Unattended
https://www.cyberseclabs.co.uk/labs/info/Unattended/
Scanning and Enumeration
Nmap
Port 445 (SMB)
I started off with checking SMB for null authentication as I usually do for any quick wins. These however did not return any decent results.
Port 80 (HTTP)
Apart from Port 80 the remaining ports are used for remote management or RDP services so port 80 is likely the next best vector.
The root page of port 80 redirects us to:
Exploitation
Low Privilege Shell
Fortunately for myself I have dealt with a machine before using this which is Rejetto HttpFileServer 2.3 as shown in the bottom left. I am aware at this point of metasploit
having a module for this so I will be proceeding with metasploit for this machine.
First off fire off metasploit and search for 'Rejetto'.
Select the module and set the appropriate options.
Once the the correct options have been set run the exploit and you should get a shell as the user 'pink'.
Privilege Escalation
The name of the machine is a dead giveaway for privilege escalation. Unattend.xml which is a file used by unattended installs. If not properly sanitized can leave administrative credentials in plain text.
Metasploit has a module for checking against these post/windows/gather/enum_unattend
set this module and set the correct session ID.
We now have obtained the following credentials: Administrator:cnt4weRAbtXMTSVV
I will use Impacket's psexec.py to connect as 'NT AUTHORITY\System'.
I was able to also connect with these credentials over RDP and WinRM.
Last updated