Unattended
https://www.cyberseclabs.co.uk/labs/info/Unattended/
Last updated
https://www.cyberseclabs.co.uk/labs/info/Unattended/
Last updated
I started off with checking SMB for null authentication as I usually do for any quick wins. These however did not return any decent results.
Apart from Port 80 the remaining ports are used for remote management or RDP services so port 80 is likely the next best vector.
The root page of port 80 redirects us to:
Fortunately for myself I have dealt with a machine before using this which is Rejetto HttpFileServer 2.3 as shown in the bottom left. I am aware at this point of metasploit having a module for this so I will be proceeding with metasploit for this machine.
First off fire off metasploit and search for 'Rejetto'.
Select the module and set the appropriate options.
Once the the correct options have been set run the exploit and you should get a shell as the user 'pink'.
The name of the machine is a dead giveaway for privilege escalation. Unattend.xml which is a file used by unattended installs. If not properly sanitized can leave administrative credentials in plain text.
Metasploit has a module for checking against these post/windows/gather/enum_unattend set this module and set the correct session ID.
We now have obtained the following credentials: Administrator:cnt4weRAbtXMTSVV
I will use Impacket's psexec.py to connect as 'NT AUTHORITY\System'.
I was able to also connect with these credentials over RDP and WinRM.
