Yeah… that’s definitely not the Jerry I remember from Tom and Jerry. Anyway, let’s get started with our usual portscan:
Okay. Let’s look at some other enumeration scans, namely gobuster on port 8080 and nikto:
Hmm. Ok interesting… So we can use PUT and place a malicious file on the server…? But let’s see if there’s another way to get into this box:
Ooh Apache Tomcat! Pretty familiar with this. Using default creds: tomcat and s3cret, we get in.
Scrolling down, we see we can upload a .war file.
Too easy. We can generate a war file with msfvenom to get a reverse shell:
Clicking the link navigates us to our war file, which triggers the reverse shell:
NT AUTHORITY\SYSTEM shell! A bit anti-climactic, but oh well. Getting the flags, we see that this was the intended way because we have “2 for the price of 1.txt” for the flags:
Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.
So when we go to the website and try searching, anything we do results in this:
But the weird thing is… it’s a fake image. So this is a dead end.
I waited a bit and got my scans back. Let’s look at nmap:
Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:
Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.
Looks like we can create a project.
Now clicking around and scrolling down… we see something very interesting:
This looks like a clear path to RCE. Let’s test it out:
After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:
Running tcpdump on my box, I see the ICMP requests coming through:
Now it’s as simple as creating a reverse PowerShell script with Nishang and appending a callback to our box at the bottom of the script:
Serve up the PowerShell script:
Modify the build request:
Once you trigger it, you should receive a callback on your listener:
As a force of habit, I uploaded nc.exe and used it to get a binary shell as well.
Some simple enumeration showed an interesting file: CEH.kdbx.
I tried copying the file with nc.exe, but it was way too slow (if it worked at all). I ended up using SMB:
Create the folder on the victim box and navigate to it:
Copy the file over:
Now, looking at the file and running file on it, you know it’s a KeePass database. Crack it with hashcat. To do this, first extract the hash with keepass2john:
Locate the mode (-m) for hashcat for this hash format:
Hashcat is not expecting the CEH: file name before the hash, so edit that out and then run hashcat with rockyou.txt:
Whoops… This happened because I swapped the wordlist and the actual hash file… so hashcat thought it was cracking a much larger file.
So we find that the password for the file is moonshine1.
Looking through everything in the kdbx file, we find:
Taking note of all the credentials we found:
So I tried using smbexec with either of the administrator passwords with no luck… but I knew that first line is a hash, so I attempted to pass the hash… and got a SYSTEM shell:
Grabbing the user and root flags:
What? Deeper?
Ok, maybe an alternate data stream… I found an online tutorial using streams.exe, but it didn’t want to work for me, so I found a PowerShell alternative:
Look at the bottom left. We get HttpFileServer 2.3.
Let’s poke around on SearchSploit:
RCE always looks fun. Let’s look at that one… specifically the .txt file:
So basically we need to apply a null byte and then {.exec|cmd.}, where cmd is whatever command we want. Let’s use Burp to try this out. It took me a while to figure this out and I actually had to watch Ippsec’s video, but in it he explains the importance of SysNative vs. SysWOW64 vs. System32.
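From the detection side, the null byte plus {.exec|…} macro described above is a very distinctive string in a web access log. The following is an added example (not from this write-up) that scans combined-format access log lines for that macro, percent-decoding repeatedly so encoded and double-encoded variants are caught; the log lines are constructed samples, and the log format is an assumption.

```python
import re
from urllib.parse import unquote

# HFS 2.3 macro injection: the search parameter carries a null byte followed
# by an HFS {.exec|...} macro. Matching on the macro itself (after decoding)
# catches the plain and the URL-encoded forms alike.
MACRO_RE = re.compile(r"\{\.\s*exec\s*\|", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')

def decode_request_path(path: str) -> str:
    """Percent-decode until stable so double-encoded payloads are caught too."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path

def is_hfs_macro_injection(log_line: str) -> bool:
    """True if the request path in this log line carries an HFS {.exec|...} macro."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    return MACRO_RE.search(decode_request_path(match.group(1))) is not None

def find_macro_injections(log_text: str) -> list:
    """Return (line number, client IP, decoded path) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if is_hfs_macro_injection(line):
            path = decode_request_path(REQUEST_RE.search(line).group(1))
            hits.append((lineno, line.split()[0], path))
    return hits

# Constructed sample access log (combined log format); not output from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2020:10:00:07 +0000] "GET /?search=%00{.exec|cmd.} HTTP/1.1" 200 0
10.10.14.5 - - [01/Jan/2020:10:00:09 +0000] "GET /?search=%2500%7B.exec%7Ccmd.%7D HTTP/1.1" 200 0
10.10.14.5 - - [01/Jan/2020:10:00:12 +0000] "GET /files/notes.txt HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for lineno, ip, path in find_macro_injections(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {path!r}")
```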
And in our ICMP dump we get:
So we have command execution! Now, let’s copy Invoke-PowerShellTCP.ps1 to our working directory and append the example invocation from the PS1 script to the end of the file:
Serve it up on our box:
Now let’s supply the correct argument in Burp and remember to URL encode it. Don’t forget to set up your listener.
On our listener, we get a user shell:
Looking around, we find some creds that are pretty much useless at this point (but we keep enumerating anyway!):
At this point, I ran sherlock.ps1 to help me out a bit.
Hmm. At first I tried using an off-the-shelf MS16-032.ps1 script, but those don’t work because they spawn a new terminal. We don’t have visual access, so we can’t use it. Ippsec’s video shows us that there’s a copy in Empire that can be used on the CLI.
Testing it out:
So we can use this modified MS16-032 that accepts commands.
To use this, you have to edit the bottom to run the function you want with the specified argument, as the script states:
Create another reverse TCP script with a different port (I called mine rev4445.ps1):
Running it:
And on our other listener, set up on port 4445, we get an NT AUTHORITY\SYSTEM shell:
Definitely learned a new thing or two with this box. Anyway, let’s fire off nmap:
Okay… so let’s go look at port 4386 to see what it is.
HQK Reporting Service? Erm. Ok. Port 445 was open, so let’s run smbclient to list the shares and smbmap to list their contents:
What’s in Welcome Email.txt?
Cool. So we got a password. No… don’t go trying to use it just yet. Continue enumerating.
Looking at NotepadPlusPlus config.xml:
Looking at RU_config.xml:
… and that’s why we continue to enumerate FIRST.
Okay so, trying the creds that we’ve found so far… we figure out a couple of things.
TempUser can get access with welcome2019.
So can L.Frost! But L.Frost can only log in with welcome2019, not list shares, for some reason (access denied).
Same with R.Thompson…
We also have User: C.Smith and Password: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=, and we can list the contents of the Secure$\IT\Carl\ directory with TempUser.
RUScanner had VB files (Module1.vb) with an example of how to decrypt the encrypted password.
Utils.vb had the actual code to decrypt the password.
So I needed a nudge on this because this was all REALLY beyond my brain capacity (but wouldn’t be for long!)… this involved A LOT of trial and error:
Cutting and pasting the code into .NET Fiddle (https://dotnetfiddle.net), removing everything not related to decryption, adding Imports System at the top (to import the necessary classes and modules and get rid of the errors), and adding Console.WriteLine(plainText) before the decrypt function returns gave us this code:
That last portion was used to decrypt the actual string we found earlier. This returned the password:
The password is: xRxRxPANCAK3SxRxRx.
Using this, we can try to access the share with C.Smith’s username:
We can then just download user.txt and read it:
Now onto root. Looking around, we see some interesting files in HQK Reporting:
HQK_Config_Backup.xml contents:
Looking a bit at Debug Mode Password.txt, it looks interesting. After looking for hours, I remembered using alternate data streams to hide things in files.
Interesting… so there’s a stream called Password!
Okay, so we know this is associated with the HQK service on port 4386. Let’s try to telnet with these creds:
Reading the manual for HQK Reporting Service, we can figure out the commands used to enumerate what is on the service.
Doing initial nmap recon, we get some lengthy output:
So it looks like it’s a Windows box with quite a lot of ports open. My eye first caught ports 139/445. So, using enum4linux against Resolute, we get some interesting information. I missed this the first time, but looking back over everything line by line, I was able to find some really juicy info:
Okay so we see Marko Novak’s password is set to Welcome123! Trying this with evil-winrm to log in, we get an authentication failure. However, let’s think this through. This looks like the default password created for new users. Running down the list, we try this with the user melanie:
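The misconfiguration being abused here is a password left in an AD user’s description field. As an added audit check (not part of this write-up), the following parses an enum4linux-style user listing and flags descriptions that appear to embed a credential so they can be cleaned up; the line shape is an assumption and the sample listing is constructed, so it runs offline.

```python
import re

# Assumed shape of an enum4linux-style user listing line (constructed here,
# not the box's real output): "... Account: <sam><tab>Name: <name><tab>Desc: <text>".
USER_RE = re.compile(r"Account:\s*(\S+)\s+Name:\s*(.*?)\s+Desc:\s*(.*)$")
# Words that suggest a description field is carrying a credential.
CRED_WORD_RE = re.compile(r"\b(?:pass(?:word|wd|phrase)?|pwd|credentials?|secret)\b", re.IGNORECASE)
# The value that typically follows, e.g. "Password set to X", "pwd: X", "password is X".
CANDIDATE_RE = re.compile(r"(?:set to|\bis\b|[:=])\s*(\S+)", re.IGNORECASE)

def find_leaked_descriptions(listing: str) -> list:
    """Return (account, description, candidate value) for every description that
    looks like it embeds a password; the candidate is None if no value parses."""
    findings = []
    for line in listing.splitlines():
        match = USER_RE.search(line)
        if not match:
            continue
        account, _name, desc = match.groups()
        if desc.strip() == "(null)" or not CRED_WORD_RE.search(desc):
            continue
        value = CANDIDATE_RE.search(desc)
        findings.append((account, desc, value.group(1) if value else None))
    return findings

# Constructed sample listing; only the marko description mirrors the finding above.
SAMPLE_USERS = """\
index: 0xfb6 RID: 0x457 acb: 0x00000210 Account: marko\tName: Marko Novak\tDesc: Account created. Password set to Welcome123!
index: 0xfb7 RID: 0x458 acb: 0x00000210 Account: melanie\tName: (null)\tDesc: (null)
index: 0x1f4 RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain
index: 0xfd1 RID: 0x470 acb: 0x00000210 Account: ryan\tName: (null)\tDesc: (null)
"""

if __name__ == "__main__":
    for account, desc, value in find_leaked_descriptions(SAMPLE_USERS):
        print(f"{account}: {desc!r} (candidate value: {value})")
```

The same check applies to a Get-ADUser export of the Description attribute; only USER_RE needs to change for that input.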
So from here, I actually used PowerShell and uploaded nc.exe to get a more stable shell. Call me old-fashioned, but I just don’t like the Evil-WinRM shell.
I don’t remember quite why, but I ended up using Evil-WinRM’s shell anyway. It’s good to have a backup.
Looking around, we find an unusual file under C:\ called “PSTranscripts”. We enumerated hidden files with dir -FORCE from the PowerShell prompt to find PSTranscripts:
Did you see it? ryan’s password is in the other transcript file! Password: Serv3r4Admin4cc123!
Let’s try these creds with ryan:
Alright, time to look around. We enumerated, looking at basic stuff like whoami /groups:
After a while, I came up with nothing. I used PowerUp.ps1 to find an interesting potential exploit:
This link actually helped me out a lot in understanding what to do next.
So, I created a malicious DLL:
Then I served it up on SMB:
And I injected the DLL remotely (really cool new trick I didn’t know before):
I then started the DNS process as seen above. With the listener on port 443, I caught an NT AUTHORITY\SYSTEM shell:
So I fired off AutoRecon (written by Tib3rius) and after it was done, this is what nmap found:
Alright, well let’s start with ftp. After getting anonymous access to ftp, I found this:
So that’s a hint that Passwords.txt is a file under Nathan’s username. Using basic knowledge of the Windows file system layout, we can guess where exactly this file is. Something like C:\Users\Nathan\Desktop\Passwords.txt, maybe?
Enumerating further, we find that Port 80 runs something called NVMS. Let’s look on Searchsploit for nvms:
Before we go to trying to exploit this… let’s continue properly enumerating. Port 8443 has something called NSClient++ running on it.
Okay so we have a priv esc possibility in our back pocket.
Firing off Burp, we use the directory traversal to see if anything good comes of that guess at the location of Passwords.txt:
Sweet. Now, doing a bit of research, we can also find the location of the file that contains the password for NSClient++. It’s a file called nsclient.ini. Reading this file, we get another password:
However, it looks like we can only log into this from the “allowed host” of 127.0.0.1.
Trying to use the list of passwords found in Passwords.txt with nadine and SSH, we eventually get in with username: nadine and password: L1k3B1gBut7s@W0rk
Now that we’re in, let’s focus on our initial hunch of using NSClient++ to priv esc. First, we use plink.exe to set up a port forward via SSH:
Now, this took a bit of messing around with, but eventually what I did was upload nc.exe into temp and create a bat file to return a reverse shell.
The WebUI was pretty difficult to work out, so I ended up reading the documentation and using the API to put the script rev.bat onto the box.
To trigger the script, I then booted up the WebUI and ran scripts\ex\rev.bat in the console:
On our listener, we get an NT AUTHORITY\SYSTEM shell.