist-value"
 48) "64"
 49) "list-max-ziplist-size"
 50) "-2"
 51) "list-compress-depth"
 52) "0"
 53) "set-max-intset-entries"
 54) "512"
 55) "zset-max-ziplist-entries"
 56) "128"
 57) "zset-max-ziplist-value"
 58) "64"
 59) "hll-sparse-max-bytes"
 60) "3000"
 61) "lua-time-limit"
 62) "5000"
 63) "slowlog-log-slower-than"
 64) "10000"
 65) "latency-monitor-threshold"
 66) "0"
 67) "slowlog-max-len"
 68) "128"
 69) "port"
 70) "6379"
 71) "cluster-announce-port"
 72) "0"
 73) "cluster-announce-bus-port"
 74) "0"
 75) "tcp-backlog"
 76) "511"
 77) "databases"
 78) "16"
 79) "repl-ping-slave-period"
 80) "10"
 81) "repl-timeout"
 82) "60"
 83) "repl-backlog-size"
 84) "1048576"
 85) "repl-backlog-ttl"
 86) "3600"
 87) "maxclients"
 88) "10000"
 89) "watchdog-period"
 90) "0"
 91) "slave-priority"
 92) "100"
 93) "slave-announce-port"
 94) "0"
 95) "min-slaves-to-write"
 96) "0"
 97) "min-slaves-max-lag"
 98) "10"
 99) "hz"
100) "10"
101) "cluster-node-timeout"
102) "15000"
103) "cluster-migration-barrier"
104) "1"
105) "cluster-slave-validity-factor"
106) "10"
107) "repl-diskless-sync-delay"
108) "5"
109) "tcp-keepalive"
110) "300"
111) "cluster-require-full-coverage"
112) "yes"
113) "cluster-slave-no-failover"
114) "no"
115) "no-appendfsync-on-rewrite"
116) "no"
117) "slave-serve-stale-data"
118) "yes"
119) "slave-read-only"
120) "yes"
121) "stop-writes-on-bgsave-error"
122) "yes"
123) "daemonize"
124) "yes"
125) "rdbcompression"
126) "yes"
127) "rdbchecksum"
128) "yes"
129) "activerehashing"
130) "yes"
131) "activedefrag"
132) "no"
133) "protected-mode"
134) "no"
135) "repl-disable-tcp-nodelay"
136) "no"
137) "repl-diskless-sync"
138) "no"
139) "aof-rewrite-incremental-fsync"
140) "yes"
141) "aof-load-truncated"
142) "yes"
143) "aof-use-rdb-preamble"
144) "no"
145) "lazyfree-lazy-eviction"
146) "no"
147) "lazyfree-lazy-expire"
148) "no"
149) "lazyfree-lazy-server-del"
150) "no"
151) "slave-lazy-flush"
152) "no"
153) "maxmemory-policy"
154) "noeviction"
155) "loglevel"
156) "notice"
157) "supervised"
158) "no"
159) "appendfsync"
160) "everysec"
161) "syslog-facility"
162) "local0"
163) "appendonly"
164) "no"
165) "dir"
166) "/var/lib/redis/.ssh"
167) "save"
168) "900 1 300 10 60 10000"
169) "client-output-buffer-limit"
170) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
171) "unixsocketperm"
172) "0"
173) "slaveof"
174) ""
175) "notify-keyspace-events"
176) ""
177) "bind"
178) "0.0.0.0 ::1"

We learn abit about the config file locations, the DB filename and that protected mode(whatever that is) is not enabled.. not much I can think of using so lets try the next command HackTricks suggests;

Looks like we will be able to get the public ssh_key for the user, red. After some more research we come to this blog; https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419 shows how we can use protected mode being disabled to upload our own trusted public key. As per that blog we create temp.txt and upload it to redis.

We can see our key s-key. Next what we want to do with our uploaded ssh key is to get it into the authorized keys file and save it, this way we should be able to ssh.

