nmap

All posts tagged nmap

Walkthrough of a Windows machine exploitation. The room has a description of two methods, the first is a semi-auto Metasploit one and a manual one afterwards. 

Introduction

In this room after the usual enumeration and initial access Powershell to be used for further analysis. Please note that this machine does not respond to ping (ICMP).

Who is the employee of the month?

This question can be easily answered with a couple of clicks instead of the advised reverse image lookup. All we need to do is just right click on the page to inspect the picture.

Initial Access

Scan the machine with nmap. What is the other port running a web server on?

Take a look at the other web server. What file server is running?

This could be easily answered with a quick curl request as shown below.

What is the CVE number to exploit this file server?

Usually all the exploit scripts have a short explanation of the vulnerability with the relevant CVE number as highlighted below.

Use Metasploit to get an initial shell. What is the user flag?

Privilege Escalation

Now that we have an initial shell as Bill, we can do further enumeration in order to get root privileges. We shall use a powershell script called PowerUp for this purpose finding common Windows privilege escalation vectors that rely on misconfigurations. The script can be downloaded from here.  Meterpreter can be used to get the file uploaded.

Also, the Powershell extension of Meterpreter can be utilized to make our life a bit easier.

What is the name of the service which shows up as an unquoted service path vulnerability?

We use msfvenom to generate a reverse shell as an Windows executable.

We shall upload the newly generated binary and replacing the legitimate one with it. Then restart the program to get a shell as root.  Note: The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.

What is the root flag?

The exploit works by grabbing a Netcat executable which to be hosted from the folder in which the HTTP server is setup and running. Also a local Netcat listener is necessary to catch the backward connection.

Access and Escalation without Metasploit

Now let’s complete the room without the use of Metasploit. For this we will utilise Powershell and WinPEAS to enumerate the system and collect the relevant information to escalate to. The same CVE to be used with this exploit. As with the previous case, a webserver and a Netcat listener should be up and running at the same time in order for this to work. We can use the same Netcat static binary as above. The exploit should be run two times as the first time it should pull the Netcat binary to the victim system and the second would execute the payload to gain a callback.

We need to modify the exploit as shown below.

Setting up the HTTP server in our working directory.

Receiving the low privileged shell on the Netcat listener.

Now we can pull WinPEAS to the system using powershell -c. Once we run WinPeas, we see that it points us towards misconfigured unquoted service paths vulnerabilities. We can see that it provides us with the name of the service it is also running.

What powershell -c command could we run to manually find out the service name?

Let’s generate a new payload with msfvenom and pull it to the system using powershell. Now we can move our payload to the unquoted directory about which WinPEAS alerted us and restart the service with “sc stop AdvancedSystemCareService9” and “sc start AdvancedSystemCareService9”. Once this command runs, we shall see a new Administrator shell on the listener.

Before stopping and re-running the service, we could check whether it runs as normal user with the “sc qc AdvancedSystemCareService9” command.

Running the webserver from the working directory as before.

Uploading the payload from Powershell using the wget command.

Receiving the system level shell on our listener.

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of exploiting a Linux machine via Samba shares and a vulnerable version of a proftpd FTP server. Privileges escalation with path variable manipulation afterwards.

Deploy the vulnerable machine

We shall do a quick Nmap scan at first right after spinning up the VM.

How many ports are open?

Enumerating Samba for shares

Samba is a suite of apps using the SMB (Server Message Block) protocol. In the everyday life is mostly about the Windows – Unix communication, file access, printing, shared resources etc. We shall run a dedicated Nmap script against the machine for further enumeration. SMB has generally two open ports, 139 and 445. Port 139 is for communication over NetBIOS on the application layer. Port 445 is utilized by the newer version of SMB (after Windows 2000) and it allows SMB to communicate over the Internet.

Using the nmap command above, how many shares have been found?

Let us connect to the shares with the smbclient tool.

What is the file we can see?

The file can be downloaded with the “get” command. Let’s open the file with the “cat” command. It contains interesting information like:

  • Information generated for Kenobi when generating an SSH key for the user
  • Information about the ProFTPD server.

What port is FTP running on?

Our earlier Nmap port scan showed port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program number into universal addresses. It basically tells rpcbind the address at which it is listening and the RPC program number its prepared to serve. In our case, port 111 is access to a network file system. Let’s use Nmap to enumerate this as well.

What mount can we see?

Gain initial access with ProFtpd

ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions. Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.

What is the version?

We can use searchsploit to find exploits for a particular software version. Searchsploit is basically just a command line search tool for exploit-db.com.

How many exploits are there for the ProFTPd running?

There is an exploit for the mod_copy module of ProFTPD. This module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user. We’re now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.

As we knew that the /var directory was a mount from above, we could have moved Kenobi’s private key to the /var/tmp directory. As a next step, let’s mount the /var/tmp directory to our machine.

We now have a network mount on our deployed machine. We can go to /var/tmp and get the private key then login to Kenobi’s account.

What is Kenobi’s user flag (/home/kenobi/user.txt)?

Privilege Escalation with Path Variable Manipulation

SUID bits can be dangerous, some binaries such as passwd need to be run with elevated privileges (as it can reset passwords of a system). Let us search the a system for these type of files.

What file looks particularly out of the ordinary?

Running the binary, how many options appear?

Strings is a command on Linux that looks for human readable strings on a binary. This shows us the binary is running without a full path (e.g. not using /usr/bin/curl or /usr/bin/uname). As this file runs with root privileges, we can manipulate our path to gain a root shell.

What is the root flag?

We copied the /bin/sh shell, called curl, gave it the correct permissions and then putting its location in our path. This means when the /usr/bin/menu binary runs, it uses our path variable to find the “curl” binary. As this is actually a version of /usr/sh and runs as root it also runs our shell as root.

Thanks for reading and as always, any feedback is most welcome.