Rabbit

Rabbit - 10.10.10.71

Target Enumeration:

OS: Windows

IP: 10.10.10.71

User: c6f45142bea818fe729cef32342aae9c

Root: 0b2ded66e5a49dd1620be30110f43d54

Ports / Services / Software Versions Running

Too many to list: :/

8080 - sqli

80 - owa - client side exploit

Vulnerability Exploited:

Sqli to get the users email hash and login via owa allows you to send a malicious .odt file to the manager which gives you a reverse shell

Privilege Escalation:

Apache running as system service > reverse nc php file

Exploiting the host:

Nmap

Hundreds of ports open so wasted a lot of time enumerating them and knocking out the FP’s.

Gobuster on http://10.10.10.71:8080/

Eventually got to complain which is “Complain Management System”

Searchsploit leads us to sqli

Which leads us to:

Register a user and login

Discover content with burp to see if there are any other functions/ pages uncovered

Looking at the other exploit it leads us to https://www.exploit-db.com/exploits/42968/

Rebuild in the browser:

Vulnerable to sqli so save request to run through sqlmap or do manually.

Sqlmap on the request with * at injection point

Looks like it is vulnerable.

Enumerate the databases etc until you know what you are looking for

Dump the users table

Results:

So we have some users and passwords now we need to work out where they work

After testing authentication with all the services running on the machine one appears to be OWA credentials:

Looks like we need to send some form of malicious document to “management”

There is also some information about potential privesc headaches

We need to find out who management are

After a while we found a user to email in the deleted items folder

And a full email address

Now we need to build a payload via metapsploit. (OSCP ;)

Annoyingly attaching the report would not work in firefox so I switched to chrome

Sent the report and waited, client side exploits are a pain and can be quite annoying to get to work and I have seen it before when I have done the correct exploit yet it has not worked for some reason so always try a few different exploits as our report may have been picked up by windows defender.

Looking at the other emails we get a hint

Now look for an openoffice exploit

Se the options as follows:

Send the malicious odt file

Wait again :/

This did not work so we need to create our own and possibly find a way around the restrictions

Create a payload locally (may get picked up by windows defender) and host on your webserver just to see if we can run commands via our odt file and if we are lucky get a shell.

This part took me many attempts to get right and I cannot be 100% certain about which payload actually worked as I sent around 30 emails to the user. I eventually reverted the machine just incase as I was sure I was on the right lines.

Modify the macro in the odt file to:

Send the report and wait

Grab the users file

C6f45142bea818fe729cef32342aae9c

Enumerating the system tells us that apache is running as system

Generate a meterpreter php payload

Download to the C:\wamp64\www\ dir

Request the shell via curl

We get a session but it dies almost instantly probably due to AV

So write a manual rev shell using nc.exe which we have already downloaded

Create and host the following files on your webserver

Script.bat

Download them both to the machine in the www dir

Start a nc listener on port 53

Request the file via the browser

Check your listener

Now you have a root shell so collect the flags

Last updated