Dante
Before anything, just wanted to give myself a reminder that after uploading ligolo-ng agent on target, as root run these commands on the target to make sure other users cannot modify / delete the agent but can execute it. I store my agents in /opt after gaining foothold.
chown root:root agent
chmod 755 agent
chattr +i agentThen to set up the TUN interface of ligolo-ng run these commands:
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo upAfter identifying internal host IP on target machine, add it to ip route:
sudo ip route add XXX.XXX.XXX.0/24 dev ligoloIf TUN interface is being used, run these commands and then start ligolo-ng
[Agent : user@machine] » autoroute
[Agent : user@machine] » Use existing interface
[Agent : user@machine] » ligolo
[Agent : user@machine] » startI'm nuts and bolts about you
10.10.110.100 (DANTE-WEB-NIX01)
Entry point is: 10.10.110.0/24
Started with RustScan to find available subnets and open ports
FTP and SSH ports are open in 10.10.110.100, let's get more details with a Service Version scan
Now, we can see there is also an additional HTTP server running at port 65000. The first flag is also visible at /wordpress
1st flag: DANTE{Y0u_Cant_G3t_at_m3_br0!}
It's easier this way
Let's do this one at a time starting with FTP. The FTP port allows anonymous logins.
Disable passive mode and list items
Looking around there is a file names todo.txt. Download it
The file reveals a few stuff that we may be able to use later on
Now, we check out the HTTP port. Apart from the default Apache page, the robot.txt directory reveals the website has a Wordpress CMS hosted
Checking out the website looks fine nothing unusual. Using Wappalyzer, we now knoq the Wordpress version is 5.4.1, we start by looking for some POCs
I tried focusing on the high CVSS but none of them has any exploit to directly gain access. Then I noticed an interesting tool
This is my first time doing Wordpress xD. Now, we use wpscan to enumerate stuff. Looking at the available options. We can use -e u to enumerate for users
We have 2 users that are available. remembering the todo.txt file hinted james maybe has a weak password. We can try to Brute Force passwords with -P to specify wordlist
Unfortunately, after exhausing almost 10 minutes using rockyou.txt wordlist, I looked for an alternative and then I found cewl, which is a tool that generates possible passwords from the given URL.
This command outputs into the txt file specified
Run the wpscan brute force again and we get a hit on james!
james:Toyota
I tried to SSH with the credentials but that didn't work. So I tried logging into Wordpress but we needed to find the login page. So I fuzzed for it using feroxbuster
And there it is, now we login as james
Looking around, we can see the 2 users' email here. Also james has an Administrator role lol.
Because of this, we can mess around with the website. An idea would be to edit the Themes configuration.
As an Administrator, we can customize the themes however we want such as a one-liner rev shell :).
I didn't want to break the website so I chose the least used page which is /404.php in the twenty seventeen page to put our reverse shell.
Got my oneliner over here:
Update the file and start a listener.
Now, navigate to the path of the file. Base on Hacktricks's Wordpress guide, the path will be:
/wordpress/wp-content/themes/twentyseventeen/404.php
And we received a callback as www-data. Since we only have a semi-shell, let's try to upgrade our shell into an interactive one using python3
Going down the home path we can see two users available, james and balthazar
I tried to check some stuff out in james directory but didn't have permission. So I tried logging in with his password from Wordpress and see if it worked and it did
Get the second flag in james' home directory
2nd flag: DANTE{j4m3s_NEEd5_a_p455w0rd_M4n4ger!}
Show me the way
Next, I downloaded linpeas on the target and ran it
Looking at the output, we notice the find binary has the SUID bit set by being highlighted as a PE vector
We can exploit this using this one liner to escalate privileges:
Now that we have root, get the flag in the root directory
3rd flag: DANTE{Too_much_Pr1v!!!!}
An open goal
Looking through the linpeas output, we see some SQL credentials here for balthazar
Because Prolabs has a lot of machines, I deduced there will be a lot of network pivoting and that is why I decided to used ligolo-ng to ease my life
On my machine I started ligolo-ng proxy with a connection to port 8888
And I uploaded the agent binary on the target machine using a Python web server.
Execute the agent with the same port on the proxy
Connection established! Now we enter the session and run ifconfig to check out available networks
We have an internal address. Let's add that to our Ligolo routes in the attacker machine.
