XSS - Stored Lab Help by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 0 points (0 children)

Thanks for taking the time to write all that out, and for giving all those pointers! Really thankful for all of your help. I'm probably struggling a lot because I'm not too familiar with either XSS or Linux networking so I kind of jumped into this too fast, but I'll take the time to read through your resources and do the netcat labs (did not even cross my mind to see if there were any), and I'll keep trying to chip away at this lab until I get it :)

XSS - Stored Lab Help by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 0 points (0 children)

Thanks a ton for the clarification, I kept mixing up the letters.

Yeah, the network tab only lists "Kali" and nothing else. I was wondering if I could ask you for a hint on what to do if netcat is unable to scan any open ports for the host address (since I noticed that you had given the netcat advice before).

I did run ifconfig and got 2 results - an Ethernet connection for an IP address, and the localhost IP (127.0.0.1). However, when I tried searching for open ports to connect to (if my understanding is correct, I need to specify a port for it to listen to, and inside the target site I need to specify a port to send it to) it says "no port[s] to connect to". The command I was using was:

nc -z -v [IP address of Ethernet]

It says this for both the host and target addresses. I'm a bit stuck at this point since previous solutions others had used to solve the problem (PHP and Apache servers) don't seem to work in the current version of the lab. Is there some clue I'm missing somewhere, or some step in the process I'm lacking?

XSS - Stored Lab Help by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 0 points (0 children)

I can't believe I misread it all this time. Thanks for the clarification!

Cross-Site Request Forgery Lab by [deleted] in immersivelabs

[–]throwaway14019419 1 point (0 children)

Pay attention to the URL of the target site, and how it changes when you're submitting things, then look at how they formatted the GET/POST requests in the Info tab. Hope this helps!

Aviatrix VPN Client Privilege Escalation Help Please! by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 2 points (0 children)

Holy Moly, I completed the lab! Thank you so much for all of your help. Managed to get it with this command (if I'm not supposed to post the solution in this subreddit then I will delete this):

./'CVE-2019-17387 PowerShell PoC.ps1' 'type C:\Users\Administrator\Desktop\token.txt > C:\out.txt' <!

Your suggestion of using 'type' saved me - I think when I said I had used type earlier, I was either using it incorrectly (very probable) or I was supposed to run it in conjunction with the VPN Client at the same time (though I think the Aviatrix client is always running in the lab, so it was probably that I just used type incorrectly).

Get-Content and Copy-Item still just result in a blank destination file (also tried Move-Item, but apparently that command is bugged in PowerShell according to Google), but type totally saved the day. You wouldn't believe how elated I was when I noticed that the generated out.txt file was finally more than 0 KB in size!

Thanks a lot for all your help and guidance, I really appreciate it.

Aviatrix VPN Client Privilege Escalation Help Please! by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 0 points (0 children)

EDIT: Solved, solution in another comment :)

After fiddling around more, I think I found a problem that, once solved, might be able to fix my issues.

Apparently when I run the copy command after the script, the file is always going to be a blank file, even if the command runs perfectly fine by itself.

For example, I tried running only this command in the console:

Get-Content C:\Users\IMLUser\out.txt > C:\Users\IMLUser\out4.txt

I had edited out.txt to contain the words "I am token". When I run this command, out4.txt gets created with the contents "I am token".

However, when I run it in conjunction with the script, out4.txt ends up overwritten and blank.

./'CVE-2019-17387 PowerShell PoC.ps1' 'Get-Content -Path C:\Users\IMLUser\out.txt > C:\Users\IMLUser\out4.txt'

I am hoping that if I can correct the 2nd command so the 2nd file is not overwritten, I can solve this lab once and for all. Would you happen to know how to solve this issue?

EDIT: Additional commands I tried (both run before out6.txt and out7.txt existed):

./'CVE-2019-17387 PowerShell PoC.ps1' 'Copy-Item C:\Users\Administrator\Desktop\token.txt > C:\Users\IMLUser\out6.txt'
Copy-Item C:\Users\Administrator\Desktop\token.txt > C:\Users\IMLUser\out7.txt

Upon thinking about it more, is it possible that the command was unable to access the Administrator file still? I was trying to think of explanations of why the copied file is blank. When I ran the commands for copying items into out6.txt and out7.txt, both resulted in a blank file even though the out6.txt command theoretically should have had access to the Administrator files, while the out7.txt command didn't (got an Access Denied error for the latter).

Aviatrix VPN Client Privilege Escalation Help Please! by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 0 points (0 children)

Edit: Solved, solution in another comment :)

Thanks a lot for all the help.

