During an internal assessment, I discovered a web application called BioTime within the target infrastructure. Preliminary research uncovered multiple known vulnerabilities, specifically those listed in 2023 on CVE Details for ZKTeco, including directory traversal and limited write capabilities. Notably, a path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allowed me to read arbitrary files by supplying a crafted payload.
After exploiting these vulnerabilities, I obtained credentials for the BioTime program’s database, but they were hashed with salt, making it challenging to directly leverage them. This led me to wonder how I could gain further control over the system on the server despite these obstacles
What is BioTime ?
BioTime is a powerful time and attendance management software that provides a stable connection with up to thousands of ZKTeco’s standalone push communication devices through Ethernet/ WIFI/ 3G/ 4G and works as a private cloud to offer employee self-service by mobile application and web browser.
As we see BioTime can access over the Wifi, Mobile, and the Web okay let’s start our journey
CVE-2023-38950
CVE-2023-38950 is a path traversal vulnerability affecting certain versions of ZKTeco’s BioTime application. It allows attackers to access arbitrary files on the server by manipulating the file path in requests, thereby bypassing access restrictions. This vulnerability could lead to unauthorized file disclosure, potentially exposing sensitive information that compromises the system’s confidentiality and security.
According to this blog by w3bd3vil we found that The directory traversal vulnerability in the iclock API is straightforward to exploit and does not require authentication. An attacker can access any file on the system by ensuring that the SN parameter loosely matches the url parameter. To retrieve files from the server, a simple GET request with the appropriate parameters is sufficient. Here’s an example:
Nice, That’s work, Based on this manual the config file is called attsite.ini inside a directory called zkbiotime okay let’s do it
Fail
Okay, It doesn’t work let’s figure it out from our terminal, But why does this really happen?
Maybe the directory we are looking for are not the one that exists let’s brute-force, Doing a bit of research on the internet we managed to gather several ZKTeco default directory names
- zkbiotime
- zktime
- zktimepro
- zkteco
- biotime
- biotime8
- timeattendance
- zkbiotime8.0
- zkattendance
- attendance
- zkadmin
- adminzk
- attdata
- attlog
- logs
- config
- settings
- userdb
- backup
- init
- …..
Let’s give it a shot
Maybe we find the right one let’s check the content of it
Worked! , this seems base64 let’s decode it and see what this is has
Pingo , Now we have creds to get into the zkbiotime database let’s see it what we can have
This doesn’t give us any good result
Read the Manual to get the Access
That little thing scratched my mind and made me read the manual so i noticed that the auth_user is not only the table that saves the creds back to What is the biotime section notice I told you can access the software through the web and the mobile
So i tried to find if the mobile had some good tables os I found a table called mobile_appactionlog and I found that this table saves the bad logins throw the mobile app with the username and the wrong password
So i decide to guess the right password and after some tries …
Now we are in, with administrative privilege, we can upload our photos and get in or edit on the privilege to make new users with the same privilege, leak data, …
System!
Now we are on the Software as administrators what about the DC , Let’s see what we can do with our creds that we found
we can send commands with Netxec
You can do the same with xp_cmdshell with impacket-mssqlclient
Okay, That’s easy to get a shell, Let’s give it a shot
This server is for the attendance only and some other service so it doesnt’ have any smb or winrm ports open
That means Windows Defender does its job in the right way
Evasion
Now we need to do some obfuscation and use some evasion techniques to do this task
Some resources about Evasion stuff :
Let’s give it a try
Pingoo , we have shell now so i love to work with MSF let’s do AMSI bypassing to turn on the meterpreter
Cuz this is a service account and if you notice above we have SeImpersonatePrivilege priv above pic we can abuse this by printspoofer with the hard way or by simply with getsystem utility from meterpreter
Now you can do what ever you need
Now we can say we are in!