Start the tunneling on Ligolo's proxy
In another tab, I scanned the whole subnet and we get a lot of results
Since we now know the host is up, I wanted to check the details of every subnet with an nmap scan
Okay, so now we can perform our attacks on any of these networks without worrying about pivoting again, there are a lot of stuff here but let's do it one by one
172.16.1.1 (DANTE-FW01)
This subnet has PfSense firewall running on it so we can ignore this
172.16.1.5 (DANTE-SQL01) - Part1
This subnet looks like it has Windows Server running on it. It also has the FTP port open with Anonymous login allowed, SMB and MSSQL
Download the flag and we got em
4th flag: DANTE{Ther3s_M0r3_to_pwn_so_k33p_searching!}
Seclusion is an illusion
There is also SMB port available, we enumerate it using smbclient
We are denied access, I continued to check out the MSSQL service and used the SQL credentials to authenticate but that didn't work. I crashed out for a while...
Then, I just decided to check out other subnets instead of staying here
172.16.1.10 (DANTE-NIX02)
Looks like HTTP and SMB port is open. Let's start with SMB enumeration
Looks like we have some interesting stuff here. Enumerate the print$ and SlackMigration shares.
There is a file present. Connect to the share and download it
Check the txt file out
There a few hints here. But what is interesting its mentioning the user margaret . This could be useful later. Let's check out the HTTP port.
When checking out the website. I noticed something familiar with the URL. It has potential to be vulnerable to LFI
/nav.php?page=about.html
So, i tested with a basic /etc/passwd and whaddayaknow.
From the results, we see user frank , nxautomation and margaret present. Let's try to read either the flags in their home directory.
The file doesn't exist in anyone except in margaret's home directory
5th flag: DANTE{LF1_M@K3s_u5_lol}
Snake it 'til you make it
Looking back the admintasks.txt . We know the website deployed Wordpress and the removal is still pending. This is proven by using Wappalyzer to look at available CMS but Wordpress is not there. We can try to attempt to grab the database password.
Now we just need the path to the file. Based on this post on reddit:
The path seems to be /var/www/html/wordpress/wp-config.php
So from here, to inspect the php file we use a PHP Base64 wrapper to encode the path
Decode it
Nice, now we can try to SSH into user margaret
Success! but it looks like we are in a restricted shell with only a few allowed commands
Vim is favourable in this situation. We can use it to escape the restricted shell
Enter and boom we have an interactive shell
Like usual, for privesc upload linpeas and let's see what we can find
There are no other interesting stuff in margaret's but there some worth checking out in frank's. Looks like it has something to do with Slack.
Even though we could not traverse the directories, we could download the zipped file of the export onto our machine and change directories directly.
Looking at around, there is a leaked conversation between frank and margaret in:
/secure/2020-05-18.json
We can see the password of frank being leaked here. Let's try switching to frank.
It didn't work and I was frustrated. I kept looking for a way and then I found this article
Since, we dont' have access on frank, we can access it on margaret's home directory.
I looked through everything and found nothing and decided to look at the /exported_data folder and hoped to find something different and well...
I don't know why this happened honestly, was it intentional? maybe...but it is very annoying :)
frank:TractorHeadtorchDeskmat
We see a python file in frank's system. The script looks like its checking to see if the local Apache web server returns a status 200 by sending a request to the localhost. Simply put, its a script to make sure the Apache web server is always running. The thing is it doesn't have a while loop to repeat the process. From this, we can deduce that a cronjob was configured to make sure it runs at regular intervals.
Of course, I already checked the output of linpeas, but did not notice anything peculiar. This is when to utilise the tool pspy.
With this we can check the running cronjobs with more detail than linpeas. Upload the binary file on to the target and run it
Now, we wait for a while to monitor any process that uses the apache script.
And there it is. We can see it is using the urllib.py library to load modules. Maybe we could use this to escalate to root.
I googled a bit and saw this:
So the exploit we have to be doing is Library Hijacking. Yay! (This is my first time). Dive deeper to find a suitable exploit/method.
So from what I have read so far, if we create a file that has the name of the library, supposedly Python will load that library first from the directory that has the script of the cronjob.
What we can do from here is put a reverse shell inside the fake library script so that everytime the cronjob excutes, our reverse shell will be loaded
This will be my reverse shell script:
Name it urllib.py because that is the library I am targeting. Start a listener and wait until the cronjob executes.