We don’t have permission to write the authorized_key to the user, reds .ssh folder so let’s try it in the default /var/lib/redis/.ssh. Now trying to SSH as Root, Red and Redis doesn’t seem to work. Let’s try again incase we did something incorrect, this time I will do it as root, just incase there is some unlikely permission issue. We run a flushall command in redis-cli to clear everything and begin again.
This time it seems to work, guessing I typo’d the DIR, or misspelled the auth_keys 😕 Who doesn’t love life..

So now we are logged into the system as Redis, we can view one other user on the system, /home/Matt and the user key is there but unreadable as Redis. The user Red seems to be a red haring. So now we will go through the system to see what we can see.

Checking through the bash history for redis we can see scan.py and sshd_config and id_rsa.bak. Lets check these out first. Sshd_config didn’t show anything interesting but we were able to find a passphrase protected id_rsa.bak file in /opt;

googling how to enumerate id_rsa files shows us we might be able to get a password from this file; https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c. We copy/paste the file contents into a file on our kali machine, setup john the ripper and.. ah… let ‘er rip!

Computer2008 seems to be our pass, so lets su into Matt and grab that user key.

Everythings coming up matthouse! So now we have user how will we get root. We know we have webmin and redis on the machine so are there any privilege escalations that will help? Checking running processes we can see webmin is being run as root so that might be a good start for checking;

Cant read most of the webmin files but we can confirm the version and search sploit shows one option for us.

And this is in MSF, we can be lazy. MSF module shows we need the webmin password to exploit. Lets see if Matt/computer2008 lets is log into it.

It does, we are in! 😊

Now we run and… we are in!

Lets see if we can get root flag now.

And we win! 😊

HTB – NetMon

As always first step is to run nmap and see what we find.

kali@kali:~$ sudo nmap -v -A -O 10.10.10.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 07:02 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
Initiating NSE at 07:02
Completed NSE at 07:02, 0.00s elapsed
Initiating Ping Scan at 07:02
Scanning 10.10.10.152 [4 ports]
Completed Ping Scan at 07:02, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:02
Completed Parallel DNS resolution of 1 host. at 07:02, 0.01s elapsed
Initiating SYN Stealth Scan at 07:02
Scanning 10.10.10.152 [1000 ports]
Discovered open port 21/tcp on 10.10.10.152
Discovered open port 445/tcp on 10.10.10.152
Discovered open port 135/tcp on 10.10.10.152
Discovered open port 139/tcp on 10.10.10.152
Increasing send delay for 10.10.10.152 from 0 to 5 due to 113 out of 376 dropped probes since last increase.
Increasing send delay for 10.10.10.152 from 5 to 10 due to max_successful_tryno increase to 4
Completed SYN Stealth Scan at 07:02, 25.20s elapsed (1000 total ports)
Initiating Service scan at 07:02
Scanning 4 services on 10.10.10.152
Completed Service scan at 07:02, 6.57s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.152
Retrying OS detection (try #2) against 10.10.10.152
Retrying OS detection (try #3) against 10.10.10.152
Retrying OS detection (try #4) against 10.10.10.152
Retrying OS detection (try #5) against 10.10.10.152
Initiating Traceroute at 07:03
Completed Traceroute at 07:03, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 07:03
Completed Parallel DNS resolution of 2 hosts. at 07:03, 0.01s elapsed
NSE: Script scanning 10.10.10.152.
Initiating NSE at 07:03
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 07:03, 8.26s elapsed
Initiating NSE at 07:03
Completed NSE at 07:03, 0.08s elapsed
Initiating NSE at 07:03
Completed NSE at 07:03, 0.00s elapsed
Nmap scan report for 10.10.10.152
Host is up (0.13s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/8%OT=21%CT=1%CU=39034%PV=Y%DS=2%DC=T%G=Y%TM=5E64D0F6
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=A
OS:)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54
OS:DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000
OS:)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S
OS:=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=80%CD=Z)

Uptime guess: 0.001 days (since Sun Mar  8 07:01:37 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m03s, deviation: 0s, median: 2m03s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-08T11:05:18
|_  start_date: 2020-03-08T11:03:54

