search
Read BlogpostsLet's Connect

windowsDVR4

Privilege Escalation using RunAs

hashtag
Summary

  • This machine ran an older version of Argus Surveillance DVR, which was vulnerable to a Directory Traversal exploitarrow-up-right.

    • The machine also had an SSH port open, so the initial foothold plan was to get a private SSH key by exploiting the directory traversal vulnerability and attempting to ssh into the machine.

  • Two usernames were identified from the Argus user dashboard, one of which had an associated SSH private key obtained via the directory traversal exploit.

  • Within the system, an encrypted password was discovered in the DVRParams.ini file. Weak encryption methodsarrow-up-right allowed the decryption of the password, granting plain-text access to the admin user account.

  • Despite SSH access being disabled for the admin user, elevated privileges were achieved using the runas command.

hashtag
🧵Let's Unpack

hashtag
Enumeration

# Port Scanning
sudo nmap -sC -sN -A -oN nmapFull -p- -A 192.168.172.179

# Got 2 usernames from manual enumeration 
- Administrator
- Viewer

hashtag
Initial Foodhold

The plan is to get the id_rsa key into the box using a directory traversal exploit and ssh.

The Location of id_rsa in Windows:

hashtag
Priv Escalation

Found the encrypted Password in the following directory.

Used the following script to decrypt the password

LogoGitHub - s3l33/CVE-2022-25012: Updated version of this weak password encryption scriptGitHubchevron-right

Since SSH was disabled on Administrator, I used runas to get root shell

PreviousShenziNextResourced

Last updated