And voila! we have root after so long...Get the flag
6th flag: DANTE{L0v3_m3_S0m3_H1J4CK1NG_XD}
Again and again
172.16.1.12 (DANTE-NIX04)
We can see here that FTP is open but does not allow Anonymous logins. HTTP and HTTPS of XAMPP service is running on PHP 7.4.7 and port 3306 is MySQL but is appearing as tcpwrapped. It could be because of firewall and its being filtered.
I tried to look for known exploits of PHP 7.4.7 but known were available. So, i fuzzed the web service
Two notable directories were /blog and /blog/database. Lets check them out
We are met with a responsive blog template according to the title here
I was looking around and found this
Notice the URL:
I thought this was an easy IDOR but I was wrong xD. Also tested it multiple times but nothing came out. Also, Wappalyzer does not show this is built on a CMS. Let's continue to check the subdirectory
Okay, standard XAMPP database directory. Now, let's try to look for some exploits. I found one that proved useful from Exploitdb
So basically the vulnerable file is /category.php which has the vulnerable code:
The id parameter is inserted directly into the SQL query without any sanitization causing an SQLi vulnerability. We can test this by entering a single quote in the parameter:
And there it is, returning an SQL error. From here, we can use sqlmap to enumerate available databases
Alright, that worked. We have a database named flag. Check the tables
Dump the flag tables
7th flag: DANTE{wHy_y0U_n0_s3cURe?!?!}
Five doctors
Looking again, there was a blog_admin_db database. After enumerating tables and dumping it, we will get some interesting information
Enumerating the tables will show us a few tables. But the want we are interested in is membership_users .
Now dump it
Okay we see 2 users here with their MD5 hashed password. We can crack this using Crackstation. Crack both of their passwords and try to SSH
ben:Welcometomyblog
egre55:egre55
Above is the password of Ben. Eventually we will find out that only Ben has SSH onto the machine
Get the flag
8th flag: DANTE{Pretty_Horrific_PH4IL!}
Minus + minus = plus?
Upload linpeas onto the target and run it. Analyzing the output we see a PE vector here when running:
Googling a bit will lead to the exploit
Exploit:
Get the flag
9th flag: DANTE{sudo_M4k3_me_@_Sandwich}
After that, we check /etc/shadow. We can see user julian has a hint on his shadow file
Attempt to crack it using unshadow
julian:manchesterunited
Add it to our credentials wordlist
Let's take this discussion elsewhere
172.16.1.13 (WS01)
Like the previous subnet, this one has a XAMPP service running on port 80 and 443. But this time its a Windows machine. It also has SMB port up. Let's enumerate
Denied listing as Anonymous. Let's continue to fuzz the XAMPP service website
We see a directory /discuss with multiple interesting sub directories. Let's check them out
We are met with a forum webpage. I tried looking around and navigating to the directories. /admin doesn't exist.
/DB gave us an sql file
I downloaded it and opened it up to see the contents
Now, we found a user named John. From here, I tried SQLi into admin and john but nothing came out but here's the thing. In the picture there, there a directory was mentioned, /ups.This is important for the next step.
I created a random account and there was a file upload feature. Perfect for uplaoding PHP reverse shells. So I tried one right off the bat.
And it worked, we were registered and the file was uploaded
then I utilised the /ups directory to navigate my uploads
I started a listener and executed it
But....it didn't work. I didn't get a shell and I did not know why. I was tired man. Then, I gave another shot by uploading a webshell
It worked bruh finally. Now let's run some basic commands
Since we are on a Windows machine, the flag would usually be located in the users Desktop
10th flag: DANTE{l355_t4lk_m04r_l15tening}
Compare my numbers
Now, we need to get onto the Windows machine itself. We need to setup a reverse shell connection. For this we can utilise nc.exe . A netcat, but for Windows. Start a python server and download it using Powershell
Verify it has been downloaded
Start a listener on our machine
Execute nc64.exe
Callback received!!
Now, we check available privileges
Looks like there's nothing we could use. After that, I uploaded Winpeas on the target machine
Looking throught the output, this caught my eye
I didn't know what it was, so I googled a bit
I also tried to look for some available exploits
Here's a brief understanding what the underlying vulnerability is
We can verify the exposed port from the winpeas output
Rapid7 has an exploit built in Metasploit's module. This was supposed to be an easy win by generating the reverse shell payload using Msfvenom and starting a listener to get the Meterpreter shell and then using that session to launch the inSync exploit. There were 3 problems. The main problem was this:
I couldn't execute the the generated payload and get the shell because of Defender. So I started looking for alternatives and found a Python POC
The 2nd problem was there was no Python on the system. I tried to transfer manually from my machine to the target but it also didn't work. Until, I saw this:
And guess what's inside?
