This box was a really fun challenge that allowed me to try some new techniques and certainly sent me down a few rabbit holes!
I've not posted on here for a while as I've been knee deep in the PWK/OSCP certification from Offensive Security. I didn't pass on my first attempt, so thought I'd write a walk-through for a great Hack The Box challenge whilst waiting for my lab time to restart.
Summary:
Scanned for open ports using Nmap (no TCP ports open)
Scanned for any available ports using Masscan (discovered UDP port 161 was open)
Further Nmap scan to determine the service running (SMTP)
Used snmp-check to enumerate port 161 (discovered hashed IKE VPN password)
Decrypted hash using Hashcat
Scanned for a VPN connection using ike-scan and discovered the configuration
Used Strongswan to connect to the VPN
Further Nmap scan to discover open TCP ports
Discovered FTP server with anonymous login and uploaded a test file
Found upload directory on web server using Gobuster (this contained the test file)
Uploaded a webshell able to run commands (opened a connection via Powershell)
Located the user.txt and ran Watson and Windows Priv Checker to look for privilege escalation methods
Used JuicyPotato automated via a Powershell script to open a Meterpreter session with system level privileges.
Enumeration
Nmap was used for an initial scan of the box with default NSE scripts, version detection, aggressive scan speed, increased verbosity output, and output in all formats to a folder.
No responses were found. Masscan was then used to scan the host on every TCP and every UDP port.
An open port at 161 on UDP was discovered. A further Nmap scan was performed to establish the service running. This time, version detection was used and UDP only was specified.
SNMP (Simple Network Management Protocol) was discovered to be running on port 161. This is an application layer protocol used to manage and monitor network devices and (importantly) their functions. Further enumeration using snmp-check yielded a significant amount of information about the target.
One line of data was of particular interest. In the "Contact" line there looked to be a hashed password and an indication that this is related to a VPN (Virtual Private Network). Hashcat was used to decrypt the password. NTLM hash was indicated (-m 1000) and straight attack mode was used with pass.txt containing the VPN hash and using rockyou.txt as the password file.
This quickly identified the password as Dudecake1!. In addition, this hash could be decrypted on the crackstation website. This would allow compromise of the VPN.
Compromising the VPN
Ike-scan is a command-line IPSec VPN scanner and testing tool for discovering, fingerprinting and testing IPsec VPN systems. It is a default tool in the Kali distribution. A scan was performed against the target host.
This scan provided information as to how the VPN is configured. Using this information, and the previously decrypted password hash, an IPSec connection was made using Strongswan.
Firstly, Strongswan was installed. Then, the IPSec configuration file was opened for editing.
A wiki-how guide provided an outline of the parameters that needed filling in. This led to the following configuration:
An additional file was made containing the password, authentication type, and target IP.
Finally, a connection was confirmed to the host after running the following commands to start the service and make the connection.
Further enumeration
Another Nmap scan was performed on the target host now that an IPSec connection had been established. Again, default NSE scripts and version detection were optioned.
This time, there was a response from 5 TCP ports on the on the target host. In particular, the results indicated FTP service that allows anonymous login. Additionally, a HTTP service was open on port 80; the IIS number (10.0) indicated that Windows Server 16 or higher was running on the target host.
After logging in and checking for any interesting files/folders (there were no files or folders in the FTP directory), a test file was uploaded to the FTP service to confirm that anonymous login was allowed, and that the service allowed remote file uploads.
Webshell
Navigating to http://10.10.10.116 port 80 using a web browser displayed a standard IIS page. A Nikto scan yielded no interesting results. Gobuster was then used to scan the host for any hidden directories.
Gobuster was set to scan directories (-dir) on the website http://10.10.10.116 and use a wordlist (-w) specified in the file path.
A directory was located. Navigating to the page in a web browser showed that the previously uploaded test.txt file was accessible via http://10.10.10.116/upload
A number of payloads (reverse shell) were created with MSFVenom and uploaded via FTP. However, no session/shells were successful. Next, a webshell was uploaded (via FTP put command) with remote code execution functionality.
This was accessible via http://10.10.10.116/upload/shell.asp
Reverse shell and user flag
A Powershell script from Nishang was hosted on the attacking box using SimpleHTTPServer on port 80.
The following line was added to the bottom of the Invoke-PowerShellTcp.ps1 script.
This would, when called by the target host, create a reverse PowerShell session with the attacking box (10.10.14.10) on port 4443. The following command was then entered into the webshell's code execution box.
A Netcat listener was set up to catch the reverse shell on port 4443.
From here, the user flag was found on Destitute's desktop.
Privilege escalation
Two privilege escalation scripts were run to establish possible vulnerabilities on the system that could be exploited to escalate privilege from user to root (system). Watson is a .NET tool designed to enumerate missing KBs (Knowledge Base) and suggest exploits for Privilege Escalation vulnerabilities. This was downloaded from the attacking machine into the user's Temp folder and then run locally on the target host.
The Watson script suggested a number of KBs (Microsoft Knowledge Base) were missing that could lead to an attacker escalating privileges. A further script (Windows Exploit Suggester) was run on the attacking (Kali) box using systeminfo retrieved from the target host.
This script checks the systeminfo from a Windows machine against a database of KBs. Again, the script highlighted a number of missing KBs that could lead to privilege escalation in addition to other vulnerabilities.
The MS16-075 Security Update was highlighted as missing by both scripts. The exploit (Hot/Rotten/Juicy Potato) that can be performed against this vulnerability is highly reliable and consistent across many different versions of Windows. It works in the following way:
Trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint under the control of the attacker.
Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account. This is done through a series of Windows API calls.
Impersonate the token just negotiated. This can only be done if the attackers current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.
This is also known as 'abusing the golden privileges' and can be manually checked for by running the command whoami /priv from within a PowerShell session. If SeImpersonatePrivilege is enabled the target is likely to be vulnerable.
There are a number of manual ways of exploiting this vulnerability, however, it is also possible to automate the process using a PowerShell Wrapper (Lovely-Potato). An MSFVenom payload was created that, when executed, would send a reverse Meterpreter shell from the target host to the attacking host on port 4444.
This exe file was then placed into a folder that also contained a PowerShell script, the original JuicyPotato binary, and a list of possible CLSIDs to impersonate.
The folder containing these files was then hosted again using SimpleHTTPServer on port 80. The script was called via the existing PowerShell session as user Destitute.
The exploit then tested the CLSIDs on the target host.
After approximately 10 minutes (the time taken to run through the CLSIDs) a Meterpreter session was opened with system level (root) privileges.
From here, an attacker would be able to dump any credentials using post-explotation modules (such as Kiwi/Mimikatz), exfiltrate sensitive information, create processes and install software/services, or pivot onto other machines if the host was part of a larger network. For example, the following commands would load the Kiwi module into the current Meterpreter session and then dump the SAM (Security Account Managers) database.
