DVR4 - Proving Grounds Practice
Enumeration
Nmap
Initial nmap scan revealed SSH, SMB and Port 8080 were open.
Web Enumeration
Visiting the website revealed that it was an Argus Surveillance web page.
Later, I checked the help page and found out that the version was Argus Surveillance DVR 4.0.
Exploitation
CVE-2018-15745
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
The version was vulnerable to path traversal. I tried it and it worked.
Later, I checked usernames from the web page.
Then I tried to read the SSH private keys (id_rsa) for both users, and it worked for the Viewer user. The command can be seen below.
curl "http://192.168.165.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
And using it I obtained the user shell.
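From the defender's side, the traversal request above leaves a distinctive trace in the web server's access log: a RESULTPAGE value that URL-decodes to a string containing `../`. The following Python script is an added example, not part of the original writeup or of the Argus product; it scans constructed Apache-style access-log lines (the log format, the 192.0.2.0/24 client addresses and the request targets are all assumptions for the demo) and flags any query parameter or path that decodes to a traversal sequence, decoding repeatedly so that double-encoded forms such as `..%252F` are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache-style common log format, not real traffic).
# The second line reproduces the shape of the traversal request discussed above;
# the third is a double-encoded variant; the others are benign.
SAMPLE_LOGS = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=MAIN.HTM&USEREDIRECT=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa&USEREDIRECT=1 HTTP/1.1" 200 1679',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /WEBACCOUNT.CGI?RESULTPAGE=..%252F..%252Fexample.txt&USEREDIRECT=1 HTTP/1.1" 404 0',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

# Common log format: client, ident, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A parent-directory reference followed by either separator; the CGI runs on
# Windows, so a backslash is as dangerous as a forward slash.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing.

    Returns (decoded, rounds). rounds == 0 means the value carried no encoding,
    rounds >= 2 means it was double (or deeper) encoded.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def split_raw_query(query):
    """Split a raw query string into (name, raw_value) pairs without decoding,
    so that the decoding depth can be measured per value."""
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, raw = part.partition('=')
        pairs.append((name, raw))
    return pairs


def analyze_request(target):
    """Inspect the path and every query value of one request target.

    Returns a dict describing the first traversal hit, or None if clean.
    """
    path, _, query = target.partition('?')
    candidates = [('<path>', path)] + split_raw_query(query)
    for name, raw in candidates:
        decoded, rounds = fully_decode(raw)
        if TRAVERSAL_RE.search(decoded):
            return {'param': name, 'decoded': decoded, 'decode_rounds': rounds}
    return None


def scan_logs(lines):
    """Return one finding per log line whose request contains a traversal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        hit = analyze_request(m['target'])
        if hit:
            findings.append({'ip': m['ip'], 'status': m['status'], **hit})
    return findings


if __name__ == '__main__':
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ip']} status={f['status']} param={f['param']} "
              f"decode_rounds={f['decode_rounds']} -> {f['decoded']}")
```

Two details matter in practice: the status code is kept in each finding because a 200 on a traversal request (as opposed to a 404) indicates the disclosure actually succeeded, and the decode depth is reported because a value that needed two rounds of decoding is almost never legitimate traffic.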
Privilege Escalation
CVE-2022-25012
Argus Surveillance DVR v4.0 employs weak password encryption.
So by reading C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini and obtaining the password hashes, we can decrypt both users' passwords.
At first I read C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini and noted the password hashes.
Then I used G4sp4rCS/CVE-2022-25012-POC, which simply decrypts the password. However, it cannot decrypt special characters, so I checked and found the byte codes for the special characters, as seen below.
- ! = B398
- @ = 78A7
- # = <blank>
- $ = D9A8
Running this tool revealed that the last byte was unknown. However, checking the special character byte codes, I found that it was $.
RunAsCs
Later, I simply used RunAsCs with the Administrator user and the recovered password to obtain a reverse shell using netcat.
I obtained the Administrator shell.