A python executable and the exploit itself. I don't know why it was there but boy was I glad. I spent so long troubleshooting time-wasting problems.
Now, for the 3rd problem.
Although the command was correct, attempting to read the flag directly or outputting the flag to a file didn't work for some reason, it could be because of UAC idk.
So, I decided to just opt for a reverse shell using the earlier nc.exe we uploaded. Start a listener first on a different port
From the Python27 folder run the command:
And boom, we have a SYSTEM session on the target. Now, we can read the flag from Administrator's Desktop
11th flag: DANTE{Bad_pr4ct1ces_Thru_strncmp}
Feeling fintastic
172.16.1.17 (DANTE-NIX03)
We can see a few unusual ports besides HTTP and SMB, also there is a Webmin service. Webmin is a web-based server management control panel for Unix-like systems. Like usual, let us start by enumerating the SMB port
We got something here, a share named forensics. Enumerate more
There is a file inside. Download it onto our machine
Analyze the file type
Its a PCAP file. We can do further analysis using Wireshark
Right off the bat, a HTTP packet jumped right out from the webmin port which is 10000 with the admin credentials.
admin:password6543
Okay, lets head to the webmin page
We are prompted with a login page. Enter the credentials earlier, but we will get an error
So i decided to look again at the PCAP file. Instead of looking at the packets at surface area. I followed the HTTP stream of the packets
This is the packet we inspected earlier let's scroll down.
No wonder an error occured...it was literally the wrong password. Continue to check other packets in the stream
In the 5th packet of the stream, its the same credentials but with a capital P in Password6543, checking the following packets show that the dashboard loaded and returned a success message
admin:Password6543
Okay, let's try it out now.
Cool we got in. Now if we look at the lower part of the dashboard, we can see what version the webmin service is using. We are on Webmin 1.900. It also hints that it was exploitable.
This Github Advisory Database provides several links for the resources and articles. Rapid7's website provides the module in Metasploit to ease our exploitation
It provides the guide on which module to use. We also need to check for the options
It requires some essential parameters to be filled like the username, password, target host and target URL where webmin is hosted. After all required parameters are filled, start the exploit
Unfortunately, this exploit didnt work even though I have disabled SSL option.
I'm beginning to hate Metasploit...anyways I looked for alternative webmin exploit modules on Metasploit.
This one looked promising, the parameters were the same as the first module
Nice, so we have a root session. I went back to the webmin site to look at the available users
We have user lou . Tried to read the flag from her home directory but the flag wasn't there. Then, i just read the root flag.
12th flag: DANTE{SH4RKS_4R3_3V3RYWHERE}
That just blew my mind
172.16.1.19 (DANTE-NIX07)
We can see 2 HTTP ports are opened here. Port 80 is just the server (basically nothing). Port 8080 has a Jetty service which is a Java web server. It clearly states its using the version 9.4.27. It also has a /robots.txt directory but that doesn't show anything useful
Looking at the webpage, reveals a login page
Let's try to look for some exploits
Looking at the Advisory Database here, none of the articles showed a vulnerability that discloses a direct way to access the site through a login page. Therefore, the credentials must be stored somewhere in the different subnets. Let's leave this one on hold
Very well, sir
Continuation of the progress was over here in later sections
Admin_129834765:SamsungOctober102030
17th flag: DANTE{to_g0_4ward_y0u_mus7_g0_back}
We're going round in circles
I did a bit of googling on how to get inside the jenkins server after getting admin, but there were no clear answers. So ChatGPT helped me,
There is indeed a script console present. Let's make a reverse shell script using the Groovy language
Start a listener and run it
Nice, we get a connection but it seems its a semi shell. Try to upgrade it with a generic Python pty module
Looks like we are the jenkins admin user but we don't have any home directory or flag lol
We have user ian and lou
Looking around, in /var/lib/jenkins. There is a secret.key and master.key in /secrets. This unfortunately was a rabbit hole
Then I uploaded linpeas to try and look for some misconfigs. Then I saw this PE vector
I tried to replicate the Polkit vulnerability POC here but it just wont work...
Then I tried uploading pspy and see anything useful
And we catch root logging into ian 's MYSQL account with his password being visible. Let us now log into his ian .
ian:VPN123ZXC
Now, I tried running linpeas again but this time as ian. I found this lmaoo.
