Task 1 : Enumeration
Here we need to deploy the machine and begin the enumeration.
Q: How many TCP ports aunder 1024 are open?
nmap -sS -sV -vv --top-ports 1000 10.10.104.217 | grep open
The system is running a anonymous FTP server which always requires some quick poking around even if there isn’t a question asking for any specific information.
Once we log into the FTP server we can see that there is a file named notice.txt and it states that the ftp contents have been moved to a hidden windows share …you know, for security reasons ;)
Q: What is the hidden share where images should be copied to?
smbclient -L 10.10.104.217
Task 2: Foothold
Gain a foothold on the box using what you found through enumeration.
After an initial struggle of using the stock
/usr/share/webshells/php/php-reverse-shell.php I realized that this was running a bash shell and we needed something that would run against a windows system.
A quick search will show that we have some options available. The shell below from ivan-sincek will detect the host as linux or windows and send the correct shell back to us.
Just a little refresh on the popular PHP reverse shell script pentestmonkey/php-reverse-shell. Credits to the original…
First we need to clone the repository and update the ip address to point to our attack machine.
With the shell updated we now need to upload the file to the server using smbclient, since I am lazy I will normally rename it to shell.php.
Reviewing the website we can see that it is loading the images from a /images/ directory so we should be able to trigger our shell.php via a curl request.
Now we start our netcat listener with
nc -lnvp 9000 and then execute the shell via a curl request
Q: What user is signed into the console session?
A: Can be provided by running
quseron the shell
Q: What hidden, non-standard share is only remotely accessible as an administrative account?
This was also found previously with our
smbclient -L ip.address command, but since we have a shell we can also run a
net share to see what the path is also.
Q: What is the contents of the user_flag.txt?
A: provided below
Task 3: Pwnage
Q: What is the users password? Hint: The user is automatically logged into the computer.
A: steps provided below
Since the hint says that the user is automatically logged on the username and password are stored in the registry. A quick online search will provide you with the required registry key below.
reg query “HKLM\SOFTWARE\microsoft\windows nt\currentversion\winlogon”
Q: What is the Administrators Password? Hint: Well there wasn’t a hint but we know there is a
installs$ share that is located at
A: steps provided below
Once in the c:\installs directory you can type
get-content Install_www_and_deploy.bat to reveal hard coded Administrator credentials.
Q: What executable is used to run the installer with the Administrator username and password?
A: This is also in the same batch file from above.
Q: What is the VNC Password?
A: this is also provided in
ultravnc.inibut must be decoded… see below
I was unable to get this “password” to work so I looked at the hint and it provides a link to some password decoding tools. Specificially the *VNC password decoder 0.2.1. Since I didn’t have a windows box handy, I just uploaded
vncpwd.exe to the victim machine using
smbclient and executed with the
Q: What is the contents of the admin_flag.txt?
A: see the steps below
I struggled trying to elevate with psexec.exe and connecting with psexec.py from Impacket, so ultimately I gave up on the command line and went with
rdesktop /u:administrator /p:thepass... and failed there too, ugg!
The system was too slow and failed… #tryharder
This next solution is a very low tech approach to the problem.
I connected via vnc using
xvncviewer, I lowered the quality because of the performance issues I had in the past. Though I don’t believe this helped at all as the performance issue was on the windows machine…
xvncviewer -QualityLevel 2 ip.address
- Step 1: double click on the user_flag.txt
- Step 2: Change the contents of the user_flag.txt file to be
runas /user:administrator cmd.exe
- Step 3: Save the file as
pwn2.bat, my first attempt at a powershell escalation didn’t work quite so well.
- Step 4: double click the pwn2.bat and paste in the admin password. #profit!
Thank you to apjone for a fun room. I struggled at the end to find a usable solution, but I think that’s what makes for a fun room! #greatjob