<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Windows Machines on rchitect</title><link>https://www.rchitect.in/tags/windows-machines/</link><description>Recent content in Windows Machines on rchitect</description><generator>Hugo</generator><language>en</language><lastBuildDate>Wed, 09 Mar 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.rchitect.in/tags/windows-machines/index.xml" rel="self" type="application/rss+xml"/><item><title>SeImpersonatePrivilege privilege escalation using Juicy Potato</title><link>https://www.rchitect.in/posts/juicy-potato/</link><pubDate>Wed, 09 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/juicy-potato/</guid><description>&lt;h1 id="exploiting-seimpersonateprivilege-using-juicypotato-for-privilege-escalation"&gt;
 Exploiting &amp;lsquo;SeImpersonatePrivilege&amp;rsquo; using Juicypotato for privilege escalation
 &lt;a class="heading-link" href="#exploiting-seimpersonateprivilege-using-juicypotato-for-privilege-escalation"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;Let&amp;rsquo;s take a scenario where we have an initial reverse shell or a normal user shell that needs to be elevated to Administrator. Checking the privileges of the current user, we notice that &amp;ldquo;SeImpersonatePrivilege&amp;rdquo; is enabled.&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State 
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled 
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\SysWOW64\inetsrv&amp;gt; 
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The SeImpersonatePrivilege shown in the output above can be exploited on most Windows machines using &lt;a href="https://github.com/ohpe/juicy-potato/releases/tag/v0.1" class="external-link" target="_blank" rel="noopener"&gt;Juicypotato&lt;/a&gt; (Release Fresh potatoes · ohpe/juicy-potato · GitHub).&lt;/p&gt;</description></item><item><title>Hackthebox Conceal</title><link>https://www.rchitect.in/posts/htb-conceal/</link><pubDate>Mon, 07 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-conceal/</guid><description>&lt;h1 id="hackthebox-conceal-walkthrough"&gt;
 Hackthebox Conceal Walkthrough
 &lt;a class="heading-link" href="#hackthebox-conceal-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/conceal/1.png" alt="conceal"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ sudo nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.116
sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.116
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 19:46 EST
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are filtered

Nmap done: 1 IP address (1 host up) scanned in 130.18 seconds
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 19:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.16s latency).
Not shown: 65534 open|filtered ports
PORT STATE SERVICE
500/udp open isakmp

Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;I have decided to run the &lt;a href="https://rchitect.in/posts/autorecon/" class="external-link" target="_blank" rel="noopener"&gt;Autorecon&lt;/a&gt; script as well to confirm I have not missed anything. It took a long time (more than 40 min). I could see an additional UDP port, 161, as well. Full results are uploaded &lt;a href="https://github.com/tcprks/Rchitect/blob/Yoda/CTF/conceal/_top_100_udp_nmap.txt" class="external-link" target="_blank" rel="noopener"&gt;here&lt;/a&gt; (Rchitect/_top_100_udp_nmap.txt at Yoda · tcprks/Rchitect · GitHub). There are 2 services to enumerate (SNMP and ISAKMP).&lt;/p&gt;</description></item><item><title>Hackthebox Silo</title><link>https://www.rchitect.in/posts/htb-silo/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-silo/</guid><description>&lt;h1 id="hackthebox-silo-walkthrough"&gt;
 Hackthebox Silo Walkthrough
 &lt;a class="heading-link" href="#hackthebox-silo-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/silo/1.png" alt="silo"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:46 EST
Nmap scan report for 10.10.10.82
Host is up (0.091s latency).
Not shown: 65261 filtered ports, 269 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 121.90 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:48 EST
Nmap scan report for 10.10.10.82
Host is up (0.100s latency).
Not shown: 65268 filtered ports, 262 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.82
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:49 EST
Warning: 10.10.10.82 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).
All 65535 scanned ports on 10.10.10.82 are open|filtered (65460) or closed (75)

Nmap done: 1 IP address (1 host up) scanned in 75.11 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -p 80,135,139,445,8080 -Pn -sC -sV -oN detailed.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:53 EST
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb-security-mode: 
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2022-02-24T00:53:53
|_ start_date: 2022-02-24T00:28:20

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnrability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnrability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ sudo nmap -p 80,135,139,445,8080 -script VULN 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:54 EST
Nmap scan report for 10.10.10.82
Host is up (0.057s latency).

PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn&amp;#39;t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn&amp;#39;t find any DOM based XSS.
|_http-stored-xss: Couldn&amp;#39;t find any stored XSS vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
| http-enum: 
|_ /i/: Potentially interesting folder

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try

Nmap done: 1 IP address (1 host up) scanned in 342.38 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="smb-enumeration"&gt;
 SMB enumeration
 &lt;a class="heading-link" href="#smb-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;p&gt;It seems we may not get any information from SMB ports.&lt;/p&gt;</description></item><item><title>Hackthebox Buff</title><link>https://www.rchitect.in/posts/htb-buff/</link><pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-buff/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Buff&lt;/p&gt;</description></item><item><title>Hackthebox Legacy</title><link>https://www.rchitect.in/posts/htb-legacy/</link><pubDate>Tue, 22 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-legacy/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Legacy&lt;/p&gt;</description></item></channel></rss>