I found this blog on the disk group privilege escalation on how to replicate it
First, we need to identify what the partition is the root paritition mounted on
Okay, so its /dev/sda5. To examine and modify the partition the debugfs utility can be used . This utility can also be used to create a directory or read the contents of a directory.
After creating a test directory using debugfs utility, it shows that the filesystem has read/only permissions. By right, we should also have permission to read the directly read the root flag
18th flag: DANTE{g0tta_<3_ins3cur3_GROupz!}
172.16.1.20 (DANTE-DC01)
Cool, we are now dealing with an AD machine. Standard, we can see some HTTP and SMB. Also notable, Kerberos and LDAP is present. Let's hope to find some interesting attack vectors
Notice the OS:
Its vulnerable to the EternalBlue exploit
There are exploits built in Metasploit. Let's look at some
I used this one initially
After entering the required parameters, it failed
So, I used another exploit, specifically the psexec variant
And, we get a SYSTEM session. Noice, lets look at some of these users
We have users katwamba
Get the flag in his Desktop
13th flag: DANTE{Feel1ng_Blu3_or_Zer0_f33lings?}
mrb3n leaves his mark
Digging through the other stuff we can also notice katwamba's SSH keys in his home directory. I downladed it just for fun
Also an Excel sheet was in his Desktop
Do some more digging we will find these and downloaded them as well:
I used an online xlsx viewer to see the file
We have a list of users and their credentials. Trying to SSH one by one would be pointless as I was denied entry
I uploaded Winpeas to enumerate some more information. I uploaded it using certutil because Powershell was not working well. But first, drop into a shell
Execute Winpeas
From here, see the flag when enumerating mrb3n's info
mrb3n:S3kur1ty2020!
14th flag: DANTE{1_jusT_c@nt_st0p_d0ing_th1s}
It's getting hot in here
172.16.2.5 (DANTE-DC02)
This might be useful. I'm just storing everything I see hahah
Weirdly enough mrb3n also couldn't login as SSH and had the same error lmao
Check for internal hosts using netstat:
We can see here there is an internal host with the 172.16.2.5 IP ,which means we have to scan the whole subnet. Yay, more subnets (im dying).
Because we are on a Domain Controller. I uploaded a ligolo-ng Windows agent to pivot to the internal host
Execute the agent
And we should receive a callback on the listener
Add a new TUN interface on our machine
Add the internal host to our route
Autoroute and use the interface we set up and start the tunnel
Verify the tunnel worked by pinging the host
Cool, now that it worked. Let's scan the whole subnet of the new host
Unfortunaely, this did not work because somehow...the server blocks ICMP requests, even Rustscan didn't work... so I resolved to a Connect scan with the -Pn and with a faster rate of -T4
Looks like we only have one subnet up. To inspect the services a little bit deeper, I ran a normal Service scan on the 172.16.2.5 subnet
Okay finally, This took freaking 2 hours for me to get it right, I wanna punch a wall. Anyways, We can see here there is no HTTP for the first time only SMB, LDAP and Kerberos. This might be an Active Directory machine. Let's goooo.
Firstly enumerate SMB shares.
After that, I tried bruteforcing the users RID, but still have nothing
Now, let's try to enumerate users using kerbrute
This however didn't work, so I tried adjusting the domain string to DANTE
And we have a hit on jbercov@DANTE
Now, we can test for common vulnerabilities like ASREProasting using Impacket's Get-NPUsers script
Nice! jbercov has pre-auth disabled which means we now have his Kerberos 5 AS-REP hash, we can save it in a file and attempt to crack it using hashcat
Noice, now we have his password
jbercov:myspace7
We can log in to his account using evil-winrm
Now, we can get the flag in his Desktop folder
15th flag: DANTE{Im_too_hot_Im_K3rb3r045TinG!}
One misconfig to rule them all...
Now, like ususal let's upload winpeas on the target
Unfortunately Winpeas will not show anything useful for AD that we can use for lateral movement and privilege escalation. What we can do now is upload Sharphound, which is a tool that collects info on the objects and relationships within the AD domain
Execute Sharphound with the following parameters
It will output a zip file containing multiple JSON files of the domain like GPOs, Users, Computers and OUs
What we can do with this zip file is ingest it in Bloodhound so we get a graph to map where we want to go and what we rights we have.
