Nmap Results
# Nmap 7.94SVN scan initiated Wed Jun 19 17:33:15 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.2.84
Nmap scan report for cyberlens.thm (10.10.2.84)
Host is up (0.075s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-06-18T21:30:11
|_Not valid after: 2024-12-18T21:30:11
| rdp-ntlm-info:
| Target_Name: CYBERLENS
| NetBIOS_Domain_Name: CYBERLENS
| NetBIOS_Computer_Name: CYBERLENS
| DNS_Domain_Name: CyberLens
| DNS_Computer_Name: CyberLens
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-19T21:34:46+00:00
|_ssl-date: 2024-06-19T21:34:54+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
61777/tcp open http Jetty 8.y.z-SNAPSHOT
|_http-title: Site doesn't have a title (text/plain).
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
| http-methods:
|_ Potentially risky methods: PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-06-19T21:34:47
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 19 17:34:54 2024 -- 1 IP address (1 host up) scanned in 98.53 seconds
Service Enumeration
TCP/139,445
TCP/80
Happy Path Testing
Right now, we know nothing about the web site. We're just going to click through and inspect things to better understand what the web site does. We're just inputting expected values, nothing malicious. Again, just trying to understand the application.
Initial observations after interacting with the application:
- The /contact.html page has a form that does nothing
- The search bar does nothing
- The /about.html page (CYBERLENS IMAGE EXTRACTOR) has an input field that takes any file and attempts to parse the file's metadata
- It uses specific file parsers depending on the file's content type
- When you submit the file, it makes a couple of HTTP requests to http://cyberlens.thm:61777/meta:
  - An HTTP OPTIONS request, to which the server responds with the allowed methods
  - An HTTP PUT request with the raw file contents as Content-Type: application/octet-stream, i.e. a raw byte stream to the server, after which the application reassembles the bytes and analyzes the file locally
Unhappy Path Testing
The interesting part of the application is the HTTP PUT call to http://cyberlens.thm:61777/meta. We should just be able to make requests directly to the server using curl.
Testing the File Upload
Probing the Server for More Information
This looks promising: if we put together all the information we have found so far, we should be able to make an HTTP request to the server, set a header that looks like "X-Tika-OCRTesseractPath: <some command>", and have that command inserted into the cmd string and executed. The only problem is that "config.getTesseractPath()" is prepended to another string we cannot control, "getTesseractProg()", which ends up being the static string "tesseract.exe". To get around this we can wrap the command we want to execute in double quotes; Windows will ignore whatever is appended after the closing quote and just execute our injected command.
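As an added, defender-side example (this is not code from the writeup, from Rhino Security Labs, or from Apache Tika): the checks below show what the server should have done with the two request-controlled values this section relies on, the X-Tika-OCRTesseractPath header and the declared Content-Type, and then run them over a constructed request log to flag the pattern. The allowlisted directories, the JSON log format and the client addresses 10.10.14.5 and 10.10.3.7 are assumptions made for the example.

```python
"""
Added example (not from the writeup or from Apache Tika): validate the
X-Tika-OCRTesseractPath header against an allowlist, check the declared
Content-Type against the file's magic bytes, and scan a constructed
request log for requests that fail either check.
"""
import json
from pathlib import PureWindowsPath

TIKA_OCR_PATH_HEADER = "x-tika-ocrtesseractpath"

# Directories tesseract may be launched from (assumption for this example).
ALLOWED_TESSERACT_DIRS = (
    r"C:\Program Files\Tesseract-OCR",
    r"C:\Program Files (x86)\Tesseract-OCR",
)

# Quoting and cmd metacharacters: none belong in a path glued into a command line.
FORBIDDEN_CHARS = set('"\'&|;<>^%`\r\n\x00')

# Magic bytes for the image types the writeup mentions (jpg, jp2) plus png.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jp2": (b"\x00\x00\x00\x0cjP  \r\n\x87\n",),
}


def is_safe_tesseract_path(value: str) -> bool:
    """Accept only a drive-absolute directory under the allowlist, with no
    '..' components, quotes or metacharacters. The vulnerable server simply
    prepended this value to 'tesseract.exe'; an allowlist removes the
    client's control over which binary runs."""
    if not value or any(ch in FORBIDDEN_CHARS for ch in value):
        return False
    p = PureWindowsPath(value)
    if not p.drive or not p.root or ".." in p.parts:
        return False
    norm = str(p).lower()  # pathlib drops a trailing separator for us
    return any(norm == d.lower() or norm.startswith(d.lower() + "\\")
               for d in ALLOWED_TESSERACT_DIRS)


def sniff_image_type(data: bytes):
    """Return the media type implied by the leading bytes, or None."""
    for mtype, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mtype
    return None


def content_type_matches(declared: str, data: bytes) -> bool:
    """A declared image/* type must agree with the sniffed magic bytes;
    trusting the header alone is what the image/jp2 trick relies on."""
    declared = declared.split(";")[0].strip().lower()
    if not declared.startswith("image/"):
        return True  # non-image uploads are outside this check
    return sniff_image_type(data) == declared


def scan_request_log(lines):
    """One finding per request that fails either check. Each log line is a
    JSON object; 'body_prefix' holds the first upload bytes as hex."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole scan
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        reasons = []
        ocr_path = headers.get(TIKA_OCR_PATH_HEADER)
        if ocr_path is not None and not is_safe_tesseract_path(ocr_path):
            reasons.append("OCR path header outside allowlist or contains quoting")
        declared = headers.get("content-type", "")
        body = bytes.fromhex(rec.get("body_prefix", ""))
        if declared and not content_type_matches(declared, body):
            reasons.append("declared Content-Type disagrees with magic bytes")
        if reasons:
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "method": rec.get("method"), "path": rec.get("path"),
                             "reasons": reasons})
    return findings


# Constructed sample log (not captured from the target); the third record
# carries the quote-wrapped path pattern described in the writeup.
SAMPLE_REQUEST_LOG = [json.dumps(r) for r in (
    {"ts": "2024-06-19T21:40:01Z", "src": "10.10.14.5", "method": "OPTIONS",
     "path": "/meta", "headers": {}, "body_prefix": ""},
    {"ts": "2024-06-19T21:40:02Z", "src": "10.10.14.5", "method": "PUT",
     "path": "/meta", "headers": {"Content-Type": "application/octet-stream"},
     "body_prefix": "255044462d"},   # %PDF-
    {"ts": "2024-06-19T21:41:15Z", "src": "10.10.14.5", "method": "PUT",
     "path": "/meta",
     "headers": {"Content-Type": "image/jp2",
                 "X-Tika-OCRTesseractPath": '"C:\\Windows\\System32\\cscript.exe"'},
     "body_prefix": "ffd8ffe0"},     # JPEG bytes declared as jp2
    {"ts": "2024-06-19T21:42:00Z", "src": "10.10.3.7", "method": "PUT",
     "path": "/meta",
     "headers": {"Content-Type": "image/png",
                 "X-Tika-OCRTesseractPath": "C:\\Program Files\\Tesseract-OCR\\"},
     "body_prefix": "89504e470d0a1a0a"},
)]

if __name__ == "__main__":
    for finding in scan_request_log(SAMPLE_REQUEST_LOG):
        print(json.dumps(finding))
```

The design point is the allowlist: the original code builds a command line from the header value, so the fix is to stop accepting arbitrary paths rather than to try to strip quotes, and the Content-Type check shows why a parser should decide on the bytes it received rather than on what the client declared.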
- Tika 1.17 is vulnerable to command injection via the HTTP header X-Tika-OCRTesseractPath
- The Java server does not sanitize input in this HTTP header, which defaults to tesseract.exe. However, as the author mentions, wrapping the payload in \"\" (escaped double quotes) causes Windows to parse the executable of our choosing
- This works fine for executing single binaries, but we need a way to send process arguments along with the target binary
- As the author points out, there are a few places we can control with specific inputs
💡 OCR is a technology for analyzing text data in image files, so we'll need to upload an image file in addition to using the OCR-specific HTTP headers. As the author notes, we can use Content-Type: image/jp2 to bypass checks for jpg magic bytes.
Effectively, cscript.exe becomes the OCR processing tool instead of tesseract.exe, and //E:Jscript is passed as an argument to cscript.exe, which tells cscript.exe to read the .tmp file as a VBScript or Jscript file.
Exploit
ℹ️ I tried for a good bit to use curl and PowerShell to mimic the exact payload being sent by the python script. I even sent the python request through Burp, as well as curl and PowerShell. And despite the requests being completely identical, it seems there is something magical about the python-requests module that curl and PowerShell cannot match.
Testing the Exploit
wget https://raw.githubusercontent.com/RhinoSecurityLabs/CVEs/master/CVE-2018-1335/CVE-2018-1335.py -O pwn.py
Reverse Shell
ℹ️ The issue is likely me being impatient, but I had to run the exploit a few times in succession before the connection would establish.
Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: CYBERLENS
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00430-00000-00000-AA344
Original Install Date: 3/17/2021, 2:59:06 PM
System Boot Time: 6/19/2024, 9:29:24 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version: Xen 4.11.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 4,096 MB
Available Physical Memory: 2,941 MB
Virtual Memory: Max Size: 4,800 MB
Virtual Memory: Available: 3,329 MB
Virtual Memory: In Use: 1,471 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CYBERLENS
Hotfix(s): 27 Hotfix(s) Installed.
[01]: KB4601555
[02]: KB4470502
[03]: KB4470788
[04]: KB4480056
[05]: KB4486153
[06]: KB4493510
[07]: KB4499728
[08]: KB4504369
[09]: KB4512577
[10]: KB4512937
[11]: KB4521862
[12]: KB4523204
[13]: KB4535680
[14]: KB4539571
[15]: KB4549947
[16]: KB4558997
[17]: KB4562562
[18]: KB4566424
[19]: KB4570332
[20]: KB4577586
[21]: KB4577667
[22]: KB4587735
[23]: KB4589208
[24]: KB4598480
[25]: KB4601393
[26]: KB5000859
[27]: KB5001568
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet
DHCP Enabled: Yes
DHCP Server: 10.10.0.1
IP address(es)
[01]: 10.10.2.84
[02]: fe80::c0dd:89a1:c4a5:7941
Current User
User name CyberLens
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/6/2023 7:10:41 PM
Password expires Never
Password changeable 6/6/2023 7:10:41 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/19/2024 9:30:26 PM
Logon hours allowed All
Local Group Memberships *Remote Desktop Users *Users
Global Group memberships *None
USER INFORMATION
----------------
User Name SID
=================== ============================================
cyberlens\cyberlens S-1-5-21-1966530601-3185510712-10604624-1008
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
User accounts for \\CYBERLENS
-------------------------------------------------------------------------------
Administrator CyberLens DefaultAccount
Guest WDAGUtilityAccount
Local Groups
Aliases for \\CYBERLENS
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
Network Configurations
Network Interfaces
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : eu-west-1.compute.internal
Link-local IPv6 Address . . . . . : fe80::c0dd:89a1:c4a5:7941%5
IPv4 Address. . . . . . . . . . . : 10.10.2.84
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.0.1
Processes and Services
Interesting Processes
Name : java.exe
Owner : CYBERLENS\CyberLens
CommandLine : "C:\Program Files\Eclipse Adoptium\jdk-17.0.7.7-hotspot\bin\java.exe" -cp
"C:\Apache-Tika\tika-server-1.17.jar;C:\Apache-Tika\jakarta.xml.bind-api-2.3.2.jar"
org.apache.tika.server.TikaServerCli --cors=* --host 0.0.0.0 --port=61777
Interesting Files
C:\Users\CyberLens\Documents\Management\CyberLens-Management.txt
CyberLens
HackSmarter123
Privilege Escalation
RDP as CyberLens
During the post-exploit enumeration phase, I was hunting around for interesting files and ran this PowerShell command, which revealed the file logged above:
AlwaysInstallElevated
⛔ You cannot install .msi files over the RDP session, due to the way the system security policies are configured, so we'll have to do this part back in our reverse shell.
Flags
User
THM{T1k4-CV3-f0r-7h3-w1n}
Root
THM{3lev@t3D-4-pr1v35c!}