Skip to content

CyberSecLabs Engine Write-up

Engine is a beginner windows box from cyberseclabs.co.uk hosting a version of BlogEngine vulnerable to file upload we can use to gain a foothold on the box and then escalate using discovered autologin creds. Let’s get started!

Recon

We’ll start off by firing off autoenum (found here) and giving it the IP of the box, we’ll then be prompted for a scan profile. (I default to aggr).

After a few minutes, we get the nmap script output spit out.

PORT      STATE SERVICE            VERSION                                                                                                                                                                                                    
80/tcp    open  http               Microsoft IIS httpd 8.5                                                                                                                                                                                    
| http-methods:                                                                                                                                                                                                                               
|   Supported Methods: OPTIONS TRACE GET HEAD POST                                                                                                                                                                                            
|_  Potentially risky methods: TRACE                                                                                                                                                                                                          
|_http-server-header: Microsoft-IIS/8.5                                                                                                                                                                                                       
|_http-title: IIS Windows Server                                                                                                                                                                                                              
135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                                                                                                      
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                                                                                                              
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 -
2012 microsoft-ds                                                                                                                                                       
3389/tcp  open  ssl/ms-wbt-server?                                                                                                                                                                                                            
| ssl-cert: Subject: commonName=Engine                                                                                                                                                                                                        
| Issuer: commonName=Engine                                                                                                                                                                                                                   
| Public Key type: rsa                                                                                                                                                                                                                        
| Public Key bits: 2048                                                                                                                                                                                                                       
| Signature Algorithm: sha256WithRSAEncryption                                                                                                                                                                                                
| Not valid before: 2020-04-30T21:30:10                                                                                                                                                                                                       
| Not valid after:  2020-10-30T21:30:10                                                                                                                                                                                                       
| MD5:   8205 f1f4 3837 abb5 6139 a069 c8ac ee2a                                                                                                                                                                                              
|_SHA-1: 86ce 2d5e eb76 f33a 2e49 1f80 b586 c119 ef2d a8b7                                                                                                                                                                                    
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                                                                    
|_http-title: Not Found                                                                                                                                                                                                                       
49155/tcp open  msrpc              Microsoft Windows RPC                                                                                                                                                                                      
49164/tcp open  msrpc              Microsoft Windows RPC                                                                                                                                                                                      

All the msrpc ports aside, we have the usual smb and http ports open. 5985 is also open, which will be used later for post exploitation. We’ll start by taking a look at the webserver and go from there. Before that, checking the http loot directory, we can see that autoenum picked up a few dirs.

Enumerating /blog

According to autoenum, the only directory on the webserver is /blog. Taking a look at the page, we come across the following:

Seems like the blog is running off something called BlogEngine. Taking a look around the page, there isn’t anything about a version but we do have a login button. The last button to the left takes us to a login page that looks like this:

Trying the usual suspects, I found that admin:admin got us in. Once we’re in, there is an about tab on the side. Clicking on it and taking a look around we can see that we have a version.

Now that we know the version is 3.3.6, we can take a look and see if searchsploit has anything interesting.

The first entry is a text file that explains how to exploit CVE-2019-6714, a directory traversal leading to RCE via file upload. We can move the file to our working directory using searchsploit -m [id].

Path Traversal to RCE

The exploit gives us a run down of CVE-2019-6714 and how to exploit it.

According to this, we can upload a file in the edit post screen. Below is the code to upload. Change the listening settings and copy it over to a separate file that will be uploaded. Once the file has been moved over and modified, head on over posts -> content and choose the only post.

The right-most icon that looks like an open folder is what we are looking for. Clicking it opens a prompt to upload a file, upload the file (make sure to rename the file PostView.ascx) and save the post.

Start up a listener and navigate to the following link to execute the uploaded file

http://172.31.1.16/blog?theme=../../App_Data/files

Taking a look at our listener, we can see that we have a shell but it isn’t very pretty. We’ll msfvenom to get a better shell.

We don’t have access to write in the directory we are dropped in so I transfered the file over in the C:\Users directory, which we do have write access to. Once there, execute the shell with a listener open.

Now that we have a better shell, we can move to priv esc.

Priv Esc

After doing some quick post exploitation enumeration, there doesn’t seem to be anything that really sticks out. Let’s get winPEAS transfered over and go from there.

Now that we’ve moved it over, run it and let it do its thing. Looking through the output we come across the following

 

AutoLogon to System

Windows uses AutoLogon to hence the name, log in automatically without having to supply creds. We can use a tool called Evil-winRM to abuse the WinRM feature of windows (more on WinRM here) and log into a windows machine as long as the service is on the box.

And we are admin!

Published inCyberSecLabsWindows