The Sharphound data must be used with the modern version of Bloodhound CE, or otherwise it will not work
Now, let's spin up Bloodhound and upload the zip file
Over here, we can see our compromised user, jbercov. Using Bloodhound, we can also see what group is he part of as we could inspect permissions. This is a lateral movement technique called Permission Delegation.
So our goal here is to get Administrator. Let's look at the Pathfinding menu. Set the starting node as jbercov and the end node as Administrator.
So over here, we can notice that jbercov has DCsync and WriteGPLink rights to the domain. DCsync is a method of replicating the domain by simulating the DC to retrieve the password hashes. WriteGPLink is a bit complicated way to modify GPOs for privilege escalation.
The easiest method to exploit this would be using impacket's secretsdump to perform a DCsync attack
Nice, we basically have full domain compromise with the dumped hashes. We can even forge Golden Tickets.
Now, log into Administrator using evil-winrm by passing the hash
Get the flag in Desktop folder
16th flag: DANTE{DC_or_Marvel?}
My cup runneth over
176.16.2.101 (DANTE-ADMIN-NIX05)
There's a note in the same directory
Huh... well guess I missed that one.
There was also a Jenkins.bat file in the Documents folder
Then I remembered the Jetty login page where we were stuck before. Let's download the .bat file and head back to the website
After that was done, I did a check for additional host IP's and found nothing, which was weird because there were supposed to be more machines
But I found an alternative which was to use this one liner ping sweep:
But the problem was, this can only be used in a CMD console and we have an evil-winrm session which was basically Powershell. So, I opted for using impacket's psexec which we would allow us to gain remote access on a CMD
This utility can also be used to pass hashes for authentications
Great, now we can use that one liner ping sweep
As we can see there is an internal subnet replying. This is good but we have another problem, because the internal subnet can only be accessed through the DC01 machine, we need to pivot again and add a new route. So this is basically triple pivoting
But, for the route adding, we just need to add the specific IP and not the whole subnet because that is currently being used by another interface
Upload the agent on the DC02 machine and execute it like usual
Check sessions on our proxy and start the route on the new interface
Ping to verify it worked
Nice, that worked. Now we can scan the host for open ports
We see port 22 is open with SSH. It is kinda a bit sus to only have SSH open. We can attempt to brute-force this using Hydra using the credentials that we collected along the way
And let's go we have a hit on julian:manchesterunited
Let's login to his user credentials
Cool, we got in. Now let's run linpeas first and look for some stuff
Going through the results, we see an unknown SGID binary that we can execute
I attempted to read the root flag directly but that didn't work, also tried normal files like /etc/passwd and doesn't work
I downloaded the binary from the target to my machine for further analysis. We might have to do some reversing or some sort
Check the file type.
Its a 64-bit file dynamically linked and not stripped. Great, the binary is not packed. We can perform full analysis
Now check for protections
Some protections are disabled particularly NX, we may be able to exploit this. Let's further our analysis by using Ghidra
I already renamed some variables for better visibility. Essentially, what this code does is execute the the code as root (setresuid(0, 0, 0,)) and copying argument supplied to the buffer using strcpy
strcpy is a well-known vulnerable function to be used in this case because it does not check the size before being copied to the buffer. With NX disabled, we can place shellcode inside the stack pointer and get a shell as root!
First we need to check if ASLR is enabled on the target machine as this could hinder our exploitation.
Nice, 0 means ASLR is completely disabled. By already having access to the system, we can attempt to exploit this locally, without the need to leak an address (which we have no way lol). This also renders PIE useless
Now we need to find the offset for the return address, I will be using my trusty pwndbg
The stack pointer is filled, find the return address using:
Cool, the offset is 88. To explain my full attempts would make this already long writeup even more long, but the way we can do this without an address leak is exporting the shellcode as a variable into the env section.