TRACEROUTE (using port 256/tcp)
HOP RTT      ADDRESS
1   30.47 ms 10.10.14.1
2   30.59 ms 10.10.10.152

NSE: Script Post-scanning.
Initiating NSE at 07:03
Completed NSE at 07:03, 0.00s elapsed
Initiating NSE at 07:03
Completed NSE at 07:03, 0.00s elapsed
Initiating NSE at 07:03
Completed NSE at 07:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.31 seconds
           Raw packets sent: 2006 (91.810KB) | Rcvd: 1265 (54.086KB)

We see FTP, SMB, NetBios and RPC ports open.. lets try enumerating what we can find in FTP first. Lets spin up MSF and search what FTP options we have.

We see alot of ways to play around with FTP, but first we want to check for guest, anonymous and no password logins. First check shows anonymous is allowed, lets see what we can see. As part of researching i found this nice blog; https://shahmeeramir.com/penetration-testing-of-an-ftp-server-19afe538be4b?gi=961d209d3042

Using scanner/ftp/anonymous we cab see that anonymous logins are allowed, so lets log in and see what we can see.

lucky day – looks like the whole C drive is available; everything from program files to users – lets see if we can get both flags.. we can get the user flag easily.

Lets see if we can also get admin. If blue was easy maybe this will be too.

Boo we cant. lets check out the other directories.

Not much interesting to find (dont forget to escape your spaces!) PRTG is the only program – which ties into the netmon name so lets google this. Its an interesting monitoring tool ive used before but not sure how we can use this to get admin; https://blog.paessler.com/monitor-applications-and-services-with-prtg lets check version and see what vulns show. Lets first try playing around with the website.

After about too many tears shed from searching the FTP drive and the website I still cant find anything interesting. Lets try the web app.. DIRB and a manual search dont give anything i can use, common accounts arnt recognised.. back to google. i got this blog https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data looks like program data might give us something

ProgramData.. hidden folders shouldent be forgotten about. 🙂 Going through the folder we see a .dat, .old and .old.bak config files. lets pull down the 3 config files and see whats in them

We have the version from .dat file; 18.1.37.13946. the config itself is very long with most setting seem unimportant, and searching through “user” doesn’t give any results. Lets see if we can find any vulnerabilities for that version.

Found a few CVE’s, CVE-2018-19203, CVE-2018-19204 and CVE-2018-9276 but nothing that we can use.

Success? After being stumped for awhile i was going through the .bak.old I found something – never forget to search for admin in all files 😮

<login>
                  prtgadmin
                </login>
                <name>
                  PRTG System Administrator
                </name>
                <ownerid>
                  100
                </ownerid>
                <password>
                  <flags>
                    <encrypted/>
                  </flags>
                  <cell col="0" crypt="PRTG">
                    PDWXMOPZT43U2GKGR3YCBILXDMLAUZVBN27KGBOPKXRQ====
                  </cell>
                  <cell col="1" crypt="PRTG">
and 
<dbpassword>
            <!-- User: prtgadmin -->
              PrTg@dmin2018
            </dbpassword>

Lets see if we can log into the website with these credentials…

suspenseful pause and it fails. Checking the other config files for this we find that the DBPassword is now set to encrypt and inherit, nice and secure 😦 .. not in plain text anymore. After playing around i noticed the .dat file has a saved date of 2019, and changing the year in the password to 2019 lets us log in!

Now that we are logged into the app we can use one of the CVE’s we found earlier. Started trying the OS command injection CVE-2018-19204.. but there was no MSF module and I wasnt able to find a working PoC to use it but while searching a few more articles referenced CVE-2018-9276 which might work and has a python script prebuild; https://github.com/wildkindcc/CVE-2018-9276 so lets give this a go.

After some playing around the python script wasnt working so i ended up using exploitdb’s bash script instead; https://www.exploit-db.com/exploits/46527 .

With this we have created an admin user account on the system itself so lets try to login. Reading up on https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ we can try using PSexec to get a shell.

And we are in as admin! The flag has been found in the Admins users desktop! 🙂