
Relevant {THM}


Introduction

The box Relevant is on TryHackMe as part of the Offensive Pentesting path and is treated as a black box penetration test, since the only information provided is the IP address and the objective: compromise the box by exploiting multiple vulnerabilities and recover the flags as proof of system compromise. Writing up the results as a report is strongly recommended, as it helps with preparation for the eLearnSecurity eCPPT exam. What follows is my report on this compromised box.




Rules of Engagement

The client requests that an engineer conduct an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the perspective of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt

  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Any tools or techniques are permitted in this engagement; however, we ask that you attempt manual exploitation first.

  • Locate and note all vulnerabilities found

  • Submit the flags discovered to the dashboard

  • Only the IP address assigned to your machine is in scope

  • Find and report ALL vulnerabilities (yes, there is more than one path to root)




Executive Summary

The machine was evaluated and found to have several critical vulnerabilities that led to full system access over the entire machine. It is highly advisable that these vulnerabilities are addressed as soon as possible, since they can be exploited with little effort and allow an attacker to obtain full administrative control of the system.




Vulnerability Report

Scanning the target system with Nmap shows 7 open ports. Two of them serve an IIS version 10 web server, and an SMB file-sharing service is also exposed. Furthermore, Nmap identified the system as Windows Server 2016 Standard Evaluation 14393.


The SMB share 'nt4wrksv' allows read/write access without supplying credentials.


The default Windows Server IIS webpage is running on both ports 80 & 49663.


The SMB share 'nt4wrksv' is also reachable through the web server, where the passwords.txt file can be read publicly in the browser. The passwords were only Base64-encoded and were trivially decoded with an online Base64 decoder. Since the web server serves (and executes) whatever is stored in this file share, this path provides the initial foothold into the system.


Crafting an MSFVenom reverse shell payload and uploading it to the SMB share 'nt4wrksv' proves that write access exists without supplying any credentials.


Starting a Netcat listener on port 53 and navigating to the payload 'pwn.aspx' in the browser at 'http://10.10.167.238:49663/nt4wrksv/pwn.aspx' triggers the payload and returns a reverse shell to the Netcat listener. After gaining access, the user flag can be obtained by navigating to 'C:\Users\Bob\Desktop' and entering the command 'type user.txt'.
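The foothold above leaves a clear trace in the IIS W3C logs: a request for a file under the share's virtual path, followed by a request for a script-mapped extension (.aspx) under the same path. The following PowerShell is an added detection example, not part of the original report or of the TryHackMe box. It assumes the share is published at the virtual path '/nt4wrksv/' (as in the report), and the log lines and client IP addresses in $SampleLog are constructed for illustration; in production, feed it the contents of the site's log directory (by default under C:\inetpub\logs\LogFiles). It generalises to any share path and any list of script extensions.

```powershell
# Added example (not from the original report): flag HTTP requests that read or
# execute content from a web-exposed file share, using IIS W3C log lines.

# Constructed sample log; the header line defines the column order IIS writes.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:00 10.10.167.238 GET /nt4wrksv/passwords.txt - 49663 - 10.10.10.10 Mozilla/5.0 - 200 0 0 12
2024-01-01 10:00:05 10.10.167.238 GET /nt4wrksv/pwn.aspx - 49663 - 10.10.10.10 Mozilla/5.0 - 200 0 0 3001
2024-01-01 10:00:07 10.10.167.238 GET /iisstart.htm - 80 - 10.10.10.11 Mozilla/5.0 - 200 0 0 5
'@ -split "`r?`n"

function Find-SuspiciousShareRequest {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Assumption: the SMB share is published under this virtual path.
        [string] $SharePath = '/nt4wrksv/',
        # Extensions IIS hands to a script handler instead of serving as static files.
        [string[]] $ScriptExtensions = @('.aspx', '.asp', '.ashx', '.asmx', '.svc', '.cshtml')
    )

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Re-read the column layout each time IIS writes a header (it can change per site).
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it

        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        $uri = $entry['cs-uri-stem']
        if (-not $uri.StartsWith($SharePath, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

        $ext = [System.IO.Path]::GetExtension($uri).ToLowerInvariant()
        if ($ScriptExtensions -contains $ext) { $reason = 'script executed from share' }
        elseif ($uri -match '(?i)pass|cred|secret') { $reason = 'sensitive file read from share' }
        else { $reason = 'share content served over HTTP' }

        [pscustomobject]@{
            Time     = "$($entry['date']) $($entry['time'])"
            ClientIP = $entry['c-ip']
            Port     = $entry['s-port']
            Uri      = $uri
            Status   = $entry['sc-status']
            Reason   = $reason
        }
    }
}

# Usage: the two share requests are reported; the /iisstart.htm request is ignored.
Find-SuspiciousShareRequest -LogLines $SampleLog | Format-Table -AutoSize
```

A successful (status 200) request for a script extension under a path that anonymous users can write to is the combination worth alerting on; pairing the hit with the file-creation time on the share (or with a 4663 object-access event, if auditing is enabled on the share folder) confirms that the file was dropped rather than deployed by an administrator.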


Now that initial access has been obtained as 'iis apppool\defaultapppool', privilege escalation can begin. The command 'whoami /priv' is run to see what privileges the current user holds. Looking over the output, 'SeImpersonatePrivilege' is enabled, which will be used to elevate privileges.


A Google search for exploits leads to a GitHub repository providing 'PrintSpoofer', a tool that can be used to assist with privilege escalation.


The SMB share is again abused to upload the payload for staging and execution.


Then, after navigating to that location in the Windows command prompt, the payload is executed locally on the machine without any issues with the command '.\PrintSpoofer.exe -i -c cmd'. At this point full system access has been achieved as the user NT Authority\System.


Finally, by navigating to 'C:\Users\Administrator\Desktop', the root flag can be obtained with the 'type root.txt' command.




Remediation Plan

The following fixes are recommended in order to reduce the risk to an acceptable level and harden the system from potential threats.

  1. Close ports on the server that are not required for business functionality.

  2. Ensure that the latest security patches are installed for the server.

  3. If file sharing is required, lock down the SMB service to prevent anonymous logins by using authenticated account access only.

  4. Do not store passwords in hashed or clear text forms that can be easily compromised and reused. Use encryption to safeguard passwords and all sensitive files.

  5. Disable 'SeImpersonatePrivilege' so that it can't be exploited to gain system level access.

  6. Perform a credentialed vulnerability system scan to ensure that all known vulnerabilities have been successfully patched.

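Items 1, 3 and 5 of the plan above are changes an administrator makes on the server itself. The following PowerShell is an added example of how to audit and apply them, not part of the original report or the TryHackMe box, and it must be run in an elevated session on the server. The group name 'RELEVANT\FileShareUsers' and the IIS site name 'Default Web Site' are placeholders for whatever the environment actually uses. The privilege audit at the end only lists the accounts that hold 'SeImpersonatePrivilege' so that the change in item 5 can be scoped and tested first; by default the built-in SERVICE identity (which IIS application pools run under) holds it, so removing it blindly can break services.

```powershell
# Added example (not from the original report): audit and harden the share,
# null-session access and the privilege that the attack chain relied on.

$ShareName    = 'nt4wrksv'
$AllowedGroup = 'RELEVANT\FileShareUsers'   # placeholder: the group that genuinely needs the share
$SiteName     = 'Default Web Site'          # placeholder: the IIS site that exposes the share

# 1. Audit: who can reach the share today? Everyone / ANONYMOUS LOGON are the red flags.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Remediation item 3: replace broad grants with one explicit, authenticated group.
foreach ($acct in 'Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName $acct -Force -ErrorAction SilentlyContinue
}
Grant-SmbShareAccess -Name $ShareName -AccountName $AllowedGroup -AccessRight Change -Force

# Refuse null sessions at the server level and publish no shares to them.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name RestrictNullSessAccess -Value 1 -Type DWord
Set-ItemProperty -Path $lanman -Name NullSessionShares -Value ([string[]]@()) -Type MultiString

# 3. Remediation item 1: SMB should never be reachable from an untrusted network profile.
New-NetFirewallRule -DisplayName 'Block inbound SMB (public profile)' -Direction Inbound `
    -Protocol TCP -LocalPort 139, 445 -Profile Public -Action Block | Out-Null

# 4. The share directory exposed over HTTP must not execute scripts: read-only access policy.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$ShareName" `
    -Filter '/system.webServer/handlers' -Name accessPolicy -Value 'Read'

# 5. Remediation item 5 (audit step): list every account holding SeImpersonatePrivilege.
function Get-ImpersonatePrivilegeHolder {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -Force
    if (-not $line) { return }
    foreach ($holder in (($line -split '=', 2)[1].Trim() -split ',')) {
        $holder = $holder.Trim()
        if ($holder.StartsWith('*')) {
            # secedit writes SIDs prefixed with '*'; translate them to account names.
            $sid = $holder.TrimStart('*')
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        } else {
            $sid = '-'; $name = $holder
        }
        [pscustomobject]@{ SID = $sid; Account = $name }
    }
}

Get-ImpersonatePrivilegeHolder | Format-Table -AutoSize
```

After the change, re-run the first audit line and confirm that an unauthenticated connection to the share is rejected; the privilege list is the input for deciding, per account, whether 'SeImpersonatePrivilege' can be withdrawn in the Local Security Policy without breaking the services that depend on it.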



Conclusions

There are 7 ports open on the system, of which ports 139, 445, and 49663 were used to compromise the system, gain access, and deliver the payload for privilege escalation. The 'SeImpersonatePrivilege' permission was enabled on the system, allowing an easy transition from the 'iis apppool\defaultapppool' account to the 'NT Authority\System' account, the highest level of access on the server. From there all of the placed flags were retrieved and submitted as proof of system compromise.


To further elaborate, this report is only a snapshot of the system's security posture at the time the assessment was conducted against the requested system; it should not be relied upon as a reflection of the system's present security state, since changes may have been made to the system since this penetration test was performed. After the recommendations have been implemented, another penetration test is recommended to ensure that all vulnerabilities known at that time are no longer a concern on the system.