I referred to these blogs, it was very helpful
I tried testing this on my machine but it was useless, so I ended up doing it on the target machine itself lmao
Firstly, we export the shellcode variable using python2
Then we use this script from the blog to get the address of the SHELLCODE variable from env
Compile it and execute it with the following arguments
Now that we have our address, attempt to execute the file using the original path with our env address as an argument in little-endian
And boom we have a root shell! Let's upgrade our shell using python3 and get the flag
flag: DANTE{0verfl0wing_l1k3_craz33!}
It doesn't get any easier than this
172.16.2.6 (DANTE-ADMIN-NIX06)
Next, we need to look for more hosts inside. using linpeas output and netstat isn't going to be useful here. We will utilize this one liner here:
We can see a new host which is 172.16.2.6. It is clear that we cnanot ping this from the attacking machine. This means one thing. We need to pivot AGAIN. Holy shi* bro
Autoroute in ligolo-proxy and start it. Let's scan the new host and find some open ports
We can see again SSH is the only one available, maybe we can bruteforce this again. Let's try it
This took a while as we are quadriple pivot bruteforcing but we have a hit on plongbottom:PowerfixSaturdayClub777
I wanted to run linpeas but for some reason I couldn't ping my attacking machine from the target so I had to manually search for stuff
I ran sudo -l to check for privileges
Easy root, plongbottom can instantly become root with sudo su
Get the flag
flag:DANTE{Alw4ys_check_th053_group5}
What do we have here?
When I was looking around I noticed julian also had a home directory on the internal host
I wanted to wait for the bruteforce to finish but it was so long, I tried to login to julian using the same credentials
julian:manchesterunited
And we got in, there is also a flag in there lmao
flag: DANTE{H1ding_1n_th3_c0rner}
Fail 2: The Sequel
Inside the Desktop folder, there is a txt file named SQL
Nice, we have a new credential Sophie:TerrorInflictPurpleDirt996655, let's add her to our growing wordlist. Now, if we remember in the initial progress there is a MSSQL service running on 172.16.1.5 that we left to move on. Let's head back there.
172.16.1.5 (DANTE-SQL01) - Part2
We can authenticate using nxc
Let's try to list available databases
Looks, like a few standard database nothing out of the ordinary. Using nxc we can also execute some Windows commands using the xp_cmdshell option
Nice, that worked. Let's try to list the available users in C:\Users
Cool, we have the flag. Attempt to read it
flag: DANTE{Mult1ple_w4Ys_in!}
I prefer mine with skins on
Nice, after that I tried upload nc.exe on to it but it didnt work so I to dump the SQL hash using the master DB
I tried cracking it using Hashcat and John but it was useless, so I used impacket's mssqlclient module to login to the SQL shell
Now, we check our privileges
The query returns 1 meaning we have full control. We can enable xp_cmdshell to execute system commands
Now test for command execution
Niceee, from here I tried uploading nc.exe but it also doesnt work because of permission issues...im tired man. So, I used this one liner to get a reverse shell
Boom, callback baby. I got in. But, there was a problem. I tried listing directories for sophie but it seems we were not seeing any folders or files. It must be because we are in a Service Account. Let's check for privileges
We can see SeImpersonatePrivilege is here again lol. We can abuse this using PrintSpoofer.exe and escalate to SYSTEM but wait...this is an exception.
We are an SA (Service Account) not a User Account. we can't just use PrintSpoofer because it won't work but we can use another tool which is JuicyPotatoNG.exe
Using this, we can perform command executions from the SA. Upload this tool on the target and run this
Basically, we are running the command whoami and directing the output to a file because it won't appear just like that.
Verify that the command worked
Nice, it worked. Now we can directly read the flag from Administrator's Desktop folder
flag: DANTE{Ju1cy_pot4t03s_in_th3_wild}
Update the policy!
172.16.1.101 (DANTE-WS02)
We see here FTP on port 21 has a Filezilla Server version 0.9.60. SMB on ports 139 and 445. Also an unidentified service on port 2020
Let's start by checking the FTP to see if there any exploits for the Filezilla Server
No directs access exploits. Let's try brue-forcing with the list of credentials we received earlier
Separate them into a wordlist users in users.txt and passwords in passwords2.txt. We can bruteforce using hydra
I tried using hydra and also medusa to bruteforce but it didn't work, I thought I was blocked for too many attempts...
So, I ended up using Metasploit's built in FTP bruteforce
Cool we have a hit ondharding:WestminsterOrange5
Looking inside there is a file Remote login.txt . Download it on our machine
James is talking abaout a changed password, maybe this is a hint for the SMB logins?.
Let's move on to the SMB ports
Based on the previous txt file, we can conclude that the user is possibly the same but the password, WestminsterOrange5 was changed to a different character/number. Let's modify the password and make a list of different characters.
