CTF-Writeups/Vulnlab/Lock.md
2024-07-01 22:41:54 +03:00

Vulnlab - Lock

PORT     STATE SERVICE       VERSION               
80/tcp   open  http          Microsoft IIS httpd 10.0
445/tcp  open  microsoft-ds?
3000/tcp open  ppp?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

PORT 80

The webserver hosts a template page with only an About section and nothing else.

PORT 3000

On this port a Gitea instance is hosted, with a repository named dev-scripts.

This repo contains a Python script that lists all of a user's repositories using their PAT (Personal Access Token).

Enumerating repositories

Checking the commit history, we find a Gitea token.

Copying the script to your local machine and running it with the token from the commit history, it shows another repo named website.

Using the PAT we can clone this repo
git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.109.226:3000/ellen.freeman/website.git
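The leak exploited above (a PAT committed to dev-scripts and only visible in history) is exactly what a pre-push secret scan should catch. The following is an added example, not code from the original writeup or the dev-scripts repo: it walks `git log -p` output and flags 40-hex values next to a credential-like keyword, including lines deleted from HEAD in a later commit. The `scan_repo` helper and the sample log are assumptions constructed here.

```python
import re
import subprocess
from typing import List, Tuple

# Gitea access tokens are 40 hex characters, like the one recovered above.
TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")
# Require a credential-ish keyword on the line so ordinary git SHAs in a diff are skipped.
CONTEXT_RE = re.compile(r"(?i)token|pat\b|authorization|password|secret")

def scan_git_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (commit, line) pairs for added lines in `git log -p` output that
    carry a token. Every commit is checked, so a token later deleted from HEAD
    is still reported at the commit that introduced it."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):
            body = line[1:]
            if TOKEN_RE.search(body) and CONTEXT_RE.search(body):
                findings.append((commit, body.strip()))
    return findings

def scan_repo(path: str) -> List[Tuple[str, str]]:
    """Hypothetical helper: run git in a local checkout and scan all branches."""
    out = subprocess.run(["git", "-C", path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_git_log(out)

# Constructed sample log: the newest commit replaces a hard-coded PAT with an
# environment lookup; the older commit is where the PAT was first committed.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
    switch to env var
--- a/repos.py
+++ b/repos.py
-GITEA_TOKEN = "43ce39bb0bd6bc489284f2905f033ca467a6362f"
+GITEA_TOKEN = os.environ["GITEA_TOKEN"]
commit 2222222222222222222222222222222222222222
    list repos
--- /dev/null
+++ b/repos.py
+GITEA_TOKEN = "43ce39bb0bd6bc489284f2905f033ca467a6362f"
+headers = {"Authorization": f"token {GITEA_TOKEN}"}
"""

if __name__ == "__main__":
    for commit, text in scan_git_log(SAMPLE_LOG):
        print(f"{commit[:8]}: {text}")
```

Because the older commit is scanned too, the token is reported even though the current HEAD of the sample no longer contains it.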

Uploading webshell

The readme.md in the repo says that any change pushed to this repo is deployed to the webserver, so let's verify that by creating a simple HTML file.

Add the created HTML file with git add, set the username and email with git config --global, then commit and push:

git add uwu.html 
git config --global user.name "ellen.freeman"
git config --global user.email "ellen.freeman"
git commit -m "uwu"
git push

This file is now deployed on the webserver.

Since IIS is the webserver (from the nmap scan), we can upload an ASPX web shell: https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx

Transferring nc and getting a shell

Under the Documents directory we find config.xml, which contains an encrypted password for mRemoteNG.

Use this script to decrypt the password: https://github.com/gquere/mRemoteNG_password_decrypt/blob/master/mremoteng_decrypt.py

With these credentials we can log in as `gale.dakarios` through RDP; after logging in we see a `PDF24` launcher on the desktop.

Escalating privileges through PDF24

Checking the version, it appears to be 11.15.1, which is vulnerable to local privilege escalation.

The vulnerability lies in the repair process of PDF24: the repair launches pdf24-PrinterInstall.exe, which runs with SYSTEM privileges and has write access to faxPrnInst.log. With SetOpLock we can place an oplock on that file so pdf24-PrinterInstall.exe blocks and its window stays open, at which point we can perform the actions listed in the article:

  • right click on the top bar of the cmd window
  • click on properties
  • under options click on the "Legacyconsolemode" link
  • open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)
  • in the opened browser window press the key combination CTRL+o
  • type cmd.exe in the top bar and press Enter

On the C: drive there is a hidden directory _install containing the PDF24 MSI file.

Before running it, make sure you have SetOpLock from https://github.com/googleprojectzero/symboliclink-testing-tools

Now execute the installer with msiexec.

After some time we get a cmd window for pdf24-PrinterInstall.exe.

Open the properties of this window and click the Legacy console mode link to open it with Firefox.

Use Ctrl+O to open a file dialog and type cmd.exe in the address bar to spawn a shell as SYSTEM, because this whole process is running in that user's context.

References