Markup (Tier 2)
Tier -> 2
Difficult -> Very Easy
OS -> Windows
Tags -> Apache / SSH / PHP / Reconnaissance / Scheduled Job Abuse / Weak Credentials / Arbitrary File Upload / XXE Injection / Weak Permissions
Then to learn more about the services running on the open ports found, I did an exhaustive scan
With this, I answered the first question
Answer: 2.4.41
I found the HTTP service running on port 80 so I went to the browser to explore the content and found a login page. I tried logging in with common credentials and fortunately using the combination of username admin and password password I got in successfully to a new dashboard
With this, I answered the next question
Answer: admin:password
Then I explored the tabs of the website, where in the Contact tab I found an email and a form for submission. Unfortunately, the form didn't work, so we went to the Order tab, which also had a form. After filling out that one and clicking on the Submit button, it worked, giving me a pop-up informing me that the request had been sent
With this and a little research, I answered the next questions
Answer: order
Answer: 1.0
Answer: XML External Entity
To retrieve more information about this section, I checked the source code, finding a comment from one of the developers with their name, possibly being a user of the system. So as I didn't find anything else interesting, I could use this information to modify the XML of the petition
With this, I answered the next question
Answer: Daniel
I tried making a test for a possible XXE Injection and it worked successfully, being able to retrieve the content of the /etc/hosts Windows file. With this and the previous information found, I tried accessing the Desktop folder for the user Daniel and reading the user.txt file, which usually contains the user flag, and it worked
So, I continued retrieving possible files that could help to gain access to the system as one of the users. Checking for configurations of the SSH protocol for Daniel, I found a file with the default name id_rsa, this being the private key for the user. So I used this to connect through SSH to the system as the Daniel user and it worked
Once inside I tried accessing a PowerShell and the system let me do it without any issue. Then I checked for the privileges of the user but didn't find anything relevant, so I continued exploring the system for a possible way to escalate privileges
Exploring the root folder C:\ I found a particular folder named Log-Management, which is not a standard system folder for Windows. So I accessed it and listed its content, finding a job.bat file; checking it, I saw it was a script that seemed to be a programmed task that was interacting with an executable named wevtutil.exe. Also, the script said that it could only be run with administrator permissions, letting us know it was being called with privileges
With this and the previously found user flag, I answered the next questions
Answer: job.bat
Answer: wevtutil.exe
Answer: 032d2fc8952a8c24e39c8f0ee9918ef7
Knowing this, I could modify the content to possibly execute arbitrary programs or commands. So I tried using this to gain a Reverse Shell using a Netcat executable, first downloading the corresponding file to our machine and importing it to the target machine
Then I set up a listener in my machine to receive the connection and passed the payload that executes Netcat into the job file. The PowerShell gave me an error, so I tried closing it and doing it from the CMD, this time working properly, and I checked that the content of the file had been modified successfully. Then I waited for the script to be executed by the system and, after a while, the listener caught the shell as the Administrator user
Finally, I went to the Desktop folder of the Administrator user, listing its content and noticing a root.txt file, which after reading it, gave me the root flag
With this, I got the root flag and pwned the machine
Answer: f574a3e7650cebd8c39784299cb570f8
I started doing an initial scan with
To learn more about the HTTP protocol you can go
So to check how the request was being sent, I used and to intercept the petition. I noticed a session cookie from PHP and, what caught my attention, the fact that the site was sending the information using XML
To learn more about XXE Injection you can go .
To learn more about the SSH protocol you can go
So I about the functioning of this program, understanding that it was being called through the job to erase the logs of the system every so often. With this, I could check if the service was still running on the system and which permissions it had, maybe letting us modify its content. So I checked, noticing it had full-control permissions for all the local users. Then I checked the current system processes and found the system was still using the program
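As an added defensive check (my own code, not part of this writeup or the lab), the following PowerShell enumerates scheduled tasks that launch a script file and reports any script that broad groups such as BUILTIN\Users can write to, which is the condition that made job.bat abusable here. It assumes the ScheduledTasks module is available (Windows 8 / Server 2012 and later) and the list of broad principals is illustrative.

```powershell
# Audit: scheduled tasks whose script file is writable by low-privileged groups.
# Added example, not from the original writeup. Run from an elevated PowerShell.

# Illustrative set of broad principals; extend it for your environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Bits that allow changing file content: WriteData (2), AppendData (4),
# plus GENERIC_WRITE / GENERIC_ALL as they appear in some inherited entries.
$WriteBits = 2 -bor 4 -bor 0x40000000 -bor 0x10000000
# Script paths inside the action's command line or its arguments.
$ScriptPattern = '(?i)[a-z]:\\[^\s"'']+\.(bat|cmd|ps1|vbs|js)'

function Get-WritableTaskScripts {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Non-exec actions have no Execute/Arguments; they yield an empty string.
            $text = "$($action.Execute) $($action.Arguments)"
            foreach ($m in [regex]::Matches($text, $ScriptPattern)) {
                $path = $m.Value
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $acl = Get-Acl -LiteralPath $path
                foreach ($ace in $acl.Access) {
                    $canWrite = ([int]$ace.FileSystemRights -band $WriteBits) -ne 0
                    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                        ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
                        # RunsAs/RunLevel show whether a tampered script would
                        # execute with elevated rights, as job.bat did.
                        [pscustomobject]@{
                            Task      = "$($task.TaskPath)$($task.TaskName)"
                            RunsAs    = $task.Principal.UserId
                            RunLevel  = $task.Principal.RunLevel
                            Script    = $path
                            Principal = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights
                        }
                    }
                }
            }
        }
    }
}

Get-WritableTaskScripts | Format-Table -AutoSize
```

Any row returned is a finding: either tighten the script's ACL so only administrators can modify it, or move the script under a protected directory and update the task.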
To learn the details about the abuse of .bat files for privilege escalation you can go