Visual
IP of Kali machine: 10.10.15.101
Directory fuzzing reveals only an uploads directory:
Try submitting a Git project to test the web app:
After submitting the Git link, we are redirected to a URL with this pattern: http://visual.htb/uploads/ae27098c16b9bddc8abd36eb1c64cc/
PHP 8.1.17
Apache 2.4.56
Windows Server 2019
GitHub URLs do not seem to work, so create a Git server and expose it using Apache on the Kali Linux attacker machine.
Install Git and Apache:
sudo apt install git apache2 apache2-utils
Configuring Apache HTTP Server for Git:
sudo a2enmod env cgi alias rewrite
Create a new directory /var/www/git for keeping all the Git repositories:
sudo mkdir /var/www/git
Create a new Apache site configuration /etc/apache2/sites-available/git.conf for Git:
sudo nano /etc/apache2/sites-available/git.conf
Disable the default Apache site configuration:
sudo a2dissite 000-default.conf
Enable the Git site configuration:
sudo a2ensite git.conf
Restart the Apache HTTP server:
sudo systemctl restart apache2
In order to bootstrap a new Git repository accessible over the Apache HTTP server, you will have to run a few commands. You don’t want to do the same thing over and over again just to create a new Git repository. So, I decided to write a shell script for that purpose.
sudo nano /usr/local/bin/git-create-repo.sh
Add execute permission to the shell script:
sudo chmod +x /usr/local/bin/git-create-repo.sh
Create a new Git repository test in the Git project root /var/www/git using the git-create-repo.sh:
sudo git-create-repo.sh evil
Now you can clone the test Git repository as follows:
git clone http://ip.of.kali.machine/git/evil.git
A quick review of Visual Code documentation revealed that it is possible to execute a predefined command before the actual build happens.
MSBuild's PreBuildEvent can be manipulated to execute custom commands before the actual build process starts. This is done by defining a custom target (PreBuild) that runs before the PreBuildEvent. Create a simple C# console project in Visual Studio and then modify the Pre-build event as follows:
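Seen from the side of a service that builds submitted repositories, the hooks described above can be detected statically before MSBuild is ever invoked. The following is an added example, not code from the original write-up: the function name find_build_hooks and both sample project files are constructed for illustration.

```python
# Added example: static pre-build check for MSBuild project files.
# For untrusted input in production, prefer defusedxml.ElementTree as the parser.
import xml.etree.ElementTree as ET

# Properties and tasks that run arbitrary commands during a build.
EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}
COMMAND_TASKS = {"Exec"}

def local(tag):
    """Strip an XML namespace so old-style and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]

def find_build_hooks(project_xml):
    """Return (kind, detail) findings for command-executing build hooks."""
    findings = []
    root = ET.fromstring(project_xml)
    for elem in root.iter():  # document order
        name = local(elem.tag)
        if name in EVENT_PROPERTIES and (elem.text or "").strip():
            findings.append((name, elem.text.strip()))
        elif name in COMMAND_TASKS:
            findings.append(("Exec", elem.get("Command", "")))
        elif name == "Target":
            # Custom targets wired into the build pipeline
            for attr in ("BeforeTargets", "AfterTargets"):
                if elem.get(attr):
                    detail = f"{elem.get('Name')} {attr}={elem.get(attr)}"
                    findings.append(("Target", detail))
    return findings

# Constructed sample input (not the project used in the write-up).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="echo constructed-placeholder" />
  </Target>
</Project>"""

# Constructed project with no build hooks.
CLEAN = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for kind, detail in find_build_hooks(SAMPLE):
        print(f"[!] {kind}: {detail}")
```

A finding is a reason to refuse the build or run it in an isolated, unprivileged sandbox. A clean result is not proof of safety, since MSBuild has other extension points such as Import elements and inline tasks.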
Run a Python server inside /usr/share/windows-resources/binaries in order to deliver netcat to the Windows machine:
Copy the evil directory from the Visual Studio Code project onto the Kali machine:
Copy all the contents from evil directory to evil.git directory:
cp -Rf /home/kali/Downloads/evil/* evil.git
Temporarily change ownership of evil.git:
chown -Rf root:root evil.git
Initialize git inside evil.git:
git init
git checkout -b main
git add .
git config user.email "test@test.com"
git config user.name "test"
git commit -m "first commit"
Now we can upload it!
The payload forces Apache to fetch netcat, and then we obtain a reverse shell:
Typically, web and database services possess "ImpersonatePrivilege" permissions. These permissions can potentially be exploited to escalate privileges. Given that a PHP application is running on this machine, I decided to upload and trigger a PHP reverse shell inside C:\xampp\htdocs\uploads.
Inspecting the privileges, I noticed the absence of ImpersonatePrivilege:
Upon further research, I came across FullPowers.
This tool allows the recovery of the default privilege set for LOCAL or NETWORK SERVICE accounts:
With the required privileges in hand, I turned to a tool known for elevating a service user with low privileges to NT AUTHORITY\SYSTEM privileges:
And finally we get the root flag: