Máquina Conceal Hack the Box
Reconocimiento
realizando un escaneo, este no nos devuelve ningún servicio.
┌─[root@parrot]─[/mnt/angussMoody/Machines/Conceal]
└──╼ #nmap -p- -sS --min-rate 5000 -Pn -n -oG Puertos -oN Puertos 10.129.217.169 -vvv
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-08 19:05 -05
Initiating SYN Stealth Scan at 19:05
Scanning 10.129.217.169 [65535 ports]
SYN Stealth Scan Timing: About 50.00% done; ETC: 19:12 (0:03:30 remaining)
Stats: 0:03:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.00% done; ETC: 19:12 (0:03:30 remaining)
Completed SYN Stealth Scan at 19:11, 380.44s elapsed (65535 total ports)
Nmap scan report for 10.129.217.169
Host is up, received user-set.
All 65535 scanned ports on 10.129.217.169 are filtered because of 65535 no-responses
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 380.64 seconds
Raw packets sent: 131070 (5.767MB) | Rcvd: 3 (252B)
Se Continúa sin resultados
┌─[root@parrot]─[/mnt/angussMoody/Machines/Conceal]
└──╼ #nmap -sC -sV -p65518,65519,65520,65521,65522,65523,65524,65525,65526,65527,65528,65529,65530,65531,65532,65533,65534,65535 -o nmap 10.129.217.169
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-08 19:27 -05
Nmap scan report for 10.129.217.169
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
65518/tcp filtered unknown
65519/tcp filtered unknown
65520/tcp filtered unknown
65521/tcp filtered unknown
65522/tcp filtered unknown
65523/tcp filtered unknown
65524/tcp filtered unknown
65525/tcp filtered unknown
65526/tcp filtered unknown
65527/tcp filtered unknown
65528/tcp filtered unknown
65529/tcp filtered unknown
65530/tcp filtered unknown
65531/tcp filtered unknown
65532/tcp filtered unknown
65533/tcp filtered unknown
65534/tcp filtered unknown
65535/tcp filtered unknown
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.87 seconds
hacemos una enumeración con la Herramienta snmp-chek para ver que encontramos y vemos algo llamado IKE VPN con loIKE VPNIKE VPN que parece ser un hash y vemos unos usuarios
┌─[root@parrot]─[/mnt/angussMoody/Machines/Conceal]
└──╼ #snmp-check 10.129.217.169
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.129.217.169:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.129.217.169
Hostname : Conceal
Description : Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
Contact : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
Location : -
Uptime snmp : 00:28:44.26
Uptime system : 00:28:34.06
System date : 2021-9-9 01:31:38.6
Domain : WORKGROUP
[*] User accounts:
Guest
Destitute
Administrator
DefaultAccount
[*] Network information:
IP forwarding enabled : no
Default TTL : 128
TCP segments received : 261944
TCP segments sent : 8
TCP segments retrans : 4
Input datagrams : 529788
Delivered datagrams : 396315
Output datagrams : 1200
[*] Network interfaces:
Interface : [ up ] Software Loopback Interface 1
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 1073 Mbps
MTU : 1500
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (IKEv2)
Id : 2
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (PPTP)
Id : 3
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft Kernel Debug Network Adapter
Id : 4
Mac Address : :::::
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (L2TP)
Id : 5
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Teredo Tunneling Pseudo-Interface
Id : 6
Mac Address : 00:00:00:00:00:00
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (IP)
Id : 7
Mac Address : :::::
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (SSTP)
Id : 8
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (IPv6)
Id : 9
Mac Address : :::::
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (PPPOE)
Id : 10
Mac Address : :::::
Type : ppp
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] WAN Miniport (Network Monitor)
Id : 11
Mac Address : :::::
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ up ] vmxnet3 Ethernet Adapter
Id : 12
Mac Address : 00:50:56:b9:46:96
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 25627902
Out octets : 109032
Interface : [ up ] vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000
Id : 13
Mac Address : 00:50:56:b9:46:96
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 25627902
Out octets : 109032
Interface : [ up ] vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000
Id : 14
Mac Address : 00:50:56:b9:46:96
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 25627902
Out octets : 109032
Interface : [ up ] vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000
Id : 15
Mac Address : 00:50:56:b9:46:96
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 25627902
