VL - Lock
Enumeration
NMap showed the following ports open:
1
2
3
4
5
6
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3000/tcp open ppp
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
We notice that GitTea is running, and we can read a repo with an old commit exposing an Authorization key. We can add this key manually to the dev script, as it talks to the Swagger API and reveals the other repo named “website.” Next, we can use the authorization key to pull down the git repo to our local machine:
1
git pull http://<authorization-key>@<gittea>:3000/ellen.freeman/website
User
The README.md of the repo reveals that changes will be automatically added to the website. Since it is a Windows box, we can upload an (ASPX reverse shell)[https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx] to the git repo and get our low-priv access. In the Documents folder on ellen.freeman, we find an .xml file which is used for mRemoteNG, the password is encrypted, and there are multiple ways to get the decrypted password out of it. I added an external tool to mRemoteNG locally which opens a CMD shell and echoes the password variable. To do this, you have to go to Tools > External Tools > New External Tool. Put as the filename CMD and as arguments /k echo %password%
and run the external tool on the connection. There is also a Github repo that decrypts the password using Python; I did not test this mRemoteNG_Password_Decrypt. This allows us to RDP into the user Gale and obtain the first flag.
Privilege Escalation
When opening the RDP session, the first thing that seems odd is the extra application on the desktop named PDF24. The version on the server is 11.15.1, which has a known privilege escalation vulnerability in it. We can abuse this by following the post PDF24 Creator Priv Esc. The only thing we have to do is ship the .msi with the SetOpLocks.exe to the server to fulfill the requirements. You might have to give it a few tries before the CMD mentioned in the post pops up.