Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.
So when we go to the website and try searching, anything we do results in this:
But the weird thing is… it’s a fake image. So this is a dead end.
I waited a bit and got my scans back. Let’s look at nmap:
Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:
Alright… Let’s navigate to http://10.10.10.63:50000/askjeeves/
Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.
Looks like we can create a project.
Now clicking around and scrolling down… we see something very interesting:
This looks like a clear path to RCE. Let’s test it out:
After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:
Running tcpdump on my box, I see the ICMP requests coming through:
Now it’s as simple as creating a reverse powershell script with Nishang and appending the bottom with a callback to our box:
Serve up the PowerShell script:
Modify the build request:
Once you trigger it, you should receive a callback on your listener:
As a force of habit, I uploaded nc.exe and used it to get a binary shell as well.
Some simple enumeration showed an interesting file: CEH.kdbx.
I tried copying the file with nc.exe but it was way too slow (if at all). I ended up using SMB:
Create the folder on the victim box and navigate to it:
Copy the file over:
Now looking at the file and running file on it, you can tell it’s a KeePass database. Crack it with hashcat. To do this, first extract the hash with keepass2john:
Locate the mode (-m) for hashcat for this hash format:
Hashcat is not expecting the “CEH:” file name prefix before the hash, so edit that out and then run hashcat with rockyou.txt:
Whoops… This happened because I swapped the wordlist and the actual hash… so hashcat thought it was cracking a much larger file.
So we found that the password for the file is moonshine1
Looking through everything in the kdbx file, we find:
Taking note of all the credentials we found:
So I tried using smbexec with either of the administrator passwords with no luck… but I knew that first line was a hash, so I attempted to pass the hash… and got a SYSTEM shell.
Grabbing the user and root flags:
What? Deeper?
Ok, maybe an alternate data stream… I found an online tutorial using streams.exe but it didn’t want to work for me, so I found a PowerShell alternative:
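The streams.exe tool mentioned above is one way to list NTFS alternate data streams; the PowerShell cmdlets can do the same thing natively, which is also how a defender would sweep a directory for data hidden in non-default streams. The following is an added example, not code from the original post: it creates a demo directory and a sample file with a hidden stream (the path and file name are assumptions), then walks the directory and reports every stream other than the default ":$DATA" stream along with its contents.

```powershell
# Added example (not from the original post): find non-default NTFS alternate
# data streams under a directory. $root and the sample file are assumptions.
$root = 'C:\Temp\ads-demo'   # assumed demo directory; point this at the directory to sweep
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Construct a sample file that carries a hidden stream so the scan has something to find.
$sample = Join-Path $root 'notes.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'hidden' -Value 'data tucked into an alternate stream'

# Every file has the default ':$DATA' stream; anything else is worth inspecting.
Get-ChildItem -LiteralPath $root -File -Recurse |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.FileName
            Stream  = $_.Stream
            Length  = $_.Length
            # Read the stream directly; -Raw keeps it as one string instead of a line array.
            Content = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw
        }
    } | Format-Table -AutoSize
```

On a real host the sweep will also surface benign streams such as Zone.Identifier, which Windows attaches to files downloaded from the internet, so filter those out or review them separately before treating a hit as suspicious.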