Out octets : 109032
[*] Network IP:
Id IP Address Netmask Broadcast
12 10.129.217.169 255.255.0.0 1
1 127.0.0.1 255.0.0.0 1
[*] Routing information:
Destination Next hop Mask Metric
0.0.0.0 10.129.0.1 0.0.0.0 15
10.129.0.0 10.129.217.169 255.255.0.0 271
10.129.217.169 10.129.217.169 255.255.255.255 271
10.129.255.255 10.129.217.169 255.255.255.255 271
127.0.0.0 127.0.0.1 255.0.0.0 331
127.0.0.1 127.0.0.1 255.255.255.255 331
127.255.255.255 127.0.0.1 255.255.255.255 331
224.0.0.0 127.0.0.1 240.0.0.0 331
255.255.255.255 127.0.0.1 255.255.255.255 331
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 21 0.0.0.0 0 listen
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 135 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 49664 0.0.0.0 0 listen
0.0.0.0 49665 0.0.0.0 0 listen
0.0.0.0 49666 0.0.0.0 0 listen
0.0.0.0 49667 0.0.0.0 0 listen
0.0.0.0 49668 0.0.0.0 0 listen
0.0.0.0 49669 0.0.0.0 0 listen
0.0.0.0 49670 0.0.0.0 0 listen
10.129.217.169 139 0.0.0.0 0 listen
[*] Listening UDP ports:
Local address Local port
0.0.0.0 123
0.0.0.0 161
0.0.0.0 500
0.0.0.0 4500
0.0.0.0 5050
0.0.0.0 5353
0.0.0.0 5355
10.129.217.169 137
10.129.217.169 138
10.129.217.169 1900
10.129.217.169 56254
127.0.0.1 1900
127.0.0.1 56255
[*] Network services:
Index Name
0 Power
1 Server
2 Themes
3 IP Helper
4 DNS Client
5 Data Usage
6 Superfetch
7 DHCP Client
8 Time Broker
9 TokenBroker
10 Workstation
11 SNMP Service
12 User Manager
13 VMware Tools
14 Windows Time
15 CoreMessaging
16 Plug and Play
17 Print Spooler
18 Windows Audio
19 SSDP Discovery
20 Task Scheduler
21 Windows Search
22 Security Center
23 Storage Service
24 Windows Firewall
25 CNG Key Isolation
26 COM+ Event System
27 Windows Event Log
28 IPsec Policy Agent
29 Geolocation Service
30 Group Policy Client
31 RPC Endpoint Mapper
32 Data Sharing Service
33 Device Setup Manager
34 Network List Service
35 System Events Broker
36 User Profile Service
37 Base Filtering Engine
38 Local Session Manager
39 Microsoft FTP Service
40 TCP/IP NetBIOS Helper
41 Cryptographic Services
42 Diagnostic System Host
43 Tile Data model server
44 COM+ System Application
45 Diagnostic Service Host
46 Shell Hardware Detection
47 State Repository Service
48 Diagnostic Policy Service
49 Network Connection Broker
50 Security Accounts Manager
51 Network Location Awareness
52 Windows Connection Manager
53 Windows Font Cache Service
54 Remote Procedure Call (RPC)
55 DCOM Server Process Launcher
56 Windows Audio Endpoint Builder
57 Application Host Helper Service
58 Network Store Interface Service
59 Distributed Link Tracking Client
60 System Event Notification Service
61 World Wide Web Publishing Service
62 Connected Devices Platform Service
63 Windows Defender Antivirus Service
64 Windows Management Instrumentation
65 Windows Process Activation Service
66 Distributed Transaction Coordinator
67 IKE and AuthIP IPsec Keying Modules
68 VMware CAF Management Agent Service
69 VMware Physical Disk Helper Service
70 Background Intelligent Transfer Service
71 Background Tasks Infrastructure Service
72 Program Compatibility Assistant Service
73 VMware Alias Manager and Ticket Service
74 Connected User Experiences and Telemetry
75 WinHTTP Web Proxy Auto-Discovery Service
76 Windows Defender Security Centre Service
77 Windows Push Notifications System Service
78 Windows Defender Antivirus Network Inspection Service
79 Windows Driver Foundation - User-mode Driver Framework
[*] Processes:
Id Status Name Path Parameters
1 running System Idle Process
4 running System
288 running smss.exe
324 running svchost.exe C:\Windows\system32\ -k LocalServiceNoNetwork
348 running svchost.exe C:\Windows\system32\ -k LocalService
376 running csrss.exe
456 running wininit.exe
464 running csrss.exe
524 running winlogon.exe
600 running services.exe
608 running lsass.exe C:\Windows\system32\
688 running svchost.exe C:\Windows\system32\ -k DcomLaunch
712 running fontdrvhost.exe
720 running fontdrvhost.exe
812 running svchost.exe C:\Windows\system32\ -k RPCSS
888 running vmacthlp.exe C:\Program Files\VMware\VMware Tools\
908 running dwm.exe
944 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted
960 running svchost.exe C:\Windows\System32\ -k LocalSystemNetworkRestricted
1052 running svchost.exe C:\Windows\System32\ -k NetworkService
1092 running svchost.exe C:\Windows\system32\ -k netsvcs
1196 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted
1272 running svchost.exe C:\Windows\system32\ -k LocalServiceNetworkRestricted
1280 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted
1408 running spoolsv.exe C:\Windows\System32\
1604 running svchost.exe C:\Windows\System32\ -k utcsvc
