Visual

Gaining Access

$ nmap -p- --min-rate 3000 10.129.63.153
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-01 21:35 +08
Nmap scan report for 10.129.63.153
Host is up (0.0084s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 43.87 seconds

There's only one HTTP port open, so I can start proxying requests with Burp. I did a detailed scan as well:

$ nmap -p 80 -sC -sV --min-rate 4000 10.129.63.153
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-01 21:48 +08
Nmap scan report for 10.129.63.153
Host is up (0.0066s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-title: Visual - Revolutionizing Visual Studio Builds

I added visual.htb to the /etc/hosts file as per standard practice.

Web Enumeration -> PreBuild RCE

As expected from the name of the box, this website was Visual Studio themed.

The site says that we have to supply a Git repo containing a .sln file for compilation. The page accepts Git repo URLs:

This looks vulnerable to SSRF, so let's test it by making the machine send a request to our server. This is what an HTTP server would receive:

So we need to create a .git repository with a malicious Visual Studio project.

The machine explicitly states that .NET 6.0 is supported, and that it only compiles the binary. There's no mention anywhere that it will execute it. As such, there's probably a method within VS projects that can make the machine compile, then execute the binary immediately.

When researching methods, I came across this, which allows us to execute .exe files:

The above allows us to specify commands to be executed before building the project. I tested this by creating a .sln project using dotnet new sln -o rev. Afterwards, I used git init to make it a repository.
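An added example, not from the original writeup and not a tool used on the box: a Python check that a build service could run over a submitted .csproj before handing it to MSBuild, flagging the pre-/post-build events and Exec tasks described above. The two project files are constructed samples; Directory.Build.props/.targets files, which MSBuild imports implicitly, would need the same scan.

```python
import xml.etree.ElementTree as ET

# Properties through which a project file can run commands at build time.
BUILD_EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}

def _local(tag):
    # Strip a namespace prefix such as "{http://schemas.microsoft.com/developer/msbuild/2003}Target".
    return tag.rsplit("}", 1)[-1]

def scan_csproj(xml_text):
    """Return one finding per place the project can execute a command during a build.
    Each finding is {"kind", "where", "command"}; "import" findings are informational."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_PROPERTIES:
            findings.append({"kind": "build-event", "where": name,
                             "command": (elem.text or "").strip()})
        elif name == "Target":
            # Visual Studio writes pre-build events as <Target BeforeTargets="PreBuildEvent"><Exec .../>.
            for child in elem:
                if _local(child.tag) == "Exec":
                    findings.append({"kind": "exec-task", "where": elem.attrib.get("Name", "?"),
                                     "command": child.attrib.get("Command", "")})
        elif name == "Import":
            # Imported .props/.targets files can carry their own Exec tasks; scan those files too.
            findings.append({"kind": "import", "where": elem.attrib.get("Project", ""), "command": ""})
    return findings

def is_safe_to_build(xml_text):
    """True only if no build-time command execution was found (imports still need manual review)."""
    return all(f["kind"] == "import" for f in scan_csproj(xml_text))

# Constructed sample: the shape Visual Studio emits for a pre-build event (benign command).
UNTRUSTED_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="echo pre-build" />
  </Target>
</Project>"""

# Constructed sample: a plain net6.0 console project with no build events.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for f in scan_csproj(UNTRUSTED_CSPROJ):
        print(f"{f['kind']:12} {f['where']:12} {f['command']}")
```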

This was my .csproj file:

This file can be added using dotnet sln add test.csproj; then add these files to the .git repo:

Afterwards, I used http://<MY_IP>/.git to attempt to compile the project. Weirdly, I kept getting either a 404 for /info/refs?service=git-upload-pack or the machine complaining that a .sln file doesn't exist.

Googling this error shows that this is a permissions issue. Running git --bare update-server-info within the .git folder will solve both issues. This is because we are trying to access this repository over HTTP, which isn't allowed by default.

If done correctly, we would get a ton of GET requests from the machine, and compilation would also take quite a while.

Eventually, we would get a shell as enox:

Privilege Escalation

This user didn't have many privileges, but they were part of the SERVICE group, which we might need to use later.

WebShell -> Service User

When checking the C:\xampp\htdocs directory, we find that we have permissions to write there:

I downloaded a cmd.php shell there (since the website was in PHP), and from it we can get RCE as another user:

Getting a reverse shell can be done by downloading nc.exe onto the machine and running it.

FullPowers + GodPotato -> Root

LOCAL SERVICE did not have its normal full privileges:

This is where FullPowers.exe comes into play.

Running it gives us another cmd.exe shell with more privileges, most notably SeImpersonatePrivilege.

From here, we can use godpotato.exe to run commands as the administrator.

Then, we can just get another reverse shell using nc.exe again.

Rooted!
