Starting Point Part 7: Markup
At this point in our journey, we have gotten quite a few tools in the toolbox. We’ve seen some heavy-hitters and some one-offs. This box will add just a few more in there, so let’s dive in. I’ll do the basics just like last time:
So we got three ports, ones that we have seen before. The easiest spot to start is the webpage, and nmap says it is “MegaShopping”…let’s go check that one out. Starts with a logon page. Before I get to far here, credential reuse has been horrible on these boxes, let’s try that first. Doing a curl on the page, I can see that it is doing a POST with a username and password. Let’s let hydra give it a shot with our current list of usernames and passwords. First I need to figure out what bad looks like, then I let hydra have a crack at it.
And what do you know, we got in:
That didn’t give me results I wanted, rats. But looking at the command, we tried to find a file on linux. Looking at our nmap results, we have windows box this time. We have to change our payload to find a windows file instead of a linux file. Easy one to find is either boot.ini or win.ini which are on almost all distributions (like /etc/passwd is found on linux distros). Let’s try that:
Nice, much better. it found the windows file we were looking for. But what can we do with this? We can try to retrieve any file that we know the path to find. This sounds like a horrible game of “whack-a-mole”, so I need to figure out what to look for. As I look back over the notes, there was port 22 open as well. I know the default location for ssh keys for a user, let’s try that and see if I get a hit.
And we won on that one. Perfect. I’ll use the “Copy to file” command so I don’t make a “cut & paste” mistake. Make sure we change the permissions on the file and then try to logon.
And we got in. I try a quick-win and check the powershell transcript file, but it is full of the last guy exploiting the box and nothing that helps us move forward (people aren’t cleaning up after themselves again). So, I’ll run winPEAS to enumerate for me. Here is what sticks out to me on the first pass through: mysql is running, admin creds are in memory again, firewalls are on, it is in the MARKUP domain, and winRM is running on the box. Okay, we can work with that. Going to the root directory, there is a non-standard directory that shouldn’t be there. Let’s check that out.
Weird file, I can write to it, and its doing some weird eventlog clearing. I know that clearing logs with wevtutil.exe requires some admin rights, let’s check to see if this thing is set up on a task:
So of course we can’t see the task, it has to run as root. But the permissions are allowing me to write and read the file…let’s just write a revshell and see if it calls back?
Okay, let me start the webpage on my server and maybe it will eventually hit? Checking the contents of the file, it has already been reset to the original. That was quick, but I didn’t get a callback to my webserver hosting up the page. I pull the that same file over to my windows box to validate it works and it does, just as expected. When I type IWR into the powershell on the Markup box, it fails. Ah, I see it, aliases are not enabled on the shell we are using. Convenience got me again. Let me write the command in cmd.exe and see if that runs:
And that is a win, ran almost immediately and we got a shell as administrator.
So that was the box. I of course look around to do some post-exploit looking, but don’t find more creds for the next box. Should have learned a few things here: know the architecture you are putting the exploit on, XXE is an xml path, and shorthand isn’t universal. Hope you added a few new things to the toolbox and we are nearing the end of the journey, see you on the next one!