1616 running svchost.exe C:\Windows\system32\ -k apphost
1640 running svchost.exe C:\Windows\system32\ -k ftpsvc
1708 running SecurityHealthService.exe
1732 running snmp.exe C:\Windows\System32\
1764 running svchost.exe C:\Windows\system32\ -k appmodel
1812 running VGAuthService.exe C:\Program Files\VMware\VMware Tools\VMware VGAuth\
1824 running vmtoolsd.exe C:\Program Files\VMware\VMware Tools\
1840 running ManagementAgentHost.exe C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\
1852 running svchost.exe C:\Windows\system32\ -k iissvcs
1880 running MsMpEng.exe
2024 running Memory Compression
2260 running SearchIndexer.exe C:\Windows\system32\ /Embedding
2560 running LogonUI.exe /flags:0x0 /state0:0xa3a09055 /state1:0x41c64e6d
2632 running svchost.exe C:\Windows\system32\ -k NetworkServiceNetworkRestricted
2768 running WmiPrvSE.exe C:\Windows\system32\wbem\
2932 running dllhost.exe C:\Windows\system32\ /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
3184 running msdtc.exe C:\Windows\System32\
3488 running NisSrv.exe
3728 running svchost.exe C:\Windows\system32\ -k LocalServiceAndNoImpersonation
3884 running SearchProtocolHost.exe C:\Windows\system32\ Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozil
4092 running svchost.exe C:\Windows\system32\ -k LocalSystemNetworkRestricted
4964 running SearchFilterHost.exe C:\Windows\system32\ 0 696 700 708 8192 704
[*] Storage information:
Description : ["C:\\ Label: Serial Number dcaa9f4"]
Device id : [#<SNMP::Integer:0x000055743567ab98 @value=1>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000557435678e88 @value=4096>]
Memory size : 19.51 GB
Memory used : 10.28 GB
Description : ["Virtual Memory"]
Device id : [#<SNMP::Integer:0x0000557435673ac8 @value=2>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000557435671d68 @value=65536>]
Memory size : 3.12 GB
Memory used : 846.44 MB
Description : ["Physical Memory"]
Device id : [#<SNMP::Integer:0x000055743566cae8 @value=3>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x00005574355ded60 @value=65536>]
Memory size : 2.00 GB
Memory used : 782.62 MB
[*] File system information:
Index : 1
Mount point :
Remote mount point : -
Access : 1
Bootable : 0
[*] Device information:
Id Type Status Descr
1 unknown running Microsoft XPS Document Writer v4
2 unknown running Microsoft Print To PDF
3 unknown running Microsoft Shared Fax Driver
4 unknown running Unknown Processor Type
5 unknown running Unknown Processor Type
6 unknown unknown Software Loopback Interface 1
7 unknown unknown WAN Miniport (IKEv2)
8 unknown unknown WAN Miniport (PPTP)
9 unknown unknown Microsoft Kernel Debug Network Adapter
10 unknown unknown WAN Miniport (L2TP)
11 unknown unknown Teredo Tunneling Pseudo-Interface
12 unknown unknown WAN Miniport (IP)
13 unknown unknown WAN Miniport (SSTP)
14 unknown unknown WAN Miniport (IPv6)
15 unknown unknown WAN Miniport (PPPOE)
16 unknown unknown WAN Miniport (Network Monitor)
17 unknown unknown vmxnet3 Ethernet Adapter
18 unknown unknown vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter
19 unknown unknown vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000
20 unknown unknown vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-
21 unknown running Fixed Disk
22 unknown running IBM enhanced (101- or 102-key) keyboard, Subtype=(0)
[*] Software components:
Index Name
1 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
2 VMware Tools
3 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
[*] IIS server information:
TotalBytesSentLowWord : 0
TotalBytesReceivedLowWord : 0
TotalFilesSent : 0
CurrentAnonymousUsers : 0
CurrentNonAnonymousUsers : 0
TotalAnonymousUsers : 0
TotalNonAnonymousUsers : 0
MaxAnonymousUsers : 0
MaxNonAnonymousUsers : 0
CurrentConnections : 0
MaxConnections : 0
ConnectionAttempts : 0
LogonAttempts : 0
Gets : 0
Posts : 0
Heads : 0
Others : 0
CGIRequests : 0
BGIRequests : 0
NotFoundErrors : 0
Vamos a ver si podemos crackear este hash en https://crackstation.net/
Vamos a Investigar un poco sobre IKE VPN https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting que nos dice que podríamos mirar el puerto 500 de UDP que es el puerto por defecto de este servicio
Vemos que este si se encuentra abierto y al parecer con el servicio que nos dice el articulo
┌─[✗]─[root@parrot]─[/mnt/angussMoody/Machines/Conceal]
└──╼ #nmap -sU -sC -sV -p 500 10.129.217.169
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-08 19:48 -05
Nmap scan report for 10.129.217.169
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
500/udp open isakmp?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.89 seconds
