THM — Blaster

Yikai
6 min read · Nov 18, 2020

Task 2

Nmap

kali@kali:~$ nmap -T4 -A 10.10.76.218
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-18 05:29 EST
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:30 (0:00:11 remaining)
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:32 (0:00:46 remaining)
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:32 (0:00:50 remaining)
Nmap scan report for 10.10.76.218
Host is up (0.41s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2020-11-18T10:32:30+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-11-17T10:29:47
|_Not valid after: 2021-05-19T10:29:47
|_ssl-date: 2020-11-18T10:32:42+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.71 seconds

#1 — How many ports are open on our target system?

Ans: 2 (Not sure why I can find more than 2 ports.)
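As an added example (not part of the original writeup), here is a small Python parser for Nmap's normal output. It is run over the scan above, which is embedded verbatim, and it counts the open ports, attaches the NSE script fields (such as rdp-ntlm-info) to the port they belong to, and turns the result into the exposure findings a defender would note: RDP and NetBIOS reachable, plus the hostname and OS build leaked through NTLM. The port list, the script field names and the risk notes are the only inputs; the regexes and the RISKY_PORTS table are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Scan output copied from this writeup so the parser runs offline.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.76.218
Host is up (0.41s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2020-11-18T10:32:30+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-11-17T10:29:47
|_Not valid after: 2021-05-19T10:29:47
|_ssl-date: 2020-11-18T10:32:42+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
"""

# A port line: "<port>/<proto> <state> <service> [version...]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# An NSE script line carrying a "Key: value" pair ("|" or "|_" prefix).
SCRIPT_KV_RE = re.compile(r"^\|_?\s*(?P<key>[A-Za-z0-9_-]+):\s*(?P<value>.+)$")

# Assumed table of services worth flagging when reachable from an external scanner.
RISKY_PORTS = {
    135: "MSRPC endpoint mapper reachable",
    139: "NetBIOS session service reachable (SMB over NetBIOS)",
    3389: "RDP reachable; exposed to password guessing and credential reuse",
}


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_fields: dict = field(default_factory=dict)


def parse_nmap(text: str) -> list:
    """Parse Nmap normal output into PortEntry objects with their script fields."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = PortEntry(int(m["port"]), m["proto"], m["state"],
                                m["service"], m["version"].strip())
            entries.append(current)
            continue
        if line.startswith("Host script results"):
            current = None  # host-level scripts do not belong to a port
            continue
        if current is not None and line.startswith("|"):
            kv = SCRIPT_KV_RE.match(line)
            if kv:
                current.script_fields[kv["key"]] = kv["value"].strip()
    return entries


def open_ports(entries: list) -> list:
    """Sorted port numbers whose state is 'open'."""
    return sorted(e.port for e in entries if e.state == "open")


def exposure_findings(entries: list) -> list:
    """Human-readable findings: risky services plus information leaked by NSE scripts."""
    findings = []
    for e in entries:
        if e.state == "open" and e.port in RISKY_PORTS:
            findings.append(f"{e.port}/{e.proto}: {RISKY_PORTS[e.port]}")
        if "Product_Version" in e.script_fields:
            host = e.script_fields.get("NetBIOS_Computer_Name", "?")
            findings.append(
                f"{e.port}/{e.proto}: NTLM handshake leaks hostname {host} "
                f"and OS build {e.script_fields['Product_Version']}"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(parsed))
    for finding in exposure_findings(parsed):
        print("-", finding)
```

On the scan above the parser reports three open TCP ports (135, 139, 3389) and four findings; the Product_Version field, 10.0.14393, is the build of Windows 10 1607 / Windows Server 2016, which is exactly the kind of detail the RDP NTLM handshake should not be handing to unauthenticated scanners.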

#2 — Looks like there’s a web server running, what is the title of the page we discover when browsing to it?

Ans: IIS Windows Server

#3 — Interesting, let’s see if there’s anything else on this web server by fuzzing it. What hidden directory do we discover?

Ans: /retro

Navigate to our discovered hidden directory, what potential username do we discover?

Ans: Wade

#4 — Crawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover?

Take note of the yellow outlined text.

Ans: pa******

#5 — Log into the machine via Microsoft Remote Desktop (MSRDP) and read user.txt. What are its contents?

A simple search on how to use RDP to connect remotely in Linux results in finding this website: https://opensource.com/article/18/6/linux-remote-desktop

We need to install Remmina.

apt install remmina

Find Remmina and open the app.

Input the IP address you want to connect to.

Accept the cert.

Enter the credentials found earlier and click OK. Ignore the domain field.

You should see a desktop interface and you will see the user.txt file.

Double click and you will get the answer.

Ans: THM{*************}

Task 3

#1 — When enumerating a machine, it’s often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it?

Not sure why I cannot view the history. Realised that the YouTube walkthrough by GhostlyPy has the same issue.

Ans: See other writeups. (Can’t find answer)

#2 — Looks like an executable file is necessary for exploitation of this vulnerability and the user didn't really clean up very well after testing it. What is the name of this executable?

Ans: hhupd

#3 — Now that we’ve spawned a terminal, let’s go ahead and run the command ‘whoami’. What is the output of running this?

A Google search on the CVE reveals this website: https://www.nagenrauft-consulting.com/2019/11/21/cve-2019-1388-hhupd-exe/

The above website provides a YouTube link showing a walkthrough of how the exploit works.

Let’s go ahead and perform the exploit.

From the video, it seems that we need to download an executable file called hhupd.exe. Conveniently the user has downloaded it, and left it in the recycle bin.

First, restore the file to the desktop.

Right-click and run as admin.

(We do not have the admin password.)

Click show information…

Click on the VeriSign Commercial…

This will launch a browser process running as SYSTEM.

We might not have Internet access, but we can still click Tools, then File, then Save As.

An error message should pop up, hinting that the browser is running as SYSTEM.

Enter C:\Windows\System32\*.* and press Enter.

Next, find the cmd file, right-click, and click open.

Now, we have a command prompt that is running as SYSTEM.

Ans: nt authority\system

#4 — Now that we've confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator's desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four!

Next, let's find the root flag: cd to C:\Users\Administrator\Desktop.

We got the root flag.

Ans: THM{******************}

Task 4

#1 — First, let’s set the target to PSH (PowerShell). Which target number is PSH?

Next, let’s use the Metasploit module exploit/multi/script/web_delivery.

set LHOST

set payload

set LPORT

set target

Check options again.

Ans: 2

$ run -j

Copy the code the module prints and paste it into the command prompt opened earlier (Ctrl-Shift-C in the Linux terminal, Ctrl-V in the Windows command prompt).

You should see a reverse shell spawn.
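The chain built in Task 3 and continued here leaves a very distinctive process tree on the host: a web browser running as NT AUTHORITY\SYSTEM, a cmd.exe spawned from that browser, and then a powershell.exe spawned from that SYSTEM prompt. As an added example (not part of this writeup or of the room), the Python below runs a few detection rules over constructed process-creation events shaped like Sysmon event 1 records. The event list is made up for illustration, including the assumption that the certificate dialog is hosted by consent.exe; the image names and the rule thresholds are assumptions too.

```python
from dataclasses import dataclass

# Image names treated as interactive browsers and as command shells (assumed lists).
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "nt authority\\system"


@dataclass
class ProcEvent:
    """Minimal process-creation record (pid, parent pid, image path, user)."""
    pid: int
    ppid: int
    image: str
    user: str


# Constructed events modelling the writeup's chain. Not real telemetry.
EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(520, 400, r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(1200, 900, r"C:\Windows\explorer.exe", r"RETROWEB\Wade"),
    # Benign: the user opens a normal, unelevated command prompt.
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe", r"RETROWEB\Wade"),
    # Assumed: the UAC prompt (consent.exe) hosts the certificate dialog as SYSTEM.
    ProcEvent(1500, 520, r"C:\Windows\System32\consent.exe", r"NT AUTHORITY\SYSTEM"),
    # The publisher link launches a browser as SYSTEM (Task 3).
    ProcEvent(1600, 1500, r"C:\Program Files\Internet Explorer\iexplore.exe", r"NT AUTHORITY\SYSTEM"),
    # "Save As" is used to open cmd.exe from the SYSTEM browser (Task 3).
    ProcEvent(1700, 1600, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    # The web_delivery one-liner is pasted into that prompt (Task 4).
    ProcEvent(1800, 1700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"NT AUTHORITY\SYSTEM"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Parent chain of an event, nearest parent first; stops at unknown pids or loops."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Return (pid, reason) alerts for the browser-as-SYSTEM and shell-from-browser patterns."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = image_name(ev.image)
        is_system = ev.user.lower() == SYSTEM_USER
        # Rule 1: an interactive browser should never run as SYSTEM.
        if name in BROWSERS and is_system:
            alerts.append((ev.pid, "browser running as SYSTEM"))
        # Rule 2: a shell anywhere below a browser in the tree is suspicious,
        # and critical when the shell itself holds the SYSTEM token.
        if name in SHELLS:
            browser = next((p for p in ancestry(ev, by_pid) if image_name(p.image) in BROWSERS), None)
            if browser is not None:
                severity = "critical" if is_system else "high"
                alerts.append((ev.pid, f"{severity}: {name} descended from browser pid {browser.pid}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the constructed events it raises three alerts (the browser at pid 1600, the SYSTEM cmd.exe at 1700 and the powershell.exe at 1800) and stays silent on the user's ordinary command prompt and on the SYSTEM service processes, which is the split a detection engineer wants: the signal is the token on the browser and the shell lineage, not the presence of cmd.exe or PowerShell on their own.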

#2 — Last but certainly not least, let’s look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots? Don’t include anything beyond the base command and the option for boot startup.

Go to the link they provided: https://www.offensive-security.com/metasploit-unleashed/meterpreter-service/

Ans: run persistence -X

Run this command now with options that allow it to connect back to your host machine should the system reboot. Note, you’ll need to create a listener via the handler exploit to allow for this remote connection in actual practice. Congrats, you’ve now gained full control over the remote host and have established persistence for further operations!

Yikai

Started my journey in cybersecurity in September 2020. This blog is used mainly to record my learning journey.