Bart
Last updated
Last updated
Difficulty: HARD
Trying to load the page we see that we cannot resolve the address why? because we don't have it in the /etc/hosts file.
So, once we pass the domain and subdomains to the /etc/hosts, let's start enumerating the page.
There is nothing too much interesting but, we have some emails, users and names that can be useful.
I just put it all in a file and continue making recon on the machine.
Using ffuf to brute-force for subdomains we can see that there is a subdomain called monitor.
We see this login page, we can try to validate users that we found in the previous page, before start bruteforcing the login with any other users let's try a little of password guessing.
Using the user harvey, and passing the password potter (his last name) we get access to his account.
Once you get in you can see that there's another subdomain inside of it so, pass it to the /etc/hosts.
In the internal-01 subdomain we can see this login page, you can try to do a SQL Injection but, in the URL, we can see and pretend that we are in front of an open-source project so, you can look up for it on google to see if there is any coincidence.
You can see that there is a project that is similar to our URL path/directories.
Analyzing the code, you can register a user by doing a POST request with the parameters uname and passwd and pointing to the register.php, you can try to register a new user with cURL.
Run the command with cURL and try to get in with the created user.
So, we get in successfuly, now let's continue making recon.
Viewing the source code on the page we see that there is a strange URL path so, let's play with it.
We get a number one, we can pretend that is because the user is valid.
Ok, here we're getting a 0 because the user is not valid on the machine, looking a little the URL we can see the directories that are called log, we can try to see if we can make a log using the name of harvey and try to open it.
Now knowing that using a valid user we can create a log and displayed let's see if we can do it with other file format like php so, we can upload our web shell and the reverse shell to get access.
Perfect, now I will use python3 to create the request and continue to poison the logs using the User-agent.
You can see there that by passing php code on the User-agent parameter and changing the file format that we want in this case php we can upload a web shell.
Now once we can execute commands using our web shell, let's continue to upload and execute our reverse shell using nishang powershell script and listening with a netcat session with rlwrap.
Enumerating our way to get admin privileges, we can see that the SeImpersonatePrivilege is enable in this machine, let's continue to upload the JuicyPotato program to exploit it.
Remember to use the correct CLSID for the machine to exploit this correctly.
Now, why I am uploading a netcat binary to the windows machine? Well, it is to get a shell more easily once we execute the command as administrator.
We Perfectly get in as the administrator user.
You can see the flag on the admin desktop directory.
Now let's say that we as an attacker want to get a persistence on the windows machine, to keep it simple what I'm doing is opening the port 445 to outside and inside but, for what? We will create a user with administrative privileges, and we will be able to get in with that user using psexec.py.
I will use crackmeapexec to dump the SAM to further attacks like pass the hash using xfreerdp, if we was on a active directory enviorment we want to dump the password policy too so let's do it too.
We perfectly get the info we want by using our persistent user.
The other way we can dump the SAM of windows is by using the windows registry, we can see it in the image above.
Now, finally using a samba server we can download it.
