Craft2

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.199.188
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 09:17 +08
Nmap scan report for 192.168.199.188
Host is up (0.010s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Craft
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
49666/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-03T01:18:45
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.26 seconds

Initial Access

Enum4Linux

Anonymous

Guest

Port 80

There is a website that is hosted on port 80.

At the top right there is an admin login link; however, if we try to click on it, we get this.

When we inspect the page source, it does nothing special and does not point to any unusual URLs.

After scrolling down further, we can see that we can upload a file to the website.

If we try to upload a .jpg image to the website, it gives us this error.

This means the file is being processed by upload.php, which also requires it to be an ODT file.

After researching what an ODT file is, we find that it is part of the Open Document Format (ODF).

CVE-2018-10583

We can use this exploit to leak the user's NTLM hash.

We first git clone the repo, as for some reason I am unable to work with the Python 2 version on Exploit-DB.

Next we need to install ezodf, as we do not have the package.

Next we run the Python script to generate the malicious .odt file, using our own IP as the listener.

Then we run Responder on our side to capture the NTLM hash.

Then we upload the file to the website.

It should capture the NTLM hash for the user thecybergeek.

After which we crack the hash to get the password.
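The upload handler above accepts any ODT, and CVE-2018-10583 is triggered by the document itself: the CVE entry describes an xlink:href pointing at a remote file:// path, which the office application opens, so the server reaches out over SMB and hands over a NetNTLM challenge-response. A server-side check on the uploaded package is one defensive layer. The following is an added example (not code from the page or from the exploit repository) that unzips the ODT, parses its XML parts and rejects any external link; the sample document builder, the 192.0.2.10 address and the scheme list are constructed assumptions.

```python
"""Server-side check for an ODT upload handler: reject documents whose XML
parts carry xlink:href links to external hosts, the document feature that
CVE-2018-10583 abuses to trigger an outbound SMB connection. Added example,
not code from the original page."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ODF_XML_PARTS = ("content.xml", "styles.xml", "meta.xml", "settings.xml")
ODT_MIMETYPE = b"application/vnd.oasis.opendocument.text"
# Schemes that make the consuming application contact another host (assumed list).
REMOTE_SCHEMES = {"file", "smb", "http", "https", "ftp"}


def is_external(href: str) -> bool:
    """True if an href leaves the package: UNC path, protocol-relative URL or
    a remote scheme. Package-relative links such as Pictures/x.png stay."""
    if href.startswith(("\\\\", "//")):
        return True
    return urlparse(href).scheme.lower() in REMOTE_SCHEMES


def external_links(odt_bytes: bytes) -> List[str]:
    """Return every external xlink:href found in the document's XML parts.
    Raises ValueError if the blob is not an ODT package."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(odt_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a zip container") from exc
    with zf:
        names = set(zf.namelist())
        if "mimetype" not in names or zf.read("mimetype").strip() != ODT_MIMETYPE:
            raise ValueError("mimetype entry is not an ODT")
        links = []
        for part in ODF_XML_PARTS:
            if part not in names:
                continue
            # The stdlib parser does not fetch external DTDs or entities, so
            # parsing untrusted XML here does not itself make a network request.
            root = ET.fromstring(zf.read(part))
            for elem in root.iter():
                href = elem.attrib.get(XLINK_HREF)
                if href and is_external(href):
                    links.append(href)
    return links


def is_safe_upload(odt_bytes: bytes) -> bool:
    """Accept only well-formed ODT packages with no external links."""
    try:
        return not external_links(odt_bytes)
    except (ValueError, ET.ParseError):
        return False


def build_sample_odt(href: Optional[str]) -> bytes:
    """Constructed minimal ODT (demonstration only) with an optional image link;
    real documents carry many more parts."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        "<office:body><office:text><text:p>hello</text:p>"
    )
    if href is not None:
        content += f'<draw:frame><draw:image xlink:href="{href}"/></draw:frame>'
    content += "</office:text></office:body></office:document-content>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires the mimetype entry first and stored uncompressed.
        zf.writestr("mimetype", ODT_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used only as a constructed sample.
    for label, link in (("clean", "Pictures/logo.png"),
                        ("unc", "\\\\192.0.2.10\\share\\x.jpg"),
                        ("file", "file://192.0.2.10/x.jpg")):
        blob = build_sample_odt(link)
        print(label, is_safe_upload(blob), external_links(blob))
```

The check only covers the link type the CVE entry names; it complements patching the document processor that runs behind upload.php and blocking outbound SMB (TCP 445) from the web server, which is what stops the hash from leaving even when a document slips through.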

WebApp Share

We then re-enumerate the shares as this user and see that it can access the WebApp share on the server over SMB.

We test whether we can upload a file to the server. It turns out we can, so we upload a reverse webshell.

Then we execute it by browsing to it on the website.

Privilege Escalation

MariaDB running locally

The database does not hold much information that we can use.

If we look at the grants, it shows that we are running as administrator.

We are also able to read the flag directly. However, we want the full shell.

We shall test if we are able to write our files.

Sure enough, we are able to write our files.
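Being able to write files from inside MariaDB depends on two things: the database account holding the FILE privilege, and the server's secure_file_priv setting being empty, which leaves server-side file reads and writes unrestricted; the service account then decides where those writes can land, and here that account is administrator. The following is an added example (not from the page) that audits the server groups of a my.ini for that setting and two related ones; the two sample configurations are constructed.

```python
"""Audit a MariaDB configuration file for the settings that let a database
account with the FILE privilege write files through the server process.
Added example, not from the original page; the sample configs are constructed."""
import configparser
from typing import List

# Option groups MariaDB reads for the server process.
SERVER_GROUPS = ("mysqld", "mariadb", "server")

# Constructed sample: unrestricted file access, listening on every interface.
WEAK_INI = """\
[mysqld]
port = 3306
bind-address = 0.0.0.0
secure_file_priv = ""
"""

# Constructed sample: loopback only, file access confined to one directory.
HARDENED_INI = """\
[mysqld]
port = 3306
bind-address = 127.0.0.1
secure-file-priv = "C:/mariadb-uploads"
"""


def _normalise(key: str) -> str:
    # MariaDB accepts both spellings, e.g. secure-file-priv and secure_file_priv.
    return key.strip().lower().replace("-", "_")


def audit_mariadb_ini(ini_text: str) -> List[str]:
    """Return findings for the server groups of a my.ini / my.cnf text."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(ini_text)
    settings = {}
    for group in SERVER_GROUPS:
        if cp.has_section(group):
            for key, value in cp.items(group):
                settings[_normalise(key)] = (value or "").strip().strip("\"'")
    findings = []
    # With FILE granted and no secure_file_priv, SELECT ... INTO OUTFILE and
    # LOAD DATA can reach any path the service account can write, which for a
    # service running as administrator is the whole filesystem.
    if "secure_file_priv" not in settings:
        findings.append("secure_file_priv not set (MariaDB default is unrestricted)")
    elif settings["secure_file_priv"] == "":
        findings.append("secure_file_priv is empty: server file reads/writes are unrestricted")
    if "skip_grant_tables" in settings:
        findings.append("skip_grant_tables set: every connection is unauthenticated")
    bind = settings.get("bind_address")
    if bind in ("0.0.0.0", "::"):
        findings.append(f"bind_address {bind}: listening on all interfaces")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_mariadb_ini(text) or ["no findings"])
```

The ini file cannot express the other half of the fix: run the database service as a dedicated low-privilege account rather than administrator, and grant FILE only to accounts that need it.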

WerTrigger

After searching online, we find this exploit, which allows us to get an administrator shell.

First we download all the files and upload them to the target machine.

Next we move phoneinfo.dll into C:\Windows\System32\.

The last step is to execute the payload to get our administrator shell. However, we can't see any output.

So we try running nc to see whether we get a reverse shell.

After running it again, we get a reverse shell.
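The step that matters for a defender is the one before the payload runs: a DLL called phoneinfo.dll being written into C:\Windows\System32\ by an interactive user rather than by Windows servicing. That file write is visible in file-creation telemetry. The following is an added example (not from the page or the WerTrigger repository) that runs that detection over Sysmon-style FileCreate events (Event ID 11) flattened into key=value lines; the log lines, the HOST domain, the trusted-writer allow list and the watch list are constructed assumptions to tune for a real environment.

```python
"""Detection over Sysmon-style FileCreate events (Event ID 11): flag DLLs
written into C:\\Windows\\System32 by anything other than Windows servicing,
the step the page performs when it moves phoneinfo.dll there. Added example,
not from the original page; log lines, allow list and watch list are
constructed assumptions."""
import re
from typing import Dict, List

SYSTEM32 = "c:\\windows\\system32\\"
# Processes expected to write into System32 (assumed allow list, tune per host).
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
# DLL names to treat as high severity when they appear in System32;
# phoneinfo.dll is the one the page plants for WerTrigger.
WATCH_LIST = {"phoneinfo.dll"}

# Constructed sample events in a flattened Key=value form, not raw Sysmon XML.
SAMPLE_EVENTS = """\
EventID=11 User=NT AUTHORITY\\SYSTEM Image=C:\\Windows\\servicing\\TrustedInstaller.exe TargetFilename=C:\\Windows\\System32\\wer.dll
EventID=11 User=HOST\\thecybergeek Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Windows\\System32\\phoneinfo.dll
EventID=11 User=HOST\\thecybergeek Image=C:\\Users\\Public\\setup.exe TargetFilename=C:\\Windows\\System32\\helper.dll
EventID=11 User=HOST\\thecybergeek Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\Public\\phoneinfo.dll
EventID=1 User=HOST\\thecybergeek Image=C:\\Windows\\System32\\cmd.exe CommandLine=whoami
"""

# A value runs until the next " Key=" token, so values may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dictionary."""
    return {k: v for k, v in _KV.findall(line.strip())}


def find_dll_drops(log_text: str) -> List[Dict[str, str]]:
    """Alert on every DLL created under System32 by a non-servicing process."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue
        target = ev.get("TargetFilename", "")
        low = target.lower()
        if not (low.startswith(SYSTEM32) and low.endswith(".dll")):
            continue
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if writer in TRUSTED_WRITERS:
            continue
        name = low.rsplit("\\", 1)[-1]
        alerts.append({
            "file": target,
            "writer": ev.get("Image", ""),
            "user": ev.get("User", ""),
            "severity": "high" if name in WATCH_LIST else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_dll_drops(SAMPLE_EVENTS):
        print(alert["severity"], alert["user"], alert["writer"], "->", alert["file"])
```

The medium-severity branch is what catches variants that use a different file name; the watch list only raises the priority for names already known to be loaded from System32 without shipping there. The same write is also what a host that keeps administrators from writing into System32 (or that audits that directory) would block or log.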