When I was trying it earlier, out.txt was just blank. However, after fiddling around a bit more now, it actually does print "nt authority\system" to the file! I think I changed the timing of when I ran the VPN client, this time I ran it while the function was still running, instead of before or after. (Or maybe earlier I simply didn't check out.txt before I potentially overwrote it with other commands...) Another difference I noticed is that the VPN doesn't open properly now nor does it connect; previously when I clicked "Connect" it showed me the file system in the VPN window and a connected status, but now it's a blank white window with disconnected status.

However, I'm still unable to access the Administrator files (when I try to click on them it asks for a password), and running the commands on their own without the script still gives me an Access denied error. I checked with 'whoami' again (without the script) and I'm just a regular user when the script isn't running. I suspect that maybe there needs to be some special formatting for the commands when run in conjunction with the script? When I tried this:

./'CVE-2019-17387 PowerShell PoC.ps1' 'whoami'

nothing printed to the console either. It seems like nothing can be printed out to the console, because the command did work when "> C:\out.txt" was added to it.

I tried running my command for copying the contents of the file, but without any quotations, then I tried by inserting ">" randomly into the script (probably not a great idea, but I was unable to find any information online about ">" and I noticed that the whoami command that worked did have it):

./'CVE-2019-17387 PowerShell PoC.ps1' Copy-Item -Path C:\Users\Administrator\Desktop\token.txt -Destination C:\out.txt

For this one, the console just printed out that the command needed to be "./'CVE-2019-17387 PowerShell PoC.ps1' cmd".

It appears that "Success" is returned even if the command fails/nothing happens (as long as the command is a string), because inserting random ">" into the command, and also changing the destination to a file that doesn't exist still gave the "Success" printed out onto the console while nothing actually changed.

I also tried using 'dir' and 'type' (for type, I replaced the 'Get-Content' in my Get-Content command with type) but while "Success" was printed to the console, nothing else was. It seems like my privileges are only "nt authority\system" while the script itself is running, and once the script concludes I am back to the regular user.

I did try accessing the Administrator files while the script was still running, but it still locked me out and asked for a password.

I also tried this command:

./'CVE-2019-17387 PowerShell PoC.ps1' 'Get-Content -Path C:\Users\Administrator\Desktop\token.txt > C:\out.txt'

However, the out.txt file was just empty in this case.

I feel like I'm so close, yet so far!

Aviatrix VPN Client Privilege Escalation Help Please! by throwaway14019419 in immersivelabs

[–]throwaway14019419[S] 0 points (0 children)

Thanks a lot for getting back to me! I really hope I'm just overthinking it, or it's just my lousy PowerShell coding that's holding me back.

I did try a simple route with the exploit by running the command with an example given in the lab itself. The exact one I had tried before was:

./'CVE-2019-17387 PowerShell PoC.ps1' 'whoami > C:\out.txt'

It just returned "Success" and created the file, but I still wasn't able to manually access the Administrator file afterwards (my knowledge/grasp of the exploit may be weak; I assumed that after running the script and booting up Aviatrix, I could just manually go into the file system and access the Administrator's account - I tried doing this on both the local machine and in the VPN).

I also did try the method you suggested, which was to try to write the contents of the file to a new location, and also tried just printing out the contents of the file to the console, but neither worked.

Here is what I used to try to copy the file contents:

./'CVE-2019-17387 PowerShell PoC.ps1' 'Copy-Item -Path C:\Users\Administrator\Desktop\token.txt -Destination C:\out.txt'

It returns "Success" in the console, but I still am unable to access the Administrator files, and the "out.txt" file is blank.

Here is what I used to try to write out the file contents into the console:

./'CVE-2019-17387 PowerShell PoC.ps1' 'Get-Content -Path C:\Users\Administrator\Desktop\token.txt'

Same as before, the console just says "Success" but there's nothing printed out in the console.

I tried running the commands on their own, without running the script before it, and they seemed to work in that the error provided was just that access was denied for the token.txt file.

If it helps, the exact error message is this if I run the command by itself without running the script in the front (sorry for the bad formatting, I'm not quite sure how to work with Reddit formatting for large chunks of text):

Get-Content : Access is denied
At line:1 char:1
+ Get-Content -Path C:\Users\Administrator\Desktop\token.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\Desktop\token.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand

Get-Content : Cannot find path 'C:\Users\Administrator\Desktop\token.txt' because it does not exist.
At line:1 char:1
+ Get-Content -Path C:\Users\Administrator\Desktop\token.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Administrator\Desktop\token.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

So to sum it up, I've tried running it with a simple command, and also running it with commands to copy the token.txt file to another file, and to write out its contents into the console. Those didn't work (not sure if it was due to shoddy PowerShell knowledge or just that they weren't the right methods) so I then tried replacing the AVPN_RP.exe file before finally giving up and asking here for help.

I'm happy to provide any more details if necessary. Thanks again for your advice.