HTB: Heist

Mike Bond
6 min read · Dec 2, 2019


Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like

· Difficulty: Easy/Medium

· Community Notes: OSCP-like

Tools:

The recommended tools for this machine were:

· Nmap

· Browser

· Python

· cisco_pwdecrypt

· Hashcat

· Crackmapexec

· Smbmap

· lookupsid.py (Impacket)

· evil-winrm

· Procdump

Vulnerabilities:

The following vulnerabilities were found:

· Sensitive Information

· Local Privilege Escalation

Information Gathering:

Using Nmap, I performed a SYN scan on all TCP ports with service version detection and the default (safe) scripts enabled.

Nmap Scan

I followed up the Nmap scan with dirb and Nikto.

Nikto Scan

Web Enumeration:

Reviewing the findings from Nmap and Nikto, I decided to launch a browser to further investigate TCP Port 80.

The first page I found was a login page, where I tried various methods to bypass it.

Login Page

Since my attempts failed and the source code showed nothing useful, I clicked the hyperlink to log in as guest. Once logged in as guest, I was redirected to the issues.php page.

Issues Page

Reviewing the page, I found several interesting items. The first was a router configuration file that Hazard had attached to the conversation. The second was a pair of possible usernames, Hazard and admin, that could be used later.

Router Configuration File

Password Cracking:

Based on my networking background, I recognized that both Type 5 and Type 7 passwords were present. As many times before, I used axceron’s cisco_pwdecrypt Python script to decode the Type 7 passwords (reversible obfuscation rather than a hash) and then Hashcat (on my cracking rig) to crack the Type 5 (MD5) hash.

Cracked: Type 7 Hashes
Cracked: Type 5 Hash
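As an added example (not the author’s script and not cisco_pwdecrypt), the check a defender would run over a config before it is ever attached to a ticket: a small Python audit that finds the credential lines in an IOS config, reverses Type 7 strings with the publicly documented key stream, and rates every other password type. The config lines, the placeholder hashes and the Type 7 values are constructed, not the target’s.

```python
import re

# Cisco Type 7 key stream (publicly documented); Type 7 is reversible obfuscation, not a hash.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# How a defender should rate each IOS password type found in a config file.
TYPE_RISK = {
    "0": "Type 0: plaintext",
    "5": "Type 5: salted MD5-crypt, fast to brute-force offline (Hashcat mode 500)",
    "7": "Type 7: reversible obfuscation, treat as plaintext",
    "8": "Type 8: PBKDF2-SHA256, acceptable",
    "9": "Type 9: scrypt, preferred",
}

# Matches 'enable secret 5 ...', 'username X password 7 ...', 'username X privilege 15 secret 9 ...'.
PASSWORD_LINE = re.compile(
    r"^\s*(?:enable\s+(?:secret|password)|username\s+\S+\s+(?:privilege\s+\d+\s+)?(?:secret|password))"
    r"\s+(?P<type>[0-9])\s+(?P<value>\S+)\s*$", re.MULTILINE)

def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal digits of key offset, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()

def audit_config(config: str) -> list[dict]:
    """Return one finding per credential line: its type, the risk rating, and any Type 7 plaintext."""
    findings = []
    for m in PASSWORD_LINE.finditer(config):
        ptype = m.group("type")
        finding = {"line": m.group(0).strip(), "type": ptype, "risk": TYPE_RISK.get(ptype, "unknown type")}
        if ptype == "7":
            finding["recovered"] = decode_type7(m.group("value"))
        findings.append(finding)
    return findings

# Constructed sample config: hash values are placeholders, the Type 7 strings are textbook test vectors.
SAMPLE_CONFIG = """\
enable secret 5 $1$SALT$placeholder_md5crypt_hash
username rout3r password 7 0822455D0A16
username admin privilege 15 password 7 020700560208
username ops secret 9 $9$placeholder_scrypt_hash
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f["line"], "->", f["risk"], f.get("recovered", ""))
```

The Type 5 line is only flagged, not cracked; that is the offline Hashcat step the write-up describes, and the fix on the device side is to move every account to Type 8 or 9.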

SMB Enumeration:

I returned to Nmap and Enum4Linux to help enumerate usernames and shared directories. However, neither yielded any interesting results.

So, I decided to try the newly obtained passwords, together with the possible usernames identified earlier, with Crackmapexec. I tried various username/password combinations until I found a valid login.

Crackmapexec: Authenticated User

Since Crackmapexec did not show the pwn3d indicator, I knew the user did not have administrative access to the target. So, I used smbmap to identify any shares that the user could access.

smbmap: Authenticated User

Unfortunately, the IPC$ share did not have any interesting data to review.

Normally at this point, I would have launched Metasploit and used PSExec to obtain a shell. However, with the user having read-only access to IPC$, MSF would more than likely fail. I tried other techniques to gain a shell, but all of them failed.

I did find it odd that my go-to Nmap SMB brute-force enumeration also failed.

Failed Nmap Enumeration

So, I decided to do a little research to see what I could use to further enumerate the target. I found that I could use the Impacket script lookupsid.py, with the credentials, to return the available SIDs on the system.

lookupsid.py

Once again, I used Crackmapexec with the newly obtained accounts and the existing passwords to obtain valid credentials.

Crackmapexec: Authenticated User

And again, I used smbmap to view shared folders that the user could access.

smbmap: Authenticated User

Foothold:

Having no luck with SMB, I decided to research TCP port 5985 from the Nmap scan. Based on my findings, I could connect to this port (WinRM) via PowerShell. However, I did not have PowerShell installed on my attacker system, so I found an alternative that runs as a Ruby script on Kali, named evil-winrm.

After downloading evil-winrm, I used it with the previously authenticated credentials and was able to establish a connection to the system.

With the connection established, I started investigating the user’s home directory and found the User Flag.

User Flag

Privilege Escalation:

After obtaining the User Flag, I decided to review the contents of the todo.txt file.

todo.txt

At first, I did not pick up on the subtle hint provided (see below), so I started performing typical Windows enumeration with Sherlock, PowerOPs, Nishang, JAWS, etc. However, I was not having any luck.

I decided to rely on PowerShell commands to view the active processes, and I noticed that the server had Firefox running, which I thought was odd for a server.

Get-Process

Continuing to enumerate, I still was not finding any new information. Then I reviewed todo.txt again: maybe the user Chase had admin access to the Issues site on the web server. So, I searched for how I could dump the contents of the Firefox processes from memory.

Finding Procdump, from Sysinternals, I uploaded it to the Downloads directory in Chase’s home directory.

Procdump: Upload

Reviewing the Procdump documentation, I was able to dump each of the PIDs associated with the running Firefox processes.

Procdump: Firefox

Note: I had to use the -accepteula flag the first time I ran Procdump.

With all of the Firefox processes dumped, I tried to download the files to my local attacker system. However, either there was a bug or I was not entering the command correctly, and I was not able to download them. So, I reviewed PowerShell commands to find one with grep-like functionality and searched the dump files for the keyword admin.

Select-String: Credentials

Next, I used the found credentials and validated that they worked on the web server login page. I then returned to evil-winrm, changed the username to Administrator, and logged into the target with the validated password.

Authenticated Administrator

After the successful login with the Administrator credentials, I found the chase.ps1 file. This file appeared to be a PowerShell script that was part of an automated process required for this challenge.

chase.ps1

Continuing to investigate, I found the Root Flag in the Administrator’s Desktop directory.

Root Flag

References:

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

https://github.com/Hackplayers/evil-winrm

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/select-string?view=powershell-6

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.
