User Privileges


*Evil-WinRM* PS C:\Users\Chase\Documents> whoami /all
 
USER INFORMATION
----------------
 
User Name         SID
================= ==============================================
supportdesk\chase S-1-5-21-4254423774-1266059056-3197185112-1012
 
 
GROUP INFORMATION
-----------------
 
Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The Chase user holds only SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege; neither is exploitable for privilege escalation.

todo.txt


*Evil-WinRM* PS C:\Users\Chase> dir -force Desktop
 
 
    Directory: C:\Users\Chase\Desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-        4/22/2019   7:14 AM            282 desktop.ini
-a----        4/22/2019   9:08 AM            121 todo.txt
-ar---        1/11/2023   1:15 PM             34 user.txt

The directory contains user.txt (C:\Users\Chase\Desktop\user.txt) alongside a todo.txt file.

*Evil-WinRM* PS C:\Users\Chase\desktop> cat todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

The todo.txt file mentions keeping an eye on the issues list, which most likely refers to the issues page of the web server on port 80. Nothing here is new; all of this information was already known.

runphp.cmd


*Evil-WinRM* PS C:\Program Files> dir
 
 
    Directory: C:\Program Files
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/21/2019   9:39 AM                Common Files
d-----        4/21/2019  11:00 AM                Internet Explorer
d-----        2/18/2021   4:21 PM                Mozilla Firefox
d-----        4/22/2019   6:47 AM                PHP
d-----        4/22/2019   6:46 AM                Reference Assemblies
d-----        4/22/2019   6:46 AM                runphp
d-----        2/18/2021   4:05 PM                VMware
d-r---        4/21/2019  11:00 AM                Windows Defender
d-----        4/21/2019  11:00 AM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:49 PM                Windows Mail
d-----        4/21/2019  11:00 AM                Windows Media Player
d-----        9/15/2018  12:49 PM                Windows Multimedia Platform
d-----        9/15/2018  12:58 PM                Windows NT
d-----        4/21/2019  11:00 AM                Windows Photo Viewer
d-----        9/15/2018  12:49 PM                Windows Portable Devices
d-----        9/15/2018  12:49 PM                Windows Security
d-----        9/15/2018  12:49 PM                WindowsPowerShell

While enumerating, I found an unusual directory at C:\Program Files\runphp.

*Evil-WinRM* PS C:\Program Files> cd runphp
*Evil-WinRM* PS C:\Program Files\runphp> ls
 
 
    Directory: C:\Program Files\runphp
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/23/2013  10:56 AM           1265 runphp.cmd

The directory holds a single Windows batch file, runphp.cmd.

*Evil-WinRM* PS C:\Program Files\runphp> type runphp.cmd
SET pf=%ProgramFiles%
if DEFINED ProgramFiles(x86) SET pf=%ProgramFiles(x86)%
 
set appcmd="%pf%\iis express\appcmd.exe"
set iisexpress="%pf%\iis express\iisexpress.exe"
 
cd > tmpFile
set /p currentdir= < tmpFile
del tmpFile
 
where php-cgi.exe > tmpFile
set /p phprt= < tmpFile
del tmpFile
if DEFINED phprt goto setup_iis
SET phprt=%pf%\PHP\v5.3\php-cgi.exe
 
:setup_iis
 
copy "%pf%\iis express\config\templates\PersonalWebServer\applicationhost.config" "%currentdir%\apphost.config"
 
%appcmd% delete site "website1" /apphostconfig:"%currentdir%\apphost.config"
%appcmd% add site /name:WebSite1 /physicalPath:"%currentdir%" /bindings:http/*:8080: /apphostconfig:"%currentdir%\apphost.config"
%appcmd% set config /section:system.webServer/fastCgi "/+[fullPath='%phprt%']" "/apphostconfig:%currentdir%\apphost.config"
%appcmd% set config /section:system.webServer/handlers "/+[name='PHP-FastCGI',path='*.php',modules='FastCgiModule',verb='*', scriptProcessor='%phprt%',resourceType='Either']" "/apphostconfig:%currentdir%\apphost.config"
%appcmd% set config /section:system.webServer/defaultDocument "/+files.[value='index.php']" "/apphostconfig:%currentdir%\apphost.config"
 
%iisexpress% /site:WebSite1 /config:"%currentdir%\apphost.config"

The script locates php-cgi.exe, copies an IIS Express template configuration, registers a site named WebSite1 bound to HTTP on port 8080 with a PHP FastCGI handler, and then starts IIS Express with that configuration. In other words, it appears to (re)start a web server named WebSite1 on port 8080. Nothing in the earlier enumeration mentioned port 8080.

Rabbit hole?

c:\inetpub\wwwroot


*Evil-WinRM* PS C:\Users\Chase\desktop> ls C:\inetpub\wwwroot
Access to the path 'C:\inetpub\wwwroot' is denied.
At line:1 char:1
+ ls C:\inetpub\wwwroot
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\inetpub\wwwroot:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

Listing C:\inetpub\wwwroot is denied. That only blocks enumeration of the directory; the ACLs of files inside it whose names are already known can still be queried directly.

*Evil-WinRM* PS C:\Users\Chase\desktop> icacls C:\inetpub\wwwroot\login.php
C:\inetpub\wwwroot\login.php BUILTIN\IIS_IUSRS:(I)(RX)
                             NT SERVICE\TrustedInstaller:(I)(F)
                             NT AUTHORITY\SYSTEM:(I)(F)
                             BUILTIN\Administrators:(I)(F)
                             BUILTIN\Users:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files

The (RX) entry indicates that members of BUILTIN\Users, which includes Chase, can read and execute the file.
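As an added example (not code from the original write-up), the following Python 3 script parses icacls output and answers the question asked above for a whole set of files at once: which files can a broad group such as BUILTIN\Users read? The sample input is constructed: it reuses the login.php ACL shown above and adds a hypothetical config.php carrying a deny entry, to show that deny ACEs are honoured before allow ACEs. The ACE regex, the set of read-implying rights and the "deny wins" rule are simplifications of the Windows DACL model and are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. The login.php block is the icacls output shown on the
# page; config.php is a hypothetical second file added for contrast.
ICACLS_OUTPUT = """\
C:\\inetpub\\wwwroot\\login.php BUILTIN\\IIS_IUSRS:(I)(RX)
                             NT SERVICE\\TrustedInstaller:(I)(F)
                             NT AUTHORITY\\SYSTEM:(I)(F)
                             BUILTIN\\Administrators:(I)(F)
                             BUILTIN\\Users:(I)(RX)
C:\\inetpub\\wwwroot\\config.php BUILTIN\\IIS_IUSRS:(I)(RX)
                              NT AUTHORITY\\SYSTEM:(I)(F)
                              BUILTIN\\Administrators:(I)(F)
                              BUILTIN\\Users:(DENY)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific icacls rights that imply the principal can read file contents.
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "GR"}

# One ACE as printed by icacls: "<principal>:(flag)(flag)(rights)". The principal is a
# well-known two-word authority or a single-token domain followed by "\name"; SIDs
# printed as "*S-1-..." are also accepted. Heuristic, not a full icacls grammar.
ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|BUILTIN|\S+)\\[^:\\]+|\*S-[\d-]+)"
    r":(?P<groups>(?:\([^)]*\))+)\s*$"
)


@dataclass
class Ace:
    principal: str
    deny: bool = False
    flags: set = field(default_factory=set)
    rights: set = field(default_factory=set)


def parse_ace(fragment):
    """Return (Ace, text before the ACE) or (None, fragment) if no ACE is present."""
    m = ACE_RE.search(fragment)
    if not m:
        return None, fragment
    ace = Ace(principal=m.group("principal"))
    for g in re.findall(r"\(([^)]*)\)", m.group("groups")):
        if g == "DENY":
            ace.deny = True
        elif g in INHERIT_FLAGS:
            ace.flags.add(g)
        else:
            ace.rights.update(p.strip() for p in g.split(","))
    return ace, fragment[: m.start()].strip()


def parse_icacls(text):
    """Return {path: [Ace, ...]} from icacls output. The first line of each file
    carries the path; continuation lines are indented and carry one ACE each."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        ace, rest = parse_ace(line)
        if ace is None:
            continue
        if not line[0].isspace():
            current = rest
            entries[current] = []
        if current is not None:
            entries[current].append(ace)
    return entries


def can_read(aces, principal):
    """Approximates DACL evaluation: a deny ACE granting a read right wins over any allow."""
    mine = [a for a in aces if a.principal.lower() == principal.lower()]
    if any(a.deny and a.rights & READ_RIGHTS for a in mine):
        return False
    return any(not a.deny and a.rights & READ_RIGHTS for a in mine)


def overexposed(entries, broad_principals=("BUILTIN\\Users", "Everyone",
                                           "NT AUTHORITY\\Authenticated Users")):
    """Map each path to the broad principals that can read it (empty list = none)."""
    return {p: [g for g in broad_principals if can_read(aces, g)]
            for p, aces in entries.items()}


if __name__ == "__main__":
    for path, groups in overexposed(parse_icacls(ICACLS_OUTPUT)).items():
        print(path, "->", groups or "no broad read access")
```

Feed it the output of `icacls C:\inetpub\wwwroot\* /T` saved from a host you administer and it lists every file under the web root that low-privileged local users can read, which is the check that would have flagged login.php before an attacker did.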

*Evil-WinRM* PS C:\Users\Chase\desktop> cat C:\inetpub\wwwroot\login.php
*Evil-WinRM* PS C:\Users\Chase\desktop> type C:\inetpub\wwwroot\login.php
<!DOCTYPE html>
<html lang="en" >
 
<head>
  <meta charset="UTF-8">
  <title>Support Login Page</title>
[...]
</head>
 
<body>
 
[...]
 
</body>
<?php
session_start();
if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
        if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
                $_SESSION['admin'] = "valid";
                header('Location: issues.php');
        }
        else
                header('Location: errorpage.php');
}
else if( isset($_GET['guest']) ) {
        if( $_GET['guest'] === 'true' ) {
                $_SESSION['guest'] = "valid";
                header('Location: issues.php');
        }
}
 
 
?>
</html>

C:\inetpub\wwwroot\login.php itself was not access-restricted, so its source can be read. The admin credential check is hard-coded into the script: the username must be admin@support.htb and the SHA-256 hash of the password must equal 91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040, an unsalted hash that can be tested directly against a wordlist.

PS C:\hashcat-6.2.6> .\hashcat.exe -a 0 -m 1400 .\hashes .\rockyou.txt -d 2 -O --self-test-dis
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 1383 MB
 
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
Approaching final keyspace - workload adjusted.
 
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: 91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337a...db9040
Time.Started.....: Wed Jan 11 12:23:09 2023 (3 secs)
Time.Estimated...: Wed Jan 11 12:23:12 2023 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  6360.2 kH/s (0.35ms) @ Accel:256 Loops:1 Thr:128 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 3094/14344385 (0.02%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[3030313561707265] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#2..: Temp: 56c Util:  5% Core: 637MHz Mem:5500MHz Bus:8
 
Started: Wed Jan 11 12:22:59 2023
Stopped: Wed Jan 11 12:23:13 2023

Hashcat exhausted rockyou.txt without recovering the hash (Status: Exhausted, Recovered 0/1). It's a dead end.
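The defender's takeaway, as an added example that is not part of the original write-up: the check in login.php is a single unsalted SHA-256 over the password, so every wordlist entry costs exactly one hash, which is why hashcat mode 1400 can run through all of rockyou.txt in three seconds. The Python 3 script below reproduces that check against a constructed five-word list (a stand-in for rockyou.txt, not the real file), confirms that the hash from the page is not among those candidates, and contrasts it with a salted, iterated PBKDF2 record that makes the same wordlist test slow and per-user. The wordlist, the iteration count and the record format are assumptions of this example, not anything taken from the target.

```python
import hashlib
import hmac
import os
from typing import Optional

# The SHA-256 hash hard-coded in login.php as shown on the page.
PAGE_HASH = "91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040"

# Constructed stand-in for a wordlist (the real run used rockyou.txt).
WORDLIST = ["password", "Welcome1", "support123", "Summer2019!", "letmein"]

# Iteration count assumed here; OWASP's current guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def sha256_hex(password: str) -> str:
    """What login.php computes: hash('sha256', $password) with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_password_check(target_hex: str, wordlist) -> Optional[str]:
    """The test hashcat mode 1400 performs: one SHA-256 per candidate, no salt,
    so the same wordlist pass answers the question for every user at once.
    Returns the matching candidate, or None if the list is exhausted."""
    for candidate in wordlist:
        if hmac.compare_digest(sha256_hex(candidate), target_hex):
            return candidate
    return None


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened alternative: per-user random salt plus an iterated KDF.
    Record format (assumed): algo$iterations$salt_hex$derived_key_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Constant-time verification of a password against a stored record."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Unsalted SHA-256: a demo hash for a weak password is found immediately.
    print("demo hash ->", weak_password_check(sha256_hex("Welcome1"), WORDLIST))
    # The page's hash is not produced by any word in our small list.
    print("page hash ->", weak_password_check(PAGE_HASH, WORDLIST))
    # PBKDF2: the salt differs per record, so one wordlist pass covers one user,
    # and each candidate costs ITERATIONS hashes instead of one.
    rec = make_record("Welcome1")
    print(rec)
    print("verify correct:", verify_record(rec, "Welcome1"),
          "verify wrong:", verify_record(rec, "welcome1"))
```

In PHP the equivalents of make_record and verify_record are password_hash() and password_verify(), which choose the salt and cost factor for you; either way the credential should live in a store outside the web root rather than in a file that BUILTIN\Users can read.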