Let's use these first and try to bruteforce using nxc
Nice!! we have a hit on dharding:WestminsterOrange17. Let us now enumerate the SMB shares
Okay so, we enumerated the available shares but it seems dharding doesn't have any permissions over the ADMIN$ and C$ shares. Let's try to log in directly into dharding's account using evil-winrm
Nice, that worked. Let's get the flag in Desktop
24th flag: DANTE{superB4d_p4ssw0rd_FTW}
Single or double quotes
Upload Winpeas and execute it and tried look for some juicy stuff
I found this foreign program which looks kinda out of place, so i had to Google a bit
Results show IObit is a free software that scans, manages and deletes software. Interestingg, this could be a hint. Let's look at some available exploits to escalate our privileges
Found this exploitDB page that mentions the IObit Uninstaller Service has a PE vector in the version 9.5.0.15. Let's check the version on the target machine
Noice, we have the same version, which means we can replicate the exploit. Now scrolling down the exploitDB page reveals the step to replicate it.
This confirms that SYSTEM is running the service. Now we generate the reverse shell payload using msfvenom
Things were going well until Step 7. We have no write access to the directory of "C:\Program Files (x86)\IObit" when wanting to transfer our reverse shell payload
We can check the permissions of our ACL using the Get-ServiceAcl.ps1 cmdlet Powershell module which lets us see the permissions of users over the provided service
Import the module and filter by the service
Now, that we can see the ACLs, we see dharding has the permission to change the service configuration. We can exploit this by replacing the current service binary path with the reverse shell payload.
First, we transfer the payload to dharding's home directory like his Desktop folder. Then we change the configuration of the binary path of the IObit service using this:
Verify that it worked
Nice we changed the binary path of the file. Let's head back to our machine and start a listener in Metasploit to catch the shell and start a Meterpreter
Now, in our dharding session, we also have the rights to stop and start the service. Let's do that to reload the service.
Boom, we get SYSTEM session on the meterpreter, though it only lasts for a few seconds before we lose it for some reason, get the flag quickly
25th flag: DANTE{Qu0t3_I_4M_secure!_unQu0t3}
Congratulations to a perfect pear
176.16.1.102 (DANTE-WS03)
We can see here were are dealing with a Windows machine with ports HTTP, SMB MYSQL and RDP...this could be a clue on how we could get in and gain access. Let's check the HTTP web server
A marriage registration system huh...Like previous methods, try to look for some available exploits. I found this one in exploitDB
The script registers a different phone.no everytime while having the -c flag to execute remote commands. Let's try it!
Nice, from here we can straight up ge the flag
26th flag: DANTE{U_M4y_Kiss_Th3_Br1d3}
MinatoTW strikes again
Now, to get in, we can upload nc64.exe and make a reverse connection back to our machine
Verify it worked by listing directories
Open a listener and execute the executable to make a callback
Callback received. Now check for privileges
We can see here an easy win because SeImpersonatePrivilege is enabled. The SeImpersonatePrivilege is a Windows privilege that grants a user or process the ability to impersonate the security context of another user or account. This privilege allows a process to assume the identity of a different user, enabling it to perform actions or access resources as if it were that user.
However, if not properly managed or granted to unauthorized users or processes, the SeImpersonatePrivilege can pose a significant security risk. Like here, we can exploit this privilege using PrinSpoofer64.exe
Enter a powershell session, Upload it on the target
Execute it and spawn a Powershell
Boom, another SYSTEM session. Get the flag in Administrator's Desktop folder
27th flag: DANTE{D0nt_M3ss_With_MinatoTW}
Credential Gathering/Harvesting
As of now, I have gathered these credentials of usernames and passwords.
asmith
smoggat
tmodle
ccraven
kploty
jbercov
whaguey
dcamtan
tspadly
ematlis
fglacdon
tmentrso
dharding
smillar
bjohnston
iahmed
plongbottom
jcarrot
lgesley
james
balthazar
margaret
frank
ben
egre55
ian
mrb3n
julian
admin
Admin_129834765
Princess1
Summer2019
P45678!
Password1
Teacher65
4567Holiday1
acb123
WorldOfWarcraft67
RopeBlackfieldForwardslash
JuneJuly1TY
FinalFantasy7
65RedBalloons
WestminsterOrange17
MarksAndSparks91
Bullingdon1
Sheffield23
PowerfixSaturdayClub777
Tanenbaum0001
SuperStrongCantForget123456789
Toyota
TheJoker12345!
Welcome1!2@3#
TractorHeadtorchDeskmat
Welcometomyblog
egre55
VPN123ZXC
S3kur1ty2020!
manchesterunited
password6543
SamsungOctober102030
Last updated