During a routine penetration testing engagement, we found an IIS webserver with HTTP methods (verbs) like PUT and DELETE enabled on it. During enumeration of the web server we figured it was configured to run PHP as well.
The PUT method allows an attacker to place a file on the server. Uploading a web shell was our obvious choice. However due to some security settings enabled on the server we were unable to upload any php/aspx/jsp etc. files. Had we been able to upload a shell, we would’ve gotten code execution on the server. But it was not as simple as we thought it to be.
After trying some variation of the file types, we figured out we could upload .txt files on the server. We could access these files by opening them through the browser. After multiple attempts we decided to use something very simple: “MOVE”method to rename the files once they were uploaded on the server. So we uploaded a .php file as .txt and renamed that to .php
The screenshot for these two steps is shown below:
Here is the output when visiting our test123.php file,
Safemode was enabled on the server and we didn’t really try to bypass that. But we uploaded an ASPX Shell on the server (rename the .txt file to .aspx as mentioned earlier). At this point our service was running with “Network Service”Privileges and we were limited in terms of our control on the Server.
Using our ASPX webshell we were at least able to traverse the content on the server. We were able to read the MySQL configuration details for one of the applications configured on the server and noted that the database is configured using root.
Armed with the credentials of the MySQL root user, we could login to the server remotely. Unlike Microsoft SQL Server there is no built-in stored procedure like xp_cmdshell that allows us to execute OS commands. However, MySQL has User Defined Functions (UDF) that can be used to execute OS level commands but they are not available by default. At this point “lib_mysqludf_sys”available on https://github.com/mysqludf comes in handy. The “lib_mysqludf_sys”library has functions to interact with the operating system. These functions allow you to interact with the execution environment in which MySQL runs. This library is available with SQLMAP (udf/mysql)
Firstly, we copied the library on to the target machine in a known location using the PUT method. We had to write this file to “c:\windows\system32”directory. But our web server was running with limited privileges.
While logging in we face another issue, the root user is not allowed to login remotely on the MySQL database. This was easy to overcome!We wrote a php file which allowed our IP address to login remotely on the MySQL server and executed it using the same steps that we have been doing so far.
Next, we logged in and triggered a SQL query to load this file in to a newly created table row. Here, we are instructing MySQL to create a new function to point to the code in our malicious library. Finally, we executed this new function with arbitrary system commands that we wish to run.
The commands used are shown below:
USE mysql; CREATE TABLE npn(line blob); INSERT INTO npn values(load_files('C://root//lib_mysqludf_sys.dll')); SELECT * FROM mysql.npn INTODUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll'; CREATE FUNCTION sys_exec RETURNSintegerSONAME 'lib_mysqludf_sys_32.dll'; SELECT sys_exec("net user omair NIIConsult!n4 /add"); SELECT sys_exec("net localgroup Administrators omair /add");
As seen a user omair with administrative privileges was added to the server.
Further, we logged in to the server through remote desktop. Time to escalate our privileges even further!At this stage, we were local administrator and did not have a domain account. We found multiple users logged in to the system. At this point we want to dump the passwords from the memory of that system. Mimikatz helps you do that.
What is Mimikatz?
Mimikatz is a slick tool that pulls plain-text passwords out of WDigest interfaced through LSASS. Read here to know more about how to use different features in Mimikatz
We then uploaded “mimikatz.exe”on the server using our account omair. It was likely that the antivirus on the server would flag it. In our case it did not. Even if it did we could use various evasion techniques to upload and execute the file. We then used our favourite widgest method to retrieve passwords in clear text and get credentials for a user “taufiq” who was an ordinary Domain User but also had Admin privileges on some product related servers.
Now we logged into all these product related servers with the account we had to search for more interesting accounts which we could escalate our privileges to. We were able to find several accounts but the most authoritative account was of course the Domain Admin.
That’s it, we again uploaded mimiktaz on this system and obtained password for the Domain Admin account. Net result was that the Domain was 0wned!
From here on we could use smbexec utility to extract domain hashes from the domain controller.
This article shows how a simple vulnerability like enabling HTTP verbs such as PUT and MOVE can serve as the doorway to a far more insidious attack and allow the attacker to take complete ownership of the network. Of course, there were a large number of other vulnerabilities that allowed us to do this – but the entry point was simply one mis-configured HTTP server!