Yeah… that’s definitely not the Jerry I remember from Tom and Jerry. Anyway, let’s get started with our usual portscan:
Okay. Let’s look at some other enumeration scans, namely gobuster on port 8080 and nikto:
Hmm. Ok interesting… So we can use PUT and place a malicious file on the server…? But let’s see if there’s another way to get into this box:
Ooh Apache Tomcat! Pretty familiar with this. Using default creds: tomcat and s3cret, we get in.
Scrolling down, we see we can upload a .war file.
Too easy. We can generate a war file with msfvenom to get a reverse shell:
Clicking the link navigates us to our war file, which triggers the reverse shell:
NT AUTHORITY\SYSTEM shell! A bit anti-climactic but oh well. Getting the flags, we see that this was the intended way because we have “2 for the price of 1.txt” for the flags:
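The foothold above came from the Tomcat manager accepting well-known example credentials. As an added example (not part of the original write-up), here is the check a defender would run against their own tomcat-users.xml: it flags accounts using commonly cited default/example pairs or short passwords, and notes which of them hold manager or admin roles. The sample config is constructed for the demo, and DEFAULT_CREDS is an illustrative assumption rather than a complete list.

```python
"""Audit tomcat-users.xml for default or weak manager credentials.

Added example, not from the original write-up. SAMPLE_CONFIG is constructed;
DEFAULT_CREDS lists commonly cited documentation/example pairs and is an
assumption to extend with your own baseline, not an exhaustive list.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (not the box's real file).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="0tGk2vL8qPzR4wXn6bHs" roles="manager-script"/>
  <user username="bob" password="tomcat" roles="manager-gui"/>
</tomcat-users>
"""

# Illustrative default/example pairs (assumption: adjust to your baseline).
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", ""), ("role1", "tomcat"), ("both", "tomcat"),
}
# Roles that grant deployment or administrative access over HTTP.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}


def _local(tag):
    """Strip an XML namespace prefix ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_length=12):
    """Return (username, issue, privileged_roles) for every risky account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat uses 'username'; very old configs used 'name'.
        user = el.get("username") or el.get("name") or ""
        pwd = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED_ROLES)
        if (user, pwd) in DEFAULT_CREDS:
            findings.append((user, "default credentials", priv))
        elif pwd == user or len(pwd) < min_length:
            findings.append((user, "weak password", priv))
    return findings


if __name__ == "__main__":
    for user, issue, priv in audit_tomcat_users(SAMPLE_CONFIG):
        print(f"{user}: {issue}; privileged roles: {', '.join(priv) or 'none'}")
```

Run it against the real file under the Tomcat conf directory; any account that comes back with a manager or admin role is one that can deploy a .war to the server, which is exactly the path used above.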
Cool… let’s get started with a portscan and basic gobuster enumeration:
Okay. Let’s have a look at the website:
Hm. Seemingly useless dead end.
I thought I was missing something. No matter how much I try to enumerate, I come up short with nothing:
Then after doing A LOT of research, I found out that cgi-bin stores scripts in other languages such as python, js, bash, php, etc.
Let me try fuzzing that with those specific extensions:
Finally a hit. user.sh
Googling for cgi-bin and sh web exploits, shellshock came up… I looked into it more and knew I had to put a special shellshock string into the User-Agent field to exploit the vulnerability, followed by the command.
And we get a callback on our listener:
Note: Usually I would have tested the above exploit with a ping first, but at this point I was extremely frustrated and just wanted to go for it.
Grabbing the user flag:
Okay. Now on to priv esc. I always like to do sudo -l as one of the first enumeration commands:
Duh. So I can run any perl command as root. This should be pretty obvious, but from here all you need to do is sudo /usr/bin/perl and then either use pentestmonkey’s perl reverse shell one-liner to get a root shell OR use perl syntax to switch to the root user. Leaving this open-ended for you to figure out the rest!
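The sudo -l finding above is a configuration problem: an interpreter granted via sudo is equivalent to granting a root shell. As an added example (not code from the original write-up), here is a small audit that parses user specifications from a sudoers file and flags rules granting ALL, or a shell-capable interpreter, to a non-root principal. The sample sudoers text, the user names in it, and the SHELL_CAPABLE list are constructed assumptions for the demo; the parser handles simple specs only and records tags at rule level rather than per command.

```python
"""Flag sudoers rules that hand out a root shell via an interpreter.

Added example, not from the original write-up. SAMPLE_SUDOERS and the
SHELL_CAPABLE set are constructed/illustrative assumptions. The parser covers
ordinary user specs (user host=(runas) [TAG:] cmd, cmd); aliases are skipped.
"""
import re

# Binaries that can trivially spawn an arbitrary shell (illustrative, not exhaustive).
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "bash", "sh",
                 "dash", "zsh", "env", "vi", "vim", "ALL"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

SAMPLE_SUDOERS = """\
# constructed sample, not from the write-up
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
webuser ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
www-data ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/python3 /opt/report.py
"""


def parse_sudoers(text):
    """Return a list of {who, host, runas, tags, cmds} dicts for user specs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags, cmds = set(), []
        for item in m.group("cmds").split(","):
            item = item.strip()
            # Peel off leading "TAG:" prefixes such as "NOPASSWD: /usr/bin/perl".
            while ":" in item and item.split(":", 1)[0].strip().upper() in TAGS:
                tag, item = item.split(":", 1)
                tags.add(tag.strip().upper())
                item = item.strip()
            cmds.append(item)
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root", "tags": tags, "cmds": cmds})
    return rules


def audit_sudoers(text):
    """Return findings for non-root principals granted ALL or a shell-capable binary."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue
        for cmd in rule["cmds"]:
            parts = cmd.split()
            name = parts[0].rsplit("/", 1)[-1]
            if name not in SHELL_CAPABLE:
                continue
            if name == "ALL":
                risk = "unrestricted ALL"
            elif len(parts) == 1:
                risk = "shell-capable binary without argument restriction"
            else:
                risk = "interpreter with fixed arguments: verify the script is root-owned and not writable"
            findings.append({"who": rule["who"], "runas": rule["runas"], "cmd": cmd,
                             "nopasswd": "NOPASSWD" in rule["tags"], "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']:10} ({f['runas']}) {f['cmd']}: {f['risk']}"
              + (" [NOPASSWD]" if f["nopasswd"] else ""))
```

The rsync rule is not flagged because its arguments are pinned, while the python3 rule is reported at a lower severity: an interpreter with a fixed script argument is only as safe as the permissions on that script.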
Looks like only port 80 is open. Running gobuster on port 80, we get some interesting directories:
After going down the list, we see /dev’s contents:
What’s phpbash.php ?
It’s an interactive web shell. Well, that’s pretty straightforward. Using this payload from the pentestmonkey website:
We get a reverse shell on our listener:
Grabbing the user.txt flag:
So let’s look around and MANUALLY enumerate before we try to use scripts. Manual enumeration is always preferred because you’re being more intentional about what you’re looking at. And to be honest, scripts can always miss stuff.
Running ps -ef, we see that there is a cron job running every minute:
So let’s try to read test.py:
Womp womp. Okay… well let’s try to do something that we should have done right away in the first place: sudo -l
So this is interesting. We know that scriptmanager is a user on the box. This took me a little bit, but I eventually got it (of course, syntax error):
So now, I can read test.py. Now that I am scriptmanager, I’m willing to bet that test.py is executed by root. I just need to create my own test.py and replace what’s in there.
Once I put this on the box, I tested it first to make sure it worked… of course, I had a few issues prior to getting the script right, but that’s why we test first!
Ok so the script works. Time to let the cron run and start our listener and wait patiently for root to execute the script:
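The root path above exists because a script run by a root cron job could be replaced by a less privileged account. As an added example (not part of the original write-up), here is a check that parses system-crontab style entries, resolves the absolute paths in each privileged job's command, and reports scripts that are writable by group/others, owned by an unexpected uid, or located in a world-writable directory. run_demo() builds a constructed crontab and temporary files so the check runs offline; the crontab text and file names are assumptions for the demo.

```python
"""Flag cron jobs that run as a privileged user but execute a modifiable script.

Added example, not from the original write-up. It reads /etc/crontab-style
lines (sixth field is the user). run_demo() fabricates the crontab and files.
"""
import os
import re
import shlex
import stat
import tempfile

# schedule (5 fields or @keyword), user, command
CRON_RE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def _problems(path, expected_uid):
    """List permission problems that let someone other than the owner change the script."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("script is writable by group/others")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without sticky bit")
    return problems


def audit_crontab(text, expected_uid=0, privileged_users=("root",)):
    """Return findings for existing scripts referenced by privileged cron entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_RE.match(line)
        if not m or m.group("user") not in privileged_users:
            continue
        for tok in shlex.split(m.group("cmd")):
            # Only absolute paths that exist; redirections start with '>' and are skipped.
            if tok.startswith("/") and os.path.isfile(tok):
                problems = _problems(tok, expected_uid)
                if problems:
                    findings.append({"user": m.group("user"), "path": tok, "problems": problems})
    return findings


def run_demo():
    """Construct a temp dir with one over-permissive script and one sane one."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "test.py"), os.path.join(d, "report.py")
    for p in (weak, safe):
        with open(p, "w") as fh:
            fh.write("print('demo')\n")
    os.chmod(weak, 0o777)  # anyone can replace the script that root will run
    os.chmod(safe, 0o755)
    crontab = f"""# constructed /etc/crontab-style sample
SHELL=/bin/sh
* * * * * root {weak}
*/5 * * * * root python3 {safe} >/dev/null 2>&1
"""
    # The demo files belong to the current user, so that uid is the expected owner
    # here; against a real system leave expected_uid at 0 (root).
    return audit_crontab(crontab, expected_uid=os.getuid())


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['user']} runs {f['path']}: {'; '.join(f['problems'])}")
```

On a live host, feed it /etc/crontab and each file under /etc/cron.d; a hit means a lower-privileged account can put its own code where root will execute it on schedule, which is the step demonstrated above.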
Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.
So when we go to the website and try searching, anything we do results in this:
But the weird thing is… it’s a fake image. So this is a dead end.
I waited a bit and got my scans back. Let’s look at nmap:
Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:
Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.
Looks like we can create a project.
Now clicking around and scrolling down… we see something very interesting:
This looks like a clear path to RCE. Let’s test it out:
After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:
Running tcpdump on my box, I see the ICMP requests coming through:
Now it’s as simple as creating a reverse PowerShell script with Nishang and appending a callback to our box at the bottom:
Serve up the PowerShell script:
Modify the build request:
Once you trigger it, you should receive a callback on your listener:
As a force of habit, I uploaded nc.exe and used it to get a binary shell as well.
Some simple enumeration showed an interesting file: CEH.kdbx
I tried copying the file with nc.exe but it was way too slow (if at all). I ended up using SMB:
Create the folder on the victim box and navigate to it:
Copy the file over:
Now looking at the file and running file on it, you know it’s a KeePass file. Crack it with hashcat. To do this, first extract the hash with keepass2john:
Locate the mode (-m) for hashcat for this hash format:
Hashcat is not expecting the CEH: file name before the hash, so edit that out and then run hashcat with rockyou.txt:
Whoops… This happened because I swapped the wordlist and the actual hash… so hashcat thought it was cracking a much larger file.
So we found that the password for the file is moonshine1.
Looking through everything in the kdbx file, we find:
Taking note of all the credentials found:
So I tried using smbexec with either of the administrator passwords with no luck… but I knew that the first line is a hash, so I attempted to pass the hash… and it returned a SYSTEM shell:
Grabbing the user and root flags:
What? Deeper?
Ok, maybe an alternate data stream… I found an online tutorial using streams.exe but it didn’t want to work for me, so I found a PowerShell alternative:
Look at the bottom left. We get HttpFileServer 2.3
Let’s poke around on SearchSploit:
RCE always looks fun. Let’s look at that one… specifically the .txt file:
So basically we need to apply a null byte and then {.exec|cmd.}, where cmd is whatever command we want. Let’s use Burp to try this out. It took me a while to figure this out and I actually had to watch Ippsec’s video, but in it he explains the importance of SysNative vs. SysWOW64 vs. System32.
And in our icmp dump we get:
So we have command execution! Now let’s copy Invoke-PowerShellTCP.ps1 to our working directory and append the example invocation from the PS1 script to the end of the file:
Serve it up on our box:
Now let’s supply the correct argument to burp and remember to URL encode it. Don’t forget to set up your listener.
On our listener, we get a user shell:
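Both footholds so far went through the web server: the Shellshock string in the User-Agent header against a /cgi-bin/ script on the earlier box, and the null byte followed by {.exec|...} sent to HttpFileServer 2.3 here. As an added example (not part of the original write-up), here is a detector that parses Apache combined-format access logs, URL-decodes the request path, and matches both request shapes. The log lines are constructed for the demo, and the two signatures are assumptions modelled on the public descriptions of these bugs rather than copied from any IDS product.

```python
"""Signature checks over web server access logs for the two request shapes
discussed above (Shellshock in a header, HFS 2.3 macro injection in the URL).

Added example, not from the original write-up. SAMPLE_LOG is constructed;
SIGNATURES are illustrative assumptions.
"""
import re
from urllib.parse import unquote

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (name, pattern, fields to inspect); the path is URL-decoded before matching.
SIGNATURES = [
    ("Shellshock function definition in a client-controlled header",
     re.compile(r"\(\)\s*\{"), ("ua", "referer", "path")),
    ("HFS 2.3 {.exec|...} macro in request",
     re.compile(r"\{\.exec\|", re.I), ("path",)),
]

# Constructed sample lines (the classic Shellshock test string and an HFS request).
SAMPLE_LOG = [
    '10.10.14.2 - - [10/Jan/2020:10:01:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [10/Jan/2020:10:01:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo vulnerable"',
    '10.10.14.5 - - [10/Jan/2020:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "curl/7.68.0"',
    '10.10.14.2 - - [10/Jan/2020:11:15:30 +0000] "GET /?search=%00%7B.exec%7Cping+10.10.14.2.%7D HTTP/1.1" 200 2043 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # %00 -> NUL, %7B -> '{', etc.
    rec["null_byte"] = "\x00" in rec["path"]
    return rec


def scan_log(lines):
    """Return one hit per line per signature, with the first matching field."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern, fields in SIGNATURES:
            for field in fields:
                if pattern.search(rec[field]):
                    hits.append({"line": n, "ip": rec["ip"], "sig": name, "field": field,
                                 "path": rec["path"], "null_byte": rec["null_byte"]})
                    break
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']} from {h['ip']}: {h['sig']} (in {h['field']})")
```

Decoding before matching matters for the HFS case: the braces arrive percent-encoded, so a signature applied to the raw log line would miss the request. The null_byte flag is reported separately because a NUL in a request path is suspicious on its own.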
Looking around we get some creds that are pretty much useless at this point (but we keep enumerating anyway!)
At this point, I ran sherlock.ps1 to help me out a bit.
Hmm. At first I tried using an off-the-shelf MS16-032.ps1 script, but those don’t work here because they spawn a new terminal window. We don’t have visual access, so we can’t use that. Ippsec’s video shows that there’s a copy in Empire that can be used from the CLI.
Testing it out:
So we can use this modified MS16-032 that accepts commands.
To use this you have to edit the bottom to run the function that you want with the specified argument as the script states:
Create another reverse TCP script with a different port (I called mine rev4445.ps1):
Running it:
And on our other listener that we set up on port 4445, we get an NT AUTHORITY\SYSTEM shell:
Definitely learned a new thing or two with this box. Anyway, let’s fire off nmap:
Okay… so let’s go look at port 4386 to try to see what it is.
HQK Reporting Service? Erm. Ok. Port 445 was open, so let’s run smbclient to list the shares and smbmap to list the contents:
What’s in Welcome Email.txt?
Cool. So we got a password. No… don’t go trying to use it just yet. Continue enumerating.
Looking at NotepadPlusPlus config.xml:
Looking at RU_config.xml:
… and that’s why we continue to enumerate FIRST.
Okay so, trying the creds that we’ve found so far… we figure out a couple things.
TempUser can get access with welcome2019
So can L.Frost!, but L.Frost can only log in with welcome2019, not list shares for some reason (access denied).
Same with R.Thompson…
User: C.Smith and Password: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= can list contents in Secure$\IT\Carl\ directory with TempUser
With the encrypted password in hand, RUScanner had VB files (Module1.vb) with an example of how to decrypt the password.
Utils.vb had the actual code to decrypt the password:
So I needed a nudge on this because this is all REALLY out of my brain capacity (but wouldn’t be for long!)… this involved A LOT of trial and error:
Cutting and pasting the code into .NET Fiddle (https://dotnetfiddle.net), removing all the functions not related to decryption, adding Imports System at the top (to pull in the classes the code needs and get rid of the errors), and adding Console.WriteLine(plainText) before the decrypt function returns gave us this code:
That last portion was used to just decrypt the actual string that we found earlier. This returned the password:
The password is: xRxRxPANCAK3SxRxRx
Using this, we can try to access the share with C.Smith’s username:
We can then just download user.txt and read it:
Now onto root. Looking around, we see some interesting files in HQK Reporting:
HQK_Config_Backup.xml contents:
Debug Mode Password.txt looks interesting. After looking for hours, I remembered about using alternate data streams to hide stuff in files:
Interesting… so there’s a stream called Password!
Okay, so we know this is associated with the HQK service on port 4386. Let’s try to telnet in with these creds:
Reading the manual for HQK Reporting Service, we can figure out the commands used to enumerate what is on the service.
Doing initial nmap recon, we get some lengthy output:
So it looks like it’s a Windows box with quite a lot of ports open. Ports 139/445 caught my eye first. So, using enum4linux against Resolute, we get some interesting information. I missed this the first time, but looking back over everything line by line, I was able to find some really juicy info:
Okay, so we see Marko Novak’s password is set to Welcome123! Trying this with evil-winrm to log in, we get an authentication failure. However, let’s think this through. This looks like the default password created for new users. Running down the list, we try this with the user melanie:
So from here, I actually used PowerShell and uploaded nc.exe to get a more stable shell. Call me old-fashioned, but I just don’t like the Evil-WinRM shell.
I don’t remember quite why, but I ended up using Evil-WinRM’s shell anyway. It’s good to have a backup.
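Above, one default password was tried against the user list until an account accepted it. That pattern (one source, many accounts, one password, a short window) is what a password-spray detection looks for. As an added example (not part of the original write-up), here is a detector over logon events shaped like Windows 4625 (failure) and 4624 (success) records: it groups by source address, alerts when a source fails against at least min_accounts distinct accounts inside the window, and reports any success from that source in the same window as a likely compromised account. The events, account names and thresholds are constructed assumptions.

```python
"""Detect a password spray from authentication events.

Added example, not from the original write-up. SAMPLE_EVENTS are constructed
tuples (timestamp, event id, account, source ip); thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE, SUCCESS = 4625, 4624  # Windows logon failure / success event ids

SAMPLE_EVENTS = [
    ("2020-01-10T09:00:01", FAILURE, "alice", "10.0.0.50"),
    ("2020-01-10T09:00:03", FAILURE, "bob", "10.0.0.50"),
    ("2020-01-10T09:00:05", FAILURE, "carol", "10.0.0.50"),
    ("2020-01-10T09:00:07", FAILURE, "dave", "10.0.0.50"),
    ("2020-01-10T09:00:09", FAILURE, "erin", "10.0.0.50"),
    ("2020-01-10T09:00:11", SUCCESS, "frank", "10.0.0.50"),
    # one user mistyping their own password a couple of times is not a spray
    ("2020-01-10T09:30:00", FAILURE, "claire", "10.0.0.77"),
    ("2020-01-10T09:31:00", FAILURE, "claire", "10.0.0.77"),
    ("2020-01-10T09:32:00", SUCCESS, "claire", "10.0.0.77"),
]


def detect_spray(events, window_minutes=10, min_accounts=5):
    """Return one alert per source that fails against many distinct accounts."""
    by_src = defaultdict(list)
    for ts, eid, account, src in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, account))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        # Slide a window starting at each event; stop at the first window that trips.
        for i, (start, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, eid, account in evs[i:]:
                if t - start > window:
                    break
                if eid == FAILURE:
                    failed.add(account)
                elif eid == SUCCESS:
                    succeeded.add(account)
            if len(failed) >= min_accounts:
                alerts.append({"source": src, "window_start": start.isoformat(),
                               "failed_accounts": sorted(failed),
                               "successes": sorted(succeeded)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"{a['source']} sprayed {len(a['failed_accounts'])} accounts from "
              f"{a['window_start']}; successes: {a['successes'] or 'none'}")
```

Counting distinct accounts rather than raw failures is what separates a spray from a single user locking themselves out, and the success-in-window field is the part worth paging on: it names the account whose password was the default.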
Looking around, we find an unusual file under C:\ called “PSTranscripts”. We enumerated hidden files with dir -FORCE from the PowerShell prompt to find PSTranscripts.
Did you see it? ryan’s password is in the other transcript file! Password: Serv3r4Admin4cc123!
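The transcripts above are a reminder that PowerShell transcription logs whatever was typed, passwords included. As an added example (not part of the original write-up), here is a scanner that reads transcript text, keeps the header's Username and Start time, matches a few command shapes that carry a plaintext secret (net use with a password, net user /add, ConvertTo-SecureString -AsPlainText, a -Password argument), and reports each hit with the secret masked so the report does not become another copy of the password. The sample transcript, account names and passwords are constructed; the pattern list is an illustrative assumption.

```python
"""Scan PowerShell transcript text for credentials typed on the command line.

Added example, not from the original write-up. SAMPLE_TRANSCRIPT and every
name/password in it are constructed; SECRET_PATTERNS are illustrative.
"""
import re

SECRET_PATTERNS = [
    ("net use with password",
     re.compile(r"\bnet\s+use\s+\S+\s+\S+\s+/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("net user /add with password",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>\S+)\s+/add", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<secret>[^'\"]+)['\"]\s+-AsPlainText", re.I)),
    ("-Password argument",
     re.compile(r"-Password\s+['\"]?(?P<secret>[^'\"\s]+)", re.I)),
]
HEADER = re.compile(r"^(Username|Start time|Machine):\s*(.+)$")

SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: CORP\svc_admin
RunAs User: CORP\svc_admin
Machine: FS01 (Microsoft Windows NT 10.0.14393.0)
**********************
PS C:\Users\svc_admin> Get-ChildItem C:\Shares
PS C:\Users\svc_admin> cmd /c "net use X: \\fs01\backups /user:CORP\backupsvc Bk-example-Pa55!"
The command completed successfully.
PS C:\Users\svc_admin> $sec = ConvertTo-SecureString 'Sv-example-Pa55!' -AsPlainText -Force
PS C:\Users\svc_admin> $cred = New-Object System.Management.Automation.PSCredential('CORP\svc_admin', $sec)
PS C:\Users\svc_admin> net user tempadmin Tmp-example-Pa55! /add
**********************
Windows PowerShell transcript end
End time: 20191203063352
**********************
"""


def mask(secret):
    """Keep two characters so a hit can be matched to a rotation ticket, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_transcript(text):
    """Return a finding per line that carries a plaintext secret (first pattern wins)."""
    header, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        h = HEADER.match(line)
        if h:
            header[h.group(1)] = h.group(2).strip()
            continue
        for kind, pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                secret = m.group("secret").strip("'\"")
                findings.append({"line": n, "kind": kind, "secret": mask(secret),
                                 "username": header.get("Username", "?"),
                                 "started": header.get("Start time", "?")})
                break
    return findings


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']} ({f['username']}, {f['started']}): {f['kind']} -> {f['secret']}")
```

Point it at the transcript output directory configured by the transcription policy; every hit is a credential that should be treated as exposed to anyone who can read that directory, which is the situation the write-up exploits.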
Let’s try these creds with ryan:
Alright, time to look around. We enumerated, looking at basic stuff like whoami /groups:
After a while, I came up with nothing. I used PowerUp.ps1 to find an interesting potential exploit:
This link actually helped me out a lot in understanding what to do next.
So, I created a malicious DLL:
Then I served it up on SMB:
And I injected the DLL remotely (really cool new trick I didn’t know before):
I then started the DNS process as seen above. With the listener on port 443, I caught an NT AUTHORITY\SYSTEM shell: