Enumeration

The initial nmap scan revealed that the SSH, HTTP and RDP ports were open.

00 - nmap

Exploitation

At first I found three names on the website, so I created a user list with username-anarchy and tried some basic brute forcing, but none of them worked.

02 - UserList

There was also an upload function on the website, which asks for files that are compatible with Windows Media Player. At first I uploaded random files and ran a directory brute force to find where the uploads were stored, but could not find anything useful.

Then I searched for "windows media player pentesting" and found this post. We can apply an NTLM authentication attack with Windows Media Player. This post is also great and explains NTLM authentication attacks against Microsoft-related tools.

So at first, I created a .wmx file. It can also be created using the ntlm_theft repo (as an .asx file).

04 - wmx file

Then I waited while Responder was running and got the NTLM hash.

05 - hash

I cracked the hash using hashcat.

06 - cracked

With the cracked credentials I got the user flag.

07 - user flag

Privilege Escalation

I ran PrivescCheck.ps1 and WinPEAS, which did not reveal anything useful. Then I checked index.php under C:\xampp\htdocs.

The file contained the upload functionality. It creates an md5 hash from the first name, last name and email, then checks C:\Windows\Tasks\Uploads\<md5>: if the folder exists it puts the file in it; if not, it creates the folder and then puts the file in it.

08 - index php

09 - file uploaded

So I thought: what if I create a symbolic link to C:\xampp\htdocs with the name of the md5 folder? When the script checks, it will find the "folder" and put the file inside it, i.e. into the web root.

This post explains symbolic links in detail.
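To make the bug concrete, here is an added example (not the machine's real index.php) that reconstructs the upload logic described above in PHP and puts a hardened variant beside it; the constant, function names and the assumption that realpath() follows reparse points on Windows are mine.

```php
<?php
// Added example: reconstruction of the described upload logic, not the box's code.
const UPLOAD_BASE = 'C:\\Windows\\Tasks\\Uploads';

// Vulnerable pattern: trusts any pre-existing folder. Because C:\Windows\Tasks is
// writable by low-privileged users, a planted symlink/junction with the expected
// md5 name redirects the write to the link target (here the web root).
function storeUploadVulnerable(string $first, string $last, string $email,
                               string $tmpFile, string $name): string
{
    $dir = UPLOAD_BASE . '\\' . md5($first . $last . $email);
    if (!is_dir($dir)) {
        mkdir($dir, 0777, true);
    }
    $dest = $dir . '\\' . $name;
    move_uploaded_file($tmpFile, $dest);
    return $dest;
}

// Hardened pattern: refuse a pre-existing entry that is a link or that resolves
// somewhere other than the expected path, strip path separators from the client
// file name, and confirm the final destination is still inside UPLOAD_BASE.
// Assumes realpath() resolves symlinks and junctions on this PHP build.
// The real fix is also to keep uploads out of user-writable system folders.
function storeUploadHardened(string $first, string $last, string $email,
                             string $tmpFile, string $name): ?string
{
    $expected = UPLOAD_BASE . '\\' . md5($first . $last . $email);
    if (file_exists($expected)) {
        if (is_link($expected) || !is_dir($expected)) {
            return null;                      // planted link or file
        }
        $resolved = realpath($expected);
        if ($resolved === false || strcasecmp($resolved, $expected) !== 0) {
            return null;                      // directory points elsewhere
        }
    } elseif (!mkdir($expected, 0700, true)) {
        return null;
    }
    $safeName = basename(str_replace('/', '\\', $name));
    $dest     = $expected . '\\' . $safeName;
    $base     = realpath(UPLOAD_BASE);
    $destDir  = realpath(dirname($dest));
    if ($base === false || $destDir === false ||
        strncasecmp($destDir . '\\', $base . '\\', strlen($base) + 1) !== 0) {
        return null;                          // destination escaped the base
    }
    return move_uploaded_file($tmpFile, $dest) ? $dest : null;
}
```

Note that the check-then-write sequence is still racy against a local attacker who can swap the folder between the check and the move, which is why the storage location itself matters.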

10 - linked

After creating the link, I could upload into the web root.

11 - uploaded

Then, using Invoke-PowerShellTcp.ps1, I got a reverse shell.

12 - get

13 - revshell

The current shell was NT Authority\Local Service, but it did not have SeImpersonatePrivilege. So I searched the internet and found the FullPowers tool. It allows you to get a shell with all service privileges if the current user is Local Service.

So, using Reverse Shell Generator, I created a base64-encoded reverse shell and ran it through FullPowers.

14 - revshell within revshell

In the new reverse shell, I had SeImpersonatePrivilege.

15 - priv enabled

I then used SigmaPotato to get a SYSTEM shell and grabbed the root flag.

16 - SigmaPotato

17 - root txt

Pwned

The machine was fully compromised.

18 - pwned

