This article describes the solution steps of the retired machine ‘’CUMHURIYET’’ on the PriviaHub platform. First, scanning has been started to detect the open ports on the machine and the current services running on the open ports.
As a result of the scanning process, it was found that ports 80 and 443 are open and “Apache 2.4.38” service is running on these ports. Access to the web application running on the Apache service is provided through the web browser via port 80.
User access page is encountered when access is provided. In order to log into the system, user registration must be created.
For this purpose, by clicking on the link indicated by “Create An Account”, access to the registration page is provided and user registration is created.
After the registration process is completed, access to the user panel is provided from the login page.
After logging in, the page “account.php” on the user panel is accessed. This page allows users to change passwords.
During the password change, a local proxy application was initiated to intercept outgoing request data when the “Change Password” button was clicked. After entering the new password value in the text boxes and clicking the button, the user_id parameter between the request data to the proxy application is noteworthy.
The “2” value assigned to this parameter indicates the ID value of the user logged into the system. When this ID value is changed, if the newly assigned value is the ID value of a different user, then the password of that user will change when the request is sent. This vulnerability is called IDOR (Insecure Direct Object Reference). “User_id” has been assigned a value of 1 and the request has been sent.
The user name must be known in order to access the panel of the user whose password is changed after the request is sent. Since the ID value is assigned as “1”, it can be inferred that this account can be an “admin” account.
Since the e-mail address is requested on the login page, it can be inferred that the e-mail address of the account with ID value 1 can be “firstname.lastname@example.org” or “email@example.com”. An attempt was made to access the panel by entering the new password value with this e-mail address in the text boxes.
As a result of the entered information is correct, access to the admin panel is provided.
There is a web page on the panel that can be used to add a new page to the system. The first text box on this page represents the name of the newly created PHP file and the other text box represents the PHP code that will be placed in it. Therefore, a file can be created containing PHP code that provides a session link to execute commands on the machine.
After entering PHP code that provides file name and session link in text boxes, a page named “reverse_shell.php” has been created with msfvenom tool in Kali.
Generated request, when the reverse_shell.php page is accessed, will be received with using the multi/handler exploit in Metasploit Framework and a session connection will be provided through the machine.
In order to execute the commands through the provided session, the “meterpreter“ agent, which is an effective tool developed for performing post-exploitation operations, will be used and access to this page will provide a meterpreter connection through the machine.
As a result of access to the page, multi/handler exploit received a request and meterpreter session connection was obtained.
The Apache service runs with the privileges of the local user account named “web” on the machine. Therefore, the meterpreter session was obtained with the rights and authorizations of the user “web”. However, this session link received with the PHP file does not provide an interactive session. Because this session is presented with a payload called “php/meterpreter/reverse_tcp”, presented by the Metasploit Framework, and the possibilities are limited by the capabilities of the PHP programming language.
Therefore, an application file with the extension “.exe” has been created on the Metasploit Framework, which will provide a meterpreter session, and a new listening mode is initiated using the payload “windows/meterpreter/reverse_tcp.
The newly created file was uploaded to the machine over the resulting session and rerun. Thus, the listening mode that works in the background has captured the request and a new meterpreter session is obtained.
By using meterpreter agent, desktop directory of the user “web” is accessed and “non-privflag.txt” file is obtained. However, the “privflag.txt” file in the desktop directory of the ”Administrator” account cannot be read. Because user ”web” has low privileges. For this reason, privilege escalation will be performed.
When the rights and privileges of user “web” are examined, it is seen that this user belongs to the group named “Administrators”.
As you can see, the “web” user has administrator rights, but the Apache service works with UAC (User Access Control) protection. Therefore, the meterpreter connection is achieved with low privileges. The next step is to bypass the UAC mechanism and to perform transactions requiring high privileges with the “web” user. A tool called Akagi, developed by “hfirefox”, can be used to bypass the UAC mechanism. This tool includes a variety of UAC Bypass techniques so that the UAC mechanism can be bypassed using a suitable method according to the machine’s operating system and Build number.
After downloading and compiling the Akagi tool from Github, the next step is to install the executable file on the victim machine and run it by specifying an argument. Therefore, a meterpreter agent created with the Akagi tool can be run to obtain a new meterpreter session connection with high privileges.
According to the operating system and Build number of the machine, the Akagi tool was operated with a meterpreter agent previously installed on the machine using technique 10 (techniques available on the Github page). Thus, a new meterpreter session was obtained with high privileges.