# Vulnerable Software

We want to load the machines with vulnerable software so we have pathways to exploit.

## Download

We are going to download everything into our Kali VM, as that is the only VM that should have Internet access.

### RemoteMouse - WC1

[RemoteMouse 3.008 - Arbitrary Remote Command Execution](https://www.exploit-db.com/exploits/46697)

Filters:

- Has App
- Platform: Windows
- Type: Remote

![image](https://hackmd.io/_uploads/Sk1b9sQb0.png)

Download app:

![image](https://hackmd.io/_uploads/rkNpqsmb0.png)

### WiseCare (Unquoted Service Path Vuln) - WC1

[Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path](https://www.exploit-db.com/exploits/50038)

Filters:

- Has App
- Search: Unquoted Service

![image](https://hackmd.io/_uploads/H1mmjjmbR.png)

Download app:

![image](https://hackmd.io/_uploads/H1JFsoXZ0.png)

### Webserver (XAMPP) - WC1

https://www.apachefriends.org/

![image](https://hackmd.io/_uploads/Sysaoim-R.png)

### Autologon (Sysinternals) - WC1 & WC2

https://learn.microsoft.com/en-us/sysinternals/downloads/autologon

![image](https://hackmd.io/_uploads/S1YBnoXZ0.png)

## Staging

We put all the files into a folder within our Kali VM.

![image](https://hackmd.io/_uploads/Hyt4ajm-A.png)

We can get the files to the vulnerable client any way we want, but I'll be using Impacket's SMB server (`smbserver.py`, packaged as `impacket-smbserver` on Kali) to share that folder. Start it with `-smb2support`, otherwise a current Windows client, which has SMB1 disabled by default, will refuse to connect.
![image](https://hackmd.io/_uploads/S10i6iXZR.png)
![image](https://hackmd.io/_uploads/rkOYghX-R.png)

## Download to WC1

Access the SMB share from the vulnerable client by typing the Kali IP address as a UNC path (`\\<kali-ip>\<share>`) in the File Explorer address bar.

![image](https://hackmd.io/_uploads/HkQhenm-R.png)
![image](https://hackmd.io/_uploads/B1lpg3X-0.png)

Make another folder in `C:\` and paste the contents in there.

![image](https://hackmd.io/_uploads/HJ1rZ2Qb0.png)
![image](https://hackmd.io/_uploads/r11Yb2X-A.png)

## XAMPP

### Installation

![image](https://hackmd.io/_uploads/Sk23DyEW0.png)
![image](https://hackmd.io/_uploads/BkMAPkEb0.png)
![image](https://hackmd.io/_uploads/Hk6CwJ4b0.png)

- *[Always a good idea to bypass or disable UAC, best security practice ever.](https://www.blackhillsinfosec.com/why-you-really-need-to-stop-disabling-uac/)*

![image](https://hackmd.io/_uploads/BJbaiJ4-R.png)

We won't need most of the following:

![image](https://hackmd.io/_uploads/SJMZnyNWC.png)
![image](https://hackmd.io/_uploads/SJIrugE-0.png)
![image](https://hackmd.io/_uploads/S1uL_eEb0.png)
![image](https://hackmd.io/_uploads/rJED_lE-A.png)
![image](https://hackmd.io/_uploads/SkawdgN-0.png)
![image](https://hackmd.io/_uploads/rJCg9xVWR.png)

If we open the control panel after installation, we see that we don't have authorization to change or start anything.

![image](https://hackmd.io/_uploads/SJ5NcgN-C.png)

We need to run it as Administrator for the options to be available to us.

![image](https://hackmd.io/_uploads/S1ss2xVWC.png)

### Setup

Click the red X, then Yes.

![image](https://hackmd.io/_uploads/SycHTlVbC.png)

We will need to allow access through Windows Firewall; otherwise we would have a web server that is only reachable from the local machine.

![image](https://hackmd.io/_uploads/rJ4PpxEZA.png)

When we press Start, we can see that it runs.

![image](https://hackmd.io/_uploads/S1x9J0eN-R.png)

We can also reach the web server in the browser.

![image](https://hackmd.io/_uploads/Hy-MybN-R.png)

### Housekeeping

We can delete the installer file afterwards.

## Autologon

***This will be transferred to WC2 later on.***

### Prep

![image](https://hackmd.io/_uploads/BkUNYgVZC.png)
![image](https://hackmd.io/_uploads/H1HBYlEWR.png)

We can delete the ones we don't need.

![image](https://hackmd.io/_uploads/SyPdFxNWC.png)

### Housekeeping

We can delete most of the files except for `Autologon64.exe`, the 64-bit binary.

## Remote Mouse

### Installation

![image](https://hackmd.io/_uploads/BJitJ-NbR.png)
![image](https://hackmd.io/_uploads/S1-q1ZNbA.png)
![image](https://hackmd.io/_uploads/ByC9kbVZA.png)
![image](https://hackmd.io/_uploads/Hkss1WEW0.png)

### Housekeeping

Rename the installer to something more ambiguous.

![image](https://hackmd.io/_uploads/SJgF2Z4bA.png)

Maybe we can leave just the hash.

![image](https://hackmd.io/_uploads/Hyvi3bVbA.png)

Create a folder in the web server root called `uploads`:

- `C:\xampp\htdocs\uploads`
- "uploads" is a common word found in wordlists when doing directory enumeration, so it is a realistic thing for an attacker to find

![image](https://hackmd.io/_uploads/H1rlpbEbR.png)

And we paste the renamed installer there as part of our discovery path.

![image](https://hackmd.io/_uploads/BJc4Tb4ZA.png)

## Wise Care 365

### Installation

![image](https://hackmd.io/_uploads/Bk2pkbVb0.png)

Choose Custom install.

![image](https://hackmd.io/_uploads/BJR-xbEWR.png)
![image](https://hackmd.io/_uploads/SyqQgbV-A.png)

Change this:

![image](https://hackmd.io/_uploads/HyFoeWVZA.png)

to this:

![image](https://hackmd.io/_uploads/SJR6xZN-R.png)

By putting it in the `apps` folder instead of `C:\Program Files`, it's even easier to take advantage of and exploit, because the folder is more open on permissions: a directory created directly under `C:\` inherits Modify rights for Authenticated Users, so a standard user can write into it, which they cannot do under `C:\Program Files`. Combined with the unquoted service path, that is all a low-privileged user needs: Windows resolves an unquoted path with spaces by trying each prefix first (for example `C:\apps\Wise.exe` if the install directory is `C:\apps\Wise Care 365`), so planting a binary at that name gets it run by the service. This also demonstrates why software should stay in its default install location (`C:\Program Files`) rather than an ad-hoc directory.

![image](https://hackmd.io/_uploads/B1t4bZV-R.png)

After install, we can launch it to check it's there.

![image](https://hackmd.io/_uploads/Syq8--E-A.png)

*WOW! What a secure looking app!*

![image](https://hackmd.io/_uploads/BJJj-b4WR.png)

#### YO, WTF is this?! LOL.

This appeared after I rebooted the computer at some point. Hilarious.

![image](https://hackmd.io/_uploads/ByvZRaSW0.png)

### Housekeeping

We can delete the installer afterwards.

For reliability when interacting with the machine over the VPN, change the following:

![image](https://hackmd.io/_uploads/By08A6NZC.png)
![image](https://hackmd.io/_uploads/B1Q6z1S-C.png)
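To see the permissions point from the Wise Care 365 install concretely, here is an added PowerShell check to run on WC1 as the standard, non-admin user once the install is done. It is example code written for this page, not part of the original write-up and not from the exploit-db entry: it lists every service whose image path is unquoted and contains spaces, works out which file names Windows would try before the real binary, and tests whether the current user can actually write to those locations. Nothing about the Wise Care service or the `C:\apps` directory is hard-coded; the names it prints come from the machine it runs on.

```powershell
# Added example (not from the original write-up): enumerate unquoted service
# paths and test whether the current user could plant a hijack binary.
# Run as the standard user, not from an elevated shell, or every directory
# will look writable.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Test-Writable {
    # Try to create and delete a throwaway file; ACL inspection alone is easy
    # to misread, an actual write is the ground truth.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    # Quoted paths and paths without spaces are not exploitable this way.
    if ($path.StartsWith('"') -or ($path -notmatch ' ')) { return }
    # Drop any trailing arguments (e.g. "svchost.exe -k netsvcs") by keeping
    # everything up to the first ".exe".
    $exe = $path -replace '(?i)(\.exe).*$', '$1'
    if ($exe -notmatch ' ') { return }

    # Windows tries each space-delimited prefix plus ".exe" in turn, e.g.
    #   C:\apps\Wise.exe, C:\apps\Wise Care.exe, ... before the real binary.
    $parts = $exe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    foreach ($c in $candidates) {
        $dir = Split-Path -Parent $c
        if (Test-Writable $dir) {
            [pscustomobject]@{
                Service    = $_.Name
                RunsAs     = $_.StartName
                ImagePath  = $path
                PlantHere  = $c
                WritableBy = $me
            }
        }
    }
}
```

A row with `RunsAs` of `LocalSystem` and a `PlantHere` path the user can write to is the privilege-escalation condition. The same script run against an install under `C:\Program Files` should print nothing for that service, since the only candidate there is `C:\Program.exe` and standard users cannot create files in the root of `C:\`. The fix on a real system is to quote the path (`sc.exe config <service> binPath= "\"C:\full path\service.exe\""`) and to keep software in its default install directory.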
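The Remote Mouse housekeeping steps (rename the installer to its hash, drop it in `C:\xampp\htdocs\uploads`) and the XAMPP firewall prompt can also be done from PowerShell on WC1, which makes the lab rebuildable. The following is an added example, not code from the original write-up or from XAMPP; it assumes XAMPP is installed at `C:\xampp`, that the copied installer lives at `C:\Tools\RemoteMouse.exe` (both paths are assumptions, adjust them), and that Apache has already been started from the control panel. The firewall rule is an alternative to clicking "Allow access" in the prompt shown earlier.

```powershell
# Added example (not from the original write-up). Paths below are assumptions.
$installer = 'C:\Tools\RemoteMouse.exe'
$uploads   = 'C:\xampp\htdocs\uploads'

# 1. Create the "uploads" directory under the web root; the name is chosen
#    because it appears in common directory-enumeration wordlists.
New-Item -ItemType Directory -Path $uploads -Force | Out-Null

# 2. Rename the installer to its SHA-256 hash so the file name reveals
#    nothing about the product, keeping .exe so it still downloads as a binary.
$hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash.ToLower()
$dest = Join-Path $uploads "$hash.exe"
Copy-Item -Path $installer -Destination $dest

# 3. Allow inbound HTTP to Apache through Windows Firewall; without this the
#    site only answers on the machine itself.
if (-not (Get-NetFirewallRule -DisplayName 'XAMPP Apache HTTP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'XAMPP Apache HTTP' -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Allow -Profile Any | Out-Null
}

# 4. Confirm the file is served. This only proves Apache is up; repeat the
#    same request from Kali to prove the firewall rule actually exposes it.
$resp = Invoke-WebRequest -Uri "http://localhost/uploads/$hash.exe" `
    -Method Head -UseBasicParsing
"{0} -> HTTP {1}" -f $dest, $resp.StatusCode
```

Run it from an elevated prompt, since `New-NetFirewallRule` needs administrator rights; the copy and hash steps do not. If the HEAD request fails, start Apache from the XAMPP control panel (run as Administrator, as noted above) and retry.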