By Fady Moheb

What is BioTime?

BioTime is a powerful time and attendance management software that provides a stable connection with up to thousands of ZKTeco’s standalone push communication devices through Ethernet/Wi-Fi/3G/4G and works as a private cloud to offer employee self-service by mobile application and web browser.
As we can see, BioTime can be accessed over Wi-Fi, the mobile app, and the web. Okay, let’s start our journey.

CVE-2023-38950

According to this blog post by w3bd3vil, the directory traversal vulnerability in the iclock API is straightforward to exploit and does not require authentication. An attacker can access any file on the system by ensuring that the SN parameter loosely matches the url parameter. To retrieve files from the server, a simple GET request with the appropriate parameters is sufficient. Here’s an example:

Nice, that works. Based on this manual, the config file is called Attsite.ini and sits inside a directory called zkbiotime. Okay, let’s do it.

Okay, it doesn’t work. Let’s figure it out from our terminal. But why does this really happen?

Fail!

Maybe the directory we are looking for is not the one that exists, so let’s brute-force it. Doing a bit of research on the internet, we managed to gather several ZKTeco default directory names:

zkbiotime
zktime
zktimepro
zkteco
biotime
biotime8
timeattendance
zkbiotime8.0
zkattendance
attendance
zkadmin
adminzk
attdata
attlog
logs
config
settings
userdb
backup
init

Let’s give it a shot

Maybe we found the right one, let’s check its content.
Worked! This looks like base64, let’s decode it and see what it contains.
Pingo, now we have creds to get into the zkbiotime database, let’s see what we can get from it.
We will use [dbeaver](https://dbeaver.io/) to complete this process. At the beginning I found the auth_user table, which has usernames and hashes, but those hashes are salted, which makes it challenging to leverage them directly.
This doesn’t give us any good result.
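Before moving on, here is a detection-side check for the CVE-2023-38950 traversal described above. It is an added example, not code from the original post or from the referenced write-up: it parses web-server access-log lines, keeps only requests under /iclock/, and flags any whose `url` parameter escapes its directory after full percent-decoding. The log lines are constructed, and the endpoint name after /iclock/ is a placeholder since the post only says "iclock API".

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format). The endpoint name
# after /iclock/ is a placeholder; the write-up only says "iclock API".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /iclock/cdata?SN=DEV001&table=ATTLOG HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /iclock/endpoint?SN=..%2F..%2Fsecret&url=..%2F..%2Fsecret%2FAttsite.ini HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /iclock/endpoint?SN=x&url=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path_param(value: str) -> str:
    """Percent-decode until stable (catches double encoding) and unify separators."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True when the value can leave its directory: a '..' segment, an absolute path or a drive path."""
    norm = normalize_path_param(value)
    return ".." in norm.split("/") or norm.startswith("/") or re.match(r"^[A-Za-z]:", norm) is not None


def find_iclock_traversal(log_text: str) -> list:
    """One finding per request to /iclock/ whose url parameter escapes its directory."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/iclock/"):
            continue
        params = parse_qs(parts.query)  # parse_qs strips one layer of percent-encoding
        for url_value in params.get("url", []):
            if is_traversal(url_value):
                findings.append({
                    "line": line_no,
                    "client": m.group("ip"),
                    "status": int(m.group("status")),  # a 200 means the file was likely served
                    "sn": params.get("SN", [""])[0],
                    "url": normalize_path_param(url_value),
                })
    return findings
```

Run `find_iclock_traversal(SAMPLE_LOG)` over your own logs to get one dict per suspicious request; the SN value is kept because the post notes it has to loosely match the url parameter, which makes a shared traversal pattern in both a strong signal.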

Read the Manual to get the Access

That little thing scratched my mind and made me read the manual, and I noticed that auth_user is not the only table that saves the creds. Back in the “What is BioTime” section, notice I told you that you can access the software through the web and the mobile app.

So I tried to find out if the mobile app had some good tables, and I found a table called mobile_appactionlog. It turns out this table saves the failed logins through the mobile app, with the username and the wrong password.

So I decided to guess the right password, and after some tries ...
Now we are in with administrative privilege. We can upload our photos and get in, or edit the privileges to make new users with the same privilege, leak data, ...

System !

Now we are on the software as administrators, but what about the DC? Let’s see what we can do with the creds we found.

We can send commands with [Netexec](https://www.netexec.wiki/).

> You can do the same with xp_cmdshell with impacket-mssqlclient.

Okay, that’s an easy way to get a shell, let’s give it a shot.

> This server is for attendance only and some other services, so it doesn’t have any SMB or WinRM ports open.

That means Windows Defender does its job in the right way.

Evasion

Now we need to do some obfuscation and use some evasion techniques to complete this task.

Some resources about evasion:

Let’s give it a try

Pingoo, we have a shell now. I love to work with MSF, so let’s do AMSI bypassing to get meterpreter up.

Because this is a service account and, as you can see in the picture above, we have SeImpersonatePrivilege, we can abuse this with PrintSpoofer the hard way or simply with the getsystem utility from meterpreter.

Now you can do whatever you need.

Now we can say we are in.