MedJed
Last updated
Last updated
Source: Proving Grounds OS: Windows Community Rating: Hard
I started off with the usual autorecon. The open ports were: 135, 139, 445, 3306, 5040, 8000, 30021, HTTP (33033), 44330, HTTP (45332), HTTP (45443), 49664 -> 49669
I began with port 33033, which displayed a simple web application with a login page. I attempted SQL injection to bypass the login but that didn't work.
There was also a forgot password page where the user had to type their username, a reminder (a sort of secret word), and then the new password. I tried SQL injection there as well with no success.
The main page featured a list of users so I tried a few basic credential combinations (using the username as the password, etc.), but none of them worked out.
One trick I often use in these environments is to deliberately cause an error to see if debugging is on and if information is exposed. For example, I requested a non-existent resource: http://192.168.194.127:33033/aaaThat revealed the fact that the application was built on Rails and even showed a list of endpoints, but nothing more. I was stuck for a bit, so I moved on to the other ports.
I checked ports 45332 and 45443 next. They were basic dummy applications with a simple test, but the fuzzers exposed a phpinfo page. That helped me determine the document root for later shell uploads, though nothing else of value was found there.
I went back to the first HTTP service (33033) since it had the login and forgot password features, but again, nothing worked. I focused mainly on the user with the cat profile picture because it stands out and because based on the username, it is the "devops" engineer, "jerren.devops".
Since I was stuck, I started looking for hints and that's when a note in the team profile came in handy. The cat devops engineer’s profile contained the text: "Only the paranoid survive." It turned out the reminder was simply "paranoid". Funny CTF style. I really hope I don’t end up with such a thing in an OffSec test if I ever take one.
Now that I had the reminder, I changed the user’s password and logged in. There was an edit profile function with a "Request Profile SLUG (experimental)" feature that appeared to run SQL queries. It turned out to be vulnerable to SQL injection.
The query looked like:
sql = "SELECT username FROM users WHERE username = '" + params[:URL].to_s + "'"
Remembering the phpinfo page from the other HTTP service (which revealed the document root), I uploaded a simple web shell using the query:'UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/shell.php'-- '
After that, using the shell, I uploaded a reverse shell. Finally, I gained initial access!
I began with the usual checks (whoami /priv) and checking the folders.
On the C drive, I found an FTP directory, but it contained nothing useful. However, I also discovered an installed application called "bd" (BarracudaDrive).
I searched for known exploits for this software and found one with EBD ID: 48789 (no CVE ID). Essentially, it we have access over bd.exe, meaning we could replace it with any executable. In the provided PoC, they created a new user and added that user to the administrator group. I simply uploaded a reverse shell instead.
I replaced the bd.exe file with my reverse shell and then restarted the machine using:
After starting the listener and waiting for the machine to restart, I got a SYSTEM shell.
A subtle hint (like a note in a user’s profile) can lead to critical credentials if you think to try it.
SQL injection in non-traditional fields, such as profile editing functions, can be a used to get web shells.
When a service binary is replaceable (like bd.exe), swapping it with a reverse shell executable is an effective escalation method.
