The RIT Security Club

RITSEC Spring 2019 CTF — Week 11

The eleventh week of RITSEC’s Spring 2019 CTF has concluded. Although the official challenge write-ups for the semester CTF will be posted on RITSEC’s GitHub for those interested, I have more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the author followed when solving the challenge. This is my effort to elaborate on the reasoning behind the process.

Topic: Red Team Windows

This week, participants were given a Windows Server 2016 virtual machine, each with an account corresponding to a challenge. Starting with no login information, users were required to enumerate, obtain credentials, log in, and escalate privileges from each user account to the next, eventually reaching the Administrator account and successfully “pwning” the box. Then, participants were challenged to act as the red team and learn how to create and install their own persistence mechanisms on Windows.

Easy 1: Sharing is caring! :)
ENUMERATE ENUMERATE ENUMERATE!

In order to do as the hint says and “enumerate”, connect both the challenge VM and another VM with nmap installed (I’ll be using Kali) to a NAT network so that they can communicate. Then, scan the local subnet with the following command to find the IP address the challenge VM has been assigned.

nmap first performs host discovery on the subnet to find which IP addresses are in use, then port-scans each host that responded. For me, the challenge VM was assigned the IP address 192.168.48.129.

The results of the above ‘nmap’ command

There are a few open ports available on the challenge VM. However, as this is an easy challenge and HTTP is open, that would be a good place to start. Visit the host in a web browser (for me, this would be http://192.168.48.129/).

The Windows Server IIS landing page

This page seems perfectly normal until the developer console is opened.

web.config files are a well-known way to accidentally leak exactly what this challenge is looking for: usernames and passwords. Try opening the file by browsing to http://<ip>/web.config.bak.txt. There are credentials at the bottom of the page, and someone set the password format to plaintext, although the value itself is Base64-encoded.

Using the ‘base64’ command to decode the password.

The username and password combination to be used for this challenge are therefore easy1 and reeetseeec. However, this didn’t give us the flag. Check some of the other ports that were listed as open above, such as SMB (Server Message Block, port 445). Connecting to an SMB share requires knowing the share’s name; fortunately, Metasploit has an SMB share enumerator!

In Kali, launch Metasploit by opening a terminal and typing msfconsole. This starts the Metasploit Framework Console. Use the SMB enumerator by typing

Set the options below and run the scan; note the IP address may still be different.


The scanner found one share — leavemehere, which probably contains the flag. Log in to the share with any method (this example uses Kali’s file browser). Select “Other locations” in Files and enter the URL of the share prefixed with smb://. For example:

Enter the username and password discovered above to log in.

The SMB share at smb://192.168.48.129/leavemehere

Open the file.

As expected, it is encoded in Base64. Decode the file using the method shown above to view the message.

The password to log in to the easy2 account is ServerMemesBab0. The flag is RS{Sh4r1ng_15_C4R1nG}.

Easy 2: This Jr. Tech Lead thinks that he can deploy Windows images automatically, but he isn’t even attending the RITSEC meeting!
Find sensitive information and pwn him.

Now using the challenge VM directly, log in to the easy2 account. Use the password discovered previously when enumerating the IIS and SMB server, ServerMemesBab0.

“Deploying Windows images automatically” — also known as unattended installation — is a popular method for system administrators to quickly install Windows on large quantities of devices with only a network connection. To ensure no input from a user is needed during installation, an unattend.xml file is typically created and placed in the directory C:\Windows\Panther.

The unattend.xml file usually also contains a variety of configuration options to automate the out-of-box experience (OOBE), such as entering the product key, selecting the language and keyboard layout, and creating usernames and passwords. If the Jr Tech Lead did not obfuscate the password when placing it in the file (placing it in plaintext), finding the password and flag should be trivial.

Open the file C:\Windows\Panther\unattend.xml. Scrolling down, the following XML is seen:

The password to log in to the medium1 account is Qu0teEndQu0te. By decoding the Base64 above, the flag is RS{4tt3nD_Y0_C145535}.
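As an added example that is not part of the original write-up, the following Python script audits an answer file for the two ways a password can appear: left in plaintext, or in the Base64 form Windows System Image Manager writes, which is the UTF-16LE password with the word "Password" appended. The unattend.xml fragment it scans is constructed for this example; the account name and passwords in it are invented, not the values from the challenge VM.

```python
import base64
import xml.etree.ElementTree as ET

def encode_unattend_password(password):
    """Form written when <PlainText> is false: Base64 of the UTF-16LE password
    with the literal word "Password" appended (Windows System Image Manager)."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode()

def decode_unattend_password(value, plain_text):
    """Recover the password from a <Password> element's <Value> text."""
    if plain_text:
        return value
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[:-len("Password")] if raw.endswith("Password") else raw

def _local(tag):  # drop the {urn:schemas-microsoft-com:unattend} namespace prefix
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_unattend_credentials(xml_text):
    """(owning element, username, password) for every credential in the answer
    file, whether it was left in plaintext or Base64-encoded as above."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "Password" or not _child_text(elem, "Value"):
            continue
        plain = (_child_text(elem, "PlainText") or "false").lower() == "true"
        owner = parents[elem]
        user = _child_text(owner, "Name") or _child_text(owner, "Username") or "?"
        password = decode_unattend_password(_child_text(elem, "Value"), plain)
        findings.append((_local(owner.tag), user, password))
    return findings

# Constructed answer-file fragment: the account name and both passwords are
# invented for this example, not the values from the challenge VM.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><LocalAccounts><LocalAccount><Name>deploy</Name>
      <Password><Value>{encode_unattend_password('Passw0rd')}</Value><PlainText>false</PlainText></Password>
    </LocalAccount></LocalAccounts></UserAccounts>
    <AutoLogon><Username>deploy</Username>
      <Password><Value>Aut0logon!</Value><PlainText>true</PlainText></Password>
    </AutoLogon></component></settings></unattend>"""
```

Running find_unattend_credentials over a real C:\Windows\Panther\unattend.xml reports both the "hidden" and the plaintext entries, which is the check a defender wants before an image is deployed.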

Medium 1: Always wrap around your strings with something, under some circumstances.

Log in to the medium1 account. Use the password found in the unattend configuration in the previous challenge, Qu0teEndQu0te.

The hint and the password for the account both indicate that this challenge will involve an unquoted service path vulnerability. It stems from how the CreateProcess function, which the Service Control Manager uses to start services on Windows, interprets a command line that contains spaces but no quotes.

Essentially, if a service were to have a path such as the following:

the registry entry to start the service must be formatted as:

or CreateProcess will treat each space as a possible end of the executable name, trying the shortest candidate first and passing whatever follows it as arguments. In this example, any of the following could be executed, if they exist:

  • C:\Program.exe with arguments Files\Example and Service
  • C:\Program Files\Example.exe with argument Service
  • C:\Program Files\Example Service.exe with no arguments

If the intended operation is to start C:\Program Files\Example Service.exe with no arguments (which is typical), but a malicious actor has write access to any of the previous directories and can place an executable at either C:\Program.exe or C:\Program Files\Example.exe, CreateProcess will execute it with the privileges of the owner of the service. If the owner is SYSTEM and the executable happens to be a reverse shell, the user now has complete unrestricted access to the box.

Are there any services running on the challenge machine that have this vulnerability? Services are defined in the registry at HKLM\SYSTEM\CurrentControlSet\Services, and if this vulnerability exists it would be an unquoted path with spaces in the ImagePath value of a key. Check for such a case by running the following command on the challenge machine:

Results of the above command

Yes! The service Automated Panther is vulnerable, and its location is C:\Program Files\Windows Panther\Automated Installation\2019 April. The corresponding registry entry is therefore at HKLM\SYSTEM\CurrentControlSet\Services\Automated Panther. The ObjectName (the account the service runs as) is medium2. Therefore, if a reverse shell can be placed anywhere in the path prior to go.exe, it will be executed with the permissions of that user.

The vulnerable service at the registry location listed above. Note the lack of quotes around the ImagePath data.

However, since the current user medium1 doesn’t have administrative privileges on this box, one of the following directories will need to be writable with the privileges of the account:

  • C:\
  • C:\Program Files
  • C:\Program Files\Windows Panther
  • C:\Program Files\Windows Panther\Automated Installation
  • C:\Program Files\Windows Panther\Automated Installation\2019 April

Rather than manually checking each of these paths by writing to them, use the command icacls <path>, which displays the DACL of a file or folder. Run the command with each path above and check for an entry granting standard users write access (BUILTIN\Users:(W)) on any of the folders; note that (M) modify and (F) full control also include write, while an entry marked (IO) is inherit-only and applies to child objects rather than the folder itself.
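The following Python is an added example, not from the original write-up or the challenge: it reproduces the CreateProcess candidate order for an unquoted ImagePath, derives the folders an auditor must check (the same five listed above for Automated Panther), and parses icacls output for entries that actually let a standard user create a file in the folder. The ImagePath and icacls samples are constructed, and the (IO) handling covers the inherit-only case a plain search for BUILTIN\Users:(W) would misread.

```python
import re

# Constructed ImagePath values: the vulnerable one mirrors the Automated
# Panther service in this write-up; the quoted one is the safe form.
VULN_PATH = r"C:\Program Files\Windows Panther\Automated Installation\2019 April\go.exe"
QUOTED_PATH = r'"C:\Program Files\Example Service\svc.exe" -config "a b.cfg"'
# Constructed icacls output: the writable folder from the write-up, then a
# stock-style C:\ root where Users only get inherit-only (IO) write rights.
WEAK_ACL = r"""C:\Program Files\Windows Panther BUILTIN\Administrators:(OI)(CI)(F)
                                 BUILTIN\Users:(OI)(CI)(W)"""
ROOT_ACL = r"""C:\ BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(AD)
    BUILTIN\Users:(CI)(IO)(WD)"""

def createprocess_candidates(image_path):
    """(executable, arguments) pairs CreateProcess tries in order: every space
    may end the name and .exe is appended. More than one means ambiguity."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                    # quoted: the executable name is unambiguous
    parts, candidates = path.split(" "), []
    for i in range(1, len(parts) + 1):
        exe = " ".join(parts[:i])
        exe = exe if exe.lower().endswith(".exe") else exe + ".exe"
        candidates.append((exe, " ".join(parts[i:])))
        if parts[i - 1].lower().endswith(".exe"):
            break                    # reached the intended executable
    return candidates

def dirs_to_audit(candidates):
    """Folders where a planted file would shadow the real executable; check
    each with icacls for write access by standard users."""
    dirs = []
    for exe, _ in candidates:
        folder = exe.rsplit("\\", 1)[0]
        folder = folder + "\\" if folder.endswith(":") else folder
        if folder not in dirs:
            dirs.append(folder)
    return dirs

def icacls_allows_user_write(icacls_output):
    """True if standard users may create files in the folder itself: (W), (M),
    (F) or specific right WD, ignoring inherit-only (IO) ACEs."""
    who = r"(?:BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)"
    for line in icacls_output.splitlines():
        m = re.search(who + r":((?:\([A-Z,]+\))+)", line)
        tokens = {t for g in re.findall(r"\(([A-Z,]+)\)", m.group(1)) for t in g.split(",")} if m else set()
        if "IO" not in tokens and tokens & {"W", "M", "F", "WD"}:
            return True
    return False
```

Feeding the ImagePath of every service into createprocess_candidates and the result into dirs_to_audit gives the full list of folders to run icacls against on a host.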

The security descriptors of "C:\Program Files\Windows Panther"

Per the above screenshot, C:\Program Files\Windows Panther can be written to. This will be the directory to place the malicious program. There are many ways to create such a program, but this example will use msfvenom, a part of Metasploit on Kali. Run the following command to create a reverse shell:

The IP address and port number will need to be adjusted to the local IP address of the machine the reverse shell will call back to (in this case, the Kali box) and to a port that is free on that machine (any available port works, provided the listener created later listens on the same one).

The reverse shell Automated.exe

A Windows-executable reverse shell is created, Automated.exe. The program is named Automated so that C:\Program Files\Windows Panther\Automated.exe is tried before the intended C:\Program Files\Windows Panther\Automated Installation\2019 April\go.exe and is therefore executed. Transfer this file to the challenge machine and place it in the C:\Program Files\Windows Panther directory.

Contents of the directory C:\Program Files\Windows Panther

Now create the listener on the Kali VM with the following command. This will listen for a connection coming from the challenge VM once Automated.exe is executed, and will give a shell.

The running listener

Finally, all that is necessary is to restart the service Automated Panther. As unprivileged users such as the current user medium1 can’t stop and start services, the challenge VM will need to be restarted. Upon restart, the listener will have received a connection if configured properly, and a shell will be available.


Check the user with the whoami command. It should return medium2 instead of medium1. Now, search for the flag.


There is an interesting file on the user medium2’s desktop, lovesociety.txt. Open the file.

Decode the Base64.

The password to log in to the medium2 account is AutomatedGoo. The flag is RS{J4G0_Sh1P_D4}.

Medium 2: “ … more [service] … then you think.”
Solve Medium 1 first.

Log in to the medium2 account. Use the password found in the previous challenge, AutomatedGoo. Strangely, this challenge is exactly the same as the previous challenge, but with a different path. Run the same command to identify vulnerable services and C:\Users\medium2\Desktop\gogo.exe also appears.

Results of the previous ‘wmic’ command to identify services vulnerable to privilege escalation.

This time, the executable named in the service’s ImagePath simply does not exist. Since the path is on the desktop of medium2, no special access is needed. Simply reuse the file generated for the previous challenge (make sure to remove it from the Automated Panther directory first so it runs from the right location!) and rename it gogo.exe. Place the file on the desktop of the medium2 user and restart the challenge VM.

The listener used in the previous challenge. Note the permission change to SYSTEM.

SYSTEM access has been obtained on the box! Check the user root’s directory for the flag. It is found at C:/users/root/Desktop/meeeeeedium2flaggggg.txt.

Decode the Base64.

sorry Im just so tired medium2 flag = RS{3l3v4t0r5_r_c001}

Ah, that would explain the duplicated challenge. The stress of this time of the semester indeed gets to everyone. The flag is RS{3l3v4t0r5_r_c001}.

Hard: Install 5 different methods of persistence on Windows 10!
Signoff-based: Show your solution to the Tech Lead.

You must include the following persistence mechanisms:

  • Autorun
  • Registry persistence
  • Sticky Keys backdoor
  • Two of your choice

Autorun — Obfuscated PowerShell Script

This script, generated with Empire, downloads the BeeLogger keylogger. Later, the script was also hidden from the Sysinternals Autoruns with the same tool.

The script and the entry in Sysinternals Autoruns

Registry Persistence — Debug key

This key was also generated with Empire. NorkNork, a Python script, was used to detect the persistence.


Sticky Keys backdoor

Using an Accessibility Panel backdoor was a previous challenge. Simply copy the Command Prompt (C:\Windows\system32\cmd.exe) and rename it to the utility for opening the panel, C:\Windows\system32\sethc.exe. Most modern antimalware will detect this action.

Sticky Keys backdoor giving SYSTEM level access to the box

Empire script

Elevate permissions from a normal user to SYSTEM upon logging in.

Two Empire processes

Elevating an Empire process to SYSTEM permissions

Keylogger — BeeLogger

BeeLogger is a simple Windows keylogger that also supports logging via email.

BeeLogger forwarding logs from Windows Server to Kali Linux

Conclusion

Although it sometimes isn’t realized, red teaming is a very active and important market outside of security competitions. Many companies such as Facebook, Google and even Busch have internal red teams and penetration testers that specifically attack their own infrastructure to find vulnerabilities before malicious actors do. Some, such as IBM, contract this service to other companies as well. One of the most difficult industry certifications, the Offensive Security Certified Professional, is focused on penetration testing.

For more resources, RIT has several classes dedicated to both sides of the game such as CSEC-470 Covert Communications, CSEC-471 Penetration Testing Frameworks and Methodologies, and CSEC-466/476 Introduction to Malware/Malware Reverse Engineering.

There will be 4 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-1400 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
