HTB Visual: Walkthrough

This is a relatively short machine. It starts with a web app that lets us submit a GitHub repository, which the server then compiles for us with Visual Studio. We can use EvilSln to exploit a weakness in VS and gain RCE on the target. This is followed by an abuse of SeImpersonatePrivilege to gain Administrator access.

0) Machine Overview

  1. Scans
  2. Web Enumeration
  3. Privilege Escalation

1) Scans

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (87%)

2) Web Enumeration

So here we have a web application that offers to compile our code for us using Visual Studio. I tried submitting a random GitHub repo of mine:

So I started researching ways to potentially exploit this, and almost instantly I came across EvilSln.

It gives a brief explanation of several “vulnerabilities” in Visual Studio that Microsoft doesn’t even seem to consider vulnerabilities. We can leverage this to make our .csproj project execute code before it is compiled. Once that’s done, we host the Git repository ourselves, since the target machine isn’t connected to the internet.

1) Create our repository:

dotnet new console -n fakedotnet

2) Create a new .sln file:

cd fakedotnet
dotnet new sln -n fakedotnet
dotnet sln fakedotnet.sln add fakedotnet.csproj

3) Commit our changes:

git init
git add .
git commit -m 'test1'

4) Update the server info and host the server:

cd .git
git --bare update-server-info
python3 -m http.server 9000

5) Lastly, whenever we need to push a change:

cd ..        # back to the fakedotnet directory
git add .
git commit -m 'test2'
cd .git
git --bare update-server-info

With that, assuming we have the proper payload within our .csproj file, we have RCE:

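From the defender's side, the build service should refuse projects that carry build-time command hooks. The following script is an added example, not part of this writeup or of EvilSln; it uses constructed sample project files and an assumed watch-list of MSBuild elements, and reports every hook (with the target it fires from) before anything is handed to MSBuild:

```python
import xml.etree.ElementTree as ET

# MSBuild elements that run commands or load code during a build (assumed watch-list).
RISKY_ELEMENTS = {"Exec", "PreBuildEvent", "PostBuildEvent", "UsingTask"}

# Constructed sample: a project carrying two build-time hooks (harmless echo commands).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <PreBuildEvent>echo pre-build hook</PreBuildEvent>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="echo running before compile" />
  </Target>
</Project>
"""

# Constructed sample: the plain project that `dotnet new console` produces.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""

def local_name(tag):
    """Strip the xmlns that old-style (non-SDK) project files put on every tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag

def find_build_hooks(csproj_xml):
    """Return (element, enclosing target, command) for every build-time hook."""
    root = ET.fromstring(csproj_xml)
    parent = {child: p for p in root.iter() for child in p}
    hits = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name not in RISKY_ELEMENTS:
            continue
        target, node = "(none)", parent.get(elem)  # walk up to the <Target>, if any
        while node is not None and local_name(node.tag) != "Target":
            node = parent.get(node)
        if node is not None:
            target = node.get("Name", "?")
        command = elem.get("Command") or elem.get("AssemblyFile") or (elem.text or "").strip()
        hits.append((name, target, command))
    return hits

def is_safe_to_build(csproj_xml):
    """True only when the project carries no build-time hooks at all."""
    return not find_build_hooks(csproj_xml)
```

A real gate would also inspect every file pulled in through `Import` and the .sln itself, since a hook can live anywhere MSBuild evaluates.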
Then upload our file:

Works perfectly.

Let’s try to get a shell now.

Upload our file, and then:

3) Privilege Escalation

Now that I had a shell, I tried running WinPEAS and PowerUp, but didn’t find anything too interesting. One useful habit I picked up recently is to run tasklist /v whenever a web application is running and check which account it runs under. Most of the time it will just say N/A, but that doesn’t tell the full story. In this case, I uploaded my own PHP web shell to the C:\xampp\htdocs\ directory to see who is actually running the web server. It was NT AUTHORITY\LOCAL SERVICE.

So I decided to look into privilege escalation methods from local service.

I came across a super useful tool called FullPowers.

FullPowers is a Proof-of-Concept tool made for automatically recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.

Let’s give it a try:

Caught the shell, and as we can see, we have all the privileges we wanted :)

Then we can either go the easy route and upload a meterpreter shell and use getsystem:

Or do it manually using EfsPotato, compiling it on the target with csc.exe (GodPotato would have worked as well; I think it gives the best versatility and needs no compilation):

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

Pwned.


This post is licensed under CC BY 4.0 by the author.