Lock is a basic Windows machine that involved enumerating a Gitea repository to find a Personal Access Token (PAT), which revealed the ability to deploy files on the server and allowed us to upload an ASPX web shell. From there we escalate privileges to a user with remote access, whose password was decrypted from an mRemoteNG configuration file, and then escalate further to SYSTEM through the repair process of PDF24.
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
3000/tcp open ppp?
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
PORT 80
The web server hosts a template page with just an About section and nothing else.
PORT 3000
On this port there's an instance of Gitea being hosted, with a repository named dev-scripts.
This repo has a Python script that lists all of the user's repositories using their PAT (Personal Access Token).
Enumerating repositories
Checking the commit history, we'll find a Gitea token.
After copying the script to the local machine and running it with the token from the commit history, it shows another repo named website.
Using the PAT, we can clone this repo:
git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.10.109.226:3000/ellen.freeman/website.git
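Seen from the defender's side, the token left in the commit history above can be caught by scanning `git log -p` output for token-shaped strings. This is an added example, not code from the write-up or from the dev-scripts repo; it assumes tokens have the 40-hex-character shape of the PAT in the clone URL, and the sample log, the file name repos.py and the variable name GITEA_ACCESS_TOKEN are constructed.

```python
import re

# Assumption: tokens have the 40-hex-character shape of the PAT in the clone URL above.
TOKEN_RE = re.compile(r"\b[0-9a-f]{40}\b")
FAKE = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real token
# Constructed `git log -p` output, newest commit first (all values are made up).
SAMPLE_LOG = f"""\
commit {'b' * 40}
    Read the token from the environment
diff --git a/repos.py b/repos.py
--- a/repos.py
+++ b/repos.py
@@ -1,2 +1,2 @@
 import os, requests
-TOKEN = '{FAKE}'
+TOKEN = os.getenv('GITEA_ACCESS_TOKEN')
commit {'a' * 40}
    Add repos.py
diff --git a/repos.py b/repos.py
--- /dev/null
+++ b/repos.py
@@ -0,0 +1,2 @@
+import os, requests
+TOKEN = '{FAKE}'
"""

def scan_history(log_text):
    """Yield (commit, path, sign, token) for token-shaped strings on +/- hunk lines."""
    commit, path, in_hunk = None, None, False
    for line in log_text.splitlines():
        if line.startswith(("commit ", "diff --git ")):
            in_hunk = False  # file headers follow, so ---/+++ are not content lines
            commit = line.split()[1][:8] if line[0] == "c" else commit
        elif not in_hunk and line.startswith(("--- a/", "+++ b/")):
            path = line[6:]
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith(("+", "-")):
            for tok in TOKEN_RE.findall(line[1:]):
                yield commit, path, line[0], tok

def exposed_tokens(log_text):
    """Map each token to the commit that added it and the newest commit that removed it."""
    report = {}
    for commit, path, sign, tok in scan_history(log_text):
        entry = report.setdefault(tok, {"path": path, "added_in": None, "removed_in": None})
        # Log is newest-first: keep the last '+' (oldest add) and the first '-' (newest removal).
        if sign == "+" or entry["removed_in"] is None:
            entry["added_in" if sign == "+" else "removed_in"] = commit
    return report
```

A token reported with a `removed_in` commit is still readable by anyone who can view the history, so it has to be revoked in Gitea rather than only deleted from the file.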
Uploading webshell
The readme.md from the repo says that any changes made to this repo will be deployed on the web server, so let's verify by creating a simple HTML file.
Add the created HTML file with git add, and set the username and email with git config --global:
git add uwu.html
git config --global user.name "ellen.freeman"
git config --global user.email "ellen.freeman"
git commit -m "uwu"
git push
Now this file will be deployed on the webserver
Since IIS is being used as the web server (from the nmap scan), we can upload an ASPX web shell.
Transferring nc and getting a shell
Under the Documents directory, we'll find config.xml, which has an encrypted password for mRemoteNG.
Using the script to decrypt the password
Having the credentials, we can log in as gale.dakarios through RDP. After logging in, we can see the PDF24 launcher on the desktop.
Escalating privileges through PDF24
Checking the version, it appears to be 11.15.1, which is vulnerable to local privilege escalation
The vulnerability lies within the repair process of PDF24. The process calls pdf24-PrinterInstall.exe, which gets executed with SYSTEM privileges and has write access to faxPrnInst.log. With SetOpLock, this file can then be locked and held, so pdf24-PrinterInstall.exe will remain open and we can then perform the actions listed in the article:
- right click on the top bar of the cmd window
- click on properties
- under options click on the “Legacyconsolemode” link
- open the link with a browser other than internet explorer or edge (both don’t open as SYSTEM when on Win11)
- in the opened browser window press the key combination CTRL+o
- type cmd.exe in the top bar and press Enter
In the C drive there's a hidden directory, _install, containing the PDF24 MSI file.
Before running it make sure to have SetOpLock from here
Now executing the installer file with msiexec
After some time, we'll get a cmd window for pdf24-PrinterInstall.exe.
Open the properties of this window and click on the legacy console mode link to open it with Firefox.
Use ctrl+o to open up a file, and in the address bar type cmd.exe to spawn a shell as the SYSTEM user, because this whole process is being executed in the context of that user.
References
- https://kettan007.medium.com/how-to-clone-a-git-repository-using-personal-access-token-a-step-by-step-guide-ab7b54d4ef83
- https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
- https://github.com/gquere/mRemoteNG_password_decrypt/blob/master/mremoteng_decrypt.py
- https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-msi-installer-in-pdf24-creator-geek-software-gmbh/
- https://github.com/googleprojectzero/symboliclink-testing-tools